Incident Response with EZTools - Evidence of Execution Acquisition

RecentFileCacheParser is bundled with EZTools. This tool parses the RecentFileCache.bcf file, which records recently executed programs.

Amcache can provide a timeline of which programs were executed, when each was first run, and when it was last modified. It also provides additional detail such as the file path, version, and hash.

RecentFileCache.bcf contains recently executed programs on Windows 7 systems.
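The two paragraphs above describe what RecentFileCacheParser reads out of RecentFileCache.bcf. The following is an added example, not EZTools code and not part of the original page: a small Python parser that walks the entry list of a .bcf file and then triages the recovered paths the way a responder would when looking for evidence of execution. The file layout it assumes (a 20-byte fixed header, followed by entries that are each a little-endian DWORD character count, a UTF-16LE path, and a two-byte terminator) is taken from community reverse engineering of the format and is an assumption here; the header bytes in the constructed sample are placeholders, and the sample paths are constructed, not from a real system.

```python
import struct

HEADER_SIZE = 0x14  # assumed: 20-byte fixed header precedes the entry list

# Constructed sample entries (not from a real system). The third and fourth
# are the kind of paths a responder would want surfaced: an executable in a
# user's temp folder, and a system-binary name living outside c:\windows.
SAMPLE_PATHS = [
    "c:\\windows\\system32\\notepad.exe",
    "c:\\program files\\7-zip\\7z.exe",
    "c:\\users\\alice\\appdata\\local\\temp\\update_helper.exe",
    "c:\\users\\public\\svchost.exe",
]

# Directories that unprivileged users can write to; execution from these is
# worth a second look during triage.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\",
                "$recycle.bin", "\\users\\public\\")

# Names that legitimately live under c:\windows; elsewhere they suggest
# masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def build_sample_bcf(paths):
    """Construct a RecentFileCache.bcf-style byte string for testing.

    Header content is a placeholder (zeros); only the entry layout matters
    to the parser below.
    """
    out = bytearray(b"\x00" * HEADER_SIZE)
    for p in paths:
        encoded = p.encode("utf-16-le")
        out += struct.pack("<I", len(encoded) // 2)  # count in UTF-16 code units
        out += encoded + b"\x00\x00"                  # two-byte terminator
    return bytes(out)


def parse_bcf(data):
    """Return the list of path strings stored in a .bcf byte string.

    Raises ValueError on a truncated entry so a damaged acquisition is
    reported instead of silently yielding a partial list.
    """
    entries = []
    off = HEADER_SIZE
    while off + 4 <= len(data):
        (nchars,) = struct.unpack_from("<I", data, off)
        off += 4
        nbytes = nchars * 2
        if off + nbytes + 2 > len(data):
            raise ValueError(f"truncated entry at offset {off - 4}")
        entries.append(data[off:off + nbytes].decode("utf-16-le"))
        off += nbytes + 2  # skip the string and its terminator
    return entries


def triage(entries):
    """Flag paths that merit analyst attention, with the reasons for each."""
    findings = []
    for path in entries:
        p = path.lower()
        reasons = []
        if any(d in p for d in SUSPECT_DIRS):
            reasons.append("user-writable location")
        name = p.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not p.startswith("c:\\windows\\"):
            reasons.append("system binary name outside c:\\windows")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    blob = build_sample_bcf(SAMPLE_PATHS)
    for path, reasons in triage(parse_bcf(blob)):
        print(f"{path}  <- {', '.join(reasons)}")
```

On a real acquisition you would read the bytes of the collected RecentFileCache.bcf (on Windows 7 it lives under C:\Windows\AppCompat\Programs\) instead of calling build_sample_bcf, and compare the parsed list against the CSV that RecentFileCacheParser emits to confirm the layout assumption holds for that file before trusting the output.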

During an incident, an executable may be launched that causes the system to behave oddly. Finding evidence of that execution on the system helps the responder pivot the investigation.

Windows Application Compatibility Forensics