Investigating Prefetch
21/05/2021 Friday
Prefetch is a Microsoft Windows feature that first appeared in Windows XP. It is a Memory Manager component that can speed up the Windows boot process and reduce the time it takes for programs to start up. It achieves this by storing files required by an application in RAM as soon as the application is launched, thereby reducing disk seeks and consolidating disk reads. Prefetch is available on Windows XP, 2003, Vista, 7, 8.1, and Windows 10.
Digital Forensics Value of Prefetch Artifacts
Prefetch speeds up the loading of a specific application resource, allowing you to open your most used application faster. Prefetching enables a browser to fetch the resources required to view content that will be accessed later. Prefetch files will disclose whether the individual installed and ran a particular program, tracking such information is critical during the digital forensic analysis process.
Location of Prefetch Artifacts
In Windows XP/7/8/10 Prefetch artifacts are located at C:\Windows\Prefetch.
Structure of Prefetch Artifacts
The Prefetch structure contains program source code files that include:
- The name of the corresponding executable.
- The size of the prefetch file.
- The number of times the executable has been run.
- Information related to the volume that the executable is on.
- The files and directories that were referenced during the application startup.
Analyzing Prefetch Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to analyze Prefetch artifact from Windows machines and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Prefetch artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Prefetch artifact in ArtiFast software.
Prefetch Artifact
- Executable File Name - Process/application name.
- Executable File Path - Process/application path.
- Run Count - Indicates the number of times the process/application was run.
- Prefetch File Creation Time - File creation time.
- Prefetch File Last Modification Time - File last modification time.
- Last Run Time - Date and time when the process/application was last run.
- 2nd Recent Run Time - 2nd recent run time.
- 3rd Recent Run Time - 3rd recent run time.
- 4th Recent Run Time - 4th recent run time.
- 5th Recent Run Time - 5th recent run time.
- 6th Recent Run Time - 6th recent run time.
- 7th Recent Run Time - 7th recent run time.
- 8th Recent Run Time - 8th recent run time.
- Loaded Resources - Loaded resources.
- Volumes Information - Information about the volumes (volume name, creation time, serial number, etc.)
