Parses the RecentFileCache as evidence of execution artifact existing on older Windows systems (<= Win 7).
Full path, Drive letter and the binary name will be parsed. The order represents the timeline of the execution flow. However, there are no timestamps included in this artifact.
name: Windows.Forensics.RecentFileCache
author: Stephan Mikiss @stephmikiss (SEC Defence @SEC Consult)
description: |
Parses the RecentFileCache as evidence of execution artifact existing on older Windows systems (<= Win 7).
Full path, Drive letter and the binary name will be parsed. The order represents the timeline of the execution flow. However, there are no timestamps included in this artifact.
type: CLIENT
parameters:
- name: FileGlob
description: Glob to RecentFileCache.
default: C:/Windows/appcompat/Programs/RecentFileCache.bcf
- name: FullPathRegex
description: Regex to filter in the full path of the entry.
default: .
- name: BinaryRegex
description: Regex to filter for binary names.
default: .
sources:
- query: |
LET entries = SELECT utf16(string=Entry) as FullPath
FROM parse_records_with_regex(
file="C:/Windows/appcompat/Programs/RecentFileCache.bcf",
regex='''[\x00]{3}(?P<Entry>[a-z]\x00:.+?\x00)[\x00]{2}''')
SELECT parse_string_with_regex(string=FullPath,regex='''(?P<Drive>^[a-z]:)''').Drive as Drive,
FullPath,
parse_string_with_regex(string=FullPath,regex='''\\(?P<Binary>[^\\]+$)''').Binary as Binary
FROM entries
WHERE FullPath =~ FullPathRegex
AND Binary =~ BinaryRegex