Parse Windows 10 Prefetch Files with Python3!
Prefetcher uses libscca to parse Windows prefetch files. PECmd is a common Windows executable that performs similar functions; I wanted to make an equivalent for Linux OSs, with inspiration from w10pf_parser.py!
Prefetcher can pull the following information from prefetch files:
- Executable Name
- Run Count
- Run Times (up to the last 8 run times; see Forensic Value of Prefetch)
- Number of Files Referenced
- Number of Volumes
- List of Referenced Files
- List of Volumes
- Volume Information
The parsed information can be used for threat hunting, triage, forensic investigations, or incident response!
```bash
git clone https://github.com/ajread4/prefetcher.git
cd prefetcher
pip3 install -r requirements.txt
```
```
$ python3 prefetcher.py -h
usage: prefetcher.py [-h] [-f prefetch_file] [-d prefetch_directory] [-j]

Prefetcher - Parse Windows 10 Prefetch Files

options:
  -h, --help            show this help message and exit
  -f prefetch_file, --file prefetch_file
                        prefetch file to analyze
  -d prefetch_directory, --directory prefetch_directory
                        directory of prefetch files to analyze
  -j, --json            output results to json
```
- Analyze a prefetch file and return run times, referenced files, and volumes.
```
$ python3 prefetcher.py -f SCHTASKS.EXE-DC1676CD.pf
Analyzing: SCHTASKS.EXE-DC1676CD.pf
Executable Name: SCHTASKS.EXE
Run Count: 3
Run Time: 2024-05-21 03:10:43.220383
Run Time: 2024-05-21 03:10:43.142639
Run Time: 2024-05-21 03:10:43.095917
Total Number of Files: 31
Total Number of Volumes: 1
Files Referenced
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\NTDLL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WOW64.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WOW64WIN.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNEL32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\KERNEL32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\USER32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WOW64CPU.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\NTDLL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\SCHTASKS.EXE
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\KERNELBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\LOCALE.NLS
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\MSVCRT.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\OLEAUT32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\MSVCP_WIN.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\UCRTBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\COMBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\RPCRT4.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\OLE32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\EN-US\SCHTASKS.EXE.MUI
\VOLUME{01d951602330db46-52233816}\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\KERNEL.APPCORE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\SECHOST.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\BCRYPT.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\CLBCATQ.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\REGISTRATION\R000000000006.CLB
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\TASKSCHD.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSWOW64\SSPICLI.DLL
\VOLUME{01d951602330db46-52233816}\PROGRAM FILES\RUXIM\PLUGSCHEDULER.XML
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\EN-US\KERNELBASE.DLL.MUI
\VOLUME{01d951602330db46-52233816}\$MFT
Volume Information
\VOLUME{01d951602330db46-52233816}
```
- Analyze a directory of multiple prefetch files.
```
$ python3 prefetcher.py -d /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/
Analyzing Directory: /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/
Analyzing: /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/DLLHOST.EXE-7617EDA2.pf
Executable Name: DLLHOST.EXE
Run Count: 2
Run Time: 2024-04-26 10:11:12.841024
Run Time: 2024-03-26 23:25:41.108135
Total Number of Files: 4
Total Number of Volumes: 1
Files Referenced
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\NTDLL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\DLLHOST.EXE
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNEL32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNELBASE.DLL
Volume Information
\VOLUME{01d951602330db46-52233816}
--------------------------------------------------------------------------------
Analyzing: /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/MSDT.EXE-D579957D.pf
Executable Name: MSDT.EXE
Run Count: 1
Run Time: 2023-05-02 14:17:47.074418
Total Number of Files: 14
Total Number of Volumes: 1
Files Referenced
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\NTDLL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\MSDT.EXE
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNEL32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNELBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\LOCALE.NLS
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\ADVAPI32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\MSVCRT.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\SECHOST.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\RPCRT4.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\USER32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WIN32U.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\GDI32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\GDI32FULL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\MSVCP_WIN.DLL
Volume Information
\VOLUME{01d951602330db46-52233816}
--------------------------------------------------------------------------------
Analyzing: /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/SVCHOST.EXE-73D024B2.pf
Executable Name: SVCHOST.EXE
Run Count: 4
Run Time: 2024-05-21 03:10:58.908235
Run Time: 2024-05-14 03:25:44.144453
Run Time: 2024-04-26 10:17:27.679007
Run Time: 2024-03-26 23:02:34.967828
Total Number of Files: 31
Total Number of Volumes: 1
Files Referenced
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\NTDLL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\SVCHOST.EXE
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNEL32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNELBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\LOCALE.NLS
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\SECHOST.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\RPCRT4.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\UCRTBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\BCRYPT.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\COMBASE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\RPCSS.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\KERNEL.APPCORE.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\MSVCRT.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\BCRYPTPRIMITIVES.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\USER32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WIN32U.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\GDI32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\GDI32FULL.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\MSVCP_WIN.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\EN-US\SVCHOST.EXE.MUI
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\CLIPSVC.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WEBSERVICES.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WLDP.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\ADVAPI32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\OLEAUT32.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\OLE32.DLL
\VOLUME{01d951602330db46-52233816}\$MFT
\VOLUME{01d951602330db46-52233816}\PROGRAMDATA\MICROSOFT\WINDOWS\CLIPSVC\TOKENS.DAT
\VOLUME{01d951602330db46-52233816}\WINDOWS\SYSTEM32\WINBRAND.DLL
\VOLUME{01d951602330db46-52233816}\WINDOWS\BRANDING\BASEBRD\BASEBRD.DLL
\VOLUME{01d951602330db46-52233816}\PROGRAMDATA\REGID.1991-06.COM.MICROSOFT\REGID.1991-06.COM.MICROSOFT_WINDOWS-10-PRO-N.SWIDTAG
Volume Information
\VOLUME{01d951602330db46-52233816}
--------------------------------------------------------------------------------
```
- Analyze a prefetch file and output to JSON, beautify with jq.
```
$ python3 prefetcher.py -f /home/ajread/research//Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/SPPSVC.EXE-96070FE0.pf -j | jq
{
  "filename": "/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/SPPSVC.EXE-96070FE0.pf",
  "executable_name": "SPPSVC.EXE",
  "run_times": {
    "Run 1": "2024-05-21 03:16:50.753964",
    "Run 2": "2024-05-21 03:13:38.711712",
    "Run 3": "2024-05-14 03:23:11.524263",
    "Run 4": "2024-05-14 03:12:46.354052",
    "Run 5": "2024-04-26 10:17:40.744764",
    "Run 6": "2024-04-26 10:09:36.816612",
    "Run 7": "2024-03-26 23:25:40.748713",
    "Run 8": "2024-03-26 23:17:46.482938"
  },
  "num_files": 43,
  "files": {
    "File 1": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "File 2": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPPSVC.EXE",
    "File 3": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "File 4": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL",
    "File 5": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\LOCALE.NLS",
    "File 6": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
    "File 7": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\MSVCRT.DLL",
    "File 8": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\RPCRT4.DLL",
    "File 9": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\COMBASE.DLL",
    "File 10": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\BCRYPT.DLL",
    "File 11": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\CRYPT32.DLL",
    "File 12": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\CRYPTXML.DLL",
    "File 13": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\OLE32.DLL",
    "File 14": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL",
    "File 15": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\XMLLITE.DLL",
    "File 16": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\PKEYHELPER.DLL",
    "File 17": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SECHOST.DLL",
    "File 18": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\UCRTBASE.DLL",
    "File 19": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\WEBSERVICES.DLL",
    "File 20": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\GDI32.DLL",
    "File 21": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\USER32.DLL",
    "File 22": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\MSVCP_WIN.DLL",
    "File 23": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\WIN32U.DLL",
    "File 24": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\GDI32FULL.DLL",
    "File 25": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\EN-US\\SPPSVC.EXE.MUI",
    "File 26": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\RPCSS.DLL",
    "File 27": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL",
    "File 28": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL",
    "File 29": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\CRYPTSP.DLL",
    "File 30": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\RSAENH.DLL",
    "File 31": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS",
    "File 32": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL",
    "File 33": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPP\\STORE\\2.0\\DATA.DAT",
    "File 34": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPP\\PLUGIN-MANIFESTS-SIGNED\\SPPWINOB-SPP-PLUGIN-MANIFEST-SIGNED.XRM-MS",
    "File 35": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPPWINOB.DLL",
    "File 36": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\DSROLE.DLL",
    "File 37": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\CLIPC.DLL",
    "File 38": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPP\\PLUGIN-MANIFESTS-SIGNED\\SPPOBJS-SPP-PLUGIN-MANIFEST-SIGNED.XRM-MS",
    "File 39": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPPOBJS.DLL",
    "File 40": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\NETAPI32.DLL",
    "File 41": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPP\\STORE\\2.0\\CACHE\\CACHE.DAT",
    "File 42": "\\VOLUME{01d951602330db46-52233816}\\WINDOWS\\SYSTEM32\\SPP\\STORE\\2.0\\TOKENS.DAT",
    "File 43": "\\VOLUME{01d951602330db46-52233816}\\$MFT"
  },
  "num_volumes": 1,
  "volume_information": {
    "Volume 1": "\\VOLUME{01d951602330db46-52233816}"
  }
}
```
- Analyze a directory and output filenames and run times with jq.
```
$ python3 prefetcher.py -d /home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/ -j | jq .filename,.run_times
"/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/RUNTIMEBROKER.EXE-5A3B22F7.pf"
{
  "Run 1": "2024-05-21 03:15:43.204075"
}
"/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/CONHOST.EXE-0C6456FB.pf"
{
  "Run 1": "2024-05-21 03:16:00.245528",
  "Run 2": "2024-05-21 03:10:41.751760",
  "Run 3": "2024-05-21 03:10:41.751760",
  "Run 4": "2024-05-14 03:40:14.932390",
  "Run 5": "2024-05-14 03:40:16.557475",
  "Run 6": "2024-05-14 03:40:16.525716",
  "Run 7": "2024-05-14 03:40:16.463360",
  "Run 8": "2024-05-14 03:40:16.432116"
}
"/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/SVCHOST.EXE-8F09AACB.pf"
{
  "Run 1": "2024-04-26 10:17:30.415057"
}
"/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/SVCHOST.EXE-59D511F9.pf"
{
  "Run 1": "2024-04-26 10:17:30.399101"
}
"/home/ajread/research/Triage/Workstation/2024-05-21T033012_triage_asset/C/Windows/prefetch/IDENTITY_HELPER.EXE-12341E99.pf"
{
  "Run 1": "2024-04-26 10:09:46.918062"
}
```
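The JSON mode is the natural hand-off to further triage. The Python below is an added example and is not part of the prefetcher project: it reads the stream of JSON objects that `-d ... -j` prints (one object per prefetch file, as the jq output above shows), orders every run time from every file into a single timeline, identifies the directory each executable ran from by matching `executable_name` against the referenced files (for the SCHTASKS example above that is `\WINDOWS\SYSWOW64`), and runs a case-insensitive keyword search over referenced files. The record layout (`filename`, `executable_name`, `run_times`, `files`, `volume_information`) is the one shown in this README; the two embedded sample records are constructed from trimmed copies of the output above, and the `/evidence/...` paths are placeholders.

```python
"""Triage helpers for the JSON that `prefetcher.py -j` emits.

Added example, not part of the prefetcher project. The record layout follows
the README's JSON; the helper names and the sample data are this example's own.
"""
import json
import re
from datetime import datetime

# Constructed sample input: two records as `prefetcher.py -d <dir> -j` prints them,
# one JSON object after another (not a JSON array), trimmed to a few files each.
# Volume id and file paths are copied from the README output; /evidence is a placeholder.
VOL = r"\VOLUME{01d951602330db46-52233816}"
SAMPLE_STREAM = json.dumps({
    "filename": "/evidence/C/Windows/prefetch/SCHTASKS.EXE-DC1676CD.pf",
    "executable_name": "SCHTASKS.EXE",
    "run_times": {"Run 1": "2024-05-21 03:10:43.220383",
                  "Run 2": "2024-05-21 03:10:43.142639",
                  "Run 3": "2024-05-21 03:10:43.095917"},
    "num_files": 4,
    "files": {"File 1": VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL",
              "File 2": VOL + r"\WINDOWS\SYSWOW64\SCHTASKS.EXE",
              "File 3": VOL + r"\PROGRAM FILES\RUXIM\PLUGSCHEDULER.XML",
              "File 4": VOL + r"\$MFT"},
    "num_volumes": 1,
    "volume_information": {"Volume 1": VOL},
}, indent=2) + "\n" + json.dumps({
    "filename": "/evidence/C/Windows/prefetch/DLLHOST.EXE-7617EDA2.pf",
    "executable_name": "DLLHOST.EXE",
    "run_times": {"Run 1": "2024-04-26 10:11:12.841024",
                  "Run 2": "2024-03-26 23:25:41.108135"},
    "num_files": 2,
    "files": {"File 1": VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL",
              "File 2": VOL + r"\WINDOWS\SYSTEM32\DLLHOST.EXE"},
    "num_volumes": 1,
    "volume_information": {"Volume 1": VOL},
}, indent=2) + "\n"

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"          # format used in the README output
_VOLUME_PREFIX = re.compile(r"^\\VOLUME\{[^}]*\}")


def iter_json_objects(text):
    """Yield each top-level object from a concatenated JSON stream (what jq reads).
    json.loads() would reject the stream; raw_decode() consumes one object at a time."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def _numbered(mapping):
    """Order "Run 1"/"File 1" style keys numerically ("File 10" sorts after "File 9")."""
    return [mapping[k] for k in sorted(mapping, key=lambda k: int(k.rsplit(" ", 1)[1]))]


def parse_record(obj):
    """Normalise one prefetcher record into plain Python values."""
    return {
        "prefetch": obj["filename"],
        "exe": obj["executable_name"],
        "runs": sorted(datetime.strptime(t, TIME_FMT) for t in obj["run_times"].values()),
        "files": _numbered(obj["files"]),
        "volumes": _numbered(obj["volume_information"]),
    }


def load_records(text):
    return [parse_record(o) for o in iter_json_objects(text)]


def executable_directory(record):
    """Directory identification: find the referenced file whose name equals the
    executable and return its directory without the \\VOLUME{...} prefix (None if absent)."""
    for path in record["files"]:
        directory, _, name = path.rpartition("\\")
        if name.upper() == record["exe"].upper():
            return _VOLUME_PREFIX.sub("", directory)
    return None


def build_timeline(records):
    """Every run time across all records as (timestamp, executable, prefetch file), oldest first."""
    return sorted((t, r["exe"], r["prefetch"]) for r in records for t in r["runs"])


def keyword_search(records, keyword):
    """Case-insensitive substring search over referenced files; returns (executable, path) pairs."""
    needle = keyword.upper()
    return [(r["exe"], p) for r in records for p in r["files"] if needle in p.upper()]


if __name__ == "__main__":
    recs = load_records(SAMPLE_STREAM)
    for ts, exe, pf in build_timeline(recs):
        print(ts, exe, pf)
    for r in recs:
        print(r["exe"], "ran from", executable_directory(r))
    for exe, path in keyword_search(recs, "ruxim"):
        print(exe, "referenced", path)
```

To use it on real output, pipe `python3 prefetcher.py -d <prefetch dir> -j` into a file and pass that file's contents to `load_records` instead of `SAMPLE_STREAM`. Sorting the `Run N` and `File N` keys numerically matters because a lexical sort would place "File 10" before "File 2" and scramble the order prefetcher recorded.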
More capabilities are set to be added in the future to include:
- Keyword searching
- Directory identification
- Suspicious name detection
- Much more!
The code for Prefetcher was written by me, AJ Read, with inspiration from w10pf_parser.py.
- Twitter: ajread3
- Github: ajread4
- LinkedIn: Austin Read