Notifications
Clear all
Topic starter
20/02/2009 4:11 am
Hello,
Would it be uncharacteristic for there only to be one prefetch file on a system (win2003 server) that was build in mid 2008? The existing PF file is NTOSBOOT… I thought that they might have been deleted, but I looked in unallocated space. Also not sure how the command to delete the *.pf files wouldn't that application be listed in the prefetch? The only thing I can think of is that this system was remotely administered, the HTTP server, DNS etc were set to run of a scheduler…
Thoughts…
Thanks
20/02/2009 5:59 pm
As is stated and referenced in "Windows Forensic Analysis", Windows 2003 by default does NOT do application prefetching…therefore, you should NOT expect to see application prefetch files.
What you're seeing is normal for a Windows 2003 system.