Prefetch Files
Overview
Evidence: Prefetch Files
Description: Collect Prefetch Files and Parse
Category: System
Platform: windows
Short Name: pf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Prefetch is a memory management feature that speeds up application loading by caching information about programs and their dependencies. When a program is executed, Windows creates a .pf file in C:\Windows\Prefetch that tracks the files and directories accessed during the program's startup.
Prefetch files are valuable forensic artifacts because they provide evidence of program execution, even after the program has been deleted. Each prefetch file contains execution timestamps, run counts, and lists of files accessed by the application.
Data Collected
This collector gathers structured data about prefetch files.
Prefetch Files Data

Field | Description | Example
FilePath | Path to prefetch file | Prefetch/CHROME.EXE-12345678.pf
FileSize | Size of prefetch file | 45678
FileModified | Last modified timestamp | 2023-10-15T14:30:00
FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00
FileCreated | Creation timestamp | 2023-10-01T10:00:00

Field | Description | Example
PrefetchRowID | Foreign key to prefetch file | 1
FileName | Original executable name | CHROME.EXE
FilePath | Full path to executable | C:\Program Files\Google\Chrome\Application\chrome.exe
RunCount | Number of times executed | 42
PrefetchHash | Prefetch hash value | 12345678
Version | Prefetch file format version | 30
LastRunTime | Array of last run timestamps (JSON) | ["2023-10-15T14:30:00Z","2023-10-14T09:15:00Z"...]

Field | Description | Example
PrefetchRowID | Foreign key to prefetch file | 1
VolumeName | Volume device name | \Device\HarddiskVolume3
Serial | Volume serial number | 123456789
CreationTime | Volume creation timestamp | 2023-01-01T00:00:00

Field | Description | Example
PrefetchRowID | Foreign key to prefetch file | 1
Path | Path to referenced file | C:\Windows\System32\kernel32.dll
Collection Method
This collector:
Collects all .pf files from C:\Windows\Prefetch
Parses each prefetch file using the libscca library
Extracts execution timestamps, run counts, and file references
Resolves volume information from embedded volume serials
Maps prefetch hashes to executable paths
Forensic Value
Prefetch files are essential for establishing program execution timelines and detecting malware execution. Investigators use this data to prove program execution, establish execution timelines, identify deleted malware, track portable executable usage, detect lateral movement tools, identify reconnaissance utilities, and correlate file access patterns with malicious activity.
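As an added example (not part of this collector's documentation or code), the following Python triages rows shaped like the parsed prefetch table above: it flattens the LastRunTime arrays into an execution timeline, reports how many runs fall outside the retained timestamps, flags executables run from user-writable locations or matching built-in reconnaissance utilities, and groups what ran shortly after such a binary. The sample rows, the location markers and the tool list are constructed assumptions.

```python
import json
from datetime import datetime, timedelta
# Constructed sample rows shaped like the parsed prefetch table above; not real collector output.
SAMPLE_ROWS = [
    {"FileName": "CHROME.EXE", "RunCount": 42,
     "FilePath": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "LastRunTime": '["2023-10-15T14:30:00Z","2023-10-14T09:15:00Z"]'},
    {"FileName": "UPDATE.EXE", "RunCount": 1,
     "FilePath": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "LastRunTime": '["2023-10-15T14:31:07Z"]'},
    {"FileName": "WHOAMI.EXE", "RunCount": 3,
     "FilePath": r"C:\Windows\System32\whoami.exe",
     "LastRunTime": '["2023-10-15T14:31:20Z","2023-10-15T14:31:12Z","2023-10-15T14:31:09Z"]'},
]
# Assumed markers for user-writable locations and built-in utilities typical of reconnaissance.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
RECON_TOOLS = {"WHOAMI.EXE", "NET.EXE", "NET1.EXE", "IPCONFIG.EXE", "NLTEST.EXE",
               "SYSTEMINFO.EXE", "TASKLIST.EXE", "NETSTAT.EXE", "QUSER.EXE"}

def classify(row):
    """Return the reasons a parsed prefetch row deserves analyst attention."""
    reasons = []
    if any(marker in row["FilePath"].lower() for marker in USER_WRITABLE):
        reasons.append("run from user-writable location")
    if row["FileName"].upper() in RECON_TOOLS:
        reasons.append("reconnaissance utility")
    return reasons

def unrecorded_runs(row):
    """Runs not covered by LastRunTime (format version 26+ keeps only the last 8 timestamps)."""
    return max(0, row["RunCount"] - len(json.loads(row["LastRunTime"])))

def build_timeline(rows):
    """Flatten every LastRunTime entry into one (time, name, reasons) event, oldest first."""
    events = []
    for row in rows:
        for stamp in json.loads(row["LastRunTime"]):
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
            events.append((when, row["FileName"], classify(row)))
    return sorted(events, key=lambda event: event[0])

def correlate(rows, window=timedelta(seconds=60)):
    """Map each run from a user-writable location to the other programs run within `window` after it."""
    events = build_timeline(rows)
    clusters = {}
    for when, name, reasons in events:
        if "run from user-writable location" in reasons:
            clusters[name] = sorted({n for w, n, _ in events if n != name and when <= w <= when + window})
    return clusters
```

A RunCount larger than the number of retained timestamps means earlier executions happened but their times are no longer recorded, so the timeline is a lower bound on activity.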