Windows Prefetch
Windows Prefetch (.pf) is a critical artifact for establishing proof of execution. Initially introduced to speed up the boot process and application launch times, it serves as a persistent log of recent application activity. By monitoring the page faults that occur during an application's startup, the Memory Manager creates a trace file that maps the code and data loaded from disk. We use this mechanism to definitively prove that a specific binary executed on the system.
Imagine you go to a restaurant every Tuesday and order the same meal. After a few weeks, the waiter sees you walking in and tells the kitchen to start cooking your food before you even sit down. This makes your service much faster. Prefetch is that waiter. It remembers what programs you use and "pre-loads" the necessary files into memory so they start up instantly next time.
General
Prefetch files are generated by the Windows Memory Manager and stored in the C:\Windows\Prefetch directory. The system caps the number of files it keeps, with the limit depending on the OS version, so once the limit is reached older files roll over. A Prefetch file consists of a header followed by several data sections; starting with Windows 10, this data is compressed with the XPRESS Huffman algorithm. The filename format appends an 8-character hex hash to the executable name, which differentiates applications with the same name that live in different paths.
Traces
Parsing a Prefetch file reveals an extensive timeline and mapping of how a program behaves during startup. Here are the core data points we extract:
- Execution Timestamps: The most recent execution times of the program, up to 8 of them.
- Run Count: The total number of times the executable has been launched.
- Path Hash: A hash of the executable's full path that ties the execution to a specific file location.
- Loaded Resources: A complete list of all DLLs and files loaded within the first 10 seconds of execution.
- Volume Serial Number: The specific disk drive ID where the executable resided.
- and more.
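The following parser is an added example (not code from the original page) that pulls the data points listed above out of a Windows 10 (format version 30) Prefetch image: executable name, path hash, the eight last-run timestamps, run count, the loaded-file strings, and the volume device path and serial number. The field offsets follow the Prefetch format as documented by the libscca project and are an assumption to verify against a reference parser; note in particular that some Windows 10 builds store the run count at offset 208 instead of 200. The Windows 10 "MAM" container is expanded through ntdll's XPRESS Huffman decompressor, so that path only works on Windows; the sample image in `build_sample_pf()` is constructed in memory (volume GUID, serial, timestamps and paths are all made up) so the parser can be exercised offline.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"          # at offset 4 of an uncompressed Prefetch file
MAM_SIGNATURE = b"MAM\x04"   # Windows 10 container: magic, uint32 decompressed size, XPRESS Huffman data
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601   # integer arithmetic so large tick counts stay exact
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decompress_mam(data):
    """Expand a MAM container with ntdll's decompressor (COMPRESSION_FORMAT_XPRESS_HUFF = 4). Windows only."""
    if sys.platform != "win32":
        raise NotImplementedError("MAM decompression here relies on ntdll.dll; run on Windows")
    import ctypes
    size = struct.unpack_from("<I", data, 4)[0]
    ntdll = ctypes.WinDLL("ntdll")
    ws, fs, final = ctypes.c_ulong(), ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(4), ctypes.byref(ws), ctypes.byref(fs))
    out = ctypes.create_string_buffer(size)
    comp = ctypes.create_string_buffer(data[8:], len(data) - 8)
    status = ntdll.RtlDecompressBufferEx(ctypes.c_ushort(4), out, size, comp, len(comp),
                                         ctypes.byref(final), ctypes.create_string_buffer(ws.value))
    if status != 0:
        raise OSError(f"RtlDecompressBufferEx failed, NTSTATUS {status & 0xFFFFFFFF:#x}")
    return out.raw[:final.value]


def parse_prefetch(data, run_count_offset=200):
    """Parse a version-30 image. Pass run_count_offset=208 for Windows 10 builds that use that layout."""
    if data[:4] == MAM_SIGNATURE:
        data = decompress_mam(data)
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE:
        raise ValueError("missing SCCA signature: not a Prefetch file")
    if version != 30:
        raise ValueError(f"format version {version} is not handled by this example (30 = Windows 10)")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16LE field
    path_hash = struct.unpack_from("<I", data, 76)[0]
    # file information block: offsets/counts of metrics, trace chains, filename strings and volumes
    (_m_off, _m_n, _c_off, _c_n, fn_off, fn_size,
     vol_off, _vol_n, _vol_size) = struct.unpack_from("<9I", data, 84)
    run_times = [filetime_to_datetime(t) for t in struct.unpack_from("<8Q", data, 128) if t]
    run_count = struct.unpack_from("<I", data, run_count_offset)[0]
    loaded = [s for s in data[fn_off:fn_off + fn_size].decode("utf-16-le").split("\x00") if s]
    # first volume entry: device-path offset (relative to the volume block), char count, creation time, serial
    path_off, path_chars, vol_created, serial = struct.unpack_from("<IIQI", data, vol_off)
    start = vol_off + path_off
    device_path = data[start:start + path_chars * 2].decode("utf-16-le")
    return {
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_runs": run_times,            # most recent first, as stored
        "run_count": run_count,
        "loaded_files": loaded,
        "volume_device_path": device_path,
        "volume_serial": f"{serial:08X}",
        "volume_created": filetime_to_datetime(vol_created),
    }


def build_sample_pf():
    """Constructed, uncompressed version-30 image for offline testing; not captured from a real host."""
    volume = "\\VOLUME{01da0c1e5f6a7b8c-a1b2c3d4}"   # made-up volume GUID path
    loaded = [volume + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
              volume + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
              volume + "\\USERS\\PUBLIC\\EVIL.EXE"]
    fn_blob = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    fn_off = 320                                            # placed after header + file information
    vol_off = fn_off + len(fn_blob) + (-len(fn_blob)) % 8   # keep the volume block 8-byte aligned
    runs = [datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
            datetime(2024, 2, 27, 18, 5, tzinfo=timezone.utc)]
    times = [datetime_to_filetime(t) for t in runs] + [0] * 6
    vol_entry = struct.pack("<IIQI", 96, len(volume),
                            datetime_to_filetime(datetime(2023, 11, 5, tzinfo=timezone.utc)),
                            0x1234ABCD).ljust(96, b"\x00")
    vol_blob = vol_entry + volume.encode("utf-16-le") + b"\x00\x00"
    buf = bytearray(vol_off + len(vol_blob))
    struct.pack_into("<I4sII", buf, 0, 30, SIGNATURE, 0x11, len(buf))   # version, magic, unknown, size
    buf[16:76] = "EVIL.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x5A2B1C3D)                          # made-up path hash
    struct.pack_into("<9I", buf, 84, 0, 0, 0, 0, fn_off, len(fn_blob), vol_off, 1, len(vol_blob))
    struct.pack_into("<8Q", buf, 128, *times)
    struct.pack_into("<I", buf, 200, 7)                                  # run count
    buf[fn_off:fn_off + len(fn_blob)] = fn_blob
    buf[vol_off:vol_off + len(vol_blob)] = vol_blob
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_pf()).items():
        print(f"{key:>20}: {value}")
```

On a live case, read the .pf file in binary mode and hand the bytes to `parse_prefetch`; the constructed image only exists so the field extraction can be checked without a Windows box. Empty timestamp slots are zero and are dropped, which is why a freshly created file shows fewer than eight run times.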
Forensic Value
We leverage Prefetch files to prove malicious activity and reconstruct adversary timelines:
- Evidence of Execution: Proving that a specific tool successfully ran. Pivot to the global Execution overview to see how multiple artifacts converge.
- Verify Binary Metadata: Comparing Prefetch metadata with the more persistent AmCache registry hive to build a complete profile of the binary.
- USB Drive Tracking: Using the volume serial number to correlate an execution with a removable drive found at the scene.
- Renamed Executables: Detecting malware that hides by renaming itself after a legitimate system binary; the executable name matches, but the path hash does not match the one expected for the legitimate location.
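As an added example (not part of the original page), the check behind the last two bullets: recompute the path hash from the .pf filename's executable name and compare it with the hash Windows would have produced for the binary in its legitimate location. The hash routine is the "SCCA 2008" variant as documented by libscca, assumed here to apply to Windows 7 and later (XP and Vista use different variants); Windows feeds it the uppercased device path of the executable, so the volume path, which the .pf volume section provides in a real case, is a constructed input here. For a few hosting processes (svchost, rundll32, mmc, dllhost, backgroundtaskhost) Windows also hashes the command line, so those names are flagged for manual review instead of being scored.

```python
import re

# Hosting processes whose command line is folded into the hash; a mismatch there is expected.
HOST_PROCESSES = {"SVCHOST.EXE", "RUNDLL32.EXE", "MMC.EXE", "DLLHOST.EXE", "BACKGROUNDTASKHOST.EXE"}
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def scca_2008_hash(device_path):
    """Horner polynomial over the uppercased path: seed 314159, multiplier 37, kept to 32 bits.
    Assumed (per libscca's documentation) to be the variant used by Windows 7 and later."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def expected_pf_name(device_path):
    """The .pf filename Windows would create for a binary at this device path."""
    exe = device_path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{scca_2008_hash(device_path):08X}.pf"


def triage_prefetch_names(pf_names, volume_device_path,
                          known_dirs=("\\WINDOWS\\SYSTEM32", "\\WINDOWS")):
    """Classify each .pf name: does its hash match the binary of that name in a known location?
    Returns (name, verdict, detail) triples."""
    findings = []
    for name in pf_names:
        m = PF_NAME.match(name)
        if not m:
            findings.append((name, "unparseable", None))
            continue
        exe, recorded = m["exe"].upper(), int(m["hash"], 16)
        if exe in HOST_PROCESSES:
            findings.append((name, "host-process", "command line is part of the hash; review manually"))
            continue
        candidates = [volume_device_path + d + "\\" + exe for d in known_dirs]
        match = next((c for c in candidates if scca_2008_hash(c) == recorded), None)
        if match:
            findings.append((name, "expected-path", match))
        else:
            findings.append((name, "hash-mismatch",
                             f"{exe} ran from a path other than {', '.join(known_dirs)}"))
    return findings


if __name__ == "__main__":
    vol = "\\VOLUME{0123456789abcdef-89abcdef}"   # constructed; take it from the .pf volume section
    names = [expected_pf_name(vol + "\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"),
             expected_pf_name(vol + "\\USERS\\PUBLIC\\NOTEPAD.EXE"),   # same name, different path
             "SVCHOST.EXE-DEADBEEF.pf"]
    for name, verdict, detail in triage_prefetch_names(names, vol):
        print(f"{name:32} {verdict:14} {detail}")
```

Because the volume portion of the device path is part of the hash, the same binary produces different .pf names on different machines; always derive the volume path from the image under examination rather than from a lookup table built elsewhere.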