
Windows Prefetch Data: Collecting Evidence

Intro

The Prefetch feature in Windows speeds up the start of frequently used programs by recording which files a program touched when it launched and loading them ahead of time on later launches. Because that record is written to disk, each prefetch file carries evidence of an execution (the executable name, a hash of the path it ran from, how many times it ran and when it last ran) that incident response teams can use to establish that a program was run on a host.

Explained

Reading files from memory is faster than reading them from disk. By having the necessary files already in memory, Windows avoids the delay of fetching them from disk at start-up. When an application is launched, the Prefetch feature creates a file with the extension ".pf" in the "C:\Windows\Prefetch" folder. The file is named after the executable followed by an eight-hex-digit hash of the full path it ran from (for example NOTEPAD.EXE-<hash>.pf; for hosting processes such as svchost.exe and rundll32.exe the command line is included in the hash), so the same program launched from two different directories leaves two .pf files. Prefetch is enabled by default on workstation editions of Windows and normally disabled on Windows Server; the setting is the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 off, 1 application prefetch, 2 boot prefetch, 3 both). On Windows 10 and later the files are written by the SysMain service, so if that service is stopped no new .pf files appear. The folder holds at most 128 .pf files on Windows 7 and earlier and 1024 on Windows 8 and later, after which older entries are evicted.

These ".pf" files list the files and directories the application loaded during its first seconds of execution and the order in which they should be brought into memory. The next time the application is launched, Windows uses this information to preload the necessary files, reducing the time it takes for the application to start.

The Prefetch folder by itself already tells you how frequently and when an application was used: a .pf file's creation time is close to the first launch and its last-modified time is close to the most recent launch (the file is rewritten roughly ten seconds after the program starts). Inside the file there is considerably more. On Windows 10 and later the files are stored compressed (they begin with the bytes "MAM" and use LZXPRESS Huffman compression), so they must be decompressed before parsing; once decompressed, the file exposes the total run count, the last run time (the eight most recent run times on Windows 8 and later), the executable name, the hash of its full path, the volumes it ran from with their serial numbers, and the full paths of every file and directory it loaded.
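The parser below is an added example, not code from the original page or from the PowerForensics project, and it does in Python what the PowerShell script later on this page deliberately does not: it reads the execution evidence out of a .pf file's fixed header. Field offsets follow the publicly documented SCCA layout for versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8); for version 30 (Windows 10/11, after decompression) only the eight run-time slots are read, because the run-count offset moved between builds. MAM-compressed files are detected and rejected rather than decompressed. The sample file, its executable name CMD.EXE, the hash 0x4A81B364, the run count 7 and the timestamp are all constructed inline so the example runs offline; they are not taken from a real system.

```python
"""Minimal Windows Prefetch (.pf) header parser for triage.

Added example, not the page's own script. Offsets follow the publicly
documented SCCA layout; the sample file at the bottom is constructed.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: (last-run-time offset, number of run-time slots, run-count offset).
# Version 30 keeps the eight run-time slots at 128 but the run count moved between
# Windows 10 builds (200 vs 208), so it is left unresolved here.
LAYOUT = {
    17: (120, 1, 144),   # Windows XP / Server 2003
    23: (128, 1, 152),   # Windows Vista / 7
    26: (128, 8, 208),   # Windows 8 / 8.1
    30: (128, 8, None),  # Windows 10 / 11 (decompressed); run-count offset varies
}


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_pf_name(name):
    """Split 'CMD.EXE-4A81B364.pf' into ('CMD.EXE', 0x4A81B364).

    The hash is computed from the executable's full path, so one program run
    from two directories leaves two differently hashed files."""
    m = re.fullmatch(r'(.+)-([0-9A-Fa-f]{8})\.pf', name, re.IGNORECASE)
    if not m:
        raise ValueError(f'not a prefetch file name: {name}')
    return m.group(1), int(m.group(2), 16)


def parse_prefetch(data):
    """Return the execution evidence held in a .pf file's fixed header."""
    if data[:4] == b'MAM\x04':
        # Windows 10+ stores .pf files LZXPRESS-Huffman compressed. Decompress
        # first (RtlDecompressBufferEx on Windows, or a tool such as PECmd).
        raise ValueError('MAM-compressed prefetch file: decompress before parsing')
    version, sig, _unknown, file_size = struct.unpack_from('<I4sII', data, 0)
    if sig != b'SCCA':
        raise ValueError('bad signature, not a prefetch file')
    if version not in LAYOUT:
        raise ValueError(f'unsupported prefetch version {version}')
    # Offset 16: 60-byte NUL-terminated UTF-16LE executable name; offset 76: path hash.
    exe = data[16:76].decode('utf-16-le').split('\x00', 1)[0]
    (path_hash,) = struct.unpack_from('<I', data, 76)
    run_off, slots, count_off = LAYOUT[version]
    raw_times = struct.unpack_from(f'<{slots}Q', data, run_off)
    run_times = [t for t in (filetime_to_datetime(ft) for ft in raw_times) if t]
    run_count = struct.unpack_from('<I', data, count_off)[0] if count_off else None
    return {
        'version': version,
        'file_size': file_size,
        'executable': exe,
        'hash': path_hash,
        'run_count': run_count,
        'last_run_times': run_times,  # most recent first, as stored on disk
    }


def triage(name, data):
    """Parse a file and cross-check its on-disk name against the header.

    A mismatch means the file was renamed or planted, which is itself a finding."""
    name_exe, name_hash = parse_pf_name(name)
    info = parse_prefetch(data)
    info['name_matches_header'] = (name_exe.upper() == info['executable'].upper()
                                   and name_hash == info['hash'])
    return info


def build_sample_v23(exe, path_hash, run_count, last_run):
    """Constructed Windows 7 (version 23) header, 240 bytes, for offline testing."""
    buf = bytearray(240)
    struct.pack_into('<I4sII', buf, 0, 23, b'SCCA', 0x11, len(buf))
    name = exe.encode('utf-16-le')
    buf[16:16 + len(name)] = name
    struct.pack_into('<I', buf, 76, path_hash)
    ft = int((last_run - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    struct.pack_into('<Q', buf, 128, ft)
    struct.pack_into('<I', buf, 152, run_count)
    return bytes(buf)


# Constructed sample (not from a real host): CMD.EXE run 7 times, last on 2023-05-01.
SAMPLE_NAME = 'CMD.EXE-4A81B364.pf'
SAMPLE_PF = build_sample_v23('CMD.EXE', 0x4A81B364, 7,
                             datetime(2023, 5, 1, 12, 34, 56, tzinfo=timezone.utc))

if __name__ == '__main__':
    for key, value in triage(SAMPLE_NAME, SAMPLE_PF).items():
        print(f'{key}: {value}')
```

On a live Windows 7 host the same functions work on `open(r'C:\Windows\Prefetch\CMD.EXE-4A81B364.pf', 'rb').read()` (administrator rights are needed to read that folder); on Windows 10 the MAM check fires and the file must be decompressed first.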

Script

The following script pulls basic prefetch information for quick retrieval by incident response teams. It reads only the NTFS metadata of the .pf files, not the run count or run times stored inside them, so it does not give the full timeline of application executions; it gives evidence that a process was launched, roughly when it was first launched (CreationTime) and most recently launched (LastWriteTime). Treat LastAccessTime with caution: NTFS last-access updating is disabled by default on many systems, so that column may simply mirror the creation or write time. Run the script from an elevated PowerShell prompt, since C:\Windows\Prefetch is not readable by standard users. If run as is, the output is written to C:\temp\prefetch_information.csv.

If you need the data inside the files (run counts, run times, loaded paths), check out Get-ForensicPrefetch. The PowerForensics module utilizes a C# class library (assembly) to offer a public API for conducting forensic tasks, including parsing .pf files directly.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Create the output folder first; Export-Csv fails if C:\temp does not exist.
$outputPath = 'C:\temp\prefetch_information.csv'
New-Item -ItemType Directory -Path (Split-Path $outputPath) -Force | Out-Null

# Only *.pf files: the folder also holds Layout.ini, ReadyBoot\ and other
# files that are not execution evidence and would otherwise produce empty rows.
$prefetchFiles = Get-ChildItem -Path C:\Windows\Prefetch -Filter *.pf -File |
    Sort-Object -Property LastWriteTime -Descending

$results = foreach ($file in $prefetchFiles) {
    # File name is <EXECUTABLE>-<8 hex digit path hash>.pf; keep the executable part.
    $strippedName = ([regex]::Match($file.Name, '^(.+)-[0-9A-Fa-f]{8}\.pf$')).Groups[1].Value
    [PSCustomObject][ordered]@{
        'Stripped'           = $strippedName
        'Name'               = $file.Name
        'LastAccessTime'     = $file.LastAccessTime   # unreliable when NTFS last-access updates are off
        'LastWriteTime'      = $file.LastWriteTime    # approximates the most recent execution
        'CreationTime'       = $file.CreationTime     # approximates the first execution
        'Prefetch File Size' = "{0:N1} KB" -f ($file.Length / 1KB)   # .pf files are tens of KB, MB rounds to ~0
        'Mode'               = $file.Mode
    }
}

$results | Export-Csv -Path $outputPath -NoTypeInformation

Conclusion

Prefetch in Windows records which applications were executed on a system, how many times and when, making it an important artifact for forensic investigators and incident response teams. By understanding how the feature works and what its files contain, investigators can build a timeline of program execution on a Windows host. Keep the limits in mind when drawing conclusions: the absence of a .pf file does not prove a program never ran, because Prefetch may be disabled (as it is by default on servers), the folder caps out at 128 or 1024 entries, and an attacker with administrator rights can delete the files.