Prefetch is a feature introduced in Windows XP and still used in Windows 10 that stores certain data about the applications you run to help them launch faster. The prefetcher works by predicting cache misses (when Windows requests data that isn't stored in the disk cache) and storing that data on the hard disk for easy retrieval. Superfetch is a feature that tries to determine which applications you are likely to launch and then loads all the necessary files and data into memory ahead of time. Both features require quite a few reads and writes to work. The data is located in C:\Windows\Prefetch, and in theory, periodically deleting the contents of this folder (for example, once a month) will improve performance.
The cached files are the files with the "PF" extension inside the Prefetch directory.
When applications are launched again later, new prefetch data is created, which can mean slightly lower performance at startup. However, older entries will have less and less data to parse, and Windows will be able to find the data it needs faster. Any performance gain you see will be insignificant (if you see any at all), but users who want to squeeze every CPU cycle out of their computer may want to try it. Be aware, though, that deleting the cache data may slightly increase boot time, but only on the next boot. Each subsequent boot should return to normal because the boot data will already be available again for the programs Windows loads at boot time. The Prefetcher configuration is stored in the Windows registry at the following location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
You can set the EnablePrefetcher value to one of the following values:
0 = Disabled
1 = Application launch Prefetch enabled
2 = Boot Prefetch enabled
3 = Application launch and Boot Prefetch enabled (Optimal and Default)
When Should You Disable Prefetch and Superfetch?
To disable Prefetch, simply change the registry value to 0. To disable Superfetch, click Start, type services.msc, scroll through the list until you see Superfetch, and double-click it. By default, Windows 7/8/10 was supposed to disable Prefetch and Superfetch automatically if it detected an SSD, but this is not the case on Windows 10 computers.
If the service is running, click the Stop button and then change the Startup type to Disabled. Again, only disable Prefetch and Superfetch on computers with solid-state drives. On regular platter hard drives they can help improve performance over time.
The Value of Prefetch Files in Forensic Processes
So what is the value of the prefetch file for forensic investigations? If you search Google for prefetch files, roughly the top fifty results are about helping users speed up their computers.
You find websites telling users to delete their prefetch files. This advice is clearly wrong, since the primary purpose of the prefetch file is to speed up the loading of user applications. Prefetch files can sometimes answer the vital questions of computer forensics: who, what, when, where, why, and sometimes how.
The forensic value of prefetch files will be examined from two different perspectives:
1. Contents of the Prefetch file
2. Establishing the existence of the prefetch file in the prefetch directory
The content of each prefetch file provides rich information about the applications that have been run. A prefetch file has two main sections. The top or first part contains the file's metadata, which includes the file name, file location, associated timestamps (file created, last accessed, and last modified), and the number of times the file has been run. This information is expanded on in the following section. The second or lower part of the prefetch file contains a ten-second snapshot of the files the executable touched when it was first opened. This information is also expanded on below.
Figure 2 shows a prefetch file after it has been parsed by the Prefetch_info.exe tool. With a parser, the data can be easily interpreted. In this example, the executed file was cmd.exe, which created the cmd.exe-087B4001.pf prefetch file. The associated timestamps shown are all listed in UTC. Figure 2 also shows that cmd.exe executed fifteen times and that the location from which it was executed is \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE, which corresponds to the \Windows\System32\ directory.
The forensic value of the contents of this file is fairly obvious. From the file metadata, an examiner can determine the execution, location, and frequency of cmd.exe. These artifacts can answer the "what" and "where" of an event. The run count increases each time the application is run. The timestamp information shows the first time the application was run and the last time it was accessed or executed, which can answer "when" a particular activity occurred. Any file configured for "autostart" will not create a prefetch file when run. If the prefetch file is deleted from the prefetch folder, both the timestamps and the run count are reset.
The second half of the prefetch file is in plain text but can be difficult to read. Tools like BinText or Prefetch_info.exe can organize the content, making it easier to read and to identify items of interest.
Browsing all of the resource locations an application touched during execution can reveal hidden or obscure directory locations. As shown in Figure 3, the prefetch file for excel.exe references the one.xls file located on a TrueCrypt volume. Because TrueCrypt can hide directories from view, finding such a path listed in a prefetch file can point to an otherwise unidentified data source. By browsing the contents of the prefetch files, it is possible to identify a hidden directory such as C:\WINDOWS\System32\WiQZC\hidden\hacking\tools\nc.exe. Attackers often hide tools in unusual directories under the System32 folder, where they go unnoticed. The System32 directory contains many programs used by the operating system, and as readers will know, most users never browse it.
The full directory path in the prefetch file can also reveal user accounts listed under Documents and Settings (Windows XP) or the Users folder (Vista/Windows 7). This can expose a temporary account used for malicious activity in the past, sometimes showing programs run by a potentially unauthorized user, which can answer the "who" question of a forensic review, or at least narrow the scope. Figure 4 shows file activity from the "admin" user account. This account may be malicious and attempting to disguise itself as a legitimate "admin" account. Analyzing all paths in prefetch files may also indicate that an application or file was accessed from an external storage device. External storage device entries differ from the hard drive entry of \DEVICE\HARDDISKVOLUME1\, appearing instead as something like \DEVICE\HARDDISK\DP(1)0-0+D\. The last access time in the prefetch file can be correlated with the timestamps in the USBStor registry key, unless the external device in question was later reconnected to the computer, which rewrites the last access time. Once the timestamps have been matched, the USBStor registry entry will provide the serial number of the device in question. This can extend the scope of the forensic analysis to other devices that need to be seized and analyzed. Identifying unaccounted-for USB storage devices and the applications or files accessed on them can help answer the "what" and "why" questions.
Prefetch files can also indicate whether a file's timestamps have been manipulated ("timestomping"). When attackers compromise a system and change the timestamps of an application or tool, they may not be aware of what information is captured in a prefetch file. For example, if the Standard Information Attribute (SIA) and File Name Attribute (FNA) timestamps in the Master File Table (MFT) are changed to hinder analysis, the entries in the prefetch files for the executed applications will still reveal the real timestamps. Even if the first-run and last-run entries were also altered, completely defeating the timeline, the presence of a prefetch file for the tool used to perform the timestamp manipulation would itself reveal suspicious activity.
Decoding of Prefetch Files for Forensic Purposes:
The presence of a prefetch file is revealing in itself. Examining the contents of the prefetch directory can provide a history of activity on any computer system, since a prefetch file captures the first and subsequent executions of an application. Manually, or using paid software or a free tool like WinPrefetchView, you can extract the prefetch files and view just the file creation or last access timestamps. First and foremost, the presence of a prefetch file indicates that a particular application not only existed on the computer but was also executed at least once. By sorting the entries by file creation or last access time, it is possible to see which applications were run on the system and what activity took place.
For example, the entries in Figure 1 show that two separate DLLHOST.exe programs were executed on March 15, 2018. The CONSENT.exe application (as indicated by consent.exe-2D674CE4.pf) was executed after the second DLLHOST.exe (DLLHOST.exe-1B91EF29.pf); this indicates that the computer is a Windows 8 or Windows 10 system. The Consent.exe program is the pop-up window presented to the user when a program requests administrative access, such as the MMC.exe application that runs ten seconds after CONSENT.exe. The presence of these prefetch files indicates that on March 9, 2018, at 3:20 PM, two instances of DLLHOST.exe were executing from different locations and monitoring the execution of the MMC.exe program. This event also initiates the execution of CONSENT.exe (this file is executed before MMC.exe; MMC.exe was invoked first in chronological order). The MMC program is the Microsoft Management Console and is used to manage user accounts, Windows Event logs, disk management, and other management snap-ins. Figure 1 also shows the execution of PSEXEC.exe, a command line tool that allows the user to run commands remotely on another computer system.
So what kind of information can these files give the investigator? The presence of two prefetch files with the same application prefix and different trailing hashes indicates two files of the same name executing from two different locations. The eight-character hash in the prefetch file name is derived from the location from which the application was executed.
In this example, a rogue DLLHOST.exe was executed from a location other than Windows\System32. This scenario can indicate a malware infection in which the malware first runs from one place, for example the desktop or a temporary directory, then removes itself from its original location, places a copy in Windows\System32, and re-executes itself from there. This produces two prefetch files with the same prefix ending in two different eight-character hashes. If two such prefetch files are found in a forensic investigation and the file's location needs to be determined, the location can be reverse engineered by trial and error. Of course, there is no magic out-of-the-box formula that will recreate the path from which the application was executed. However, since the eight-character hash is generated by an algorithm that uses the location of the executed file, you can take any file, rename it to the prefetch file's prefix (i.e. calc.exe), place it in different suspicious directories, execute it, and watch the prefetch directory until the hash matches.
The number and type of prefetch files in the prefetch directory can also reveal information about the person using the computer. The operating system prunes the prefetch directory once a certain number of files is reached. The number of prefetch files can reveal several different things:
The system is relatively new and only a few different applications have been run on it. This is typical of a normal home user, who may use only ten to fifteen programs over time.
The system has been used extensively: over a short or long period, the user(s) have run many different programs. The timestamps and run counts will provide background on when and how often these applications were used.
The types of applications executed can help determine the technical capabilities of the user. For example, by identifying the kinds of programs the individual runs, the analyst can determine whether the user is highly technical (for example, if there are prefetch files for programming tools like Python and Perl, or technical programs like IDA Pro and VMware). The presence of hacker tools such as nmap, Metasploit or netcat can readily reveal the nature and purpose of a computer user. On the other hand, if the user only uses web browsers, mail clients, and social networking software (Yahoo, Microsoft's Instant Messenger), you get a clearer picture of a different type of computer user.
Here are some practical examples of how prefetch files can aid a forensic investigation:
A simple scenario is where network logs show system PC-A scanning system PC-B with a tool like Nessus. When local administrators asked the PC-A user about the activity, the user denied the allegations and even invited them to check the system for the Nessus tool if they wished. The user had apparently simply removed the Nessus tool after use, and a tool like BCWipe had been used to overwrite all unallocated space. However, when the PC-A user ran Nessus, a prefetch file was created capturing the first and last run times, the run count, and the location from which it was run. These timestamps can be correlated with the network logs and any activity recorded on system PC-B. Another valuable artifact is the prefetch file for the wiping tool BCWipe, which contains the same kind of evidence.
From a forensic standpoint, a prefetch file can be used to show that an employee who denied receiving a salary spreadsheet actually opened a Microsoft Excel file called ABCorp_2010_Salaries.xls on their computer, located on an external USB drive. For this artifact to exist, the employee would have had to open the file, for example by double-clicking the spreadsheet.
Although many different tools can be used to analyze prefetch files, two of the most useful to date are Prefetch_info.exe (and Prefetch_parse_gui.exe) by Mark McKinnon and WinPrefetchView by NirSoft. Prefetch_info.exe is a Windows command line tool that parses both the file's metadata (timestamps) and the NTFS/MFT file list. Prefetch_info.exe can only process one prefetch file at a time, but it returns results quickly.
Mark McKinnon's second tool, Prefetch_parse_gui.exe, is a graphical tool that analyzes entire directories of prefetch files. NirSoft's WinPrefetchView is split into two panes: the top lists each prefetch file with all its associated metadata, and the bottom displays the NTFS/MFT file list for the prefetch entry selected at the top. Figure 5 shows the WinPrefetchView interface. By default this tool reads the local computer's prefetch files; the Home Options tab under Advanced Options lets you select another location, such as a folder of prefetch files extracted from an image. The metadata can be sorted by column, and any items of interest can be exported to HTML reports.
If no entry is selected, all files with the ".pf" extension are processed. Figure 3 shows the options available when analyzing a specified application that hosts the prefetch files, and the output of a specified command line used to start compmgmt.msc.
If the prefetch files have been deleted, intentionally or through routine maintenance, there is still a chance to recover files of interest. In computer forensics, common sense dictates that any deleted file can be recovered as long as it has not been overwritten by something new, and the same rule applies to prefetch files. A common method of searching for a file is to search for its header. Since each file type has a distinctive header, we can search unallocated space for the prefetch file header. In ASCII this header reads "....SCCA"; in hexadecimal it is "11 00 00 00 53 43 43 41". Once a file is identified, it can be extracted and analyzed with one of the tools mentioned above. Since prefetch files have no footer, carving a candidate prefetch file usually pulls in extra data; the excess is easily recognized and discarded.
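As an added example (not code from the original article), the Python below carves prefetch files out of a constructed "unallocated space" buffer by locating the SCCA header, bounds each carve with the header's own size field since there is no footer, and then parses the executable name, path hash, last-run time and run count the article describes. The per-version field offsets and the sample data are assumptions of this example; Windows 10 (version 30) files are compressed and not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

SCCA = b"SCCA"  # signature at offset 4; the 4 bytes before it hold the format version
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
# (last-run FILETIME offset, run-counter offset) for the uncompressed formats:
# 17 = XP/2003, 23 = Vista/7, 26 = Win 8.1. Win10 (30) files are MAM-compressed, out of scope.
LAYOUT = {17: (120, 144), 23: (128, 152), 26: (128, 208)}

def parse_prefetch(data):
    """Parse the metadata section of an uncompressed prefetch file."""
    version, sig, size = struct.unpack_from("<I4s4xI", data, 0)
    if sig != SCCA or version not in LAYOUT:
        raise ValueError("not a supported prefetch header")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name
    (path_hash,) = struct.unpack_from("<I", data, 76)  # hash derived from the exec path
    run_off, count_off = LAYOUT[version]
    (last_run,) = struct.unpack_from("<Q", data, run_off)  # FILETIME, 100 ns ticks
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {"version": version, "size": size, "executable": name,
            "pf_name": f"{name}-{path_hash:08X}.pf", "run_count": run_count,
            "last_run": EPOCH + timedelta(microseconds=last_run // 10)}

def carve_prefetch(blob):
    """Return each prefetch file in a raw buffer; no footer, so the size field bounds each carve."""
    found, pos = [], blob.find(SCCA)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + 16 <= len(blob):
            version, size = struct.unpack_from("<I8xI", blob, start)
            min_size = LAYOUT.get(version, (0, 0))[1] + 4
            if version in LAYOUT and min_size <= size <= len(blob) - start:
                found.append(blob[start:start + size])
        pos = blob.find(SCCA, pos + 1)
    return found

def carve_and_parse(blob):
    return [parse_prefetch(f) for f in carve_prefetch(blob)]

def build_sample(version, name, path_hash, last_run, run_count, payload_len=200):
    """Construct a synthetic prefetch file (sample data, not a real capture)."""
    run_off, count_off = LAYOUT[version]
    size = count_off + 8 + payload_len
    buf = bytearray(size)
    struct.pack_into("<I4s4xI", buf, 0, version, SCCA, size)
    buf[16:16 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, path_hash)
    d = last_run - EPOCH
    struct.pack_into("<Q", buf, run_off, (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

# Constructed "unallocated space": junk, an XP-style cmd.exe entry (hash and run count
# taken from the article's example), junk, a Vista/7-style entry, and a stray signature.
UNALLOCATED = (b"\x00" * 300
               + build_sample(17, "CMD.EXE", 0x087B4001, datetime(2018, 3, 9, 15, 20, tzinfo=timezone.utc), 15)
               + b"\xff" * 123
               + build_sample(23, "NC.EXE", 0x0BADF00D, datetime(2018, 3, 15, 9, 0, tzinfo=timezone.utc), 3)
               + b"junkSCCAjunk")
```

carve_and_parse(UNALLOCATED) returns two records, the first named CMD.EXE-087B4001.pf with a run count of 15; the stray signature and trailing junk are rejected because no valid version and size field surround them.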
There are a few things to consider when analyzing prefetch files. For certain applications that are executed and left "open", the prefetch file is not created until the application is closed. For example, if netcat was first run at 1:00 PM on June 14th but was not closed until 3:00 PM on June 15th, the prefetch file would not be created until netcat was shut down, twenty-six hours after it was first executed. This delay in file creation must be factored into timeline analysis. Programs located in a user's Startup directory do not create a prefetch file.
When searching the Internet for prefetch files, most of the initial results tell users to delete prefetch files to speed up their computers, so their absence is not necessarily an anti-forensic sign. The absence of prefetch files may also be due to the EnablePrefetcher registry value having been changed to disable prefetching on the system. The registry key listed earlier controls what the operating system does with regard to prefetching. By default, Windows XP, Vista, and Windows 7 have a value of "3", with both application and boot prefetching enabled. Windows 2003 systems default to "2", so there is no application prefetching.
The presence of prefetch files for the Windows defragmentation tools, DEFRAG.exe and DFRGNTFS.exe, likewise does not necessarily mean that someone deleted prefetch files or defragmented the computer to cover up malicious activity. The Windows operating system, specifically the Task Scheduler, initiates the defragmentation process to rearrange files according to the Layout.ini file. When this happens, new prefetch files are created for DFRGNTFS.exe and DEFRAG.exe. If these prefetch files already exist, their run counts increase by one each time the process runs.
This discussion has shown the many different types of forensic evidence that can be salvaged from prefetch file analysis. Whether prefetch file analysis helps an investigation depends on the type of investigation being conducted.