# Information Stored in Prefetch Files Each `.pf` file is a trove of forensically valuable metadata relating to the execution instance(s) it represents: * **Executable Name:** The filename of the program that was run. * **Run Count:** The total number of times the application has been executed *from that specific path*. * **Last Run Timestamp:** The precise date and time the application was **last executed** from that path. This is a **primary indicator of execution time**. (Remember: The *Date Modified* timestamp of the `.pf` file itself reflects this Last Run Time). * **Previous Run Timestamps:** Up to 8 of the most recent previous execution timestamps are stored, offering a history of recent launches from that path. * **Volume Information:** Details about the disk volume where the executable was located during its last run, including the volume name (e.g., `C:`), volume serial number, and the volume's creation date. * **File Metrics:** Records the size of the original executable file. * **Directories Referenced:** A list of directories the application accessed during its initial startup phase (usually within the first \~10 seconds). * **Files Referenced (Indexes/Loaded Resources):** A list of specific files (including DLLs, configuration files, data files, etc.) that the application loaded or accessed during that initial startup phase. This is crucial for linking processes like `java.exe` to specific `.jar` files or `rundll32.exe` to specific `.dll` files. * **Executable Path Hash:** The 8-character hash identifying the path of execution. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://itzicehere.gitbook.io/redlotusguide/screensharing-general-knowledge/seventh-section-manual-ss-techniques/windows-prefetch-analysis/information-stored-in-prefetch-files.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.