Prefetch Parsing

Parses Windows Prefetch (.pf) files and extracts execution artifacts, timeline data, and behavioral patterns for forensic analysis.

Prefetch Parsing

Parses Windows Prefetch (.pf) files and extracts execution artifacts, timeline data, and behavioral patterns for forensic analysis.

API Endpoint

POST /analysis/prefetch/parse

HTTP Headers

Content-Type: application/json
X-Cursed-Api-Token: API token for authentication
X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted files)

Request Method

POST

Parameters

Request Body (JSON):

Parameter	Type	Required	Description
`file_ids`	array	Yes	Array of file UUIDs to parse (100 files maximum)

Request Body Schema

{
  "file_ids": ["string (UUID)", "string (UUID)", ...]
}

Response Format

Success Response (200 OK):

{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "job_name": "Mystic Phoenix Parser",
  "message": "Job queued",
  "category": "prefetch"
}

Error Response (400 Bad Request):

{
  "error": "No file IDs provided"
}

{
  "error": "Too many file IDs provided"
}

{
  "error": "Max prefetch analysis file limit exceeded"
}

{
  "error": "Failed to download file"
}

Error Response (401 Unauthorized):

{
  "error": "Unauthorized"
}

Error Codes

HTTP Status	Description
200	Success - Analysis job queued
400	Bad Request - Invalid parameters or file limit exceeded
401	Unauthorized - Missing authentication for private files
413	Payload Too Large - Too many files submitted
500	Internal Server Error - Server processing error

Example cURL Commands

Parse Multiple Prefetch Files

curl -X POST https://api.cursedtools.com/analysis/prefetch/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": [
      "12345678-abcd-1234-ef56-789012345678",
      "87654321-dcba-4321-fe65-210987654321"
    ]
  }'

Parse Single Prefetch File

curl -X POST https://api.cursedtools.com/analysis/prefetch/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["12345678-abcd-1234-ef56-789012345678"]
  }'

Example Response

{
  "id": "f8635c61-36f6-4bf2-a1a7-82cb50f2bcb5",
  "job_name": "Ethereal Dragon Parser",
  "message": "Job queued",
  "category": "prefetch"
}

Job Results

Once parsing is complete, the job will contain structured analysis results that can be retrieved using the Job Status API. Results include:

Analysis Types

Result Type	Description
Execution Timeline	Chronological timeline of program executions with frequency analysis
Executable Statistics	Program execution frequency and usage patterns
LOLBIN Detection	Identification of Living-off-the-Land binaries and their usage
Volume Analysis	Analysis of accessed volumes, drives, and suspicious locations
Module Analysis	DLL dependencies and loaded module statistics
Anomaly Detection	Suspicious execution patterns, proximity alerts, and location anomalies

Forensic Insights

Program Usage Patterns: Frequency and timing of application executions
Execution Anomalies: Unusual execution locations or suspicious proximity patterns
Timeline Reconstruction: Detailed execution chronology for incident reconstruction
LOLBIN Identification: Automatic detection of legitimate tools used maliciously
Volume and Path Analysis: File system access patterns and suspicious locations

Processing Notes

File Requirements

Files must be valid Windows Prefetch (.pf) format
Maximum 100 files per request
Files are processed asynchronously
Supports prefetch files from Windows XP through Windows 11

Performance Considerations

Individual prefetch files process within seconds
Batch processing scales linearly with file count
Job priority determined by user subscription level
Multiple files are processed in parallel when possible

Example Use Cases

cURL Example - Malware Analysis

# Analyze prefetch files from suspected compromised system
curl -X POST https://api.cursedtools.com/analysis/prefetch/parse \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["malware-prefetch-uuid"]
  }'

cURL Example - Incident Response

# Batch analyze prefetch collection from incident
curl -X POST https://api.cursedtools.com/analysis/prefetch/parse \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": [
      "prefetch-1-uuid",
      "prefetch-2-uuid",
      "prefetch-3-uuid"
    ]
  }'

Notes

Maximum of 100 prefetch files can be analyzed in a single request
Job results can be retrieved using the job status endpoint
Authentication is required for private/encrypted files
Job names are auto-generated using creative memorable combinations
Priority is determined by user subscription level
Unauthenticated users can analyze public files only
The analysis creates a background job that processes files asynchronously
Results include searchable summary data for efficient querying
Analysis automatically normalizes volume paths and timestamps
LOLBIN detection uses continuously updated signature database

Event Logs (EVTX) Parsing

Parses Windows Event Log (.evtx) files and extracts structured forensic data for analysis. Optionally runs Sigma rules against the extracted events for threat detection.

Registry Hives Parsing

Parses Windows Registry hive files and extracts forensic artifacts, configuration data, persistence mechanisms, and user activity patterns for comprehensive analysis.