Understanding and Analyzing Windows Prefetch Files

Using PECmd to investigate the forensic value of prefetch files.

Tags: Insights, Forensic Tools

6/28/2024


Overview

Prefetching is like the computer’s way of doing its homework: it loads important parts of an executable from the hard drive into memory before they’re needed. When you run a program for the first time, Windows makes a note of it in a special .pf file in the Prefetch folder, and it keeps writing the list of files each app uses into that same .pf file. On older Windows (7 and before), the Prefetch folder can hold up to 128 files. On newer Windows (8 and later), it can hold up to 1,024 files.

Prefetch is turned on by default on Windows workstations (although it can be turned off) but not on servers.

Location

Prefetch files are found in the 'Prefetch' folder within the Windows directory. Each file within this directory is named after the executable it corresponds to, followed by a hash value.

C:\Windows\Prefetch directory.
C:\Windows\Prefetch\CHROME.EXE-46AA1511.pf

Forensic Value

Prefetch file names are made up of the executable’s name, a dash, and a hex representation of a hash of the app’s location (its path).

  • Prefetch files show when the executable has been run.

  • Always look at other evidence in relation and context to corroborate prefetch information.

  • Inside each prefetch file, you can find:

    • How many times the file has been run.

    • Where it was run from.

    • The last time it was run.

  • From Windows 8 onwards, prefetch files show up to eight run times.

  • The creation time of the prefetch file can give an extra run time, making up to nine total run times for each app.

Pro Tips for Investigators

  • If you see more than one prefetch file with the same executable name, it usually means the same one was run from different places.

  • For example, if you see many prefetch files for cmd.exe, it could mean a file named cmd.exe was run from somewhere other than the usual C:\Windows\System32 folder.

    • But there are exceptions. Some Windows files like svchost, dllhost, backgroundtaskhost, and rundll32 can have many prefetch files. This is because the hash value at the end of each prefetch file is based on the full path and any extra options used when running the app.

  • If you use live response tools (tools that analyze a computer while it’s running) on a computer, new prefetch files will be made for those tools.

    • Each computer can only keep a certain number of prefetch files. So, if new ones are made, the oldest ones might get deleted.
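The two checks above (more than one prefetch file for the same executable name, and the up-to-nine run times per app) as a small Python triage script. This is an added example, not code from the original post or from PECmd; the directory listing and timestamps are constructed, and the hash values in the sample names are made up.

```python
import re
from collections import defaultdict

# Prefetch file name layout: EXECUTABLE.EXE-<8 hex digit hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+?)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Windows binaries the post lists as legitimately producing many .pf files,
# because their hash also covers the command line used to start them.
KNOWN_MULTI_PF = {"SVCHOST.EXE", "DLLHOST.EXE", "BACKGROUNDTASKHOST.EXE", "RUNDLL32.EXE"}


def parse_pf_name(filename):
    """Split 'CMD.EXE-0BD30981.pf' into ('CMD.EXE', '0BD30981'); None if not a .pf name."""
    m = PF_NAME.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def find_multi_location_executables(filenames):
    """Return {exe: [hashes]} for executables with more than one .pf file,
    skipping the host processes Windows is expected to prefetch many times."""
    by_exe = defaultdict(set)
    for name in filenames:
        parsed = parse_pf_name(name)
        if parsed:
            by_exe[parsed[0]].add(parsed[1])
    return {exe: sorted(h) for exe, h in by_exe.items()
            if len(h) > 1 and exe not in KNOWN_MULTI_PF}


def collect_run_times(last_run, previous_runs, pf_created):
    """Merge the up-to-eight timestamps stored in a Windows 8+ prefetch file with
    the .pf file's own creation time: up to nine distinct run times, newest first.
    Timestamps are ISO-8601 strings, so lexical order equals chronological order."""
    times = {t for t in [last_run, *previous_runs, pf_created] if t}
    return sorted(times, reverse=True)


# Constructed directory listing of C:\Windows\Prefetch (hashes are not real values)
SAMPLE_LISTING = [
    "CMD.EXE-0BD30981.pf", "CMD.EXE-8E75B5BB.pf",
    "SVCHOST.EXE-1234ABCD.pf", "SVCHOST.EXE-5678EF01.pf", "SVCHOST.EXE-9ABC2345.pf",
    "CHROME.EXE-46AA1511.pf", "CALC.EXE-3FBEF7FD.pf",
    "Layout.ini",  # the Prefetch folder also holds files that are not .pf
]

if __name__ == "__main__":
    for exe, hashes in find_multi_location_executables(SAMPLE_LISTING).items():
        print(f"{exe}: {len(hashes)} prefetch files ({', '.join(hashes)}), verify the paths")
```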

Tools for Analyzing Prefetch Data

PECmd is a tool by Eric Zimmerman for parsing prefetch files. It is useful for extracting forensic artifacts, since prefetch files store information about program execution.

# To process a single prefetch file
PECmd.exe -f "C:\Triage\CALC.EXE-3FBEF7FD.pf"

# To process a single prefetch file and save the output as a JSON file
PECmd.exe -f "C:\Triage\CALC.EXE-3FBEF7FD.pf" --json "C:\Triage\jsonOutput" --jsonpretty

# To process all prefetch files in a directory
PECmd.exe -d "C:\Triage"

# To process all prefetch files in a directory and save the output as a CSV file
PECmd.exe -d "C:\Triage" --csv "C:\Triage" --csvf PreFetched.csv