Every day, the computer loads some programs and a lot of additional crap that comes with them. Every day the same routine, over and over again. Being a diligent and responsible guy, it wonders how to improve this process. So it decides to save the most recently loaded programs and whatever DLLs and other stuff those programs need, so that everything is ready the next time the program is run. Where is this data stored? In Prefetch.
Prefetch exists to make starting processes and loading their resources (movies for media players, spreadsheets for Excel, for example) more efficient; it improves application startup time. The PC watches what an app requests and opens during its first 10 seconds of execution and only then creates or updates the corresponding pf file.
⚠️ Anatomy
Each prefetch file name follows the pattern <EXENAME>-<PATHHASHED+CMDARGS>.pf. If collecting prefetch on a live system, run volatile collection tools before it, then collect the pf files, so that prefetch entries for your live-response tools do not overwrite the oldest ones (or disable prefetch before collection). Prefetch tracks the execution of programs: a central repository of what was run on the system. File size can be used to search for the same process under a different name on a different machine.
📁 Path: C:\Windows\Prefetch.
Prefetch contains the following information about the process (I've marked the most forensically interesting fields with a 🔥):
💾 Filename 🔥
💾 Creation time 🔥
💾 Modified time 🔥
💾 File Size
💾 Process EXE
💾 Process Path 🔥
💾 Run Counter 🔥
💾 Last Run Time 🔥 (the same information is reflected in the file system modification timestamp)
💾 Missing Process + libraries and resources for each process.
All prefetch files carry a signature: SCCA at byte offset 4 marks a plain (uncompressed) file, while compressed files start with MAM instead.
OS | Signature1 (version) | Signature2 (type)
---|---|---
WinXP & 2003 | 0x00000011 or 17 | SCCA
Vista | 0x00000017 or 23 | SCCA
W8 | 0x0000001a or 26 | SCCA
W10 | MAM | 0x04
W10 | 0x0000001e or 30 | SCCA
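As an added example (not code from the original notes), here is a small Python check that applies the table above to the first 8 bytes of a .pf file: it tells a plain SCCA file from a MAM-compressed one and maps the version number to the OS generation. The sample headers are constructed, not real prefetch files.

```python
import struct

# Version number at offset 0 of an uncompressed .pf file -> Windows generation,
# following the signature table in these notes (23 is also written by Win7).
PF_VERSIONS = {17: "WinXP & 2003", 23: "Vista/7", 26: "W8", 30: "W10"}


def identify_prefetch(data: bytes) -> dict:
    """Classify a .pf file from its first 8 bytes, without parsing the body.

    Plain files:      uint32 version at offset 0, ASCII 'SCCA' at offset 4.
    Compressed files: 'MAM' + 0x04 at offset 0 (Windows 10 LZXPRESS-Huffman
                      container), then the uint32 decompressed size at offset 4.
    """
    if len(data) < 8:
        raise ValueError("too short to be a prefetch file")
    if data[:4] == b"MAM\x04":
        decompressed_size = struct.unpack_from("<I", data, 4)[0]
        return {"format": "compressed", "version": None, "os": "W10",
                "decompressed_size": decompressed_size}
    if data[4:8] == b"SCCA":
        version = struct.unpack_from("<I", data, 0)[0]
        return {"format": "plain", "version": version,
                "os": PF_VERSIONS.get(version, "unknown")}
    raise ValueError("no SCCA signature at offset 4 and no MAM header")


def identify_prefetch_file(path: str) -> dict:
    """Same check for a file on disk; only the header is read."""
    with open(path, "rb") as fh:
        return identify_prefetch(fh.read(8))


# Constructed sample headers (not real prefetch files).
SAMPLE_PLAIN_W8 = struct.pack("<I", 26) + b"SCCA"
SAMPLE_COMPRESSED = b"MAM\x04" + struct.pack("<I", 0x1234)
SAMPLE_NOT_PF = b"MZ\x90\x00" + b"\x00" * 4   # a PE header, not prefetch

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN_W8, SAMPLE_COMPRESSED):
        print(identify_prefetch(sample))
```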
Prefetch can be disabled in the registry, SYSTEM hive, key 🔑 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, value EnablePrefetcher:
value | meaning
---|---
0 | disabled
1 | enabled for apps only
2 | enabled for boot only
3 | boot and app enabled (default)
👉 You can check it with rip.exe:
rip.exe -r SYSTEM -p prefetch # to show whether prefetch is enabled
❗ When live-response tools 🛠️ are run on the system, new pf files are created, and older ones might get deleted.
❗ Prefetch is usually turned off on servers and on systems with an SSD (which don't like write operations).
❗ Starting from Windows 10, prefetch files are compressed.
❗ Also, there is a latency issue: some apps are not closed upon clicking ❌ but remain running in the background, so the last run time might differ from what you expect.
❗ The hash in the filename is derived from both the app path and the command-line arguments. That's why some legitimate processes have several pf files.
Prefetch is an invaluable resource during an investigation. Although one should not rely on it alone, it gives a lot of insights.
🔺 First, sometimes it happens (especially with malware running on the system) that two programs have the same name. Since they can't be in the same folder (Windows won't allow it), the path to the executable will be different for each. Since the pf filename is derived from the path hash and the exe name, the same exe run from different locations produces different .pf files. Now, imagine that you see two prefetch files for cmd: that's not something expected and is worth looking into.
🔺 Another good thing about Prefetch is that even if an application was deleted, the info remains in Prefetch (at least for some time).
🔺 Prefetch stores 8 execution times (one of them is the first run time, and another is the last run time). But don't forget about the file system timestamps! So, treat the date and time the pf file itself was created as yet another execution time.
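As an added example (not part of the original notes) for the first point above, this Python snippet parses the <EXENAME>-<HASH>.pf names in a Prefetch folder listing and reports executables that appear with more than one hash, i.e. were run from different paths or with different command lines. The listing and the hashes in it are constructed.

```python
import re
from collections import defaultdict

# <EXENAME>-<HASH>.pf: the hash is 8 hex digits derived from the executable's
# path (and command line), so the same exe run from two paths yields two files.
# NTFS names are case-insensitive, hence the IGNORECASE and the upper-casing.
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_pf_name(filename: str):
    """Split a prefetch file name into (EXENAME, HASH); None for non-pf names."""
    m = PF_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def group_by_exe(filenames):
    """Map each executable name to the set of distinct hashes seen for it."""
    groups = defaultdict(set)
    for name in filenames:
        parsed = parse_pf_name(name)
        if parsed:
            exe, path_hash = parsed
            groups[exe].add(path_hash)
    return dict(groups)


def multi_location_exes(filenames):
    """Executables with more than one hash: run from several paths or with
    different command lines. Two entries for CMD.EXE is the case worth a look."""
    return {exe: sorted(hashes)
            for exe, hashes in group_by_exe(filenames).items() if len(hashes) > 1}


# Constructed directory listing for the example; the hashes are invented.
SAMPLE_LISTING = [
    "CMD.EXE-0BD30981.pf",
    "cmd.exe-8e75b5bb.pf",        # same name, different hash -> different path
    "NOTEPAD.EXE-D8414F97.pf",
    "SOME-TOOL.EXE-1A2B3C4D.pf",  # a dash inside the exe name is handled
    "Layout.ini",                 # lives in the folder but is not a .pf file
]

if __name__ == "__main__":
    print(multi_location_exes(SAMPLE_LISTING))
```

On a real case, feed it the names from a copied Prefetch folder (for example `os.listdir`) instead of SAMPLE_LISTING.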
⏰ Timestamps
Filesystem timestamps. The first time the executable is run, a pf file is created. The last time it was run is the pf file's Modified date and time. However, consider a scenario where a program was run a long time in the past and wasn't run for a while after that. Its pf file was overwritten (prefetch keeps 1024 entries, which used to be 128 in W7 and below). Sometime after that, the executable is run again, and the pf file is created again. The FS timestamps will then show that the file was first executed recently, which is not the whole story.
🛠 Tools
💡 Write a script to determine deleted files
WinPrefetchView. To view prefetch files (decompressed as well) in a GUI.
Fred - Forensic Registry Editor. To view exported hives.
FTK Imager Lite. Fairly heavy footprint: 15-16 MB.
CDQR. This tool focuses on the pf file itself rather than on the data it contains. It's useful for making timelines.
RegRipper (GUI and CUI).
rip.exe -r SYSTEM -p prefetch # to show whether prefetch is enabled
Prefetch parser. More info than with WinPrefetchView.
prefetch.py -c -d -e
prefetch.py -c -d > pf.csv
prefetch.py -f <file_to_parse> > pf.txt
Columns: last executed, MFT sequence number, MFT record number, executable name, run counter,
PECmd. Eric Zimmerman's tool.
PECmd.exe -f <pffile>.pf
PECmd.exe -d "Prefetch folder" --csv "outputdir" --csvf "outputfile"
PECmd.exe -f "Prefetch_file.pf" --json "outputdir" --jsonpretty
# -k comma-separated keywords to highlight in the output
# --mp high precision timestamps
# --local
# --vss process Volume Shadow Copies as well