Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
Prefetch files (C:\Windows\Prefetch\*.pf) are created by Windows to speed up application loading: each one records an executable's name, how many times it has run, when it last ran, and the files and directories it touched during launch. Decoding them gives a program execution history for the host, which is valuable in digital forensics and incident response.
Step 1: Download the Tool
Go to Eric Zimmerman's GitHub repository (EricZimmerman/PECmd) or his tools page (https://ericzimmerman.github.io) to find the latest version.
Download PECmd and verify you are running the current release, since the command-line options have changed between major versions.
Step 2: Prepare the Environment
Extract the downloaded zip file to a folder of your choice.
Place the Prefetch files you wish to analyze into a directory that's easily accessible.
Step 3: Open Command Prompt and Navigate to the Tool's Directory
Press Win + R, type cmd, and hit Enter to open the Command Prompt.
cd C:\Users\Profile\IR\Tools
Step 4: Execute the PECmd Tool
To analyze a single Prefetch file:
.\PECmd.exe -f C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf
For analyzing all Prefetch files in a directory (reading the live C:\Windows\Prefetch requires an elevated prompt, and running PECmd on the host adds a PECMD.EXE-*.pf entry of its own, so prefer a collected copy where you can):
.\PECmd.exe -d C:\Windows\Prefetch\
Step 5: Review the Output
The tool parses each Prefetch file, including the compressed files Windows 10 and 11 write (they start with the MAM signature), and prints the results in the Command Prompt.
Information includes the executable name, the run count, the last run time and (on Windows 8 and later) up to seven earlier run times, the volumes involved, and the files and directories referenced during launch.
Step 6: Export the Results
To export to CSV, give --csv the output directory and --csvf the file name (PECmd also writes a matching _Timeline.csv, one row per run time, next to it):
.\PECmd.exe -d C:\Windows\Prefetch\ --csv C:\Users\Profile\IR\Investigations --csvf HOSTNAME_PrefetchOutput.csv
Step 7: Analyze the CSV Output
Open the CSV in Timeline Explorer (another of Eric Zimmerman's tools) or a spreadsheet and look for execution patterns: executables launched from user-writable paths (Temp, AppData, Downloads), the same executable name appearing with two different hashes (it ran from two locations), dual-use tools, and runs that line up with the incident window. Timestamps in the output are UTC.
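The whole procedure in one script, as an added example that is not code from the original post or from PECmd itself: it runs PECmd over a collected Prefetch folder, then loads the CSV and flags the execution patterns described above. The tool and evidence paths, the host name, and the PECmd column names SourceFilename, ExecutableName, RunCount, LastRun and FilesLoaded (assumed to be a comma-separated list of paths) are assumptions; the fallback rows are constructed so the triage can be exercised without PECmd present.

```powershell
# Added example, not code from the original post or from PECmd.
# Assumed: the paths below, the column names used, and that FilesLoaded is a
# comma-separated list of the paths the program touched at launch.

$PECmdPath   = "C:\Users\Profile\IR\Tools\PECmd.exe"
$PrefetchDir = "C:\Users\Profile\IR\Evidence\HOSTNAME\Prefetch"   # collected copy, not the live folder
$OutDir      = "C:\Users\Profile\IR\Investigations"
$CsvName     = "HOSTNAME_PrefetchOutput.csv"
$OutCsv      = Join-Path $OutDir $CsvName

function Invoke-PrefetchTriage {
    # Returns one object per finding: which executable, why it was flagged, when it last ran.
    param([Parameter(Mandatory)][object[]]$Rows)

    # Locations an installed program is rarely launched from (matched against the upper-cased path).
    $userWritable = '\\USERS\\[^\\]+\\(APPDATA|DOWNLOADS|DESKTOP|DOCUMENTS)\\|\\TEMP\\|\\PUBLIC\\|\\PROGRAMDATA\\|\\PERFLOGS\\|\\\$RECYCLE\.BIN\\'
    # Dual-use tooling worth a look wherever it ran from (names without extension).
    $watchlist = 'PSEXEC','PSEXESVC','PSEXEC64','MIMIKATZ','PROCDUMP','PROCDUMP64','RCLONE','7Z','7ZA','CERTUTIL','BITSADMIN','WMIC','NLTEST','ADFIND'

    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $Rows) {
        $exe  = $r.ExecutableName.ToUpperInvariant()
        $base = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        # The executable's own path is the FilesLoaded entry whose file name equals ExecutableName.
        $ownPath = @($r.FilesLoaded -split ',\s*' | Where-Object { $_ -and [System.IO.Path]::GetFileName($_).ToUpperInvariant() -eq $exe })[0]
        $reasons = @()
        if ($ownPath -and $ownPath.ToUpperInvariant() -match $userWritable) { $reasons += "launched from user-writable path $ownPath" }
        if ($watchlist -contains $base) { $reasons += "dual-use tool on watchlist" }
        if ([int]$r.RunCount -eq 1) { $reasons += "single execution" }
        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Executable = $r.ExecutableName
                LastRun    = [datetime]$r.LastRun
                RunCount   = [int]$r.RunCount
                Source     = [System.IO.Path]::GetFileName($r.SourceFilename)
                Reasons    = $reasons -join '; '
            })
        }
    }
    return $findings | Sort-Object LastRun -Descending
}

# Step 1: parse the collected folder in one pass. --csv takes a directory and --csvf names the
# file; PECmd writes a matching _Timeline.csv next to it.
if ((Test-Path $PECmdPath) -and (Test-Path $PrefetchDir)) {
    & $PECmdPath -d $PrefetchDir --csv $OutDir --csvf $CsvName | Out-Null
}

# Step 2: load the CSV, or fall back to constructed sample rows (not real host data) so the
# triage runs without PECmd present. SVCHOST.EXE from a user's Temp folder and a PROCDUMP64
# run from Downloads that touched LSASS.EXE are the planted findings.
if (Test-Path $OutCsv) {
    $rows = Import-Csv $OutCsv
} else {
    $rows = @'
"SourceFilename","ExecutableName","RunCount","LastRun","FilesLoaded"
"HOSTNAME\BRAVE.EXE-E6B9ADB7.pf","BRAVE.EXE","42","2024-03-04 09:12:44","\VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\PROGRAM FILES\BRAVESOFTWARE\BRAVE-BROWSER\APPLICATION\BRAVE.EXE, \VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\WINDOWS\SYSTEM32\NTDLL.DLL"
"HOSTNAME\SVCHOST.EXE-1B3D2A8F.pf","SVCHOST.EXE","317","2024-03-04 08:59:10","\VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\WINDOWS\SYSTEM32\SVCHOST.EXE, \VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\WINDOWS\SYSTEM32\NTDLL.DLL"
"HOSTNAME\SVCHOST.EXE-7C4E9A01.pf","SVCHOST.EXE","1","2024-03-03 23:41:07","\VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\USERS\JSMITH\APPDATA\LOCAL\TEMP\SVCHOST.EXE, \VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\WINDOWS\SYSTEM32\NTDLL.DLL"
"HOSTNAME\PROCDUMP64.EXE-5E2F11AB.pf","PROCDUMP64.EXE","2","2024-03-03 23:44:52","\VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\USERS\JSMITH\DOWNLOADS\PROCDUMP64.EXE, \VOLUME{01d9f3a2b4c5d6e7-9a8b7c6d}\WINDOWS\SYSTEM32\LSASS.EXE"
'@ | ConvertFrom-Csv
}

# Step 3: triage, show, and keep the findings beside the full output.
$findings = Invoke-PrefetchTriage -Rows $rows
$findings | Format-Table Executable, LastRun, RunCount, Source, Reasons -AutoSize -Wrap
if (Test-Path $OutDir) {
    $findings | Export-Csv (Join-Path $OutDir "HOSTNAME_PrefetchTriage.csv") -NoTypeInformation
}
```

The path check deliberately reads the executable's own location out of FilesLoaded rather than trusting ExecutableName: the name is whatever the binary was called, the path is where it actually ran from, and a system binary name in a user profile is the signal. Tune the watchlist and the path regex to the environment; both are starting points, not a verdict.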
Additional Options
For a list of all options (for example --csvf to name the CSV, --json for JSON output, -k to highlight keywords, and --mp for higher-precision timestamps):
.\PECmd.exe --help
Using PECmd.exe on a CSV of Prefetch Names
Sometimes, when I'm conducting incident response, I only have access to CrowdStrike Real Time Response (RTR), which is more often the case than not. Depending on your permission level, you may not be allowed to run PECmd.exe through RTR or on the host itself.
In cases like this, I grab a listing of all file names in the host's Prefetch directory, pull the .pf files I care about back with RTR's get command, and parse them on my workstation. The names alone already give you the executable name and the path hash (the eight hex digits before .pf); the run count and timestamps live inside the files, so those have to be retrieved before PECmd can decode them.
To use PECmd.exe on a CSV of Prefetch file names:
Ensure your list is formatted properly, one Prefetch file path per line. Collected from the host with the one-liner below, it is a CSV with a single FullName column (note the backslash before *.pf, and select FullName as a property rather than expanding it, otherwise Export-Csv writes a Length column instead of the paths):
Get-ChildItem -Path C:\Windows\Prefetch\*.pf | Select-Object FullName | Export-Csv -Path C:\Windows\Temp\prefetch_file_names.csv -NoTypeInformation
Use a script to read each line from the CSV and pass the matching retrieved file to PECmd.exe for processing.
Example PowerShell script snippet
# Define paths
$PECmdPath         = "E:\ZurSec\Blogs\Prefetch\PECmd.exe"
$NamesCsv          = "E:\ZurSec\Blogs\Prefetch\prefetch_file_names.csv"   # the list collected on the host
$PrefetchDir       = "E:\ZurSec\Blogs\Prefetch\Collected"                 # the .pf files retrieved from the host
$OutputDir         = "E:\ZurSec\Blogs\Prefetch"
$OutputCsv         = Join-Path $OutputDir "Output.csv"
$OutputTimelineCsv = Join-Path $OutputDir "OutputTimeline.csv"
# Ensure the output directory exists
if (-not (Test-Path -Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}
# Read the list of host paths: a FullName column if it came from Export-Csv, otherwise one path per line
$hostPaths = Import-Csv $NamesCsv
if ($hostPaths -and ($hostPaths[0].PSObject.Properties.Name -contains 'FullName')) {
    $hostPaths = $hostPaths | ForEach-Object { $_.FullName }
} else {
    $hostPaths = Get-Content $NamesCsv | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -match '\.pf$' }
}
# Map each host path to the retrieved copy by file name; warn about any that were not pulled back
$prefetchFiles = foreach ($hostPath in $hostPaths) {
    $local = Join-Path $PrefetchDir ([System.IO.Path]::GetFileName($hostPath))
    if (Test-Path $local) { Get-Item $local } else { Write-Warning "Not retrieved from host: $hostPath" }
}
# Initialize the output CSVs
if (Test-Path $OutputCsv) { Remove-Item $OutputCsv }
if (Test-Path $OutputTimelineCsv) { Remove-Item $OutputTimelineCsv }
foreach ($file in $prefetchFiles) {
    & $PECmdPath -f $file.FullName --csv $OutputDir | Out-Null
    # PECmd names its output <yyyyMMddHHmmss>_PECmd_Output.csv and <yyyyMMddHHmmss>_PECmd_Output_Timeline.csv.
    # Find them by pattern instead of recomputing the timestamp, which can roll over between the call and here.
    $detailCsv   = Get-ChildItem -Path $OutputDir -Filter "*_PECmd_Output.csv" | Select-Object -First 1
    $timelineCsv = Get-ChildItem -Path $OutputDir -Filter "*_PECmd_Output_Timeline.csv" | Select-Object -First 1
    # Append the contents to the Output and OutputTimeline CSVs, keeping the header only once
    if ($detailCsv) {
        if (!(Test-Path $OutputCsv)) {
            Copy-Item $detailCsv.FullName $OutputCsv
        } else {
            Get-Content $detailCsv.FullName | Select-Object -Skip 1 | Add-Content $OutputCsv -Encoding UTF8
        }
        Remove-Item $detailCsv.FullName
    }
    if ($timelineCsv) {
        if (!(Test-Path $OutputTimelineCsv)) {
            Copy-Item $timelineCsv.FullName $OutputTimelineCsv
        } else {
            Get-Content $timelineCsv.FullName | Select-Object -Skip 1 | Add-Content $OutputTimelineCsv -Encoding UTF8
        }
        Remove-Item $timelineCsv.FullName
    }
}
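Before any .pf file has been retrieved, the listing of names is itself worth a pass. Each name is EXECUTABLE-XXXXXXXX.pf, where the eight hex digits are a hash of the executable's full path, so one executable name with several hashes means it was run from several locations. The following is an added example, not code from the original post: it parses the collected list, groups by executable name, and reports whether the directory is at the Windows cap. The path to the names CSV and its FullName column are assumptions, and the fallback listing is constructed.

```powershell
# Added example, not code from the original post. Works on the list of names alone.
# Assumed: the list has a FullName column (as written by Export-Csv) or one path per line;
# the sample listing below is constructed for the demonstration.

$NamesCsv = "E:\ZurSec\Blogs\Prefetch\prefetch_file_names.csv"

function Get-PrefetchNameTriage {
    # Parses <EXECUTABLE>-<8 hex digits>.pf names and reports what can be judged from names alone.
    param([Parameter(Mandatory)][string[]]$Paths)

    $parsed = foreach ($p in $Paths) {
        $leaf = [System.IO.Path]::GetFileName($p.Trim().Trim('"'))
        if ($leaf -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})\.pf$') {
            [pscustomobject]@{
                Executable = $Matches.exe.ToUpperInvariant()
                Hash       = $Matches.hash.ToUpperInvariant()
                Name       = $leaf
            }
        } elseif ($leaf) {
            # Anything else in the folder is not a prefetch file Windows wrote; note it rather than drop it silently.
            Write-Warning "Name does not follow the prefetch pattern: $leaf"
        }
    }

    $findings = [System.Collections.Generic.List[object]]::new()
    # The hash covers the full path, so one name with several hashes ran from several locations.
    # For a system binary name (SVCHOST, RUNDLL32, EXPLORER) that is the first thing to chase.
    foreach ($g in ($parsed | Group-Object Executable | Where-Object { $_.Count -gt 1 })) {
        $findings.Add([pscustomobject]@{
            Executable = $g.Name
            Reason     = "ran from $($g.Count) different paths"
            Files      = ($g.Group | ForEach-Object Name) -join ', '
        })
    }
    [pscustomobject]@{
        Total    = @($parsed).Count
        # Windows 8 and later keep at most 1024 .pf files (128 on Windows 7). At the cap, older
        # entries have already been evicted, so the absence of a name proves nothing.
        AtCap    = (@($parsed).Count -ge 1024)
        Findings = $findings
    }
}

if (Test-Path $NamesCsv) {
    $paths = Import-Csv $NamesCsv | ForEach-Object { $_.FullName }
} else {
    # Constructed sample listing (not from a real host): SVCHOST.EXE appears with two hashes.
    $paths = @(
        'C:\Windows\Prefetch\BRAVE.EXE-E6B9ADB7.pf',
        'C:\Windows\Prefetch\SVCHOST.EXE-1B3D2A8F.pf',
        'C:\Windows\Prefetch\SVCHOST.EXE-7C4E9A01.pf',
        'C:\Windows\Prefetch\PROCDUMP64.EXE-5E2F11AB.pf',
        'C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf'
    )
}
$triage = Get-PrefetchNameTriage -Paths $paths
"Names parsed: $($triage.Total) (at the 1024 cap: $($triage.AtCap))"
$triage.Findings | Format-Table -AutoSize
```

Use the Files column of each finding as the retrieval list for RTR: those are the .pf files whose contents (run count, timestamps, and the actual path in FilesLoaded) will settle which copy is the legitimate one.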