Info

PrefetchForensics is an application to extract information from Windows Prefetch files. Prefetch files can obviously provide useful information in a forensic investigation like the date the application was last run and the number of times the application has run.

The file format is relatively straight forward, although there are different binary formats between XP and Vista. PrefetchForensics will parse all prefetch files in a given directory, calculate the hash value using the determine algorithm, which should be the same value that is appended to the file name. The algorithm that generates the hash value is again different between XP and Vista.

Features

• Exports to CSV
• Exports to HTML
• Extracts the Number Times Run value and Last Ran Date/Time

Screenshot