🏺 Prefetch

Created: 01.06.2023

Every day, the computer loads some programs and a lot of additional crap that comes with it. Every day the same routine over and over again. Being a diligent and responsible guy, it wondered how to improve this process. So, it decided to save the most recently loaded programs and whatever DLLs and stuff these programs need so that everything is ready the next time the program is run. Where is this data stored? In Prefetch.

Prefetch exists to make starting processes and loading their resources (movies for media players, spreadsheets for Excel, for example) more efficient, which improves the startup time of applications. The PC watches what an app requests and opens during its first 10 seconds of execution and only then creates or updates the corresponding pf file.

☠️ Anatomy

Each prefetch file name follows the pattern: <EXENAME>-<PATHHASHED+CMDARGS>.pf. When collecting prefetch on a live system, run the volatile collection tools first and then collect the pf files, to avoid the oldest prefetch files being overwritten with prefetch for the live response tools (or disable prefetch before collection). Prefetch tracks the execution of programs: it is a central repository of what was run on the system. File size can be used to search for the same process with a different name on a different machine.

📂 Path: C:\Windows\Prefetch.

❗️ Limited to 128 files on XP and Win7- 10

Prefetch contains the following information about the process (I’ve marked the most forensically interesting fields with a 🔥):

🐾 Filename 🔥
🐾 Creation time 🔥
🐾 Modified time 🔥
🐾 File Size
🐾 Process EXE
🐾 Process Path 🔥
🐾 Run Counter 🔥
🐾 Last Run Time 🔥 (the same information is reflected in the file system modification timestamp)
🐾 Missing Process + libraries and resources for each process.

All prefetch files have a signature at the 4th byte offset: MAM for compressed files and SCCA for plain (uncompressed) ones.

OS Signature1 (version) signature2 (type)
WinXP & 2003 0x00000011 or 17 SCCA
Vista 0x00000023 or 23 SCCA
W8 0x0000001a or 26 SCCA
W10 MAM 0x04
W10 0x0000001e or 30 SCCA
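A header check built on the signatures above, as an added example that is not part of the original page. It assumes the publicly documented 84-byte SCCA header (version, SCCA, unknown dword, file size, 60-byte UTF-16 executable name, path hash, unknown dword) and that compressed files begin with MAM\x04 followed by the decompressed size; for MAM files the cross-checks apply to the decompressed bytes. The function names and the sample header are constructed for the demo.

```python
import struct

# Decimal version values as listed in the table above.
VERSIONS = {17: "WinXP & 2003", 23: "Vista", 26: "W8", 30: "W10"}

def build_sample(exe: str, path_hash: int, version: int = 30) -> bytes:
    """Constructed 84-byte SCCA header for the demo (not a real capture)."""
    name = exe.encode("utf-16-le").ljust(60, b"\x00")
    return struct.pack("<I4sII60sII", version, b"SCCA", 0, 84, name, path_hash, 0)

def check_pf_header(data: bytes, filename: str) -> dict:
    """Classify a .pf file and cross-check its header against its file name."""
    if data[:4] == b"MAM\x04" and len(data) >= 8:
        # Compressed file: the next dword is the decompressed size.
        size = struct.unpack_from("<I", data, 4)[0]
        return {"type": "MAM", "os": "W10", "size": size, "issues": []}
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("no prefetch signature found")
    version, _, _, size, raw_name, path_hash, _ = struct.unpack_from(
        "<I4sII60sII", data, 0)
    exe = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stem = filename.upper()
    if stem.endswith(".PF"):
        stem = stem[:-3]
    name_part, _, hash_part = stem.rpartition("-")
    issues = []
    # The 60-byte header field holds at most 29 characters plus a terminator.
    if name_part[:29] != exe.upper():
        issues.append("exe name differs from file name")
    try:
        if int(hash_part, 16) != path_hash:
            issues.append("hash differs from file name")
    except ValueError:
        issues.append("file name carries no hex hash")
    if size != len(data):
        issues.append("size field differs from bytes on disk")
    return {"type": "SCCA", "os": VERSIONS.get(version, "unknown"),
            "exe": exe, "hash": f"{path_hash:08X}", "size": size,
            "issues": issues}

if __name__ == "__main__":
    sample = build_sample("CMD.EXE", 0x4F5C5E2B)  # constructed values
    print(check_pf_header(sample, "CMD.EXE-4F5C5E2B.pf"))
    print(check_pf_header(sample, "SVCHOST.EXE-4F5C5E2B.pf"))
```

A pf file whose embedded name or hash disagrees with its file name has been renamed or altered after creation and deserves a closer look.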

Prefetch can be disabled in the registry (SYSTEM hive), key 🔑: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher:

key meaning
0 disabled
1 enabled for apps only
2 enabled for boot only
3 boot and app enabled (default)

📘 You can check it with rip.exe:

rip.exe -r SYSTEM -p prefetch # to show whether prefetch is enabled

⛔️ When live-response tools 🛠️ are run on the system, new pf files are created, and older ones might get deleted.

⛔️ Prefetch is usually turned off on servers and on systems with an SSD (which don’t like write operations).

⛔️ Starting from Windows 10, prefetch files are compressed.

⛔️ There is also a latency issue: some apps are not closed upon clicking ❌ but remain running in the background. Hence, the last run time might be different.

⛔️ The hash in the filename is derived from both the app path and command line arguments. That’s why some legit processes have several pf files.

Prefetch is an invaluable resource during an investigation. Although one should not rely on it solely, it gives a lot of insights.

🏺 First, sometimes it so happens (especially with the malware running on the system) that two programs have the same name. Since they can’t be in the same folder (Windows won’t allow it), the path to the executable for both programs will be different. Since the pf filename is derived from the path hash and the exe name, if the same exe was run from different locations - different .pf files will be created. Now, imagine that you see two prefetch files for cmd, that’s not something expected and is worth looking into.

🏺 Another good thing about Prefetch is that even if an application was deleted, the info remains in Prefetch (at least, for some time).

🏺 Prefetch stores 8 execution times (one of them is the first time run, and the other is the last time run). But don’t forget about the file system timestamps! The date and time the pf file itself was created serves as yet another execution time.
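The duplicate-name check from the first point above (two pf files for cmd), as an added example that is not part of the original page. The function names, the sample listing and the set of host processes expected to have several pf files are assumptions made for the demo; adjust the host list to your environment.

```python
import os
import re
from collections import defaultdict

# <EXENAME>-<HASH>.pf; greedy match so hyphens inside the exe name survive.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{1,8})\.pf$", re.IGNORECASE)

# Assumption: host processes whose hash also covers command-line arguments,
# so several pf files for them are expected.
HOSTS = {"SVCHOST.EXE", "DLLHOST.EXE", "RUNDLL32.EXE", "MMC.EXE",
         "BACKGROUNDTASKHOST.EXE"}

def group_by_exe(filenames):
    """Map each executable name to the set of hashes seen for it."""
    groups = defaultdict(set)
    for name in filenames:
        m = PF_NAME.match(name)
        if m:  # skips Layout.ini and other non-pf entries
            groups[m["exe"].upper()].add(m["hash"].upper())
    return groups

def multi_path_candidates(filenames, hosts=HOSTS):
    """Executables with more than one hash that are not known host processes."""
    return {exe: sorted(hashes)
            for exe, hashes in group_by_exe(filenames).items()
            if len(hashes) > 1 and exe not in hosts}

def scan(prefetch_dir):
    """Run the check over a collected Prefetch folder."""
    return multi_path_candidates(os.listdir(prefetch_dir))

# Constructed directory listing (hash values are made up).
SAMPLE = [
    "CMD.EXE-4A81B364.pf",
    "CMD.EXE-0BD30981.pf",
    "SVCHOST.EXE-7AC6742A.pf",
    "SVCHOST.EXE-135A30D8.pf",
    "NOTEPAD.EXE-D8414F97.pf",
    "MY-TOOL.EXE-1B2C3D4E.pf",
    "Layout.ini",
]

if __name__ == "__main__":
    for exe, hashes in multi_path_candidates(SAMPLE).items():
        print(f"{exe}: run from {len(hashes)} locations -> {', '.join(hashes)}")
```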

⏰ Timestamps

Filesystem Timestamps. The first time the executable is run, a pf file is created. The last time it was run is reflected in the pf file’s Modified date and time. However, consider a scenario when a program was run a long time in the past and wasn’t run for a while after that. Its pf file was overwritten (prefetch keeps 1024 entries, which used to be 128 in W7 and below). Sometime after that, the executable is run again, and the pf file is created again. The FS timestamps will then show that the file was first executed recently, when the real history is not that straightforward.

🛠 Tools

💡 Write a script to determine deleted files

WinPrefetchView. To view prefetch files (decompressed as well) in GUI.

Fred - Forensic Registry Editor. To view exported hives.

FTK Imager Lite. Fairly heavy footprint - 15-16Mb.

CDQR. This tool focuses on the pf file itself rather than on the data it contains. It’s useful for making timelines.

RegRipper (GUI and CUI).

rip.exe -r SYSTEM -p prefetch # to show whether prefetch is enabled

Prefetch parser. More info than with WinPrefetchView

prefetch.py -c -d -e
prefetch.py -c -d > pf.csv
prefetch.py -f <file_to_parse> > pf.txt

Columns: last executed, MFT sequence number, MFT record number, executable name, run counter,

PECmd. Eric Zimmerman’s tool.

PECmd.exe -f <pffile>.pf
PECmd.exe -d "Prefetch folder" --csv "outputdir" --csvf "outputfile"
PECmd.exe -f "Prefetch_file.pf" --json "outputdir" --jsonpretty

# -k     comma-separated keywords
# --mp   high precision timestamps
# --local
# --vss  process Volume Shadow Copies as well
