Search Prefetch Data

Searches through parsed Windows Prefetch data using text queries, filters, and time ranges. Enables rapid investigation of program execution patterns, timeline analysis, and anomaly detection.

Search Prefetch Data

Searches through parsed Windows Prefetch data using text queries, filters, and time ranges. Enables rapid investigation of program execution patterns, timeline analysis, and anomaly detection.

API Endpoint

POST /analysis/prefetch/search

HTTP Headers

Content-Type: application/json
X-Cursed-Api-Token: API token for authentication
X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted job results)

Request Method

POST

Parameters

Request Body (JSON):

Parameter	Type	Required	Description
`job_id`	UUID	Yes	Job ID from a completed Prefetch parse operation
`search`	string	Yes	Search query text to match against prefetch data
`filter`	array	No	Array of filter criteria objects
`page`	integer	No	Page number for pagination (1-10, default: 1)
`show`	integer	No	Number of results per page (1-100, default: 10)
`start_time`	integer	No	Start timestamp filter (Unix milliseconds)
`end_time`	integer	No	End timestamp filter (Unix milliseconds)
`browse_events`	boolean	Yes	Whether to browse raw prefetch data or summary insights

Filter Criteria Schema

{
  "field": "string",
  "operator": "string",
  "value": "string"
}

Supported Filter Operators

Operator	Description
`equals`	Exact match
`not_equals`	Not equal to
`contains`	Contains substring
`does_not_contain`	Does not contain substring
`starts_with`	Starts with substring
`ends_with`	Ends with substring

Request Body Schema

{
  "job_id": "string (UUID)",
  "search": "string",
  "filter": [
    {
      "field": "string",
      "operator": "string",
      "value": "string"
    }
  ],
  "page": 1,
  "show": 10,
  "start_time": 1705395000000,
  "end_time": 1705481400000,
  "browse_events": true
}

Response Format

Success Response (200 OK) - Browse Events Mode:

{
  "insights": [
    {
      "IndexTable": {
        "title": "Prefetch Table",
        "data": [
          [
            [
              "NOTEPAD.EXE-D8414F97.pf",
              "NOTEPAD.EXE",
              "C:\\Windows\\System32\\notepad.exe"
            ],
            {
              "Count": "3",
              "RunTimes": "2024-01-15 14:30:22,2024-01-15 16:45:10,2024-01-16 09:15:33",
              "Modules": "ntdll.dll,kernel32.dll,user32.dll,gdi32.dll",
              "Volumes": "\\Volume{12345678-1234-1234-abcd-123456789abc}\\Windows\\System32",
              "Version": "30"
            }
          ]
        ],
        "columns": [
          "Prefetch File",
          "File Name", 
          "File Path",
          "Prefetch Data"
        ],
        "category": "General"
      }
    }
  ]
}

Error Response (400 Bad Request):

{
  "error": "Job not found"
}

{
  "error": "Job not completed"
}

{
  "error": "Invalid time range"
}

Error Codes

HTTP Status	Description
200	Success - Search results retrieved
400	Bad Request - Invalid job ID or search parameters
401	Unauthorized - Missing authentication
403	Forbidden - Encryption key required for private job
404	Not Found - Job not found
500	Internal Server Error - Server processing error

Example cURL Commands

Basic Prefetch Search

curl -X POST https://api.cursedtools.com/analysis/prefetch/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "f8635c61-36f6-4bf2-a1a7-82cb50f2bcb5",
    "search": "powershell",
    "page": 1,
    "show": 25,
    "browse_events": true
  }'

Search with Filters and Time Range

curl -X POST https://api.cursedtools.com/analysis/prefetch/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "f8635c61-36f6-4bf2-a1a7-82cb50f2bcb5",
    "search": "cmd",
    "filter": [
      {
        "field": "file_name",
        "operator": "equals",
        "value": "cmd.exe"
      },
      {
        "field": "details.Count",
        "operator": "contains",
        "value": "5"
      }
    ],
    "start_time": 1705395000000,
    "end_time": 1705481400000,
    "page": 1,
    "show": 50,
    "browse_events": true
  }'

Search Capabilities

Text Search

Full-text search across all prefetch fields
Case-insensitive matching
Partial string matching
Module and volume path searching

Filterable Fields

Common fields available for filtering:

prefetch_file - Prefetch filename
file_name - Executable name
file_path - Full executable path
version - Prefetch file version
details.Count - Execution count
details.RunTimes - Execution timestamps
details.Modules - Loaded modules
details.Volumes - Referenced volumes

Time Range Filtering

Unix timestamp in milliseconds
Filters based on execution timestamps
Efficient querying of execution periods

Browse Modes

Browse Events (true)

Searches raw prefetch execution data
Individual execution records
Detailed module and volume information
Forensic-level detail

Browse Summary (false)

Searches processed summary insights
Aggregated execution patterns
High-level behavioral analysis
Timeline correlation data

Example Use Cases

Hunt for LOLBIN Usage

curl -X POST https://api.cursedtools.com/analysis/prefetch/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "rundll32",
    "filter": [
      {
        "field": "file_name",
        "operator": "contains",
        "value": "rundll32"
      }
    ],
    "browse_events": true
  }'

Timeline Analysis

curl -X POST https://api.cursedtools.com/analysis/prefetch/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "",
    "start_time": 1705395000000,
    "end_time": 1705481400000,
    "page": 1,
    "show": 100,
    "browse_events": true
  }'

Suspicious Location Hunt

curl -X POST https://api.cursedtools.com/analysis/prefetch/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "temp",
    "filter": [
      {
        "field": "file_path",
        "operator": "contains",
        "value": "\\temp\\"
      }
    ],
    "browse_events": true
  }'

Performance Tips

Efficient Searching

Use specific executable names to reduce result sets
Apply path filters to focus on suspicious locations
Use time ranges for incident-focused analysis
Search module names for dependency analysis

Large Dataset Handling

Start with summary searches (browse_events: false)
Use pagination for large result sets
Apply filters before broad text searching
Use time ranges to limit execution periods

Notes

Job must be completed before searching
Authentication is required for private jobs
Encryption key needed for encrypted job results
Search supports both raw prefetch data and summary insights
Results are paginated for performance
Time ranges filter by execution timestamps
Text search covers executable names, paths, modules, and volumes
Filters can be combined for precise queries
Browse mode affects search performance and detail level
Results optimized for forensic analysis workflows
Volume paths are automatically normalized for searching

Search Event Logs (EVTX)

Searches through parsed Windows Event Log data using text queries, filters, and time ranges. Enables rapid investigation of specific events, patterns, and anomalies in EVTX analysis results.

Search Registry Data

Searches through parsed Windows Registry data using text queries, filters, and time ranges. Enables rapid investigation of Registry keys, values, persistence mechanisms, and configuration changes.