Volatility3 Windows Plugin - Prefetch
Windows prefetch files are temporary files stored in the %SystemRoot%\System\Prefetch folder. This memory management feature keeps track of the applications that run frequently on a given system. We can extract data from those files to get useful information for a digital forensic investigation. In this blog article, I will explain how we can use memory forensics to extract prefetch files, parse them and, in the end, create a volatility3 plugin.