During our forensics investigations regarding Microsoft Windows operating systems, extracting information from the several Prefetch files can be pretty useful in many cases. Indeed, these files contain, amongst other values, the last time the program was launched, a counter of how many times it has been used, the full path where the EXE file was, etc.
Unfortunately, the best tool we have found so far is pf from TZWorks LLC but it is closed-source. And even if there are some documentations on the Internet about those files, they were either incomplete or we found mistakes in them. All things together lead us to implement an opensource parser in Python for those files.
Today we are releasing our tool and this blog post is going to describe the Prefetch file format in details.