
Windows Prefetch Directory

The Prefetch folder in Windows contains information about software that has recently been run on the machine. Every time an executable starts, Windows writes (or updates) a .pf file named after the executable plus a hash of its full path, for example CMD.EXE-087B4001.pf. The file records the executable name, how many times it has been run, when it was last run, and the files and directories it touched while starting up (including the path of the executable itself and the DLLs it loaded). Examining the content of the prefetch directory (found at %WINDIR%\Prefetch, usually either C:\WINDOWS\Prefetch or C:\WINNT\Prefetch) is therefore a quick way to find out which software has been run on the system, and the entry survives even if the executable itself has since been deleted. Two caveats: prefetching is enabled by default on the workstation versions of Windows but disabled by default on the server editions (the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters controls it), and the directory holds at most 128 entries on XP through Windows 7, so older entries get evicted on a busy system.

To use the script I wrote, first mount the Windows image file (see my previous post on how to mount an NTFS volume in Linux). Then run the script, which can be found here, like this:

read_prefetch /mnt/analyze/WINNT/Prefetch

Or you can create an HTML report like this:

read_prefetch -h /tmp/report.html /mnt/analyze/WINNT/Prefetch

An example report can be seen here:

Example report
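As an added example (this is not the read_prefetch script from this post, whose source is linked above rather than reproduced here), the following Python script does the same job: it walks a mounted Prefetch directory, parses each .pf file and lists the executable name, path hash, run count, last run time and the files that were loaded, newest run first. The field offsets are those of the publicly documented XP/2003 (version 17) and Vista/7 (version 23) prefetch formats. When run without an argument it builds two sample .pf files in a temporary directory and reads them back; those samples, their file lists and their hash values are constructed fixtures, not data from a real system.

```python
"""Minimal Windows Prefetch (.pf) reader for XP/2003 (v17) and Vista/7 (v23).

Added example, not the read_prefetch script from the post. Sample files
built by sample_directory() are constructed fixtures.
"""
import os
import struct
import sys
import tempfile
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The "file information" block starts at 0x54 in both versions, but the
# last-run FILETIME and the run count sit at different offsets inside it.
LAYOUTS = {
    17: {"last_run": 0x78, "run_count": 0x90, "header": 0x98},  # XP / 2003
    23: {"last_run": 0x80, "run_count": 0x98, "header": 0xF0},  # Vista / 7
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Parse the bytes of one .pf file and return its key fields as a dict.

    Raises ValueError for anything that is not an uncompressed v17/v23 file
    (Windows 10 .pf files start with MAM\\x04 and are compressed).
    """
    if len(data) < 8 or data[4:8] != SIGNATURE:
        raise ValueError("not an uncompressed SCCA prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError("unsupported prefetch version %d" % version)
    layout = LAYOUTS[version]
    if len(data) < layout["header"]:
        raise ValueError("truncated prefetch file")
    # Executable name: 60 bytes of NUL-padded UTF-16LE at offset 0x10.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    # Hash of the executable's full path; the same value is in the filename.
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # Filename strings section: concatenated NUL-terminated UTF-16LE strings.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    raw = data[strings_off:strings_off + strings_len].decode("utf-16-le", "replace")
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "executable": exe_name,
        "hash": "%08X" % path_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "files": [s for s in raw.split("\x00") if s],
    }


def read_prefetch_dir(path):
    """Parse every .pf file in a (mounted) Prefetch directory, newest run first."""
    results = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".pf"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            try:
                results.append(parse_prefetch(fh.read()))
            except ValueError as err:
                print("skipping %s: %s" % (name, err), file=sys.stderr)
    return sorted(results, key=lambda r: r["last_run"], reverse=True)


def build_sample_pf(version, exe_name, path_hash, last_run_iso, run_count, files):
    """Construct a minimal well-formed .pf file in memory (fixture only)."""
    layout = LAYOUTS[version]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    buf = bytearray(layout["header"])
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = SIGNATURE
    buf[0x10:0x4C] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<II", buf, 0x64, layout["header"], len(strings))
    when = datetime.fromisoformat(last_run_iso).replace(tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(when))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    buf += strings
    struct.pack_into("<I", buf, 0x0C, len(buf))  # total file size field
    return bytes(buf)


def sample_directory():
    """Two constructed .pf files (one XP-format, one Win7-format), keyed by filename."""
    ntdll = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL"
    return {
        "CMD.EXE-087B4001.pf": build_sample_pf(
            17, "CMD.EXE", 0x087B4001, "2010-04-21T22:36:00", 12,
            [ntdll, "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE"]),
        "NC.EXE-1B2C3D4E.pf": build_sample_pf(
            23, "NC.EXE", 0x1B2C3D4E, "2010-04-23T03:12:45", 1,
            [ntdll, "\\DEVICE\\HARDDISKVOLUME1\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\NC.EXE"]),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # e.g. /mnt/analyze/WINNT/Prefetch
    else:
        target = tempfile.mkdtemp()  # demo run on the constructed fixtures
        for name, blob in sample_directory().items():
            with open(os.path.join(target, name), "wb") as fh:
                fh.write(blob)
    for entry in read_prefetch_dir(target):
        print("%s  %-12s hash %s  run %3d times" % (
            entry["last_run"].strftime("%Y-%m-%d %H:%M:%S"), entry["executable"],
            entry["hash"], entry["run_count"]))
        for loaded in entry["files"]:
            print("    " + loaded)
```

Run it as `python3 read_pf.py /mnt/analyze/WINNT/Prefetch` against the mounted image. The filename strings section is the part worth reading closely in an investigation: it names the full path the executable was started from (a tool run from a user's TEMP directory, as in the second fixture, stands out) and the DLLs it pulled in. Because the hash in the filename is derived from the full path, the same program run from two locations produces two separate .pf files.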

Categories: Forensics, Windows Analysis
  1. John
    April 21st, 2010 at 22:36

    Thanks for the great script. I’m having trouble with the html output though… if I use the -h flag, I get an error:

    $ ./read_prefetch.pl -h /tmp/report.html /mnt/analysis/WINDOWS/Prefetch/
    Option h is ambiguous (help, html)

    When I specify ‘-html’, the script completes dumping to stdout but not creating the html report. Any suggestions? I'm using Ubuntu 9.10.

  2. April 26th, 2010 at 12:26

    I sent you an e-mail, this should be an easy fix, just need a bit more info.
