Extracting Windows Prefetch Files

JBrown
May 12, 2020 · 5 min read

What is Prefetch?
Prefetch is a Windows feature implemented to speed up the loading of programs. By default, the information is stored as an individual file in %SystemRoot%\Prefetch with a “pf” extension. On most systems these files can be found in the directory C:\Windows\Prefetch. In forensic analysis, prefetch files can be extracted to identify details about file execution such as the file name, timestamps and other resources consumed as the file executes.

Prefetch is essentially an implementation of a RAM disk that keeps recently executed programs ready to launch, decreasing the load time of frequently used applications. Information found in prefetch files can be used to establish evidence of application execution and is therefore a valuable source of information in digital forensic analysis.

Another Windows feature similar to Prefetch is called Superfetch; it runs directly in Windows memory as a RAM cache. On newer systems, both Prefetch and Superfetch are managed by the “SysMain” service.

Sysmain service

Prefetch Configuration

On most Windows systems, prefetch is enabled by default unless:

  • System is a Windows Server
  • System only has SSD drives.

From Windows 8 forward, Windows detects drive types and will intelligently decide whether to enable prefetch to speed up spinning disks. Detailed information about the Prefetch file format can be found here.

Prefetch/Superfetch are configured through the same registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The EnablePrefetcher value can be set to one of the following:

  • 0 = Disabled
  • 1 = Application launch prefetching enabled
  • 2 = Boot prefetching enabled
  • 3 = Applaunch and Boot enabled (Optimal and Default)
Prefetch / Superfetch registry settings

What information can be found in Prefetch?

Version: Version of Prefetch
Run count: Number of times the prefetched file has run
Time Stamps: Last run timestamp(s) UTC
File name: Original executable file name
Prefetch hash: Hash value generated from the application path
Volume Count: Number of volumes associated with file execution
Volume Timestamp: Volume create timestamp
Volume Device Path: Device Path where file is launched
Volume Serial Number: Volume Serial Number
Directory Strings: Directories accessed by prefetched file
Resources Loaded: Files loaded along with the prefetched file

Prefetch Version Numbers

  • 17: Windows XP and Windows 2003
  • 23: Vista and Windows 7
  • 26: Windows 8.1
  • 30: Windows 10

Major Differences in Prefetch versions
The prefetch function has changed across Windows versions, and there are three notable differences between versions.

  • Prefetch hashing differs based on Windows version
  • Prefetch files for Windows 8.1 and later are MAM compressed, so directory strings and loaded resource paths are not in clear text.
  • Run count timestamps for Windows 8.1 and greater keep timestamps for the last eight times the prefetched file was run. Earlier versions only store the latest run time.
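As an added example (not code from this post, from pyscca or from any of the tools named here), the following parser reads the uncompressed header layouts of versions 17, 23, 26 and 30 to recover the fields listed above (version, executable name, prefetch hash, run count, last-run timestamps) and shows the version differences just described: one timestamp for 17/23, eight for 26/30, and a MAM header that must be decompressed before parsing. The build_sample helper and its values are constructed test input, and the version 30 run-count offset is an assumption noted in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"   # header of a compressed Windows 10 prefetch file
# version -> (offset of last-run FILETIME(s), how many are kept, run count offset).
# Assumption: version 30 is parsed with the layout that keeps the run count at
# 0xD0; a later Windows 10 variant moves it to 0xC8 and is not detected here.
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98),
          26: (0x80, 8, 0xD0), 30: (0x80, 8, 0xD0)}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)  # FILETIME is 100 ns ticks

def hash_from_filename(pf_name):
    # the 8 hex digits before ".pf" (e.g. WWAHOST.EXE-776591F6.pf) are the prefetch hash
    return pf_name.rsplit("-", 1)[1].rsplit(".", 1)[0].upper()

def parse_prefetch_header(data):
    """Return version, executable name, hash, run count and last-run times (UTC)."""
    if data[:4] == MAM_SIGNATURE:
        raw_size = struct.unpack_from("<I", data, 4)[0]
        raise ValueError(f"MAM-compressed prefetch ({raw_size} bytes decompressed): decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE or version not in LAYOUT:
        raise ValueError("not a supported uncompressed prefetch file")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    ts_off, ts_count, rc_off = LAYOUT[version]
    ticks = struct.unpack_from(f"<{ts_count}Q", data, ts_off)
    return {"version": version, "executable": exe, "hash": f"{pf_hash:08X}",
            "run_count": struct.unpack_from("<I", data, rc_off)[0],
            # unused slots of the 8-entry array are zero and are skipped
            "last_runs": [filetime_to_datetime(t) for t in ticks if t]}

def build_sample(version, exe, pf_hash, run_count, filetimes):
    """Constructed test input: a minimal header with every other section zeroed."""
    ts_off, ts_count, rc_off = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, version, SIGNATURE, 0, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    stamps = list(filetimes) + [0] * (ts_count - len(filetimes))
    struct.pack_into(f"<{ts_count}Q", buf, ts_off, *stamps)
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)
```

Feeding a real .pf file's bytes to parse_prefetch_header gives the same fields the post's prefetchruncounts.py prints; on Windows 10 it raises on the MAM header, which is exactly where w10pfdecomp.py is needed.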

Parsing Prefetch Files
Accessing Basic Artifacts
Prefetch files are stored in the SCCA file format and can be parsed in Python using pyscca. Uncompressed prefetch data can be extracted using just a few lines of code.

opening prefetch in python using pyscca

Here is the output from the script prefetchruncounts.py that is based on code above.

basic prefetch output

Accessing Compressed Data
Francesco Picasso has written W10pfdecomp.py. This script uses Python and Windows DLLs to decompress prefetch data and therefore does not work in a non-Windows environment. Once the data is decompressed, it can be read using the “strings” command.

w10pfdecomp.py and strings to view MAM compressed prefetch data

Putting it all together
Adam Witt, at the excellent Hexacorn blog, has written about prefetch files and also has a script, prefetch.py, that incorporates the w10pfdecomp.py decompressor and comprehensively extracts prefetch file metadata and strings from a single file or a directory of prefetch files.

using prefetch.py to parse a single prefetch file

Even More Data and Structured Output
And if prefetch.py isn’t enough, there is PECmd by Eric Zimmerman. PECmd is a Windows executable written in C# that grabs everything that can be known about a prefetch file and outputs the data as formatted CSV or JSON.

csv output from PECmd.exe

Fields Provided:
The data can be output as CSV or JSON, as a timeline of executable files and an exhaustive table of all metadata. I ran the command:

PECmd.exe -d "E:\windows\Prefetch" --csv "c:\temp" --csvf foo.csv

and got back two csv files. The first had metadata with the following fields:

Notes
SourceFilename
SourceCreated
SourceModified
SourceAccessed
ExecutableName
Hash
Size
Version
RunCount
LastRun
PreviousRun0, PreviousRun1, PreviousRun2, PreviousRun3, PreviousRun4, PreviousRun5, PreviousRun6
Volume0Name, Volume0Serial, Volume0Created
Volume1Name, Volume1Serial, Volume1Created
Directories
FilesLoaded
ParsingError

The second file was generated as a timeline of executions containing a last run time and complete executable path.

Prefetch extraction for Linux
After running Eric’s PECmd utility, I decided to update the earlier script, prefetchruncounts.py, to see if it was possible to access the compressed MAM data. This would allow me to produce Prefetch output similar to PECmd and prefetch.py on a Linux platform.

Sure enough, the latest version of pyscca allowed me to easily parse the strings and print the output. The updated script now produces two files, somewhat like PECmd.

prefetchruncounts.py command syntax:
python prefetchruncounts.py /Prefetch/WWAHOST.EXE-776591F6.pf

By default, run count output goes to stdout and two files are created: Prefetch_strings.csv and Prefetch_run_counts.csv. There is an option “-o” to rename the default output file names.

Extract Prefetch run counts from a single file

The file Prefetch_strings.csv with executable and application paths

I wasn’t able to get every shred of data from the files, but I was able to greatly improve my capability to target and analyze Prefetch from my Linux platform.

Available tools for parsing Prefetch
Beyond what has been mentioned, there are still other tools for parsing prefetch. Some of those tools can be found on the DFIR training site.

Parsers of note include NirSoft’s WinPrefetchView and TZWorks Windows Prefetch Parser and a Prefetch Dump Enscript.
