SDF Windows Prefetch Forensics

Learn how to analyze Windows Prefetch evidence
File size: 382.15 MB
Total length: 1h 23m



Michael Leclair



What you’ll learn

Understand what the Windows Prefetch artifact is
Be able to explain the artifact
Know what types of user behavior affect the artifact
Know how to conduct validation testing
Understand how to properly interpret Prefetch results
Know how to use several freely available Prefetch forensic tools



Windows 8 or 10 system (Windows 10 recommended)
All in-class forensic programs are freely available and download links provided
Student testing and validation material provided


Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge – all in about one hour.
As with previous SDF classes, you will learn by doing. The class begins with Windows Prefetch fundamentals and provides an understanding of how the artifact works. Students then delve into several validation exercises to observe how user-driven activity affects Windows Prefetch evidence. The last section teaches students how to use several freely available forensic tools built by the DFIR community to examine Prefetch evidence. By the end of the class, students will have a solid understanding of how to use the Windows Prefetch as evidence, understand the types of user behaviors that affect the Prefetch, and know how to use Windows Prefetch forensic tools.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way, we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. You are therefore not just going to learn about the Windows Prefetch; you will also learn a method you can use to answer questions that may come up in the future.
A PC running Windows 8 or Windows 10 is required for this course. The forensic tools we use are all freely available, so beyond your laptop and operating system all you need is the desire to become a better computer forensic examiner.


Section 1: Introduction

Lecture 1 Welcome to Windows Prefetch Forensics

Lecture 2 Class outline

Lecture 3 Class Tools & Downloads

Lecture 4 Operating system for class

Lecture 5 Tools for the practical exercises

Section 2: Understanding Windows Prefetch

Lecture 6 What is Windows Prefetch?

Lecture 7 Forensic Value

Lecture 8 Forensic Breakdown

Lecture 9 File Headers

Lecture 10 Prefetch Registry Key

Lecture 11 Caveats

Section 3: Validation Exercises

Lecture 12 Overview

Lecture 13 First Run Time

Lecture 14 Last Run Time

Lecture 15 Run from USB

Lecture 16 Deleted Executable

Lecture 17 DLLs & Other Support Files

Lecture 18 Latency Issues

Lecture 19 Validation Wrap-up

Section 4: Forensic Tools

Lecture 20 Overview

Lecture 21 Sample prefetch data

Lecture 22 FTK Imager

Lecture 23 WinPrefetchView

Lecture 24 CDQR

Lecture 25 RegRipper

Lecture 26 Windows Prefetch Parser – Setup on Windows

Lecture 27 Windows Prefetch Parser – Usage

Section 5: Conclusion

Lecture 28 Conclusion

Lecture 29 Thank you!

Computer forensic analysts, security analysts, IT professionals, students

Course Information:

Udemy | English | 1h 23m | 382.15 MB
Created by: Michael Leclair
