Prefetch is a Windows operating system feature designed to improve application start-up performance and reduce the time a user waits for an application to load.
When an application starts, Prefetch records which files and resources it needs so they can be cached into memory ahead of the next launch, which typically speeds up loading and reduces wait time. Microsoft introduced Prefetch in Windows XP and has since revised the prefetch file format several times to improve its stability and functionality:
Some versions are:
- Windows XP and Windows 2003
- Vista and Windows 7
- Windows 8.1
- Windows 10
File location: C:\Windows\Prefetch [*Requires administrator privileges]
Each file name is the name of the executable followed by a hash value generated by Prefetch. The hash is derived from the path from which the file was executed, so the same executable run from two different locations produces two different prefetch files. Which hashing function is used depends on the version of Windows the file was taken from.
NOTE: Prefetch is enabled by default on Windows workstations but not on Windows servers.
In addition, the maximum number of prefetch files that can be stored is 128 on Windows XP to Windows 7 and 1024 on Windows 8 to Windows 10.
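To make the file-name hashing concrete, the following is an added example (not code from this page, from PECmd or from Microsoft) that recomputes the hash from an executable's full device path. The routines follow the publicly documented SCCA hash variants (libscca's format documentation), and the version mapping (XP/2003 use the XP variant, Vista uses the Vista variant, Windows 7 and later use the unrolled "2008" variant) follows the same source. All sample paths are constructed. An examiner can use it to confirm that a .pf name on disk corresponds to the location the binary was expected to run from, and to flag one that does not:

```python
"""Recompute the hash that Windows puts in a Prefetch file name.

Added example, not code from the page or from PECmd.  The routines follow
the publicly documented SCCA hash variants (libscca format documentation).
The string Windows hashes is the executable's full device path in upper
case, e.g. \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE.  Hosting
processes such as svchost.exe or rundll32.exe also fold their command line
into the hashed string (one binary, several .pf files); that case is not
modelled here.  All sample paths below are constructed.
"""

MASK32 = 0xFFFFFFFF


def hash_xp(text: str) -> int:
    """SCCA XP hash (Windows XP / Server 2003)."""
    h = 0
    for ch in text:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = (1 << 32) - h
    return h % 1000000007


def hash_vista(text: str) -> int:
    """SCCA Vista hash (Windows Vista): a base-37 polynomial seeded with 314159."""
    h = 314159
    for ch in text:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def hash_2008(text: str) -> int:
    """SCCA 2008 hash (Windows 7 and later), as documented: eight chars per step.

    Its constants are 37**7 mod 2**32 (442596621) and -(37**8) mod 2**32
    (803794207), i.e. it is the Vista polynomial unrolled, and it yields the
    same value as hash_vista for every input.
    """
    h = 314159
    i, n = 0, len(text)
    while i + 8 < n:
        v = ord(text[i + 1])
        for k in range(2, 7):
            v = v * 37 + ord(text[i + k])
        v = v * 37 + ord(text[i]) * 442596621 + ord(text[i + 7])
        h = (v - h * 803794207) & MASK32
        i += 8
    while i < n:
        h = (h * 37 + ord(text[i])) & MASK32
        i += 1
    return h


# Which variant each Windows generation uses (per libscca's documentation).
HASH_FOR_VERSION = {
    "xp": hash_xp, "2003": hash_xp,
    "vista": hash_vista,
    "7": hash_2008, "8": hash_2008, "8.1": hash_2008, "10": hash_2008,
}


def prefetch_filename(device_path: str, windows_version: str) -> str:
    """Name of the .pf file Windows would create for an executable at device_path."""
    hashed = device_path.upper()
    exe_name = hashed.rsplit("\\", 1)[-1]
    return f"{exe_name}-{HASH_FOR_VERSION[windows_version](hashed):08X}.pf"


def pf_matches_path(pf_name: str, device_path: str, windows_version: str) -> bool:
    """True if pf_name is what Windows would have produced for device_path.

    A mismatch means the .pf file was produced by a binary at a different
    path than assumed (or the wrong hash variant was chosen) and deserves
    a closer look.
    """
    return pf_name.upper() == prefetch_filename(device_path, windows_version).upper()


if __name__ == "__main__":
    sample_path = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE"  # constructed
    for version in ("xp", "vista", "7"):
        print(f"Windows {version}: {prefetch_filename(sample_path, version)}")
```

Run it against a path recovered from the file's own referenced-files list (the executable's full device path is recorded there) and compare the result with the .pf name on disk; the comparison is only meaningful when the correct Windows generation is selected.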
Forensic investigation with Prefetch files
Prefetch files are commonly used to investigate which applications have been executed on a system. Because they record a user's application history, they are a valuable source of evidence in forensic investigations.
In most cyber attacks the attacker executes a number of malicious files on the victim system to gather sensitive information or to compromise the entire system, so an attack typically involves multiple applications being executed.
By examining the prefetch files we can determine which applications the attacker ran on the targeted computer while compromising it, which lets us map the sequence in which the attack was carried out.
Each file also records when it was created and accessed, and these timestamps are used to correlate activity on the victim system.
Prefetch analysis using PECmd
PECmd is an open-source command-line tool that extracts all available forensic artifacts from a prefetch file.
Download → https://ericzimmerman.github.io/#!index.md
Note: PECmd can be downloaded from the link above.
PECmd.exe retrieves the following details:
- Created on [Displays the created date/time]
- Modified on [Displays the modified date/time]
- Last modified [Displays the last modified date/time]
- Executable Name [Displays the name of the executable]
- Hash [Displays the prefetch hash]
- File Size [Displays the file size in bytes]
- Windows Version [Displays the Windows version the file was created on]
- Run Count [Displays the total number of times the executable was run on the system]
- Other run times [Displays the date/time of up to the last seven runs of the executable on the system]
- Volume information
- Directories referenced [Lists the directories referenced]
- Files referenced [Lists the files referenced]
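To show where several of the fields in this list live inside the file, here is an added example (not PECmd's code and not from this page). It constructs a minimal Windows 7 (format version 23) prefetch header in memory, then parses the executable name, hash, last run time and run count back out of it, converting the FILETIME timestamp so it can be lined up against other evidence. Field offsets follow the publicly documented SCCA layout (libscca); all sample values are constructed. Windows 10 prefetch files are stored compressed (they begin with "MAM" rather than "SCCA") and must be decompressed before a parser like this can read them; the example only detects that case.

```python
"""Parse the header fields of an uncompressed Windows Prefetch (.pf) file.

Added example, not PECmd's code.  Offsets follow the publicly documented
SCCA layout (libscca format documentation) for format versions 17, 23 and 26.
Version 30 files (Windows 10+) are MAM-compressed on disk and are only
detected here.  The sample header built by build_sample_v23() is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute file offsets of the fields this example reads, per format version.
# 'n_runs': number of stored run times (Windows 8 and later keep the last 8).
LAYOUT = {
    17: dict(os="Windows XP/2003", last_run=0x78, n_runs=1, run_count=0x90),
    23: dict(os="Windows Vista/7", last_run=0x80, n_runs=1, run_count=0x98),
    26: dict(os="Windows 8.1",     last_run=0x80, n_runs=8, run_count=0xD0),
}


def filetime_to_datetime(ft: int):
    """Convert a FILETIME value to an aware UTC datetime (None for an empty slot)."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch_header(data: bytes) -> dict:
    """Return the PECmd-style header fields from raw .pf bytes."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file (Windows 10+): decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file: missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = LAYOUT[version]
    # Executable name: 60-byte UTF-16LE field at 0x10, NUL terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    run_times = [
        filetime_to_datetime(ft)
        for ft in struct.unpack_from(f"<{layout['n_runs']}Q", data, layout["last_run"])
    ]
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {
        "windows_version": layout["os"],
        "executable_name": exe_name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_run": run_times[0],
        "other_run_times": [t for t in run_times[1:] if t is not None],
    }


def build_sample_v23(exe_name: str, pf_hash: int, last_run: datetime, run_count: int) -> bytes:
    """Construct a minimal version-23 header (240 bytes) for demonstration.

    The file-metrics, trace-chain, filename-string and volume sections that a
    real file carries after the header are omitted.
    """
    buf = bytearray(0xF0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0xC, len(buf))              # file size
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: cmd.exe run 7 times, most recently 2023-05-01 12:30 UTC.
    sample = build_sample_v23("CMD.EXE", 0x4A81B364,
                              datetime(2023, 5, 1, 12, 30, tzinfo=timezone.utc), 7)
    for key, value in parse_prefetch_header(sample).items():
        print(f"{key}: {value}")
```

On a real file, pair the `last_run` timestamp with the NTFS created and modified times of the .pf file itself: the creation time approximates the executable's first run, while `last_run` and the modified time approximate the most recent one.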
Prefetch analysis is used to examine Windows forensic artifacts that help to investigate and understand what a user did on a system at a particular time. It is a major help in revealing the root cause of an attack and in uncovering the bigger picture of an incident or investigation.