Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. These files can therefore provide important information for an investigation.
A prefetch file contains the following information:
- Creation date – timestamped with the local time of the machine
- Date/time of last execution time – timestamped with the local time of the machine
- Run count – the number of times the executable has been launched
- Other run times – limited to the previous eight (8) executions
- Directories and files referenced – includes other executables
- Volumes and file paths – the location from which files were accessed
As part of its process, a .pf file is created in the C:\Windows\Prefetch\ directory and updated each subsequent time the application is executed.

Going through them one by one will be painful, so I will use PECmd by Eric Zimmerman to parse the .pf files from the command line.
```
.\PECmd.exe -d C:\Users\Default\Desktop\Prefetch\ --csv C:\Users\Default\Desktop\
...
CSV output will be saved to C:\Users\Default\Desktop\20250709183028_PECmd_Output.csv
CSV time line output will be saved to C:\Users\Default\Desktop\20250709183028_PECmd_Output_Timeline.csv
```
As a result, 2 .csv files will be generated:
- PECmd_Output.csv — Summary of parsed data
- PECmd_Output_Timeline.csv — Timeline view
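
One way to triage the summary CSV, as an added example that is not part of the original post or of PECmd: it recovers each executable's full path from the files the entry references, merges the run-time columns, and lists programs that ran from user-writable directories. The column names, the watch-list and the sample rows are assumptions; compare them with the header row of your own PECmd_Output.csv.

```python
import csv
import io
import re
import sys

# Assumed column names (ExecutableName, RunCount, LastRun, PreviousRun0..6,
# FilesLoaded); compare them with the header row of your own PECmd_Output.csv.
# Constructed sample rows, trimmed to the columns used here; all values invented.
SAMPLE_CSV = r'''ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,FilesLoaded
NOTEPAD.EXE,3,2025-07-08 09:15:02,2025-07-07 16:40:11,2025-07-01 08:02:45,"\VOLUME{01d9aaaaaaaaaaaa-11111111}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{01d9aaaaaaaaaaaa-11111111}\WINDOWS\SYSTEM32\NOTEPAD.EXE"
UPDATER.EXE,1,2025-07-09 02:13:57,,,"\VOLUME{01d9aaaaaaaaaaaa-11111111}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{01d9aaaaaaaaaaaa-11111111}\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE"
'''

# Hypothetical watch-list of user-writable locations; tune it for the case.
WATCH = ("\\USERS\\", "\\PROGRAMDATA\\", "\\WINDOWS\\TEMP\\", "\\$RECYCLE.BIN\\")


def exe_path(row):
    """Recover the executable's full path from the files the entry references."""
    name = row["ExecutableName"].upper()
    # Paths start with a backslash, so split only on commas that precede one.
    for path in re.split(r",\s*(?=\\)", row.get("FilesLoaded") or ""):
        if path.upper().rsplit("\\", 1)[-1] == name:
            return path
    return None


def run_times(row):
    """Merge LastRun and the PreviousRun columns into one sorted list."""
    keys = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]
    return sorted(row[k] for k in keys if row.get(k))


def triage(rows):
    """Return entries whose executable ran from a watched directory, oldest first."""
    hits = []
    for row in rows:
        path = exe_path(row)
        if path and any(marker in path.upper() for marker in WATCH):
            hits.append({"exe": row["ExecutableName"], "path": path,
                         "run_count": int(row["RunCount"]), "runs": run_times(row)})
    return sorted(hits, key=lambda h: h["runs"][:1])


if __name__ == "__main__":
    # Pass the real CSV path as the first argument; otherwise use the sample.
    src = open(sys.argv[1], newline="", encoding="utf-8-sig") if len(sys.argv) > 1 else io.StringIO(SAMPLE_CSV)
    for hit in triage(csv.DictReader(src)):
        print(hit["runs"], hit["run_count"], hit["path"])
```

An entry with no match in the watch-list is not cleared by this; it only means the executable's recovered path was outside the listed directories.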