DFIR-Notes

Prefetch Files Forensics


Last updated 4 months ago

Prefetch forensics refers to the analysis of Windows Prefetch files, which provide insight into application usage on a system. Windows creates Prefetch files to speed up application start-up by preloading the data an executable needs, and in doing so it records which executables were run and when.

Location: C:\Windows\Prefetch\

Key Aspects of Prefetch Analysis

  1. Understanding Prefetch Files: Prefetch files have the extension .pf and are named after the executable they represent, along with a hash of the path. For example, notepad.exe might have a file named NOTEPAD.EXE-XXXXXXXX.pf.

  2. Execution Times: Prefetch files store the last 8 run times, helping investigators determine how often and when a program was executed.

  3. Associated DLLs and Resources: Prefetch files contain a list of DLLs and other resources the program loaded, which can indicate dependencies and how the program interacted with the system.

  4. Size and Hashing: The size of the Prefetch file varies between Windows versions. Starting with Windows 8, files also include the volume creation date and hashing information.

Structure

Prefetch files include metadata about the executed program, such as:

  • Program name and path.

  • Last execution timestamp.

  • Number of times the program was executed.

  • Loaded module (DLL) paths used by the application.
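To make the fields listed under Key Aspects and Structure concrete, here is a parser, added here as an example and not code from this page or from any of the tools it names, that reads the header and file-information block of an uncompressed .pf file and returns the executable name, the path hash from the file name, the run counter, the stored run times and the loaded module paths. The format offsets follow the publicly documented SCCA layout (versions 17, 23, 26 and 30); the Windows 10/11 version 30 run counter has two known placements, and the parser assumes the earlier one. The sample file it parses is constructed in the code, so the NOTEPAD.EXE name, the volume GUID, the hash and the timestamps are invented values, and Windows 10/11 files, which are MAM-compressed, are detected and rejected rather than decompressed.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
COMPRESSED_MAGIC = b"MAM\x04"   # Windows 10/11 .pf files are LZXPRESS-Huffman compressed
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute offsets of the last-run-time block (offset, number of FILETIMEs) and of
# the run counter, per format version: 17 = XP/2003, 23 = Vista/7, 26 = 8/8.1,
# 30 = Windows 10/11. Version 30 has two known layouts: the run counter sits at
# 0xC8 in the earlier one and at 0xD0 in later builds; this parser assumes 0xC8.
LAYOUTS = {
    17: ((120, 1), 144),
    23: ((128, 1), 152),
    26: ((128, 8), 208),
    30: ((128, 8), 200),
}


def filetime_to_iso(ft: int) -> str:
    """Convert a FILETIME (100 ns intervals since 1601-01-01 UTC) to ISO 8601."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_iso, used only to build the constructed sample file."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data: bytes) -> dict:
    """Parse an uncompressed .pf file into the fields an analyst reports on."""
    if data[:4] == COMPRESSED_MAGIC:
        raise ValueError("MAM-compressed prefetch file: decompress (LZXPRESS Huffman) first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    file_size = struct.unpack_from("<I", data, 12)[0]
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]     # the XXXXXXXX in NAME.EXE-XXXXXXXX.pf

    # File-information block (starts at offset 84): locate the UTF-16 module name strings.
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    modules = [s for s in raw.split("\x00") if s]

    (times_off, n_times), count_off = LAYOUTS[version]
    filetimes = struct.unpack_from(f"<{n_times}Q", data, times_off)
    run_times = [filetime_to_iso(ft) for ft in filetimes if ft]   # unused slots are zero
    run_count = struct.unpack_from("<I", data, count_off)[0]

    return {
        "version": version,
        "executable": exe_name,
        "prefetch_hash": f"{path_hash:08X}",
        "file_size": file_size,
        "run_count": run_count,
        "last_run_times": run_times,   # most recent first, up to 8 on Windows 8 and later
        "modules": modules,
    }


def build_sample_prefetch() -> bytes:
    """Constructed version-26 (Windows 8.1 layout) prefetch for NOTEPAD.EXE; not a real artifact."""
    volume = "\\VOLUME{01d6a1c3e4f5b6a7-1234abcd}"          # invented volume identifier
    modules = [f"{volume}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
               f"{volume}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
               f"{volume}\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"]
    strings = "".join(m + "\x00" for m in modules).encode("utf-16-le")
    info_end = 84 + 224                       # header + version-26 file-information block
    buf = bytearray(info_end + len(strings))
    struct.pack_into("<I4sII", buf, 0, 26, SIGNATURE, 0x11, len(buf))
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0xD8414F97)           # invented path hash
    # metrics and trace-chain arrays are empty; the filename strings follow the block
    struct.pack_into("<IIIIII", buf, 84, info_end, 0, info_end, 0, info_end, len(strings))
    struct.pack_into("<III", buf, 108, info_end + len(strings), 1, 0)
    runs = [datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc),
            datetime(2024, 3, 14, 9, 5, tzinfo=timezone.utc),
            datetime(2024, 2, 28, 18, 45, tzinfo=timezone.utc)]
    filetimes = [datetime_to_filetime(d) for d in runs] + [0] * 5
    struct.pack_into("<8Q", buf, 128, *filetimes)
    struct.pack_into("<I", buf, 208, 42)                  # run counter
    buf[info_end:] = strings
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

On a real system you would pass the bytes of a file from C:\Windows\Prefetch\ to parse_prefetch; on Windows 10 and 11 the file starts with MAM and must be decompressed first (PECmd does this for you), which is why the parser refuses such input instead of silently reading garbage offsets.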

Forensic Significance

  1. Program Execution Evidence

    • Prefetch files can confirm whether a program was executed, even if the program itself has been deleted.

    • Useful in cases where malware was executed but later removed.

  2. Execution Timeline

    • Last execution timestamp helps build a timeline of activity.

    • Frequency of execution reveals patterns of use.

  3. File and Directory Discovery

    • Paths and filenames of associated files or libraries (DLLs) loaded by the program provide additional clues.

  4. Artifact of Anti-Forensics

    • Absence of expected prefetch files might indicate that the system was tampered with or that an anti-forensic tool was used.
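The four points above turn into a short triage step once the files are parsed. The following is an added example, not part of this page or of PECmd, that works on records in the shape a prefetch parser produces (executable name, run counter, run times newest first, loaded module paths): it merges every stored run time into one ordered timeline, and it lists executables that appear in another program's module paths but have no prefetch file of their own, which is one way a deleted or never-prefetched binary shows up. The records are constructed; the names, paths and times are invented. A missing .pf is a lead rather than proof, since the referenced file may only have been read, prefetching may be disabled, or the cache may have rolled over.

```python
from datetime import datetime

# Constructed records, in the field layout a prefetch parser or PECmd's CSV export gives.
RECORDS = [
    {"executable": "EXPLORER.EXE", "run_count": 310,
     "last_run_times": ["2024-03-15T08:02:11+00:00", "2024-03-14T08:00:40+00:00"],
     "modules": [r"\WINDOWS\EXPLORER.EXE", r"\WINDOWS\SYSTEM32\NTDLL.DLL"]},
    {"executable": "CMD.EXE", "run_count": 4,
     "last_run_times": ["2024-03-15T03:14:07+00:00"],
     "modules": [r"\WINDOWS\SYSTEM32\CMD.EXE", r"\USERS\PUBLIC\UPDATER.EXE"]},
    {"executable": "NOTEPAD.EXE", "run_count": 12,
     "last_run_times": ["2024-03-13T16:20:00+00:00"],
     "modules": [r"\WINDOWS\SYSTEM32\NOTEPAD.EXE"]},
]


def build_timeline(records):
    """Flatten every stored run time into (timestamp, executable, run_count), oldest first."""
    events = []
    for rec in records:
        for ts in rec["last_run_times"]:
            events.append((datetime.fromisoformat(ts), rec["executable"], rec["run_count"]))
    return sorted(events)


def executables_without_prefetch(records):
    """Executables referenced in some program's module list that have no .pf record themselves."""
    present = {rec["executable"].upper() for rec in records}
    referenced = {}
    for rec in records:
        for path in rec["modules"]:
            name = path.rsplit("\\", 1)[-1].upper()
            if name.endswith(".EXE") and name not in present:
                referenced.setdefault(name, set()).add(rec["executable"])
    # map each missing executable to the prefetch files that reference it
    return {name: sorted(refs) for name, refs in referenced.items()}


if __name__ == "__main__":
    for when, exe, count in build_timeline(RECORDS):
        print(f"{when.isoformat()}  {exe:<14} (run count {count})")
    for name, refs in executables_without_prefetch(RECORDS).items():
        print(f"no prefetch file for {name}, referenced by {', '.join(refs)}")
```

Reading the timeline output, the CMD.EXE run at 03:14 sits outside the user's normal hours seen for EXPLORER.EXE, and the missing prefetch entry for UPDATER.EXE referenced from CMD.EXE is the kind of gap worth checking against the MFT and $UsnJrnl before concluding that anything was deleted.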

Tools

  • Eric Zimmerman's PECmd: Parse Prefetch files for detailed analysis.

  • Windows Prefetch Parser (wpf): Extract metadata and module information.

Here I used the PECmd tool, and look what I got: