digital forensics

Analyzing Prefetch Files for Execution History

Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.

evidence-collectionexecution-historyforensicsprefetchtimeline-analysiswindows-artifacts
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When determining which programs were executed on a Windows system and when
  • During malware investigations to confirm execution of suspicious binaries
  • For establishing a timeline of application usage during an incident
  • When correlating program execution with other forensic artifacts
  • To identify anti-forensic tools or unauthorized software that was run

Prerequisites

  • Access to Windows Prefetch directory (C:\Windows\Prefetch) from forensic image
  • PECmd (Eric Zimmerman), WinPrefetchView, or python-prefetch parser
  • Understanding of Prefetch file format (versions 17, 23, 26, 30)
  • Windows system with Prefetch enabled (default on client OS, disabled on servers)
  • Knowledge of Prefetch naming conventions (APPNAME-HASH.pf)

Workflow

Step 1: Extract Prefetch Files from Forensic Image

# Mount the forensic image
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence
 
# Copy all prefetch files
mkdir -p /cases/case-2024-001/prefetch/
cp /mnt/evidence/Windows/Prefetch/*.pf /cases/case-2024-001/prefetch/
 
# Count and list prefetch files
ls -la /cases/case-2024-001/prefetch/ | wc -l
ls -la /cases/case-2024-001/prefetch/ | head -30
 
# Hash all prefetch files for integrity
sha256sum /cases/case-2024-001/prefetch/*.pf > /cases/case-2024-001/prefetch/pf_hashes.txt
 
# Note: Prefetch filename format is EXECUTABLE_NAME-XXXXXXXX.pf
# The hash (XXXXXXXX) is based on the executable path
# Same executable from different paths creates different prefetch files

Step 2: Parse Prefetch Files with PECmd

# Using Eric Zimmerman's PECmd (Windows or via Mono/Wine on Linux)
# Download from https://ericzimmerman.github.io/
 
# Parse a single prefetch file
PECmd.exe -f "C:\cases\prefetch\POWERSHELL.EXE-A]B2C3D4.pf"
 
# Parse all prefetch files and output to CSV
PECmd.exe -d "C:\cases\prefetch\" --csv "C:\cases\analysis\" --csvf prefetch_results.csv
 
# Parse with JSON output
PECmd.exe -d "C:\cases\prefetch\" --json "C:\cases\analysis\" --jsonf prefetch_results.json
 
# Output includes for each file:
# - Executable name and path
# - Run count
# - Last run time (up to 8 timestamps in Windows 10)
# - Files and directories referenced during execution
# - Volume information (serial number, creation date)
# - Prefetch file creation time

Step 3: Parse with Python for Linux-Based Analysis

pip install prefetch
 
python3 << 'PYEOF'
import os
import json
from datetime import datetime
 
# Parse prefetch files using python
import struct
 
def parse_prefetch(filepath):
    """Parse a Windows Prefetch file."""
    with open(filepath, 'rb') as f:
        data = f.read()
 
    # Check for MAM compressed format (Windows 10)
    if data[:4] == b'MAM\x04':
        import lznt1  # or use DecompressBuffer
        # Windows 10 prefetch files are compressed
        print(f"  [Compressed Win10 format - use PECmd for full parsing]")
        return None
 
    # Version 17 (XP), 23 (Vista/7), 26 (8.1), 30 (10)
    version = struct.unpack('<I', data[0:4])[0]
    signature = data[4:8]
 
    if signature != b'SCCA':
        print(f"  Invalid prefetch signature")
        return None
 
    file_size = struct.unpack('<I', data[8:12])[0]
    exec_name = data[16:76].decode('utf-16-le').strip('\x00')
    run_count = struct.unpack('<I', data[208:212])[0] if version >= 23 else struct.unpack('<I', data[144:148])[0]
 
    result = {
        'version': version,
        'executable': exec_name,
        'file_size': file_size,
        'run_count': run_count,
    }
 
    # Extract last execution timestamps
    if version == 23:  # Vista/7 - 1 timestamp
        ts = struct.unpack('<Q', data[128:136])[0]
        result['last_run'] = filetime_to_datetime(ts)
    elif version >= 26:  # Win8+ - up to 8 timestamps
        timestamps = []
        for i in range(8):
            ts = struct.unpack('<Q', data[128+i*8:136+i*8])[0]
            if ts > 0:
                timestamps.append(filetime_to_datetime(ts))
        result['last_run_times'] = timestamps
 
    return result
 
def filetime_to_datetime(ft):
    """Convert Windows FILETIME to datetime string."""
    if ft == 0:
        return None
    timestamp = (ft - 116444736000000000) / 10000000
    try:
        return datetime.utcfromtimestamp(timestamp).strftime('%Y-%m-%d %H:%M:%S UTC')
    except (OSError, ValueError):
        return None
 
# Process all prefetch files
prefetch_dir = '/cases/case-2024-001/prefetch/'
results = []
 
for filename in sorted(os.listdir(prefetch_dir)):
    if filename.lower().endswith('.pf'):
        filepath = os.path.join(prefetch_dir, filename)
        print(f"\n=== {filename} ===")
        result = parse_prefetch(filepath)
        if result:
            print(f"  Executable: {result['executable']}")
            print(f"  Run Count:  {result['run_count']}")
            if 'last_run' in result:
                print(f"  Last Run:   {result['last_run']}")
            elif 'last_run_times' in result:
                for i, ts in enumerate(result['last_run_times']):
                    print(f"  Run Time {i+1}: {ts}")
            results.append(result)
 
# Save results
with open('/cases/case-2024-001/analysis/prefetch_analysis.json', 'w') as f:
    json.dump(results, f, indent=2)
PYEOF

Step 4: Identify Suspicious Execution Evidence

# Search for known malicious tool names in prefetch
ls /cases/case-2024-001/prefetch/ | grep -iE \
   '(MIMIKATZ|PSEXEC|WMIC|COBALT|BEACON|PWDUMP|PROCDUMP|LAZAGNE|RUBEUS|BLOODHOUND|SHARPHOUND|CERTUTIL|BITSADMIN)'
 
# Search for script interpreters (potential malicious execution)
ls /cases/case-2024-001/prefetch/ | grep -iE \
   '(POWERSHELL|CMD\.EXE|WSCRIPT|CSCRIPT|MSHTA|REGSVR32|RUNDLL32|MSIEXEC)'
 
# Search for remote access tools
ls /cases/case-2024-001/prefetch/ | grep -iE \
   '(TEAMVIEWER|ANYDESK|LOGMEIN|VNC|SPLASHTOP|SCREENCONNECT|AMMYY)'
 
# Search for data exfiltration tools
ls /cases/case-2024-001/prefetch/ | grep -iE \
   '(RAR|7Z|ZIP|RCLONE|MEGA|DROPBOX|ONEDRIVE|GDRIVE|FTP|CURL|WGET)'
 
# Find recently created prefetch files (newest executables run)
ls -lt /cases/case-2024-001/prefetch/ | head -20
 
# Cross-reference with Shimcache and Amcache for confirmation
# Prefetch existence = program was executed at least once

Step 5: Build Execution Timeline

# Create timeline from prefetch data
python3 << 'PYEOF'
import json
import csv
 
with open('/cases/case-2024-001/analysis/prefetch_analysis.json') as f:
    data = json.load(f)
 
timeline = []
for entry in data:
    if 'last_run_times' in entry:
        for ts in entry['last_run_times']:
            if ts:
                timeline.append({
                    'timestamp': ts,
                    'executable': entry['executable'],
                    'run_count': entry['run_count'],
                    'source': 'Prefetch'
                })
    elif 'last_run' in entry and entry['last_run']:
        timeline.append({
            'timestamp': entry['last_run'],
            'executable': entry['executable'],
            'run_count': entry['run_count'],
            'source': 'Prefetch'
        })
 
# Sort chronologically
timeline.sort(key=lambda x: x['timestamp'])
 
# Write timeline CSV
with open('/cases/case-2024-001/analysis/execution_timeline.csv', 'w', newline='') as f:
    writer = csv.DictWriter(f, fieldnames=['timestamp', 'executable', 'run_count', 'source'])
    writer.writeheader()
    writer.writerows(timeline)
 
# Print suspicious time window
for entry in timeline:
    if '2024-01-15' in entry['timestamp'] or '2024-01-16' in entry['timestamp']:
        print(f"  {entry['timestamp']} | {entry['executable']} (x{entry['run_count']})")
PYEOF

Key Concepts

Concept Description
Prefetch Windows performance optimization that pre-loads application data and tracks execution
SCCA signature Magic bytes identifying a valid Prefetch file
Path hash CRC-based hash of the executable path forming part of the .pf filename
Run count Number of times the executable has been launched (may wrap around)
Last run timestamps Windows 8+ stores up to 8 most recent execution timestamps
Referenced files List of files and directories accessed during the first 10 seconds of execution
Volume information Drive serial number and creation date identifying the source volume
MAM compression Windows 10 Prefetch files use MAM4 compression requiring decompression before parsing

Tools & Systems

Tool Purpose
PECmd Eric Zimmerman's Prefetch parser with CSV/JSON output
WinPrefetchView NirSoft GUI tool for viewing Prefetch files
python-prefetch Python library for parsing Prefetch files
Prefetch Hash Calculator Tool to calculate expected hash from executable paths
KAPE Automated artifact collection including Prefetch
Autopsy Forensic platform with Prefetch analysis module
Plaso/log2timeline Super-timeline tool that includes Prefetch parser
Velociraptor Endpoint agent with Prefetch collection and analysis artifacts

Common Scenarios

Scenario 1: Confirming Malware Execution Search Prefetch directory for the malware executable name, confirm execution via Prefetch existence, extract run count and last run time, identify referenced DLLs to understand malware behavior, correlate with registry autorun entries.

Scenario 2: Attacker Tool Usage Timeline Identify Prefetch files for PsExec, Mimikatz, BloodHound, and other attacker tools, build chronological timeline of tool execution, determine the sequence of the attack (reconnaissance, credential theft, lateral movement), match timestamps with network connection logs.

Scenario 3: Data Staging and Exfiltration Look for Prefetch entries of compression tools (7z, WinRAR, zip), identify execution of file transfer utilities (rclone, FTP clients), check for cloud storage client execution, timeline when data staging and transfer occurred.

Scenario 4: Anti-Forensics Detection Check for execution of known anti-forensic tools (CCleaner, Eraser, SDelete), identify if Prefetch directory was recently cleared (fewer files than expected for active system), note timestamps of anti-forensic tool execution relative to other evidence.

Output Format

Prefetch Analysis Summary:
  System: Windows 10 Pro (Build 19041)
  Prefetch Files: 234
  Analysis Period: All available execution history
 
  Execution Statistics:
    Total unique executables: 234
    First execution: 2023-06-15 (system install)
    Latest execution: 2024-01-18 23:45 UTC
 
  Suspicious Executions:
    MIMIKATZ.EXE-5F2A3B1C.pf
      Run Count: 3 | Last: 2024-01-16 02:30:15 UTC
    PSEXEC.EXE-AD70946C.pf
      Run Count: 7 | Last: 2024-01-16 02:45:30 UTC
    RCLONE.EXE-1F3E5A2B.pf
      Run Count: 2 | Last: 2024-01-17 03:15:00 UTC
    POWERSHELL.EXE-022A1004.pf
      Run Count: 145 | Last: 2024-01-18 14:00:00 UTC
 
  Attack Timeline (from Prefetch):
    2024-01-15 14:32 - POWERSHELL.EXE (initial access)
    2024-01-16 02:30 - MIMIKATZ.EXE (credential theft)
    2024-01-16 02:45 - PSEXEC.EXE (lateral movement)
    2024-01-17 03:15 - RCLONE.EXE (data exfiltration)
 
  Report: /cases/case-2024-001/analysis/execution_timeline.csv
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md3.1 KB

API Reference: Windows Prefetch Analysis Tools

Prefetch File Format

Location

C:\Windows\Prefetch\

Filename Convention

EXECUTABLE_NAME-XXXXXXXX.pf
  • EXECUTABLE_NAME - Uppercase name of the executed program
  • XXXXXXXX - Hash of the executable path (8 hex characters)
  • .pf - Prefetch file extension

Version History

Version Windows OS Notes
17 XP Basic format
23 Vista, 7 Added run count, timestamps
26 8, 8.1 Extended timestamps (8 entries)
30 10, 11 MAM compressed, 8 timestamps

Header Structure (Uncompressed)

Offset Size Field
0 4 Version
4 4 Signature (SCCA)
12 4 File size
16 60 Executable name (UTF-16LE)
76 4 Prefetch hash

PECmd (Eric Zimmerman) - Full Parser

Syntax

PECmd.exe -f <prefetch_file>              # Single file
PECmd.exe -d <prefetch_directory>          # Entire directory
PECmd.exe -d <dir> --csv <output_dir>     # Export to CSV
PECmd.exe -d <dir> --json <output_dir>    # Export to JSON
PECmd.exe -f <file> -q                    # Quiet mode

Output Fields

Field Description
SourceFilename Original executable path
RunCount Number of times executed
LastRun Most recent execution timestamp
PreviousRun0-7 Up to 8 previous run timestamps (Win8+)
FilesLoaded DLLs and files accessed during execution
Directories Directories accessed
VolumeSerialNumber Volume where executable resided

WinPrefetchView (NirSoft)

GUI Features

  • Lists all prefetch files with execution details
  • Shows run count, timestamps, referenced files
  • Export to CSV, HTML, or text
  • Sort by any column for analysis

Python Prefetch Parsing

Structure Parsing

import struct
 
with open("APP.EXE-HASH.pf", "rb") as f:
    data = f.read()
 
version = struct.unpack_from("<I", data, 0)[0]
signature = data[4:8]   # Should be b"SCCA"
exe_name = data[16:76].decode("utf-16-le").rstrip("\x00")
pf_hash = struct.unpack_from("<I", data, 76)[0]

FILETIME Conversion

import datetime
 
def filetime_to_datetime(filetime):
    epoch = datetime.datetime(1601, 1, 1)
    delta = datetime.timedelta(microseconds=filetime // 10)
    return epoch + delta

Suspicious Prefetch Indicators

Offensive Tools

Tool Prefetch Name
Mimikatz MIMIKATZ.EXE-*.pf
PsExec PSEXEC.EXE-*.pf, PSEXESVC.EXE-*.pf
BloodHound SHARPHOUND.EXE-*.pf
Rubeus RUBEUS.EXE-*.pf
LaZagne LAZAGNE.EXE-*.pf

LOLBins (Living Off the Land)

Binary Concern
CERTUTIL.EXE File download, Base64 decode
MSHTA.EXE Script execution via HTA
REGSVR32.EXE COM scriptlet execution
BITSADMIN.EXE File download
MSBUILD.EXE Code execution via project files

Timeline Integration

Plaso / log2timeline

log2timeline.py timeline.plaso /path/to/prefetch/
psort.py -o l2tcsv timeline.plaso > prefetch_timeline.csv

Scripts 1

agent.py8.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Windows Prefetch file analysis agent for program execution history forensics."""

import struct
import os
import sys
import datetime
import json
import glob


def parse_prefetch_header(filepath):
    """Parse the Prefetch file header to extract execution metadata."""
    with open(filepath, "rb") as f:
        data = f.read()

    # Check for compression (Windows 10 prefetch files are MAM compressed)
    if data[:4] == b"MAM\x04":
        # Windows 10 compressed format - need decompression
        return {"error": "Compressed prefetch (Windows 10 MAM format) - use PECmd for full parsing",
                "compressed": True, "raw_size": len(data)}

    # Standard prefetch header (versions 17, 23, 26, 30)
    if len(data) < 84:
        return {"error": "File too small to be a valid prefetch file"}

    version = struct.unpack_from("<I", data, 0)[0]
    signature = data[4:8]

    if signature != b"SCCA":
        return {"error": f"Invalid signature: {signature.hex()} (expected 53434341)"}

    file_size = struct.unpack_from("<I", data, 12)[0]
    exe_name = data[16:76].decode("utf-16-le", errors="replace").rstrip("\x00")
    hash_value = struct.unpack_from("<I", data, 76)[0]

    result = {
        "version": version,
        "signature": signature.hex(),
        "file_size": file_size,
        "executable_name": exe_name,
        "prefetch_hash": f"0x{hash_value:08X}",
    }

    # Version-specific parsing
    if version == 17:  # Windows XP
        result["format"] = "Windows XP"
        run_count = struct.unpack_from("<I", data, 144)[0]
        last_run = parse_filetime(struct.unpack_from("<Q", data, 120)[0])
        result["run_count"] = run_count
        result["last_run_time"] = last_run
    elif version == 23:  # Windows Vista/7
        result["format"] = "Windows Vista/7"
        run_count = struct.unpack_from("<I", data, 152)[0]
        last_run = parse_filetime(struct.unpack_from("<Q", data, 128)[0])
        result["run_count"] = run_count
        result["last_run_time"] = last_run
    elif version == 26:  # Windows 8/8.1
        result["format"] = "Windows 8/8.1"
        run_count = struct.unpack_from("<I", data, 208)[0]
        last_run = parse_filetime(struct.unpack_from("<Q", data, 128)[0])
        result["run_count"] = run_count
        result["last_run_time"] = last_run
    elif version == 30:  # Windows 10/11
        result["format"] = "Windows 10/11"
        result["note"] = "Use PECmd.exe for full Windows 10 prefetch parsing"
    else:
        result["format"] = f"Unknown version {version}"

    return result


def parse_filetime(filetime):
    """Convert Windows FILETIME (100ns intervals since 1601-01-01) to ISO string."""
    if filetime == 0:
        return "N/A"
    try:
        epoch = datetime.datetime(1601, 1, 1)
        delta = datetime.timedelta(microseconds=filetime // 10)
        dt = epoch + delta
        return dt.isoformat() + "Z"
    except (OverflowError, OSError):
        return "Invalid timestamp"


def parse_prefetch_filename(filename):
    """Parse executable name and hash from prefetch filename format: APPNAME-HASH.pf."""
    basename = os.path.basename(filename)
    if not basename.upper().endswith(".PF"):
        return None, None
    name_part = basename[:-3]  # Remove .pf
    parts = name_part.rsplit("-", 1)
    if len(parts) == 2:
        return parts[0], parts[1]
    return name_part, None


def scan_prefetch_directory(prefetch_dir):
    """Scan a directory of prefetch files and extract execution history."""
    results = []
    pf_files = glob.glob(os.path.join(prefetch_dir, "*.pf"))
    pf_files.extend(glob.glob(os.path.join(prefetch_dir, "*.PF")))

    for pf_file in sorted(set(pf_files)):
        exe_name, pf_hash = parse_prefetch_filename(pf_file)
        header = parse_prefetch_header(pf_file)
        results.append({
            "file": os.path.basename(pf_file),
            "parsed_name": exe_name,
            "parsed_hash": pf_hash,
            "file_modified": datetime.datetime.fromtimestamp(
                os.path.getmtime(pf_file)).isoformat(),
            "header": header,
        })
    return results


SUSPICIOUS_EXECUTABLES = [
    "MIMIKATZ", "PSEXEC", "WMIC", "PROCDUMP", "RUBEUS", "SEATBELT",
    "BLOODHOUND", "SHARPHOUND", "LAZAGNE", "SECRETSDUMP", "NTDSUTIL",
    "CERTUTIL", "BITSADMIN", "MSHTA", "REGSVR32", "RUNDLL32",
    "CSCRIPT", "WSCRIPT", "POWERSHELL", "CMD", "MSBUILD",
    "INSTALLUTIL", "REGASM", "REGSVCS", "XWIZARD",
    "NETCAT", "NCAT", "NC", "NMAP", "MASSCAN",
    "RAR", "7Z", "WINRAR", "RCLONE",
]


def detect_suspicious_execution(prefetch_results):
    """Flag suspicious or known-attacker-tool prefetch files."""
    findings = []
    for result in prefetch_results:
        name = (result.get("parsed_name") or "").upper()
        for sus in SUSPICIOUS_EXECUTABLES:
            if sus in name:
                findings.append({
                    "severity": "HIGH",
                    "executable": result.get("parsed_name"),
                    "file": result.get("file"),
                    "reason": f"Known offensive/dual-use tool: {sus}",
                    "run_count": result.get("header", {}).get("run_count"),
                    "last_run": result.get("header", {}).get("last_run_time"),
                })
                break
    return findings


def build_execution_timeline(prefetch_results):
    """Build a chronological timeline of program execution."""
    timeline = []
    for result in prefetch_results:
        header = result.get("header", {})
        last_run = header.get("last_run_time")
        if last_run and last_run not in ("N/A", "Invalid timestamp"):
            timeline.append({
                "timestamp": last_run,
                "executable": result.get("parsed_name"),
                "run_count": header.get("run_count"),
                "prefetch_file": result.get("file"),
            })
    return sorted(timeline, key=lambda x: x["timestamp"])


def run_pecmd(prefetch_path, output_dir=None):
    """Run Eric Zimmerman's PECmd for comprehensive prefetch parsing."""
    import subprocess
    cmd = ["PECmd.exe", "-f", prefetch_path]
    if output_dir:
        cmd += ["--csv", output_dir]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return result.stdout, result.returncode


if __name__ == "__main__":
    print("=" * 60)
    print("Windows Prefetch File Analysis Agent")
    print("Execution history, timeline building, suspicious tool detection")
    print("=" * 60)

    target = sys.argv[1] if len(sys.argv) > 1 else None

    if target and os.path.exists(target):
        if os.path.isdir(target):
            print(f"\n[*] Scanning prefetch directory: {target}")
            results = scan_prefetch_directory(target)
            print(f"[*] Found {len(results)} prefetch files")

            print("\n--- Execution History ---")
            for r in results[:20]:
                header = r.get("header", {})
                name = r.get("parsed_name", "?")
                count = header.get("run_count", "?")
                last = header.get("last_run_time", "?")
                print(f"  {name:30s} runs={count} last={last}")

            print("\n--- Suspicious Executables ---")
            suspicious = detect_suspicious_execution(results)
            for s in suspicious:
                print(f"  [!] {s['executable']}: {s['reason']} "
                      f"(runs={s['run_count']}, last={s['last_run']})")

            print("\n--- Execution Timeline ---")
            timeline = build_execution_timeline(results)
            for t in timeline[-20:]:
                print(f"  {t['timestamp']} | {t['executable']} (x{t['run_count']})")
        else:
            print(f"\n[*] Analyzing: {target}")
            exe_name, pf_hash = parse_prefetch_filename(target)
            print(f"  Name: {exe_name}, Hash: {pf_hash}")
            header = parse_prefetch_header(target)
            print(f"  {json.dumps(header, indent=2)}")
    else:
        print(f"\n[DEMO] Usage:")
        print(f"  python agent.py <prefetch_dir>    # Analyze all .pf files")
        print(f"  python agent.py <file.pf>         # Analyze single prefetch file")
Keep exploring