Surviving Digital Forensics: Windows Prefetch

Helping you sharpen your computer forensic skills to prove file use and knowledge.
4.6 (25 ratings)
Instead of using a simple lifetime average, Udemy calculates a
course's star rating by considering a number of different factors
such as the number of ratings, the age of ratings, and the
likelihood of fraudulent ratings.
218 students enrolled
Take This Course
  • Lectures 21
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion
Wishlisted Wishlist

How taking a course works


Find online courses made by experts from around the world.


Take your courses with you and learn anywhere, anytime.


Learn and practice real-world skills and achieve your goals.

About This Course

Published 12/2014 English

Course Description

All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge - all in about one hour.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the Windows Prefetch and an understanding of how it works. Then we will get into a number of validation exercises to see how user activity really affects Windows Prefetch data. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows Prefetch but you will learn a method you can use to answer questions that may come up in the future.

Class Outline

1. Introduction and Welcome to the SDF series

2. What this class is all about

3. How to get the most of this class

4. What is the Windows Prefetch?

5. About ".pf" files

6. "Open State" issues and other exclusions

7. Prefetch Registry Setting

8. Set up for the practicals

9. Validation Exercise: Running a program for the first time

10. Validation Exercise: Last run time

11. Validation Exercise: Flushing out rogue applications

12. Validation Exercise: Running a program from a USB device

13. Validation Exercise: Proving file use and knowledge

14. Setting up for the student practical

15. Student Practical

16. Windows 7 versus Windows 8

17. Final thoughts about the Prefetch

18. Thank you!

19 How to get your Udemy certificate

A PC running Windows 7 or Windows 8+ is required for this course. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.

What are the requirements?

  • Windows 7 or Windows 8 system required
  • All in-class forensic programs are freely available and downloads provided
  • Student testing and validation material provided

What am I going to get from this course?

  • Use Windows Prefetch data to help prove file use and knowledge

Who is the target audience?

  • Computer forensic analysts
  • IT Professionals
  • Students

What you get with this course?

Not for you? No problem.
30 day money back guarantee.

Forever yours.
Lifetime access.

Learn on the go.
Desktop, iOS and Android.

Get rewarded.
Certificate of completion.


Section 1: Introduction

Welcome to SDF! This is the second part of the "Proving File Use & Knowledge" series that I am doing. If you are looking to sharpen your computer forensics skills then you are in the right place.


In this module I give you a brief overview of what we will be doing.


These are some training tips I give all my online students and they are based on feedback I have received as well as my own experience as a student.

Section 2: Understanding Windows Prefetch

It is important to understand the artifact we are working with. This module details what the Windows Prefetch is and how we can use it as computer forensic examiners. Included in this section is a PDF file with some survival tips.


In this module we will take a closer look at a Prefetch file, or a ",pf" file.


File headers do change along with the version of Windows OS you are running. Here is some more details to help you figure out the signature you are looking for.


Understanding how the Windows Prefetch behaves is another important factor. This module talks about some things you need to always be mindful of when using Prefetch data as evidence.


Sometimes you do no see what you expect during a Prefetch analysis. If so, my first step is to check out the Windows Registry key in order to see if the Prefetch is turned on for the system. This module shows you where to look at what to look for to accomplish this.

Section 3: Working with the Windows Prefetch

In this section we get our test system ready for the upcoming practicals.


This is the introduction practical and the beginning of our Prefetch validation exercises.


Next up is more validation and looking at multiple launches of our test application.


Windows Prefetch can be used to identify malware being run from non-standard locations. In this exercise we will take a closer look.


Make sure you do this validation exercise. I have seen different results in Windows Prefetch behavior when applications are run from an attached USB device. I test three applications in this exercise and go over the results. I suggest you do the same.


Sometimes you get file name data caught up in Prefetch File data. This often includes the file's path which leads directly back to a user account. In this exercise we will see it first hand.


So far we have been using WinPrefetchView on a live system. You can use it to analyze exported Prefetch folders from target systems too and that is exactly what you will be doing in the next student practical. I will go through the set up process.


In this practical you are working with the Prefetch files provided in the last module. Look ahead to the Student Practical Questions and answer them using WInPrefetchView and what you have learned about interpreting Windows Prefetch data.

Student Practical Questions
7 questions

There is a difference in the evidence you can gather from a Windows 7 system and a Windows 8 system. At this time I can only show you the difference (via a pay tool) because I am still searching for a low cost/ no cost solutions. At this point be advised of the difference and I will update this section as soon as I find a solution.

Section 4: Solid State Drives and Windows PreFetch and SuperFetch Evidence
3 pages

Solid State Drives (SSDs) affect PreFetch and SuperFetch evidence. So, depending on the evidence you are working with you may or may not have any artifacts. In this section I show you how to determine if the PreFetch or SuperFetch is enabled on a Live system as well as where this information is located on an image file of the system.

Section 5: Conclusion
Final Thoughts about the Prefetch

Thanks for joining me in another edition of the SDF series. I hope you enjoyed the class!

Check out other classes of the SDF series at

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at

Check out our Youtube channel

By the way, music "sax rock & roll" by Kevin MacLeod - incompetech (dot) com

How to get your Udemy Certificate

Students Who Viewed This Course Also Viewed

  • Loading
  • Loading
  • Loading

Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.

Ready to start learning?
Take This Course