RecentFileCache.bcf
Overview
Evidence: RecentFileCache.bcf
Description: Collect Recent File Cache Files
Category: Process Execution
Platform: Windows
Short Name: rfc
Is Parsed: No - Raw binary cache file
Sent to Investigation Hub: Yes
Collect File(s): No
Background
RecentFileCache.bcf is a binary file maintained by the Windows Application Compatibility infrastructure. It caches information about recently executed programs and can provide execution evidence.
This file complements other execution artifacts like prefetch, amcache, and appcompatcache.
Data Collected
Type: File type (example: RecentFileCache)
Name: File name (example: RecentFileCache.bcf)
SourcePath: Original file path (example: C:\Windows\AppCompat\Programs\RecentFileCache.bcf)
FilePath: Relative path in evidence (example: Files/RecentFileCache.bcf)
FileSize: File size in bytes (example: 524288)
Collection Method
This collector collects the file from:
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Usage
RecentFileCache can provide additional program execution evidence. Investigators use this data to supplement execution artifact analysis and correlate with other execution evidence sources.
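Because the file is collected raw and not parsed, an analyst has to read it separately. The following added example (not part of the collector or of this page's original content) lists the stored paths in Python. It assumes the layout used by community tools: a 20-byte header followed by records made of a 4-byte little-endian character count, a UTF-16LE path and a 2-byte terminator. The function names and sample paths are constructed for illustration.

```python
import struct

HEADER_SIZE = 0x14  # assumption: 20-byte header, not interpreted here


def parse_recent_file_cache(data: bytes) -> list[str]:
    """Return the paths stored in a RecentFileCache.bcf image.

    Assumed record layout: uint32 LE length in UTF-16 characters,
    the path in UTF-16LE, then a 2-byte NUL terminator.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the assumed 20-byte header")
    paths, offset = [], HEADER_SIZE
    while offset + 4 <= len(data):
        (n_chars,) = struct.unpack_from("<I", data, offset)
        start = offset + 4
        end = start + n_chars * 2
        # Evidence files are untrusted input: stop on an empty (padding)
        # or out-of-bounds record instead of reading past the buffer.
        if n_chars == 0 or end + 2 > len(data):
            break
        paths.append(data[start:end].decode("utf-16-le", errors="replace"))
        offset = end + 2  # skip the NUL terminator
    return paths


def build_sample(paths: list[str]) -> bytes:
    """Build a constructed test image in the assumed layout."""
    body = b""
    for p in paths:
        raw = p.encode("utf-16-le")
        body += struct.pack("<I", len(raw) // 2) + raw + b"\x00\x00"
    return b"\x00" * HEADER_SIZE + body


# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    r"c:\users\analyst\downloads\setup.exe",
    r"c:\program files\example\tool.exe",
]

if __name__ == "__main__":
    for path in parse_recent_file_cache(build_sample(SAMPLE_PATHS)):
        print(path)
```

Each recovered path can then be compared against prefetch, amcache and appcompatcache entries for the same host.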
Known Limitations
Binary format with limited public documentation
Parsing tools are scarce
May overlap with other execution artifacts
Not as well-researched as prefetch or amcache
Notes
This artifact is less commonly analyzed than prefetch or amcache but can provide corroborating execution evidence.