analyzing-prefetch-files-for-execution-history

# Analyzing Prefetch Files for Execution History ## When to Use - When determining which programs were executed on a Windows system and when - During malware investigations to confirm execution of suspicious binaries - For establishing a timeline of application usage during an incident - When correlating program execution with other forensic artifacts - To identify anti-forensic tools or unauthorized software that was run ## Prerequisites - Access to Windows Prefetch directory (C:\Windows\Prefetch\) from forensic image - PECmd (Eric Zimmerman), WinPrefetchView, or python-prefetch parser - Understanding of Prefetch file format (versions 17, 23, 26, 30) - Windows system with Prefetch enabled (default on client OS, disabled on servers) - Knowledge of Prefetch naming conventions (APPNAME-HASH.pf) ## Workflow ### Step 1: Extract Prefetch Files from Forensic Image ```bash # Mount the forensic image mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence # Copy all prefetch files mkdir -p /cases/case-2024-001/prefetch/ cp /mnt/evidence/Windows/Prefetch/*.pf /cases/case-2024-001/prefetch/ # Count and list prefetch files ls -la /cases/case-2024-001/prefetch/ | wc -l ls -la /cases/case-2024-001/prefetch/ | head -30 # Hash all prefetch files for integrity sha256sum /cases/case-2024-001/prefetch/*.pf > /cases/case-2024-001/prefetch/pf_hashes.txt # Note: Prefetch filename format is EXECUTABLE_NAME-XXXXXXXX.pf # The hash (XXXXXXXX) is based on t...