The OS loads key pieces of data and code from disk into memory before they are actually needed.
Prefetch Investigation FAQ:
When should you grab the prefetch files?
You can grab them before performing incident response, as the prefetch directory is populated after an application is executed. The contents of the files are pretty volatile.
How can you use it in an investigation?
Analysis of prefetch files is common in investigations; they hold a wealth of information.
* It contains:
- the number of times an application has been executed,
- the original path of execution,
- the last time of execution.
Here is what we can glean from prefetch:
- When was a malicious file executed?
- Where was it launched from?
- How many times has it been run?
- What DLLs were used by the malicious code?
- What were the name and location of the malicious file (even if it has since been deleted)?
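A minimal parser for exactly the fields listed above, added here as an example that is not part of the original FAQ: it reads an uncompressed Windows 7 (v23) or Windows 8.1 (v26) prefetch file and extracts the executable name, the .pf file name (name plus path hash), the run count, the last run timestamps and the list of loaded files (the DLLs and the original EXE path). Windows 10 and later wrap the file in LZXPRESS compression (MAM header) and must be decompressed first. The sample bytes are constructed, not a real capture, and the field offsets are this example's assumption about the format.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
# Field offsets for uncompressed v23 (Windows 7) and v26 (Windows 8.1) files; an
# assumption of this example, check them against a format reference (e.g. libscca docs).
LAYOUT = {23: {"runs": 1, "count": 152}, 26: {"runs": 8, "count": 208}}

def filetime_to_dt(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_prefetch(data):
    """Pull the investigation-relevant fields out of a raw prefetch file."""
    if data[:3] == b"MAM":   # Windows 10+ wraps the file in LZXPRESS compression
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch: version={version} sig={sig!r}")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    names_off, names_size = struct.unpack_from("<II", data, 100)
    lay = LAYOUT[version]
    times = struct.unpack_from(f"<{lay['runs']}Q", data, 128)
    run_count = struct.unpack_from("<I", data, lay["count"])[0]
    names = data[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "exe": exe,
        "prefetch_name": f"{exe}-{pf_hash:08X}.pf",   # name of the .pf file itself
        "run_count": run_count,
        "last_runs": [filetime_to_dt(t) for t in times if t],
        "loaded_files": [n for n in names.split("\x00") if n],   # DLLs and the EXE
    }

def build_sample_prefetch():
    """Constructed v26 sample (not a real capture) holding only the fields above."""
    vol = "\\VOLUME{0000000000000000-deadbeef}"   # placeholder volume reference
    files = [f"{vol}\\WINDOWS\\SYSTEM32\\NTDLL.DLL", f"{vol}\\USERS\\BOB\\DOWNLOADS\\UPDATER.EXE"]
    names = "\x00".join(files).encode("utf-16-le") + b"\x00\x00"
    info = bytearray(224)                                   # v26 file-information block
    struct.pack_into("<II", info, 16, 308, len(names))      # filename strings offset/size
    last = int((datetime(2024, 3, 5, 14, 7, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<8Q", info, 44, last, last - 36_000_000_000, 0, 0, 0, 0, 0, 0)  # 2 runs, 1 h apart
    struct.pack_into("<I", info, 124, 3)                    # run count
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, 308 + len(names))
    header += "UPDATER.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x7A4B1C3D, 0)             # prefetch hash, flags
    return header + bytes(info) + names
```

Call `parse_prefetch(open(path, "rb").read())` on a collected .pf file, or `parse_prefetch(build_sample_prefetch())` to see the constructed sample decoded.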