Get-ForensicPrefetch
NAME Get-ForensicPrefetch
SYNOPSIS
Gets the Prefetch objects from the specified volume or file.
SYNTAX
Get-ForensicPrefetch [[-VolumeName] <String>] [-Fast <SwitchParameter>] [<CommonParameters>]
Get-ForensicPrefetch -Path <String> [-Fast <SwitchParameter>] [<CommonParameters>]
DESCRIPTION
The Get-ForensicPrefetch cmdlet parses the binary structure of the specified Prefetch file. If a file is not
specified, Get-ForensicPrefetch parses all .pf files in the C:\Windows\Prefetch directory of the specified volume.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\.\C:, C:, or C.
Required? false
Position? 0
Default value \\.\C:
Accept pipeline input? false
Accept wildcard characters? false
-Fast [<SwitchParameter>]
Use the Windows API to list files within the C:\Windows\Prefetch directory instead of reading them through the raw NTFS structures. WARNING: Not forensically sound, because the enumeration goes through the live file system of the running host.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
Path to file to be parsed.
Required? true
Position? named
Default value
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Artifacts.Prefetch
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>Get-ForensicPrefetch
This command gets an array of Prefetch objects, one for each .pf file in the C:\Windows\Prefetch directory.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\>Get-ForensicPrefetch -Path C:\Windows\Prefetch\CMD.EXE-89305D47.pf
Version : WINDOWS_8
Name : CMD.EXE
Path : \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE
PathHash : 89305D47
DependencyCount : 25
PrefetchAccessTime : {4/3/2015 4:29:25 AM, 4/3/2015 4:29:18 AM, 3/31/2015 12:33:17 PM, 3/31/2015 12:22:42 PM...}
DeviceCount : 1
RunCount : 40
This command parses the Prefetch file specified by the Path parameter.
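-------------------------- EXAMPLE 3 (added) --------------------------
The following script is an added example and not part of the PowerForensics help text or module. It uses only the output properties shown in EXAMPLE 2 (Name, Path, PathHash, RunCount, PrefetchAccessTime) and assumes the module is already imported in an elevated session. It flattens the per-file PrefetchAccessTime array (on Windows 8 and later a .pf file records up to the last eight run times) into one row per execution, sorts them into a timeline, and flags binaries executed from user-writable or otherwise unusual locations. The path patterns are the analyst's assumption for this example, not anything the cmdlet provides.

```powershell
# Added example; not PowerForensics code. Assumes Get-ForensicPrefetch is
# available in an elevated session and returns objects with the properties
# documented above (Name, Path, PathHash, RunCount, PrefetchAccessTime).

# Volume to examine. Any of the formats \\.\C:, C:, or C is accepted.
$Volume = 'C:'

# 1. Parse every .pf file through the raw NTFS path (the default; -Fast is
#    deliberately NOT used so the live file system is not touched), then emit
#    one row per recorded execution so the timestamps become a flat timeline.
$timeline = Get-ForensicPrefetch -VolumeName $Volume |
    ForEach-Object {
        $pf = $_
        foreach ($ts in $pf.PrefetchAccessTime) {
            [pscustomobject]@{
                ExecutionTime = $ts
                Name          = $pf.Name
                Path          = $pf.Path
                PathHash      = $pf.PathHash
                RunCount      = $pf.RunCount
            }
        }
    } |
    Sort-Object ExecutionTime -Descending

# 2. Flag executables launched from places where legitimate software rarely
#    lives. Prefetch stores paths as \DEVICE\HARDDISKVOLUMEn\... in upper case;
#    -match is case-insensitive, so the casing below does not matter.
#    These regexes are an assumption for the example; tune them per estate.
$suspiciousPaths = @(
    '\\USERS\\[^\\]+\\APPDATA\\',       # per-user AppData (Local, Roaming, LocalLow)
    '\\USERS\\[^\\]+\\DOWNLOADS\\',     # browser download directory
    '\\TEMP\\',                         # any Temp directory, user or system
    '\\PROGRAMDATA\\',                  # world-writable in many deployments
    '\\RECYCLER\\|\\\$RECYCLE\.BIN\\'   # recycle bin, a classic staging spot
)
$pattern = $suspiciousPaths -join '|'

$flagged = $timeline | Where-Object { $_.Path -match $pattern }

# 3. Report: the 25 most recent executions overall, then every flagged one.
"=== Most recent executions recorded on $Volume ==="
$timeline | Select-Object -First 25 | Format-Table -AutoSize

"=== Executions from user-writable or unusual paths ==="
$flagged | Format-Table -AutoSize

# 4. Export the full timeline so it can be correlated with other artifacts
#    (event logs, $MFT timestamps, ShimCache) in a timeline tool.
$csv = ".\prefetch-timeline-$($Volume.TrimEnd(':', '\').TrimStart('\', '.')).csv"
$timeline | Export-Csv -Path $csv -NoTypeInformation
```

Because -Path accepts pipeline input by property name, the same analysis can be run against a hand-picked set of files (for example .pf files copied out of a mounted image) by feeding objects that carry a Path property, e.g. Get-ChildItem with a calculated property: Get-ChildItem E:\evidence\Prefetch -Filter *.pf | Select-Object @{Name='Path';Expression={$_.FullName}} | Get-ForensicPrefetch. Note that the DEVICE\HARDDISKVOLUMEn prefix in Path identifies the volume as the kernel saw it at execution time, so the same executable may appear under different volume numbers across reboots or images.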
RELATED LINKS