Prefetch Files
Prefetch speeds up the loading of a specific application's resources, so that the applications you use most open faster. Prefetching enables a browser to fetch the resources required to view content that will be accessed later. Prefetch files disclose whether a user installed and ran a particular program, which is critical information during digital forensic analysis: from them we can determine which executable was run and when. Prefetch also records information about the loaded files, which tells us which files and paths the program interacted with during its execution.
We can use PECmd by Eric Zimmerman to parse the prefetch files.
C:\Users\Hp\Downloads\Compressed\PECmd\PECmd.exe -d "C:\Users\Hp\Downloads\campfire-1\Triage\Workstation\2024-05-21T033012_triage_asset" --csv . --csvf output.csv
Now, we can use Timeline Explorer to correlate events.
We should look for any execution around the timeline we have established so far. Let's filter for the date of the incident to reduce the noise by adding a filter on the "Last Run" field.

To get the full path of the file, go to the "Files Loaded" column and double-click the cell to see all files the tool loaded at execution.

You can check the "Last Run" column to see when the tool was actually run.
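The same two checks (filter on the incident date, then recover the full path from the loaded files) can be scripted over PECmd's CSV output. This is an added example, not code from the original writeup; it assumes the column names ExecutableName, RunCount, LastRun and FilesLoaded from PECmd's CSV header, and the three rows and the volume GUID are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of PECmd --csv output, trimmed to the columns used here.
# Assumption: header names match PECmd's CSV and LastRun is written as
# "YYYY-MM-DD HH:MM:SS.fffffff". The volume GUID is made up.
SAMPLE_CSV = r'''ExecutableName,RunCount,LastRun,FilesLoaded
NOTEPAD.EXE,12,2024-05-19 10:15:02.1234567,"\VOLUME{01d9b1c2e3f4a5b6-a1b2c3d4}\WINDOWS\SYSTEM32\NOTEPAD.EXE,\VOLUME{01d9b1c2e3f4a5b6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL"
TOOL.EXE,1,2024-05-21 03:30:12.0000000,"\VOLUME{01d9b1c2e3f4a5b6-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL,\VOLUME{01d9b1c2e3f4a5b6-a1b2c3d4}\USERS\HP\DOWNLOADS\TOOL.EXE"
CMD.EXE,40,2024-05-21 03:31:40.5000000,"\VOLUME{01d9b1c2e3f4a5b6-a1b2c3d4}\WINDOWS\SYSTEM32\CMD.EXE"
'''

def load_rows(csv_text):
    """Parse PECmd CSV text into one dict per prefetch file."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def parse_last_run(value):
    """PECmd writes seven fractional digits, which strptime cannot take; keep seconds only."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S")

def runs_on(rows, day):
    """Rows whose LastRun falls on the incident date, oldest first (the Timeline Explorer filter)."""
    hits = [r for r in rows if parse_last_run(r["LastRun"]).date() == day]
    return sorted(hits, key=lambda r: parse_last_run(r["LastRun"]))

def executable_path(row):
    """Recover the executable's full path from FilesLoaded: the prefetch file itself only
    stores the file name, so pick the loaded entry whose basename equals ExecutableName."""
    for entry in row["FilesLoaded"].split(","):
        if entry.rsplit("\\", 1)[-1].upper() == row["ExecutableName"].upper():
            return entry
    return None  # executable not among the loaded files (e.g. truncated list)

if __name__ == "__main__":
    incident_day = parse_last_run("2024-05-21 00:00:00").date()
    for row in runs_on(load_rows(SAMPLE_CSV), incident_day):
        print(row["LastRun"], row["ExecutableName"], "->", executable_path(row))
```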