Parse and extract Windows RecentFileCache.bcf files using Eric Zimmerman's RecentFileCacheParser. Covers CLI flags, output formats (CSV/JSON), and output field reference.
RecentFileCacheParser is Eric Zimmerman's command-line tool for parsing Windows RecentFileCache.bcf files. These files are found on Windows 7/Server 2008 R2 systems and record paths of recently executed programs, providing evidence of application execution. Forensic interpretation of RecentFileCache data (execution timeline analysis, etc.) belongs in a separate analysis skill.
RecentFileCacheParser.exe -f <file> [--csv <dir> | --json <dir>] [other options]
Single-letter options use a single dash (-). Multi-character options use double dashes (--).
| Flag | Description |
|---|---|
-f | RecentFileCache.bcf file to process. Required. |
| Flag | Description |
|---|---|
--csv | Directory to write CSV output |
--csvf | Custom filename for CSV output (overrides default) |
--json | Directory to write JSON output |
It's recommended to specify at least one output format to write results to a file. Forensic output can be very large and may consume the context window. CSV is the most common choice for analysis with Timeline Explorer or Excel.
| Flag | Description | Default |
|---|---|---|
-q | Suppress per-file output; show only filename being processed | FALSE |
--pretty | Use human-readable layout for JSON export | FALSE |
Output columns depend on tool version.
| Column | Description |
|---|---|
| SourceFile | Path to the source RecentFileCache.bcf file |
| SourceCreated | .bcf file creation timestamp |
| SourceModified | .bcf file last modified timestamp |
| SourceAccessed | .bcf file last accessed timestamp |
| Filename | Full path of the recently executed file |
RecentFileCacheParser.exe -f "C:\Cases\Evidence\RecentFileCache.bcf" --csv "C:\Cases\Output"
RecentFileCacheParser.exe -f "C:\Cases\Evidence\RecentFileCache.bcf" --csv "C:\Cases\Output" --csvf RecentFileCache_parsed.csv
RecentFileCacheParser.exe -f "C:\Cases\Evidence\RecentFileCache.bcf" --json "C:\Cases\Output" --pretty
RecentFileCacheParser.exe -f "E:\Windows\AppCompat\Programs\RecentFileCache.bcf" --csv "C:\Cases\Output"