Windows Prefetch Directory
The Prefetch folder in Windows contains information about recently run software on a Windows machine. It can be very valuable to examine the content of the Prefetch directory (found at %WINDIR%\Prefetch, usually either C:\WINDOWS\Prefetch or C:\WINNT\Prefetch) to find clues about which software has been run on the system recently.
To be able to use this script that I wrote, you need to first mount the Windows image file (see my previous post on how to mount an NTFS volume in Linux). Then you can run the script, which can be found here, like this:
read_prefetch /mnt/analyze/WINNT/Prefetch
Or you can create an HTML report like this:
read_prefetch -h /tmp/report.html /mnt/analyze/WINNT/Prefetch
An example report can be seen here:
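As an added illustration of what such a script has to do (this is example code written for this page, not the read_prefetch script linked above), the following Python parses the header of each .pf file in a directory and lists the executable name, run counter and last-run timestamp, newest first. It assumes the publicly documented SCCA layout for format versions 17 (XP/2003) and 23 (Vista/7); the field offsets, the synthetic sample files it writes when run without an argument, and the hash value 0xABCD1234 in those samples are constructed for the example. Newer versions (26 on Windows 8.1, the MAM-compressed files on Windows 10) are rejected rather than guessed at.

```python
"""Minimal parser for XP/Vista/7-era Windows Prefetch (.pf) files.

Example code for this page, not the post's read_prefetch script. Offsets
follow the documented SCCA layout for format versions 17 and 23; other
versions are reported as unsupported instead of being parsed blindly.
"""
import os
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
# format version -> (offset of last-run FILETIME, offset of run counter)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return a dict describing one .pf header, or raise ValueError."""
    if len(data) < 0xA0 or data[4:8] != SIGNATURE:
        raise ValueError("not an SCCA prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    ts_off, cnt_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, ts_off)[0]
    run_count = struct.unpack_from("<I", data, cnt_off)[0]
    return {
        "version": version,
        "executable": name,
        "hash": "%08X" % pf_hash,
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def scan_prefetch_dir(path):
    """Parse every *.pf under path; return entries sorted newest first."""
    entries = []
    for fname in os.listdir(path):
        if not fname.lower().endswith(".pf"):
            continue
        with open(os.path.join(path, fname), "rb") as fh:
            try:
                rec = parse_prefetch(fh.read())
            except ValueError as exc:
                # a corrupt or newer-format file must not abort the whole triage
                print("skipping %s: %s" % (fname, exc))
                continue
        rec["file"] = fname
        entries.append(rec)
    entries.sort(key=lambda r: r["last_run"], reverse=True)
    return entries


def build_sample_pf(version, exe_name, last_run, run_count):
    """Construct a synthetic .pf blob (constructed test data, not a real capture)."""
    size = 0x100
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = SIGNATURE
    struct.pack_into("<I", buf, 0x0C, size)
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0xABCD1234)  # constructed hash value
    ts_off, cnt_off = LAYOUT[version]
    ft = int((last_run - EPOCH).total_seconds() * 10_000_000)
    struct.pack_into("<Q", buf, ts_off, ft)
    struct.pack_into("<I", buf, cnt_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        target = sys.argv[1]  # e.g. /mnt/analyze/WINNT/Prefetch
    else:
        # no directory given: write two constructed samples and scan those
        target = tempfile.mkdtemp()
        t0 = datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc)
        samples = [
            ("NOTEPAD.EXE-ABCD1234.pf", 17, "NOTEPAD.EXE", t0, 5),
            ("CMD.EXE-ABCD1234.pf", 23, "CMD.EXE", t0 + timedelta(hours=3), 12),
        ]
        for fname, ver, exe, ts, cnt in samples:
            with open(os.path.join(target, fname), "wb") as fh:
                fh.write(build_sample_pf(ver, exe, ts, cnt))
    for rec in scan_prefetch_dir(target):
        print("%s  runs=%-4d  %s  (%s)" % (rec["last_run"].isoformat(),
                                           rec["run_count"], rec["executable"], rec["file"]))
```

Run it with the mounted Prefetch directory as the only argument, the same path the post passes to read_prefetch; with no argument it scans two constructed sample files so the output format can be seen offline. Sorting on the embedded last-run FILETIME rather than on the .pf file's modification time is deliberate: the header timestamp is what the loader recorded, whereas filesystem timestamps are easier to disturb during imaging or copying.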
Categories: Forensics, Windows Analysis
