# Prefetch Files

## Overview

**Evidence:** Prefetch Files\
**Description:** Collect Prefetch Files and Parse\
**Category:** System\
**Platform:** windows\
**Short Name:** pf\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Windows Prefetch is a memory management feature that speeds up application loading by caching information about programs and their dependencies. When a program is executed, Windows creates a .pf file in `C:\Windows\Prefetch` that tracks the files and directories accessed during the program's startup.

Prefetch files are valuable forensic artifacts because they provide evidence of program execution, even after the program has been deleted. Each prefetch file contains execution timestamps, run counts, and lists of files accessed by the application.

## Data Collected

This collector gathers structured data about prefetch files.

### Prefetch Files Data

The fields below form four related records: the collected .pf file, the metadata parsed from it, the volumes it references, and the files it references. `PrefetchRowID` links each of the last three back to the parsed prefetch file.

#### Collected file

| Field          | Description             | Example                         |
| -------------- | ----------------------- | ------------------------------- |
| `FilePath`     | Path to prefetch file   | Prefetch/CHROME.EXE-12345678.pf |
| `FileSize`     | Size of prefetch file   | 45678                           |
| `FileModified` | Last modified timestamp | 2023-10-15T14:30:00             |
| `FileAccessed` | Last accessed timestamp | 2023-10-15T15:45:00             |
| `FileCreated`  | Creation timestamp      | 2023-10-01T10:00:00             |

#### Parsed prefetch metadata

| Field           | Description                         | Example                                               |
| --------------- | ----------------------------------- | ----------------------------------------------------- |
| `PrefetchRowID` | Foreign key to prefetch file        | 1                                                     |
| `FileName`      | Original executable name            | CHROME.EXE                                            |
| `FilePath`      | Full path to executable             | C:\Program Files\Google\Chrome\Application\chrome.exe |
| `RunCount`      | Number of times executed            | 42                                                    |
| `PrefetchHash`  | Prefetch hash value                 | 12345678                                              |
| `Version`       | Prefetch file format version        | 30                                                    |
| `LastRunTime`   | Array of last run timestamps (JSON) | \["2023-10-15T14:30:00Z","2023-10-14T09:15:00Z", ...] |

#### Volume information

| Field           | Description                  | Example                 |
| --------------- | ---------------------------- | ----------------------- |
| `PrefetchRowID` | Foreign key to prefetch file | 1                       |
| `VolumeName`    | Volume device name           | \Device\HarddiskVolume3 |
| `Serial`        | Volume serial number         | 123456789               |
| `CreationTime`  | Volume creation timestamp    | 2023-01-01T00:00:00     |

#### File references

| Field           | Description                  | Example                          |
| --------------- | ---------------------------- | -------------------------------- |
| `PrefetchRowID` | Foreign key to prefetch file | 1                                |
| `Path`          | Path to referenced file      | C:\Windows\System32\kernel32.dll |

## Collection Method

This collector:

* Collects all .pf files from `C:\Windows\Prefetch`
* Parses each prefetch file using the libscca library
* Extracts execution timestamps, run counts, and file references
* Resolves volume information from embedded volume serials
* Maps prefetch hashes to executable paths
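The parsing steps above, as an added example that is not the collector's or libscca's own code: a minimal Python parser for the uncompressed SCCA layout (versions 26 and 30). The field offsets follow the public format description; treating a metrics-array offset of 0x54 + 216 as the later Windows 10 variant with the run count at 0xC8 is an assumption to verify against libscca's notes. The sample prefetch file is constructed inline by `build_sample_prefetch()` (a builder written for this example, not a real capture) so the script runs offline. It returns the same fields the data tables list, refuses MAM-compressed Windows 10 files (which need LZXPRESS Huffman decompression first, a step libscca performs), and checks that the on-disk file name agrees with the executable name and hash stored in the header.

```python
"""Minimal parser for uncompressed Windows prefetch (SCCA) files, versions 26/30."""
import json
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_INFO_OFFSET = 0x54      # file information block follows the 84-byte header
VOLUME_ENTRY_SIZE = 104      # volume information entry size for versions 23/26/30


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string, None if unset."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def iso_to_filetime(text):
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data, file_name=None):
    """Parse one .pf file; file_name (optional) is the on-disk name, used for a consistency check."""
    # Windows 10+ writes LZXPRESS-Huffman compressed files that start with "MAM";
    # the SCCA layout below only applies after decompression (libscca does that).
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch file: decompress before parsing")
    version, signature, _unknown, _file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in (26, 30):
        raise ValueError(f"unsupported prefetch version {version}")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16LE name
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    (metrics_off, _metrics_n, _chains_off, _chains_n, names_off, names_size,
     vol_off, vol_count, _vol_size) = struct.unpack_from("<9I", data, FILE_INFO_OFFSET)
    # Eight last-run FILETIME slots at 0x80; unused slots are zero.
    last_runs = [t for t in (filetime_to_iso(ft) for ft in struct.unpack_from("<8Q", data, 0x80)) if t]
    # Assumption: a 216-byte file-information block (later Windows 10) keeps the run count at 0xC8.
    run_count_off = 0xC8 if metrics_off == FILE_INFO_OFFSET + 216 else 0xD0
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    # Filename strings: NUL-terminated UTF-16LE, device-relative paths.
    names_blob = data[names_off:names_off + names_size].decode("utf-16-le")
    paths = [p for p in names_blob.split("\x00") if p]
    volumes = []
    for i in range(vol_count):
        base = vol_off + i * VOLUME_ENTRY_SIZE
        dev_off, dev_len, created, serial = struct.unpack_from("<IIQI", data, base)
        start = vol_off + dev_off          # device path offset is relative to the volumes section
        volumes.append({"VolumeName": data[start:start + dev_len * 2].decode("utf-16-le"),
                        "Serial": serial, "CreationTime": filetime_to_iso(created)})
    # Map the header's executable name to its full path among the referenced files.
    exe_path = next((p for p in paths if p.upper().endswith("\\" + exe_name.upper())), None)
    expected_name = f"{exe_name}-{prefetch_hash:08X}.pf"
    return {
        "FileName": exe_name, "FilePath": exe_path, "RunCount": run_count,
        "PrefetchHash": f"{prefetch_hash:08X}", "Version": version, "LastRunTime": last_runs,
        "Volumes": volumes, "FileReferences": [{"Path": p} for p in paths],
        "ExpectedFileName": expected_name,
        # A renamed .pf file or an edited header shows up as a name/hash mismatch.
        "NameMatchesHash": file_name is None or file_name.upper() == expected_name.upper(),
    }


def build_sample_prefetch():
    """Constructed sample (not a real capture): CHROME.EXE, run 42 times, one volume."""
    vol = r"\VOLUME{01d9a6c2b4e8f000-2a3b4c5d}"
    paths = [vol + r"\WINDOWS\SYSTEM32\NTDLL.DLL", vol + r"\WINDOWS\SYSTEM32\KERNEL32.DLL",
             vol + r"\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE"]
    names_blob = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    device = r"\DEVICE\HARDDISKVOLUME3"
    device_blob = device.encode("utf-16-le") + b"\x00\x00"
    info_end = FILE_INFO_OFFSET + 224             # 224-byte file-information variant
    names_off = info_end
    vol_off = names_off + len(names_blob)
    vol_size = VOLUME_ENTRY_SIZE + len(device_blob)
    runs = [iso_to_filetime("2023-10-15T14:30:00Z"), iso_to_filetime("2023-10-14T09:15:00Z")] + [0] * 6
    header = struct.pack("<I4sII", 30, b"SCCA", 0x11, vol_off + vol_size)
    header += "CHROME.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x12345678, 0)    # prefetch hash (constructed), flags
    info = struct.pack("<9I", info_end, 0, info_end, 0, names_off, len(names_blob), vol_off, 1, vol_size)
    info += b"\x00" * 8 + struct.pack("<8Q", *runs) + b"\x00" * 16 + struct.pack("<I", 42)
    info = info.ljust(224, b"\x00")
    volume = struct.pack("<IIQI", VOLUME_ENTRY_SIZE, len(device),
                         iso_to_filetime("2023-01-01T00:00:00Z"), 123456789).ljust(VOLUME_ENTRY_SIZE, b"\x00")
    return header + info + names_blob + volume + device_blob


if __name__ == "__main__":
    print(json.dumps(parse_prefetch(build_sample_prefetch(), "CHROME.EXE-12345678.pf"), indent=2))
```

Point `parse_prefetch()` at the bytes of a real, decompressed .pf file and pass its file name to get the same record; `LastRunTime` is returned as a list so it can be serialised to the JSON array the data table describes.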

## Forensic Value

Prefetch files are essential for establishing program execution timelines and detecting malware execution. Investigators use this data to:

* prove program execution
* establish execution timelines
* identify deleted malware
* track portable executable usage
* detect lateral movement tools
* identify reconnaissance utilities
* correlate file access patterns with malicious activity
