Description: This query enumerates prefetch files to identify evidence of execution.
What The Data Shows: The query returns every prefetch file along with its first execution time (btime, the file's creation time) and last execution time (mtime, the file's last modification time). This helps identify evidence of execution on Windows systems with prefetch enabled. One assumption is that the prefetch file has not been deleted and recreated since the binary was first run; if it has, btime no longer reflects the true "first" execution of the associated binary.
SELECT
    datetime(btime, 'unixepoch', 'localtime') AS firstrun,
    datetime(mtime, 'unixepoch', 'localtime') AS lastrun,
    filename
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
ORDER BY lastrun DESC;
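Because btime and mtime are file-system timestamps, the caveat above applies; the prefetch file itself also embeds a run count and last-run time(s), which give execution evidence that survives the file being deleted and recreated. The following parser is an added example, not part of the original query catalog or of osquery: it reads those embedded fields from uncompressed prefetch headers (format versions 17, 23 and 26), rejects MAM-compressed Windows 10+ files (version 30) which must be decompressed first, and builds a constructed version-23 sample (CALC.EXE with an arbitrary hash, run count and timestamp) so it runs offline.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# (offset of last-run FILETIME(s), number of FILETIMEs, offset of run count) per header version.
# 17 = Windows XP, 23 = Windows 7, 26 = Windows 8.1. Version 30 (Windows 10+) is MAM-compressed
# and is not handled here; decompress it first (XPRESS Huffman) and feed the result to parse_prefetch.
_LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class PrefetchInfo:
    version: int
    executable: str
    prefetch_hash: int
    run_count: int
    last_run_times: list  # newest first; all-zero slots are skipped


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> PrefetchInfo:
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10+ prefetch file; decompress before parsing")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch file (version={version}, signature={sig!r})")
    # Executable name: 60 bytes of null-terminated UTF-16LE at offset 16; hash at offset 76.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    t_off, t_count, rc_off = _LAYOUT[version]
    times = [filetime_to_datetime(ft) for ft in struct.unpack_from(f"<{t_count}Q", data, t_off) if ft]
    (run_count,) = struct.unpack_from("<I", data, rc_off)
    return PrefetchInfo(version, name, pf_hash, run_count, times)


def make_sample_v23(exe: str, pf_hash: int, run_count: int, last_run_ft: int) -> bytes:
    """Constructed minimal version-23 (Windows 7) prefetch header; only the parsed fields are filled."""
    buf = bytearray(0xF0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    buf[16:16 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, 0x80, last_run_ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


# Constructed sample: hash and timestamp (2021-03-04 12:00:00 UTC as FILETIME) are made up.
SAMPLE = make_sample_v23("CALC.EXE", 0x0FE8F3A9, 7, 132593328000000000)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE)
    print(info.executable, hex(info.prefetch_hash), info.run_count, info.last_run_times)
```

To use it on real evidence, read a file matching the query's path (for example one returned by osquery's `filename` column) into `data` and call `parse_prefetch(data)`; compare `run_count` and `last_run_times` against the firstrun/lastrun values the query reports.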