Prefetch Files

Overview

Evidence: Prefetch Files
Description: Collect Prefetch Files and Parse
Category: Process Execution
Platform: Windows
Short Name: pf
Is Parsed: Yes - Prefetch files are parsed into structured data
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Prefetch is a memory management feature that speeds up application loading by caching information about the files a program touches when it starts. When a program is executed, the prefetcher records the files and directories accessed during roughly the first ten seconds of execution and writes them to a .pf file in C:\Windows\Prefetch. The file is named after the executable plus a hash of its full path (for example CHROME.EXE-12345678.pf).

Prefetch files are valuable forensic artifacts because they provide evidence that a program was executed, even after the executable itself has been deleted. Each prefetch file records the executable name, a run count, the most recent execution timestamps, the volumes involved and the files loaded by the application.

Data Collected

Prefetch Files Table

Field | Description | Example
FilePath | Path to the prefetch file | Prefetch/CHROME.EXE-12345678.pf
FileSize | Size of the prefetch file in bytes | 45678
FileModified | Last modified timestamp of the .pf file; the file is rewritten about ten seconds after each run, so this approximates the most recent execution | 2023-10-15T14:30:00
FileAccessed | Last accessed timestamp; unreliable where NTFS last-access updates are disabled | 2023-10-15T15:45:00
FileCreated | Creation timestamp of the .pf file, which approximates the first execution unless the file was deleted and recreated | 2023-10-01T10:00:00

Prefetch Parsed Table

Field | Description | Example
PrefetchRowID | Foreign key to the prefetch file row | 1
FileName | Executable name as stored in the prefetch header | CHROME.EXE
FilePath | Full path to the executable, resolved from the referenced-file list (the header stores only the name) | C:\Program Files\Google\Chrome\Application\chrome.exe
RunCount | Number of times executed | 42
PrefetchHash | Hash of the executable's full path; the hex value in the .pf file name | 12345678
Version | Prefetch file format version (17 = XP/2003, 23 = Vista/7, 26 = Windows 8.x, 30 = Windows 10/11) | 30
LastRunTime | Array of last run timestamps (JSON); up to 8 on Windows 8 and later, only 1 on earlier versions | ["2023-10-15T14:30:00Z","2023-10-14T09:15:00Z"...]

Prefetch Referenced Volumes

Field | Description | Example
PrefetchRowID | Foreign key to the prefetch file row | 1
VolumeName | Volume device path as stored in the prefetch file | \Device\HarddiskVolume3
Serial | Volume serial number | 123456789
CreationTime | Volume creation timestamp | 2023-01-01T00:00:00

Prefetch Referenced Files

Field | Description | Example
PrefetchRowID | Foreign key to the prefetch file row | 1
Path | Path to a file loaded by the executable during startup (DLLs, data files, the executable itself) | C:\Windows\System32\kernel32.dll

Collection Method

This collector:

  • Collects all .pf files from C:\Windows\Prefetch

  • Parses each prefetch file using the libscca library

  • Extracts execution timestamps, run counts, and file references

  • Resolves volume device paths, serial numbers and creation times from the embedded volume information

  • Recovers the executable's full path from the referenced-file list, since the prefetch header stores only the executable name and the hash of its path
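As an added example (not the collector's code, which relies on libscca), the following Python parser shows where the fields in the tables above come from in an uncompressed prefetch file. It covers format versions 17, 23 and 26, with offsets taken from the public SCCA format description that libscca documents; the sample file it parses is constructed in code and is not a real capture. Windows 10/11 files (version 30) are wrapped in an MAM-compressed container and are refused here; libscca handles that decompression.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x54  # fixed SCCA header; the file information block starts right after it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets inside the file information block that move between format versions:
# first last-run FILETIME, number of stored run times, run count, volume entry size.
LAYOUT = {
    17: dict(last_run=36, run_times=1, run_count=60, volume_entry=40),    # XP / 2003
    23: dict(last_run=44, run_times=1, run_count=68, volume_entry=104),   # Vista / 7
    26: dict(last_run=44, run_times=8, run_count=124, volume_entry=104),  # 8.x
}

def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'not set'."""
    return None if value == 0 else FILETIME_EPOCH + timedelta(microseconds=value // 10)

def read_utf16z(buf, offset):
    """NUL-terminated UTF-16LE string starting at offset."""
    end = offset
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le")

def parse_prefetch(data):
    """Parse an uncompressed .pf file into the fields the tables on this page describe."""
    if data[:3] == b"MAM":
        # Windows 10/11 wrap the SCCA payload in an Xpress Huffman container;
        # libscca decompresses it, this minimal parser deliberately does not.
        raise NotImplementedError("compressed prefetch file: decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch file (signature {signature!r}, version {version})")
    layout = LAYOUT[version]
    exe_name = read_utf16z(data, 0x10)                 # 60-byte executable name field
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]  # same value as in the .pf file name

    info = HEADER_SIZE
    (_, _, _, _, names_off, names_size,
     vol_off, vol_count, _) = struct.unpack_from("<9I", data, info)
    raw_times = struct.unpack_from(f"<{layout['run_times']}Q", data, info + layout["last_run"])
    run_count = struct.unpack_from("<I", data, info + layout["run_count"])[0]

    files, pos = [], names_off  # back-to-back NUL-terminated UTF-16LE device paths
    while pos < names_off + names_size:
        name = read_utf16z(data, pos)
        if not name:
            break
        files.append(name)
        pos += 2 * len(name) + 2

    volumes = []  # per entry: device path offset (relative to the volumes block), length, creation time, serial
    for i in range(vol_count):
        path_off, path_len, created, serial = struct.unpack_from(
            "<IIQI", data, vol_off + i * layout["volume_entry"])
        start = vol_off + path_off
        volumes.append(dict(device=data[start:start + 2 * path_len].decode("utf-16-le"),
                            serial=serial, created=filetime_to_datetime(created)))

    # The header stores only the executable name; its full path has to be recovered
    # from the referenced-file list (the entry ending in \<name>).
    exe_path = next((f for f in files if f.upper().endswith("\\" + exe_name.upper())), None)
    return dict(version=version, exe_name=exe_name, hash=pf_hash, run_count=run_count,
                last_run_times=[t for t in map(filetime_to_datetime, raw_times) if t],
                exe_path=exe_path, files=files, volumes=volumes)

def build_sample_v23():
    """Constructed version 23 (Windows 7 layout) prefetch file for CMD.EXE; not a real capture."""
    def to_ft(dt):  # datetime -> FILETIME
        return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
    device = "\\DEVICE\\HARDDISKVOLUME2"
    files = [device + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", device + "\\WINDOWS\\SYSTEM32\\CMD.EXE"]
    names_blob = b"".join(f.encode("utf-16-le") + b"\x00\x00" for f in files)
    layout, info_size = LAYOUT[23], 156                # file information block is 156 bytes in v23
    names_off = HEADER_SIZE + info_size
    vol_off = names_off + len(names_blob)
    vol_entry = struct.pack("<IIQI", layout["volume_entry"], len(device),
                            to_ft(datetime(2023, 1, 1, tzinfo=timezone.utc)), 0x1234ABCD)
    vol_blob = vol_entry.ljust(layout["volume_entry"], b"\x00") + device.encode("utf-16-le") + b"\x00\x00"
    info = bytearray(info_size)
    struct.pack_into("<9I", info, 0, names_off, 0, names_off, 0,
                     names_off, len(names_blob), vol_off, 1, len(vol_blob))
    struct.pack_into("<Q", info, layout["last_run"], to_ft(datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", info, layout["run_count"], 42)
    header = struct.pack("<I4sII", 23, b"SCCA", 0x0F, vol_off + len(vol_blob))
    header += "CMD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x12345678, 0)        # placeholder hash, flags
    return header + bytes(info) + names_blob + vol_blob

if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_v23()).items():
        print(f"{key}: {value}")
```

The referenced-file paths come out in NT device form (\DEVICE\HARDDISKVOLUME2\...); mapping them to drive letters needs the volume table and the host's current mounts, which is why the collector reports volumes separately.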

Usage

Prefetch files are essential for establishing program execution timelines and detecting malware execution. Investigators use this data to show that a program ran (a prefetch file proves execution, not what the program did), establish execution timelines, identify malware that has since been deleted, track use of portable executables, detect lateral movement tools, identify reconnaissance utilities, and correlate the files a program loaded with malicious activity.

Known Limitations

  • Prefetch may be disabled: it is off by default on Windows Server editions and is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

  • The Prefetch folder holds at most 128 files on Windows XP through 7 and 1024 on Windows 8 and later; older entries are pruned

  • Only the single most recent run time is stored before Windows 8; Windows 8 and later keep the last 8 execution timestamps

  • Prefetch files may be deleted by CCleaner and similar tools, or by an attacker; a missing .pf file is not proof that a program never ran

  • Hash calculation varies by Windows version (XP/2003 use a different function from Vista and later), and hosting processes such as svchost.exe and rundll32.exe include their command line in the hash, so one executable can have several prefetch files

Notes

Prefetch files are created only for executables launched from the file system. Running a script produces a prefetch file for its interpreter (for example POWERSHELL.EXE or WSCRIPT.EXE), not for the script, and DLLs appear only in the referenced-file list of the process that loaded them. Because the prefetch hash is computed over the executable's full path, the same file name run from different directories yields different .pf files: a second SVCHOST.EXE-<hash>.pf whose resolved path is outside C:\Windows\System32 is a strong masquerading indicator. Windows 10 and 11 write .pf files in a compressed (MAM) container, which libscca decompresses during parsing.
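To make the hash point concrete, here is an added Python example (not part of this page or the collector) implementing the published SCCA hash functions and using them to decide which of several candidate paths a .pf file name belongs to. The functions follow the libscca format documentation and operate on the upper-cased NT device path; the device paths and the svchost.exe masquerading scenario are constructed for the example.

```python
# Prefetch hash functions for the three documented Windows generations, plus a helper that
# matches a .pf file name against candidate executable paths. Constants are those given in
# the public SCCA format description.

def scca_xp_hash(path):
    """Windows XP / 2003: 37-multiplier hash, scaled, folded to 31 bits, reduced mod 1000000007."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007

def scca_vista_hash(path):
    """Windows Vista: seed 314159, then h = h * 37 + character, mod 2^32."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def scca_2008_hash(path):
    """Windows 2008/7/8/10/11 as documented: the same recurrence unrolled eight characters at a
    time. 442596621 and 803794207 are 37^7 and -37^8 mod 2^32, so the result equals
    scca_vista_hash for every input; what changes on these versions is which processes
    (svchost.exe, rundll32.exe, ...) include their command line in the hashed string."""
    h, i, n = 314159, 0, len(path)
    while i + 8 < n:
        v = ord(path[i + 1]) * 37
        for k in range(2, 7):
            v = (v + ord(path[i + k])) * 37
        v += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (v - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:
        h = (h * 37 + ord(path[i])) & 0xFFFFFFFF
        i += 1
    return h

HASHERS = {"xp": scca_xp_hash, "vista": scca_vista_hash, "2008": scca_2008_hash}

def prefetch_file_name(path, flavor="2008"):
    """The .pf name Windows would write for an executable at the given NT device path."""
    exe = path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{HASHERS[flavor](path.upper()):08X}.pf"

def resolve_prefetch_path(pf_name, candidates, flavor="2008"):
    """Candidate paths whose hash reproduces the hex value in pf_name."""
    stem = pf_name[:-3] if pf_name.lower().endswith(".pf") else pf_name
    exe, hex_hash = stem.rsplit("-", 1)
    target = int(hex_hash, 16)
    return [c for c in candidates
            if c.rsplit("\\", 1)[-1].upper() == exe.upper()
            and HASHERS[flavor](c.upper()) == target]

if __name__ == "__main__":
    # Constructed scenario: the legitimate svchost.exe and a copy dropped in a user-writable path.
    legit = "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SVCHOST.EXE"
    rogue = "\\DEVICE\\HARDDISKVOLUME2\\USERS\\PUBLIC\\SVCHOST.EXE"
    pf = prefetch_file_name(rogue)
    print(pf, "->", resolve_prefetch_path(pf, [legit, rogue]))
```

In practice the candidate list comes from the referenced-file paths in the same prefetch file or from a file-system listing; a SVCHOST.EXE prefetch file whose hash matches no path under the system directory deserves a closer look.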
