Prefetch

1. What Is Windows Prefetch

  • Prefetch is a Windows performance feature: when an application runs, Windows tracks which files and resources it uses (for ~10 seconds) so that future launches are faster.

  • Prefetch files are stored in C:\Windows\Prefetch\ and use the .pf extension.

  • File-naming convention: <EXECUTABLE_NAME>-<HASH>.pf, where the hash is derived from the full path of the executable.

  • Different Windows versions use different Prefetch format versions: e.g., 17 for XP, 30 for Windows 10.

  • On newer Windows (8+), Prefetch files may contain up to 8 embedded timestamps (last run times).

  • There is a limit on how many Prefetch files the OS retains: for example, Windows 8+ can keep up to ~1,024.

  • Limitation: Prefetch only records resource usage during the first seconds of execution, so not all file activity is captured.


2. Forensic Value of Prefetch

  • Evidence of Execution: A .pf file indicates that an executable was run.

  • Run Count: How many times the application has been executed.

  • Timestamps: Useful to build a timeline — first run, last run(s).

  • Referenced Files and Directories: Prefetch records which DLLs and other files the application touched during startup, which can help identify malicious behavior.

  • Executable Path Insight: The hash in the filename gives insight into where the executable was run from — important if an attacker ran it from a non-standard location (e.g., a temp folder).

  • Persistence of Evidence: Even if the executable is deleted, the Prefetch file may remain, giving evidence of past execution.


3. Prefetch File Structure (Low-Level / Technical)

  • Prefetch files are structured binary files, with a fixed header followed by multiple sections.

  • Timestamps inside the prefetch file are stored as 64-bit FILETIME values (little-endian).

  • Key metadata in a prefetch file includes:

    • Executable name

    • Hash of its path (used in filename)

    • Run count

    • Volume (disk) information (which volume the exe was run from)

    • List of referenced files / DLLs used on startup
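To make the layout described in this section concrete, here is an added Python example (not code from the original page, nor from PECmd or any other tool the page mentions) that builds a constructed, uncompressed version-30 prefetch image in memory and then parses the header, the eight last-run FILETIME slots, the run count and the referenced-file strings. Offsets follow the libscca format documentation for versions 26 and 30; choosing between the 224-byte and 216-byte file-information variants by the file-metrics offset is an assumption of this example, and volume information is not parsed. Windows 10 stores .pf files MAM-compressed on disk, so a real file must be decompressed first (PECmd does this for you); this example only handles the decompressed layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC; a slot of 0 means "unused".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Parse an *uncompressed* version 26/30 prefetch image (offsets per libscca docs)."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("no SCCA signature: not an uncompressed prefetch file "
                         "(Windows 10 .pf files on disk are usually MAM-compressed)")
    if version not in (26, 30):
        raise ValueError(f"format version {version} is not handled by this example")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # 60 bytes of UTF-16LE executable name, NUL-terminated, at 0x10
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # File-information block starts at 0x54: nine 32-bit offsets/counts
    (metrics_off, _metrics_n, _chains_off, _chains_n,
     names_off, names_size, _vols_off, vols_n, _vols_size) = struct.unpack_from("<9I", data, 0x54)
    last_runs = struct.unpack_from("<8Q", data, 0x80)          # 8 x FILETIME
    info_size = metrics_off - 0x54
    if info_size == 224:      # v26 and the common v30 layout
        run_count_off = 0xD0
    elif info_size == 216:    # later v30 layout (assumption: selected by info size)
        run_count_off = 0xC8
    else:
        raise ValueError(f"unexpected file-information size {info_size}")
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    # Referenced files: a run of NUL-terminated UTF-16LE strings
    names_blob = data[names_off:names_off + names_size].decode("utf-16-le")
    referenced = [s for s in names_blob.split("\x00") if s]
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(ft) for ft in last_runs if ft],
        "volume_count": vols_n,
        "referenced_files": referenced,
    }


def build_sample_prefetch():
    """Constructed sample image (not a real file): CMD.EXE, 3 runs, 2 populated timestamps."""
    exe_name = "CMD.EXE"
    path_hash = 0x4A81B364                       # constructed value
    runs = [datetime(2024, 3, 5, 14, 22, 10, tzinfo=timezone.utc),
            datetime(2024, 3, 4, 9, 1, 0, tzinfo=timezone.utc)]
    vol = "\\VOLUME{01d9c3a0c6e1f234-a1b2c3d4}"   # constructed volume name
    names = [vol + "\\WINDOWS\\SYSTEM32\\CMD.EXE",
             vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             vol + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL"]
    names_blob = "".join(n + "\x00" for n in names).encode("utf-16-le")
    info = bytearray(224)
    names_off = 0x54 + len(info)   # 0x134: empty metrics/chains arrays, strings follow directly
    struct.pack_into("<9I", info, 0, names_off, 0, names_off, 0,
                     names_off, len(names_blob), names_off + len(names_blob), 0, 0)
    filetimes = [datetime_to_filetime(d) for d in runs] + [0] * (8 - len(runs))
    struct.pack_into("<8Q", info, 0x80 - 0x54, *filetimes)
    struct.pack_into("<I", info, 0xD0 - 0x54, 3)                 # run count
    total = 0x54 + len(info) + len(names_blob)
    header = struct.pack("<I4sII60sII", 30, b"SCCA", 0x11, total,
                         exe_name.encode("utf-16-le").ljust(60, b"\x00"), path_hash, 0)
    return header + bytes(info) + names_blob


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

The `expected_filename` field is worth comparing against the actual name of the .pf file on disk: the executable name and hash are embedded in the file itself, so a mismatch between the two is a simple tampering check.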


4. Tools for Prefetch Analysis

  • PECmd (by Eric Zimmerman):

    • A command-line tool for parsing .pf files.

    • It extracts: created time, modified time, last run times, run count, volume info, referenced files/directories.

    • Example usage:


5. Investigation Workflow (Forensics / IR)

  1. Collection

    • Acquire the C:\Windows\Prefetch\ directory from a disk image.

    • Compute hashes of the .pf files for integrity.

  2. Parsing

    • Use PECmd (or other tool) to parse every .pf file.

    • Export data (e.g., CSV, JSON) for further analysis.

  3. Timeline Construction

    • Use embedded timestamps (up to 8 for newer Windows) + file system MACE timestamps to build a run timeline.

    • The creation timestamp of the PF file often corresponds to the first execution.

  4. Contextual Analysis

    • Check the path hash in the filename to understand where the executable ran from; if it's from a suspicious location, raise a flag.

    • Look at the list of referenced DLLs/files to understand which modules were loaded during startup — helpful when analyzing malware.

    • Correlate Prefetch data with other artifacts: event logs, process execution logs (e.g., Event ID 4688), AmCache, Shimcache, etc.

  5. Anomaly Detection

    • Multiple .pf files with the same executable name but different hashes → the same binary ran from different paths.

    • Unusual run count (very high or very low) may indicate either frequent use or possible cover-up.

    • Missing .pf files for known malicious executables may indicate tampering / anti-forensics.

  6. Reporting

    • For each suspicious .pf: document executable name, path hash, run count, run times, referenced files.

    • Build a narrative: “This executable ran from a temp directory X times, last run was at …, and loaded these DLLs …”

    • Assess forensic significance: is it malware, legitimate software, or possibly a user tool?
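Steps 4 and 5 of the workflow hinge on the path hash in the .pf filename. As an added example (not code from the original page or from any tool it names), the following Python implements the SCCA 2008 hash, the variant Windows 7 through Windows 10 use to derive that hash from the upper-cased device path (as documented by libscca), verifies candidate paths against .pf filenames, and flags the two anomalies from step 5: the same executable name with several hashes, and execution from an unusual directory. The candidate paths, .pf names and suspicious-directory list are constructed for the example. Because the hash is not reversible, the check can only confirm or rule out paths you already have (for instance from the file system, $MFT or an application allow-list).

```python
# Added example: prefetch path-hash verification and anomaly triage (constructed data).

# Windows 7/8/10 hash the upper-cased device path, e.g.
# \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE, with the "SCCA 2008" function
# documented by libscca. Some hosts (e.g. svchost.exe) mix command-line data into
# the hashed string, so a non-match for those is not proof the path was never used.
def scca_2008_hash(path):
    s = path.upper()
    h = 314159
    i, n = 0, len(s)
    while i + 8 < n:                          # one round per 8 characters
        v = ord(s[i + 1]) * 37
        v = (v + ord(s[i + 2])) * 37
        v = (v + ord(s[i + 3])) * 37
        v = (v + ord(s[i + 4])) * 37
        v = (v + ord(s[i + 5])) * 37
        v = (v + ord(s[i + 6])) * 37
        v += ord(s[i]) * 442596621            # 37**7 mod 2**32
        v += ord(s[i + 7])
        h = (v - h * 803794655) & 0xFFFFFFFF
        i += 8
    while i < n:                              # tail: plain multiply-by-37 step
        h = (37 * h + ord(s[i])) & 0xFFFFFFFF
        i += 1
    return h


def split_pf_name(pf_filename):
    """'CMD.EXE-4A81B364.pf' -> ('CMD.EXE', 0x4A81B364)."""
    stem = pf_filename[:-3] if pf_filename.lower().endswith(".pf") else pf_filename
    exe, _, hexhash = stem.rpartition("-")
    return exe, int(hexhash, 16)


def resolve_path(pf_filename, candidates):
    """Return every candidate path whose name and SCCA hash match the .pf filename."""
    exe, target = split_pf_name(pf_filename)
    return [c for c in candidates
            if c.upper().endswith("\\" + exe.upper()) and scca_2008_hash(c) == target]


# Constructed list of directories an investigator would treat as unusual launch points.
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\DOWNLOADS\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\")


def triage(pf_filenames, candidates):
    """Step 5 of the workflow: flag same-name/different-hash and suspicious locations."""
    hashes_by_exe = {}
    for name in pf_filenames:
        exe, h = split_pf_name(name)
        hashes_by_exe.setdefault(exe, set()).add(h)
    findings = []
    for name in pf_filenames:
        exe, h = split_pf_name(name)
        resolved = resolve_path(name, candidates)
        notes = []
        if len(hashes_by_exe[exe]) > 1:
            notes.append(f"{exe} has {len(hashes_by_exe[exe])} different path hashes "
                         "(same binary name ran from different paths)")
        for p in resolved:
            if any(d in p.upper() for d in SUSPICIOUS_DIRS):
                notes.append("ran from suspicious location: " + p)
        if not resolved:
            notes.append("path not resolved from candidate list")
        findings.append({"pf": name, "executable": exe, "hash": f"{h:08X}",
                         "resolved_paths": resolved, "notes": notes})
    return findings


# Constructed candidate paths (device-path form) and the .pf names they would produce.
SAMPLE_CANDIDATES = [
    "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE",
    "\\DEVICE\\HARDDISKVOLUME2\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\CMD.EXE",
    "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
]
SAMPLE_PF_FILES = [f"{p.rsplit(chr(92), 1)[1]}-{scca_2008_hash(p):08X}.pf"
                   for p in SAMPLE_CANDIDATES[:2]] + ["NOTEPAD.EXE-DEADBEEF.pf"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PF_FILES, SAMPLE_CANDIDATES):
        print(finding["pf"], finding["resolved_paths"], finding["notes"])
```

In practice the candidate list comes from a file-system listing or $MFT parse of the same image, and every resolved temp-directory hit should then be carried into the step 6 narrative together with the run count and last-run times from the parsed .pf file.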


6. Limitations & Caveats

  • Prefetch is disabled on some systems (e.g., on certain Windows Server configurations).

  • Timestamps can be imprecise: the Prefetch mechanism monitors only the first ~10 seconds of execution, so not all activity is captured.

  • Filename hash ambiguity: the hash is derived from the path, but reversing it is not trivial.

  • Limited retention: old .pf files may be purged when the system reaches its Prefetch limit.

  • Anti-forensics: attackers can delete or tamper with Prefetch files to hide execution.

  • Not user-specific: Prefetch does not record which user ran the program.
