PeCmd
How to use PeCmd to parse Windows Prefetch (.pf) files in order to provide evidence that a specific application was executed during an incident investigation.
PECmd is a command line tool developed by Eric Zimmerman, to process Prefetch files (.pf) on Windows operating systems, identifying items such as:
Volume information
Files and Directories referenced
Executions time (up to last 8 for Win8+)
Total execution count
PECmd can output the parsed prefetch files into .csv, json and HTML formats for further analysis. It should be noted that Windows Servers do not have prefetch enabled by default, information on enabling this service can be found on Darkcybe - Evidence of Execution
Instructions
Parsing a Single Prefetch File
Parses the prefetch file for bad.exe and writes the output to a .csv file for further analysis. A single entry will be returned to STDOUT
Output
Parsing all Prefetch Files within a Directory
Parses all prefetch files within a supplied directory. The example depicts parsing all .pf files within the default Windows prefetch directory and writes the output to a .csv file for further analysis. The q switch prevents the tool from printing the results to STDOUT. Two files will be output, a standard parsing of the entries Prefetch directory and a second timeline view of individual application executions.
Interesting Fields
SourceCreated = .pf Creation Timestamp
SourceModified = .pf Modification Timestamp
SourceAccessed = .pf Last Access Timestamp (Will be overwritten by tooling)
ExecutableName = Name of executable
RunCount = Amount of times executed
LastRun = Timestamp of last execution
PreviousRun# = Timestamps of previous executions
Output
Date/Time of Execution Prefetch files are created roughly ~10 seconds after an executable is executed, therefore the modification (last execution) and creation (first execution) DTGโs may be 10 seconds after displayed times on the prefetch listings. {: .prompt-info }
Sources
Last updated
