Does this skill work with Windows 10 and 11?

Yes, it includes specific workflows for handling the MAM compression used in Windows 10 and 11 Prefetch files, as well as the extended timestamp storage introduced in Windows 8.

Can Prefetch files prove a file was executed if it has been deleted?

Yes, Prefetch files often persist even after the source executable is deleted, serving as definitive evidence that a program once existed and was executed on the system.

What information can be recovered from Windows Prefetch files?

Prefetch files provide the executable name, the path from which it ran, the total number of times it was executed, the last execution timestamps (up to 8 on modern Windows), and the files/directories the application accessed during the first 10 seconds of execution.

Which forensic tools are recommended for use with this skill?

The skill is optimized for use with Eric Zimmerman's PECmd, but also supports python-prefetch parsers, WinPrefetchView, and general-purpose forensic platforms like Autopsy or KAPE.

Windows Prefetch Forensic Analysis

Name: Windows Prefetch Forensic Analysis
Author: mukul975

bymukul975

•

4,121

•

Security & Testing

Analyzes Windows Prefetch files to reconstruct detailed program execution history and forensic timelines for security investigations.

This skill provides a comprehensive framework for digital forensic investigators to parse and interpret Windows Prefetch (.pf) files. It enables AI agents to extract critical evidence such as application run counts, multiple execution timestamps (for Windows 8+), and lists of referenced files and directories. By automating the identification of suspicious binaries like credential dumpers, remote access tools, and anti-forensic utilities, this skill helps incident responders build accurate attack timelines and verify malicious activity across various Windows versions, including handling modern MAM-compressed formats.

Key Features

014,121 GitHub stars

02Extracts up to 8 recent execution timestamps per executable for timeline reconstruction

03Automates discovery of known malicious tools, interpreters, and exfiltration utilities

04Parses Prefetch versions 17, 23, 26, and 30 (Windows XP through Windows 11)

05Identifies referenced files and DLLs to understand application behavior

06Handles Windows 10/11 MAM compression for deep forensic parsing

Use Cases

01Confirming the execution of unauthorized software or portable malicious binaries

02Establishing a chronological timeline of attacker activity during incident response

03Detecting the use of anti-forensic tools intended to hide system activity

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-prefetch-files-for-execution-history

For use in Claude.ai and ChatGPT

Key Features

014,121 GitHub stars

02Extracts up to 8 recent execution timestamps per executable for timeline reconstruction

03Automates discovery of known malicious tools, interpreters, and exfiltration utilities

04Parses Prefetch versions 17, 23, 26, and 30 (Windows XP through Windows 11)

05Identifies referenced files and DLLs to understand application behavior

06Handles Windows 10/11 MAM compression for deep forensic parsing

Use Cases

01Confirming the execution of unauthorized software or portable malicious binaries

02Establishing a chronological timeline of attacker activity during incident response

03Detecting the use of anti-forensic tools intended to hide system activity

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-prefetch-files-for-execution-history

For use in Claude.ai and ChatGPT