How to Investigate with Windows Prefetch Files

https://www.tcm.rocks/certs-y - New forensics coursework (and possible cert) coming later this year! Until then, check out our existing blue team certifications, like the PSAA (Practical SOC Analyst Associate) and PSAP (Practical SOC Analyst Professional).

What is Windows Prefetch? And why does Windows use it? Most importantly, how can we use it to our advantage as forensic examiners? It turns out, Windows Prefetch can provide some solid evidence of program execution. You can learn a surprising amount from it - even without using any forensic tools. Andrew Prince walks you through all of these things in a little over 15 minutes in today's video.

What do you want to see Andrew explain next? Share your picks in the comments!

Sponsor a Video: https://www.tcm.rocks/Sponsors
Pentests & Security Consulting: https://tcm-sec.com
Get Trained: https://www.tcm.rocks/acad-y
Get Certified: http://www.tcm.rocks/certs-y
Merch: https://www.bonfire.com/store/tcm-sec...

0:00 - Introduction
00:44 - What is Windows Prefetch?
02:43 - Prefetch Configuration
05:40 - Prefetch Files
08:58 - Parsing Prefetch Files
11:49 - Hunting Anti-Forensics
13:14 - Scaling Prefetch Analysis
16:05 - Conclusion