Forensic Analysis of Prefetch files in Windows
This is the fourth blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.
What are prefetch files?
Prefetch files are valuable artifacts for forensic investigators trying to establish which applications have been run on a system. When an application is run from a particular location for the first time, the Windows Prefetcher records the files and directories the process touched during its first seconds of execution and writes that information to a prefetch file; on later runs the same file is updated with a new run count and timestamp. Windows uses this data to speed up application loading; for investigators, it is a record of a user's application history on a computer. Note that prefetching is enabled by default on desktop editions of Windows but disabled by default on Windows Server, and it can be turned off through the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, so the absence of prefetch files is not proof that nothing ran.
Why are prefetch files important to your digital forensics investigation?
Evidence of program execution is a valuable resource for forensic investigators. It can show, for example, that a suspect ran a program such as CCleaner to cover up potential wrongdoing.
If the program has since been deleted, a prefetch file may still exist on the system to provide evidence of execution. Another valuable use for prefetch files is in malware investigations which can assist examiners in determining when a malicious program was run. Combining this with some basic timeline analysis, investigators can identify any additional malicious files that were downloaded or created on the system and help determine the root cause of an incident.
The key artifacts that need to be found when investigating prefetch files
Prefetch files follow a common naming format: the executable name in upper case, a hyphen, an eight-hex-digit (32-bit) hash, and the .pf extension. The hash is computed over the full path from which the executable was run, not just its directory, so the same executable run from two different folders produces two different prefetch files. For example, the prefetch file for Snipping Tool (SNIPPINGTOOL.EXE) would appear as SNIPPINGTOOL.EXE-9A9B0B31.pf, where 9A9B0B31 is the hash of the path from which the file was executed. For a few hosting processes such as svchost.exe, rundll32.exe, mmc.exe and dllhost.exe, Windows also folds the command line into the hash, so one binary can produce many prefetch files. These files are all stored in the %SystemRoot%\Prefetch folder (normally C:\Windows\Prefetch).
Analyzing prefetch files is relatively straightforward. Contents include:
- File name: The name of the executable.
- Timestamps: Information on when the executable was run.
- Run counts: The number of times the executable has been executed.
- File and directory paths: Details about files and directories accessed by the executable.
Beyond the name and path, prefetch files record the number of times the application has been run, details of the volume it was run from, and timestamps showing when the application was last run. On Windows XP, Vista and 7 a prefetch file holds a single last-run timestamp (the first run can only be approximated from the prefetch file's own creation time); on Windows 8 and later it holds the last eight run times, giving investigators several additional timestamps to help build a timeline of events on a system. Two caveats apply. The recorded time is taken roughly ten seconds after the process started, not at the instant of launch. And Windows 10 and 11 store prefetch files compressed (the file begins with the bytes MAM rather than the SCCA signature of the uncompressed format), so a tool that does not handle that compression will read nothing from them. The Prefetch folder is also capped, at 128 files before Windows 8 and 1,024 from Windows 8 on, so on a busy system older entries are evicted.
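To make the layout described above concrete, here is a small parser, added as an example and not code from the original post or from Magnet Forensics, that reads the fixed header of an uncompressed prefetch file (version, SCCA signature, executable name, path hash) and then the run count and last-run FILETIME slots, whose offsets depend on the format version. It refuses MAM-compressed Windows 10/11 files rather than decompress them, and the input it runs on is a constructed version-30 sample built in the block itself, not a real capture; the offset table follows the publicly documented format versions 17, 23, 26 and 30 and is this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

MAM_SIGNATURE = b"MAM\x04"   # Windows 10/11: payload is LZXPRESS-Huffman compressed
SCCA_SIGNATURE = b"SCCA"     # uncompressed prefetch payload
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# (offset of first last-run FILETIME, number of FILETIME slots, offset of run count)
# per format version. Version 30 exists with a 224-byte and a 216-byte file-information
# block; the metrics array starts right after that block, so its offset (at 84) tells
# the two layouts apart. Offsets are absolute within the uncompressed file.
LAYOUTS = {
    17: (120, 1, 144),          # Windows XP / 2003: one last-run time
    23: (128, 1, 152),          # Windows Vista / 7: one last-run time
    26: (128, 8, 208),          # Windows 8 / 8.1: eight last-run times
    (30, 224): (128, 8, 208),   # Windows 10, 224-byte file information
    (30, 216): (128, 8, 200),   # Windows 10 / 11, 216-byte file information
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data: bytes) -> dict:
    if data[:4] == MAM_SIGNATURE:
        raise ValueError("MAM-compressed prefetch file: decompress (LZXPRESS Huffman) first")
    version, signature, _unknown, _file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    # 60 bytes of UTF-16LE executable name, NUL terminated, at offset 16
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    metrics_offset = struct.unpack_from("<I", data, 84)[0]
    key = version if version in (17, 23, 26) else (version, metrics_offset - 84)
    if key not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    ts_offset, ts_slots, rc_offset = LAYOUTS[key]
    raw_times = struct.unpack_from(f"<{ts_slots}Q", data, ts_offset)
    return {
        "version": version,
        "executable": name,
        "hash": f"{pf_hash:08X}",
        "expected_filename": f"{name}-{pf_hash:08X}.pf",
        "run_count": struct.unpack_from("<I", data, rc_offset)[0],
        # unused slots are zero; newest run is stored first
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],
    }


def build_sample() -> bytes:
    """Constructed sample (not a real capture): version 30 with a 216-byte file information."""
    buf = bytearray(300)
    struct.pack_into("<I4sII", buf, 0, 30, SCCA_SIGNATURE, 0x11, len(buf))
    exe = "SNIPPINGTOOL.EXE".encode("utf-16-le")
    buf[16:16 + len(exe)] = exe
    struct.pack_into("<I", buf, 76, 0x9A9B0B31)   # hash from the post's example file name
    struct.pack_into("<I", buf, 84, 300)          # metrics array right after 216-byte block
    runs = [datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
            datetime(2024, 2, 27, 18, 5, tzinfo=timezone.utc),
            datetime(2024, 2, 20, 8, 0, tzinfo=timezone.utc)]
    for slot, dt in enumerate(runs):              # three runs, remaining five slots zero
        struct.pack_into("<Q", buf, 128 + 8 * slot, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, 200, len(runs))   # run count for the 216-byte layout
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample()).items():
        print(f"{key}: {value}")
```

Version-specific offsets are the usual failure point in hand-written parsers, which is why the table is keyed on the measured size of the file-information block rather than on the version number alone. For the compressed Windows 10/11 files, decompress with an LZXPRESS Huffman implementation first and then pass the SCCA payload to the same function.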
The location of the executable can be just as important as any timestamp data. Most seasoned malware investigators can recognize the added concern of a known file executing from a temp folder, versus a more legitimate location such as the Windows\system32 folder.
Prefetch files also persist after the original application (or its parent directory) has been deleted. The path hash in the file name cannot be reversed to recover a deleted path, but it is deterministic: given a candidate path (from a shortcut, a registry entry, an event log or the directory listing inside another prefetch file), recomputing the hash for that path and comparing it with the one in the file name confirms or rules the candidate out. The hash algorithm differs between Windows XP, Vista and Windows 7 and later, so the calculator must use the variant matching the source system. Because the hash covers the full executable path, other programs run from the same deleted directory have different hashes; they are found instead through the file and directory lists stored inside each prefetch file, which name the folders the program referenced. In cases such as computer intrusion or malware, this can identify other malicious applications staged in the same location.
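The naming scheme described earlier and the path-confirmation use just mentioned both rest on the same function, so here is one added example (not code from the original post or from Magnet Forensics) implementing the Windows 7-and-later prefetch path hash in Python. It assumes the input is the executable's full device path (for example \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE), which is the form the hash is computed over, and upper-cases it. The candidate paths in the usage block are constructed for the demonstration and are not from any real case.

```python
def scca_2008_hash(path: str) -> int:
    """Prefetch path hash used by Windows 7 and later.

    Characters are consumed in blocks of eight, each block folded into the running
    32-bit value with the constants 442596621 and 803794207; any trailing characters
    are added one at a time with a multiply-by-37 step.
    """
    s = path.upper()                       # hash is computed over the upper-case path
    h, i, n = 314159, 0, len(s)
    while i + 8 < n:                       # full eight-character blocks
        v = ord(s[i + 1]) * 37
        for k in range(2, 7):
            v = (v + ord(s[i + k])) * 37
        v += ord(s[i]) * 442596621 + ord(s[i + 7])
        h = (v - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:                           # remaining characters
        h = (h * 37 + ord(s[i])) & 0xFFFFFFFF
        i += 1
    return h


def prefetch_filename(device_path: str) -> str:
    """Expected prefetch file name for an executable run from device_path."""
    exe = device_path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{scca_2008_hash(device_path):08X}.pf"


def match_candidates(pf_names, candidate_paths):
    """Map each observed prefetch file name to the candidate path whose hash matches,
    or None when no candidate reproduces the name."""
    by_name = {prefetch_filename(p): p for p in candidate_paths}
    return {name: by_name.get(name) for name in pf_names}


if __name__ == "__main__":
    # Constructed, hypothetical candidates: the same binary name in a temp folder
    # (suspicious) and in System32 (expected). In a real case the candidate list comes
    # from other artifacts and the observed name from the Prefetch folder.
    candidates = [
        r"\DEVICE\HARDDISKVOLUME2\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE",
        r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UPDATER.EXE",
    ]
    observed = [prefetch_filename(candidates[0])]   # stands in for a name found on disk
    for name, path in match_candidates(observed, candidates).items():
        print(f"{name} -> {path}")
```

Two practical notes. Use the device path, not the drive-letter path: the volume number is part of the hash, so a drive image mounted as a different volume still needs the original \DEVICE\HARDDISKVOLUMEn prefix. And for the hosting processes that fold the command line into the hash (svchost.exe, rundll32.exe, mmc.exe, dllhost.exe and a few others), append the command line to the path before hashing, otherwise no candidate will match.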
Making prefetch file analysis easier with Magnet Axiom
Magnet Axiom parses prefetch files from all versions of Windows into a separate artifact category for quick locating and review. The screenshot below (from a parsed Windows 11 image) shows a search result for a prefetch artifact, the same SNIPPINGTOOL.EXE file referenced above. Magnet Axiom has collected and organized the timestamps and additional details contained in the prefetch file and reports them to the investigator in an easy-to-read format:
- Hash of the original path of the application
- Application name
- The number of times the application was run
- Timestamps for the last eight times the application was run (Windows 8+)
By adding these timestamps to our prefetch analysis, investigators can use the Axiom Timeline feature to map out the applications that a suspect has run on a system over a given time or identify any malicious executables that might have run during an incident.
Prefetch files are just one of many Windows OS artifacts that help investigators understand what a user was doing on a system at a particular time. All Windows OS artifacts should be examined together to uncover the bigger picture of an incident or investigation.