Analyzing Prefetch Files for Execution History

When to Use

- When determining which programs were executed on a Windows system and when
- During malware investigations to confirm execution of suspicious binaries
- For establishing a timeline of application usage during an incident
- When correlating program execution with other forensic artifacts
- To identify anti-forensic tools or unauthorized software that was run

Prerequisites

- Access to Windows Prefetch directory (C:\Windows\Prefetch\) from forensic image
- PECmd (Eric Zimmerman), WinPrefetchView, or python-prefetch parser
- Understandi…