What is Crow-Eye Prefetch Analyzer?

Crow-Eye Prefetch Analyzer is a powerful Python-based command-line tool designed for forensic analysis of Windows Prefetch files (.pf). It extracts critical execution metadata, including executable names, run counts, last execution timestamps, and referenced resources, from C:\Windows\Prefetch or from offline directories. Supporting Windows XP through Windows 11 (prefetch versions 17, 23, 26, 30, 31), it offers SQLite, JSON, and CSV outputs, multiprocessing for speed, and robust error handling. It is well suited to digital forensics, incident response, and threat hunting.

What is a Prefetch File?

Windows Prefetch files (.pf), stored in C:\Windows\Prefetch, are created by the Windows Prefetcher to optimize application and boot performance. Introduced in Windows XP, they capture:

  • Executable Name: Program name (e.g., NOTEPAD.EXE).
  • Run Count: Number of executions.
  • Last Execution Times: Up to eight timestamps (Windows 8+).
  • Volume Information: Drive details hosting the executable.
  • Resources Loaded: DLLs and other files used by the program.

Prefetch files are updated each time the program runs and persist after the executable itself has been deleted, making them critical for reconstructing timelines and detecting malicious activity.

Why Use Crow-Eye Prefetch Analyzer?

Prefetch Analyzer transforms raw .pf files into actionable forensic insights.

  • Execution Evidence: Captures metadata for executables (e.g., FTK Imager, Python).
  • Timeline Analysis: Orders events by last_run_time.
  • Malware Detection: Identifies suspicious programs (e.g., PsExec in non-standard paths).
  • System Baseline: Establishes normal application usage.
  • User Behavior: Reveals usage patterns via run counts and timestamps.

Why It Matters: Prefetch files persist after the executable they describe has been deleted, making them invaluable for uncovering hidden threats and building forensic timelines.

Key Features

Live & Offline Analysis

Live: Parses .pf files from C:\Windows\Prefetch on Windows XP+ (admin required).
Offline: Analyzes user-specified directories (e.g., E:\prefetch_files).

Flexible Output Formats

SQLite (prefetch_data3.db): Structured database with fields like executable_name, run_count, and last_run_time.
JSON: Human-readable output (prefetch_data.json).
CSV: Spreadsheet-compatible (prefetch_data.csv).

Multiprocessing

Uses multiprocessing.Pool for parallel parsing, optimizing performance (e.g., 123 .pf files in 5 seconds).

Robust Parsing

Supports prefetch versions 17 (XP), 23 (Vista/7), 26 (8/8.1), 30 (10), and 31 (11).
Handles XPRESS Huffman compression in Windows 10/11 files.

Error Handling

Retries parsing on invalid files (3 attempts, 1-second delay).
Logs errors and high run counts (>1,000,000) to prefetch_analyzer.log.
Validates files with a minimum size of 84 bytes.

Run Count Management

Logs high run counts (e.g., 1,200,000,000) to prefetch_analyzer.log and points the analyst to last_executed as the more reliable field.

Progress Tracking

Displays a tqdm progress bar (e.g., file=NOTEPAD.EXE-4A81B364.pf).
Reports parse success rate (e.g., 98.37% for 123 files).

Interactive & Non-Interactive Modes

Interactive: Number-based menu (1-4).
Non-Interactive: Command-line arguments for automation.

Static ASCII Logo

Displays a non-clearing ASCII logo at startup.

Customizable Output Paths

Allows user-specified paths for SQLite, JSON, or CSV outputs.

Installation

Clone or Download

git clone https://github.com/Ghassan-elsman/Prefetch-Parser-CLI
cd Prefetch-Parser-CLI

Install Python

Download Python 3.8+ from python.org. Ensure pip is included.

Run the Script

Automatically sets up a virtual environment (E:\prefetch analysis\venv_prefetch_parser) and installs tqdm and sqlite3.
C:/Users/Ghass/AppData/Local/Microsoft/WindowsApps/python3.12.exe "E:/prefetch analysis/cli_prefetch_parser.py"

Manual Dependency Installation

If needed:
pip install tqdm
Note: sqlite3 is typically included with Python 3.8+.

Usage

Interactive Mode

Launch without arguments for a user-friendly menu:
"E:/prefetch analysis/cli_prefetch_parser.py"
Menu Output:
=== CROW-EYE PREFETCH ANALYZER MENU ===
1. Live Analysis (C:\Windows\Prefetch)
2. Offline Analysis (Custom Directory)
3. Select Output Format
4. Exit

Current output format: SQLITE (prefetch_data3.db)
Enter a number (1-4) to select an option:

Options:

  • 1. Live Analysis
  • 2. Offline Analysis
  • 3. Select Output Format (sqlite, json, csv)
  • 4. Exit

Non-Interactive Mode

Run with command-line arguments:
"E:/prefetch analysis/cli_prefetch_parser.py" --non-interactive --output csv --offline "E:\prefetch_files"
Arguments:

  • --non-interactive: Skip the menu.
  • --output: Choose sqlite, json, or csv.
  • --offline: Specify a directory of .pf files.
  • --output-path: Custom output file path.

Examples

Live analysis with SQLite output:
Start-Process powershell -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `"& 'E:/prefetch analysis/cli_prefetch_parser.py' --non-interactive`""
Offline analysis with CSV output:
"E:/prefetch analysis/cli_prefetch_parser.py" --non-interactive --output csv --offline "E:\prefetch_files" --output-path "E:\output\custom.csv"

Sample Output

SQLite Database

CREATE TABLE prefetch_entries (
id INTEGER PRIMARY KEY AUTOINCREMENT,
filename TEXT,
executable_name TEXT,
hash TEXT,
run_count INTEGER,
last_executed TEXT,
run_times TEXT,
volume_name TEXT,
volume_creation_time TEXT,
volume_serial_number TEXT,
directories TEXT,
resources TEXT,
file_create_time TEXT,
file_modified_time TEXT,
file_accessed_time TEXT,
parse_status TEXT,
parsed_timestamp TIMESTAMP
);
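The Timeline Analysis and Malware Detection features described above can be reproduced directly against the analyzer's SQLite output. The following is an added example, not code from the Crow-Eye project: it loads constructed rows into a subset of the prefetch_entries schema, orders them by last_executed, recovers each executable's own path from its resources list, and flags a watchlisted admin tool running from an unexpected directory as well as run counts above the analyzer's 1,000,000 threshold. The watchlist and expected-path prefixes are assumptions for the demo.

```python
import sqlite3
# Subset of the analyzer's prefetch_entries columns (full schema above).
SCHEMA = """CREATE TABLE prefetch_entries (
    id INTEGER PRIMARY KEY AUTOINCREMENT, filename TEXT, executable_name TEXT,
    run_count INTEGER, last_executed TEXT, resources TEXT)"""
# Constructed rows: only NOTEPAD mirrors the page's sample; the other names,
# hashes, paths and timestamps are made up for the demo.
SAMPLE_ROWS = [
    ("NOTEPAD.EXE-4A81B364.pf", "NOTEPAD.EXE", 2, "2025-01-16T20:26:42Z",
     "\\WINDOWS\\SYSTEM32\\NTDLL.DLL,\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"),
    ("PSEXEC.EXE-1A2B3C4D.pf", "PSEXEC.EXE", 1, "2025-01-16T20:31:05Z",
     "\\WINDOWS\\SYSTEM32\\NTDLL.DLL,\\USERS\\PUBLIC\\MUSIC\\PSEXEC.EXE"),
    ("SVCHOST.EXE-5E6F7A8B.pf", "SVCHOST.EXE", 1200000000, "2025-01-16T20:20:00Z",
     "\\WINDOWS\\SYSTEM32\\NTDLL.DLL,\\WINDOWS\\SYSTEM32\\SVCHOST.EXE"),
]
# Assumed review policy (not the analyzer's): admin tools worth a look when
# they run from outside the usual system directories; the run-count ceiling
# is the analyzer's own threshold.
WATCHLIST = {"PSEXEC.EXE"}
EXPECTED_PREFIXES = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\", "\\PROGRAM FILES")
MAX_PLAUSIBLE_RUN_COUNT = 1_000_000

def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO prefetch_entries (filename, executable_name, "
                    "run_count, last_executed, resources) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def timeline(con: sqlite3.Connection) -> list:
    """Executables in order of last execution, oldest first."""
    return [r[0] for r in con.execute(
        "SELECT executable_name FROM prefetch_entries ORDER BY last_executed")]

def exe_path(executable_name: str, resources: str):
    """The executable's own path is the resource whose last component is its name."""
    for res in resources.split(","):
        if res.upper().rsplit("\\", 1)[-1] == executable_name.upper():
            return res
    return None

def review(con: sqlite3.Connection) -> list:
    """Flag watchlisted tools outside expected paths and implausible run counts."""
    findings = []
    for name, count, res in con.execute(
            "SELECT executable_name, run_count, resources FROM prefetch_entries ORDER BY id"):
        path = exe_path(name, res)
        if name.upper() in WATCHLIST and not (path or "").upper().startswith(EXPECTED_PREFIXES):
            findings.append((name, f"runs from unexpected path {path}"))
        if count > MAX_PLAUSIBLE_RUN_COUNT:
            findings.append((name, f"run_count {count} unreliable; rely on last_executed"))
    return findings
```

Point load_sample_db at the analyzer's real prefetch_data3.db (and drop the CREATE TABLE) to run the same review over live output.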

JSON Output

{
"prefetch_entries": [
{
"filename": "NOTEPAD.EXE-4A81B364.pf",
"executable_name": "NOTEPAD.EXE",
"hash": "a1b2c3d4e5f6",
"run_count": 2,
"last_executed": "2025-01-16T20:26:42Z",
"run_times": "2025-01-16T20:26:42Z,2025-01-15T10:00:00Z",
"volume_name": "\\DEVICE\\HARDDISKVOLUME2",
"volume_creation_time": "2025-01-16T21:15:18",
"volume_serial_number": "88008c2f",
"directories": "\\WINDOWS\\SYSTEM32",
"resources": "\\WINDOWS\\SYSTEM32\\NTDLL.DLL,...",
"file_create_time": "2025-01-16T20:00:00",
"file_modified_time": "2025-01-16T20:00:00",
"file_accessed_time": "2025-01-16T20:26:42",
"parse_status": "Success",
"parsed_timestamp": "2025-07-20T04:35:00"
}
]
}

CSV Output

id,filename,executable_name,hash,run_count,last_executed,run_times,volume_name,volume_creation_time,volume_serial_number,directories,resources,file_create_time,file_modified_time,file_accessed_time,parse_status,parsed_timestamp
1,NOTEPAD.EXE-4A81B364.pf,NOTEPAD.EXE,a1b2c3d4e5f6,2,2025-01-16T20:26:42Z,2025-01-16T20:26:42Z;2025-01-15T10:00:00Z,\DEVICE\HARDDISKVOLUME2,2025-01-16T21:15:18,88008c2f,\WINDOWS\SYSTEM32,\WINDOWS\SYSTEM32\NTDLL.DLL;...,2025-01-16T20:00:00,2025-01-16T20:00:00,2025-01-16T20:26:42,Success,2025-07-20T04:35:00

FAQ

What systems does Prefetch Analyzer support?

Live analysis requires Windows XP+. Offline analysis works on any OS with Python 3.8+.

Why do I need admin privileges?

Live analysis accesses C:\Windows\Prefetch, which may be restricted.

Why are run counts high?

Counts >1,000,000 may indicate parsing errors or Windows quirks. Check prefetch_analyzer.log and focus on last_executed.

Where are outputs saved?

Outputs are saved to \prefetch-parser or user-specified paths (e.g., prefetch_data3.db).

How does it handle compressed files?

Supports XPRESS Huffman decompression for Windows 10/11 prefetch files.

Troubleshooting

Permission Denied

Run as administrator:
Start-Process powershell -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `"& 'E:/prefetch analysis/cli_prefetch_parser.py'`""

Invalid Prefetch Files

Check file header:
hexdump -C -n 4 "E:\prefetch_files\NOTEPAD.EXE-4A81B364.pf"
Expected: 4d 41 4d (MAM) or 53 43 43 41 (SCCA).
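The header check above can be done programmatically. The following is an added example, not code from the Crow-Eye project: it applies the analyzer's 84-byte minimum, recognises the MAM container signature of compressed Windows 10/11 files (reading the decompressed size stored after it), and for uncompressed files reads the 4-byte version that precedes SCCA at offset 4, then pulls the executable name and prefetch hash from the header. Note that because SCCA sits at offset 4, a 4-byte hexdump of an uncompressed file shows the version bytes rather than SCCA. build_sample_header constructs a minimal test input; it is not a real prefetch file.

```python
import struct

# Prefetch versions the analyzer supports, mapped to the Windows generation
# that writes them (from the Robust Parsing section of this page).
PREFETCH_VERSIONS = {17: "XP", 23: "Vista/7", 26: "8/8.1", 30: "10", 31: "11"}
MIN_SIZE = 84  # the analyzer's minimum-size check


def inspect_prefetch_header(data: bytes) -> dict:
    """Classify the start of a .pf file without parsing the whole thing.

    Windows 10/11 files begin with the XPRESS Huffman container signature
    "MAM" plus a flag byte, followed by the decompressed size; older
    (uncompressed) files begin with a 4-byte version and carry b"SCCA" at 4.
    """
    if len(data) < MIN_SIZE:
        return {"status": "too_small", "size": len(data)}
    if data[:3] == b"MAM":
        (decompressed_size,) = struct.unpack_from("<I", data, 4)
        return {"status": "compressed", "decompressed_size": decompressed_size}
    if data[4:8] == b"SCCA":
        (version,) = struct.unpack_from("<I", data, 0)
        if version not in PREFETCH_VERSIONS:
            return {"status": "unknown_version", "version": version}
        # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
        raw = data[0x10:0x10 + 60].decode("utf-16-le", "replace")
        (pf_hash,) = struct.unpack_from("<I", data, 0x4C)  # prefetch hash
        return {"status": "uncompressed", "version": version,
                "windows": PREFETCH_VERSIONS[version],
                "executable_name": raw.split("\x00", 1)[0],
                "hash": f"{pf_hash:08X}"}
    return {"status": "invalid", "magic": data[:8].hex(" ")}


def build_sample_header(version: int, name: str, pf_hash: int) -> bytes:
    """Constructed demo input: a minimal uncompressed header, not a real file."""
    buf = bytearray(MIN_SIZE)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    buf[0x10:0x10 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    return bytes(buf)


if __name__ == "__main__":
    print(inspect_prefetch_header(build_sample_header(23, "NOTEPAD.EXE", 0x4A81B364)))
    print(inspect_prefetch_header(b"MAM\x04" + (50000).to_bytes(4, "little") + bytes(80)))
```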

High Run Counts

Review prefetch_analyzer.log for entries like:
2025-07-12 02:34:56,789 - WARNING - High run count (1200000000) in filename.pf, potential parsing error
Focus on last_executed for reliable timing.

Missing Dependencies

Install manually:
pip install tqdm

Database Errors

Delete and re-run:
del "E:\prefetch analysis\prefetch_data3.db"

Requirements

  • OS: Windows XP+ (live analysis).
  • Python: 3.8+ (tested with 3.12).
  • Dependencies: tqdm, sqlite3 (auto-installed; sqlite3 included with Python).
  • Permissions: Admin rights for live analysis.
  • Disk Space: Space for database and output files.
  • Internet: Required for dependency installation.

Contributing

Join the community at github.com/Ghassan-elsman/Prefetch-Parser-CLI. Submit pull requests or issues to enhance the tool, ensuring Windows XP+ compatibility and robust error handling.
