Prefetch Files

Windows, Execution Evidence, Disk Image

Location

C:\Windows\Prefetch\*.pf

Common Names

.pf

Description

Windows Prefetch files (.pf) are written by the Windows prefetcher to speed up application start-up. Each one records the executable name, a run count, the last execution time (Windows 7 and earlier) or the last eight execution times (Windows 8 and later), and the files and directories the process touched during the first ten seconds after launch. The file is named EXECUTABLE.EXE-HASH.pf, where the hash is derived from the executable's full path (and, for hosting processes such as svchost.exe and rundll32.exe, from the command line as well), so the same binary launched from two locations produces two separate prefetch files.

Forensic Value

Prefetch shows that an executable was launched on the host, even after the binary was deleted, because the .pf file persists independently of it. It does not show that the process completed, or anything it did after the ten-second trace window. The retained execution timestamps (eight on Windows 8 and later, one on Windows 7) give a usage pattern; the run count tells you how many launches fall outside that window and are therefore undated. Referenced files and directories reveal what the tool touched at launch, such as configuration files or credential stores (the SAM and SECURITY hives, NTDS.dit). The .pf file's own NTFS creation time approximates the first execution (the file is written when the trace ends, roughly ten seconds after launch) and its modification time the most recent one. A prefetch entry for psexec.exe, mimikatz.exe, or rclone.exe is a strong indicator of compromise. Attackers rename tools, so also review the referenced file list, which still carries the DLLs and files the tool loaded and fingerprints it regardless of its name, and watch for the same executable name appearing with more than one path hash.

Tools Required

KAPE, PECmd (Eric Zimmerman), WinPrefetchView (NirSoft)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target Prefetch

PECmd

PECmd.exe -d "C:\Windows\Prefetch" --csv C:\output --csvf Prefetch.csv

PowerShell

New-Item -ItemType Directory -Path C:\output\Prefetch -Force | Out-Null
Copy-Item "C:\Windows\Prefetch\*.pf" -Destination C:\output\Prefetch\   # run elevated; a plain copy resets the .pf creation timestamps, so prefer KAPE when those matter

WinPrefetchView

WinPrefetchView.exe /folder "C:\Windows\Prefetch" /scomma C:\output\prefetch_parsed.csv
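The following is an added example, not part of this page and not code from PECmd or its author: a Python triage pass over the Prefetch.csv that the PECmd command above produces. It builds the execution timeline from the retained run times, scopes it to an intrusion window, flags the tool names called out under Forensic Value, flags entries whose referenced files include credential stores (the SAM and SECURITY hives, NTDS.dit), flags one executable name that appears under several path hashes, and reports how many launches the run count covers beyond the eight dated ones. It assumes PECmd's column names ExecutableName, Hash, RunCount, LastRun, PreviousRun0 through PreviousRun6 and FilesLoaded, and the CSV embedded in it is constructed, not captured from a host.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of PECmd --csv output. Assumption: PECmd's column names
# ExecutableName, Hash, RunCount, LastRun, PreviousRun0..PreviousRun6 and
# FilesLoaded; the real file carries more columns, which this parser ignores.
# Rows: a benign editor with 42 runs (only 8 dated), a known tool, a renamed
# tool that reads the SAM and SYSTEM hives, cmd.exe from two paths, and rclone.
SAMPLE_CSV = r"""ExecutableName,Hash,RunCount,LastRun,PreviousRun0,PreviousRun1,PreviousRun2,PreviousRun3,PreviousRun4,PreviousRun5,PreviousRun6,FilesLoaded
NOTEPAD.EXE,D8414F97,42,2024-05-03 09:12:00,2024-05-02 17:40:11,2024-05-02 08:03:57,2024-05-01 14:22:30,2024-04-30 11:05:12,2024-04-29 09:47:55,2024-04-26 16:31:08,2024-04-25 10:15:44,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\NTDLL.DLL,\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\KERNEL32.DLL"
MIMIKATZ.EXE,2F5A1B3C,1,2024-05-03 02:14:37,,,,,,,,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\NTDLL.DLL,\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\USERS\PUBLIC\MIMIKATZ.EXE"
UPDATE.EXE,7C0E9A11,2,2024-05-03 02:20:05,2024-05-03 02:19:40,,,,,,,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\CONFIG\SAM,\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\CONFIG\SYSTEM"
CMD.EXE,4A81B364,2,2024-05-03 08:30:00,2024-05-02 12:00:00,,,,,,,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\WINDOWS\SYSTEM32\CMD.EXE"
CMD.EXE,8E1C5F02,1,2024-05-03 02:12:58,,,,,,,,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\USERS\PUBLIC\CMD.EXE"
RCLONE.EXE,B33F0C7D,3,2024-05-03 03:02:10,2024-05-03 02:58:44,2024-05-03 02:51:09,,,,,,"\VOLUME{01da9d3f8e5c4a2b-1a2b3c4d}\USERS\PUBLIC\RCLONE.EXE"
"""

KNOWN_TOOLS = {"PSEXEC.EXE", "PSEXESVC.EXE", "MIMIKATZ.EXE", "RCLONE.EXE"}
CREDENTIAL_STORES = ("\\CONFIG\\SAM", "\\CONFIG\\SECURITY", "\\NTDS.DIT")
RUN_COLUMNS = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]  # at most 8 dated runs


def parse_timestamp(value):
    """PECmd writes UTC timestamps; accept them with or without fractional seconds."""
    value = value.strip()
    if not value:
        return None
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_pecmd_csv(text):
    """Reduce each PECmd row to the fields the triage needs."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        runs = [t for t in (parse_timestamp(raw[c]) for c in RUN_COLUMNS) if t]
        rows.append({
            "exe": raw["ExecutableName"].upper(),
            "hash": raw["Hash"].upper(),  # derived from the executable's full path
            "run_count": int(raw["RunCount"] or 0),
            "runs": runs,  # only the last eight launches keep a timestamp
            "files": [f for f in raw["FilesLoaded"].split(",") if f],
        })
    return rows


def execution_timeline(rows):
    """Every retained launch time across all prefetch files, oldest first."""
    return sorted((t, r["exe"], r["hash"]) for r in rows for t in r["runs"])


def events_between(rows, start, end):
    """Launches inside an intrusion window; bounds are datetimes or PECmd-style strings."""
    if isinstance(start, str):
        start = parse_timestamp(start)
    if isinstance(end, str):
        end = parse_timestamp(end)
    return [e for e in execution_timeline(rows) if start <= e[0] <= end]


def triage(rows):
    """Flag known tools, credential-store access, undated runs and one name under several paths."""
    findings = []
    hashes_by_name = defaultdict(set)
    for r in rows:
        hashes_by_name[r["exe"]].add(r["hash"])
        if r["exe"] in KNOWN_TOOLS:
            findings.append(("known_tool", r["exe"], r["hash"]))
        if any(s in f.upper() for f in r["files"] for s in CREDENTIAL_STORES):
            findings.append(("credential_store_access", r["exe"], r["hash"]))
        if r["run_count"] > len(r["runs"]):
            # The run count exceeds the retained timestamps: earlier launches are undated.
            findings.append(("undated_runs", r["exe"], str(r["run_count"] - len(r["runs"]))))
    for exe, hashes in hashes_by_name.items():
        if len(hashes) > 1:
            # Same name, different path hash: the binary ran from more than one location.
            findings.append(("multiple_paths", exe, ",".join(sorted(hashes))))
    return findings


if __name__ == "__main__":
    rows = parse_pecmd_csv(SAMPLE_CSV)
    for finding in triage(rows):
        print(finding)
    for when, exe, h in events_between(rows, "2024-05-03 02:00:00", "2024-05-03 03:30:00"):
        print(when, exe, h)
```

On a real Prefetch.csv, replace SAMPLE_CSV with the file contents; the hash strings in the findings map straight back to the NAME-HASH.pf source files for deeper review with PECmd's full output (Directories, volume serials, parsing errors).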

Collection Constraints

  • Prefetch is enabled by default on Windows client SKUs and disabled by default on Windows Server. It is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 = disabled, 1 = application launch only, 2 = boot only, 3 = both; application prefetch needs 1 or 3) and, on Windows 8 and later, by the SysMain (formerly Superfetch) service being running. Treat the absence of a .pf file as inconclusive unless you verified both on that host.
  • The directory is capped at 128 .pf files on Windows 7 and earlier and 1024 on Windows 8 and later; older entries are evicted, so on a busy host the only record of an old execution can already be gone.
  • Only the last eight execution times (one on Windows 7) are retained per file. The run count survives, but launches older than those are undated.
  • Windows 10 and later store .pf files compressed (Xpress Huffman, "MAM" signature). PECmd and WinPrefetchView decompress them; string searches or older parsers run against the raw file will miss the content.
  • Timestamps inside the file are UTC FILETIMEs and PECmd reports them in UTC. A plain file copy resets the NTFS creation time of the copy, so collect with KAPE, or record the originals first, when file-system timestamps matter.

MITRE ATT&CK Techniques

T1059 (Command and Scripting Interpreter), T1204.002 (User Execution: Malicious File), T1569.002 (System Services: Service Execution)