Prefetch, AmCache, ShimCache in Windows
One of the most important artifacts in digital forensics
Refs
https://www.youtube.com/watch?v=f4RAtR_3zcs&ab_channel=13Cubed (Deep Dive on prefetch)
Make use of Prefetch
Prefetch is a piece of software made by Microsoft to improve the user experience (UX), but it is also used in the DFIR field because of the information it provides.
Prefetch provides you with the time the file was executed, created, modified, and deleted, and also how many times it was executed.
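Added example (not part of the original notes): a Python reader for the uncompressed SCCA Prefetch layout that extracts the executable name, path hash, run count and last-run times. It assumes the publicly documented offsets for format versions 17, 23 and 26 only; `parse_prefetch`, `build_sample` and the sample buffer are constructed here for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run FILETIME offset, stored run times, run-count offset) per format
# version, taken from public documentation of the SCCA layout (assumption).
LAYOUT = {17: (0x78, 1, 0x90),   # Windows XP / 2003
          23: (0x80, 1, 0x98),   # Windows Vista / 7
          26: (0x80, 8, 0xD0)}   # Windows 8 / 8.1

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, path hash, run count and last-run times."""
    if data[:3] == b"MAM":
        # Windows 10+ stores .pf files compressed; they must be decompressed
        # first, and the newer layouts are outside this example's scope.
        raise ValueError("MAM-compressed prefetch file: decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    time_off, time_slots, count_off = LAYOUT[version]
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 16.
    name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    raw_times = struct.unpack_from(f"<{time_slots}Q", data, time_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {"version": version, "executable": name, "hash": f"{path_hash:08X}",
            "run_count": run_count,
            "last_runs": [filetime_to_dt(t) for t in raw_times if t]}

def build_sample():
    """Constructed version-23 buffer for the demo (not a real .pf file)."""
    buf = bytearray(0xF0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    buf[16:32] = "CMD.EXE".encode("utf-16-le") + b"\x00\x00"
    struct.pack_into("<I", buf, 76, 0x1234ABCD)
    struct.pack_into("<Q", buf, 0x80, 133_485_408_000_000_000)  # 2024-01-01 UTC
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```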
By default, you can't read Prefetch files using any text editor; you have to use a special tool called