Windows Prefetch Analysis
The data stored in Prefetch trace files has not been discussed much. In his article “Windows Prefetch: Overview of New Research in Sections A & B”, James Habben analyzes the type of information that we can extract from one of these trace files (read the full article here).
The file format of Prefetch trace files has changed a bit over the years. The information that James writes about is the result of many years of prolonged and inconsistent study time. He spent a lot of time in IDA trying to analyze the kernel-level code. Perhaps familiarizing yourself with his explanations will give you new ideas and push you to work with this even more.
Read his full article here and leave a comment or write by e-mail.