Prefetch Files
Overview
Evidence: Prefetch Files
Description: Collect Prefetch Files and Parse
Category: System
Platform: windows
Short Name: pf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Prefetch is a memory management feature that speeds up application loading by caching information about programs and their dependencies. When a program is executed, Windows creates a .pf file in C:\Windows\Prefetch that tracks the files and directories accessed during the program’s startup.
Prefetch files are valuable forensic artifacts because they provide evidence of program execution, even after the program has been deleted. Each prefetch file contains execution timestamps, run counts, and lists of files accessed by the application.
Data Collected
This collector gathers structured data about prefetch files.
Prefetch Files Data
| Field | Description | Example |
|---|---|---|
| FilePath | Path to prefetch file | Prefetch/CHROME.EXE-12345678.pf |
| FileSize | Size of prefetch file (bytes) | 45678 |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-01T10:00:00 |

| Field | Description | Example |
|---|---|---|
| PrefetchRowID | Foreign key to prefetch file | 1 |
| FileName | Original executable name | CHROME.EXE |
| FilePath | Full path to executable | C:\Program Files\Google\Chrome\Application\chrome.exe |
| RunCount | Number of times executed | 42 |
| PrefetchHash | Prefetch hash value | 12345678 |
| Version | Prefetch file format version | 30 |
| LastRunTime | Array of last run timestamps (JSON) | ["2023-10-15T14:30:00Z","2023-10-14T09:15:00Z"…] |

| Field | Description | Example |
|---|---|---|
| PrefetchRowID | Foreign key to prefetch file | 1 |
| VolumeName | Volume device name | \Device\HarddiskVolume3 |
| Serial | Volume serial number | 123456789 |
| CreationTime | Volume creation timestamp | 2023-01-01T00:00:00 |

| Field | Description | Example |
|---|---|---|
| PrefetchRowID | Foreign key to prefetch file | 1 |
| Path | Path to referenced file | C:\Windows\System32\kernel32.dll |
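To show where the fields in the tables above come from, here is an added example (not the collector's own code, and not libscca) that parses the uncompressed prefetch format versions 23 and 26 directly with struct: the SCCA signature and version, the executable name, the prefetch hash, the last-run FILETIME array, the run count, the referenced file names, and the volume entries. The offsets in LAYOUTS and VOLUME_ENTRY_SIZE are my assumptions taken from the publicly documented format, and the sample image is constructed in the block itself. Version 30 files (Windows 10 and later) are MAM-compressed, so the parser refuses them rather than misreading compressed bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84          # fixed header; the file information block follows it
VOLUME_ENTRY_SIZE = 104   # assumed size of a v23/v26 volume information entry

# Assumed per-version layout of the file information block (offsets relative to
# HEADER_SIZE): number of last-run FILETIME slots, offset of the run count, and
# block size. Version 30 is omitted: those files are MAM-compressed on disk.
LAYOUTS = {
    23: {"run_times": 1, "run_count": 68, "size": 156},
    26: {"run_times": 8, "run_count": 124, "size": 224},
}


def filetime_to_iso(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def iso_to_filetime(text):
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10  # integer maths, no float loss


def parse_prefetch(data):
    """Parse an uncompressed prefetch image into the fields the collector reports."""
    if data[:3] == b"MAM":
        raise ValueError("compressed (MAM) prefetch file: decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = LAYOUTS[version]

    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16LE field
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]

    fi = HEADER_SIZE
    (_, _, _, _, names_off, names_size, vols_off, vols_count, _) = struct.unpack_from("<9I", data, fi)
    raw_times = struct.unpack_from(f"<{layout['run_times']}Q", data, fi + 44)
    run_count = struct.unpack_from("<I", data, fi + layout["run_count"])[0]

    names = data[names_off:names_off + names_size].decode("utf-16-le")
    volumes = []
    for i in range(vols_count):
        entry = vols_off + i * VOLUME_ENTRY_SIZE
        path_off, path_chars, created, serial = struct.unpack_from("<IIQI", data, entry)
        start = vols_off + path_off           # device path offset is relative to the volumes section
        volumes.append({
            "device_path": data[start:start + 2 * path_chars].decode("utf-16-le"),
            "serial": f"{serial:08X}",
            "creation_time": filetime_to_iso(created),
        })
    return {
        "version": version,
        "executable": executable,
        "prefetch_hash": f"{prefetch_hash:08X}",
        "run_count": run_count,
        "last_run_times": [filetime_to_iso(t) for t in raw_times if t],   # unused slots are zero
        "filenames": [n for n in names.split("\x00") if n],
        "volumes": volumes,
    }


def build_sample(version, executable, prefetch_hash, run_count, last_run, filenames, volume):
    """Constructed sample: assemble a minimal prefetch image using the layout above."""
    layout = LAYOUTS[version]
    names_blob = "".join(n + "\x00" for n in filenames).encode("utf-16-le")
    names_off = HEADER_SIZE + layout["size"]
    vols_off = names_off + len(names_blob)
    dev_path = volume["device_path"]
    vols_blob = struct.pack("<IIQI", VOLUME_ENTRY_SIZE, len(dev_path),
                            iso_to_filetime(volume["creation_time"]), volume["serial"])
    vols_blob = vols_blob.ljust(VOLUME_ENTRY_SIZE, b"\x00") + (dev_path + "\x00").encode("utf-16-le")
    header = struct.pack("<I4sII", version, b"SCCA", 0x11, vols_off + len(vols_blob))
    header += executable.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", prefetch_hash, 0)
    info = bytearray(layout["size"])
    struct.pack_into("<9I", info, 0, 0, 0, 0, 0, names_off, len(names_blob), vols_off, 1, len(vols_blob))
    struct.pack_into("<Q", info, 44, iso_to_filetime(last_run))
    struct.pack_into("<I", info, layout["run_count"], run_count)
    return header + bytes(info) + names_blob + vols_blob


def demo():
    sample = build_sample(
        version=26, executable="CALC.EXE", prefetch_hash=0x12345678, run_count=42,
        last_run="2023-10-15T14:30:00Z",
        filenames=[r"\DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\KERNEL32.DLL"],
        volume={"device_path": r"\DEVICE\HARDDISKVOLUME3", "serial": 0x1234ABCD,
                "creation_time": "2023-01-01T00:00:00Z"},
    )
    return parse_prefetch(sample)


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the executable name in the header is a bare file name, so the full path in the FilePath column has to be recovered from the file-name strings and volume entries, and the last-run array on version 26 keeps up to eight timestamps, which is why the LastRunTime column is a JSON array rather than a single value.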
Collection Method
This collector:
- Collects all .pf files from C:\Windows\Prefetch
- Parses each prefetch file using the libscca library
- Extracts execution timestamps, run counts, and file references
- Resolves volume information from embedded volume serials
- Maps prefetch hashes to executable paths
Forensic Value
Prefetch files are essential for establishing program execution timelines and detecting malware execution. Investigators use this data to prove program execution, establish execution timelines, identify deleted malware, track portable executable usage, detect lateral movement tools, identify reconnaissance utilities, and correlate file access patterns with malicious activity.