Skip to content

Blog

What to do after a suspicious entry surfaces: how to confirm execution, what to cross-reference, and the false-positive patterns that catch analysts off guard.
Walking through the Windows 7 service and scheduled task that write RecentFileCache.bcf, and what that lifecycle means for triage windows.
A hands-on read of the RecentFileCache.bcf binary format with a hex dump, a decoded record, and the edge cases a parser has to handle.
Four Windows evidence-of-execution artifacts side-by-side: what each one stores, what it doesn't, and which one to reach for first.
A short primer on the Windows 7 AppCompat artifact: where it lives, what it records, and why it still shows up in 2026 triage cases.