How Forensic Experts Use Windows Prefetch

To a computer forensics expert like Paula Januszkiewicz, Windows Prefetch files are a virtual treasure trove that can reveal not only what has happened on an operating system but when it took place. In this brief tutorial, Paula shares the tool and method needed to unlock the contents of these digital artifacts.

Prefetch files offer a digital snapshot of events inside your Windows operating system (OS). Because they are created when an executable program is run from a particular location for the very first time, forensic specialists can use these files to determine what was running and when.

In the event of a cyber-attack, the timeline of evidence captured in Prefetch files can prove extremely useful in determining the root cause. However, unlocking their secrets is dependent on knowing the right method and having the right tools.

In this example, Paula uses CQPrefetchParser.exe to analyze Prefetch files and reveal the execution history of programs on the OS. This tool, created by experts at CQURE, can be used to detect which DLLs were loaded and how many times a particular executable has run. Download the free CQURE tool by clicking the banner below.


Using Prefetch you can investigate which executables were running in the operating system. CQPrefetchParser has several options. It takes as a parameter a single Prefetch file to analyze; alternatively, you can specify only the directory that contains the Prefetch files, or use the /out option to write out the decompressed .pf file.

CQPrefetchParser shows all the paths related to that particular Prefetch file, as well as the modules, i.e. the DLLs that were loaded while the executable was running. Additionally, you can see part of the execution history, for example how many times notepad.exe was executed and when I last had it open.
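To show what a Prefetch parser actually reads out of a .pf file, here is a minimal parser written for this article; it is an added example, not CQPrefetchParser or any other CQURE code. It handles uncompressed Prefetch format versions 23 (Windows 7) and 26 (Windows 8.1), extracting the executable name, the run count, the last-run timestamps (eight of them in version 26) and the module list from the filename-strings section. Windows 10 .pf files begin with a `MAM` header and are compressed, which is what a decompression step such as the tool's /out option is for; the parser detects that case and refuses it. The sample file it parses is constructed in `build_sample_prefetch()` with made-up volume names, hash and timestamps, and the field offsets follow the publicly documented SCCA layout.

```python
"""Minimal parser for uncompressed Windows Prefetch (.pf) files,
format versions 23 (Windows 7) and 26 (Windows 8.1).
Added example for this article; it is not CQPrefetchParser."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 0x54          # fixed file header, followed by the file-information block
FILE_INFO_LEN_V26 = 224    # size of the file-information block in version 26


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data):
    """Return executable name, hash, run count, last-run times and modules."""
    if data[:3] == b"MAM":
        # Windows 10 stores .pf files Xpress-Huffman compressed; decompress first.
        raise ValueError("compressed (MAM) prefetch file: decompress it first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    # 60-byte UTF-16LE, NUL-terminated executable name at 0x10
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # file-information block: nine little-endian offsets/counts at 0x54
    (_metrics_off, _metrics_cnt, _chains_off, _chains_cnt,
     names_off, names_size, _vol_off, _vol_cnt, _vol_size) = struct.unpack_from("<9I", data, HEADER_LEN)
    if version == 23:
        last_runs = [struct.unpack_from("<Q", data, 0x80)[0]]
        run_count = struct.unpack_from("<I", data, 0x98)[0]
    elif version == 26:
        last_runs = list(struct.unpack_from("<8Q", data, 0x80))   # newest first
        run_count = struct.unpack_from("<I", data, 0xD0)[0]
    else:
        raise ValueError(f"unsupported prefetch version {version}")
    # filename strings: UTF-16LE, NUL-separated list of loaded files/modules
    names_blob = data[names_off:names_off + names_size].decode("utf-16-le")
    modules = [s for s in names_blob.split("\x00") if s]
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in last_runs if t],
        "modules": modules,
    }


def build_sample_prefetch():
    """Construct a synthetic version-26 .pf file (constructed sample data,
    not captured from a real system; volume name, hash and times are made up)."""
    exe = "NOTEPAD.EXE"
    modules = [
        r"\VOLUME{CONSTRUCTED}\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\VOLUME{CONSTRUCTED}\WINDOWS\SYSTEM32\KERNEL32.DLL",
        r"\VOLUME{CONSTRUCTED}\WINDOWS\SYSTEM32\NOTEPAD.EXE",
    ]
    names_blob = "".join(m + "\x00" for m in modules).encode("utf-16-le")
    names_off = HEADER_LEN + FILE_INFO_LEN_V26
    total = names_off + len(names_blob)
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, total)
    header += exe.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x5F2B1C4A, 0)          # constructed hash, flags
    info = bytearray(FILE_INFO_LEN_V26)
    struct.pack_into("<9I", info, 0, 0, 0, 0, 0, names_off, len(names_blob), 0, 0, 0)
    runs = [datetime(2021, 11, 23, 17, 0, tzinfo=timezone.utc),
            datetime(2021, 11, 22, 9, 30, tzinfo=timezone.utc),
            datetime(2021, 11, 20, 8, 15, tzinfo=timezone.utc)]
    struct.pack_into("<8Q", info, 0x80 - HEADER_LEN,
                     *[datetime_to_filetime(d) for d in runs], 0, 0, 0, 0, 0)
    struct.pack_into("<I", info, 0xD0 - HEADER_LEN, len(runs))   # run count
    return bytes(header) + bytes(info) + names_blob


if __name__ == "__main__":
    result = parse_prefetch(build_sample_prefetch())
    print(f"{result['executable']}-{result['hash']}.pf  runs={result['run_count']}")
    for ts in result["last_runs"]:
        print("  run:", ts.isoformat())
    for m in result["modules"]:
        print("  module:", m)
```

On a real system the same function can be pointed at `C:\Windows\Prefetch\*.pf` from a Windows 7 or 8.1 image; for Windows 10 images, run the decompression step first and feed the output to the parser.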

CQPrefetchParser is a great tool to support Prefetch analysis during a forensic investigation, but the Prefetch files themselves can be deleted by an attacker who has administrative privileges on that computer. So remember that you may need to rely on other audit tools to recover Prefetch files in order to analyze them later.

Join us LIVE from 6PM CET on Nov. 23, 2021 for our biggest ever annual cybersecurity webinar feat. Sami Laiho, Michael Grafnetter & Paula Januszkiewicz.

Take this chance to grow your skills in Azure AD security, digital forensics, shadow credential injection attacks, and Privileged Access Workstations.

