Incident Response with EZTools - Evidence of Execution

PECmd, bundled with EZTools, is a Prefetch parser.

Prefetch has existed since Windows XP: Windows creates a prefetch file the first time you run an executable. Prefetch is a component of the memory manager that speeds up the Windows boot process and shortens the time it takes to start programs. The prefetch file contains the data the OS needs to speed up the application's load time whenever you run it again.

From an incident response perspective, the responder needs the ability and skill to quickly triage back to patient zero and identify the cause, or the action performed, before the incident was detected.

During an incident, an executable may be launched that causes the system to behave in odd ways. Obtaining evidence of this execution on the system can help the responder pivot the investigation.
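As an added example, not code from the original post or from EZTools, the following Python parser pulls the evidence-of-execution fields (executable name, prefetch hash, last run time, run count) out of an uncompressed .pf file for prefetch versions 17, 23 and 26, and checks that the on-disk name matches the header, which is a cheap tamper/rename signal during triage. Windows 10/11 files are MAM-compressed and are only flagged here (PECmd handles the decompression); the sample prefetch bytes and the hash value in `build_sample` are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per-version layout of the file-information block (offsets are from the
# start of the uncompressed file): last-run FILETIME offset, how many
# last-run timestamps are stored, run-count offset.
LAYOUT = {17: (0x78, 1, 0x90),   # Windows XP / 2003
          23: (0x80, 1, 0x98),   # Windows Vista / 7
          26: (0x80, 8, 0xD0)}   # Windows 8 / 8.1
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data, filename=None):
    """Parse the header and run data of an uncompressed .pf file."""
    if data[:3] == b"MAM":  # Windows 10+ files are LZXPRESS-Huffman compressed
        return {"compressed": True}  # PECmd decompresses these; this example does not
    version, signature, size = struct.unpack_from("<I4s4xI", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00")[0]   # 60-byte UTF-16 name
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    result = {"compressed": False, "version": version, "executable": exe,
              "hash": f"{pf_hash:08X}", "declared_size": size}
    # The on-disk name is EXENAME-HASH.pf; a mismatch with the header is a tamper/rename signal.
    if filename:
        stem = filename.rsplit(".", 1)[0]
        name_part, _, hash_part = stem.rpartition("-")
        result["name_matches_header"] = (name_part.upper() == exe.upper()
                                         and hash_part.upper() == result["hash"])
    if version in LAYOUT:
        ft_off, n_times, count_off = LAYOUT[version]
        times = struct.unpack_from(f"<{n_times}Q", data, ft_off)
        result["last_run"] = [filetime_to_dt(t) for t in times if t]
        result["run_count"] = struct.unpack_from("<I", data, count_off)[0]
    return result

def build_sample():
    """Constructed version-23 (Windows 7) prefetch file for demonstration, not a real capture."""
    buf = bytearray(240)
    struct.pack_into("<I4s4xI", buf, 0, 23, b"SCCA", 240)
    buf[16:76] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x0FE8F3A9)          # constructed hash value
    run_at = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, int((run_at - FILETIME_EPOCH).total_seconds()) * 10_000_000)
    struct.pack_into("<I", buf, 0x98, 7)                 # run count
    return bytes(buf)
```

Call `parse_prefetch(build_sample(), "CALC.EXE-0FE8F3A9.pf")` to see the parsed record; on a live system, read each file under C:\Windows\Prefetch and pass its name as `filename`.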

Windows Application Compatibility Forensics

Prefetch Files - Part 1

Prefetch Files - Part 2