Skip to content

Series

Understanding RecentFileCache.bcf

8 posts in this series. Read them in order or jump to any one.

  1. What is RecentFileCache.bcf?

    A short primer on the Windows 7 AppCompat artifact: where it lives, what it records, and why it still shows up in 2026 triage cases.

  2. The .bcf format, byte-by-byte

    A hands-on read of the RecentFileCache.bcf binary format with a hex dump, a decoded record, and the edge cases a parser has to handle.

  3. Application Experience & ProgramDataUpdater: how .bcf gets populated

    Walking through the Windows 7 service and scheduled task that write RecentFileCache.bcf, and what that lifecycle means for triage windows.

  4. RecentFileCache vs Amcache vs Prefetch vs ShimCache

    Four Windows evidence-of-execution artifacts side-by-side: what each one stores, what it doesn't, and which one to reach for first.

  5. Acquiring RecentFileCache.bcf from live and offline systems

    Practical guide to pulling RecentFileCache.bcf in three settings: a running Windows 7 endpoint, a forensic disk image, and a Volume Shadow Copy.

  6. Triage: spotting suspicious entries in RecentFileCache

    A practical guide to the path heuristics, basename oddities, and drive patterns that turn a list of cached paths into investigative leads.

  7. Validating RecentFileCache findings: pivots and false positives

    What to do after a suspicious entry surfaces: how to confirm execution, what to cross-reference, and the false-positive patterns that catch analysts off guard.

  8. Detecting RecentFileCache tampering

    How attackers suppress, poison, or wipe RecentFileCache.bcf — and the event-log, scheduled-task, and filesystem signals that catch them doing it.

All posts in this series

A short primer on the Windows 7 AppCompat artifact: where it lives, what it records, and why it still shows up in 2026 triage cases.
A hands-on read of the RecentFileCache.bcf binary format with a hex dump, a decoded record, and the edge cases a parser has to handle.
Walking through the Windows 7 service and scheduled task that write RecentFileCache.bcf, and what that lifecycle means for triage windows.
Four Windows evidence-of-execution artifacts side-by-side: what each one stores, what it doesn't, and which one to reach for first.
Practical guide to pulling RecentFileCache.bcf in three settings: a running Windows 7 endpoint, a forensic disk image, and a Volume Shadow Copy.
A practical guide to the path heuristics, basename oddities, and drive patterns that turn a list of cached paths into investigative leads.
What to do after a suspicious entry surfaces: how to confirm execution, what to cross-reference, and the false-positive patterns that catch analysts off guard.
How attackers suppress, poison, or wipe RecentFileCache.bcf — and the event-log, scheduled-task, and filesystem signals that catch them doing it.