Skip to main content
CTF Support
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. CTF Support
  2. /
  3. Forensics
  4. /
  5. Logs & System Artifacts
  6. /
  7. Prefetch Analysis
Edit page

Prefetch Analysis

Introduction

Windows Prefetch files (.pf) record information about executed applications for performance optimization. They also provide evidence of program execution, even after binaries have been deleted.

Tools

Tool Purpose
PECmd Parse Prefetch files and extract execution metadata

Location 

C:\Windows\Prefetch\

Example files: CMD.EXE‑A6294E76.pf, MIMIKATZ.EXE‑B29D8C74.pf

Key Fields

Field Description
Run Count Number of times the program executed
Last Run Time Most recent execution timestamp (UTC)
File List Files accessed by this executable

Example 

PECmd.exe -d C:\Windows\Prefetch --csv out/