Recent File Cache
Overview
Evidence: Recent File Cache
Description: Collect recent file cache files
Category: System
Platform: windows
Short Name: rfc
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
RecentFileCache.bcf is a binary file maintained by the Windows Application Compatibility infrastructure. It caches information about recently executed programs and can provide execution evidence.
This file complements other execution artifacts like prefetch, amcache, and appcompatcache.
Data Collected
This collector gathers structured data about the recent file cache.
Recent File Cache Data
| Field | Description | Example |
|---|---|---|
| Type | File type | RecentFileCache |
| Name | File name | RecentFileCache.bcf |
| SourcePath | Original file path | C:\Windows\AppCompat\Programs\RecentFileCache.bcf |
| FilePath | Relative path in evidence | Files/RecentFileCache.bcf |
| FileSize | File size in bytes | 524288 |
Collection Method
This collector collects the file from:
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Forensic Value
RecentFileCache can provide additional program execution evidence. Investigators use this data to supplement execution artifact analysis and correlate with other execution evidence sources.
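
Because the collector delivers the file unparsed, the paths have to be extracted before they can be correlated with other execution artifacts. The following is an added example, not code from this product: a minimal Python reader for the collected RecentFileCache.bcf. The record layout it uses (a 20-byte header followed by length-prefixed UTF-16LE paths) is an assumption that is not stated on this page, and the sample bytes and paths are constructed.

```python
import struct
import sys

HEADER_SIZE = 20  # assumption: fixed-size header precedes the first record


def parse_recent_file_cache(data: bytes) -> list[str]:
    """Return the paths stored in a RecentFileCache.bcf image.

    Assumed layout: header, then repeated records of
    <uint32 LE character count><UTF-16LE path><2-byte NUL terminator>.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than the assumed 20-byte header")
    paths, offset = [], HEADER_SIZE
    while offset + 4 <= len(data):
        (char_count,) = struct.unpack_from("<I", data, offset)
        offset += 4
        end = offset + char_count * 2
        if char_count == 0 or end > len(data):
            break  # truncated or corrupt record: stop instead of decoding garbage
        paths.append(data[offset:end].decode("utf-16-le", errors="replace"))
        offset = end + 2  # skip the NUL terminator
    return paths


def build_sample(paths: list[str]) -> bytes:
    """Constructed test input in the assumed layout (zero-filled header)."""
    blob = bytes(HEADER_SIZE)
    for p in paths:
        blob += struct.pack("<I", len(p)) + p.encode("utf-16-le") + b"\x00\x00"
    return blob


SAMPLE_PATHS = [  # constructed values, not taken from a real system
    r"c:\windows\system32\notepad.exe",
    r"c:\users\alice\appdata\local\temp\setup.exe",
]
SAMPLE = build_sample(SAMPLE_PATHS)

if __name__ == "__main__":
    # Pass the collected file (e.g. Files/RecentFileCache.bcf) or use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for path in parse_recent_file_cache(raw):
        print(path)
```

Run the script against a working copy of the collected file so the original evidence stays unmodified.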