Buying for a Team? Gift This Course
Wishlisted Wishlist

Please confirm that you want to add Surviving Digital Forensics: Windows Prefetch to your Wishlist.

Add to Wishlist

Surviving Digital Forensics: Windows Prefetch

Helping you sharpen your computer forensic skills to prove file use and knowledge.
4.6 (25 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
219 students enrolled
Last updated 5/2015
30-Day Money-Back Guarantee
  • 1 hour on-demand video
  • 3 Articles
  • 1 Supplemental Resource
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
Have a coupon?
What Will I Learn?
Use Windows Prefetch data to help prove file use and knowledge
View Curriculum
  • Windows 7 or Windows 8 system required
  • All in-class forensic programs are freely available and downloads provided
  • Student testing and validation material provided

All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge - all in about one hour.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of the Windows Prefetch and an understanding of how it works. Then we will get into a number of validation exercises to see how user activity really affects Windows Prefetch data. Learning is hands on and we will use low cost and no cost computer forensic tools to do so.

Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows Prefetch but you will learn a method you can use to answer questions that may come up in the future.

Class Outline

1. Introduction and Welcome to the SDF series

2. What this class is all about

3. How to get the most of this class

4. What is the Windows Prefetch?

5. About ".pf" files

6. "Open State" issues and other exclusions

7. Prefetch Registry Setting

8. Set up for the practicals

9. Validation Exercise: Running a program for the first time

10. Validation Exercise: Last run time

11. Validation Exercise: Flushing out rogue applications

12. Validation Exercise: Running a program from a USB device

13. Validation Exercise: Proving file use and knowledge

14. Setting up for the student practical

15. Student Practical

16. Windows 7 versus Windows 8

17. Final thoughts about the Prefetch

18. Thank you!

19 How to get your Udemy certificate

A PC running Windows 7 or Windows 8+ is required for this course. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.

Who is the target audience?
  • Computer forensic analysts
  • IT Professionals
  • Students
Students Who Viewed This Course Also Viewed
Curriculum For This Course
Expand All 21 Lectures Collapse All 21 Lectures 01:01:59
3 Lectures 11:51

Welcome to SDF! This is the second part of the "Proving File Use & Knowledge" series that I am doing. If you are looking to sharpen your computer forensics skills then you are in the right place.

Preview 05:15

In this module I give you a brief overview of what we will be doing.

Preview 03:59

These are some training tips I give all my online students and they are based on feedback I have received as well as my own experience as a student.

Preview 02:37
Understanding Windows Prefetch
5 Lectures 17:57

It is important to understand the artifact we are working with. This module details what the Windows Prefetch is and how we can use it as computer forensic examiners. Included in this section is a PDF file with some survival tips.

What is the Windows Prefetch?

In this module we will take a closer look at a Prefetch file, or a ",pf" file.

About .PF files

File headers do change along with the version of Windows OS you are running. Here is some more details to help you figure out the signature you are looking for.

More about Prefetch File Headers

Understanding how the Windows Prefetch behaves is another important factor. This module talks about some things you need to always be mindful of when using Prefetch data as evidence.

Open State Issues and Exclusions

Sometimes you do no see what you expect during a Prefetch analysis. If so, my first step is to check out the Windows Registry key in order to see if the Prefetch is turned on for the system. This module shows you where to look at what to look for to accomplish this.

Prefetch Registry Setting
Working with the Windows Prefetch
9 Lectures 22:26

In this section we get our test system ready for the upcoming practicals.

Set Up for the practicals

This is the introduction practical and the beginning of our Prefetch validation exercises.

Validation Exercise: Running a program for the first time

Next up is more validation and looking at multiple launches of our test application.

Validation Exercise: Last Run Time

Windows Prefetch can be used to identify malware being run from non-standard locations. In this exercise we will take a closer look.

Validation Exercise: Flushing out rogue applications

Make sure you do this validation exercise. I have seen different results in Windows Prefetch behavior when applications are run from an attached USB device. I test three applications in this exercise and go over the results. I suggest you do the same.

Validation Exercise: Running a program from a USB device

Sometimes you get file name data caught up in Prefetch File data. This often includes the file's path which leads directly back to a user account. In this exercise we will see it first hand.

Validation Exercise: Proving file use & knowledge

So far we have been using WinPrefetchView on a live system. You can use it to analyze exported Prefetch folders from target systems too and that is exactly what you will be doing in the next student practical. I will go through the set up process.

Setting up the Student Practical

In this practical you are working with the Prefetch files provided in the last module. Look ahead to the Student Practical Questions and answer them using WInPrefetchView and what you have learned about interpreting Windows Prefetch data.

Student Practical

Student Practical Questions
7 questions

There is a difference in the evidence you can gather from a Windows 7 system and a Windows 8 system. At this time I can only show you the difference (via a pay tool) because I am still searching for a low cost/ no cost solutions. At this point be advised of the difference and I will update this section as soon as I find a solution.

Windows 7 versus Windows 8
Solid State Drives and Windows PreFetch and SuperFetch Evidence
1 Lecture 00:00

Solid State Drives (SSDs) affect PreFetch and SuperFetch evidence. So, depending on the evidence you are working with you may or may not have any artifacts. In this section I show you how to determine if the PreFetch or SuperFetch is enabled on a Live system as well as where this information is located on an image file of the system.

Solid State Drives and PreFetch and SuperFetch Evidence
3 pages
3 Lectures 06:42
Final Thoughts about the Prefetch

Thanks for joining me in another edition of the SDF series. I hope you enjoyed the class!

Check out other classes of the SDF series at

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at

Check out our Youtube channel

By the way, music "sax rock & roll" by Kevin MacLeod - incompetech (dot) com

Thank you!

How to get your Udemy Certificate
About the Instructor
4.1 Average rating
289 Reviews
2,245 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.

Report Abuse