Forensic analysts can examine Prefetch files to determine which applications have been run, how often they were executed, and when they were last run.
By default, Prefetch files are stored in the C:\Windows\Prefetch\ directory (prefetching is disabled by default on Windows Server editions, so an empty directory there is not by itself suspicious).
.\PECmd.exe -d C:\Windows\Prefetch --csv C:\cases\out --csvf prefetch.csv
(--csv takes an output directory, not a file name; --csvf sets the CSV file name inside it)
Hunt
- powershell.exe
- cmd.exe
- wscript.exe
- mshta.exe
- rundll32.exe
- 7z.exe
- rar.exe
Red Flags
- Unknown random executables
- Run count anomalies
Correlate
- MFT ($MFT entry and timestamps of the executable itself)
- Amcache (Amcache.hve)
- 4688 (Security log process-creation events)
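Added example (not part of the original notes or of PECmd): a triage pass over PECmd CSV output that applies the hunt list and the two red flags above; the column names, the per-host baseline and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import statistics

# Hunt list from the notes: executables whose prefetch entries always deserve a look.
HUNT = {"POWERSHELL.EXE", "CMD.EXE", "WSCRIPT.EXE", "MSHTA.EXE",
        "RUNDLL32.EXE", "7Z.EXE", "RAR.EXE"}

# Hypothetical per-host baseline of expected executables (build it from a known-good image).
BASELINE = {"EXPLORER.EXE", "SVCHOST.EXE", "CHROME.EXE", "OUTLOOK.EXE"}

# Constructed sample in the shape of PECmd's CSV output; column names are assumed and
# reduced to the four used here, and the hashes in SourceFilename are made up.
SAMPLE_CSV = r"""SourceFilename,ExecutableName,RunCount,LastRun
C:\Windows\Prefetch\EXPLORER.EXE-00000001.pf,EXPLORER.EXE,812,2024-03-10 09:12:44
C:\Windows\Prefetch\SVCHOST.EXE-00000002.pf,SVCHOST.EXE,640,2024-03-10 09:10:01
C:\Windows\Prefetch\CHROME.EXE-00000003.pf,CHROME.EXE,220,2024-03-10 08:55:30
C:\Windows\Prefetch\OUTLOOK.EXE-00000004.pf,OUTLOOK.EXE,95,2024-03-09 17:02:11
C:\Windows\Prefetch\POWERSHELL.EXE-00000005.pf,POWERSHELL.EXE,3,2024-03-10 02:14:07
C:\Windows\Prefetch\XHRTQZK.EXE-00000006.pf,XHRTQZK.EXE,1,2024-03-10 02:15:22
C:\Windows\Prefetch\CMD.EXE-00000007.pf,CMD.EXE,7500,2024-03-10 02:16:00
"""


def looks_random(exe_name):
    """Crude 'random name' heuristic: 6+ alphanumerics with two or more digits or no vowels."""
    stem = exe_name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalnum():
        return False
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "AEIOU" for c in stem)
    return digits >= 2 or vowels == 0


def hunt_prefetch(csv_text, anomaly_factor=10, anomaly_floor=50):
    """Return {ExecutableName: [flags]} for every prefetch row that trips a check."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return {}
    # A run count far above the host's median is the "run count anomaly" red flag.
    threshold = max(anomaly_floor, anomaly_factor * statistics.median(int(r["RunCount"]) for r in rows))
    findings = {}
    for r in rows:
        exe = r["ExecutableName"].upper()
        flags = []
        if exe in HUNT:
            flags.append("hunt-list")
        elif exe not in BASELINE:
            flags.append("not-in-baseline")
            if looks_random(exe):
                flags.append("random-name")
        if int(r["RunCount"]) >= threshold:
            flags.append("run-count-anomaly")
        if flags:
            findings[exe] = flags
    return findings


if __name__ == "__main__":
    for exe, flags in hunt_prefetch(SAMPLE_CSV).items():
        print(f"{exe:<20} {', '.join(flags)}")
```

Flagged names are then pivoted into the MFT, Amcache and 4688 events for the LastRun window.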