Prefetch Files
Windows | Execution Evidence | Disk Image
Location
C:\Windows\Prefetch\*.pf
Description
Windows Prefetch files record application execution, storing the executable name, the run count, the last eight execution times, and every file and directory referenced during the first ten seconds of execution.
Forensic Value
Prefetch proves that a program executed even after the binary has been deleted. The last eight execution timestamps give a usage-pattern timeline. The referenced files and directories reveal what the tool accessed at launch, such as configuration files or credential stores. The existence of a prefetch file for tools such as psexec.exe, mimikatz.exe, or rclone.exe is a strong indicator of compromise.
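The triage that paragraph describes, as an added example that is not part of this entry or of any of the tools listed below: it takes already-parsed prefetch records (the record layout, the sample file names and hashes, and the sensitive-path hints are constructed for illustration), flags the indicator tools named above and any sensitive referenced file, and merges the per-file execution times into one timeline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Tool names the entry above lists as strong indicators of compromise when a .pf exists for them.
SUSPICIOUS_EXECUTABLES = {"PSEXEC.EXE", "MIMIKATZ.EXE", "RCLONE.EXE"}
# Substrings of referenced paths worth flagging (constructed list; extend per case).
SENSITIVE_PATH_HINTS = ("\\RCLONE.CONF", "\\NTDS.DIT", "\\CONFIG\\SAM")

@dataclass
class PrefetchRecord:
    """One parsed .pf file. Field names are assumed (modelled on parser CSV output), not a real format."""
    pf_name: str                                          # e.g. RCLONE.EXE-1A2B3C4D.pf
    run_count: int
    run_times: list = field(default_factory=list)         # up to eight, newest first
    referenced_files: list = field(default_factory=list)  # touched in the first ten seconds

def executable_from_pf_name(pf_name: str) -> str:
    """'FOO.EXE-12345678.pf' -> 'FOO.EXE'. The suffix is a hash of the full launch path,
    so the same binary run from two directories leaves two .pf files."""
    stem = pf_name[:-3] if pf_name.lower().endswith(".pf") else pf_name
    return stem.rsplit("-", 1)[0].upper()

def triage(records):
    """Return (alerts, timeline): alerts for known-tool names and sensitive referenced files,
    and an oldest-first list of every recorded execution so runs of different tools line up."""
    alerts, timeline = [], []
    for rec in records:
        exe = executable_from_pf_name(rec.pf_name)
        if exe in SUSPICIOUS_EXECUTABLES:
            alerts.append((exe, f"known attacker tool, run {rec.run_count} time(s)"))
        for path in rec.referenced_files:
            if any(hint in path.upper() for hint in SENSITIVE_PATH_HINTS):
                alerts.append((exe, f"referenced sensitive file {path}"))
        timeline.extend((t, exe) for t in rec.run_times)
    timeline.sort()
    return alerts, timeline

def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample: one exfiltration tool run three times and one benign editor; hashes are made up.
SAMPLE_RECORDS = [
    PrefetchRecord("RCLONE.EXE-1A2B3C4D.pf", 3,
                   [_utc(2024, 3, 5, 2, 10), _utc(2024, 3, 5, 1, 40), _utc(2024, 3, 4, 23, 55)],
                   [r"\VOLUME{guid}\USERS\ADMIN\APPDATA\ROAMING\RCLONE\RCLONE.CONF"]),
    PrefetchRecord("NOTEPAD.EXE-AAAA1111.pf", 12,
                   [_utc(2024, 3, 5, 0, 5)], [r"\VOLUME{guid}\WINDOWS\SYSTEM32\NOTEPAD.EXE"]),
]

if __name__ == "__main__":
    found, order = triage(SAMPLE_RECORDS)
    for exe, why in found:
        print(f"ALERT {exe}: {why}")
    for when, exe in order:
        print(when.isoformat(), exe)
```

Matching on the executable name only catches tools that kept their name; the referenced-file check is what still fires when a renamed binary reads its usual configuration or credential files.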
Tools Required
KAPE
PECmd (Eric Zimmerman)
WinPrefetchView (NirSoft)