Prefetch & Superfetch - nurit-cyber/OperatingSystemForensics GitHub Wiki

Location - C:\Windows\Prefetch. When a file is double-clicked, the system monitors the application as it starts, works out which libraries and other resources must be prepared for it, and records that information in a prefetch file. There is usually one prefetch file per application or program on the device, and its purpose is to make start-up faster. Prefetch files are not tied to the user who executed the file.

Prefetch file naming: [APPLICATION].EXE-[8 RANDOM CHARACTERS].pf
- If the same application produces two .pf files whose 8-character suffixes do not match, it was probably run from two different locations.
Superfetch database files are named Ag***.db.

Prefetch is usually disabled on SSDs, because there it tends to slow performance down rather than improve it. It is also disabled on servers, because servers are typically running most or all of the time, so there is little to gain.

Prefetch files are also useful for determining whether malware has been executed on the device, and their entries can be checked to see when an application was loaded.

Prefetch Details

File carving (with 010 Editor, scalpel, etc.) relies on the prefetch file signatures, which differ by Windows version:
- XP: 11 00 00 00 followed by ASCII SCCA
- Vista/7: 17 00 00 00 followed by ASCII SCCA
- 8/8.1: 1A 00 00 00 followed by ASCII SCCA
- 10: MAM (ASCII) followed by 0x04
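The following is an added example (not part of the original wiki page) that turns the signature table above and the naming note on duplicate 8-character suffixes into code: it classifies a header, carves candidate headers out of an unstructured blob, and groups .pf names by application. The sample blob and file names are constructed; the assumption that the Windows 10 "MAM\x04" magic is followed by a little-endian uncompressed size is not stated on the page.

```python
import re
import struct

# Signatures from the page: 4-byte little-endian version, then ASCII "SCCA".
SCCA_VERSIONS = {0x11: "XP", 0x17: "Vista/7", 0x1A: "8/8.1"}
# Windows 10 prefetch files are compressed; the header is ASCII "MAM" followed by 0x04.
MAM_MAGIC = b"MAM\x04"

def identify_header(data: bytes) -> dict:
    """Classify the first 8 bytes of a candidate prefetch file."""
    if len(data) < 8:
        return {"os": None}
    if data[:4] == MAM_MAGIC:
        # Assumption (not on the page): the 4 bytes after the magic hold the
        # uncompressed size, little-endian; the compressed payload follows.
        size = struct.unpack_from("<I", data, 4)[0]
        return {"os": "10", "compressed": True, "uncompressed_size": size}
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] == b"SCCA" and version in SCCA_VERSIONS:
        return {"os": SCCA_VERSIONS[version], "compressed": False, "version": version}
    return {"os": None}

def carve_prefetch_headers(blob: bytes) -> list:
    """Scan unstructured data (e.g. unallocated space) for prefetch header signatures."""
    hits = []
    for marker in (b"SCCA", MAM_MAGIC):
        pos = blob.find(marker)
        while pos != -1:
            # "SCCA" sits 4 bytes after the start of the header; "MAM\x04" is the start.
            start = pos - 4 if marker == b"SCCA" else pos
            if start >= 0:
                info = identify_header(blob[start:start + 8])
                if info["os"] is not None:
                    hits.append((start, info["os"]))
            pos = blob.find(marker, pos + 1)
    return sorted(hits)

# File name layout from the page: [APPLICATION].EXE-[8 CHARACTERS].pf
PF_NAME = re.compile(r"^(?P<app>.+\.EXE)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def apps_with_multiple_hashes(names: list) -> dict:
    """Group .pf names by application; more than one suffix suggests runs from different paths."""
    seen = {}
    for n in names:
        m = PF_NAME.match(n)
        if m:
            seen.setdefault(m.group("app").upper(), set()).add(m.group("hash").upper())
    return {app: sorted(h) for app, h in seen.items() if len(h) > 1}

# Constructed sample: padding, a Vista/7 header, junk, a Windows 10 header, trailing bytes.
SAMPLE_BLOB = (b"\x00" * 16 + b"\x17\x00\x00\x00SCCA" + b"junk" * 4
               + b"MAM\x04\x10\x27\x00\x00" + b"\xff" * 8)
```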

Forensic Significance

Prefetch files contain the following:
- File paths for files/folders accessed during the first 10 seconds after the application was launched
- Number of times the application was run, with time stamps
- Last time the application was run
- Media information for the volumes accessed (volume serial number and creation date). This means that even if the application ran from a USB drive, the serial number of that drive is recorded.

Windows 8 and later keep time stamps only for the last 8 runs.

Investigations with Prefetch

Creation date: the first time the application was run
Modification time: the last time the application was run (Windows 8+ records the last 8 time stamps)

Prefetch files are removed only by a factory reset, by manual deletion (which requires system privileges), or once 1024 applications have been run after the last time the original application was run.
Reaching that last condition would most likely require running a script.

Prefetch Format

Disable Prefetch

- Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
- Value: EnablePrefetcher
  - 0 = Disabled
  - 1 = Application launch prefetching enabled
  - 2 = Boot prefetching enabled
  - 3 = Application launch and boot prefetching enabled (the default)

Using PECmd

- -f: process a single prefetch file
- -d: process a directory of prefetch files
- -k [word]: keyword to search for in the output