Prefetch

Windows creates a prefetch file whenever an application is run for the first time; this helps speed up subsequent loads of that application. For an investigator, this allows in-depth analysis of a user's application history.

Knowing when and which applications were executed can provide an understanding of the user's intent. For example, if a user ran an anti-forensics application like CCleaner, this could indicate they were trying to cover their activity. Another example would be a user running an internal business application at a time outside of business hours.

The prefetch file stores the dates and times of the first execution and the seven most recent executions, along with the files and directories referenced by the executable.

There are some limitations to prefetch files. Depending on the version of Windows running on the machine, only a certain number of prefetch files will be stored: as new programs are run and new prefetch files are created, Windows may delete the oldest prefetch files to stay below that limit. Furthermore, a single program may cause the creation of multiple prefetch files, as Windows may treat a program run with different command line arguments as an entirely new program.
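As an added example (not part of the original article), the Python below applies the two checks described above to parsed prefetch data: it flags runs of a watchlisted anti-forensics tool or runs outside business hours, and it groups the several .pf files one executable can produce. The sample records, the watchlist and the business-hours window are constructed assumptions; the grouping relies on the standard `<EXENAME>-<HASH>.pf` naming of prefetch files.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of prefetch data as a parsing tool would present it:
# prefetch filename, executable name and ISO-formatted run times.
# These values are made up for illustration, not taken from a real system.
SAMPLE_PREFETCH = [
    {"pf": "CCLEANER64.EXE-7A1E5D01.pf", "exe": "CCLEANER64.EXE",
     "runs": ["2023-03-14T23:41:10"]},
    {"pf": "PAYROLL.EXE-2B9C44F0.pf", "exe": "PAYROLL.EXE",
     "runs": ["2023-03-13T10:02:33", "2023-03-14T02:15:07"]},
    {"pf": "PAYROLL.EXE-9D03E1A7.pf", "exe": "PAYROLL.EXE",
     "runs": ["2023-03-14T02:16:40"]},
    {"pf": "OUTLOOK.EXE-1C3F2A6B.pf", "exe": "OUTLOOK.EXE",
     "runs": ["2023-03-14T08:30:00", "2023-03-14T09:05:12"]},
]

# Hypothetical watchlist of anti-forensics tools; extend it for your environment.
ANTI_FORENSICS = {"CCLEANER.EXE", "CCLEANER64.EXE"}


def group_by_executable(entries):
    """Group prefetch filenames by executable.

    Windows names prefetch files <EXENAME>-<HASH>.pf, where the hash depends on
    the path and (for some programs) the command line, so one executable can
    produce several .pf files. Splitting on the last '-' brings them together.
    """
    groups = defaultdict(list)
    for e in entries:
        exe = e["pf"].rsplit("-", 1)[0]
        groups[exe].append(e["pf"])
    return dict(groups)


def flag_executions(entries, start=time(8, 0), end=time(18, 0)):
    """Return (exe, run_time, reason) triples for runs worth a closer look.

    A run is flagged when the executable is on the watchlist, and separately
    when it falls outside the business-hours window or on a weekend.
    """
    findings = []
    for e in entries:
        for ts in e["runs"]:
            run = datetime.fromisoformat(ts)
            if e["exe"].upper() in ANTI_FORENSICS:
                findings.append((e["exe"], ts, "anti-forensics tool"))
            if not (start <= run.time() < end) or run.weekday() >= 5:
                findings.append((e["exe"], ts, "outside business hours"))
    return findings
```

Running `flag_executions(SAMPLE_PREFETCH)` on the constructed data reports the CCleaner run twice (watchlist and late-night) and both early-morning payroll runs, while the daytime Outlook runs pass.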

We regularly find that prefetch data contains helpful artifacts for understanding what a user was doing at a given point in time.