Extract all "Prefetch Cache" entries in JSON format

Is there a way to extract all entries from “Prefetch Cache” under “Investigation Details”?

I am trying to find entries with specific “recent_run_time”.
Since there is no column in “Prefetch Cache” with any sort of “time” information I need to click trough each and every entry.

The search option under “Prefetch Cache” does not work for timestamps.
(Information under “Assets & Endpoints / Asset Details” > “Running Processes” is not sufficient.)

Any advice would be appreciated.
Thanks

To answer my own question:

There is a way:

• Navigate to the investigation with “Prefetch Cache”;
• Open “DevTools” of your web browser (F12);
• In “DevTools” open the “Network” tab;
• Open the “Prefetch Cache” in the investigation;
• Start scrolling trough the “Prefetch Cache” entries until you reach the last entry;
• Stop recording network log in “DevTools” ;
• There should be several “data” lines in “DevTools”;
• Open each of them and copy the content of the “Response” tab;
• Paste the content in a text editor and use a tool that can unflatten JSON (like JSTool for Notepad++);
• Enjoy;

If anyone knows a more civilized method please let me know.
Thanks

Hi Krasimir,

Thank you for your enquiry and input.

As of today, exporting that information isn’t available in the product unfortunately however you have clearly highlighted again that filtering “Prefetch Cache” by timestamp is missing. This is something we are currently discussing internally with Product Management and Engineering.
We will hopefully have that field added as a table column to allow quick sorting.

Thanks,
Oli

Querying or at the very least exporting scheduled forensics data would make such a difference.

I too would love to see this implemented! Better sorting, exporting, and API access for forensics data would be very helpful.