InfoSec Notes
  • InfoSec Notes
  • General
    • External recon
    • Ports scan
    • Bind / reverse shells
    • File transfer / exfiltration
    • Pivoting
    • Passwords cracking
  • Active Directory
    • Recon - Domain Recon
    • Recon - AD scanners
    • Exploitation - NTLM capture and relay
    • Exploitation - Password spraying
    • Exploitation - Domain Controllers CVE
    • Exploitation - Kerberos AS_REP roasting
    • Exploitation - Credentials theft shuffling
    • Exploitation - GPP and shares searching
    • Exploitation - Kerberos Kerberoasting
    • Exploitation - ACL exploiting
    • Exploitation - GPO users rights
    • Exploitation - Active Directory Certificate Services
    • Exploitation - Kerberos tickets usage
    • Exploitation - Kerberos silver tickets
    • Exploitation - Kerberos delegations
    • Exploitation - gMS accounts (gMSAs)
    • Exploitation - Azure AD Connect
    • Exploitation - Operators to Domain Admins
    • Post Exploitation - ntds.dit dumping
    • Post Exploitation - Kerberos golden tickets
    • Post Exploitation - Trusts hopping
    • Post Exploitation - Persistence
  • L7
    • Methodology
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 111 / 2049 - NFS
    • 113 - Ident
    • 135 - MSRPC
    • 137-139 - NetBIOS
    • 161 - SNMP
    • 389 / 3268 - LDAP
    • 445 - SMB
    • 512 / 513 - REXEC / RLOGIN
    • 554 - RTSP
    • 1099 - JavaRMI
    • 1433 - MSSQL
    • 1521 - ORACLE_DB
    • 3128 - Proxy
    • 3306 - MySQL
    • 3389 - RDP
    • 5985 / 5986 - WSMan
    • 8000 - JDWP
    • 9100 - Printers
    • 11211 - memcached
    • 27017 / 27018 - MongoDB
  • Windows
    • Shellcode and PE loader
    • Bypass PowerShell ConstrainedLanguageMode
    • Bypass AppLocker
    • Local privilege escalation
    • Post exploitation
      • Credentials dumping
      • Defense evasion
      • Local persistence
    • Lateral movements
      • Local credentials re-use
      • Over SMB
      • Over WinRM
      • Over WMI
      • Over DCOM
      • CrackMapExec
  • Linux
    • Local privilege escalation
    • Post exploitation
  • DFIR
    • Common
      • Image acquisition and mounting
      • Memory forensics
      • Web logs analysis
      • Browsers forensics
      • Email forensics
      • Docker forensics
    • Windows
      • Artefacts overview
        • Amcache
        • EVTX
        • Jumplist
        • LNKFile
        • MFT
        • Outlook_files
        • Prefetch
        • RecentFilecache
        • RecycleBin
        • Shellbags
        • Shimcache
        • SRUM
        • Timestamps
        • User Access Logging (UAL)
        • UsnJrnl
        • Miscellaneous
      • TTPs analysis
        • Accounts usage
        • Local persistence
        • Lateral movement
        • PowerShell activity
        • Program execution
        • Timestomping
        • EVTX integrity
        • System uptime
        • ActiveDirectory replication metadata
        • ActiveDirectory persistence
    • Linux
      • Artefacts overview
      • TTPs analysis
        • Timestomping
    • Cloud
      • Azure
      • AWS
    • Tools
      • Velociraptor
      • KAPE
      • Dissect
      • plaso
      • Splunk usage
  • Red Team specifics
    • Phishing - Office Documents
    • OpSec Operating Systems environment
    • EDR bypass with EDRSandBlast
    • Cobalt Strike
  • Web applications
    • Recon - Server exposure
    • Recon - Hostnames discovery
    • Recon - Application mapping
    • Recon - Attack surface overview
    • CMS & softwares
      • ColdFusion
      • DotNetNuke
      • Jenkins
      • Jira
      • Ovidentia
      • WordPress
      • WebDAV
    • Exploitation - Overview
    • Exploitation - Authentication
    • Exploitation - LDAP injections
    • Exploitation - Local and remote file inclusions
    • Exploitation - File upload
    • Exploitation - SQL injections
      • SQLMAP.md
      • MSSQL.md
      • MySQL.md
      • SQLite.md
    • Exploitation - NoSQL injections
      • NoSQLMap.md
      • mongoDB.md
    • Exploitation - GraphQL
  • Binary exploitation
    • Linux - ELF64 ROP leaks
    • (Very) Basic reverse
  • Android
    • Basic static analysis
  • Miscellaneous
    • Regex 101
    • WinDbg Kernel
    • Basic coverage guided fuzzing
Powered by GitBook
On this page
  • Overview
  • Information of interest
  • Parsing
  1. DFIR
  2. Windows
  3. Artefacts overview

Prefetch

PreviousOutlook_filesNextRecentFilecache

Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: .

Overview

Location: %systemroot%\Prefetch\<EXECUTABLE.EXE>-<RANDOM_ID>.pf Filename example: POWERSHELL.EXE-022A1004.pf

Yield Information related to programs execution.

Not present by default on Windows Server Operating Systems.

Windows Prefetch is a performance enhancement feature that enables prefetching of applications to make system boots or applications startups faster. Prefetch files are created whenever a program is executed from a specific path. If the same binary is executed from different locations, separate Prefetch files will be created for each different location. A Prefetch file can be created even if the executable did not successfully run.

Whether the Prefect feature is enabled is configured by the EnablePrefetcher registry key:

  • 0 / undefined: disabled (default on Windows Server Operating Systems).

  • 0x1: Partially enabled (application prefetching only).

  • 0x2: Partially enabled (boot prefetching only).

  • 0x3: Enabled (application and boot prefetching).

Information of interest

Prefetch files are not automatically deleted if the related executable is deleted and can thus be a source of historical information. However, as the Prefetch directory is limited to 128 entries on Windows XP to Windows 7 and 1024 entries starting from Windows 8, Prefetch files may be overwritten and information lost.

The Prefecth filenames are based on the executed program name and a hash, computed using a proprietary algorithm and based on the full path (and for some binaries, such as dllhost.exe or svchost.exe, command line parameters) of the executed program.

The Prefecth files can yield the following information of forensic interest:

  • The file name and size of the binary executed.

  • The first and, starting from Windows 8, last eight executions timestamps.

  • The Prefecth file NTFS created and last modified timestamps also indicate the first and last time the program was executed.

  • Run count (number of time the binary was executed).

  • List of files and directories accessed during the first ten seconds of execution (including the eventual DLL loaded). The full path to executable file can often be determined from the list of files accessed (duplicate possible if a given binary access another binary with the same name).

Note that the Prefecth files can be easily deleted, potentially invalidating the trace of execution and timestamps (notably of first execution).

Prefecth files indirect information

The creation or modification of Prefecth files observed in others artefacts ($MFT, UsnJrnl, etc.) reflect an execution of the binary linked to the Prefecth file (and whose name can be deducted from the Prefecth filename).

Prefecth information related to PowerShell execution

The POWERSHELL.EXE-[...].pf Prefetch file may contain references to recently executed PowerShell scripts. For an entry to be created in the Prefetch file, the given script must be executed within the first ten seconds of the powershell.exe execution.

The accessed file list does retain entries from previous instances of a program execution. Accessed files information may thus persist through powershell.exe subsequent runs.

Parsing

Eric Zimmerman's PECmd.exe tool (KAPE's PECmd module) can be used to parse Prefecth file(s):

# Parses the specified Prefecth file.
PECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -f <PF_FILE>

# Recursively retrieves and parses the Prefecth files in the specified directory.
PECmd.exe [-q --csv <CSV_DIRECTORY_OUTPUT>] -d <C:\Windows\Prefetch | C:\ | DIRECTORY>
artefacts.help