> For the complete documentation index, see [llms.txt](https://mahmoud-shaker.gitbook.io/dfir-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mahmoud-shaker.gitbook.io/dfir-notes/prefetch-files-forensics.md).

# Prefetch Files Forensics

Prefetch forensics refers to analyzing Windows Prefetch files, which provide insights into application usage on a system. Prefetch files are created by Windows to improve the performance of applications by preloading data. They track executable files when they are run

### location : C:\Windows\Prefetch\\

### Key Aspects of Prefetch Analysis

1. **Understanding Prefetch Files**: Prefetch files have the extension `.pf` and are named after the executable they represent, along with a hash of the path. For example, `notepad.exe` might have a file named `NOTEPAD.EXE-XXXXXXXX.pf`.
2. **Execution Times**: Prefetch files store the last 8 run times, helping investigators determine how often and when a program was executed.
3. **Associated DLLs and Resources**: Prefetch files contain a list of DLLs and other resources the program loaded, which can indicate dependencies and how the program interacted with the system.
4. **Size and Hashing**: The size of the Prefetch file can vary with different Windows versions. Starting from Windows 8, files also include volume creation date and hashing information

<figure><img src="/files/AINvn7pLJm4AdCAFoNcs" alt=""><figcaption></figcaption></figure>

### Structure

Include metadata about the executed program, such as:

* Program name and path.
* Last execution timestamp.
* Number of times the program was executed.
* Loaded module (DLL) paths used by the application

### **Forensic Significance**

1. **Program Execution Evidence**
   * Prefetch files can confirm whether a program was executed, even if the program itself has been deleted.
   * Useful in cases where malware was executed but later removed.
2. **Execution Timeline**
   * Last execution timestamp helps build a timeline of activity.
   * Frequency of execution reveals patterns of use.
3. **File and Directory Discovery**
   * Paths and filenames of associated files or libraries (DLLs) loaded by the program provide additional clues.
4. **Artifact of Anti-Forensics**
   * Absence of expected prefetch files might indicate the system was tampered with or an anti-forensic tool was used

**Tools**

* **Eric Zimmerman's PECmd**: Parse Prefetch files for detailed analysis.
* **Windows Prefetch Parser (wpf)**: Extract metadata and module information.

Here I used **PECmd tool** and look what I got&#x20;

<figure><img src="/files/oZLA25acdn4ZDc8KqwHZ" alt=""><figcaption></figcaption></figure>
