RecentFileCache

Purpose and Function

The RecentFileCache.bcf is a binary file used by the Windows operating system as part of its Application Compatibility (AppCompat) framework. Like Amcache.hve, which superseded it from Windows 8 onward, its purpose is to record recently executed applications so the compatibility infrastructure can check them later. In practice it functions as a straightforward, short-term list of program executions.

From a DFIR standpoint, RecentFileCache.bcf serves as another valuable, albeit less detailed, source of execution evidence. It is particularly useful because it can contain traces of executed programs that are not found in other, more commonly analyzed artifacts, and the file's own modification time gives an independent data point that helps corroborate or bound a timeline.

Location and Structure

The RecentFileCache.bcf is a single binary file in the AppCompat program-data directory, the same directory that holds the Amcache.hve hive on newer systems. It is a Windows 7 / Windows Server 2008 R2 artifact: from Windows 8 onward the Amcache.hve hive took over its role, so on a Windows 7 host you should expect to find the .bcf, and on a current host you should expect Amcache.hve instead (a Windows 7 machine that received the Amcache update may carry both).

  • Location: C:\Windows\AppCompat\Programs\RecentFileCache.bcf

The file has a simple internal structure: a 20-byte header followed by a run of sequential records. Each record is a 4-byte length field (the number of UTF-16 characters in the path) followed by the path of the executed program as a UTF-16LE string and a two-byte null terminator. Nothing else is stored per record. Because the file is binary, it must be parsed with a dedicated tool (or a short script) to be read.

Stored Metadata

Compared to Amcache, the metadata stored in RecentFileCache.bcf is minimal. Each entry holds exactly one item:

  • File Path: The full path of the executable that was launched, stored in lowercase.

No file size, hash, run count or per-entry timestamp is recorded. The only temporal data available is the .bcf file's own file-system timestamps: its last-modified time shows when an entry was most recently added (or the file was last cleared), which bounds the executions it lists but does not date each one individually.

The cache is short-lived. The ProgramDataUpdater scheduled task (Microsoft\Windows\Application Experience\ProgramDataUpdater) processes the file and clears it, so it normally holds only programs run since that task last completed; older executions are gone rather than retained.
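The record layout and the path-only content described above, as an added example that is not part of the original page and not code from Eric Zimmerman's or any other published parser: a small Python parser that skips the 20-byte header, walks the length-prefixed UTF-16LE records, tolerates a truncated trailing record, and then cross-references the recovered paths against executable names taken from another artifact (the corroboration step the Forensic Value section relies on). The sample image, the paths in it, and the names build_sample, parse_recentfilecache and corroborate are constructed for this example; the header bytes are filled with placeholder values because the parser does not interpret them.

```python
"""Parse a RecentFileCache.bcf image and cross-check it against another artifact.

Added example (not the page's or any published parser's code). Layout assumed:
a 20-byte header, then records of <uint32 character count><UTF-16LE path><2 NUL bytes>.
"""
import struct
import sys

HEADER_LEN = 20  # header bytes are skipped, not interpreted, by this parser


def parse_recentfilecache(data: bytes) -> list[str]:
    """Return the executable paths in on-disk order.

    A record that runs past the end of the data (e.g. a truncated image) is
    dropped and parsing stops, so everything before it is still recovered.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("image shorter than the 20-byte header")
    paths: list[str] = []
    offset = HEADER_LEN
    while offset + 4 <= len(data):
        (nchars,) = struct.unpack_from("<I", data, offset)
        offset += 4
        end = offset + nchars * 2           # UTF-16LE: two bytes per character
        if end + 2 > len(data):             # string plus terminator must fit
            break
        paths.append(data[offset:end].decode("utf-16-le"))
        offset = end + 2                    # step over the two-byte NUL
    return paths


def corroborate(bcf_paths: list[str], other_names: list[str]) -> list[str]:
    """Paths from the .bcf whose base name also appears in another artifact.

    Names lifted from e.g. Prefetch are compared case-insensitively on the
    base name only, because the .bcf stores lowercase full paths.
    """
    wanted = {name.lower() for name in other_names}
    return sorted(p for p in bcf_paths if p.rsplit("\\", 1)[-1].lower() in wanted)


def build_sample(paths: list[str]) -> bytes:
    """Construct a synthetic .bcf image for the demo (not captured from a host)."""
    image = bytearray(b"\xff\xff\xff\xff" + b"\x00" * (HEADER_LEN - 4))  # placeholder header
    for p in paths:
        encoded = p.encode("utf-16-le")
        image += struct.pack("<I", len(encoded) // 2) + encoded + b"\x00\x00"
    return bytes(image)


# Constructed sample data: three paths as the .bcf would store them (lowercase).
SAMPLE_PATHS = [
    "c:\\users\\alice\\downloads\\installer.exe",
    "c:\\program files\\editor\\editor.exe",
    "c:\\windows\\system32\\cmd.exe",
]
# Constructed names as they might be lifted from Prefetch file names on the same host.
PREFETCH_NAMES = ["CMD.EXE", "EDITOR.EXE", "CONHOST.EXE"]


if __name__ == "__main__":
    # Usage: python rfc_parse.py [RecentFileCache.bcf]; without an argument the sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(SAMPLE_PATHS)
    found = parse_recentfilecache(image)
    for path in found:
        print(path)
    print("also seen in the other artifact:", corroborate(found, PREFETCH_NAMES))
```

Against a real image the paths come out in the order they were appended. Pair the list with the .bcf file's own last-modified time when building a timeline, since no record carries a timestamp of its own.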

Forensic Value

While not as comprehensive as artifacts like Prefetch or SRUM, RecentFileCache.bcf is a valuable piece of the investigative puzzle for several reasons:

  • Quick Execution Confirmation: It provides a simple and direct way to confirm that an executable was run on the system.

  • Complementary Evidence: Its primary value lies in its ability to corroborate evidence from other sources. Finding an executable's path in both RecentFileCache.bcf and another artifact (like BAM) strengthens the certainty of the finding.

  • Unique Traces: In some cases, due to the nuances of Windows logging, an execution might be recorded in RecentFileCache.bcf but not in other locations, especially if other artifacts were cleared or failed to update. This makes it a crucial secondary source to check.

  • Simplicity: Its straightforward structure makes it relatively easy and fast to parse, allowing for a quick check of recent system activity.

However, its limited size and lack of detailed metadata (like run counts or file hashes) make it less powerful as a standalone source of evidence compared to its more robust counterparts.


Reflection points (SS Contest)

For a ScreenSharer, RecentFileCache.bcf is a quick-hit artifact that can provide that one extra piece of evidence needed to confirm a suspicion.

  • The Corroborating Hit: Its main role in a screenshare is to back up other findings. If you find a suspicious executable in Prefetch, finding it also listed in RecentFileCache.bcf adds another layer of certainty to your evidence, making it harder for the player to dispute.

  • Finding What's Missing: If you suspect a player has cleared their Prefetch or BAM, RecentFileCache.bcf might still hold the trace you need. It's a key part of a "leave no stone unturned" approach to checking for execution evidence.

  • Speed and Efficiency: During a time-sensitive screenshare, parsing this file with a tool like Eric Zimmerman's RecentFileCacheParser is extremely fast and can give an immediate overview of recently run programs, helping to quickly identify targets for deeper investigation.
