Forensic Analysis of Prefetch files in Windows


This is the fourth blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.

What are Prefetch Files?

Prefetch files are great artifacts for forensic investigators trying to analyze applications that have been run on a system. Windows creates a prefetch file when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications. For investigators, these files contain some valuable data on a user’s application history on a computer.

Why are Prefetch Files Important to Your Digital Forensics Investigation?

Evidence of program execution can be a valuable resource for forensic investigators. They can prove that a suspect ran a program like CCleaner to cover up any potential wrongdoing. If the program has since been deleted, a prefetch file may still exist on the system to provide evidence of execution. Another valuable use for prefetch files is in malware investigations which can assist examiners in determining when a malicious program was run. Combining this with some basic timeline analysis, investigators can identify any additional malicious files that were downloaded or created on the system, and help determine the root cause of an incident.

The Key Artifacts That Need to be Found When Investigating Prefetch Files

Prefetch files are all named in a common format where the name of the application is listed, then an eight character hash of the location where the application was run, followed by the .PF extension. For example, the prefetch file for calc.exe would appear as CALC.EXE-0FE8F3A9.pf, where 0FE8F3A9 is a hash of the path from where the file was executed. These files are all stored in the ROOT/Windows/Prefetch folder.

Calculating the original path of the application from the hash provided in the prefetch file is relatively easy, but can be time consuming. Depending on the version of Windows the file was taken from, a different hashing function is used. One function is used for XP/2003, a different one for Vista, and another is used for 2008/7/8/2012. Both the Forensics Wiki and Hexacorn blog go into excellent detail on prefetch files, and provide scripts for investigators to calculate the original path.

The location of the executable can be just as important as any timestamp data. Most seasoned malware investigators can recognize the added concern of a known file executing from a temp folder, versus a more legitimate location such as the Windows\system32 folder.

While the information found in the filename can be quite valuable, the contents of a prefetch file contain a wealth of information as well. Below is a partial screenshot of the raw data included with the prefetch file for calc.exe:

Analyzing prefetch files is relatively straightforward. Beyond the name and path mentioned previously, prefetch files contain details on the number of times the application has been run, volume details, as well as timestamp information detailing when the application was first and last run. For Windows 8+, prefetch files now contain up to eight timestamps for when an application was last run, giving investigators several additional timestamps to help build a timeline of events on a system.

Making Prefetch File Analysis Easier with Internet Evidence Finder (IEF)

The below screenshot shows a search result for a prefetch artifact (same calc.exe file referenced and shown above). However, IEF has collected and organized the timestamps and additional details contained in the prefetch file, plus reported them to the investigator in an easy-to-read format:

  1. Hash of the original path of the application
  2. Application name
  3. The number of times the application was run
  4. Timestamps for the last 8 times the application was run (Windows 8)

By adding these timestamps to our prefetch analysis, investigators can use tools like IEF Timeline or log2timeline to map out the applications that a suspect has run on a system over a given time, or identify any malicious executables that might have run during an incident.

Prefetch files are just one of many Windows OS artifacts that help investigators understand what a user was doing on a system at a particular time. All Windows OS artifacts should be examined together to uncover the bigger picture of an incident or investigation.

As always, feel free to get in touch with me by emailing jamie(dot)mcquaid(at)magnetforensics(dot)com. Or, you can ask me a question here. 

Related resources you might be interested in:

  1. Read the next blog in our series: Forensic Analysis of Windows Shellbags
  2. See what IEF is all about: Attend a Demo
  3. Try IEF for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics