During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.
Using the tool
The following fields must be provided:
Including the extension. It will be embedded in the prefetch filename, unless this happens.
8 hexadecimal digits at the end of the prefetch filename, right before the
There are 3 known prefetch hash functions:
Used in Windows XP
Used in Windows Vista and Windows 10
Used in Windows 7, Windows 8 and Windows 8.1
A bodyfile of the volume the executable was executed from.
The bodyfile format is not very restrictive, so there are a lot of variations of it – some of which are not supported. Body files created with
MFTECmd should work fine.
The mount point of the bodyfile, as underlined below:
How does it work?
The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there’s a possible full path for which the result matches the provided hash, that path is outputted.
The following cases are not supported:
- Hosting applications, such as
- Applications executed with the
- Applications executed from a UNC (network) path
The 29-character limit
If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:
This is a very long file nameSo this part will be truncated.exe
C:Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:
THIS IS A VERY LONG FILE NAME-D0B882CC.pf
In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.