One Day Sec

What is the Prefetch file and how does it record program execution on Windows?

Prefetch files are stored in `%SystemRoot%\Prefetch` and are used by Windows to speed up application startup. They record the first few seconds of execution, including file paths, run count, and last run time. Forensic tools like WinPrefetchView can parse these files. Attackers often clear Prefetch files to hide their tools, but doing so may leave gaps in the timeline. For a complete approach to covering traces, see the article Penetration Techniques - Acquisition and Clearing of Windows System File Execution Records.
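To make the recorded fields concrete, here is an added example (not code from the original page or from WinPrefetchView) that reads the executable name, run count and last run time from an uncompressed Prefetch file. It assumes the publicly documented SCCA header offsets for format versions 17, 23 and 26 and rejects MAM-compressed Windows 10+ files; the sample bytes are constructed, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per-version offsets of (last run FILETIME, run count) in an uncompressed SCCA file.
# Assumed from public format documentation: 17 = XP, 23 = Vista/7, 26 = 8.x.
OFFSETS = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, path hash, run count and last run time from .pf bytes."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10+) file: decompress before parsing")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in OFFSETS:
        raise ValueError(f"unsupported Prefetch version {version}")
    time_off, count_off = OFFSETS[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated Prefetch header")
    # Executable name: NUL-terminated UTF-16LE string in a 60-byte field at offset 16.
    name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 76)
    last_run, = struct.unpack_from("<Q", data, time_off)
    run_count, = struct.unpack_from("<I", data, count_off)
    return {"version": version, "executable": name, "path_hash": f"{path_hash:08X}",
            "run_count": run_count, "last_run": filetime_to_dt(last_run)}

def build_sample():
    """Constructed sample: a minimal version 23 header, not a real capture."""
    buf = bytearray(0x9C)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))               # declared file size
    buf[16:16 + 18] = "TOOL.EXE\x00".encode("utf-16-le")    # hypothetical program name
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)             # constructed path hash
    struct.pack_into("<Q", buf, 0x80, 132223104000000000)   # 2020-01-01 00:00:00 UTC
    struct.pack_into("<I", buf, 0x98, 7)                    # run count
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```

On a real triage, the parsed last run time can be compared against the `.pf` file's own filesystem timestamps; a Prefetch directory with few or no entries on a long-running workstation is itself worth noting in the timeline.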