I am currently taking the Windows Prefetch class in the Surviving Digital Forensics training series presented by Sumuri.
The class has recently been updated to include the format change of the prefetch files in Windows 10. In addition this weeks episode of the Surviving Digital Forensics podcast talks about the format change of the prefetch files but also talks about NirSoft WinPrefetchView version 1.35 application that can be utilized to decode and analyze Windows 10 prefetch files.
The Windows 10 prefetch files are compressed with the Xpress Huffman algorithm and many previously used free or low cost tools have not been updated to decompress the Windows 10 prefetch files. WinPrefetchView on the other hand has been updated to analyze the Windows 10 prefetch files.
The SDF podcast episode points out that the WinPrefetchView tool needs to be run from a Windows 8 or Windows 10 workstation to make use of the Xpress Huffman algorithm to analyze the prefetch files.
WinPrefetchView defaults to the prefetch location of the workstation it is being run on. Clicking on Option > Advanced Options will open a dialog box where the path to the prefetch folder of the suspect workstation has been saved.
The information can be analyzed within the application or it can be exported in a few different formats. The option to create a report for all items or only selected items is availble in either CSV or HTML.
The last run times of the application are listed within a single column and having these dates and times listed in invidiual columns would be extremely helpful; especially in the CSV report format so that the run times could be sorted. However, this slight formatting change can be manually obtained using Microsoft Excel or some other spreadsheet program that supports CSV data.
Nirsoft’s WinPrefetchView appears to be a well build, lightweight, gui application that can be used to quickly analyze Windows prefetch information and is available at no cost from NirSoft.
This tool will get plenty of use as I work my way through the Surviving Digital Forensics training on Windows Prefetch and a full review of the SDF class will be coming up in a future post. You can find more information on the Surviving Digital Forensics training over at the Sumuri website. More information on the Windows Prefetch class specifically can be found Here.
The NirSoft WinPrefetchView software can be found at Here.