What Is Prefetch?
Windows Prefetch is a performance feature designed to speed up application launches, but it also leaves behind a useful forensic artifact.
Each time a program runs, Windows may create or update a small file that records information about that execution.
This means investigators can often determine whether a specific program was launched on a computer, and when.
Where Prefetch Files Are Stored
Prefetch files live in:
C:\Windows\Prefetch
Each file represents a program that has been executed. The file name is the executable's name followed by an eight-character hexadecimal hash of the path it ran from, so the same program launched from two different folders produces two separate Prefetch files.
Example:
NOTEPAD.EXE-3F4A2B1C.pf
What Information Prefetch Contains
- Program name (the executable's file name)
- Last run time (Windows 8 and later keep the last eight run times; earlier versions keep only the most recent one)
- Number of executions (the run count)
- Files and directories touched during the first seconds of launch, including DLLs loaded by the program
Why This Matters
Prefetch can answer questions like:
- Was a specific program ever run?
- When was it last executed?
- How often was it used?
Example Investigation
If malware executed from a suspicious folder, investigators may find a matching Prefetch file showing when it ran, how many times, and which files it loaded at startup.
Even if the malware itself has been deleted, the Prefetch file may still remain.
Important Note
Windows XP through Windows 7 keep at most 128 Prefetch files; Windows 8 and later keep up to 1024. Once the limit is reached, the oldest entries are removed to make room for new ones, so Prefetch is most useful for investigating recent activity.
Prefetch can also be turned off entirely: it is disabled by default on Windows Server editions and can be disabled through the EnablePrefetcher registry value. The absence of a Prefetch file is therefore not proof that a program never ran.