How to do it...

The steps for Prefetch file analysis with Magnet AXIOM are as follows:

  1. Create a new case and go to Load evidence. You have five options here: CONNECTED DRIVE, FILES & FOLDERS, COMPUTER IMAGE, VOLUME SHADOW COPY, and MOBILE DEVICES, as you can see in the following figure:
Figure 7.21. Load evidence options
  2. As mentioned before, you can use either a forensic image or a previously exported folder of prefetch files. If you prefer the first option, choose COMPUTER IMAGE; if the second, choose FILES & FOLDERS. In our case, it's a folder, which has been selected with the help of the AXIOM folder browser.
  3. Now, let's go to the artifact details. As we are interested only in prefetch files, let's select just these artifacts from the list. Click the CUSTOMIZE COMPUTER ARTIFACTS button, then CLEAR ALL, go to OPERATING SYSTEM, and tick the Windows Prefetch Files option. You can see how this works in the figure below:
Figure 7.22. Selecting artifacts to include in case
  4. Now we are ready to start analyzing the evidence. Because we have chosen only a folder of prefetch files, processing is quick, and the parsing results soon become available in AXIOM Examine. Once the processing phase is finished, you are ready to view and analyze the results, as shown in the following figure:
Figure 7.23. Prefetch files parsing results

As you can see, we get the number of times each program has been run, together with the timestamps of up to eight recent runs (Windows 8 and later store eight last-run times in each prefetch file; Windows 7 and earlier store only the most recent one). Keep in mind that these timestamps are stored in UTC, so convert them to the local time zone of the system when building a timeline. This is a very valuable piece of information, especially for malware forensics: a run count and a set of execution times for a suspicious binary show how often and when it was launched, even after the binary itself has been deleted.
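To show where the run count and last-run timestamps that AXIOM reports actually come from, here is a small parser for the header and file-information block of an uncompressed prefetch file. This is an added example and not part of the book or of Magnet AXIOM. It assumes the documented layouts for format version 23 (Windows 7, one last-run time at offset 0x80 and the run count at 0x98) and version 26 (Windows 8/8.1, eight last-run times from 0x80 and the run count at 0xD0). Windows 10 prefetch files (version 30) are stored MAM-compressed and differ slightly in layout, so the parser rejects them rather than guess. The sample prefetch image, the executable name CALC.EXE, its hash and the timestamps are all constructed here for the demonstration.

```python
"""Minimal parser for the fields Magnet AXIOM reports from a Windows
Prefetch (.pf) file: executable name, prefetch hash, run count and
last-run timestamps.  Added example; offsets per the public prefetch
format documentation for versions 23 and 26 (assumption: uncompressed)."""
import struct
from datetime import datetime, timedelta, timezone

# Layout of the "file information" block that follows the 84-byte header.
# Version 23 = Windows 7 (one last-run time), version 26 = Windows 8/8.1
# (eight last-run times).  Version 30 (Windows 10) files are MAM-compressed
# and vary slightly in layout, so they are rejected rather than mis-parsed.
LAYOUTS = {
    23: {"run_times_offset": 0x80, "run_times_count": 1, "run_count_offset": 0x98},
    26: {"run_times_offset": 0x80, "run_times_count": 8, "run_count_offset": 0xD0},
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, exact for whole microseconds."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return version, executable name, hash, run count and last-run times."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10) prefetch; decompress it first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = LAYOUTS[version]
    if len(data) < layout["run_count_offset"] + 4:
        raise ValueError("truncated prefetch file")
    # 60-byte UTF-16LE executable name at offset 0x10, NUL terminated
    name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_count = struct.unpack_from("<I", data, layout["run_count_offset"])[0]
    run_times = []
    for i in range(layout["run_times_count"]):
        ft = struct.unpack_from("<Q", data, layout["run_times_offset"] + 8 * i)[0]
        if ft:  # unused slots are zero when the program ran fewer than 8 times
            run_times.append(filetime_to_datetime(ft))
    return {"version": version, "executable": name, "hash": prefetch_hash,
            "run_count": run_count, "run_times": run_times}


def build_sample_prefetch(version, exe_name, prefetch_hash, run_count, run_times):
    """Construct a synthetic .pf image (header + file information block only)."""
    layout = LAYOUTS[version]
    size = 0x150  # large enough for header and file information; no trace data
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, size)
    name_bytes = exe_name.encode("utf-16-le")
    buf[0x10:0x10 + len(name_bytes)] = name_bytes
    struct.pack_into("<I", buf, 0x4C, prefetch_hash)
    for i, dt in enumerate(run_times[: layout["run_times_count"]]):
        struct.pack_into("<Q", buf, layout["run_times_offset"] + 8 * i,
                         datetime_to_filetime(dt))
    struct.pack_into("<I", buf, layout["run_count_offset"], run_count)
    return bytes(buf)


# Constructed sample: a Windows 8.1 style prefetch for CALC.EXE, run 12 times,
# with three of the eight last-run slots filled (made-up values).
SAMPLE_RUN_TIMES = [datetime(2017, 3, 10, 9, 15, 0, tzinfo=timezone.utc),
                    datetime(2017, 3, 9, 18, 2, 30, tzinfo=timezone.utc),
                    datetime(2017, 3, 8, 7, 44, 5, tzinfo=timezone.utc)]
SAMPLE_PF = build_sample_prefetch(26, "CALC.EXE", 0x77FDF17F, 12, SAMPLE_RUN_TIMES)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(f"{info['executable']}-{info['hash']:08X}.pf  version {info['version']}  "
          f"run count {info['run_count']}")
    for ts in info["run_times"]:
        print("  last run (UTC):", ts.isoformat())
```

To run it against a real file, pass the bytes of an exported .pf file to parse_prefetch. A Windows 10 file will be rejected because its contents start with a MAM\x04 compression header; such files must be decompressed (on Windows, the RtlDecompressBufferEx API handles the LZXPRESS Huffman format) before the same offsets apply, which is exactly the step AXIOM performs for you behind the scenes.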
