Prefetch Files
When system or user programs are executed on a Windows computer a Prefetch file is created. The purpose of the Prefetch file is to increase the performance of the computer by pre-loading code pages. Example of prefetch files are detailed below:
A Prefetch file is created for every program executed. Note a program does not have to installed, execution of standalone programs will also result in the creation of Prefetch files. A Prefetch file name contains the original name of the executable file followed by a hexadecimal value of the path that executable file resides in together with a ‘.pf’ file extension.
It can seen in the above image that many programs have been executed. Note that highlighted Prefetch files indicating that the BitLocker Wizard and a Command Prompt has been executed.
The Prefetch files record the first and last times an executable has been run, the name and the path it was executed from, how many times it has been executed together with the dates and times for the last 8 executions.
An example of Prefetch metadata is detailed below:
It can be seen that whilst the BitLocker Wizard has only been executed once, the Command Prompt has been executed on 94 occasions!
Malware has to execute to have an effect on a computer. It must run as a process in its own right or run as part of another process. If the malware has run as a process in its own right a Prefetch file will be created for that process.
Analysis of Prefetch files should therefore form part of any malware investigation.
Introduction to Digital Forensics: Malware Analysis and Investigations
Introduction to Digital Forensics: Malware Analysis and Investigations
Reach your personal and professional goals
Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.
Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.
