# Information Stored in Prefetch Files

Each `.pf` file is a trove of forensically valuable metadata relating to the execution instance(s) it represents:

* **Executable Name:** The filename of the program that was run.
* **Run Count:** The total number of times the application has been executed *from that specific path*.
* **Last Run Timestamp:** The precise date and time the application was **last executed** from that path. This is a **primary indicator of execution time**. (Remember: The *Date Modified* timestamp of the `.pf` file itself reflects this Last Run Time).
* **Previous Run Timestamps:** Up to 8 of the most recent previous execution timestamps are stored, offering a history of recent launches from that path.
* **Volume Information:** Details about the disk volume where the executable was located during its last run, including the volume name (e.g., `C:`), volume serial number, and the volume's creation date.
* **File Metrics:** Records the size of the original executable file.
* **Directories Referenced:** A list of directories the application accessed during its initial startup phase (usually within the first \~10 seconds).
* **Files Referenced (Indexes/Loaded Resources):** A list of specific files (including DLLs, configuration files, data files, etc.) that the application loaded or accessed during that initial startup phase. This is crucial for linking processes like `java.exe` to specific `.jar` files or `rundll32.exe` to specific `.dll` files.
* **Executable Path Hash:** The 8-character hash identifying the path of execution.