Forensics ‐ Prefetch Files - Foren-Ken/tech-journal GitHub Wiki
What Is Prefetch and Why Should I Care?
Prefetch is a file that Windows creates for each application that runs. Its purpose is to reduce the time needed to load the files a program requires, which speeds up system and application startup.
It is located in the C:\Windows\Prefetch folder and can be used to prove that a file was run on the Windows device. The value of prefetch is that it will always record when an EXE is run, and that record does not disappear when the EXE is deleted from the system.
Each file within C:\Windows\Prefetch ends in .pf, short for Pre-Fetch.
Prefetch shows the following:
- File paths of files/folders accessed during the first 10 seconds of the application run.
- Number of times an application was run.
- Last time an application was run.
- Media information of the volumes accessed.
- The creation date of the prefetch file is the same as the first time the application was run.
SSDs may not contain prefetch files, and Windows Server also does not contain prefetch files. Prefetch is controlled, and can be disabled, through the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
SuperFetch is for programs which start during system startup. Not much is known about it due to the lack of research.
Location: C:\Windows\Prefetch
Usage: These prefetch files are created whenever an executable is used on the system. Each one contains a multitude of information, such as:
- File paths accessed within the first 10 seconds of the application run
- A count of application runs
- Last time the application was run
- Information on the storage media (the volumes) the application accessed: volume serial number and volume creation date
Tools:
- PECmd (Eric Zimmerman)
Manual Forensics: The contents of a Prefetch file are as follows (partial):
| Offset | Length in Bytes | Item Description |
|---|---|---|
| 0x0000 | 4 | Version signature. In every prefetch format up to and including Windows 11 it has the form XX:00:00:00, where XX identifies the Windows version: Windows XP / Windows 2003: 0x11; Windows Vista / Windows 7: 0x17; Windows 8.1: 0x1A; Windows 10: 0x1E; Windows 11: 0x1F. |
| 0x0004 | 4 | File signature. This is the header proper (it comes immediately after the version signature) and confirms the type of file. For a prefetch file it is 0x53:43:43:41 (the ASCII string SCCA). |
| 0x0008 | 4 | Unknown |
| 0x000C | 4 | Prefetch file size |
| 0x0010 | 60 | EXE filename (UTF-16) |
| 0x004C | 4 | Prefetch hash |
| 0x0050 | 4 | Unknown |
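The header layout in the table, as an added parser example (not code from this wiki or from PECmd). It assumes an uncompressed .pf file: Windows 10 and 11 store prefetch files XPRESS-Huffman compressed behind a MAM header, which the parser detects and refuses rather than decompressing, and the EXENAME-HASH.pf filename convention used for the consistency check is a known property of prefetch files that the table above does not state.

```python
import struct

# Version signature -> Windows release, from the table above.
PREFETCH_VERSIONS = {
    0x11: "Windows XP / Windows 2003",
    0x17: "Windows Vista / Windows 7",
    0x1A: "Windows 8.1",
    0x1E: "Windows 10",
    0x1F: "Windows 11",
}
SCCA_SIGNATURE = b"SCCA"   # bytes 0x53 0x43 0x43 0x41 at offset 0x0004

def parse_prefetch_header(data: bytes) -> dict:
    """Parse the fixed 0x54-byte header of an uncompressed .pf file."""
    if data[:4] == b"MAM\x04":
        # Windows 10/11 write compressed files with a MAM header; they must be
        # decompressed before the SCCA header is visible.
        raise ValueError("compressed prefetch file (MAM); decompress it first")
    if len(data) < 0x54:
        raise ValueError("data too short to hold a prefetch header")
    # 0x0000 version, 0x0004 signature, 0x0008 unknown, 0x000C file size (little-endian)
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0x0000)
    if signature != SCCA_SIGNATURE:
        raise ValueError(f"bad file signature {signature!r}, expected {SCCA_SIGNATURE!r}")
    # 0x0010: 60 bytes of UTF-16LE executable name, NUL-terminated, rest is padding
    raw_name = data[0x0010:0x0010 + 60]
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x004C)   # 0x004C: prefetch hash
    return {
        "version": version,
        "windows": PREFETCH_VERSIONS.get(version, f"unknown (0x{version:02X})"),
        "file_size": file_size,
        "exe_name": exe_name,
        "hash": f"{pf_hash:08X}",
    }

def filename_matches_header(filename: str, header: dict) -> bool:
    """.pf files are named EXENAME-HASH.pf; a mismatch with the header deserves a closer look."""
    return filename.upper() == f"{header['exe_name']}-{header['hash']}.pf".upper()

def build_sample_header(version: int, exe_name: str, pf_hash: int, file_size: int) -> bytes:
    """Constructed sample header (not a real prefetch file) for offline testing."""
    name = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")
    return (struct.pack("<I4sII", version, SCCA_SIGNATURE, 0, file_size)
            + name + struct.pack("<II", pf_hash, 0))

if __name__ == "__main__":
    sample = build_sample_header(0x1E, "CMD.EXE", 0x4A81B364, 12345)
    print(parse_prefetch_header(sample))
```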