Posts tagged "prefetch"
- What's a .pf file vs an Amcache entry?
.pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.
2026-05-24
- What is Windows Prefetch? (glossary)
Prefetch is the Windows folder of .pf files recording every binary execution, with up to 8-10 run timestamps per binary and the files each one loaded. The strongest Windows execution evidence.
2026-05-24
- Amcache vs Prefetch: what each one really proves
Amcache records presence; Prefetch records execution. A practical reference for when to use each, what they overlap on, and how to combine them in a DFIR timeline.
2026-05-24