Information Stored in Prefetch Files

Each .pf file is a trove of forensically valuable metadata relating to the execution instance(s) it represents:

  • Executable Name: The filename of the program that was run.

  • Run Count: The total number of times the application has been executed from that specific path.

  • Last Run Timestamp: The precise date and time the application was last executed from that path. This is a primary indicator of execution time. (Remember: The Date Modified timestamp of the .pf file itself reflects this Last Run Time).

  • Previous Run Timestamps: Up to 8 of the most recent previous execution timestamps are stored, offering a history of recent launches from that path.

  • Volume Information: Details about the disk volume where the executable was located during its last run, including the volume name (e.g., C:), volume serial number, and the volume's creation date.

  • File Metrics: Records the size of the original executable file.

  • Directories Referenced: A list of directories the application accessed during its initial startup phase (usually within the first ~10 seconds).

  • Files Referenced (Indexes/Loaded Resources): A list of specific files (including DLLs, configuration files, data files, etc.) that the application loaded or accessed during that initial startup phase. This is crucial for linking processes like java.exe to specific .jar files or rundll32.exe to specific .dll files.

  • Executable Path Hash: The 8-character hash identifying the path of execution.
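The fields listed above sit at fixed offsets in an uncompressed .pf image. The following is an added example, not code from the original page: a small Python parser that pulls the executable name, path hash, run count, run timestamps, referenced file names and volume details out of a version 23 (Vista/7) or version 26 (8.1) prefetch file, plus a builder that constructs a synthetic version 23 image so the parser can be exercised offline. The offsets, the 104-byte volume entry size and the sample values (executable name, hash, serial number, timestamps, file paths) are assumptions made for this demo, and Windows 10 files, which start with a "MAM" header and are LZXPRESS-Huffman compressed, are rejected rather than decompressed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets taken from the publicly documented SCCA layout (assumed here; verify
# against a known-good parser before relying on them).  The 84-byte header is
# followed by the file-information block; versions 23 and 26 differ in how
# many FILETIMEs they keep and where the run counter sits.
FILE_INFO = 84
LAST_RUN_OFF = FILE_INFO + 44                       # most recent FILETIME
RUN_COUNT_OFF = {23: FILE_INFO + 68, 26: FILE_INFO + 124}
FILE_INFO_SIZE = {23: 156, 26: 224}
NUM_TIMESTAMPS = {23: 1, 26: 8}                     # 8.1 keeps last run + previous runs
VOLUME_ENTRY_SIZE = 104
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def utf16z_strings(blob):
    """Split a block of NUL-terminated UTF-16LE strings."""
    return [s for s in blob.decode("utf-16-le").split("\x00") if s]


def parse_prefetch(data):
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not an uncompressed SCCA file (Windows 10 'MAM' files need decompressing first)")
    if version not in RUN_COUNT_OFF:
        raise ValueError(f"unsupported prefetch version {version}")
    exe_name = data[16:76].decode("utf-16-le").split("\x00")[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    strings_off, strings_size, vol_off, vol_count = struct.unpack_from("<IIII", data, FILE_INFO + 16)
    raw_times = struct.unpack_from(f"<{NUM_TIMESTAMPS[version]}Q", data, LAST_RUN_OFF)
    run_times = [filetime_to_dt(t) for t in raw_times if t]   # unused slots are zero
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFF[version])[0]
    files = utf16z_strings(data[strings_off:strings_off + strings_size])
    volumes = []
    for i in range(vol_count):
        entry = vol_off + i * VOLUME_ENTRY_SIZE
        dev_off, dev_chars, created, serial = struct.unpack_from("<IIQI", data, entry)
        start = vol_off + dev_off                   # device path offset is relative to the volume block
        device = data[start:start + dev_chars * 2].decode("utf-16-le")
        volumes.append({"device": device, "serial": f"{serial:08X}", "created": filetime_to_dt(created)})
    return {"executable": exe_name, "path_hash": f"{path_hash:08X}", "run_count": run_count,
            "run_times": run_times,                  # [0] is the last run, the rest previous runs
            "files": files, "volumes": volumes}


def modules_loaded(parsed, suffix=".DLL"):
    """Referenced files with a given extension, e.g. the DLL a rundll32.exe run pulled in."""
    return [f for f in parsed["files"] if f.upper().endswith(suffix.upper())]


def build_sample_pf():
    """Construct a minimal version-23 image in memory; every value is made up for the demo."""
    version = 23
    body = bytearray(FILE_INFO + FILE_INFO_SIZE[version])
    struct.pack_into("<I4s", body, 0, version, b"SCCA")
    body[16:40] = "RUNDLL32.EXE".encode("utf-16-le")
    struct.pack_into("<I", body, 76, 0x0BADF00D)    # placeholder path hash, not computed
    device = r"\DEVICE\HARDDISKVOLUME1"
    files = [device + r"\WINDOWS\SYSTEM32\NTDLL.DLL",
             device + r"\WINDOWS\SYSTEM32\RUNDLL32.EXE",
             device + r"\USERS\PUBLIC\UPDATE.DLL"]  # a DLL outside System32 is what an analyst looks for
    strings = b"".join(f.encode("utf-16-le") + b"\x00\x00" for f in files)
    vol = bytearray(VOLUME_ENTRY_SIZE) + device.encode("utf-16-le") + b"\x00\x00"
    created = dt_to_filetime(datetime(2021, 11, 2, 9, 15, 0, tzinfo=timezone.utc))
    struct.pack_into("<IIQI", vol, 0, VOLUME_ENTRY_SIZE, len(device), created, 0xDEADBEEF)
    strings_off = len(body)
    vol_off = strings_off + len(strings)
    struct.pack_into("<IIIII", body, FILE_INFO + 16, strings_off, len(strings), vol_off, 1, len(vol))
    last_run = dt_to_filetime(datetime(2023, 5, 17, 14, 3, 9, tzinfo=timezone.utc))
    struct.pack_into("<Q", body, LAST_RUN_OFF, last_run)
    struct.pack_into("<I", body, RUN_COUNT_OFF[version], 7)
    data = body + strings + vol
    struct.pack_into("<I", data, 12, len(data))    # header file-size field
    return bytes(data)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_pf())
    print(info["executable"], info["path_hash"], info["run_count"], info["run_times"][0])
    print("DLLs:", modules_loaded(info))
    print("Volume:", info["volumes"][0])
```

The builder only serves the demo; on a real case you would read the .pf bytes from the target's `C:\Windows\Prefetch` directory (after decompressing Windows 10 files) and compare the parsed last-run time against the file's Date Modified timestamp, which the text notes should agree.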
