# Extracting Prefetch

## Prefetch

* Windows feature that records and analyzes data about frequently used files and applications.
* Uses this information to optimize startup and application launch times by prefetching necessary resources into memory.
* Stored in the C:\Windows\Prefetch folder

## Steps

<mark style="color:red;">`./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser`</mark>

* Download the plugin from GitHub and put it into the plugins directory.
* When you try running it, you will see this error: “Can’t load MSCompression Library”, because the prefetch files in Win10 are compressed, which requires a third-party compression library to be installed.
* The open-source implementation of the Microsoft compression algorithms is obtained from another GitHub repository. Prefetch files specifically use the Express Huffman algorithm.
* Switch to root and clone the repo.

<mark style="color:red;">`git clone https://github.com/coderforlife/ms-compress.git`</mark>

* Run the “build.sh” file to compile it and you’ll get the “libMSCompression.so” file.
* Move it to the /usr/lib folder and exit out of root.
* Run the command again and you’ll get this error: “./mam-pf/ is not a directory”
* You need to specify the mam dump directory where the prefetch files will be dumped; “mam” refers to the Express Huffman compressed format.
* Create a dump directory and run the following command:

<mark style="color:red;">`./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser --mam-dir=./dump/`</mark>

* The parsed prefetch information is displayed, including execution times for specific processes.
* If a file has been executed more than eight times, only 8 entries are displayed, as only the last 8 run times are tracked in Win 8 and later.
* You can find the prefetch files in the dump directory.
* Running <mark style="color:red;">`file`</mark> against them will not identify them, as it doesn’t recognize the format.

<mark style="color:red;">`xxd mam-pf-0000.pf | more`</mark>

* You can find the letters “MAM” in the header, as it is an Express Huffman compressed file, which is indeed a valid Prefetch file.
* Only partial Prefetch files are extracted from memory (truncated at 4096 bytes), but they still have valid headers.
* In Win10, Prefetch files are compressed and the file signature is MAM. Before Win10, the signature is SCCA. If the prefetch file is uncompressed, SCCA can be seen in the header.
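An added header check (example code, not from the plugin or this page's author) that tells a MAM file from an SCCA file and, for an uncompressed SCCA file, reads the executable name, hash and the last-run timestamps (eight slots from version 26, i.e. Win 8 and later, one slot before that). The field offsets are the standard prefetch layout and the two sample headers are constructed here, not taken from the page; decompressing a MAM body still needs the MSCompression library described above.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAM_MAGIC = b"MAM\x04"   # Windows 10 compressed prefetch (Express Huffman)
SCCA_MAGIC = b"SCCA"     # uncompressed prefetch signature (at offset 4)
# (offset, count) of last-run FILETIMEs per format version:
# 17 = XP, 23 = Vista/7, 26 = Win 8.1, 30 = Win 10 (eight slots from 26 on)
LAST_RUN = {17: (0x78, 1), 23: (0x80, 1), 26: (0x80, 8), 30: (0x80, 8)}

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def inspect_prefetch(data):
    """Classify a (possibly 4096-byte truncated) prefetch blob by header."""
    if data[:4] == MAM_MAGIC:
        # MAM header: 4-byte magic, then the size of the decompressed file
        (size,) = struct.unpack_from("<I", data, 4)
        return {"format": "MAM", "decompressed_size": size}
    if data[4:8] != SCCA_MAGIC:
        return {"format": "unknown"}
    (version,) = struct.unpack_from("<I", data, 0)
    (file_size,) = struct.unpack_from("<I", data, 0x0C)
    # executable name: 60 bytes of UTF-16LE, NUL terminated
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    offset, count = LAST_RUN.get(version, (None, 0))
    times = []
    if offset is not None and len(data) >= offset + 8 * count:
        for ft in struct.unpack_from("<%dQ" % count, data, offset):
            if ft:  # unused slots are zero-filled
                times.append(filetime_to_dt(ft))
    return {"format": "SCCA", "version": version, "file_size": file_size,
            "executable": name, "hash": pf_hash, "last_runs": times}

def sample_scca_v30():
    """Constructed Win10-style uncompressed header with two run times."""
    hdr = bytearray(0x100)
    struct.pack_into("<I4sII", hdr, 0, 30, SCCA_MAGIC, 0x11, 0x1000)
    hdr[0x10:0x10 + 60] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0xD8414F97)
    runs = [datetime(2017, 5, 1, 12, 0, tzinfo=timezone.utc),
            datetime(2017, 5, 2, 8, 30, tzinfo=timezone.utc)]
    struct.pack_into("<2Q", hdr, 0x80, *(dt_to_filetime(d) for d in runs))
    return bytes(hdr)

# Constructed MAM header as seen at the start of a dumped mam-pf-*.pf file
SAMPLE_MAM = MAM_MAGIC + struct.pack("<I", 0x5A3C) + b"\x00" * 8
```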
