Archive for the ‘Post Exploitation’ Category

Windows Prefetch Folder Tool

October 19, 2009 Leave a comment

The inspiration of this tool came after listening to Pauldotcom Episode 171.
I wanted something that I can run in the form of a script to extract information from the windows prefetch folder.

Windows caches portions of frequently accessed programs in order to speed up program launches.  The prefetch folder reveals which programs you have been running recently, how many times you executed the program and when you last executed the program.

This is one place where forensic investigators should look at first when looking at a compromised/suspect machine.  <as heard on pauldotcom>

The tool can be download from

The below screenshot shows the options of the prefetch-tool

prefetch tool usage help

Below shows the results of running the prefetch-tool script.

example of prefetch-tool usage

Send me your comments and feedbacks to keith.lee2012[at]

Categories: Post Exploitation