I have received some feedback from the EnCase forums about posting my Prefetch Folder analysis EnScript, and I thought this would be a good place to do it and make it available to everyone. Before I get started I want to give credit to Harlan Carvey and his book Windows Forensic Analysis; this script is based on one of the Perl scripts in that book.
For those of you who have not read the book or don't know what prefetching is: prefetching is Windows' way of shortening load times for programs that are used often. The .pf files in the Prefetch folder (%SystemRoot%\Prefetch) record which files and pages an executable touched during its first seconds of startup so Windows can read them ahead of time on the next launch. On Windows XP this folder holds up to 128, sometimes more, .pf files, and all of them can be analyzed with this script. Each .pf file records the hard page faults of the .exe along with metadata: the path the executable was run from (and the DLLs and other files it loaded), the last time it ran, and how many times it has been launched. There may be multiple .pf files with the same executable name in the directory, such as rundll32.exe-XXXXXXXX.pf or notepad.exe-XXXXXXXX.pf, each with a different set of eight hex characters after the .exe-. These characters are not random; they are a hash of the path the .exe was run from, so if one notepad.exe is run from system32 and another from the windows directory, two different .pf files are generated. Evil will more than likely show up in this folder, and you will be able to find where it was run from by looking at these files, or by running this script.
So the big question is: how do I use this EnScript, and why should I download it? It will show you all the information talked about above, specifically:
Location of the .exe (the full device path it was run from)
Number of times the .exe has run
Last time the .exe ran (stored in the file as a UTC FILETIME)
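Those three values sit at fixed offsets in the .pf header, so they can be pulled out of the raw bytes without EnCase. The parser below is an added example written for this post; it is not the EnScript and not Harlan Carvey's Perl script. It reads the Windows XP/2003 (format version 17) and Vista/7 (format version 23) layouts, extracts the executable name, path hash, last-run FILETIME, run counter and the list of loaded file paths, picks the executable's own path out of that list, and checks that the hash in the header matches the hex suffix of the .pf file name. The sample .pf bytes are constructed inline for the demo: they are not real files, the paths are made up, and the hash values are arbitrary numbers rather than computed hashes.

```python
import struct
from datetime import datetime, timedelta

# Header layout of the SCCA (.pf) format for the two versions this example supports.
# Offsets are from the start of the file. Fields common to both versions:
#   0x00  uint32    format version (17 = XP/2003, 23 = Vista/7)
#   0x04  char[4]   "SCCA" signature
#   0x0C  uint32    file size
#   0x10  wchar[30] executable name, NUL padded (60 bytes)
#   0x4C  uint32    path hash (the hex suffix of the .pf file name)
#   0x64  uint32    offset of the filename-strings section
#   0x68  uint32    length of the filename-strings section
# The last-run FILETIME and the run counter moved between versions:
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "header_len": 0x98},  # Windows XP, Server 2003
    23: {"last_run": 0x80, "run_count": 0x98, "header_len": 0x9C},  # Windows Vista, 7
}
FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks since this instant, UTC


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds  # exact integer math
    return micros * 10


def parse_prefetch(data):
    """Return executable name, hash, last run, run count and loaded paths from .pf bytes."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file: missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    off = LAYOUT[version]
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, off["last_run"])[0]
    run_count = struct.unpack_from("<I", data, off["run_count"])[0]
    # The strings section is a run of NUL-terminated UTF-16LE device paths (\DEVICE\HARDDISKVOLUMEn\...)
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le")
    loaded = [p for p in blob.split("\x00") if p]
    # The executable's own location is the entry whose file name matches the header name
    exe_paths = [p for p in loaded if p.upper().endswith("\\" + exe_name.upper())]
    return {
        "version": version,
        "exe_name": exe_name,
        "path_hash": "%08X" % path_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "exe_location": exe_paths[0] if exe_paths else None,
        "loaded_files": loaded,
    }


def hash_matches_filename(pf_name, parsed):
    """True when the hex suffix of NAME.EXE-XXXXXXXX.pf equals the hash stored in the header."""
    suffix = pf_name.rsplit(".", 1)[0].rsplit("-", 1)[-1]
    return suffix.upper() == parsed["path_hash"]


def build_sample_pf(version, exe_name, path_hash, file_paths, last_run, run_count):
    """Constructed test data: a minimal .pf carrying only the fields parse_prefetch reads.
    The metrics, trace-chain and volume sections of a real file are left zeroed."""
    off = LAYOUT[version]
    blob = "".join(p + "\x00" for p in file_paths).encode("utf-16-le")
    buf = bytearray(off["header_len"] + len(blob))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, len(buf))
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<II", buf, 0x64, off["header_len"], len(blob))
    struct.pack_into("<Q", buf, off["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, off["run_count"], run_count)
    buf[off["header_len"]:] = blob
    return bytes(buf)


# Constructed samples: the same notepad.exe launched from two directories gives two .pf
# files with different hash suffixes. The hash values here are made up, not computed.
SYS32 = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\"
WINDIR = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\"
SAMPLE_XP_NAME = "NOTEPAD.EXE-1A2B3C4D.pf"
SAMPLE_XP = parse_prefetch(build_sample_pf(
    17, "NOTEPAD.EXE", 0x1A2B3C4D,
    [SYS32 + "NTDLL.DLL", SYS32 + "KERNEL32.DLL", SYS32 + "NOTEPAD.EXE"],
    datetime(2009, 3, 14, 15, 9, 26), 5))
SAMPLE_WIN7_NAME = "NOTEPAD.EXE-5E6F7A8B.pf"
SAMPLE_WIN7 = parse_prefetch(build_sample_pf(
    23, "NOTEPAD.EXE", 0x5E6F7A8B,
    [SYS32 + "NTDLL.DLL", WINDIR + "NOTEPAD.EXE"],
    datetime(2010, 8, 2, 9, 30, 0), 12))

if __name__ == "__main__":
    for name, parsed in ((SAMPLE_XP_NAME, SAMPLE_XP), (SAMPLE_WIN7_NAME, SAMPLE_WIN7)):
        print(name, "hash ok" if hash_matches_filename(name, parsed) else "HASH MISMATCH")
        print("  exe location:", parsed["exe_location"])
        print("  run count:   ", parsed["run_count"])
        print("  last run:    ", parsed["last_run"], "UTC")
```

Two caveats when pointing this at real files: the last-run value is UTC, so convert it to the machine's time zone before lining it up with other artifacts, and Windows 8 and 10 use newer format versions (26 and 30) with different offsets, with Windows 10 additionally storing the .pf contents compressed; the parser refuses those rather than misreading them.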
The other data you can correlate with this is the creation time of the .pf file itself, which comes from the file system rather than from the contents of the .pf. Knowing when the .pf file was created and when the .exe last ran gives you a date range for how long the .exe has been in use on the machine, which is great for malware (evil) or any case where a user is not supposed to be running programs outside the enterprise's gold build. Keep in mind that the .pf file is created the first time the program runs, so the range is first run to last run, not the time the file was dropped on disk. The .pf files do not give attribution to who ran the program, but you can compare them against the UserAssist registry keys in each user's NTUSER.DAT to see who ran it. The EnScript can be downloaded below.
Prefetch Folder Analysis