The Windows XP prefetch cache is meant to speed up the launch of programs by keeping the first few bytes of a program on disk so that they are preloaded before the user launches the program. Only commonly used programs are cached in the prefetch. You can use the prefetch cache to see which programs were launched at the time a computer was compromised.
- Prefetch files are stored in the %SYSTEMROOT%\Prefetch directory, with a “.pf” extension
- More on Windows prefetch forensics
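
As an added example (not part of the original page), the following reads each .pf file from a copy of the %SYSTEMROOT%\Prefetch directory and lists the programs whose last recorded launch falls inside an incident window. The header offsets are the publicly documented XP (format version 17) layout and are an assumption here, as are the function names and the constructed sample builder.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed XP (version 17) header layout, from public format documentation.
SIGNATURE, XP_VERSION = b"SCCA", 17
NAME_OFF, NAME_LEN = 0x10, 60   # UTF-16LE executable name, NUL padded
LAST_RUN_OFF = 0x78             # FILETIME: 100 ns ticks since 1601-01-01 UTC
RUN_COUNT_OFF = 0x90            # 32-bit launch counter
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_xp_prefetch(data):
    """Return (exe name, last run time in UTC, run count) from XP .pf bytes."""
    if len(data) < RUN_COUNT_OFF + 4 or data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file")
    if struct.unpack_from("<I", data, 0)[0] != XP_VERSION:
        raise ValueError("not the XP (version 17) layout")
    name = data[NAME_OFF:NAME_OFF + NAME_LEN].decode("utf-16-le", "replace")
    ticks, = struct.unpack_from("<Q", data, LAST_RUN_OFF)
    count, = struct.unpack_from("<I", data, RUN_COUNT_OFF)
    last_run = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return name.split("\x00", 1)[0], last_run, count


def launched_between(prefetch_dir, start, end):
    """List (last_run, exe, run_count, file) with last_run in [start, end]."""
    hits = []
    for path in Path(prefetch_dir).iterdir():
        if path.suffix.lower() != ".pf":
            continue
        try:
            exe, last_run, count = parse_xp_prefetch(path.read_bytes())
        except (OSError, ValueError, OverflowError):
            continue  # unreadable, wrong format or bogus timestamp: skip it
        if start <= last_run <= end:
            hits.append((last_run, exe, count, path.name))
    return sorted(hits)


def constructed_pf(exe, last_run, count):
    """Constructed sample header (not a captured file) for trying the parser."""
    buf = bytearray(RUN_COUNT_OFF + 4)
    struct.pack_into("<I4s", buf, 0, XP_VERSION, SIGNATURE)
    buf[NAME_OFF:NAME_OFF + 2 * len(exe)] = exe.encode("utf-16-le")
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q16xI", buf, LAST_RUN_OFF, ticks, count)
    return bytes(buf)
```

Pass `start` and `end` as timezone-aware UTC datetimes, and point `prefetch_dir` at a copy of the directory taken from a forensic image rather than at the live system.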