Uninstalling an application doesn’t erase the evidence that it was ever used

Did you know that uninstalling an application doesn’t erase the evidence that it was ever used?
Windows maintains a hidden record of the programs you run in order to improve startup performance. This mechanism is called Prefetch.

These records are stored as .pf files in C:\Windows\Prefetch and capture details such as:

The exact date and time the program was executed

The file path it was launched from

How many times it was run

To examine these files, you can use WinPrefetchView, which is free to download.



Because of this, digital forensics investigators can demonstrate that a program like CCleaner or Malware.exe was executed—even after the application has been removed or the system has been “cleaned.”
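
As an added example (not part of the original post and not WinPrefetchView's code), the Python below reads the three fields listed above from an uncompressed .pf file, using field offsets from public SCCA format documentation such as libscca's. The `build_sample` buffer is constructed for illustration; Windows 10 and later store .pf files compressed, which the parser detects and rejects rather than decoding.

```python
import struct
from datetime import datetime, timedelta, timezone

# SCCA version -> (last-run offset, run-count offset); 17=XP, 23=Vista/7, 26=8.1
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, launch path, last run time and run count."""
    if data[:3] == b"MAM":  # Windows 10+ stores .pf files compressed
        raise ValueError("compressed prefetch file: decompress before parsing")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT or len(data) < LAYOUT[version][1] + 4:
        raise ValueError(f"unsupported or truncated file (version {version})")
    run_off, count_off = LAYOUT[version]
    # Header: 60-byte UTF-16LE executable name at offset 16.
    name = data[16:76].decode("utf-16-le", "replace").split("\x00", 1)[0]
    # File-information block: offset and size of the referenced-file strings.
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    strings = data[str_off:str_off + str_size].decode("utf-16-le", "replace")
    # The launch path is the referenced file whose last component is the name.
    path = next((s for s in strings.split("\x00")
                 if s.upper().endswith("\\" + name.upper())), None)
    return {
        "executable": name,
        "path": path,
        "last_run": filetime_to_utc(struct.unpack_from("<Q", data, run_off)[0]),
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }

def build_sample():
    """Constructed version-23 buffer for demonstration, not a real artifact."""
    buf = bytearray(0x200)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    exe = "CCLEANER.EXE".encode("utf-16-le")
    buf[16:16 + len(exe)] = exe
    paths = "\\DEVICE\\HARDDISKVOLUME2\\TOOLS\\CCLEANER.EXE\x00".encode("utf-16-le")
    struct.pack_into("<II", buf, 0x64, 0x100, len(paths))
    buf[0x100:0x100 + len(paths)] = paths
    struct.pack_into("<Q", buf, 0x80, 133485408000000000)  # 2024-01-01 00:00 UTC
    struct.pack_into("<I", buf, 0x98, 7)
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```

The header stores only the first 29 characters of the executable name, so for longer names the path lookup returns `None` and the referenced-file strings need to be reviewed by hand.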