Prefetches and Superfetches - caitlinmallen/TechWiki GitHub Wiki

Prefetch & Superfetches

  • Located in C:\Windows\Prefetch
  • Files with the .pf extension, named EXENAME-HASH.pf; the 8 hex digit hash is derived from the executable's full path
  • Usually one file per executable; the same program run from two different paths produces two prefetch files because the hash covers the path
  • Used by Windows to optimize program startup and boot
  • Superfetch databases
    • Ag*.db files in the same folder
  • Copying an application to another location and running it there creates a new prefetch file
    • A prefetch file is created the first time an executable path is run, not for every process launch; later runs update the existing file

Prefetch Details

  • File signature (first 8 bytes)
    • XP -> 11 00 00 00 (version 17) followed by ASCII SCCA
    • Vista/7 -> 17 00 00 00 (version 23) followed by ASCII SCCA
    • 8/8.1 -> 1A 00 00 00 (version 26) followed by ASCII SCCA
    • 10 -> ASCII MAM followed by 04 (hex); once decompressed the header reads 1E 00 00 00 (version 30) followed by ASCII SCCA
  • On Windows 10, the prefetch file is compressed (XPRESS Huffman); the 4 bytes after MAM 04 hold the decompressed size
    • Needs to be decompressed before being examined in a hex editor
  • The date(s) of last execution and the run count are also included
    • Lists the libraries and files the application loaded during startup
  • Prefetch files are evidence that an application was executed
    • Can also show that a malware sample executed and then deleted itself, since the .pf file outlives the executable
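The header fields listed above (version and SCCA signature, the Windows 10 MAM wrapper, executable name, hash, last run times, run count) can be pulled out with a short parser. The following is an added example written for this page, not code from the wiki. The offsets follow the public prefetch format documentation; the run-count offset for version 30 is assumed to be 0xD0 (early Windows 10 builds used 0xC8); the decompression path calls ntdll through ctypes and therefore only works on a Windows host; and the sample inputs are constructed in code with made-up hash values.

```python
# Added example (not from this wiki): parse the header of a .pf file.
# Offsets are from the public prefetch format documentation. The run-count
# offset for version 30 differs between early and later Windows 10 builds
# (0xC8 vs 0xD0); 0xD0 is assumed here. Sample inputs at the bottom are
# constructed in code, not real prefetch files.
import ctypes
import struct
import sys
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
COMPRESSION_FORMAT_XPRESS_HUFF = 0x0004

# version -> (OS, offset of last-run FILETIME array, number of slots, run-count offset)
LAYOUTS = {
    17: ("Windows XP/2003", 0x78, 1, 0x90),
    23: ("Windows Vista/7", 0x80, 1, 0x98),
    26: ("Windows 8/8.1", 0x80, 8, 0xD0),
    30: ("Windows 10/11", 0x80, 8, 0xD0),
}


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decompress_mam(data):
    """Unwrap the Windows 10 'MAM' container. Byte 3 is the algorithm
    (0x04 = XPRESS Huffman), bytes 4-7 the decompressed size, data follows."""
    if data[:3] != b"MAM":
        return data                      # XP..8.1 files are stored uncompressed
    if data[3] != 0x04:
        raise ValueError("unexpected MAM compression byte 0x%02x" % data[3])
    size = struct.unpack_from("<I", data, 4)[0]
    if not sys.platform.startswith("win"):
        raise NotImplementedError("decompression here uses ntdll; on other "
                                  "platforms use libscca or PECmd")
    ntdll = ctypes.windll.ntdll
    ws_size, frag_size, final = ctypes.c_ulong(), ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF),
                                         ctypes.byref(ws_size), ctypes.byref(frag_size))
    workspace = ctypes.create_string_buffer(ws_size.value)
    out = ctypes.create_string_buffer(size)
    status = ntdll.RtlDecompressBufferEx(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF),
                                         out, size, data[8:], len(data) - 8,
                                         ctypes.byref(final), workspace)
    if status != 0:
        raise OSError("RtlDecompressBufferEx failed: NTSTATUS 0x%08x" % (status & 0xFFFFFFFF))
    return out.raw[:final.value]


def parse_prefetch(data):
    """Return the fields an investigator looks at first."""
    data = decompress_mam(data)
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUTS:
        raise ValueError("not a known prefetch header: %r / version %d" % (signature, version))
    os_name, ts_off, slots, rc_off = LAYOUTS[version]
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    raw_times = struct.unpack_from("<%dQ" % slots, data, ts_off)
    return {
        "version": version,
        "os": os_name,
        "file_size": file_size,
        "exe_name": exe_name,
        "hash": "%08X" % pf_hash,          # should match the HASH part of NAME-HASH.pf
        "last_runs": [from_filetime(t) for t in raw_times if t],  # zero = unused slot
        "run_count": struct.unpack_from("<I", data, rc_off)[0],
    }


def build_sample(version, exe_name, pf_hash, run_times, run_count):
    """Construct a synthetic header for testing (NOT a real .pf; the metrics,
    string and volume sections are left zeroed)."""
    _, ts_off, slots, rc_off = LAYOUTS[version]
    buf = bytearray(0x140)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x4C] = exe_name.encode("utf-16-le")[:60].ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    for i, dt in enumerate(run_times[:slots]):
        struct.pack_into("<Q", buf, ts_off + 8 * i, to_filetime(dt))
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)


SAMPLES = {  # constructed inputs; hash values are made up
    "win7": build_sample(23, "CALC.EXE", 0x12345678,
                         [datetime(2020, 1, 1, tzinfo=timezone.utc)], 5),
    "win8": build_sample(26, "NOTEPAD.EXE", 0xD8414F97,
                         [datetime(2021, 6, 10, 14, 22, tzinfo=timezone.utc),
                          datetime(2021, 6, 9, 8, 0, tzinfo=timezone.utc)], 12),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, parse_prefetch(blob))
```

Run it directly to print the two constructed samples; for a real file pass `open(path, "rb").read()` to `parse_prefetch`. The hash in the header should equal the hash in the file name, so a mismatch means the .pf file was renamed after Windows wrote it.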

Forensic Significance

  • Prefetch file contains
    • Paths of files and directories loaded during the first 10 seconds of execution
    • Number of executions
    • Last time application was run
    • Media information for volumes accessed
      • Volume device path
      • Volume serial number
      • Volume creation date
    • Layout.ini & NTOSBOOT-B00DFAAD.pf (both in the Prefetch folder)
      • File paths from all over the hard drive, recorded during boot (NTOSBOOT-B00DFAAD.pf) and then periodically for disk optimization purposes (Layout.ini)

Prefetch for Investigators

  • The existence of a prefetch file is strong evidence that the executable named in it was run (provided prefetching was enabled on the system)
  • Creation date of the prefetch file indicates when the application was first run (the file is written about 10 seconds after launch)
  • The embedded timestamp and the modification date of a prefetch file indicate when the named application was last run
    • On Windows 8 and later, the date and time of the last 8 runs are recorded
  • Prefetch file is not deleted when a program is uninstalled or deleted
    • The folder is capped (128 files on XP/Vista/7, 1024 on 8 and later); once full, the least recently used files are purged, so old entries can disappear
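A first pass over the Prefetch folder needs no parsing at all: the file name gives the executable name and path hash, the creation time the first run and the modification time the last run. The following is an added example, not code from the wiki. The directory listing is constructed inline as (name, creation time, modification time) tuples rather than read from a system, and the single-run heuristic (creation time equals modification time) assumes the timestamps have not been altered.

```python
# Added example (not from this wiki): triage a Prefetch directory listing
# using only file names and filesystem timestamps. LISTING is constructed
# to look like (name, creation time, last-modified time) tuples; it is not
# taken from a real system and the hashes are made up.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Application prefetch files are named EXENAME-HASH.pf; the 8 hex digit hash
# is derived from the executable's full path, so one program name can map
# to several files when it was launched from different locations.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
BOOT_PREFETCH = "NTOSBOOT"

LISTING = [
    ("NOTEPAD.EXE-D8414F97.pf", "2021-03-01T09:00:00Z", "2021-06-10T14:22:00Z"),
    ("SVCHOST.EXE-1234ABCD.pf", "2020-11-05T08:00:00Z", "2021-06-11T03:15:00Z"),
    ("SVCHOST.EXE-9F0E1D2C.pf", "2021-06-11T03:14:50Z", "2021-06-11T03:14:50Z"),
    ("NTOSBOOT-B00DFAAD.pf",    "2020-11-05T07:58:00Z", "2021-06-11T03:10:00Z"),
    ("Layout.ini",              "2020-11-05T08:30:00Z", "2021-06-08T02:00:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(listing):
    """Group .pf files by executable name; creation time = first run,
    modification time = last run."""
    by_exe = defaultdict(list)
    other = []
    for name, ctime, mtime in listing:
        m = PF_NAME.match(name)
        if not m:
            other.append(name)            # Layout.ini, Ag*.db, stray files
            continue
        entry = {"file": name, "hash": m["hash"].upper(),
                 "first_run": parse_ts(ctime), "last_run": parse_ts(mtime)}
        by_exe[m["exe"].upper()].append(entry)
    # Same name, different hash: the binary ran from more than one path
    # (a renamed sample dropped beside the real svchost.exe looks like this).
    multi_path = sorted(exe for exe, entries in by_exe.items()
                        if exe != BOOT_PREFETCH and len(entries) > 1)
    # Heuristic: created and modified by the same write means a single run.
    single_run = sorted(e["file"] for entries in by_exe.values() for e in entries
                        if e["first_run"] == e["last_run"])
    return {"by_exe": dict(by_exe), "multiple_paths": multi_path,
            "single_run": single_run, "other": other}


def timeline(listing):
    """Most recent execution first, as (last_run, exe, hash) rows."""
    t = triage(listing)
    rows = [(e["last_run"], exe, e["hash"])
            for exe, entries in t["by_exe"].items() for e in entries]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    result = triage(LISTING)
    print("run from multiple paths:", result["multiple_paths"])
    print("single-run files:", result["single_run"])
    for when, exe, h in timeline(LISTING):
        print(when.isoformat(), exe, h)
```

On a live host the same tuples come from `os.scandir(r"C:\Windows\Prefetch")` with `stat().st_ctime` and `st_mtime`; on an image, take them from the forensic tool's file listing so the NTFS timestamps are not replaced by copy times.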

Disabling Prefetches

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  • EnablePrefetcher (REG_DWORD)
    • 0 = Disabled
    • 1 = Application launch prefetching enabled
    • 2 = Boot prefetching enabled
    • 3 = Application launch and boot prefetching enabled
  • 3 is the default on client editions; Windows Server editions commonly ship with it set to 0
  • EnableSuperfetch in the same key uses the same values
  • If the system boots from an SSD, prefetching may have been switched off automatically (Windows 7 does this when it detects a fast SSD)
    • An empty Prefetch folder on such a system is not evidence that nothing ran; check the drive type and the registry value before drawing conclusions
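The registry check above, as an added example that is not code from the wiki. It decodes EnablePrefetcher as the two-bit value it is, reads EnablePrefetcher and EnableSuperfetch with the standard-library winreg module (live Windows host only), counts the .pf files, and turns those into the conclusion an investigator may draw. Whether the disk is an SSD or the host is a Server edition is passed in by the caller rather than detected, and the default path C:\Windows\Prefetch is an assumption.

```python
# Added example (not from this wiki): decode EnablePrefetcher and decide
# what the number of .pf files means. The registry read uses winreg and so
# only works on a live Windows host; on an image, load the SYSTEM hive and
# read ControlSet00N, where N is the value of SYSTEM\Select\Current, since
# CurrentControlSet is only a link.
import os

PREFETCH_PARAMETERS = (r"SYSTEM\CurrentControlSet\Control\Session Manager"
                       r"\Memory Management\PrefetchParameters")
APP_LAUNCH, BOOT = 0x1, 0x2          # bit values inside EnablePrefetcher


def decode_enable_prefetcher(value):
    """0..3 -> which kinds of prefetching are on (bit 0 apps, bit 1 boot)."""
    if value not in (0, 1, 2, 3):
        raise ValueError("EnablePrefetcher must be 0-3, got %r" % (value,))
    return {"application_launch": bool(value & APP_LAUNCH),
            "boot": bool(value & BOOT)}


def read_live_settings():
    """Read both values from the running system (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PREFETCH_PARAMETERS) as key:
        for name in ("EnablePrefetcher", "EnableSuperfetch"):
            try:
                result[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                result[name] = None      # value absent: Windows applies its default
    return result


def count_pf_files(prefetch_dir=r"C:\Windows\Prefetch"):   # assumed location
    try:
        return sum(1 for n in os.listdir(prefetch_dir) if n.lower().endswith(".pf"))
    except OSError:
        return 0


def interpret(enable_prefetcher, pf_count, is_ssd=False, is_server=False):
    """What the investigator may conclude from the setting and the count."""
    apps_on = decode_enable_prefetcher(enable_prefetcher)["application_launch"]
    if not apps_on:
        if is_server:
            why = "Windows Server default"
        elif is_ssd:
            why = "SSD optimisation"
        else:
            why = "explicitly disabled"
        return {"evidence_usable": False,
                "reason": "application prefetching off (%s): a missing .pf file "
                          "says nothing about whether a program ran" % why}
    if pf_count == 0:
        return {"evidence_usable": False,
                "reason": "prefetching on but folder empty: suspect wiping, "
                          "anti-forensics or a very recent install"}
    return {"evidence_usable": True,
            "reason": "%d .pf files with application prefetching on: presence "
                      "of a file is evidence of execution" % pf_count}


if __name__ == "__main__":
    try:
        settings = read_live_settings()
        value = settings["EnablePrefetcher"]
        if value is None:
            value = 3                    # client default when the value is absent
        print(settings, interpret(value, count_pf_files()))
    except ImportError:
        print("winreg unavailable; example:", interpret(0, 0, is_ssd=True))
```

When the value is absent the decode has to fall back on the edition's default, which is why the live read returns None instead of guessing; on an offline hive, read the ControlSet the Select\Current value points at, not ControlSet001 by habit.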