Windows.KapeFiles.Targets

Kape is a popular bulk collector tool for triaging a system quickly. While KAPE itself is not an opensource tool, the logic it uses to decide which files to collect is encoded in YAML files hosted on the KapeFiles project (https://github.com/EricZimmerman/KapeFiles ) and released under an MIT license.

This artifact is automatically generated from these YAML files, contributed and maintained by the community. This artifact only encapsulates the KAPE “Targets” - basically a bunch of glob expressions used for collecting files on the endpoint. We do not do any post processing these files - we just collect them.

We recommend that timeouts and upload limits be used conservatively with this artifact because we can upload really vast quantities of data very quickly.

NOTE: This artifact was built from The KapeFile Repository commit 15e702f dated 2025-02-14T12:19:30-0500.

name: Windows.KapeFiles.Targets
description: |

    Kape is a popular bulk collector tool for triaging a system
    quickly. While KAPE itself is not an opensource tool, the logic it
    uses to decide which files to collect is encoded in YAML files
    hosted on the KapeFiles project
    (https://github.com/EricZimmerman/KapeFiles) and released under an
    MIT license.

    This artifact is automatically generated from these YAML files,
    contributed and maintained by the community. This artifact only
    encapsulates the KAPE "Targets" - basically a bunch of glob
    expressions used for collecting files on the endpoint. We do not
    do any post processing these files - we just collect them.

    We recommend that timeouts and upload limits be used
    conservatively with this artifact because we can upload really
    vast quantities of data very quickly.

    NOTE: This artifact was built from The KapeFile Repository
    commit 15e702f dated 2025-02-14T12:19:30-0500.

reference:
  - https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
  - https://github.com/EricZimmerman/KapeFiles

parameters:
  - name: UseAutoAccessor
    description: |
      Uses file accessor when possible instead of ntfs parser - this
      is much faster. Note that when using VSS analysis we have to use
      the ntfs accessor for everything which will be much slower.
    type: bool
    default: Y

  - name: Device
    description: |
      Name of the drive letter to search. You can add multiple drives
      separated with a comma.
    default: "C:,D:"

  - name: VSSAnalysisAge
    type: int
    default: 0
    description: |
      If larger than zero we analyze VSS within this many days
      ago. (e.g 7 will analyze all VSS within the last week).  Note
      that when using VSS analysis we have to use the ntfs accessor
      for everything which will be much slower.

  - name: _BasicCollection
    description: "Basic Collection (by Phill Moore): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T, WindowsIndexSearch - User, GatherLogs - User, Amcache, Amcache transaction files, Syscache, Syscache transaction files, Thumbcache DB, AppCompat PCA Folder, Setupapi.log XP, Setupapi.log Win7+, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, Prefetch, RecentFileCache, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, WindowsIndexSearch, GatherLogs, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, Event logs XP, Event logs Win7+, PowerShell Scheduled_Jobs, PowerShell Scheduled_Jobs Output, PowerShell Scheduled_Jobs Systemprofile, PowerShell Scheduled_Jobs Output Systemprofile, PowerShell Scheduled_Jobs WOW64 Systemprofile, PowerShell Scheduled_Jobs Output WOW64 Systemprofile, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, SRUM, at .job, at SchedLgU.txt, XML, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData"
    type: bool
  - name: _KapeTriage
    description: "Calls Kape Triage (by Phill Moore): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge Snapshots Folder, Emsisoft Scan Logs, Event logs XP, Event logs Win7+, F-Secure Logs, F-Secure User Logs, F-Secure Scheduled Scan Reports, Addons, Downloads, Extensions, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Sessionstore XP, FreeFileSync, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, Comodo, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, IE 11 Cookies, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Agent Edge Service Logs, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Level RMM Client Application logs, LogMeIn ProgramData Logs, LogMeIn Application Logs, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MegaSync Folder, MeshAgent .msh (configuration) file, MeshAgent log file, Windows Safety Scanner Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Net Monitor Client Config, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, Prefetch, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Puffin - Image Cache, RDP Cache Files, Windows.old RDP Cache Files, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, RemoteUtilities Install Log, RogueKiller Reports, RustDesk logs, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, at .job, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, SecureAge Antvirus Logs, SentinelOne EDR Log, Sophos Logs (XP), Sophos Logs, Splashtop Log Files, Splashtop Log Files in ProgramData, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, Syscache, Syscache transaction files, TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs, Unified endpoint management and security solutions from ManageEngine, UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log, VIPRE Business Agent Logs, VIPRE Business User Logs (v7+), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), RealVNC Log, TightVNC Application Logs, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata, WBEM, WER Files, Crash Dumps, Webroot Program Data, Windows Defender Logs, Windows Defender Event Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log, ActivitiesCache.db, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, Zoho Assist log files in AppData\Local, Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files, Zoho Assist log files in Program Files*, Zoho Assist .conf files in  Program Files*, Zoho Assist .txt files in  Program Files*, mRemoteNG Logs, mRemoteNG Connection Configuration and Backups, mRemoteNG Program Settings, PowerShell Scheduled_Jobs, PowerShell Scheduled_Jobs Output, PowerShell Scheduled_Jobs Systemprofile, PowerShell Scheduled_Jobs Output Systemprofile, PowerShell Scheduled_Jobs WOW64 Systemprofile, PowerShell Scheduled_Jobs Output WOW64 Systemprofile, 360 Secure Browser Bookmarks, 360 Secure Browser Cookies, 360 Secure Browser Current Session, 360 Secure Browser Current Tabs, 360 Secure Browser Download Metadata, 360 Secure Browser Extension Cookies, 360 Secure Browser Favicons, 360 Secure Browser History, 360 Secure Browser Last Session, 360 Secure Browser Last Tabs, 360 Secure Browser Sessions Folder, 360 Secure Browser Login Data, 360 Secure Browser Media History, 360 Secure Browser Network Action Predictor, 360 Secure Browser Network Persistent State, 360 Secure Browser Preferences, 360 Secure Browser Quota Manager, 360 Secure Browser Reporting and NEL, 360 Secure Browser Shortcuts, 360 Secure Browser Top Sites, 360 Secure Browser Trust Tokens, 360 Secure Browser SyncData Database, 360 Secure Browser Visited Links, 360 Secure Browser Web Data, 360 Secure Browser Snapshots Folder, AnyDesk File Transfer Logs - Running in portable mode, AnyDesk File Transfer Logs - Installed as a Service, Arc Cookies, Arc Favicons, Arc History, Arc Sessions Folder, Arc Login Data, Arc Network Action Predictor, Arc Preferences, Arc Shortcuts, Arc Top Sites, Arc SyncData Database, Arc Bookmarks, Arc Visited Links, Arc Web Data, Arc JSON Files, Arc PLIST Files, CocCoc Bookmarks, CocCoc Cookies, CocCoc Current Session, CocCoc Current Tabs, CocCoc Download Metadata, CocCoc Extension Cookies, CocCoc Favicons, CocCoc History, CocCoc Last Session, CocCoc Last Tabs, CocCoc Sessions Folder, CocCoc Login Data, CocCoc Media History, CocCoc Network Action Predictor, CocCoc Network Persistent State, CocCoc Preferences, CocCoc Quota Manager, CocCoc Reporting and NEL, CocCoc Shortcuts, CocCoc Top Sites, CocCoc Trust Tokens, CocCoc SyncData Database, CocCoc Visited Links, CocCoc Web Data, CocCoc Snapshots Folder, QQ Browser Bookmarks, QQ Browser Cookies, QQ Browser Current Session, QQ Browser Current Tabs, QQ Browser Download Metadata, QQ Browser Extension Cookies, QQ Browser Favicons, QQ Browser History, QQ Browser Last Session, QQ Browser Last Tabs, QQ Browser Sessions Folder, QQ Browser Login Data, QQ Browser Media History, QQ Browser Network Action Predictor, QQ Browser Network Persistent State, QQ Browser Preferences, QQ Browser Quota Manager, QQ Browser Reporting and NEL, QQ Browser Shortcuts, QQ Browser Top Sites, QQ Browser Trust Tokens, QQ Browser SyncData Database, QQ Browser Visited Links, QQ Browser Web Data, QQ Browser Snapshots Folder, Microsoft Quick Assist, Microsoft Remote Help, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Remco RAT Default path, Remco RAT custom path - AppData screenshots folder, Remco RAT custom path - AppData notess folder, Remco RAT custom path - AppData micrecords folder, Remco RAT custom path - AppData hpsupport, Remco RAT custom path, Remco RAT custom path - AppData notess, Remco RAT custom path - AppData screenshots, Remco RAT custom path  - AppData micrecords, Remco RAT custom path  - AppData hpsupport, Supermium Bookmarks XP, Supermium Cookies XP, Supermium Current Session XP, Supermium Current Tabs XP, Supermium Favicons XP, Supermium History XP, Supermium Last Session XP, Supermium Last Tabs XP, Supermium Sessions Folder XP, Supermium Network Action Predictor XP, Supermium Network Persistent State XP, Supermium Login Data XP, Supermium Preferences XP, Supermium Reporting and NEL XP, Supermium Trust Tokens XP, Supermium SyncData Database XP, Supermium Shortcuts XP, Supermium Top Sites XP, Supermium Visited Links XP, Supermium Web Data XP, Supermium Bookmarks, Supermium Cookies, Supermium Current Session, Supermium Current Tabs, Supermium Download Metadata, Supermium Extension Cookies, Supermium Favicons, Supermium History, Supermium Last Session, Supermium Last Tabs, Supermium Sessions Folder, Supermium Login Data, Supermium Media History, Supermium Network Action Predictor, Supermium Network Persistent State, Supermium Preferences, Supermium Quota Manager, Supermium Reporting and NEL, Supermium Shortcuts, Supermium Top Sites, Supermium Trust Tokens, Supermium SyncData Database, Supermium Visited Links, Supermium Web Data, Supermium Snapshots Folder, SYSTEM Supermium History, UCBrowser Bookmarks, UCBrowser Cookies, UCBrowser Current Session, UCBrowser Current Tabs, UCBrowser Download Metadata, UCBrowser Extension Cookies, UCBrowser Favicons, UCBrowser History, UCBrowser Last Session, UCBrowser Last Tabs, UCBrowser Sessions Folder, UCBrowser Login Data, UCBrowser Media History, UCBrowser Network Action Predictor, UCBrowser Network Persistent State, UCBrowser Preferences, UCBrowser Quota Manager, UCBrowser Reporting and NEL, UCBrowser Shortcuts, UCBrowser Top Sites, UCBrowser Trust Tokens, UCBrowser SyncData Database, UCBrowser Visited Links, UCBrowser Web Data, UCBrowser Snapshots Folder, WaveBrowser bookmarks, WaveBrowser Cookies, WaveBrowser Current Session, WaveBrowser Current Tabs, WaveBrowser Download Metadata, WaveBrowser Extension Cookies, WaveBrowser Favicons, WaveBrowser History, WaveBrowser Last Session, WaveBrowser Last Tabs, WaveBrowser Sessions Folder, WaveBrowser Login Data, WaveBrowser Media History, WaveBrowser Network Action Predictor, WaveBrowser Network Persistent State, WaveBrowser Preferences, WaveBrowser Quota Manager, WaveBrowser Reporting and NEL, WaveBrowser Shortcuts, WaveBrowser Top Sites, WaveBrowser Trust Tokens, WaveBrowser SyncData Database, WaveBrowser Visited Links, WaveBrowser Web Data, WaveBrowser Snapshots Folder, SYSTEM WaveBrowser History"
    type: bool
  - name: _SANS_Triage
    description: "SANS Triage Collection (by Mark Hallman): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, BITS files, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, Cisco Jabber Database, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Discord Cache Files, Discord Local Storage LevelDB Files, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge Snapshots Folder, Emsisoft Scan Logs, Event logs XP, Event logs Win7+, WDI Trace Logs 1, WDI Trace Logs 2, WMI Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs, Delivery Optimization Trace Logs, F-Secure Logs, F-Secure User Logs, F-Secure Scheduled Scan Reports, FileZilla XML Log Files, FileZilla SQLite3 Log Files, FileZilla Server XML Log Files, FileZilla Log Files, Addons, Downloads, Extensions, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Sessionstore XP, FreeFileSync, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, Group Policy Files, Computer Group Policy files, User Group Policy files, Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts, HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, Comodo, IceChat Chat Logs, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, IE 11 Cookies, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Agent Edge Service Logs, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Level RMM Client Application logs, LogMeIn ProgramData Logs, LogMeIn Application Logs, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MegaSync Folder, MeshAgent .msh (configuration) file, MeshAgent log file, Windows Safety Scanner Logs, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams Logs (Windows 11), .NET CLR UsageLogs (user-scoped), .NET CLR UsageLogs (system-scoped), Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Net Monitor Client Config, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, Prefetch, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Puffin - Image Cache, RDP Cache Files, Windows.old RDP Cache Files, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Robo-FTP User Scripts, Robo-FTP User Debug Logs, Robo-FTP User Script/Trace Logs, Robo-FTP User XML Config, Robo-FTP User SSH Keys, Robo-FTP User SSL Certificates, Robo-FTP User PGP Keys, Robo-FTP SSH Keys, Robo-FTP SSL Certificates, Robo-FTP PGP Keys, Robo-FTP Debug Logs, Robo-FTP Script/Trace Logs, Robo-FTP XML Config, Robo-FTP Jobs, RogueKiller Reports, RustDesk logs, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, at .job, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, SecureAge Antvirus Logs, SentinelOne EDR Log, Signal Attachments cache, Signal Logs, Signal config.json, Signal Database, main.db (App <v12), skype.db (App +v12), main.db XP, main.db Win7+, s4l-[username].db (App +v8), leveldb (Skype for Desktop +v8), Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack LevelDB Files, Slack Electron Logs, Slack Cache, Slack Storage, Sophos Logs (XP), Sophos Logs, Splashtop Log Files, Splashtop Log Files in ProgramData, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, Syscache, Syscache transaction files, TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, Telegram app folder, Telegram downloaded files, Thumbcache DB, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs, Unified endpoint management and security solutions from ManageEngine, Setupapi.log XP, Setupapi.log Win7+, UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log, VIPRE Business Agent Logs, VIPRE Business User Logs (v7+), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata, WBEM, WER Files, Crash Dumps, Webroot Program Data, WhatsApp Cache, WhatsApp Local Storage, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, WinSCP (.ini file), Windows Defender Logs, Windows Defender Event Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log, Windows Firewall Logs, WindowsIndexSearch, GatherLogs, ActivitiesCache.db, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, Zoho Assist log files in AppData\Local, Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files, Zoho Assist log files in Program Files*, Zoho Assist .conf files in  Program Files*, Zoho Assist .txt files in  Program Files*, mIRC Chat Logs (Vista+), mIRC Chat Logs (2000/XP), mRemoteNG Logs, mRemoteNG Connection Configuration and Backups, mRemoteNG Program Settings, PowerShell Scheduled_Jobs, PowerShell Scheduled_Jobs Output, PowerShell Scheduled_Jobs Systemprofile, PowerShell Scheduled_Jobs Output Systemprofile, PowerShell Scheduled_Jobs WOW64 Systemprofile, PowerShell Scheduled_Jobs Output WOW64 Systemprofile, 360 Secure Browser Bookmarks, 360 Secure Browser Cookies, 360 Secure Browser Current Session, 360 Secure Browser Current Tabs, 360 Secure Browser Download Metadata, 360 Secure Browser Extension Cookies, 360 Secure Browser Favicons, 360 Secure Browser History, 360 Secure Browser Last Session, 360 Secure Browser Last Tabs, 360 Secure Browser Sessions Folder, 360 Secure Browser Login Data, 360 Secure Browser Media History, 360 Secure Browser Network Action Predictor, 360 Secure Browser Network Persistent State, 360 Secure Browser Preferences, 360 Secure Browser Quota Manager, 360 Secure Browser Reporting and NEL, 360 Secure Browser Shortcuts, 360 Secure Browser Top Sites, 360 Secure Browser Trust Tokens, 360 Secure Browser SyncData Database, 360 Secure Browser Visited Links, 360 Secure Browser Web Data, 360 Secure Browser Snapshots Folder, Advanced IP Scanner Aliases, Advanced IP Scanner Comments, Advanced IP Scanner MAC, Advanced Port Scanner Aliases, Advanced Port Scanner Comments, Advanced Port Scanner MAC, AnyDesk File Transfer Logs - Running in portable mode, AnyDesk File Transfer Logs - Installed as a Service, Arc Cookies, Arc Favicons, Arc History, Arc Sessions Folder, Arc Login Data, Arc Network Action Predictor, Arc Preferences, Arc Shortcuts, Arc Top Sites, Arc SyncData Database, Arc Bookmarks, Arc Visited Links, Arc Web Data, Arc JSON Files, Arc PLIST Files, CocCoc Bookmarks, CocCoc Cookies, CocCoc Current Session, CocCoc Current Tabs, CocCoc Download Metadata, CocCoc Extension Cookies, CocCoc Favicons, CocCoc History, CocCoc Last Session, CocCoc Last Tabs, CocCoc Sessions Folder, CocCoc Login Data, CocCoc Media History, CocCoc Network Action Predictor, CocCoc Network Persistent State, CocCoc Preferences, CocCoc Quota Manager, CocCoc Reporting and NEL, CocCoc Shortcuts, CocCoc Top Sites, CocCoc Trust Tokens, CocCoc SyncData Database, CocCoc Visited Links, CocCoc Web Data, CocCoc Snapshots Folder, QQ Browser Bookmarks, QQ Browser Cookies, QQ Browser Current Session, QQ Browser Current Tabs, QQ Browser Download Metadata, QQ Browser Extension Cookies, QQ Browser Favicons, QQ Browser History, QQ Browser Last Session, QQ Browser Last Tabs, QQ Browser Sessions Folder, QQ Browser Login Data, QQ Browser Media History, QQ Browser Network Action Predictor, QQ Browser Network Persistent State, QQ Browser Preferences, QQ Browser Quota Manager, QQ Browser Reporting and NEL, QQ Browser Shortcuts, QQ Browser Top Sites, QQ Browser Trust Tokens, QQ Browser SyncData Database, QQ Browser Visited Links, QQ Browser Web Data, QQ Browser Snapshots Folder, Microsoft Quick Assist, Microsoft Remote Help, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Remco RAT Default path, Remco RAT custom path - AppData screenshots folder, Remco RAT custom path - AppData notess folder, Remco RAT custom path - AppData micrecords folder, Remco RAT custom path - AppData hpsupport, Remco RAT custom path, Remco RAT custom path - AppData notess, Remco RAT custom path - AppData screenshots, Remco RAT custom path  - AppData micrecords, Remco RAT custom path  - AppData hpsupport, Netscan XML default output, Supermium Bookmarks XP, Supermium Cookies XP, Supermium Current Session XP, Supermium Current Tabs XP, Supermium Favicons XP, Supermium History XP, Supermium Last Session XP, Supermium Last Tabs XP, Supermium Sessions Folder XP, Supermium Network Action Predictor XP, Supermium Network Persistent State XP, Supermium Login Data XP, Supermium Preferences XP, Supermium Reporting and NEL XP, Supermium Trust Tokens XP, Supermium SyncData Database XP, Supermium Shortcuts XP, Supermium Top Sites XP, Supermium Visited Links XP, Supermium Web Data XP, Supermium Bookmarks, Supermium Cookies, Supermium Current Session, Supermium Current Tabs, Supermium Download Metadata, Supermium Extension Cookies, Supermium Favicons, Supermium History, Supermium Last Session, Supermium Last Tabs, Supermium Sessions Folder, Supermium Login Data, Supermium Media History, Supermium Network Action Predictor, Supermium Network Persistent State, Supermium Preferences, Supermium Quota Manager, Supermium Reporting and NEL, Supermium Shortcuts, Supermium Top Sites, Supermium Trust Tokens, Supermium SyncData Database, Supermium Visited Links, Supermium Web Data, Supermium Snapshots Folder, SYSTEM Supermium History, UCBrowser Bookmarks, UCBrowser Cookies, UCBrowser Current Session, UCBrowser Current Tabs, UCBrowser Download Metadata, UCBrowser Extension Cookies, UCBrowser Favicons, UCBrowser History, UCBrowser Last Session, UCBrowser Last Tabs, UCBrowser Sessions Folder, UCBrowser Login Data, UCBrowser Media History, UCBrowser Network Action Predictor, UCBrowser Network Persistent State, UCBrowser Preferences, UCBrowser Quota Manager, UCBrowser Reporting and NEL, UCBrowser Shortcuts, UCBrowser Top Sites, UCBrowser Trust Tokens, UCBrowser SyncData Database, UCBrowser Visited Links, UCBrowser Web Data, UCBrowser Snapshots Folder, WaveBrowser bookmarks, WaveBrowser Cookies, WaveBrowser Current Session, WaveBrowser Current Tabs, WaveBrowser Download Metadata, WaveBrowser Extension Cookies, WaveBrowser Favicons, WaveBrowser History, WaveBrowser Last Session, WaveBrowser Last Tabs, WaveBrowser Sessions Folder, WaveBrowser Login Data, WaveBrowser Media History, WaveBrowser Network Action Predictor, WaveBrowser Network Persistent State, WaveBrowser Preferences, WaveBrowser Quota Manager, WaveBrowser Reporting and NEL, WaveBrowser Shortcuts, WaveBrowser Top Sites, WaveBrowser Trust Tokens, WaveBrowser SyncData Database, WaveBrowser Visited Links, WaveBrowser Web Data, WaveBrowser Snapshots Folder, SYSTEM WaveBrowser History, WindowsIndexSearch - User, GatherLogs - User"
    type: bool
  - name: _Boot
    description: "$Boot (by Eric Zimmerman): $Boot"
    type: bool
  - name: _J
    description: "$J (by Eric Zimmerman and Andrew Rathbun): $J, $Max"
    type: bool
  - name: _LogFile
    description: "$LogFile (by Eric Zimmerman): $LogFile"
    type: bool
  - name: _MFT
    description: "$MFT (by Eric Zimmerman): $MFT"
    type: bool
  - name: _MFTMirr
    description: "$MFTMirr (by Teo Kia Meng): $MFTMirr"
    type: bool
  - name: _SDS
    description: "$SDS (by Eric Zimmerman and Andrew Rathbun): $SDS"
    type: bool
  - name: _T
    description: "$T (by Eric Zimmerman and Andrew Rathbun): $T"
    type: bool
  - name: 1Password
    description: "1Password Password Manager (by Matt Dawson): 1Password Database, 1Password Backup Databases, 1Password Logs"
    type: bool
  - name: 360SecureBrowser
    description: "360 Secure Browser (by Reece394): 360 Secure Browser Bookmarks, 360 Secure Browser Cookies, 360 Secure Browser Current Session, 360 Secure Browser Current Tabs, 360 Secure Browser Download Metadata, 360 Secure Browser Extension Cookies, 360 Secure Browser Favicons, 360 Secure Browser History, 360 Secure Browser Last Session, 360 Secure Browser Last Tabs, 360 Secure Browser Sessions Folder, 360 Secure Browser Login Data, 360 Secure Browser Media History, 360 Secure Browser Network Action Predictor, 360 Secure Browser Network Persistent State, 360 Secure Browser Preferences, 360 Secure Browser Quota Manager, 360 Secure Browser Reporting and NEL, 360 Secure Browser Shortcuts, 360 Secure Browser Top Sites, 360 Secure Browser Trust Tokens, 360 Secure Browser SyncData Database, 360 Secure Browser Visited Links, 360 Secure Browser Web Data, Windows Protect Folder, 360 Secure Browser Snapshots Folder"
    type: bool
  - name: 4KVideoDownloader
    description: "4K Video Downloader (by Andrew Rathbun): 4K Video Downloader, 4K Video Downloader+"
    type: bool
  - name: AVG
    description: "AVG Antivirus Data (by Kirtan Shah and Dhiral Panjwani): AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON"
    type: bool
  - name: AceText
    description: "AceText (by Andrew Rathbun): AceText - Clipboard History"
    type: bool
  - name: AcronisTrueImage
    description: "Acronis True Image (by Andrew Rathbun): Acronis True Image - Logs, Acronis True Image - Database Files, Acronis True Image - Scripts Folder"
    type: bool
  - name: Action1
    description: "Action1 Application Logs (by Andrew Skatoff @DFIR_TNT): Action1 Client Application logs"
    type: bool
  - name: ActiveDirectoryNTDS
    description: "Active Directory NTDS (by Zawadi Done): NTDS"
    type: bool
  - name: ActiveDirectorySysvol
    description: "Active Directory Sysvol (by Zawadi Done): SYSVOL"
    type: bool
  - name: AdvancedIPScanner
    description: "Advanced IP Scanner Artifacts (by Reece394): Advanced IP Scanner Aliases, Advanced IP Scanner Comments, Advanced IP Scanner MAC"
    type: bool
  - name: AdvancedPortScanner
    description: "Advanced Port Scanner Artifacts (by Reece394): Advanced Port Scanner Aliases, Advanced Port Scanner Comments, Advanced Port Scanner MAC"
    type: bool
  - name: AgentRansack
    description: "Agent Ransack - Free File Searching Utility (by Andrew Rathbun): Agent Ransack Config Logs, Agent Ransack CrashReports Logs, Agent Ransack IndexLog Logs, Agent Ransack Logs"
    type: bool
  - name: Amcache
    description: "Amcache.hve (by Eric Zimmerman): Amcache, Amcache transaction files"
    type: bool
  - name: Ammyy
    description: "Ammyy Data (by Drew Ervin): Ammyy Program Data"
    type: bool
  - name: Antivirus
    description: "Antivirus (by Andrew Rathbun): MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, Windows Safety Scanner Logs, Application Event Log XP, Application Event Log Win7+, TotalAV Logs, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, VIPRE Business Agent Logs, VIPRE Business User Logs (v7+), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), Webroot Program Data, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, Windows Defender Logs, Windows Defender Event Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Emsisoft Scan Logs, F-Secure Logs, F-Secure User Logs, F-Secure Scheduled Scan Reports, RogueKiller Reports, HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database, SUPERAntiSpyware Logs, SecureAge Antvirus Logs, SentinelOne EDR Log, Sophos Logs (XP), Sophos Logs"
    type: bool
  - name: AnyDesk
    description: "AnyDesk (by Andrew Rathbun, Scott Hanson, and Nicole Jao): AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AnyDesk File Transfer Logs - Running in portable mode, AnyDesk File Transfer Logs - Installed as a Service"
    type: bool
  - name: ApacheAccessLog
    description: "Apache Access Log (by Hadar Yudovich): Apache Access Log"
    type: bool
  - name: AppCompatPCA
    description: "AppCompat PCA Folder (by Andrew Rathbun): AppCompat PCA Folder"
    type: bool
  - name: AppData
    description: "AppData (by Phill Moore): AppData"
    type: bool
  - name: AppXPackages
    description: "AppXPackages (by Nisarg Suthar): WindowsApps for AppX, SystemApps for AppX, UserSpecificPackages for AppX, AppRepository for AppX, ProgramData Packages for AppX"
    type: bool
  - name: ApplicationEvents
    description: "Windows Application Event Log (by Drew Ervin): Application Event Log XP, Application Event Log Win7+"
    type: bool
  - name: Arc
    description: "Arc Browser (by Reece394): Arc PLIST Files, Arc Cookies, Arc Favicons, Arc History, Arc Sessions Folder, Arc Login Data, Arc Network Action Predictor, Arc Preferences, Arc Shortcuts, Arc Top Sites, Arc SyncData Database, Arc Bookmarks, Arc Visited Links, Arc Web Data, Arc JSON Files"
    type: bool
  - name: AsperaConnect
    description: "Aspera Connect Log Files (by Dennis Reneau): Aspera Client Logs, Aspera Server Logs"
    type: bool
  - name: AteraAgent
    description: "AteraAgent (by Andrew Rathbun): AteraAgent .ini files, AteraAgent Logs"
    type: bool
  - name: Avast
    description: "Avast Antivirus Data (by Drew Ervin and Dhiral Panjwani): Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs"
    type: bool
  - name: AviraAVLogs
    description: "Avira Logs (by Fabian Murer and Dhiral Panjwani): Avira Activity Logs, Avira Security Logs, Avira VPN Logs"
    type: bool
  - name: BCD
    description: "Boot Configuration Files (by Troy Larson): BCD, BCD Logs"
    type: bool
  - name: BITS
    description: "Microsoft BITS (Background Intelligent Transer Service) persistent files (by Jos Clephas): BITS files"
    type: bool
  - name: BitTorrent
    description: "BitTorrent (by Banaanhangwagen): TorrentClients - BitTorrent"
    type: bool
  - name: Bitdefender
    description: "Bitdefender Antivirus Data (by Drew Ervin, Ahmed Elshaer): Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files"
    type: bool
  - name: BoxDrive_Metadata
    description: "Box Cloud Storage Metadata (by Chad Tilbury): Box Drive Application Metadata, Box Sync Application Metadata"
    type: bool
  - name: BoxDrive_UserFiles
    description: "Box Cloud Storage Files (by Chad Tilbury): Box Sync User Files, Box Drive User Files"
    type: bool
  - name: BraveBrowser
    description: "Brave Browser (by Cassie Doemel): Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences"
    type: bool
  - name: BrowserCache
    description: "Browser Caches (by Bjorn Vanhaeren): Chrome Cache Folder, Chromium Edge Cache Folder, Firefox Cache Folder, IE 9/10 Cache, IE Index.dat temp internet files, IE 11 Cache, Edge WebcacheV01.dat, Brave Cache Folder"
    type: bool
  - name: CertUtil
    description: "Certutil (by NVISO (@NVISOsecurity), 2thewes): INetCache, System CryptnetUrlCache, System WOW64 CryptnetUrlCache, User CryptnetUrlCache"
    type: bool
  - name: Chrome
    description: "Chrome (by Eric Zimmerman and Andrew Rathbun): Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP"
    type: bool
  - name: ChromeExtensions
    description: "Chrome Extension Files (by piesecurity): Chrome Extension Files, Chrome Extension Files XP"
    type: bool
  - name: ChromeFileSystem
    description: "Chrome HTML5 File System Contents (by Chad Tilbury): Chrome HTML5 File System Folder"
    type: bool
  - name: CiscoJabber
    description: "Jabber (by Andrew Bannon): Cisco Jabber Database"
    type: bool
  - name: ClipboardMaster
    description: "ClipboardMaster (by Andrew Rathbun): ClipboardMaster - Clipboard History - Backups, ClipboardMaster - Clipboard History - Text, ClipboardMaster - Clipboard History - Images"
    type: bool
  - name: CloudStorage_All
    description: "Cloud Storage Contents and Metadata (by Chad Tilbury and Andrew Rathbun): SugarSync Log File, SugarSync - Shared Folders (Default Location), SugarSync - My SugarSync (Default Location), MegaSync Folder, pCloud Database, pCloud Database WAL File, pCloud Database Shared Memory File, Idrive Cleanup Operations, Idrive Backup Operations, Idrive Delete Operations, Idrive Restore Operations, Idrive Backup Summary, Idrive Tracefile, Idrive Mapped Drives, Idrive Backup Schedule, Idrive Schedule History, Idrive Configuration, Idrive Local Drives, Idrive Exclusion Configurations, Idrive User Details, Idrive SQL Databse, Rclone Config, Box Drive Application Metadata, Box Sync Application Metadata, Box Drive User Files, Box Sync User Files, Dropbox Metadata, Windows Protect Folder, Dropbox User Files, OneDrive User Files, OneDrive Metadata Logs, OneDrive Metadata Settings, FreeFileSync, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata"
    type: bool
  - name: CloudStorage_Metadata
    description: "Cloud Storage Metadata (by Chad Tilbury and Andrew Rathbun, Eric Capuano): Dropbox Metadata, Windows Protect Folder, OneDrive Metadata Logs, OneDrive Metadata Settings, FreeFileSync, Box Drive Application Metadata, Box Sync Application Metadata, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, Rclone Config, MegaSync Folder"
    type: bool
  - name: CloudStorage_OneDriveExplorer
    description: "OneDrive and other files used with OneDriveExplorer (by Brian Maloney): Recycle Bin - Windows Vista+, RECYCLER - WinXP, OneDrive Metadata Logs, OneDrive Metadata Settings, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive"
    type: bool
  - name: CocCoc
    description: "CocCoc Browser (by Reece394): CocCoc Bookmarks, CocCoc Cookies, CocCoc Current Session, CocCoc Current Tabs, CocCoc Download Metadata, CocCoc Extension Cookies, CocCoc Favicons, CocCoc History, CocCoc Last Session, CocCoc Last Tabs, CocCoc Sessions Folder, CocCoc Login Data, CocCoc Media History, CocCoc Network Action Predictor, CocCoc Network Persistent State, CocCoc Preferences, CocCoc Quota Manager, CocCoc Reporting and NEL, CocCoc Shortcuts, CocCoc Top Sites, CocCoc Trust Tokens, CocCoc SyncData Database, CocCoc Visited Links, CocCoc Web Data, Windows Protect Folder, CocCoc Snapshots Folder"
    type: bool
  - name: CombinedLogs
    description: "Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs (by Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts target): PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, Event logs XP, Event logs Win7+, WDI Trace Logs 1, WDI Trace Logs 2, WMI Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs, Delivery Optimization Trace Logs, Windows Firewall Logs, .NET CLR UsageLogs (user-scoped), .NET CLR UsageLogs (system-scoped), Setupapi.log XP, Setupapi.log Win7+"
    type: bool
  - name: Combofix
    description: "ComboFix Antivirus Data (by Drew Ervin): ComboFix"
    type: bool
  - name: ConfluenceLogs
    description: "Confluence Log Files (by Eric Capuano): Confluence Wiki Log Files"
    type: bool
  - name: Cybereason
    description: "Cybereason Sensor/Detection Logs (by piesecurity): Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs"
    type: bool
  - name: Cylance
    description: "Cylance Antivirus Logs (by Ron Rader): Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs"
    type: bool
  - name: DC__
    description: "DC++ (by Andrew Rathbun): DC++ Chat Logs"
    type: bool
  - name: DWAgent
    description: "DWAgent Log Files (by Ron Rader): DWAgent Log Files"
    type: bool
  - name: Debian
    description: "Debian on Windows Subsystem for Linux (by Matt Dawson): Debian WSL .bash_history, Debian WSL .bashrc, Debian WSL .profile, Debian WSL User Crontabs, Debian WSL Apt Logs, Debian WSL ext4.vhdx, Debian WSL /etc/debian_version, Debian WSL /etc/fstab, Debian WSL /etc/os-release, Debian WSL /etc/passwd, Debian WSL /etc/group, Debian WSL /etc/shadow, Debian WSL /etc/timezone, Debian WSL /etc/hostname, Debian WSL /etc/hosts, Debian WSL /etc/crontab, Debian WSL /etc/bash.bashrc, Debian WSL /etc/profile"
    type: bool
  - name: DirectoryOpus
    description: "Directory Opus (by Andrew Rathbun): Directory Opus"
    type: bool
  - name: DirectoryTraversal_AudioFiles
    description: "Find audio files covering a multitude of formats (by Andrew Rathbun): Audio files"
    type: bool
  - name: DirectoryTraversal_ExcelDocuments
    description: "Find Excel and Excel alternative documents (by Andrew Rathbun): Excel and Excel-like Documents"
    type: bool
  - name: DirectoryTraversal_PDFDocuments
    description: "Find PDF and PDF alternative documents (by Andrew Rathbun): PDF and PDF-like Documents"
    type: bool
  - name: DirectoryTraversal_PictureFiles
    description: "Find picture files covering a multitude of formats (by Andrew Rathbun): Picture files"
    type: bool
  - name: DirectoryTraversal_SQLiteDatabases
    description: "Find files with common SQLite file extensions (by Andrew Rathbun): SQLite Files (.db* and .sqlite*)"
    type: bool
  - name: DirectoryTraversal_VideoFiles
    description: "Find video files covering a multitude of formats (by Andrew Rathbun): Video files"
    type: bool
  - name: DirectoryTraversal_WildCardExample
    description: "Find zip archives (by Eric Zimmerman): Zips"
    type: bool
  - name: DirectoryTraversal_WordDocuments
    description: "Find Word and Word alternative documents (by Andrew Rathbun): Word and Word-like Documents"
    type: bool
  - name: Discord
    description: "Discord Cache and LevelDB Files (by Christian Johansen and Matt Dawson): Discord Local Storage LevelDB Files, Discord Cache Files"
    type: bool
  - name: DoubleCommander
    description: "Double Commander (by Andrew Rathbun): Double Commander - history.xml, Double Commander - doublecmd.xml, Double Commander - FTP Log, Double Commander - multiarc.ini, Double Commander - session.ini, Double Commander - pixmaps.txt, Double Commander - shortcuts.scf"
    type: bool
  - name: Drivers
    description: "Windows Drivers (by Zawadi Done): Drivers"
    type: bool
  - name: Dropbox_Metadata
    description: "Dropbox Cloud Storage Metadata (by Chad Tilbury and Andrew Rathbun): Dropbox Metadata, Windows Protect Folder"
    type: bool
  - name: Dropbox_UserFiles
    description: "Dropbox Cloud Storage Files (by Chad Tilbury): Dropbox User Files"
    type: bool
  - name: EFCommander
    description: "EF Commander (by Andrew Rathbun): EF Commander - .ini File"
    type: bool
  - name: ESET
    description: "ESET Antivirus Data (by Drew Ervin, Phill Moore): ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine"
    type: bool
  - name: Edge
    description: "Edge (by Phill Moore): Edge folder"
    type: bool
  - name: EdgeChromium
    description: "Microsoft Edge Chromium Artifacts (by Chad Tilbury and Andrew Rathbun): Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder, Edge Snapshots Folder, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites"
    type: bool
  - name: EdgeChromiumExtensions
    description: "Edge Chromium Extension Files (by cardinsou): Edge Chromium Extension Files"
    type: bool
  - name: Emsisoft
    description: "Emsisoft Antivirus Logs (by blueskycyber): Emsisoft Scan Logs"
    type: bool
  - name: EncapsulationLogging
    description: "EncapsulationLogging (by Troy Larson): EncapsulationLogging, EncapsulationLogging Logs"
    type: bool
  - name: EventLogs_RDP
    description: "Collect Win7+ RDP related Event logs (by Mark Hallman, esecrpm): Event logs Win7+"
    type: bool
  - name: EventLogs
    description: "Event logs (by Eric Zimmerman): Event logs XP, Event logs Win7+"
    type: bool
  - name: EventTraceLogs
    description: "Event Trace Logs (by Mark Hallman): WMI Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs, Delivery Optimization Trace Logs, WDI Trace Logs 1, WDI Trace Logs 2"
    type: bool
  - name: EventTranscriptDB
    description: "EventTranscript.db (and other files related to Telemetry and Diagnostic Data) (by Andrew Rathbun and Josh Mitchell): EventTranscript.db, Microsoft Office Diagnostic Logs"
    type: bool
  - name: Evernote
    description: "Evernote (by Matt Dawson): Evernote Accounts, Evernote Notebooks, Evernote Notebook Snippets"
    type: bool
  - name: Everything__VoidTools_
    description: "Everything (VoidTools) (by Andrew Rathbun): Everything (VoidTools), Everything (VoidTools) - Run History, Everything (VoidTools) - Search History, Everything (VoidTools) - .ini file"
    type: bool
  - name: EvidenceOfExecution
    description: "Evidence of execution related files (by Eric Zimmerman): Amcache, Amcache transaction files, Syscache, Syscache transaction files, AppCompat PCA Folder, Prefetch, RecentFileCache"
    type: bool
  - name: Exchange
    description: "Exchange Log Files (by Keith Twombley): Exchange Setup Log file, Exchange TransportRoles log files, Exchange client access log files"
    type: bool
  - name: ExchangeClientAccess
    description: "Exchange Client Access Log Files (by Keith Twombley): Exchange client access log files"
    type: bool
  - name: ExchangeCve_2021_26855
    description: "Exchange Server Vulnerability *.Compiled Files (by Dennis Reneau): Exchange Server Modified Compiled Files"
    type: bool
  - name: ExchangeSetupLog
    description: "Exchange Setup Log (by 2thewes): Exchange Setup Log file"
    type: bool
  - name: ExchangeTransport
    description: "Exchange Transport Log Files (by Keith Twombley): Exchange TransportRoles log files"
    type: bool
  - name: FSecure
    description: "F-Secure Antivirus Data (by Drew Ervin): F-Secure Scheduled Scan Reports, F-Secure Logs, F-Secure User Logs"
    type: bool
  - name: FTPClients
    description: "FTP Clients (by Andrew Rathbun): WinSCP (.ini file), FileZilla XML Log Files, FileZilla SQLite3 Log Files, FileZilla Server XML Log Files, FileZilla Log Files, Robo-FTP User Scripts, Robo-FTP User Debug Logs, Robo-FTP User Script/Trace Logs, Robo-FTP User XML Config, Robo-FTP User SSH Keys, Robo-FTP User SSL Certificates, Robo-FTP User PGP Keys, Robo-FTP SSH Keys, Robo-FTP SSL Certificates, Robo-FTP PGP Keys, Robo-FTP Debug Logs, Robo-FTP Script/Trace Logs, Robo-FTP XML Config, Robo-FTP Jobs"
    type: bool
  - name: FastStoneImageViewer
    description: "FastStone Image Viewer (by DReneau): FastStone Image Viewer (FSIV)"
    type: bool
  - name: Fences
    description: "Fences (by Andrew Rathbun): Fences - Desktop Screenshots"
    type: bool
  - name: FileExplorerReplacements
    description: "File Explorer Replacements (by Andrew Rathbun): SpeedCommander - .ini File, Q-Dir - .ini File, Q-Dir - .qdr file, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml, Tablacus Explorer - window1.xml, Midnight Commander -- All Configuation Files, Multi Commander - Application Folder, Multi Commander - Config Folder, Multi Commander - Log Folder, Multi Commander - UserData Folder, Multi Commander - Log File, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Total Commander - FTP .ini File, Total Commander - File Tree, Total Commander - Frequent Directory Listing, Directory Opus, Total Commander - FTP Logs, Double Commander - history.xml, Double Commander - doublecmd.xml, Double Commander - FTP Log, Double Commander - multiarc.ini, Double Commander - session.ini, Double Commander - pixmaps.txt, Double Commander - shortcuts.scf, Free Commander - FreeCommander.ini, Free Commander - FreeCommander.ftp.ini, Free Commander - FreeCommander.hist.ini, Free Commander - FreeCommander.fav.xml, Free Commander - Backup Settings, Free Commander - FTP Log, Free Commander - FTP Related Information, EF Commander - .ini File, One Commander - All Configuration Files, One Commander - Other Configuration Files, XYplorer - .ini file, XYplorer - .ini file for each respective pane, XYplorer - AutoBackup folder, XYplorer - .dat files"
    type: bool
  - name: FileSystem
    description: "File system metadata (by Eric Zimmerman): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T"
    type: bool
  - name: FileZillaClient
    description: "FileZilla XML and SQLite Log Files (by Dennis Reneau): FileZilla XML Log Files, FileZilla SQLite3 Log Files"
    type: bool
  - name: FileZillaServer
    description: "FileZilla Server Logs (by Andrew Rathbun): FileZilla Server XML Log Files, FileZilla Log Files"
    type: bool
  - name: Firefox
    description: "Firefox (by Eric Zimmerman and Andrew Rathbun): Addons, Bookmarks, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Sessionstore XP"
    type: bool
  - name: FreeCommander
    description: "FreeCommander XE (by Andrew Rathbun): Free Commander - FreeCommander.ini, Free Commander - FreeCommander.ftp.ini, Free Commander - FreeCommander.hist.ini, Free Commander - FreeCommander.fav.xml, Free Commander - Backup Settings, Free Commander - FTP Log, Free Commander - FTP Related Information"
    type: bool
  - name: FreeDownloadManager
    description: "Free Download Manager (by Matt Dawson): FDM Database, FDM Backup Info, FDM Database (userdata.zip)"
    type: bool
  - name: FreeFileSync
    description: "FreeFileSync (by Andrew Rathbun): FreeFileSync"
    type: bool
  - name: Freenet
    description: "Freenet (by Charlie Rubisoff): Freenet"
    type: bool
  - name: FrostWire
    description: "FrostWire (by Andrew Rathbun): FrostWire Downloads, FrostWire AppData"
    type: bool
  - name: Gigatribe
    description: "Gigatribe Files (by Linus Nissi): Gigatribe Files Windows Vista/7/8/10, Gigatribe Files Windows XP"
    type: bool
  - name: GoogleDriveBackupSync_UserFiles
    description: "Google Backup and Sync Storage Files (by Chad Tilbury): Google Drive Backup and Sync User Files"
    type: bool
  - name: GoogleDrive_Metadata
    description: "Google Drive Metadata (by Chad Tilbury): Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata"
    type: bool
  - name: GoogleEarth
    description: "Google Earth (by Guus Beckers): Google Earth My Places file, Google Earth My Places Backup file, Google Earth My Places file (XP), Google Earth My Places Backup file (XP)"
    type: bool
  - name: GroupPolicy
    description: "Current Group Policy Enforcement (by piesecurity): User Group Policy files, Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts, Group Policy Files, Computer Group Policy files"
    type: bool
  - name: HeidiSQL
    description: "HeidiSQL (by Hyun Yi @hyuunnn): HeidiSQL Backup files (*.sql), HeidiSQL (tabs.ini)"
    type: bool
  - name: HexChat
    description: "HexChat (by Andrew Rathbun): HexChat Chat Logs"
    type: bool
  - name: HitmanPro
    description: "HitmanPro Antivirus Data (by Drew Ervin): HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database"
    type: bool
  - name: HostsFile
    description: "Hosts file (by Max Zabuty): HostsFile"
    type: bool
  - name: IISConfiguration
    description: "IIS (by NVISO (@NVISOsecurity)): web.config, IIS applicationHost.config, IIS administration.config, IIS redirection.config"
    type: bool
  - name: IISLogFiles
    description: "IIS Log Files (by Troy Larson): IIS log files"
    type: bool
  - name: IRCClients
    description: "IRC Clients (by Andrew Rathbun): HexChat Chat Logs, IceChat Chat Logs, mIRC Chat Logs (Vista+), mIRC Chat Logs (2000/XP)"
    type: bool
  - name: ISLOnline
    description: "ISLOnline Remote Access Tool (by Thomas Burnette): ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration"
    type: bool
  - name: ITarian
    description: "ITarian RMM (by Phill Moore): ITarian, Comodo"
    type: bool
  - name: IceChat
    description: "IceChat (by Andrew Rathbun): IceChat Chat Logs"
    type: bool
  - name: IconCacheDB
    description: "IconCache.db files (by Herbert Bärschneider @SEC Consult): Windows IconCache DB"
    type: bool
  - name: Idrive
    description: "Idrive Backup Artifacts (by Thomas Burnette): Idrive Cleanup Operations, Idrive Backup Operations, Idrive Delete Operations, Idrive Restore Operations, Idrive Backup Summary, Idrive Tracefile, Idrive Mapped Drives, Idrive Backup Schedule, Idrive Schedule History, Idrive Configuration, Idrive Local Drives, Idrive Exclusion Configurations, Idrive User Details, Idrive SQL Databse"
    type: bool
  - name: ImgBurn
    description: "ImgBurn (by Chuck Whitson): ImgBurn - Application Log File"
    type: bool
  - name: InternetExplorer
    description: "Internet Explorer (by Eric Zimmerman): IE 11 Cookies, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata"
    type: bool
  - name: IrfanView
    description: "IrfanView (by Andrew Rathbun): IrfanView Configuration File"
    type: bool
  - name: JDownloader2
    description: "JDownloader 2 (by Matt Dawson): JDownloader 2.0 Download Lists, JDownloader 2.0 Link Collector, JDownloader 2.0 General Settings, JDownloader 2.0 Link Grabber Settings, JDownloader 2.0 Proxy Settings"
    type: bool
  - name: JavaWebCache
    description: "Java WebStart Cache - (IDX Files) (by piesecurity): Java WebStart Cache User Level - Default, Java WebStart Cache User Level - IE Protected Mode, Java WebStart Cache System level, Java WebStart Cache System level - IE Protected Mode, Java WebStart Cache System level (SysWow64), Java WebStart Cache System level (SysWow64) - IE Protected Mode, Java WebStart Cache User Level - XP"
    type: bool
  - name: JumpLists
    description: "Jump lists (by Max Zabuty): JumpLists from CustomDestinations"
    type: bool
  - name: Kali
    description: "Kali on Windows Subsystem for Linux (by Matt Dawson): Kali WSL .bash_history, Kali WSL .bashrc, Kali WSL .profile, Kali WSL User Crontabs, Kali WSL Apt Logs, Kali WSL ext4.vhdx, Kali WSL /etc/debian_version, Kali WSL /etc/fstab, Kali WSL /etc/os-release, Kali WSL /etc/passwd, Kali WSL /etc/group, Kali WSL /etc/shadow, Kali WSL /etc/timezone, Kali WSL /etc/hostname, Kali WSL /etc/hosts, Kali WSL /etc/crontab, Kali WSL /etc/bash.bashrc, Kali WSL /etc/profile"
    type: bool
  - name: KapeTriage
    description: "KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files. (by Scott Downie): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge Snapshots Folder, Emsisoft Scan Logs, Event logs XP, Event logs Win7+, F-Secure Logs, F-Secure User Logs, F-Secure Scheduled Scan Reports, Addons, Downloads, Extensions, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Sessionstore XP, FreeFileSync, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, Comodo, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, IE 11 Cookies, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Agent Edge Service Logs, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Level RMM Client Application logs, LogMeIn ProgramData Logs, LogMeIn Application Logs, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MegaSync Folder, MeshAgent .msh (configuration) file, MeshAgent log file, Windows Safety Scanner Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Net Monitor Client Config, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, Prefetch, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Puffin - Image Cache, RDP Cache Files, Windows.old RDP Cache Files, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, RemoteUtilities Install Log, RogueKiller Reports, RustDesk logs, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, at .job, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, SecureAge Antvirus Logs, SentinelOne EDR Log, Sophos Logs (XP), Sophos Logs, Splashtop Log Files, Splashtop Log Files in ProgramData, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, Syscache, Syscache transaction files, TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs, Unified endpoint management and security solutions from ManageEngine, UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log, VIPRE Business Agent Logs, VIPRE Business User Logs (v7+), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), RealVNC Log, TightVNC Application Logs, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata, WBEM, WER Files, Crash Dumps, Webroot Program Data, Windows Defender Logs, Windows Defender Event Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log, ActivitiesCache.db, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, Zoho Assist log files in AppData\Local, Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files, Zoho Assist log files in Program Files*, Zoho Assist .conf files in  Program Files*, Zoho Assist .txt files in  Program Files*, mRemoteNG Logs, mRemoteNG Connection Configuration and Backups, mRemoteNG Program Settings, PowerShell Scheduled_Jobs, PowerShell Scheduled_Jobs Output, PowerShell Scheduled_Jobs Systemprofile, PowerShell Scheduled_Jobs Output Systemprofile, PowerShell Scheduled_Jobs WOW64 Systemprofile, PowerShell Scheduled_Jobs Output WOW64 Systemprofile, 360 Secure Browser Bookmarks, 360 Secure Browser Cookies, 360 Secure Browser Current Session, 360 Secure Browser Current Tabs, 360 Secure Browser Download Metadata, 360 Secure Browser Extension Cookies, 360 Secure Browser Favicons, 360 Secure Browser History, 360 Secure Browser Last Session, 360 Secure Browser Last Tabs, 360 Secure Browser Sessions Folder, 360 Secure Browser Login Data, 360 Secure Browser Media History, 360 Secure Browser Network Action Predictor, 360 Secure Browser Network Persistent State, 360 Secure Browser Preferences, 360 Secure Browser Quota Manager, 360 Secure Browser Reporting and NEL, 360 Secure Browser Shortcuts, 360 Secure Browser Top Sites, 360 Secure Browser Trust Tokens, 360 Secure Browser SyncData Database, 360 Secure Browser Visited Links, 360 Secure Browser Web Data, 360 Secure Browser Snapshots Folder, AnyDesk File Transfer Logs - Running in portable mode, AnyDesk File Transfer Logs - Installed as a Service, Arc Cookies, Arc Favicons, Arc History, Arc Sessions Folder, Arc Login Data, Arc Network Action Predictor, Arc Preferences, Arc Shortcuts, Arc Top Sites, Arc SyncData Database, Arc Bookmarks, Arc Visited Links, Arc Web Data, Arc JSON Files, Arc PLIST Files, CocCoc Bookmarks, CocCoc Cookies, CocCoc Current Session, CocCoc Current Tabs, CocCoc Download Metadata, CocCoc Extension Cookies, CocCoc Favicons, CocCoc History, CocCoc Last Session, CocCoc Last Tabs, CocCoc Sessions Folder, CocCoc Login Data, CocCoc Media History, CocCoc Network Action Predictor, CocCoc Network Persistent State, CocCoc Preferences, CocCoc Quota Manager, CocCoc Reporting and NEL, CocCoc Shortcuts, CocCoc Top Sites, CocCoc Trust Tokens, CocCoc SyncData Database, CocCoc Visited Links, CocCoc Web Data, CocCoc Snapshots Folder, QQ Browser Bookmarks, QQ Browser Cookies, QQ Browser Current Session, QQ Browser Current Tabs, QQ Browser Download Metadata, QQ Browser Extension Cookies, QQ Browser Favicons, QQ Browser History, QQ Browser Last Session, QQ Browser Last Tabs, QQ Browser Sessions Folder, QQ Browser Login Data, QQ Browser Media History, QQ Browser Network Action Predictor, QQ Browser Network Persistent State, QQ Browser Preferences, QQ Browser Quota Manager, QQ Browser Reporting and NEL, QQ Browser Shortcuts, QQ Browser Top Sites, QQ Browser Trust Tokens, QQ Browser SyncData Database, QQ Browser Visited Links, QQ Browser Web Data, QQ Browser Snapshots Folder, Microsoft Quick Assist, Microsoft Remote Help, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Remco RAT Default path, Remco RAT custom path - AppData screenshots folder, Remco RAT custom path - AppData notess folder, Remco RAT custom path - AppData micrecords folder, Remco RAT custom path - AppData hpsupport, Remco RAT custom path, Remco RAT custom path - AppData notess, Remco RAT custom path - AppData screenshots, Remco RAT custom path  - AppData micrecords, Remco RAT custom path  - AppData hpsupport, Supermium Bookmarks XP, Supermium Cookies XP, Supermium Current Session XP, Supermium Current Tabs XP, Supermium Favicons XP, Supermium History XP, Supermium Last Session XP, Supermium Last Tabs XP, Supermium Sessions Folder XP, Supermium Network Action Predictor XP, Supermium Network Persistent State XP, Supermium Login Data XP, Supermium Preferences XP, Supermium Reporting and NEL XP, Supermium Trust Tokens XP, Supermium SyncData Database XP, Supermium Shortcuts XP, Supermium Top Sites XP, Supermium Visited Links XP, Supermium Web Data XP, Supermium Bookmarks, Supermium Cookies, Supermium Current Session, Supermium Current Tabs, Supermium Download Metadata, Supermium Extension Cookies, Supermium Favicons, Supermium History, Supermium Last Session, Supermium Last Tabs, Supermium Sessions Folder, Supermium Login Data, Supermium Media History, Supermium Network Action Predictor, Supermium Network Persistent State, Supermium Preferences, Supermium Quota Manager, Supermium Reporting and NEL, Supermium Shortcuts, Supermium Top Sites, Supermium Trust Tokens, Supermium SyncData Database, Supermium Visited Links, Supermium Web Data, Supermium Snapshots Folder, SYSTEM Supermium History, UCBrowser Bookmarks, UCBrowser Cookies, UCBrowser Current Session, UCBrowser Current Tabs, UCBrowser Download Metadata, UCBrowser Extension Cookies, UCBrowser Favicons, UCBrowser History, UCBrowser Last Session, UCBrowser Last Tabs, UCBrowser Sessions Folder, UCBrowser Login Data, UCBrowser Media History, UCBrowser Network Action Predictor, UCBrowser Network Persistent State, UCBrowser Preferences, UCBrowser Quota Manager, UCBrowser Reporting and NEL, UCBrowser Shortcuts, UCBrowser Top Sites, UCBrowser Trust Tokens, UCBrowser SyncData Database, UCBrowser Visited Links, UCBrowser Web Data, UCBrowser Snapshots Folder, WaveBrowser bookmarks, WaveBrowser Cookies, WaveBrowser Current Session, WaveBrowser Current Tabs, WaveBrowser Download Metadata, WaveBrowser Extension Cookies, WaveBrowser Favicons, WaveBrowser History, WaveBrowser Last Session, WaveBrowser Last Tabs, WaveBrowser Sessions Folder, WaveBrowser Login Data, WaveBrowser Media History, WaveBrowser Network Action Predictor, WaveBrowser Network Persistent State, WaveBrowser Preferences, WaveBrowser Quota Manager, WaveBrowser Reporting and NEL, WaveBrowser Shortcuts, WaveBrowser Top Sites, WaveBrowser Trust Tokens, WaveBrowser SyncData Database, WaveBrowser Visited Links, WaveBrowser Web Data, WaveBrowser Snapshots Folder, SYSTEM WaveBrowser History"
    type: bool
  - name: Kaseya
    description: "Kaseya Data (by Drew Ervin and Andrew Rathbun): Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Agent Edge Service Logs"
    type: bool
  - name: Keepass
    description: "Keepass (by Vito Alfano): Keepass Config Xml, Keepass Application Details, Keepass User Config"
    type: bool
  - name: KeepassXC
    description: "KeepassXC (by Vito Alfano): Keepass Local Ini, Keepass Roaming Ini"
    type: bool
  - name: LNKFilesAndJumpLists
    description: "LNK Files and jump lists (by Eric Zimmerman, Andrew Rathbun, Yogesh Khatri): LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData"
    type: bool
  - name: Level
    description: "Level.io Application Logs (by Andrew Skatoff @DFIR_TNT): Level RMM Client Application logs"
    type: bool
  - name: LinuxOnWindowsProfileFiles
    description: "Linux on Windows Profile Files (by Troy Larson): .profile, .bash_history, .bash_logout, .bashrc"
    type: bool
  - name: LiveUserFiles
    description: "Live User Files (by Mark Hallman): User Files - Desktop, User Files - Documents, User Files - Downloads, User Files - Dropbox"
    type: bool
  - name: LogFiles
    description: "LogFiles (includes SUM) (by Fabian Murer): LogFiles, Error logging"
    type: bool
  - name: LogMeIn
    description: "LogMeIn Data (by Drew Ervin): LogMeIn ProgramData Logs, LogMeIn Application Logs, Application Event Log XP, Application Event Log Win7+"
    type: bool
  - name: MOF
    description: "MOF files (WMI) (by Eric Zimmerman): MOF files"
    type: bool
  - name: MSSQLErrorLog
    description: "MS SQL ErrorLogs (by Troy Larson): MS SQL Errorlog, MS SQL Errorlogs"
    type: bool
  - name: MacriumReflect
    description: "Macrium Reflect (by Andrew Rathbun): Macrium Reflect"
    type: bool
  - name: Malwarebytes
    description: "Malwarebytes Data (by Drew Ervin & Kirtan Shah): MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs"
    type: bool
  - name: ManageEngineLogs
    description: "ManageEngine Log Files (by Whitney Champion, Phill Moore): ManageEngine Desktop Central Log Files, ManageEngine ADSelfService Plus Log Files"
    type: bool
  - name: Mattermost
    description: "Mattermost (by Andrew Rathbun): Mattermost - Chat Logs"
    type: bool
  - name: McAfee
    description: "McAfee Log Files (by Sam Smoker): McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs"
    type: bool
  - name: McAfee_ePO
    description: "McAfee ePO Log Files (by Doug Metz): McAfee ePO Logs"
    type: bool
  - name: MediaMonkey
    description: "MediaMonkey (by Andrew Rathbun): MediaMonkey - Media SQLite Database, MediaMonkey - MediaMonkey.ini"
    type: bool
  - name: Megasync
    description: "MegaSync Data Collection (by Vito Alfano): MegaSync Folder"
    type: bool
  - name: MemoryFiles
    description: "Memory Files (by Ahmed Elshaer, Teo Kia Meng): hiberfil.sys, pagefile.sys, swapfile.sys, Small Memory Dump directory"
    type: bool
  - name: MeshAgent
    description: "MeshAgent log and configuration files (by Geir Olav Skei, Atea IRT): MeshAgent .msh (configuration) file, MeshAgent log file"
    type: bool
  - name: MessagingClients
    description: "Messaging and communication apps (by Gregor Wegberg): HexChat Chat Logs, mIRC Chat Logs (Vista+), mIRC Chat Logs (2000/XP), Mattermost - Chat Logs, IceChat Chat Logs, WhatsApp Cache, Cisco Jabber Database, WhatsApp Local Storage, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, Telegram app folder, Telegram downloaded files, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams Logs (Windows 11), Viber Users Backgrounds Cache, Discord Cache Files, Discord Local Storage LevelDB Files, Signal Attachments cache, Signal Logs, Signal config.json, Signal Database, main.db (App <v12), skype.db (App +v12), main.db XP, main.db Win7+, s4l-[username].db (App +v8), leveldb (Skype for Desktop +v8), Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack LevelDB Files, Slack Electron Logs, Slack Cache, Slack Storage, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Thumbnails Cache"
    type: bool
  - name: MicrosoftAzureCopy
    description: "Microsoft Azure Copy (by Chuck Whitson): Azure Copy - User Profile - *.log, Azure Copy - Plans - *.ste*"
    type: bool
  - name: MicrosoftOfficeBackstage
    description: "Microsoft Office Backstage (by Brian Maloney): Microsoft Office Backstage"
    type: bool
  - name: MicrosoftOneNote
    description: "Microsoft OneNote (by Andrew Rathbun): Microsoft OneNote - FullTextSearchIndex, Microsoft OneNote - RecentNotebooks_SeenURLs, Microsoft OneNote - AccessibilityCheckerIndex, Microsoft OneNote - User NoteTags, Microsoft OneNote - RecentSearches"
    type: bool
  - name: MicrosoftSafetyScanner
    description: "Microsoft Safety Scanner (by Geir Olav Skei): Windows Safety Scanner Logs"
    type: bool
  - name: MicrosoftStickyNotes
    description: "Microsoft Sticky Notes (by Andrew Rathbun): Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier, Microsoft Sticky Notes - 1607 and later"
    type: bool
  - name: MicrosoftTeams
    description: "Microsoft Teams (by Matt Dawson and Andrew Rathbun): Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams Logs (Windows 11)"
    type: bool
  - name: MicrosoftToDo
    description: "Microsoft To Do (by Andrew Rathbun): Microsoft To Do - SQLite Database of To Do tasks, Microsoft To Do - User Avatar"
    type: bool
  - name: MidnightCommander
    description: "Midnight Commander (by Andrew Rathbun): Midnight Commander -- All Configuation Files"
    type: bool
  - name: MiniTimelineCollection
    description: "MFT, Registry and Event Logs to generate a mini timeline (by Mari DeGrazia): System Profile registry hive, $Boot, $J, $Max, $LogFile, $MFT, System Profile registry transaction files, $SDS, $T, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, Event logs XP, Event logs Win7+, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
    type: bool
  - name: MstyDatabase
    description: "Msty is a UI to interact with large language models (LLMs) (by DReneau): Msty Artificial Intelligence"
    type: bool
  - name: MultiCommander
    description: "Multi Commander (by Andrew Rathbun): Multi Commander - Application Folder, Multi Commander - Config Folder, Multi Commander - Log Folder, Multi Commander - UserData Folder, Multi Commander - Log File"
    type: bool
  - name: NETCLRUsageLogs
    description: ".NET CLR UsageLogs (by Matias Davaro, Thomas DIOT (Qazeer)): .NET CLR UsageLogs (user-scoped), .NET CLR UsageLogs (system-scoped)"
    type: bool
  - name: NGINXLogs
    description: "NGINX Log Files (by Eric Capuano): NGINX Log Files"
    type: bool
  - name: NZBGet
    description: "NZBGet (by Andrew Rathbun): Usenet Clients - NZBGet Log File, Usenet Clients - NZBGet NZBs"
    type: bool
  - name: Nessus
    description: "Nessus (by Andrew Rathbun): Nessus Logs"
    type: bool
  - name: NetMonitorforEmployeesProfessional
    description: "Net Monitor for Employees Pro (by Tristan PINCEAUX - CERT CWATCH - ALMOND): Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Net Monitor Client Config"
    type: bool
  - name: NetworkScanner
    description: "Network Scanner Tools (by Reece394): Advanced IP Scanner Aliases, Advanced IP Scanner Comments, Advanced IP Scanner MAC, Advanced Port Scanner Aliases, Advanced Port Scanner Comments, Advanced Port Scanner MAC, Netscan XML default output"
    type: bool
  - name: NewsbinPro
    description: "Newsbin Pro (by Andrew Rathbun): Usenet Clients - Newsbin Pro"
    type: bool
  - name: Newsleecher
    description: "Newsleecher (by Andrew Rathbun): Usenet Clients - Newsleecher"
    type: bool
  - name: Nicotine__
    description: "Nicotine++ (by Andrew Rathbun): Nicotine++ Logs, Nicotine++ Incomplete Downloads, Nicotine++ Buddyfiles.db, Nicotine++ Buddystreams.db, Nicotine++ Buddymtimes.db, Nicotine++ Buddyfileindex.db, Nicotine++ Buddywordindex.db, Nicotine++ Config Files, Nicotine++ User Shares, Nicotine++ Downloads.json, Nicotine++ Uploads.json"
    type: bool
  - name: Notepad__
    description: "Notepad++ Backups, recently searched/replaced terms and recently opened documents (by Banaanhangwagen and Matt Dawson): Notepad++ Config, Notepad++ Session, Notepad++ Unsaved Edits"
    type: bool
  - name: Notepad
    description: "A Target to collect files that are currently open in Notepad (Windows 11+) (by Andrew Rathbun): Notepad Session Files"
    type: bool
  - name: Notion
    description: "Notion Note-Taking App (by Thomas Burnette): Notion Local Storage, Notion Custom Dictionary"
    type: bool
  - name: OfficeAutosave
    description: "Office Autosave (by Russ Taylor): Publisher Autosave Location, Word Autosave Location, Excel Autosave Location, Powerpoint Autosave Location"
    type: bool
  - name: OfficeDiagnostics
    description: "Office Diagnostics (by teddy-ROxPin): Office Diagnostics, Office Elevated Diagnostics"
    type: bool
  - name: OfficeDocumentCache
    description: "Office Document Cache (by Banaanhangwagen): Office Document Cache"
    type: bool
  - name: OneCommander
    description: "One Commander (by Andrew Rathbun): One Commander - All Configuration Files, One Commander - Other Configuration Files"
    type: bool
  - name: OneDrive_Metadata
    description: "Microsoft OneDrive Storage Metadata (by Chad Tilbury): OneDrive Metadata Logs, OneDrive Metadata Settings"
    type: bool
  - name: OneDrive_UserFiles
    description: "Microsoft OneDrive Storage Files (by Chad Tilbury): OneDrive User Files"
    type: bool
  - name: OpenSSHClient
    description: "OpenSSH Client config, known hosts and keys (by Matt Dawson): OpenSSH Config File, OpenSSH Known Hosts, OpenSSH Public Keys, OpenSSH Default RSA Private Key, OpenSSH Default ECDSA Private Key, OpenSSH Default ECDSA-SK Private Key, OpenSSH Default ED25519 Private Key, OpenSSH Default ED25519-SK Private Key, OpenSSH Default DSA Private Key"
    type: bool
  - name: OpenSSHServer
    description: "OpenSSH Server Config and Logs (by Matt Dawson): OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host DSA Key, OpenSSH Host RSA Key, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2, OpenSSH Authorized Administrator Keys"
    type: bool
  - name: OpenVPNClient
    description: "OpenVPN Client Config and Log (by Mathias Frank): OpenVPN Client Config"
    type: bool
  - name: Opera
    description: "Opera (by Andrew Rathbun): Opera - Local Folder, Opera - Roaming Folder"
    type: bool
  - name: OutlookPSTOST
    description: "Outlook PST and OST files (by Eric Zimmerman and Chad Tilbury): PST XP, OST XP, PST (2013 or 2016), OST (2013 or 2016), PST, OST, NST, Outlook Attachment Temporary Storage"
    type: bool
  - name: P2PClients
    description: "P2P Clients (by Andrew Rathbun): Shareaza Logs, eMule Logs and Configuration Files, eMule part.met files, FrostWire Downloads, DC++ Chat Logs, FrostWire AppData, Gigatribe Files Windows Vista/7/8/10, Gigatribe Files Windows XP, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings"
    type: bool
  - name: PeaZip
    description: "PeaZip (by Andrew Rathbun): PeaZip Configuration Files"
    type: bool
  - name: PerfLogs
    description: "Perflogs Folder Copy (by Vito Alfano): Perflogs"
    type: bool
  - name: PowerShell7Config
    description: "PowerShell 7 Runtime Config (by Andrew Rathbun): PowerShell 7 Config JSON"
    type: bool
  - name: PowerShellConsole
    description: "PowerShell Console Log File (by Mike Cary, 2thewes, Vikas Singh): PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config"
    type: bool
  - name: PowerShellTranscripts
    description: "PowerShell Transcripts (by Andrew Rathbun and Chad Tilbury): PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location"
    type: bool
  - name: Prefetch
    description: "Prefetch files (by Eric Zimmerman): Prefetch"
    type: bool
  - name: ProgramData
    description: "ProgramData Folder Copy (by Vito Alfano): ProgramData"
    type: bool
  - name: ProgramExecution
    description: "Program Execution Triage Collection (by Max Zabuty): PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, Prefetch, WBEM, WER Files, Crash Dumps, Amcache, Amcache transaction files, Syscache, Syscache transaction files, AppCompat PCA Folder, RecentFileCache, .NET CLR UsageLogs (user-scoped), .NET CLR UsageLogs (system-scoped), JumpLists from CustomDestinations, ActivitiesCache.db"
    type: bool
  - name: ProtonVPN
    description: "ProtonVPN (by Andrew Rathbun): ProtonVPN - Connection Logs"
    type: bool
  - name: PuffinSecureBrowser
    description: "Puffin Secure Browser (by Andrew Rathbun): Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Puffin - Image Cache"
    type: bool
  - name: PushNotification
    description: "Windows Push Notification Service (by Zawadi Done): WNS"
    type: bool
  - name: Q_Dir
    description: "Q-Dir (by Andrew Rathbun): Q-Dir - .ini File, Q-Dir - .qdr file"
    type: bool
  - name: QFinderPro__QNAP_
    description: "QFinderPro (QNAP) (by Andrew Rathbun): QFinderPro"
    type: bool
  - name: QQBrowser
    description: "QQ Browser (by Reece394): QQ Browser Cookies, QQ Browser Current Session, QQ Browser Current Tabs, QQ Browser Download Metadata, QQ Browser Extension Cookies, QQ Browser Favicons, QQ Browser History, QQ Browser Last Session, QQ Browser Last Tabs, QQ Browser Sessions Folder, QQ Browser Login Data, QQ Browser Media History, QQ Browser Network Action Predictor, QQ Browser Network Persistent State, QQ Browser Preferences, QQ Browser Quota Manager, QQ Browser Reporting and NEL, QQ Browser Shortcuts, QQ Browser Top Sites, QQ Browser Trust Tokens, QQ Browser SyncData Database, QQ Browser Visited Links, QQ Browser Web Data, Windows Protect Folder, QQ Browser Snapshots Folder, QQ Browser Bookmarks"
    type: bool
  - name: QlikSense
    description: "Qlik Sense (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): Qlik Sense Logs"
    type: bool
  - name: QuickAssist
    description: "Microsoft Quick Assist/Remote Help (by Andrew Rathbun): Microsoft Quick Assist, Microsoft Remote Help"
    type: bool
  - name: RDPCache
    description: "RDP Cache Files (by Hadar Yudovich): RDP Cache Files, Windows.old RDP Cache Files"
    type: bool
  - name: RDPJumplist
    description: "RDP Jumplist Files (by Vito Alfano): RDP Jumplist Files"
    type: bool
  - name: RDPLogs
    description: "RDP Logs (by Drew Ervin): RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs"
    type: bool
  - name: Radmin
    description: "Radmin Server/Viewer Logs and Chats (by Mathias Frank): Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats"
    type: bool
  - name: RcloneConf
    description: "Rclone config file (by Eric Capuano): Rclone Config"
    type: bool
  - name: RecentFileCache
    description: "RecentFileCache (by Eric Zimmerman): RecentFileCache"
    type: bool
  - name: RecentFolders
    description: "Recent Folders LNK files (by Max Zabuty): LNK Files from Recent, LNK Files from Microsoft Office Recent"
    type: bool
  - name: RecycleBin
    description: "Recycle Bin DataAndInfo (by Mark Hallman / Joshua Hickman): Recycle Bin - Windows Vista+, RECYCLER - WinXP"
    type: bool
  - name: RecycleBin_DataFiles
    description: "Recycle Bin Data Files (by Joshua Hickman, Andreas Hunkeler (@Karneades), Brian Maloney): Recycle Bin - Windows Vista+, RECYCLER - WinXP"
    type: bool
  - name: RecycleBin_InfoFiles
    description: "Recycle Bin Info Files (by Joshua Hickman, Andreas Hunkeler (@Karneades)): Recycle Bin - Windows Vista+, RECYCLER - WinXP"
    type: bool
  - name: RegistryHives
    description: "System and user related Registry hives (by Eric Zimmerman): System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
    type: bool
  - name: RegistryHivesMSIXApps
    description: "MSIX/APPX App Hives (by Zach Stanford / Mari DeGrazia): Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive"
    type: bool
  - name: RegistryHivesOther
    description: "Other Registry Hives (by Andrew Rathbun): BBI registry hive, BBI registry transaction files, BCD-Template registry hive, BCD-Template registry transaction files, COMPONENTS registry hive, COMPONENTS registry transaction files, DRIVERS registry hive, DRIVERS registry transaction files, ELAM registry hive, ELAM registry transaction files, userdiff registry hive, userdiff registry transaction files, VSMIDK registry hive, VSMIDK registry transaction files"
    type: bool
  - name: RegistryHivesSystem
    description: "System level/related Registry hives (by Eric Zimmerman / Mark Hallman): System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
    type: bool
  - name: RegistryHivesUser
    description: "User Related Registry hives (by Eric Zimmerman / Mark Hallman): NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive"
    type: bool
  - name: Remcos
    description: "Remcos RAT (by CERT CWATCH - ALMOND): Remco RAT custom path - AppData notess folder, Remco RAT custom path - AppData micrecords folder, Remco RAT custom path - AppData hpsupport, Remco RAT custom path, Remco RAT custom path - AppData notess, Remco RAT custom path - AppData screenshots, Remco RAT custom path  - AppData micrecords, Remco RAT custom path  - AppData hpsupport, Remco RAT Default path, Remco RAT custom path - AppData screenshots folder"
    type: bool
  - name: RemoteAdmin
    description: "Composite target for files related to remote administration tools (by Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore): Splashtop Log Files, Splashtop Log Files in ProgramData, LogMeIn ProgramData Logs, LogMeIn Application Logs, Supremo Connection Logs, Supremo File Transfer Inbox, Action1 Client Application logs, MeshAgent .msh (configuration) file, MeshAgent log file, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, Microsoft Quick Assist, Microsoft Remote Help, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, Application Event Log XP, Application Event Log Win7+, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Net Monitor Client Config, Unified endpoint management and security solutions from ManageEngine, UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log, RealVNC Log, TightVNC Application Logs, RDP Cache Files, Windows.old RDP Cache Files, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, DWAgent Log Files, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Xeox RMM Client Application logs, TeamViewer Connection Logs, Zoho Assist log files in AppData\Local, Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files, Zoho Assist log files in Program Files*, Zoho Assist .conf files in  Program Files*, Zoho Assist .txt files in  Program Files*, mRemoteNG Logs, mRemoteNG Connection Configuration and Backups, mRemoteNG Program Settings, RemoteUtilities Connection Logs, RemoteUtilities Install Log, AnyDesk File Transfer Logs - Running in portable mode, AnyDesk File Transfer Logs - Installed as a Service, RustDesk logs, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, Comodo, Remco RAT Default path, Remco RAT custom path - AppData screenshots folder, Remco RAT custom path - AppData notess folder, Remco RAT custom path - AppData micrecords folder, Remco RAT custom path - AppData hpsupport, Remco RAT custom path, Remco RAT custom path - AppData notess, Remco RAT custom path - AppData screenshots, Remco RAT custom path  - AppData micrecords, Remco RAT custom path  - AppData hpsupport, ScreenConnect Session Database, ScreenConnect User Config, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Agent Edge Service Logs, Level RMM Client Application logs"
    type: bool
  - name: RemoteUtilities_app
    description: "Remote Utilities (by Ryan McVicar): RemoteUtilities Connection Logs, RemoteUtilities Install Log"
    type: bool
  - name: RoamingProfile
    description: "User Related Registry Hives, LNK files, etc (by Scott Downie): NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, Desktop LNK Files, Publisher Autosave Location, Excel Autosave Location, PowerPoint Autosave Location, Office Document Cache, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Edge folder, Amcache, Amcache transaction files, LNK Files from Recent, LNK Files from Microsoft Office Recent"
    type: bool
  - name: Robo_FTP
    description: "Robo-FTP (by Thomas Burnette): Robo-FTP User Scripts, Robo-FTP User Debug Logs, Robo-FTP User Script/Trace Logs, Robo-FTP User XML Config, Robo-FTP User SSH Keys, Robo-FTP User SSL Certificates, Robo-FTP User PGP Keys, Robo-FTP SSH Keys, Robo-FTP SSL Certificates, Robo-FTP PGP Keys, Robo-FTP Debug Logs, Robo-FTP Script/Trace Logs, Robo-FTP XML Config, Robo-FTP Jobs"
    type: bool
  - name: RogueKiller
    description: "RogueKiller Anti-Malware (by Adlice Software) (by Drew Ervin): RogueKiller Reports"
    type: bool
  - name: RustDesk
    description: "RustDesk (by Andrew Rathbun): RustDesk logs"
    type: bool
  - name: SABnbzd
    description: "SABnbzd (by Andrew Rathbun): Usenet Clients - SABnzbd Download Logs, Usenet Clients - SABnzbd History.db"
    type: bool
  - name: SCCMClientLogs
    description: "SCCM Client Log Files (by Andrew Rathbun): SCCM Client Log Files"
    type: bool
  - name: SDB
    description: "Shim SDB FIles (by Troy Larson): SDB Files x64, SDB Files"
    type: bool
  - name: SOFELK
    description: "SOF-ELK related files of interest (by Tony Knutson and Andrew Rathbun): $Boot, $J, $Max, $LogFile, $MFT, $SDS, $T, Prefetch, Event logs XP, Event logs Win7+, Amcache, Amcache transaction files, Syscache, Syscache transaction files, AppCompat PCA Folder, RecentFileCache, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData"
    type: bool
  - name: SQLiteDatabases
    description: "SQLDatabases Target for use with SQLECmd Module (by Andrew Rathbun): 4K Video Downloader, Microsoft OneNote - FullTextSearchIndex, Microsoft OneNote - RecentNotebooks_SeenURLs, Microsoft OneNote - AccessibilityCheckerIndex, Microsoft OneNote - User NoteTags, Microsoft OneNote - RecentSearches, Microsoft Sticky Notes - 1607 and later, Microsoft To Do - SQLite Database of To Do tasks, Robo-FTP Jobs, TeraCopy - History Databases, TeraCopy - Main Database, Notion Local Storage, IDrive Backed Up Files, Dropbox Metadata, Google File Stream Metadata, FileZilla SQLite3 Log Files, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Addons, Bookmarks, Cookies, Downloads, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files, EventTranscript.db"
    type: bool
  - name: SRUM
    description: "System Resource Usage Monitor (SRUM) Data (by Mark Hallman): SRUM, SOFTWARE registry hive, SOFTWARE registry transaction files"
    type: bool
  - name: SUM
    description: "SUM Database (by Andrew Rathbun): SUM Database (.mdb files)"
    type: bool
  - name: SUPERAntiSpyware
    description: "SUPERAntiSpyware Data (by Drew Ervin): SUPERAntiSpyware Logs"
    type: bool
  - name: SUSELinuxEnterpriseServer
    description: "SUSE Linux Enterprise Server on Windows Subsystem for Linux (by Matt Dawson): SUSE Linux Enterprise Server WSL /etc/os-release, SUSE Linux Enterprise Server WSL /etc/fstab, SUSE Linux Enterprise Server WSL /etc/passwd, SUSE Linux Enterprise Server WSL /etc/group, SUSE Linux Enterprise Server WSL /etc/shadow, SUSE Linux Enterprise Server WSL /etc/timezone, SUSE Linux Enterprise Server WSL /etc/hostname, SUSE Linux Enterprise Server WSL /etc/hosts, SUSE Linux Enterprise Server WSL /etc/bash.bashrc, SUSE Linux Enterprise Server WSL /etc/profile, SUSE Linux Enterprise Server WSL .bash_history, SUSE Linux Enterprise Server WSL .bashrc, SUSE Linux Enterprise Server WSL .profile, SUSE Linux Enterprise Server WSL ext4.vhdx"
    type: bool
  - name: ScheduledTasks
    description: "Scheduled tasks (*.job and XML) (by Eric Zimmerman, Reece394): PowerShell Scheduled_Jobs, PowerShell Scheduled_Jobs Output, PowerShell Scheduled_Jobs Systemprofile, PowerShell Scheduled_Jobs Output Systemprofile, PowerShell Scheduled_Jobs WOW64 Systemprofile, PowerShell Scheduled_Jobs Output WOW64 Systemprofile, at .job, at SchedLgU.txt, XML"
    type: bool
  - name: ScreenConnect
    description: "ScreenConnect Data (now known as ConnectWise Control) (by Drew Ervin): ScreenConnect User Config, Application Event Log XP, Application Event Log Win7+, ScreenConnect Session Database"
    type: bool
  - name: SecureAge
    description: "SecureAge Antivirus Logs (by Andrew Rathbun): SecureAge Antvirus Logs"
    type: bool
  - name: SentinelOne
    description: "Sentinel One Logs (by Kirtan Shah): SentinelOne EDR Log"
    type: bool
  - name: ServerTriage
    description: "A compound target for gathering artifacts common to servers. (by Eric Capuano): MS SQL Errorlog, MS SQL Errorlogs, IIS log files, ManageEngine Desktop Central Log Files, ManageEngine ADSelfService Plus Log Files, Confluence Wiki Log Files, Exchange client access log files, Apache Access Log, Exchange Setup Log file, Exchange TransportRoles log files, FileZilla Server XML Log Files, FileZilla Log Files, NGINX Log Files, OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host DSA Key, OpenSSH Host RSA Key, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2, OpenSSH Authorized Administrator Keys"
    type: bool
  - name: Session
    description: "Session Desktop (by Vito Alfano): Session App Folder"
    type: bool
  - name: ShareX
    description: "ShareX (by Andrew Rathbun): ShareX"
    type: bool
  - name: Shareaza
    description: "Shareaza (by Andrew Rathbun): Shareaza Logs"
    type: bool
  - name: SiemensTIA
    description: "Copy Siemens TIA Settings (by Olaf Schwarz (@b00010111)): Siemens TIA Settings"
    type: bool
  - name: Signal
    description: "Signal (Please view this tkape file for documentation on decryption!) (by Matt Dawson): Signal Logs, Signal config.json, Signal Database, Signal Attachments cache"
    type: bool
  - name: SignatureCatalog
    description: "Obtain detached signature catalog files (by Mike Pilkington): SignatureCatalog"
    type: bool
  - name: SimpleHelp
    description: "SimpleHelp Remote Access Client (by Chuck Whitson): SimpleHelp - ProgramData - JWrapper Logs, SimpleHelp - ProgramData - SimpleHelp Logs, SimpleHelp - User AppData - Technician Console Logs"
    type: bool
  - name: Skype
    description: "Skype (by Eric Zimmerman, Matt Dawson): main.db (App <v12), skype.db (App +v12), main.db XP, main.db Win7+, s4l-[username].db (App +v8), leveldb (Skype for Desktop +v8), Skype for Destkop v8+ Chromium Cache"
    type: bool
  - name: Slack
    description: "Slack (by Andrew Rathbun and Chad Tilbury): Slack - Chat Logs, Slack LevelDB Files, Slack Electron Logs, Slack Cache, Slack Storage"
    type: bool
  - name: Snagit
    description: "Snagit (by Andrew Rathbun): Snagit - Captures"
    type: bool
  - name: SnipAndSketch
    description: "Snip & Sketch Cached Images (by Kevin Pagano): Snip & Sketch"
    type: bool
  - name: SoftPerfectNetscan
    description: "Soft Perfect Network Scanner Output (by CERT CWATCH - ALMOND): Netscan XML default output"
    type: bool
  - name: Sophos
    description: "Sophos Data (by Drew Ervin, Reece394): Sophos Logs (XP), Application Event Log Win7+, Application Event Log XP, Sophos Logs"
    type: bool
  - name: Soulseek
    description: "Soulseek (by Andrew Rathbun): Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings"
    type: bool
  - name: SpeedCommander
    description: "SpeedCommander (by Andrew Rathbun): SpeedCommander - .ini File"
    type: bool
  - name: Splashtop
    description: "Splashtop (by Andrew Rathbun, Yogesh Khatri): Splashtop Log Files, Splashtop Log Files in ProgramData"
    type: bool
  - name: StartupFolders
    description: "Startup Folders (by Jason Ballard): User startup folders, System-wide startup folder"
    type: bool
  - name: StartupInfo
    description: "StartupInfo XML Files (by Hadar Yudovich): StartupInfo XML Files"
    type: bool
  - name: Steam
    description: "Steam (by Nisarg Suthar, SolitudePy): Steam Game Image files, Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files, Steam Startup Times Log file"
    type: bool
  - name: SublimeText
    description: "Sublime Text 2/3/4 Auto Save Session (by Mathias Frank and Nisarg Suthar): SublimeText 2/3 Auto Save Session, SublimeText 4 Auto Save Session"
    type: bool
  - name: SugarSync
    description: "SugarSync (by Andrew Rathbun): SugarSync Log File, SugarSync - Shared Folders (Default Location), SugarSync - My SugarSync (Default Location)"
    type: bool
  - name: SumatraPDF
    description: "SumatraPDF (by Andrew Rathbun): SumatraPDF Settings - SessionData, SumatraPDF Cache"
    type: bool
  - name: Supermium
    description: "Supermium (by Reece394): Supermium Bookmarks XP, Supermium Cookies XP, Supermium Current Session XP, Supermium Current Tabs XP, Supermium Favicons XP, Supermium History XP, Supermium Last Session XP, Supermium Last Tabs XP, Supermium Sessions Folder XP, Supermium Network Action Predictor XP, Supermium Network Persistent State XP, Supermium Login Data XP, Supermium Preferences XP, Supermium Reporting and NEL XP, Supermium Trust Tokens XP, Supermium SyncData Database XP, Supermium Shortcuts XP, Supermium Top Sites XP, Supermium Visited Links XP, Supermium Web Data XP, Supermium Bookmarks, Supermium Cookies, Supermium Current Session, Supermium Current Tabs, Supermium Download Metadata, Supermium Extension Cookies, Supermium Favicons, Supermium History, Supermium Last Session, Supermium Last Tabs, Supermium Sessions Folder, Supermium Login Data, Supermium Media History, Supermium Network Action Predictor, Supermium Network Persistent State, Supermium Preferences, Supermium Quota Manager, Supermium Reporting and NEL, Supermium Shortcuts, Supermium Top Sites, Supermium Trust Tokens, Supermium SyncData Database, Supermium Visited Links, Supermium Web Data, Windows Protect Folder, Supermium Snapshots Folder, SYSTEM Supermium History"
    type: bool
  - name: SupremoRemoteDesktop
    description: "Supremo Remote Desktop Control Logs (by epoxigen): Supremo Connection Logs, Supremo File Transfer Inbox"
    type: bool
  - name: Symantec_AV_Logs
    description: "Symantec AV Logs (by Brian Maloney): Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, Application Event Log Win7+, Application Event Log XP, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs"
    type: bool
  - name: Syncthing
    description: "Syncthing Configuration and Logs (by Vito Alfano): Syncthing Configuration and Certificates, Syncthing Cache and Storage, Syncthing Logs"
    type: bool
  - name: Syscache
    description: "syscache.hve (by Phill Moore): Syscache, Syscache transaction files"
    type: bool
  - name: TablacusExplorer
    description: "Tablacus Explorer (by Andrew Rathbun): Tablacus Explorer - window.xml, Tablacus Explorer - window1.xml, Tablacus Explorer - remember.xml"
    type: bool
  - name: TeamViewerLogs
    description: "TeamViewer Logs (by Hadar Yudovich, Sam Smoker): TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files"
    type: bool
  - name: Telegram
    description: "Telegram Desktop (by Simone Marinari): Telegram app folder, Telegram downloaded files"
    type: bool
  - name: TeraCopy
    description: "TeraCopy log history (by Kevin Pagano): TeraCopy"
    type: bool
  - name: ThumbCache
    description: "Thumbcache DB (by Eric Zimmerman): Thumbcache DB"
    type: bool
  - name: Thunderbird
    description: "Mozilla Thunderbird Email Client (by Matt Dawson): Mozilla Thunderbird Install Date, Mozilla Thunderbird Profiles.ini, Mozilla Thunderbird prefs.js, Mozilla Thunderbird Global Messages Database, Mozilla Thunderbird logins.json, Mozilla Thunderbird places.sqlite, Mozilla Thunderbird ImapMail INBOX, Mozilla Thunderbird Mail INBOX, Mozilla Thunderbird Calendar Data, Mozilla Thunderbird Attachments, Mozilla Thunderbird Address Book"
    type: bool
  - name: TorrentClients
    description: "Torrent Clients (by Andrew Rathbun): TorrentClients - qBittorrent, TorrentClients - uTorrent, TorrentClients - BitTorrent"
    type: bool
  - name: Torrents
    description: "Torrent Files (by Tony Knutson): Torrents"
    type: bool
  - name: TotalAV
    description: "TotalAV Antivirus Data (by Kirtan Shah): TotalAV Logs"
    type: bool
  - name: TotalCommander
    description: "Total Commander (by Andrew Rathbun, Jessica Venturo and Chuck Whitson): Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Total Commander - FTP .ini File, Total Commander - File Tree, Total Commander - Frequent Directory Listing, Total Commander - FTP Logs"
    type: bool
  - name: TreeSize
    description: "TreeSize - Scan History (by Andrew Rathbun): TreeSize - ScanHistory.XML"
    type: bool
  - name: TrendMicro
    description: "Trend Micro Data (by Drew Ervin): Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs"
    type: bool
  - name: UCBrowser
    description: "UCBrowser (by Reece394): UCBrowser Bookmarks, UCBrowser Cookies, UCBrowser Current Session, UCBrowser Current Tabs, UCBrowser Download Metadata, UCBrowser Extension Cookies, UCBrowser Favicons, UCBrowser History, UCBrowser Last Session, UCBrowser Last Tabs, UCBrowser Sessions Folder, UCBrowser Login Data, UCBrowser Media History, UCBrowser Network Action Predictor, UCBrowser Network Persistent State, UCBrowser Preferences, UCBrowser Quota Manager, UCBrowser Reporting and NEL, UCBrowser Shortcuts, UCBrowser Top Sites, UCBrowser Trust Tokens, UCBrowser SyncData Database, UCBrowser Visited Links, UCBrowser Web Data, Windows Protect Folder, UCBrowser Snapshots Folder"
    type: bool
  - name: UEMS
    description: "UEMS Manage Engine Agent (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): Unified endpoint management and security solutions from ManageEngine"
    type: bool
  - name: USBDetective
    description: "Collects files that can be input into USB Detective for parsing (by Kevin Pagano): System Profile registry hive, System Profile registry transaction files, Local Service registry hive, Local Service registry transaction files, Network Service registry hive, Network Service registry transaction files, System Restore Points Registry Hives (XP), Desktop LNK Files XP, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry transaction files, Event logs XP, Event logs Win7+, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, UsrClass.dat registry hive, Desktop LNK Files, Amcache, Amcache transaction files, LNK Files from Recent (XP), Restore point LNK Files XP, Registry.dat MSIX Hive, User.dat MSIX Hive, UserClasses.dat MSIX Hive, Setupapi.log XP, Setupapi.log Win7+, LNK Files from Recent, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, Start Menu LNK Files, SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SAM registry hive, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, RegBack registry transaction files, SAM registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
    type: bool
  - name: USBDevicesLogs
    description: "USB devices log files (by Eric Zimmerman, esecrpm): Setupapi.log XP, Setupapi.log Win7+"
    type: bool
  - name: Ubuntu
    description: "Ubuntu on Windows Subsystem for Linux (by Matt Dawson): Ubuntu WSL ext4.vhdx, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, Ubuntu WSL /etc/passwd, Ubuntu WSL /etc/group, Ubuntu WSL /etc/shadow, Ubuntu WSL /etc/timezone, Ubuntu WSL /etc/hostname, Ubuntu WSL /etc/hosts, Ubuntu WSL /etc/crontab, Ubuntu WSL /etc/bash.bashrc, Ubuntu WSL /etc/profile, Ubuntu WSL .bash_history, Ubuntu WSL .bashrc, Ubuntu WSL .profile, Ubuntu WSL User Crontabs, Ubuntu WSL Apt Logs"
    type: bool
  - name: Ultraviewer
    description: "UltraViewer (by Ryan McVicar, Sam Smoker): UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log"
    type: bool
  - name: Usenet
    description: "Usenet (NZB) Files (by Andrew Rathbun): Usenet (NZB) Files"
    type: bool
  - name: UsenetClients
    description: "Usenet Clients (by Andrew Rathbun): Usenet Clients - NZBGet Log File, Usenet Clients - NZBGet NZBs, Usenet Clients - Newsbin Pro, Usenet Clients - Newsleecher, Usenet Clients - SABnzbd Download Logs, Usenet Clients - SABnzbd History.db"
    type: bool
  - name: UsersFolders
    description: "Users folders Dump (by Vito Alfano): Users"
    type: bool
  - name: VIPRE
    description: "VIPRE Data (by Drew Ervin): VIPRE Business User Logs (v7+), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VIPRE Business Agent Logs"
    type: bool
  - name: VLC_Media_Player
    description: "VLC Media Player (by Matt Dawson): VLC Recently Opened Files, VLC Recorded Files"
    type: bool
  - name: VMware
    description: "Runs all VMware modules to collect VMware VM config files, logs and Virtual Hard Disks (by Matt Dawson): VHDX, VDI, VMDK, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VHD"
    type: bool
  - name: VMwareInventory
    description: "VMware - Virtual Machine Inventory (by Andrew Rathbun): VMware - Virtual Machine Inventory"
    type: bool
  - name: VMwareMemory
    description: "VMware - Virtual Machine Memory (by Andrew Rathbun): VMware (Fusion/Workstation/Server/Player)"
    type: bool
  - name: VNCLogs
    description: "VNC Logs (by Phill Moore): RealVNC Log, TightVNC Application Logs, Application Event Log XP, Application Event Log Win7+"
    type: bool
  - name: Viber
    description: "ViberPC Messaging App (by Matt Dawson): Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache"
    type: bool
  - name: VirtualBox
    description: "Runs all VirtualBox modules to collect Virtualbox VM config files, logs and Virtual Hard Disks (by Matt Dawson): VHDX, VDI, VMDK, VirtualBox VM configs, VirtualBox VM backup configs, VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD"
    type: bool
  - name: VirtualBoxConfig
    description: "Collects VirtualBox configuration files (by Matt Dawson): VirtualBox VM configs, VirtualBox VM backup configs"
    type: bool
  - name: VirtualBoxLogs
    description: "Collects VirtualBox log files (by Matt Dawson): VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs"
    type: bool
  - name: VirtualBoxMemory
    description: "VirtualBox - Memory (by Andrew Rathbun): VirtualBox"
    type: bool
  - name: VirtualDisks
    description: "Virtual Disks (by Phill Moore): VHDX, VDI, VMDK, VHD"
    type: bool
  - name: VisualStudioCode
    description: "Visual Studio Code artifacts (by Sebastian Søgaard): VSCode Opened Files, VSCode Workspaces, VSCode User extensions, VSCode User settings, VSCode User Preferences, VSCode Network Cookies, VSCode Network Persistent State, VSCode Logs"
    type: bool
  - name: Vivaldi
    description: "Vivaldi Artifacts (by Sebastian Søgaard): Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata"
    type: bool
  - name: WBEM
    description: "Web-Based Enterprise Management (WBEM) (by Mark Hallman): WBEM"
    type: bool
  - name: WER
    description: "Windows Error Reporting (by Troy Larson): Crash Dumps, WER Files"
    type: bool
  - name: WSL
    description: "All Windows Subsystem for Linux targets (by Matt Dawson): Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, Ubuntu WSL /etc/passwd, Ubuntu WSL /etc/group, Ubuntu WSL /etc/shadow, Ubuntu WSL /etc/timezone, Ubuntu WSL /etc/hostname, Ubuntu WSL /etc/hosts, Ubuntu WSL /etc/crontab, Ubuntu WSL /etc/bash.bashrc, Ubuntu WSL /etc/profile, Ubuntu WSL .bash_history, Ubuntu WSL .bashrc, Ubuntu WSL .profile, Ubuntu WSL User Crontabs, Ubuntu WSL Apt Logs, Ubuntu WSL ext4.vhdx, Debian WSL /etc/debian_version, Debian WSL /etc/fstab, Debian WSL /etc/os-release, Debian WSL /etc/passwd, Debian WSL /etc/group, Debian WSL /etc/shadow, Debian WSL /etc/timezone, Debian WSL /etc/hostname, Debian WSL /etc/hosts, Debian WSL /etc/crontab, Debian WSL /etc/bash.bashrc, Debian WSL /etc/profile, Debian WSL .bash_history, Debian WSL .bashrc, Debian WSL .profile, Debian WSL User Crontabs, Debian WSL Apt Logs, Debian WSL ext4.vhdx, openSUSE WSL /etc/os-release, openSUSE WSL /etc/fstab, openSUSE WSL /etc/passwd, openSUSE WSL /etc/group, openSUSE WSL /etc/shadow, openSUSE WSL /etc/timezone, openSUSE WSL /etc/hostname, openSUSE WSL /etc/hosts, openSUSE WSL /etc/bash.bashrc, openSUSE WSL /etc/profile, openSUSE WSL .bash_history, openSUSE WSL .bashrc, openSUSE WSL .profile, openSUSE WSL ext4.vhdx, SUSE Linux Enterprise Server WSL .bashrc, SUSE Linux Enterprise Server WSL .profile, SUSE Linux Enterprise Server WSL ext4.vhdx, SUSE Linux Enterprise Server WSL /etc/os-release, SUSE Linux Enterprise Server WSL /etc/fstab, SUSE Linux Enterprise Server WSL /etc/passwd, SUSE Linux Enterprise Server WSL /etc/group, SUSE Linux Enterprise Server WSL /etc/shadow, SUSE Linux Enterprise Server WSL /etc/timezone, SUSE Linux Enterprise Server WSL /etc/hostname, SUSE Linux Enterprise Server WSL /etc/hosts, SUSE Linux Enterprise Server WSL /etc/bash.bashrc, SUSE Linux Enterprise Server WSL /etc/profile, SUSE Linux Enterprise Server WSL .bash_history, Kali WSL /etc/debian_version, Kali WSL /etc/fstab, Kali WSL /etc/os-release, Kali WSL /etc/passwd, Kali WSL /etc/group, Kali WSL /etc/shadow, Kali WSL /etc/timezone, Kali WSL /etc/hostname, Kali WSL /etc/hosts, Kali WSL /etc/crontab, Kali WSL /etc/bash.bashrc, Kali WSL /etc/profile, Kali WSL .bash_history, Kali WSL .bashrc, Kali WSL .profile, Kali WSL User Crontabs, Kali WSL Apt Logs, Kali WSL ext4.vhdx"
    type: bool
  - name: WaveBrowser
    description: "WaveBrowser (by Kalil Olsen): WaveBrowser Favicons, WaveBrowser History, WaveBrowser Last Session, WaveBrowser Last Tabs, WaveBrowser Sessions Folder, WaveBrowser Login Data, WaveBrowser Media History, WaveBrowser Network Action Predictor, WaveBrowser Network Persistent State, WaveBrowser Preferences, WaveBrowser Quota Manager, WaveBrowser Reporting and NEL, WaveBrowser Shortcuts, WaveBrowser Top Sites, WaveBrowser Trust Tokens, WaveBrowser SyncData Database, WaveBrowser Visited Links, WaveBrowser Web Data, Windows Protect Folder, WaveBrowser Snapshots Folder, SYSTEM WaveBrowser History, WaveBrowser bookmarks, WaveBrowser Cookies, WaveBrowser Current Session, WaveBrowser Current Tabs, WaveBrowser Download Metadata, WaveBrowser Extension Cookies"
    type: bool
  - name: WebBrowsers
    description: "Web browser history, bookmarks, etc. (by Eric Zimmerman): Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, Edge folder, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge Snapshots Folder, Addons, Downloads, Extensions, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Sessionstore XP, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, IE 11 Cookies, Opera - Local Folder, Opera - Roaming Folder, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Puffin - Image Cache, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata, Yandex Cookies, Yandex Network Persistent State, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, 360 Secure Browser Bookmarks, 360 Secure Browser Cookies, 360 Secure Browser Current Session, 360 Secure Browser Current Tabs, 360 Secure Browser Download Metadata, 360 Secure Browser Extension Cookies, 360 Secure Browser Favicons, 360 Secure Browser History, 360 Secure Browser Last Session, 360 Secure Browser Last Tabs, 360 Secure Browser Sessions Folder, 360 Secure Browser Login Data, 360 Secure Browser Media History, 360 Secure Browser Network Action Predictor, 360 Secure Browser Network Persistent State, 360 Secure Browser Preferences, 360 Secure Browser Quota Manager, 360 Secure Browser Reporting and NEL, 360 Secure Browser Shortcuts, 360 Secure Browser Top Sites, 360 Secure Browser Trust Tokens, 360 Secure Browser SyncData Database, 360 Secure Browser Visited Links, 360 Secure Browser Web Data, 360 Secure Browser Snapshots Folder, Arc Cookies, Arc Favicons, Arc History, Arc Sessions Folder, Arc Login Data, Arc Network Action Predictor, Arc Preferences, Arc Shortcuts, Arc Top Sites, Arc SyncData Database, Arc Bookmarks, Arc Visited Links, Arc Web Data, Arc JSON Files, Arc PLIST Files, CocCoc Bookmarks, CocCoc Cookies, CocCoc Current Session, CocCoc Current Tabs, CocCoc Download Metadata, CocCoc Extension Cookies, CocCoc Favicons, CocCoc History, CocCoc Last Session, CocCoc Last Tabs, CocCoc Sessions Folder, CocCoc Login Data, CocCoc Media History, CocCoc Network Action Predictor, CocCoc Network Persistent State, CocCoc Preferences, CocCoc Quota Manager, CocCoc Reporting and NEL, CocCoc Shortcuts, CocCoc Top Sites, CocCoc Trust Tokens, CocCoc SyncData Database, CocCoc Visited Links, CocCoc Web Data, CocCoc Snapshots Folder, QQ Browser Bookmarks, QQ Browser Cookies, QQ Browser Current Session, QQ Browser Current Tabs, QQ Browser Download Metadata, QQ Browser Extension Cookies, QQ Browser Favicons, QQ Browser History, QQ Browser Last Session, QQ Browser Last Tabs, QQ Browser Sessions Folder, QQ Browser Login Data, QQ Browser Media History, QQ Browser Network Action Predictor, QQ Browser Network Persistent State, QQ Browser Preferences, QQ Browser Quota Manager, QQ Browser Reporting and NEL, QQ Browser Shortcuts, QQ Browser Top Sites, QQ Browser Trust Tokens, QQ Browser SyncData Database, QQ Browser Visited Links, QQ Browser Web Data, QQ Browser Snapshots Folder, Supermium Bookmarks XP, Supermium Cookies XP, Supermium Current Session XP, Supermium Current Tabs XP, Supermium Favicons XP, Supermium History XP, Supermium Last Session XP, Supermium Last Tabs XP, Supermium Sessions Folder XP, Supermium Network Action Predictor XP, Supermium Network Persistent State XP, Supermium Login Data XP, Supermium Preferences XP, Supermium Reporting and NEL XP, Supermium Trust Tokens XP, Supermium SyncData Database XP, Supermium Shortcuts XP, Supermium Top Sites XP, Supermium Visited Links XP, Supermium Web Data XP, Supermium Bookmarks, Supermium Cookies, Supermium Current Session, Supermium Current Tabs, Supermium Download Metadata, Supermium Extension Cookies, Supermium Favicons, Supermium History, Supermium Last Session, Supermium Last Tabs, Supermium Sessions Folder, Supermium Login Data, Supermium Media History, Supermium Network Action Predictor, Supermium Network Persistent State, Supermium Preferences, Supermium Quota Manager, Supermium Reporting and NEL, Supermium Shortcuts, Supermium Top Sites, Supermium Trust Tokens, Supermium SyncData Database, Supermium Visited Links, Supermium Web Data, Supermium Snapshots Folder, SYSTEM Supermium History, UCBrowser Bookmarks, UCBrowser Cookies, UCBrowser Current Session, UCBrowser Current Tabs, UCBrowser Download Metadata, UCBrowser Extension Cookies, UCBrowser Favicons, UCBrowser History, UCBrowser Last Session, UCBrowser Last Tabs, UCBrowser Sessions Folder, UCBrowser Login Data, UCBrowser Media History, UCBrowser Network Action Predictor, UCBrowser Network Persistent State, UCBrowser Preferences, UCBrowser Quota Manager, UCBrowser Reporting and NEL, UCBrowser Shortcuts, UCBrowser Top Sites, UCBrowser Trust Tokens, UCBrowser SyncData Database, UCBrowser Visited Links, UCBrowser Web Data, UCBrowser Snapshots Folder, WaveBrowser bookmarks, WaveBrowser Cookies, WaveBrowser Current Session, WaveBrowser Current Tabs, WaveBrowser Download Metadata, WaveBrowser Extension Cookies, WaveBrowser Favicons, WaveBrowser History, WaveBrowser Last Session, WaveBrowser Last Tabs, WaveBrowser Sessions Folder, WaveBrowser Login Data, WaveBrowser Media History, WaveBrowser Network Action Predictor, WaveBrowser Network Persistent State, WaveBrowser Preferences, WaveBrowser Quota Manager, WaveBrowser Reporting and NEL, WaveBrowser Shortcuts, WaveBrowser Top Sites, WaveBrowser Trust Tokens, WaveBrowser SyncData Database, WaveBrowser Visited Links, WaveBrowser Web Data, WaveBrowser Snapshots Folder, SYSTEM WaveBrowser History"
    type: bool
  - name: WebServers
    description: "Logs from all known web server applications and supporting services (by Eric Capuano): MS SQL Errorlog, MS SQL Errorlogs, IIS log files, Apache Access Log, NGINX Log Files"
    type: bool
  - name: Webroot
    description: "Webroot Antivirus (by Drew Ervin): Webroot Program Data"
    type: bool
  - name: WhatsApp
    description: "WhatsApp Local Files (by Matt Dawson, SolitudePy): WhatsApp Cache, WhatsApp Local Storage, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage"
    type: bool
  - name: WhatsApp_Media
    description: "WhatsApp Shared Media Files (by SolitudePy): Microsoft Store WhatsApp Desktop Profile Pictures, Microsoft Store WhatsApp Shared Media"
    type: bool
  - name: WinDefendDetectionHist
    description: "Windows Defender Threat DetectionHistory files (by Jordan Klepser): DetectionHistory"
    type: bool
  - name: WinSCP
    description: "WinSCP (by Andrew Rathbun): WinSCP (.ini file)"
    type: bool
  - name: WindowsCopilotRecall
    description: "Windows Copilot+ Recall (by Zach Stanford/Phill Moore): Recall folder"
    type: bool
  - name: WindowsDefender
    description: "Windows Defender Data (by Drew Ervin): Windows Defender Logs, Windows Defender Event Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log"
    type: bool
  - name: WindowsFirewall
    description: "Windows Firewall Logs (by Mike Cary): Windows Firewall Logs"
    type: bool
  - name: WindowsHello
    description: "Windows Hello (by Kevin Pagano): Cryptokeys, Masterkey, NGC, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SECURITY registry hive, SOFTWARE registry hive, SYSTEM registry hive, SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
    type: bool
  - name: WindowsIndexSearch
    description: "Windows Index Search (by Mark Hallman, Reece394): GatherLogs, WindowsIndexSearch - User, GatherLogs - User, WindowsIndexSearch"
    type: bool
  - name: WindowsNetwork
    description: "Windows Networks settings (by Zawadi Done): Network setting files"
    type: bool
  - name: WindowsNotificationsDB
    description: "Windows 10 Notification DB (by Hadar Yudovich): Windows 10 Notification DB"
    type: bool
  - name: WindowsOSUpgradeArtifacts
    description: "Windows OS Upgrade Artifacts (by Andrew Rathbun): MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db"
    type: bool
  - name: WindowsPowerDiagnostics
    description: "Windows Power Diagnostics (by Andrew Rathbun): Windows Power Diagnostics"
    type: bool
  - name: WindowsServerDNSAndDHCP
    description: "Windows Server DNS and DHCP log files (by Zawadi Done): DNS Netlogon files, DNS files, DHCP files"
    type: bool
  - name: WindowsSubsystemforAndroid
    description: "Windows Subsystem for Android (WSA) (by Andrew Rathbun): Appcompatdb.json, userdata.vhdx, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO)"
    type: bool
  - name: WindowsTelemetryDiagnosticsLegacy
    description: "Legacy Windows Telemetry and Diagnostics files (*.rbs) (by Andrew Rathbun and Josh Mitchell): Legacy .rbs files relating to Windows Telemetry and Diagnostics"
    type: bool
  - name: WindowsTimeline
    description: "ActivitiesCache.db collector (by Lee Whitfield, Thomas DIOT (Qazeer)): ActivitiesCache.db"
    type: bool
  - name: WindowsUpdate
    description: "Windows Update Logs (by Rick van Dreunen): Windows Update Session Orchestrator logs, Windows Update logs, Windows Component-Based Servicing logs"
    type: bool
  - name: WindowsYourPhone
    description: "Windows Your Phone (by Andrew Rathbun): Windows Your Phone - All Databases"
    type: bool
  - name: XPRestorePoints
    description: "XP Restore Points - System Volume Information directory (by Phill Moore): System Volume Information"
    type: bool
  - name: XYplorer
    description: "XYplorer (by Andrew Rathbun): XYplorer - .ini file, XYplorer - .ini file for each respective pane, XYplorer - AutoBackup folder, XYplorer - .dat files"
    type: bool
  - name: Xeox
    description: "Xeox Application Logs (by Andrew Skatoff @DFIR_TNT): Xeox RMM Client Application logs"
    type: bool
  - name: Yandex
    description: "Yandex Artifacts (by Sebastian Søgaard): Yandex Cookies, Yandex Network Persistent State, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts"
    type: bool
  - name: ZohoAssist
    description: "Zoho Assist artifacts (by Andrew Rathbun): Zoho Assist log files in ProgramData, Zoho Assist .conf files, Zoho Assist log files in Program Files*, Zoho Assist .conf files in  Program Files*, Zoho Assist .txt files in  Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist .conf files in AppData\Local"
    type: bool
  - name: Zoom
    description: "Zoom client artifacts (by Ryan McVicar): Zoom plugin (Outlook), Zoom client logs, Zoom client logs (Windows XP), Zoom client recordings"
    type: bool
  - name: eMule
    description: "eMule (by Fábio Melo Pfeifer): eMule Logs and Configuration Files, eMule part.met files"
    type: bool
  - name: iTunesBackup
    description: "iTunes Backups (by Tony Knutson): iTunes Backup Folder, iTunes Backup Folder - iOS13"
    type: bool
  - name: mIRC
    description: "mIRC (by Andrew Rathbun): mIRC Chat Logs (Vista+), mIRC Chat Logs (2000/XP)"
    type: bool
  - name: mRemoteNG
    description: "mRemoteNG (by Markus Einarsson (@einarssonm)): mRemoteNG Logs, mRemoteNG Connection Configuration and Backups, mRemoteNG Program Settings"
    type: bool
  - name: openSUSE
    description: "openSUSE on Windows Subsystem for Linux (by Matt Dawson): openSUSE WSL ext4.vhdx, openSUSE WSL /etc/os-release, openSUSE WSL /etc/fstab, openSUSE WSL /etc/passwd, openSUSE WSL /etc/group, openSUSE WSL /etc/shadow, openSUSE WSL /etc/timezone, openSUSE WSL /etc/hostname, openSUSE WSL /etc/hosts, openSUSE WSL /etc/bash.bashrc, openSUSE WSL /etc/profile, openSUSE WSL .bash_history, openSUSE WSL .bashrc, openSUSE WSL .profile"
    type: bool
  - name: pCloudDatabase
    description: "pCloud Database (by Josh Hickman): pCloud Database, pCloud Database WAL File, pCloud Database Shared Memory File"
    type: bool
  - name: qBittorrent
    description: "qBittorrent (by Banaanhangwagen): TorrentClients - qBittorrent"
    type: bool
  - name: uTorrent
    description: "uTorrent (by Banaanhangwagen): TorrentClients - uTorrent"
    type: bool

  - name: KapeRules
    type: hidden
    description: A CSV file controlling the different Kape Target Rules
    default: |
      Id,Name,Category,Glob,Accessor,Comment
      1,$Boot,FileSystem,$Boot,ntfs,
      2,$J,FileSystem,$Extend\$UsnJrnl:$J,ntfs,
      3,$Max,FileSystem,$Extend\$UsnJrnl:$Max,ntfs,
      4,$J,FileSystem,$Extend\$J,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
      5,$Max,FileSystem,$Extend\$Max,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
      6,$LogFile,FileSystem,$LogFile,ntfs,
      7,$MFT,FileSystem,$MFT,ntfs,
      8,$MFTMirr,FileSystem,$MFTMirr,ntfs,$MFTMirr is a redundant copy of the first four (4) records of the MFT.
      9,$SDS,FileSystem,$Secure:$SDS,ntfs,
      10,$SDS,FileSystem,$Secure_$SDS,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
      11,$T,FileSystem,$Extend\$RmMetadata\$TxfLog\$Tops:$T,ntfs,
      12,$T,FileSystem,$Extend\$RmMetadata\$TxfLog\$T,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
      13,1Password Database,Apps,Users\*\AppData\Local\1password\data\1Password10.sqlite,lazy_ntfs,"Database which holds information about 1Password installation, such as accounts, categories, settings and more"
      14,1Password Backup Databases,Apps,Users\*\AppData\Local\1password\backups\1Password10.sqlite,lazy_ntfs,Backups of 1Password Database
      15,1Password Logs,Apps,Users\*\AppData\Local\1password\logs\*.log,lazy_ntfs,Log of usage of 1Password - can be useful for identifying periods of user activity
      16,4K Video Downloader,Apps,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
      17,4K Video Downloader+,Apps,Users\*\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
      18,AVG AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\log\**10,lazy_ntfs,
      19,AVG AV Report Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\report\**10,lazy_ntfs,
      20,AVG AV Logs,Antivirus,ProgramData\AVG\Antivirus\log\**10,lazy_ntfs,
      21,AVG Report Logs,Antivirus,ProgramData\AVG\Antivirus\report\**10,lazy_ntfs,
      22,AVG Persistent Logs,Antivirus,ProgramData\AVG\Persistent Data\Antivirus\Logs\**10,lazy_ntfs,
      23,AVG FileInfo DB,Antivirus,ProgramData\AVG\Antivirus\**10\FileInfo2.db,lazy_ntfs,
      24,AVG lsdbj2 JSON,Antivirus,ProgramData\AVG\Antivirus\lsdb2.json,lazy_ntfs,
      25,AceText - Clipboard History,Apps,Users\*\Documents\*.atc,lazy_ntfs,Locates the Clipboard history for AceText
      26,Acronis True Image - Logs,Apps,ProgramData\Acronis\TrueImageHome\Logs\ti_demon\*,lazy_ntfs,Copies out all log files
      27,Acronis True Image - Database Files,Apps,ProgramData\Acronis\TrueImageHome\Database\archives.db*,lazy_ntfs,Copies out the Database folder which appears to have important information
      28,Acronis True Image - Scripts Folder,Apps,ProgramData\Acronis\TrueImageHome\Scripts\*,lazy_ntfs,Copies out all scripts files
      29,Action1 Client Application logs,ApplicationLogs,Windows\Action1\logs\*.log,lazy_ntfs,"Contains Application Log entries such as service start and incomming connections, and deployed scripts/jobs."
      30,NTDS,Active Directory,Windows\NTDS\**10,lazy_ntfs,
      31,SYSVOL,Active Directory,Windows\SYSVOL\**10,lazy_ntfs,
      32,Agent Ransack Config Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\config\**10,lazy_ntfs,
      33,Agent Ransack CrashReports Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\CrashReports\**10,lazy_ntfs,
      34,Agent Ransack IndexLog Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\IndexLog\**10,lazy_ntfs,
      35,Agent Ransack Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\logs\**10,lazy_ntfs,
      36,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs\Amcache.hve,lazy_ntfs,
      37,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs\Amcache.hve,lazy_ntfs,
      38,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs\Amcache.hve.LOG*,lazy_ntfs,
      39,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs\Amcache.hve.LOG*,lazy_ntfs,
      40,Ammyy Program Data,ApplicationLogs,ProgramData\Ammyy\**10,lazy_ntfs,"May not contain traditional log files, but presence of this folder may indicate historical usage"
      41,AnyDesk Logs - User Profile - *.trace,Communications,Users\*\AppData\Roaming\AnyDesk\*.trace,lazy_ntfs,Collects the trace logs for AnyDesk from a user profile
      42,AnyDesk Logs - ProgramData - *.trace,Communications,ProgramData\AnyDesk\*.trace,lazy_ntfs,Collects the trace logs for AnyDesk from ProgramData
      43,AnyDesk Logs - User Profile - *.conf,Communications,Users\*\AppData\Roaming\AnyDesk\*.conf,lazy_ntfs,Collects the conf logs for AnyDesk from a user profile
      44,AnyDesk Logs - ProgramData - *.conf,Communications,ProgramData\AnyDesk\*.conf,lazy_ntfs,Collects the conf logs for AnyDesk from ProgramData
      45,AnyDesk Videos,Communications,Users\*\Videos\AnyDesk\*.anydesk,lazy_ntfs,Collects any session recordings made by the user while using AnyDesk
      46,AnyDesk Logs - User Profile - connection_trace.txt,Communications,Users\*\AppData\Roaming\AnyDesk\connection_trace.txt,lazy_ntfs,Collects the connection trace log from user profile
      47,AnyDesk Logs - ProgramData - connection_trace.txt,Communications,ProgramData\AnyDesk\connection_trace.txt,lazy_ntfs,Collects the connection trace log from ProgramData
      48,AnyDesk Logs - System User Account,Communications,Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*,lazy_ntfs,Collects the logs associated with the System user account
      49,AnyDesk Chat Logs - User Profile,Communications,Users\*\AppData\Roaming\AnyDesk\chat\*.txt,lazy_ntfs,Collects chat logs associated with the user profile
      50,Apache Access Log,Webservers,**10\access.log,lazy_ntfs,
      51,AppCompat PCA Folder,ApplicationCompatibility,Windows\appcompat\pca,lazy_ntfs,
      52,AppData,UserData,Users\*\AppData\**10,lazy_ntfs,
      53,WindowsApps for AppX,Apps,Program Files\WindowsApps\Deleted*\**10,lazy_ntfs,Locates all the user AppX package directories which were installed through Microsoft Store and updated/uninstalled by the user.
      54,SystemApps for AppX,Apps,Windows\SystemApps\**10,lazy_ntfs,Locates all the system AppX package directories which were installed by the system.
      55,UserSpecificPackages for AppX,Apps,Users\*\AppData\Local\Packages\**10,lazy_ntfs,Locates all the user and system AppX package directories which are user specific on the system.
      56,AppRepository for AppX,Apps,ProgramData\Microsoft\Windows\AppRepository\Packages\**10\StateRepository-*.srd,lazy_ntfs,Locates the StateRepository .srd databases.
      57,ProgramData Packages for AppX,Apps,ProgramData\Packages\**10,lazy_ntfs,Locates the ProgramData AppX package directories.
      58,Application Event Log XP,EventLogs,Windows\System32\config\AppEvent.evt,lazy_ntfs,
      59,Application Event Log XP,EventLogs,Windows.old\Windows\System32\config\AppEvent.evt,lazy_ntfs,
      60,Application Event Log Win7+,EventLogs,Windows\System32\winevt\logs\application.evtx,lazy_ntfs,
      61,Application Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\application.evtx,lazy_ntfs,
      62,Aspera Client Logs,FileDownload,Users\*\AppData\Local\Aspera\Aspera Connect\var\log\**10\*.log,lazy_ntfs,
      63,Aspera Server Logs,FileDownload,Users\*\.aspera\connect\var\log\**10\*.log,lazy_ntfs,
      64,AteraAgent .ini files,Software,Program Files\ATERA Networks\AteraAgent\**10\*.ini,lazy_ntfs,Collects logs for AteraAgent
      65,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.txt,lazy_ntfs,Collects logs for AteraAgent
      66,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.db,lazy_ntfs,Collects logs for AteraAgent
      67,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.config,lazy_ntfs,Collects logs for AteraAgent
      68,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.cfg,lazy_ntfs,Collects logs for AteraAgent
      69,Avast AV Logs (XP),Antivirus,Documents And Settings\All Users\Application Data\Avast Software\Avast\Log\**10,lazy_ntfs,
      70,Avast AV Logs,Antivirus,ProgramData\Avast Software\Avast\Log\**10,lazy_ntfs,
      71,Avast AV User Logs,Antivirus,Users\*\Avast Software\Avast\Log\**10,lazy_ntfs,
      72,Avast AV Index,Antivirus,ProgramData\Avast Software\Avast\Chest\index.xml,lazy_ntfs,
      73,Avast Persistent Data Logs,Antivirus,ProgramData\Avast Software\Persistent Data\Avast\Logs\**10,lazy_ntfs,
      74,Avast Icarus Logs,Antivirus,ProgramData\Avast Software\Icarus\Logs\**10,lazy_ntfs,
      75,Avira Activity Logs,Antivirus,ProgramData\Avira\Antivirus\LOGFILES\**10,lazy_ntfs,Collects the scan logs of Avira Antivirus
      76,Avira Security Logs,Antivirus,ProgramData\Avira\Security\Logs\**10,lazy_ntfs,
      77,Avira VPN Logs,Antivirus,ProgramData\Avira\VPN\**10,lazy_ntfs,Collects the VPN logs
      78,BCD,Registry,Boot\BCD,lazy_ntfs,
      79,BCD Logs,Registry,Boot\BCD.LOG*,lazy_ntfs,
      80,BITS files,Persistence,ProgramData\Microsoft\Network\Downloader\**10,lazy_ntfs,
      81,TorrentClients - BitTorrent,FileDownload,Users\*\AppData\Roaming\BitTorrent\*.dat,lazy_ntfs,
      82,Bitdefender Endpoint Security Logs,Antivirus,ProgramData\Bitdefender\Endpoint Security\Logs\**10,lazy_ntfs,
      83,Bitdefender Internet Security Logs,Antivirus,ProgramData\Bitdefender\Desktop\Profiles\Logs\**10,lazy_ntfs,
      84,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases
      85,Box Drive Application Metadata,Apps,Users\*\AppData\Local\Box\Box\**10,lazy_ntfs,
      86,Box Sync Application Metadata,Apps,Users\*\AppData\Local\Box Sync\**10,lazy_ntfs,
      87,Box Drive User Files,Apps,Users\*\Box\**10,lazy_ntfs,Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network
      88,Box Sync User Files,Apps,Users\*\Box Sync\**10,lazy_ntfs,
      89,Bookmarks,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Bookmarks*,lazy_ntfs,
      90,Cookies,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Cookies*,lazy_ntfs,
      91,Current Session,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Session,lazy_ntfs,
      92,Current Tabs,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Tabs,lazy_ntfs,
      93,Download Metadata,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\DownloadMetadata,lazy_ntfs,
      94,Favicons,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Favicons*,lazy_ntfs,
      95,History,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\History*,lazy_ntfs,
      96,Sessions Folder,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\*,lazy_ntfs,
      97,Login Data,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Login Data,lazy_ntfs,
      98,Network Action Predictor,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Action Predictor,lazy_ntfs,
      99,Network Persistent State,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Persistent State,lazy_ntfs,
      100,Preferences,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Preferences,lazy_ntfs,
      101,Quota Manager,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\QuotaManager,lazy_ntfs,
      102,Reporting and NEL,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Reporting and NEL,lazy_ntfs,
      103,Shortcuts,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Shortcuts*,lazy_ntfs,
      104,Publisher Info DB/Brave Rewards,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\publisher_info_db*,lazy_ntfs,"SQLite Database related to ""Brave Rewards"" containing an event_log table"
      105,Top Sites,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Top Sites*,lazy_ntfs,
      106,Visited Links,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Visited Links*,lazy_ntfs,
      107,Web Data,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Web Data*,lazy_ntfs,
      108,Secure Preferences,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Secure Preferences*,lazy_ntfs,Contains additional preferences data
      109,Chrome Cache Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Cache\**10,lazy_ntfs,
      110,Chromium Edge Cache Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cache\**10,lazy_ntfs,
      111,Firefox Cache Folder,Communications,Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\**10,lazy_ntfs,
      112,IE 9/10 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\**10,lazy_ntfs,
      113,IE Index.dat temp internet files,Communications,Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat,lazy_ntfs,
      114,IE 11 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\**10,lazy_ntfs,
      115,Edge WebcacheV01.dat,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs,
      116,Brave Cache Folder,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data\**10,lazy_ntfs,
      117,System CryptnetUrlCache,FileKnowledge,Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
      118,System WOW64 CryptnetUrlCache,FileKnowledge,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
      119,User CryptnetUrlCache,FileKnowledge,Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
      120,INetCache,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\**10,lazy_ntfs,
      121,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      122,Chrome Cookies XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
      123,Chrome Current Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      124,Chrome Current Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      125,Chrome Favicons XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      126,Chrome History XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs,
      127,Chrome Last Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      128,Chrome Last Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      129,Chrome Login Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      130,Chrome Preferences XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      131,Chrome Shortcuts XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      132,Chrome Top Sites XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      133,Chrome Visited Links XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      134,Chrome Web Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      135,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      136,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
      137,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      138,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      139,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata,lazy_ntfs,
      140,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
      141,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      142,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
      143,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      144,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      145,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
      146,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      147,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
      148,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
      149,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
      150,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      151,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
      152,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
      153,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      154,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      155,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
      156,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      157,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      158,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      159,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      160,Chrome Snapshots Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.
      161,SYSTEM Chrome History,Communications,Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
      162,Chrome Extension Files,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs,
      163,Chrome Extension Files XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs,
      164,Chrome HTML5 File System Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\File System\**10,lazy_ntfs,
      165,Cisco Jabber Database,Communications,Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db,lazy_ntfs,The Cisco Jabber process needs to be killed before database can be copied.
      166,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster
      167,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster
      168,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster
      169,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs,
      170,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs\*.log*,lazy_ntfs,
      171,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs\*.log,lazy_ntfs,
      172,Cybereason Anti-Ransomware Logs,Antivirus,ProgramData\crs1\Logs\**10,lazy_ntfs,
      173,Cybereason Sensor Communications and Anti-Malware Logs,Antivirus,ProgramData\apv2\Logs\**10,lazy_ntfs,
      174,Cybereason Application Control and NGAV Logs,Antivirus,ProgramData\crb1\Logs\**10,lazy_ntfs,
      175,Cylance ProgramData Logs,Antivirus,ProgramData\Cylance\Desktop\**10,lazy_ntfs,
      176,Cylance Optics Logs,Antivirus,ProgramData\Cylance\Optics\Log\**10,lazy_ntfs,
      177,Cylance Program Files Logs,Antivirus,Program Files\Cylance\Desktop\log\**10,lazy_ntfs,
      178,DC++ Chat Logs,FileDownload,Users\*\AppData\Local\DC++\Logs\**10,lazy_ntfs,Locates DC++ hub/chat logs and copies them. Current as of version 0.868.
      179,DWAgent Log Files,Logs,ProgramData\DWAgent*\*.log*,lazy_ntfs,
      180,Debian WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\debian_version,lazy_ntfs,
      181,Debian WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\fstab,lazy_ntfs,
      182,Debian WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\os-release,lazy_ntfs,
      183,Debian WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\passwd,lazy_ntfs,
      184,Debian WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\group,lazy_ntfs,
      185,Debian WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\shadow,lazy_ntfs,
      186,Debian WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\timezone,lazy_ntfs,
      187,Debian WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hostname,lazy_ntfs,
      188,Debian WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hosts,lazy_ntfs,
      189,Debian WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\crontab,lazy_ntfs,
      190,Debian WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
      191,Debian WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\profile,lazy_ntfs,
      192,Debian WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
      193,Debian WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
      194,Debian WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.profile,lazy_ntfs,
      195,Debian WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
      196,Debian WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
      197,Debian WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\ext4.vhdx,lazy_ntfs,
      198,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd,lazy_ntfs,Locates .osd file which contains names of folders that have been renamed manually by the user.
      199,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd,lazy_ntfs,Locates .osd file which contains names of files that have been renamed manually by the user.
      200,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query.
      201,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query.
      202,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd,lazy_ntfs,Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time.
      203,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd,lazy_ntfs,Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister.
      204,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.
      205,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.
      206,Directory Opus,Apps,Users\*\AppData\Roaming\GPSoftware\Directory Opus\Logs\*,lazy_ntfs,Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory.
      207,Audio files,Multimedia,"**10\*.{3gp,aa,aac,act,aiff,alac,amr,ape,au,awb,dss,dvf,flac,gsm,iklax,ivs,m4a,m4b,m4p,mmf,mp3,mpc,msv,nmf,ogg,oga,mogg,opus,ra,rm,raw,rf64,sln,tta,voc,vox,wav,wma,wv,webm}",lazy_ntfs,Covers most (if not all) audio file formats
      208,Excel and Excel-like Documents,Documents,"**10\*.{xls,xlsx,csv,tsv,xlt,xlm,xlsm,xltx,xltm,xlsb,xla,xlam,xll,xlw,ods,fodp,qpw}",lazy_ntfs,"Covers all document file formats for Excel, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more"
      209,PDF and PDF-like Documents,Documents,"**10\*.{pdf,xps,oxps}",lazy_ntfs,Covers all PDF and PDF-like document formats
      210,Picture files,Multimedia,"**10\*.{ai,bmp,bpg,cdr,cpc,eps,exr,flif,gif,heif,ilbm,ima,jp2,j2k,jpf,jpm,jpg2,j2c,jpc,jpx,mj2jpeg,jpg,jxl,kra,ora,pcx,pgf,pgm,png,pnm,ppm,psb,psd,psp,svg,tga,tiff,webp,xaml,xcf}",lazy_ntfs,Covers most (if not all) picture file formats
      211,SQLite Files (.db* and .sqlite*),Databases,"**10\*.{db,sqlite}*)",lazy_ntfs,Covers all common file extensions for SQLite databases
      212,Video files,Multimedia,"**10\*.{3g2,3gp,amv,asf,avi,drc,flv,f4v,f4p,f4a,f4b,gif,gifv,m4v,mkv,mov,qt,mp4,m4p,mpg,mpeg,m2v,mp2,mpe,mpv,mts,m2ts,ts,mxf,nsv,ogv,ogg,rm,rmvb,roq,svi,viv,vob,webm,wmv,yuv}",lazy_ntfs,Covers most (if not all) video file formats
      213,Zips,Archives,**10\*.zip,lazy_ntfs,This is an example of how to walk a drive for a file mask. Probably do not want to use this one as is
      214,Word and Word-like Documents,Documents,"**10\*.{doc,docx,docm,dotx,dotm,docb,dot,wbk,odt,fodt,rtf,wp*,tmd}",lazy_ntfs,"Covers all document file formats for Word, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more"
      215,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache\**10,lazy_ntfs,Gets cached data from Discord app
      216,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb\**10,lazy_ntfs,Gets LevelDB database from Discord app
      217,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd\history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top.
      218,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom.
      219,Double Commander - FTP Log,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd*.log,lazy_ntfs,Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log.
      220,Double Commander - multiarc.ini,Apps,Users\*\AppData\Roaming\doublecmd\multiarc.ini,lazy_ntfs,
      221,Double Commander - session.ini,Apps,Users\*\AppData\Roaming\doublecmd\session.ini,lazy_ntfs,
      222,Double Commander - pixmaps.txt,Apps,Users\*\AppData\Roaming\doublecmd\pixmaps.txt,lazy_ntfs,
      223,Double Commander - shortcuts.scf,Apps,Users\*\AppData\Roaming\doublecmd\shortcuts.scf,lazy_ntfs,
      224,Drivers,Drivers,Windows\system32\drivers\**10\*.sys,lazy_ntfs,
      225,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\info.json,lazy_ntfs,Getting individual files because folder may contain very large extraneous files. Info.json contains user's Dropbox folder location
      226,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64.
      227,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\machine_storage\tray-thumbnails.db,lazy_ntfs,SQLite database containing references to image files at one time present in a user’s Dropbox instance.
      228,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
      229,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption of Dropbox databases
      230,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\instance*\**10,lazy_ntfs,instance folder holds multiple SQLite databases related to Dropbox activity and contents
      231,Dropbox User Files,Apps,Users\*\Dropbox*\**10,lazy_ntfs,"Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder."
      232,EF Commander - .ini File,Apps,Users\*\AppData\Roaming\EFSoftware\*,lazy_ntfs,Locates folder where all configuration files reside
      233,ESET NOD32 AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,
      234,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser
      235,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET Security\Logs\**10,lazy_ntfs,
      236,ESET Remote Administrator Logs,Antivirus,ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs,lazy_ntfs,Remote Administrator logs include information on tasks executed on the target.
      237,Local User Quarantine,Antivirus,Users\*\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs,
      238,SYSTEM user quarantine,Antivirus,Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs,
      239,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
      240,Edge Bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
      241,Edge Collections,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs,
      242,Edge Cookies,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network\Cookies*,lazy_ntfs,
      243,Edge Current Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs,
      244,Edge Current Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs,
      245,Edge Favicons,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs,
      246,Edge History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs,
      247,Edge Last Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs,
      248,Edge Last Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs,
      249,Edge Sessions Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sessions\*,lazy_ntfs,
      250,Edge Login Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs,
      251,Edge Media History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs,
      252,Edge Network Action Predictor,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs,
      253,Edge Preferences,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs,
      254,Edge Shortcuts,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs,
      255,Edge Top Sites,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs,
      256,Edge SyncData Database,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      257,Edge Visited Links,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs,
      258,Edge Web Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs,
      259,Edge WebAssistDatabase,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\WebAssistDatabase*,lazy_ntfs,
      260,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline DPAPI decryption
      261,Edge Snapshots Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\**10,lazy_ntfs,"Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders"
      262,Edge Chromium Extension Files,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\**10,lazy_ntfs,
      263,Emsisoft Scan Logs,ApplicationLogs,ProgramData\Emsisoft\Reports\scan*.txt,lazy_ntfs,Can contain file detection and quarantine info
      264,EncapsulationLogging,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs,
      265,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs,
      266,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs,
      267,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs,
      268,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\System.evtx,lazy_ntfs,
      269,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\System.evtx,lazy_ntfs,
      270,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\Security.evtx,lazy_ntfs,
      271,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Security.evtx,lazy_ntfs,
      272,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs,
      273,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs,
      274,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs,
      275,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs,
      276,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs,
      277,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs,
      278,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs,
      279,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs,
      280,Event logs XP,EventLogs,Windows\System32\config\*.evt,lazy_ntfs,
      281,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\*.evtx,lazy_ntfs,
      282,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\*.evtx,lazy_ntfs,
      283,WDI Trace Logs 1,EventTraceLogs,Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs,
      284,WDI Trace Logs 1,EventTraceLogs,Windows.old\Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs,
      285,WDI Trace Logs 2,EventTraceLogs,Windows\System32\WDI\{*\**10,lazy_ntfs,
      286,WDI Trace Logs 2,EventTraceLogs,Windows.old\Windows\System32\WDI\{*\**10,lazy_ntfs,
      287,WMI Trace Logs,EventTraceLogs,Windows\System32\LogFiles\WMI\**10,lazy_ntfs,
      288,WMI Trace Logs,EventTraceLogs,Windows.old\Windows\System32\LogFiles\WMI\**10,lazy_ntfs,
      289,SleepStudy Trace Logs,EventTraceLogs,Windows\System32\SleepStudy\**10,lazy_ntfs,
      290,SleepStudy Trace Logs,EventTraceLogs,Windows.old\Windows\System32\SleepStudy\**10,lazy_ntfs,
      291,Energy-NTKL Trace Logs,EventTraceLogs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl,lazy_ntfs,
      292,Delivery Optimization Trace Logs,EventTraceLogs,Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl*,lazy_ntfs,
      293,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
      294,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
      295,Microsoft Office Diagnostic Logs,SystemEvents,Users\*\AppData\Local\Temp\Diagnostics\**10,lazy_ntfs,
      296,Evernote Accounts,Apps,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\.accounts,lazy_ntfs,Holds username and email of accounts
      297,Evernote Notebooks,Apps,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb,lazy_ntfs,SQLite Database of the notes
      298,Evernote Notebook Snippets,Apps,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb.snippets,lazy_ntfs,Note 'Snippets'
      299,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything\Everything.db,lazy_ntfs,Copies out Everything.db
      300,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything\Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window
      301,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything\Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps
      302,Everything (VoidTools) - .ini file,FileSystem,Users\*\AppData\Roaming\Everything\Everything.ini,lazy_ntfs,Copies out the .ini file for Everything
      303,Exchange client access log files,Logs,Program Files\Microsoft\Exchange Server\*\Logging\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration
      304,Exchange Server Modified Compiled Files,Apps,Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
      305,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
      306,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\system_web\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
      307,Exchange Server Modified Compiled Files,Apps,Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
      308,Exchange Setup Log file,Logs,ExchangeSetupLogs\ExchangeSetup.log,lazy_ntfs,The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration.
      309,Exchange TransportRoles log files,Logs,Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration
      310,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log\**10,lazy_ntfs,
      311,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log\**10,lazy_ntfs,
      312,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports\**10,lazy_ntfs,
      313,Fences - Desktop Screenshots,Apps,Users\*\AppData\Roaming\Stardock\Fences\Backups,lazy_ntfs,Locates all screenshots taken automatically by the Fences application
      314,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.xml*,lazy_ntfs,
      315,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs,
      316,FileZilla Server XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla Server\*.xml*,lazy_ntfs,
      317,FileZilla Log Files,Logs,Program Files (x86)\FileZilla Server\Logs\*.log*,lazy_ntfs,
      318,Addons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
      319,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs,
      320,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\**10,lazy_ntfs,
      321,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
      322,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs,
      323,Downloads,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
      324,Extensions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json,lazy_ntfs,
      325,Favicons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
      326,Form history,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
      327,Permissions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs,
      328,Places,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
      329,Protections,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs,
      330,Search,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
      331,Signons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
      332,Storage Sync,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs,
      333,Webappstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
      334,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs,
      335,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs,
      336,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs,
      337,Preferences,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js,lazy_ntfs,
      338,Sessionstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs,
      339,Sessionstore Folder,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\**10,lazy_ntfs,
      340,Places XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
      341,Downloads XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
      342,Form history XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
      343,Cookies XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
      344,Signons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
      345,Webappstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
      346,Favicons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
      347,Addons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
      348,Search XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
      349,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs,
      350,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs,
      351,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs,
      352,Sessionstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs,
      353,Free Commander - FreeCommander.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts.
      354,Free Commander - FreeCommander.ftp.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini,lazy_ntfs,Locates an .ini file that contains the file path to the FTP log for Free Commander.
      355,Free Commander - FreeCommander.hist.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers.
      356,Free Commander - FreeCommander.fav.xml,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml,lazy_ntfs,Locates an .xml file that contains favorited files/folder by the user.
      357,Free Commander - Backup Settings,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\**10,lazy_ntfs,"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS."
      358,Free Commander - FTP Log,Apps,Users\*\AppData\Local\Temp\fc*.log,lazy_ntfs,Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user.
      359,Free Commander - FTP Related Information,Apps,Users\*\AppData\Local\Temp\FreeCommander*\**10,lazy_ntfs,Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit.
      360,FDM Database,Apps,Users\*\AppData\Local\Free Download Manager\**10\fdm.sqlite,lazy_ntfs,"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. Will also pull fdm.sqlite in db_backup/"
      361,FDM Backup Info,Apps,Users\*\AppData\Local\Free Download Manager\backup\backup.info,lazy_ntfs,"Backup info file - can change backup name from userdata.zip, so could give indication of file name"
      362,FDM Database (userdata.zip),Apps,Users\*\AppData\Local\Free Download Manager\backup\userdata.zip,lazy_ntfs,fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file
      363,FreeFileSync,Apps,Users\*\AppData\Roaming\FreeFileSync\Logs,lazy_ntfs,Copies out all log files
      364,Freenet,FileDownload,Users\*\AppData\Local\Freenet\node*,lazy_ntfs,
      365,Freenet,FileDownload,Users\*\AppData\Local\Freenet\*completed.list.downloads,lazy_ntfs,
      366,Freenet,FileDownload,Users\*\AppData\Local\Freenet\*completed.list.uploads,lazy_ntfs,
      367,Freenet,FileDownload,Users\*\AppData\Local\Freenet\*.bak,lazy_ntfs,
      368,Freenet,FileDownload,Users\*\AppData\Local\Freenet\downloads\**10,lazy_ntfs,
      369,FrostWire Downloads,FileDownload,Users\*\Documents\FrostWire\Torrent Data\**10,lazy_ntfs,Locates files downloaded that land in the default location as specified by FrostWire
      370,FrostWire AppData,FileDownload,Users\*\.frostwire5\frostwire.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system
      371,FrostWire AppData,FileDownload,Users\*\.frostwire5\itunes.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system
      372,Gigatribe Files Windows Vista/7/8/10,FileDownload,Users\*\AppData\Local\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them
      373,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Gigatribe\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Gigatribe
      374,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Shalsoft
      375,Google Drive Backup and Sync User Files,Apps,Users\*\Google Drive*\**10,lazy_ntfs,Older Google Drive Backup and Sync application only
      376,Google Drive Backup and Sync Metadata,Apps,Users\*\AppData\Local\Google\Drive\**10,lazy_ntfs,Older version of Google Drive
      377,Google Drive for Desktop Metadata,Apps,Users\*\AppData\Local\Google\DriveFS\**10,lazy_ntfs,Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application
      378,Google Earth My Places file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations
      379,Google Earth My Places Backup file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations
      380,Google Earth My Places file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations
      381,Google Earth My Places Backup file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations
      382,Group Policy Files,Communications,Windows\System32\grouppolicy\**10,lazy_ntfs,
      383,Computer Group Policy files,Communications,ProgramData\Microsoft\Group Policy\History\**10,lazy_ntfs,
      384,User Group Policy files,Communications,Users\*\AppData\Local\Microsoft\Group Policy\History\**10,lazy_ntfs,
      385,Local Group Policy INI Files,Communications,Windows.old\Windows\System32\grouppolicy\*.ini,lazy_ntfs,
      386,Local Group Policy Files - Registry Policy Files,Communications,Windows\System32\grouppolicy\*.pol,lazy_ntfs,
      387,Local Group Policy Files - Registry Policy Files,Communications,Windows.old\Windows\System32\grouppolicy\*.pol,lazy_ntfs,
      388,Local Group Policy Files - Startup/Shutdown Scripts,Communications,Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
      389,Local Group Policy Files - Startup/Shutdown Scripts,Communications,Windows.old\Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
      390,HeidiSQL Backup files (*.sql),Apps,Users\*\AppData\Roaming\HeidiSQL\Backups\*,lazy_ntfs,
      391,HeidiSQL (tabs.ini),Apps,Users\*\AppData\Roaming\HeidiSQL\tabs.ini,lazy_ntfs,
      392,HexChat Chat Logs,Communications,Users\*\AppData\Roaming\HexChat\logs\**10,lazy_ntfs,
      393,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs\**10,lazy_ntfs,
      394,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs\**10,lazy_ntfs,
      395,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert\excalibur.db,lazy_ntfs,SQLite DB
      396,HostsFile,HostsFile,Windows\System32\drivers\etc\Hosts,lazy_ntfs,
      397,IIS applicationHost.config,Apps,Windows\System32\inetsrv\config\applicationHost.config,lazy_ntfs,This configuration file stores the settings for all your Web sites and applications.
      398,IIS administration.config,Apps,Windows\System32\inetsrv\config\administration.config,lazy_ntfs,This configuration file stores the settings for IIS management.
      399,IIS redirection.config,Apps,Windows\System32\inetsrv\config\redirection.config,lazy_ntfs,This configuration file contains the settings that indicate the location where the centralized configuration files are stored.
      400,web.config,Apps,inetpub\wwwroot\**10\web.config,lazy_ntfs,The web.config is a file that is read by IIS and the ASP.NET Core Module to configure an app hosted with IIS.
      401,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
      402,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
      403,IIS log files,Logs,inetpub\logs\LogFiles\*.log,lazy_ntfs,
      404,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*\*.log,lazy_ntfs,
      405,IIS log files,Logs,Resources\Directory\*\LogFiles\Web\W3SVC*\*.log,lazy_ntfs,
      406,IIS log files,Logs,Windows\system32\LogFiles\HTTPERR\*.log,lazy_ntfs,
      407,ISLOnline Logs - Sessions - *.out,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\ISLClient.out,lazy_ntfs,Collects client session logs for one or more sessions
      408,ISLOnline Logs - Session Configurations,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\*,lazy_ntfs,Configurations for ISL Light sessions
      409,ISL AlwaysOn Logs - Sessions List,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\session.xml,lazy_ntfs,Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)
      410,ISL AlwaysOn Logs - Sessions,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\trace.out,lazy_ntfs,Detailed log for each session for ISL AlwaysOn (Unattended Access)
      411,ISL AlwaysOn - App Logs,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\*.out,lazy_ntfs,Application logs containg various artifacts.
      412,ISL Light Logs - Sessions,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light\*\trace.out,lazy_ntfs,Collects client session logs for one or more sessions
      413,ISL AlwaysOn - Email Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\status\tray,lazy_ntfs,This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)
      414,ISL AlwaysOn - Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\StaticConfiguration.ini,lazy_ntfs,"Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)"
      415,ITarian,Apps,Program Files\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
      416,ITarian,Apps,Program Files (x86)\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
      417,Comodo,Apps,Program Files\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
      418,ITarian,Apps,Program Files (x86)\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
      419,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs\**10,lazy_ntfs,
      420,Windows IconCache DB,IconCache,Users\*\AppData\Local\IconCache.db,lazy_ntfs,
      421,Idrive Cleanup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\**10\*,lazy_ntfs,Contains individual log files for each archive cleanup operation
      422,Idrive Backup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Backup\**10\*,lazy_ntfs,Contains individual log files for each backup operation
      423,Idrive Delete Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Delete\**10\*,lazy_ntfs,Contains individual log files for each delete operation
      424,Idrive Restore Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Restore\*,lazy_ntfs,Contains individual log files for each restore operation
      425,Idrive Backup Summary,Apps,ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\*xml,lazy_ntfs,Contains summary of each backup session
      426,Idrive Tracefile,Apps,ProgramData\IDrive\IBCOMMON\*\Tracefile.txt\Tracefile.txt,lazy_ntfs,Application log which includes error logs for failed uploads
      427,Idrive Mapped Drives,Apps,ProgramData\IDrive\IBCOMMON\IDMappedDrives.txt,lazy_ntfs,List of mapped drives for backup
      428,Idrive Backup Schedule,Apps,ProgramData\IDrive\IBCOMMON\schedule.xml,lazy_ntfs,Backup schedule configurations
      429,Idrive Schedule History,Apps,ProgramData\IDrive\IBCOMMON\Sch_Trace.txt,lazy_ntfs,History of schedule configurations
      430,Idrive Configuration,Apps,ProgramData\IDrive\IBCOMMON\idrive.ini,lazy_ntfs,List of Idrive configuration options
      431,Idrive Local Drives,Apps,ProgramData\IDrive\IBCOMMON\get_Alldrives.txt,lazy_ntfs,List of all local drives
      432,Idrive Exclusion Configurations,Apps,ProgramData\IDrive\IBCOMMON\Exclude*,lazy_ntfs,Files pertaining to exclusion configurations
      433,Idrive User Details,Apps,ProgramData\IDrive\IBCOMMON\AutoComp.ini,lazy_ntfs,"Idrive username, Scheduler notification emails, local username"
      434,Idrive SQL Databse,Apps,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds,lazy_ntfs,Sql database of local files that are backed up
      435,ImgBurn - Application Log File,Apps,Users\*\AppData\Roaming\ImgBurn\Log Files\ImgBurn.log,lazy_ntfs,Contains the ImgBurn application log file.
      436,Index.dat History,Communications,Documents and Settings\*\Local Settings\History\History.IE5\index.dat,lazy_ntfs,
      437,Index.dat History subdirectory,Communications,Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat,lazy_ntfs,
      438,Index.dat cookies,Communications,Documents and Settings\*\Cookies\index.dat,lazy_ntfs,
      439,Index.dat UserData,Communications,Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat,lazy_ntfs,
      440,Index.dat Office XP,Communications,Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat,lazy_ntfs,
      441,Index.dat Office,Communications,Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat,lazy_ntfs,
      442,Local Internet Explorer folder,Communications,Users\*\AppData\Local\Microsoft\Internet Explorer\**10,lazy_ntfs,
      443,Roaming Internet Explorer folder,Communications,Users\*\AppData\Roaming\Microsoft\Internet Explorer\**10,lazy_ntfs,
      444,IE 9/10 History,Communications,Users\*\AppData\Local\Microsoft\Windows\History\**10,lazy_ntfs,
      445,IE 9/10 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\Cookies\**10,lazy_ntfs,
      446,IE 9/10 Download History,Communications,Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\**10,lazy_ntfs,
      447,IE 11 Metadata,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs,
      448,IE 11 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCookies\**10,lazy_ntfs,
      449,IrfanView Configuration File,FileKnowledge,Users\*\AppData\Roaming\IrfanView\i_view32.ini,lazy_ntfs,
      450,JDownloader 2.0 Download Lists,Apps,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
      451,JDownloader 2.0 Link Collector,Apps,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
      452,JDownloader 2.0 General Settings,Apps,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder.
      453,JDownloader 2.0 Link Grabber Settings,Apps,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.
      454,JDownloader 2.0 Proxy Settings,Apps,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0
      455,Java WebStart Cache User Level - Default,Communications,Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      456,Java WebStart Cache User Level - IE Protected Mode,Communications,Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      457,Java WebStart Cache System level,Communications,Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      458,Java WebStart Cache System level,Communications,Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      459,Java WebStart Cache System level - IE Protected Mode,Communications,Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      460,Java WebStart Cache System level - IE Protected Mode,Communications,Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      461,Java WebStart Cache System level (SysWow64),Communications,Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      462,Java WebStart Cache System level (SysWow64),Communications,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      463,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communications,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      464,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communications,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      465,Java WebStart Cache User Level - XP,Communications,Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
      466,JumpLists from CustomDestinations,JumpLists,Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**10,lazy_ntfs,
      467,JumpLists from CustomDestinations,JumpLists,Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\**10,lazy_ntfs,
      468,Kali WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\debian_version,lazy_ntfs,
      469,Kali WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\fstab,lazy_ntfs,
      470,Kali WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\os-release,lazy_ntfs,
      471,Kali WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\passwd,lazy_ntfs,
      472,Kali WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\group,lazy_ntfs,
      473,Kali WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\shadow,lazy_ntfs,
      474,Kali WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\timezone,lazy_ntfs,
      475,Kali WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hostname,lazy_ntfs,
      476,Kali WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hosts,lazy_ntfs,
      477,Kali WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\crontab,lazy_ntfs,
      478,Kali WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
      479,Kali WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\profile,lazy_ntfs,
      480,Kali WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
      481,Kali WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
      482,Kali WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.profile,lazy_ntfs,
      483,Kali WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
      484,Kali WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
      485,Kali WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\ext4.vhdx,lazy_ntfs,
      486,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
      487,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
      488,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
      489,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
      490,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*\agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
      491,Kaseya Setup Log,ApplicationLogs,Users\*\AppData\Local\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
      492,Kaseya Setup Log,ApplicationLogs,Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
      493,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
      494,Kaseya Agent Edge Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\KaseyaEdgeServices\**10,lazy_ntfs,https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
      495,Keepass User Config,Apps,Users\*\AppData\Roaming\KeePass\*.xml,lazy_ntfs,Collecting Keepass User Configuration File
      496,Keepass Config Xml,Apps,Program Files\KeePass Password Safe*\*.xml,lazy_ntfs,Collecting Keepass Configuration File
      497,Keepass Application Details,Apps,Program Files\KeePass Password Safe*\*.config,lazy_ntfs,Collecting Keepass Application Details
      498,Keepass Local Ini,Apps,Users\*\AppData\Local\KeePassXC\*.ini,lazy_ntfs,
      499,Keepass Roaming Ini,Apps,Users\*\AppData\Roaming\KeePassXC\*.ini,lazy_ntfs,
      500,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,Also includes automatic and custom jumplist directories
      501,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
      502,Start Menu LNK Files,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
      503,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent\**10,lazy_ntfs,
      504,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop\*.LNK,lazy_ntfs,
      505,Desktop LNK Files,LNKFiles,Users\*\Desktop\*.LNK,lazy_ntfs,
      506,Restore point LNK Files XP,LNKFiles,System Volume Information\_restore*\RP*\*.LNK,lazy_ntfs,
      507,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
      508,Level RMM Client Application logs,ApplicationLogs,Program Files\Level\*.log,lazy_ntfs,Contains Application Log entries such as service start and incoming connections.
      509,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history,lazy_ntfs,
      510,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout,lazy_ntfs,
      511,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc,lazy_ntfs,
      512,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile,lazy_ntfs,
      513,User Files - Desktop,LiveUserFiles,Users\*\Desktop\**10,lazy_ntfs,
      514,User Files - Documents,LiveUserFiles,Users\*\Documents\**10,lazy_ntfs,
      515,User Files - Downloads,LiveUserFiles,Users\*\Downloads\**10,lazy_ntfs,
      516,User Files - Dropbox,LiveUserFiles,Users\*\Dropbox*\**10,lazy_ntfs,
      517,LogFiles,Logs,Windows\System32\LogFiles\**10,lazy_ntfs,
      518,LogFiles,Logs,Windows.old\Windows\System32\LogFiles\**10,lazy_ntfs,
      519,Error logging,Misc,windows\PFRO.log,lazy_ntfs,
      520,LogMeIn ProgramData Logs,ApplicationLogs,ProgramData\LogMeIn\Logs\**10,lazy_ntfs,
      521,LogMeIn Application Logs,ApplicationLogs,Users\*\AppData\Local\temp\LogMeInLogs\**10,lazy_ntfs,"Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"
      522,MOF files,WMI,**10\*.MOF,lazy_ntfs,
      523,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG,lazy_ntfs,
      524,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*,lazy_ntfs,
      525,Macrium Reflect,Apps,ProgramData\Macrium\Macrium Service\*,lazy_ntfs,Copies out all log files
      526,Macrium Reflect,Apps,ProgramData\Macrium\Reflect\*,lazy_ntfs,Copies out the Reflect folder which contains many important logs
      527,Macrium Reflect,Apps,ProgramData\Macrium\Reflect Launcher,lazy_ntfs,Copies out the Reflect folder which contains many important logs
      528,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml,lazy_ntfs,
      529,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log*,lazy_ntfs,
      530,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\**10,lazy_ntfs,
      531,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults\**10,lazy_ntfs,
      532,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs\**10,lazy_ntfs,
      533,ManageEngine ADSelfService Plus Log Files,Logs,ManageEngine\ADSelfService Plus\logs\**10,lazy_ntfs,
      534,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB\**10,lazy_ntfs,Locates Mattermost logs and copies them
      535,McAfee Desktop Protection Logs XP,Antivirus,Users\All Users\Application Data\McAfee\DesktopProtection\**10,lazy_ntfs,
      536,McAfee Desktop Protection Logs,Antivirus,ProgramData\McAfee\DesktopProtection\**10,lazy_ntfs,
      537,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
      538,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs_Old\**10,lazy_ntfs,
      539,McAfee VirusScan Logs,Antivirus,ProgramData\Mcafee\VirusScan\**10,lazy_ntfs,
      540,McAfee ePO Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
      541,MediaMonkey - Media SQLite Database,Apps,Users\*\AppData\Roaming\MediaMonkey\MM.DB,lazy_ntfs,Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey
      542,MediaMonkey - MediaMonkey.ini,Apps,Users\*\AppData\Roaming\MediaMonkey\MediaMonkey.ini,lazy_ntfs,Locates .ini file which contains information about the user's MediaMonkey application instance
      543,MegaSync Folder,ApplicationLogs,Users\*\AppData\Local\Mega Limited\MEGAsync\**10,lazy_ntfs,
      544,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs,
      545,pagefile.sys,Memory,pagefile.sys,lazy_ntfs,
      546,swapfile.sys,Memory,swapfile.sys,lazy_ntfs,
      547,Small Memory Dump directory,Memory,Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
      548,Small Memory Dump directory,Memory,Windows.old\Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
      549,MeshAgent .msh (configuration) file,Apps,Program Files\Mesh Agent\**10\*.msh,lazy_ntfs,Grabs all .msh (config) files present in this folder
      550,MeshAgent log file,Logs,Program Files\Mesh Agent\**10\*.log,lazy_ntfs,Grabs all .log files present in this folder
      551,Microsoft Office Backstage,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\BackstageinAppNavCache\**10,lazy_ntfs,
      552,Microsoft OneNote - FullTextSearchIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
      553,Microsoft OneNote - RecentNotebooks_SeenURLs,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
      554,Microsoft OneNote - AccessibilityCheckerIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
      555,Microsoft OneNote - User NoteTags,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
      556,Microsoft OneNote - RecentSearches,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
      557,Windows Safety Scanner Logs,Antivirus,Windows\Debug\msert.log,lazy_ntfs,
      558,"Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes\StickyNotes.snt,lazy_ntfs,
      559,Microsoft Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
      560,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\**10,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more"
      561,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\**10,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more"
      562,Microsoft Teams Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Cache\**10,lazy_ntfs,Chromium cache which can be viewed with Nirsoft's ChromeCacheView
      563,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams\desktop-config.json,lazy_ntfs,JSON config file for Teams
      564,Microsoft Teams Logs (Windows 11),Apps,Users\*\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs,lazy_ntfs,Lots of log files for MS Teams
      565,Microsoft To Do - SQLite Database of To Do tasks,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
      566,Microsoft To Do - User Avatar,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\UserAvatar.jpg,lazy_ntfs,
      567,Midnight Commander -- All Configuation Files,Apps,Users\*\Midnight Commander\*,lazy_ntfs,Locates folder where all configuration files reside
      568,Multi Commander - Application Folder,Apps,Users\*\AppData\Local\MultiCommander*\**10,lazy_ntfs,Locates the contents of the Application folder.
      569,Multi Commander - Config Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Config\**10,lazy_ntfs,Locates the contents of the Config folder.
      570,Multi Commander - Log Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Logs\**10,lazy_ntfs,Locates log file(s) related to user activity within Multi Commander.
      571,Multi Commander - UserData Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\UserData\**10,lazy_ntfs,Locates the contents of the UserData folder.
      572,Multi Commander - Log File,Apps,Users\*\AppData\Roaming\MultiCommander*\**10\*MultiCommander.log,lazy_ntfs,Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.
      573,.NET CLR UsageLogs (user-scoped),.NET CLR UsageLogs,Users\*\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
      574,.NET CLR UsageLogs (system-scoped),.NET CLR UsageLogs,Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
      575,NGINX Log Files,Logs,nginx\logs\*.log,lazy_ntfs,
      576,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet\nzbget.log,lazy_ntfs,Locates NZBGet download log file
      577,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\*,lazy_ntfs,Locates NZBGet NZB files that were used by the user
      578,Nessus Logs,Nessus,ProgramData\Tenable\Nessus\conf\**10,lazy_ntfs,
      579,Nessus Logs,Nessus Logs,ProgramData\Tenable\Nessus\nessus\logs\**10,lazy_ntfs,
      580,Net Monitor Server Logs,ApplicationLogs,ProgramData\Net Monitor for Employees Pro\log\*\**10,lazy_ntfs,Contains Net Monitor server logs
      581,Net Monitor Server Data,Communications,ProgramData\Net Monitor for Employees Pro\data\**10,lazy_ntfs,Contains Net Monitor server data - Indicates what have been seen as the attacker
      582,Net Monitor Server Config,Apps,ProgramData\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor server config
      583,Net Monitor Server Temp Folder,Apps,ProgramData\Net Monitor for Employees Pro\tmp\**10,lazy_ntfs,
      584,Net Monitor Client Logs,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\log\**10,lazy_ntfs,Contains Net Monitor client logs
      585,Net Monitor Client Config,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor client config
      586,Usenet Clients - Newsbin Pro,FileDownload,Users\*\AppData\Local\Newsbin\Downloaded.db3,lazy_ntfs,Locates Newsbin Pro download log database
      587,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher\downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file
      588,Nicotine++ Logs,FileDownload,Users\*\AppData\Roaming\nicotine\logs\**10,lazy_ntfs,"Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)"
      589,Nicotine++ Incomplete Downloads,FileDownload,Users\*\AppData\Roaming\nicotine\incomplete\**10,lazy_ntfs,Locates files that did not finish downloading
      590,Nicotine++ Buddyfiles.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddyfiles.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
      591,Nicotine++ Buddystreams.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddystreams.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
      592,Nicotine++ Buddymtimes.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddymtimes.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a folder level"
      593,Nicotine++ Buddyfileindex.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddyfileindex.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a file level"
      594,Nicotine++ Buddywordindex.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddywordindex.db\**10,lazy_ntfs,Unknown what this is for at this time
      595,Nicotine++ Config Files,FileDownload,Users\*\AppData\Roaming\nicotine\config\**10,lazy_ntfs,Locates config files
      596,Nicotine++ User Shares,FileDownload,Users\*\AppData\Roaming\nicotine\usershares\**10,lazy_ntfs,Locates a DB that appears to store a list of files per user that they are sharing within Nicotine++. Note: this requires the user to right-click -> browse files shared by that user
      597,Nicotine++ Downloads.json,FileDownload,Users\*\AppData\Roaming\nicotine\downloads.json*,lazy_ntfs,Locates downloads.json
      598,Nicotine++ Uploads.json,FileDownload,Users\*\AppData\Roaming\nicotine\uploads.json*,lazy_ntfs,Locates uploads.json
      599,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup\**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
      600,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++\config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
      601,Notepad++ Session,Text Editor,Users\*\AppData\Roaming\Notepad++\session.xml,lazy_ntfs,Retrieves session.xml which contains session date
      602,Notepad Session Files,Windows Notepad,Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\*.bin,lazy_ntfs,Contains .bin files which consist of the files opened in each tab in Windows Notepad
      603,Notion Local Storage,Apps,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,"Local storage file containing all pages, databases, users, etc."
      604,Notion Custom Dictionary,Apps,Users\*\AppData\Roaming\Notion\Partitions\notion\Custom Dictionary.txt,lazy_ntfs,
      605,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\**10,lazy_ntfs,
      606,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\**10,lazy_ntfs,
      607,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint\**10,lazy_ntfs,
      608,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\**10,lazy_ntfs,
      609,Office Diagnostics,Execution,Users\*\AppData\Local\Diagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
      610,Office Elevated Diagnostics,Execution,Users\*\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
      611,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\**10,lazy_ntfs,
      612,One Commander - All Configuration Files,Apps,Users\*\OneCommander\*,lazy_ntfs,Locates folder where all configuration files reside
      613,One Commander - Other Configuration Files,Apps,Users\*\AppData\Local\Apps\2.0\*\*\onec*\**10,lazy_ntfs,Locates folder where all configuration files reside
      614,OneDrive Metadata Logs,Apps,Users\*\AppData\Local\Microsoft\OneDrive\logs\**10,lazy_ntfs,
      615,OneDrive Metadata Settings,Apps,Users\*\AppData\Local\Microsoft\OneDrive\settings\**10,lazy_ntfs,
      616,OneDrive User Files,Apps,Users\*\OneDrive*\**10,lazy_ntfs,Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network.
      617,OpenSSH Config File,Apps,Users\*\.ssh\config,lazy_ntfs,"Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server"
      618,OpenSSH Known Hosts,Apps,Users\*\.ssh\known_hosts,lazy_ntfs,"Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints"
      619,OpenSSH Public Keys,Apps,Users\*\.ssh\*.pub,lazy_ntfs,"Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same."
      620,OpenSSH Default RSA Private Key,Apps,Users\*\.ssh\id_rsa,lazy_ntfs,Default name for an auto-generated SSH RSA private key
      621,OpenSSH Default ECDSA Private Key,Apps,Users\*\.ssh\id_ecdsa,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key
      622,OpenSSH Default ECDSA-SK Private Key,Apps,Users\*\.ssh\id_ecdsa_sk,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key using a Security Key
      623,OpenSSH Default ED25519 Private Key,Apps,Users\*\.ssh\id_ed25519,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key
      624,OpenSSH Default ED25519-SK Private Key,Apps,Users\*\.ssh\id_ed25519_sk,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key using a Security Key
      625,OpenSSH Default DSA Private Key,Apps,Users\*\.ssh\id_dsa,lazy_ntfs,Default name for an auto-generated SSH DSA private key
      626,OpenSSH Server Config File,Apps,ProgramData\ssh\sshd_config,lazy_ntfs,Config file can hold information on allowed/denied users
      627,OpenSSH Server Logs,Apps,ProgramData\ssh\logs\*,lazy_ntfs,OpenSSH server logs
      628,OpenSSH Host ECDSA Key,Apps,ProgramData\ssh\ssh_host_ecdsa_key,lazy_ntfs,Retrieves the host ECDSA key
      629,OpenSSH Host ED25519 Key,Apps,ProgramData\ssh\ssh_host_ed25519_key,lazy_ntfs,Retrieves the host ED25519 key
      630,OpenSSH Host DSA Key,Apps,ProgramData\ssh\ssh_host_dsa_key,lazy_ntfs,Retrieves the host DSA key
      631,OpenSSH Host RSA Key,Apps,ProgramData\ssh\ssh_host_rsa_key,lazy_ntfs,Retrieves the host RSA key
      632,OpenSSH User Authorized Keys,Apps,Users\*\.ssh\authorized_keys,lazy_ntfs,Retrieves the user's authorised public keys
      633,OpenSSH User Authorized Keys 2,Apps,Users\*\.ssh\authorized_keys2,lazy_ntfs,Retrieves the user's authorised public keys from the second file
      634,OpenSSH Authorized Administrator Keys,Apps,ProgramData\ssh\administrators_authorized_keys,lazy_ntfs,Retrieves the administrator group's authorised public keys
      635,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
      636,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
      637,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log\*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
      638,Opera - Local Folder,Communications,Users\*\AppData\Local\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Local folder
      639,Opera - Roaming Folder,Communications,Users\*\AppData\Roaming\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Roaming folder
      640,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst,lazy_ntfs,
      641,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost,lazy_ntfs,
      642,PST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.pst,lazy_ntfs,
      643,OST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.ost,lazy_ntfs,
      644,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.pst,lazy_ntfs,"Outlook Data File: POP accounts, archives, older installations"
      645,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.ost,lazy_ntfs,"Offline Outlook Data File: M365, Exchange, IMAP"
      646,NST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.nst,lazy_ntfs,Outlook Group Storage File: Group conversations and calendar
      647,Outlook Attachment Temporary Storage,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\**10,lazy_ntfs,Outlook temporary storage folder for user attachments
      648,PeaZip Configuration Files,FileKnowledge,Users\*\AppData\Roaming\PeaZip\**10,lazy_ntfs,
      649,Perflogs,Application,PerfLogs\**10,lazy_ntfs,
      650,PowerShell 7 Config JSON,PowerShell,Program Files\PowerShell\7\powershell.config.json,lazy_ntfs,
      651,PowerShell Console Log,PowerShellConsoleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*_history.txt,lazy_ntfs,
      652,PowerShell Console Log Systemprofile,PowerShellConsoleLog,Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
      653,PowerShell Console Log WOW64 Systemprofile,PowerShellConsoleLog,Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
      654,PowerShell ISE - AutoSave Files,PowerShellConsoleLog,Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles\*.ps1,lazy_ntfs,
      655,PowerShell ISE - User Config,PowerShellConsoleLog,Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\*.config,lazy_ntfs,
      656,PowerShell Transcripts - Default Location,PowerShellTranscripts,Users\*\Documents\PowerShell_transcript.*.txt,lazy_ntfs,
      657,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Users\*\Documents\20*\PowerShell_transcript.*.txt,lazy_ntfs,
      658,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\SysWOW64\*\PowerShell_transcript.*.txt,lazy_ntfs,
      659,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Program Files\Amazon\Ec2ConfigService\Scripts\*\PowerShell_transcript.*.txt,lazy_ntfs,
      660,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\System32\*\PowerShell_transcript.*.txt,lazy_ntfs,
      661,Prefetch,Prefetch,Windows\prefetch\*.pf,lazy_ntfs,
      662,Prefetch,Prefetch,Windows.old\Windows\prefetch\*.pf,lazy_ntfs,
      663,ProgramData,ApplicationData,ProgramData\**10,lazy_ntfs,
      664,ProtonVPN - Connection Logs,ApplicationLogs,Users\*\AppData\Local\ProtonVPN\Logs,lazy_ntfs,Locates ProtonVPN connection logs.
      665,Puffin - data.db,Communications,Users\*\AppData\Local\PuffinSecureBrowser\data.db,lazy_ntfs,Grabs an important database file that contains browser history
      666,Puffin - Autocomplete Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\autocompletes.dat,lazy_ntfs,Grabs a file that stores autocomplete data
      667,Puffin - Password Forms Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\passwordForms.dat,lazy_ntfs,Grabs a file that stores some saved password data
      668,Puffin - Password (Encrypted),Communications,Users\*\AppData\Local\PuffinSecureBrowser\credential.dat,lazy_ntfs,Grabs a file that stores passwords in an encrypted format
      669,Puffin - Subscription Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\subscription,lazy_ntfs,Grabs a file that stores the user's email address that's associated with their Puffin subscription
      670,Puffin - Cookies,Communications,Users\*\AppData\Local\PuffinSecureBrowser\cookies.dat,lazy_ntfs,Grabs a file that stores information related to cookies
      671,Puffin - Image Cache,Communications,Users\*\AppData\Local\PuffinSecureBrowser\image_cache\**10,lazy_ntfs,Grabs a directory that caches images from websites visited
      672,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
      673,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
      674,Q-Dir - .ini File,Apps,Users\*\AppData\Roaming\Q-Dir\Q-Dir.ini,lazy_ntfs,Locates .ini file associated with Q-Dir which stores useful user activity information.
      675,Q-Dir - .qdr file,Apps,Users\*\AppData\Roaming\Q-Dir\start.qdr,lazy_ntfs,"Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately)."
      676,QFinderPro,Apps,Users\*\AppData\Local\QNAP\QfinderPro,lazy_ntfs,Locates a JSON file that provides network location information for any QNAP connected devices.
      677,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.txt,lazy_ntfs,Collects the proxy logs for Qlik Sense
      678,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.log,lazy_ntfs,Collects the proxy logs for Qlik Sense
      679,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.txt,lazy_ntfs,Collects the scheduler logs for Qlik Sense
      680,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.log,lazy_ntfs,Collects the scheduler logs for Qlik Sense
      681,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
      682,Windows.old RDP Cache Files,FileSystem,Windows.old\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
      683,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
      684,RDP Jumplist Files,FileSystem,Users\*\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\**10,lazy_ntfs,
      685,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
      686,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
      687,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
      688,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
      689,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
      690,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
      691,RDPCoreTS Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
      692,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
      693,Radmin Server 32bit Log,ApplicationLogs,Windows\SysWOW64\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
      694,Radmin Server 64bit Log,ApplicationLogs,Windows\System32\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
      695,Radmin Server 32bit Chats,ApplicationLogs,Windows\SysWOW64\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
      696,Radmin Server 64bit Chats,ApplicationLogs,Windows\System32\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
      697,Radmin Viewer Chats,ApplicationLogs,Users\*\Documents\ChatLogs\*\*.htm,lazy_ntfs,Previous chat logs
      698,Rclone Config,Apps,**10\rclone.conf,lazy_ntfs,
      699,RecentFileCache,ApplicationCompatibility,Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
      700,RecentFileCache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
      701,LNK Files from Recent,File and Folder Usage,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
      702,LNK Files from Microsoft Office Recent,File and Folder Usage,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
      703,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$R*,lazy_ntfs,
      704,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\*\$R*\**10,lazy_ntfs,
      705,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\D*,lazy_ntfs,
      706,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$I*,lazy_ntfs,
      707,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\INFO2,lazy_ntfs,
      708,Registry.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\Registry.dat*,lazy_ntfs,
      709,User.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\User.dat*,lazy_ntfs,
      710,UserClasses.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\UserClasses.dat*,lazy_ntfs,
      711,BBI registry hive,Registry,Windows\System32\config\BBI,lazy_ntfs,
      712,BBI registry hive,Registry,Windows.old\Windows\System32\config\BBI,lazy_ntfs,
      713,BBI registry transaction files,Registry,Windows\System32\config\BBI.LOG*,lazy_ntfs,
      714,BBI registry transaction files,Registry,Windows.old\System32\config\BBI.LOG*,lazy_ntfs,
      715,BCD-Template registry hive,Registry,Windows\System32\config\BCD-Template,lazy_ntfs,
      716,BCD-Template registry hive,Registry,Windows.old\Windows\System32\config\BCD-Template,lazy_ntfs,
      717,BCD-Template registry transaction files,Registry,Windows\System32\config\BCD-Template.LOG*,lazy_ntfs,
      718,BCD-Template registry transaction files,Registry,Windows.old\System32\config\BCD-Template.LOG*,lazy_ntfs,
      719,COMPONENTS registry hive,Registry,Windows\System32\config\COMPONENTS,lazy_ntfs,
      720,COMPONENTS registry hive,Registry,Windows.old\Windows\System32\config\COMPONENTS,lazy_ntfs,
      721,COMPONENTS registry transaction files,Registry,Windows\System32\config\COMPONENTS.LOG*,lazy_ntfs,
      722,COMPONENTS registry transaction files,Registry,Windows.old\System32\config\COMPONENTS.LOG*,lazy_ntfs,
      723,DRIVERS registry hive,Registry,Windows\System32\config\DRIVERS,lazy_ntfs,
      724,DRIVERS registry hive,Registry,Windows.old\Windows\System32\config\DRIVERS,lazy_ntfs,
      725,DRIVERS registry transaction files,Registry,Windows\System32\config\DRIVERS.LOG*,lazy_ntfs,
      726,DRIVERS registry transaction files,Registry,Windows.old\System32\config\DRIVERS.LOG*,lazy_ntfs,
      727,ELAM registry hive,Registry,Windows\System32\config\ELAM,lazy_ntfs,
      728,ELAM registry hive,Registry,Windows.old\Windows\System32\config\ELAM,lazy_ntfs,
      729,ELAM registry transaction files,Registry,Windows\System32\config\ELAM.LOG*,lazy_ntfs,
      730,ELAM registry transaction files,Registry,Windows.old\System32\config\ELAM.LOG*,lazy_ntfs,
      731,userdiff registry hive,Registry,Windows\System32\config\userdiff,lazy_ntfs,
      732,userdiff registry hive,Registry,Windows.old\Windows\System32\config\userdiff,lazy_ntfs,
      733,userdiff registry transaction files,Registry,Windows\System32\config\userdiff.LOG*,lazy_ntfs,
      734,userdiff registry transaction files,Registry,Windows.old\System32\config\userdiff.LOG*,lazy_ntfs,
      735,VSMIDK registry hive,Registry,Windows\System32\config\VSMIDK,lazy_ntfs,
      736,VSMIDK registry hive,Registry,Windows.old\Windows\System32\config\VSMIDK,lazy_ntfs,
      737,VSMIDK registry transaction files,Registry,Windows\System32\config\VSMIDK.LOG*,lazy_ntfs,
      738,VSMIDK registry transaction files,Registry,Windows.old\System32\config\VSMIDK.LOG*,lazy_ntfs,
      739,SAM registry transaction files,Registry,Windows\System32\config\SAM.LOG*,lazy_ntfs,
      740,SAM registry transaction files,Registry,Windows.old\Windows\System32\config\SAM.LOG*,lazy_ntfs,
      741,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
      742,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
      743,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      744,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      745,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
      746,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
      747,SAM registry hive,Registry,Windows\System32\config\SAM,lazy_ntfs,
      748,SAM registry hive,Registry,Windows.old\Windows\System32\config\SAM,lazy_ntfs,
      749,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs,
      750,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs,
      751,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
      752,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
      753,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs,
      754,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs,
      755,RegBack registry transaction files,Registry,Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
      756,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
      757,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SAM,lazy_ntfs,
      758,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SAM,lazy_ntfs,
      759,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
      760,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
      761,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
      762,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
      763,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
      764,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
      765,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
      766,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
      767,System Profile registry hive,Registry,Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
      768,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
      769,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
      770,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
      771,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
      772,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
      773,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
      774,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
      775,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
      776,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
      777,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
      778,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
      779,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*,lazy_ntfs,
      782,NTUSER.DAT registry transaction files,Registry,Users\*\NTUSER.DAT.LOG*,lazy_ntfs,
      783,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config\DEFAULT,lazy_ntfs,
      784,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config\DEFAULT,lazy_ntfs,
      785,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
      786,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
      788,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*,lazy_ntfs,
      789,RemoteUtilities Connection Logs,Remote Access,Program Files*\Remote Utilities - Host\Logs\rut_log_*.html,lazy_ntfs,Includes connection log files
      790,RemoteUtilities Install Log,Remote Access,ProgramData\Remote Utilities\install.log,lazy_ntfs,Includes Install log file
      791,NTUSER.DAT registry hive,Registry,**10\NTUSER.DAT,lazy_ntfs,
      792,NTUSER.DAT registry transaction files,Registry,**10\NTUSER.DAT.LOG*,lazy_ntfs,
      793,NTUSER.DAT DEFAULT registry hive,Registry,**10\DEFAULT,lazy_ntfs,
      794,NTUSER.DAT DEFAULT transaction files,Registry,**10\DEFAULT.LOG*,lazy_ntfs,
      795,UsrClass.dat registry hive,Registry,**10\UsrClass.dat,lazy_ntfs,
      796,UsrClass.dat registry transaction files,Registry,**10\UsrClass.dat.LOG*,lazy_ntfs,
      797,LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
      797,Desktop LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
      798,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
      798,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
      799,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\*,lazy_ntfs,
      800,PowerPoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\PowerPoint\*,lazy_ntfs,
      801,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\*,lazy_ntfs,
      802,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
      802,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
      803,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      803,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      804,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
      804,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
      805,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      805,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      806,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      806,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      807,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
      807,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
      808,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
      808,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
      809,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      809,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      810,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
      810,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
      811,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      811,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      812,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      812,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      813,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
      813,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
      814,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      814,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      815,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
      815,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
      816,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
      816,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
      817,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
      817,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
      818,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      818,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      819,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
      819,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
      820,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
      820,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
      821,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      821,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      822,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      822,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      823,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
      823,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
      824,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      824,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      825,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      825,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      826,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      826,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      827,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      827,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      828,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
      828,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
      829,Amcache,ApplicationCompatibility,**10\Amcache.hve,lazy_ntfs,
      830,Amcache transaction files,ApplicationCompatibility,**10\Amcache.hve.LOG*,lazy_ntfs,
      831,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
      831,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
      832,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
      832,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
      833,Robo-FTP User Scripts,Apps,Program Files\Robo-FTP 3.12\UserData\*\Scripts\*.s,lazy_ntfs,Custom scripts created by each user
      834,Robo-FTP User Debug Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Debug\*.log,lazy_ntfs,"Debug logs generated for each user, if enabled"
      835,Robo-FTP User Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Logs\*,lazy_ntfs,Script and Trace logs generated for each user
      836,Robo-FTP User XML Config,Apps,Program Files\Robo-FTP 3.12\UserData\*\config.xml,lazy_ntfs,Config.xml unique to each user. Contains list of custom scripts and ftp sites
      837,Robo-FTP User SSH Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\*,lazy_ntfs,Saved SSH keys for each user
      838,Robo-FTP User SSL Certificates,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\*,lazy_ntfs,Saved SSL Certificates for each user
      839,Robo-FTP User PGP Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\*,lazy_ntfs,Saved PGP Keys for each user
      840,Robo-FTP SSH Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\*,lazy_ntfs,Shared SSH keys
      841,Robo-FTP SSL Certificates,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\*,lazy_ntfs,Shared SSL Certificates
      842,Robo-FTP PGP Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\*,lazy_ntfs,Shared PGP Keys
      843,Robo-FTP Debug Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Debug\*,lazy_ntfs,Debug logs generated by Robo-FTP
      844,Robo-FTP Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Logs\*,lazy_ntfs,Script and Trace logs generated by Robo-FTP
      845,Robo-FTP XML Config,Apps,Program Files\Robo-FTP 3.12\ProgramData\config.xml,lazy_ntfs,Config.xml. Contains list of custom scripts and ftp sites
      846,Robo-FTP Jobs,Apps,Program Files\Robo-FTP 3.12\ProgramData\SchedulerService.sqlite,lazy_ntfs,Contains details of scheduled jobs
      847,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs\AdliceReport_*.json,lazy_ntfs,
      848,RustDesk logs,Communications,Users\*\AppData\Roaming\RustDesk\*,lazy_ntfs,Collects all log files related to RustDesk
      849,RustDesk logs,Communications,Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server,lazy_ntfs,Collects all log files related to RustDesk
      850,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs\sabnzbd.log,lazy_ntfs,Locates SABnzbd download log
      851,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin\history1.db,lazy_ntfs,Locates SABnzbd history log
      852,SCCM Client Log Files,Logs,Windows\CCM\Logs,lazy_ntfs,
      853,SDB Files,Executables,Windows\apppatch\Custom\*.sdb,lazy_ntfs,
      854,SDB Files,Executables,Windows.old\Windows\apppatch\Custom\*.sdb,lazy_ntfs,
      855,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
      856,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
      857,4K Video Downloader,SQLDatabases,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
      858,Microsoft OneNote - FullTextSearchIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
      859,Microsoft OneNote - RecentNotebooks_SeenURLs,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
      860,Microsoft OneNote - AccessibilityCheckerIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
      861,Microsoft OneNote - User NoteTags,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
      862,Microsoft OneNote - RecentSearches,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
      863,Microsoft Sticky Notes - 1607 and later,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
      864,Microsoft To Do - SQLite Database of To Do tasks,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
      865,Robo-FTP Jobs,Apps,Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite,lazy_ntfs,
      866,TeraCopy - History Databases,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\History\*.db,lazy_ntfs,
      867,TeraCopy - Main Database,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\main.db,lazy_ntfs,
      868,Notion Local Storage,Apps,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,
      869,IDrive Backed Up Files,Apps,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs,lazy_ntfs,
      870,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\filecache.db*,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
      871,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\config.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
      872,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\home.db,lazy_ntfs,SQlite database which appears to keep track of the user's recent Dropbox activity
      873,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\icon.db,lazy_ntfs,SQLite database which appears to keep track of icons in the user's Drobox sync history which can give an indication as to which files and folders are present
      874,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync_history.db,lazy_ntfs,SQLite database which appears to keep track of the user's Drobox sync history
      875,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*,lazy_ntfs,SQLite database which appears to contain a table for deleted files
      876,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
      877,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
      878,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\aggregation.dbx,lazy_ntfs,SQLite database which appears to contain snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch
      879,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
      879,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
      880,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db,lazy_ntfs,Windows_GoogleDrive_CloudGraphDB.smap
      881,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\TempData\*\change_buffer\**10,lazy_ntfs,DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive
      882,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\snapshot.db,lazy_ntfs,Windows_GoogleDrive_SnapshotDB.smap
      883,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\sync_config.db,lazy_ntfs,Windows_GoogleDrive_SyncConfigDB.smap
      884,FileZilla SQLite3 Log Files,SQLDatabases,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs,
      885,Chrome bookmarks XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      886,Chrome Cookies XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
      887,Chrome Current Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      888,Chrome Current Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      889,Chrome Favicons XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      890,Chrome History XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs,
      891,Chrome Last Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      892,Chrome Last Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      893,Chrome Login Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      894,Chrome Preferences XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      895,Chrome Shortcuts XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      896,Chrome Top Sites XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      897,Chrome Visited Links XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      898,Chrome Web Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      899,Chrome bookmarks,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
      900,Chrome Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
      901,Chrome Current Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
      902,Chrome Current Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
      903,Chrome Download Metadata,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
      904,Chrome Extension Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
      905,Chrome Favicons,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
      906,Chrome History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
      907,Chrome Last Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
      908,Chrome Last Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
      909,Chrome Login Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
      910,Chrome Media History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
      911,Chrome Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
      912,Chrome Network Persistent State,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
      913,Chrome Preferences,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
      914,Chrome Quota Manager,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
      915,Chrome Reporting and NEL,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
      916,Chrome Shortcuts,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
      917,Chrome Top Sites,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
      918,Chrome Trust Tokens,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
      919,Chrome SyncData Database,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      920,Chrome Visited Links,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
      921,Chrome Web Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
      922,Edge bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
      922,Edge Bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
      923,Edge Collections,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs,
      924,Edge Cookies,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cookies*,lazy_ntfs,
      925,Edge Current Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs,
      926,Edge Current Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs,
      927,Edge Favicons,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs,
      928,Edge History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs,
      929,Edge Last Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs,
      930,Edge Last Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs,
      931,Edge Login Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs,
      932,Edge Media History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs,
      933,Edge Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs,
      934,Edge Preferences,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs,
      935,Edge Shortcuts,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs,
      936,Edge Top Sites,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs,
      937,Edge SyncData Database,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      938,Edge Visited Links,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs,
      939,Edge Web Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs,
      940,Addons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
      941,Bookmarks,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs,
      942,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
      943,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs,
      944,Downloads,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
      945,Favicons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
      946,Form history,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
      947,Permissions,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs,
      948,Places,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
      949,Protections,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs,
      950,Search,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
      951,Signons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
      952,Storage Sync,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs,
      953,Webappstore,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
      954,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
      955,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
      956,ActivitiesCache.db,SQLDatabases,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs,
      957,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs,
      958,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases
      959,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
      960,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
      961,SRUM,Execution,Windows\System32\SRU\**10,lazy_ntfs,
      962,SRUM,Execution,Windows.old\Windows\System32\SRU\**10,lazy_ntfs,
      963,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
      964,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
      965,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      966,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      967,SUM Database (.mdb files),Logs,Windows\System32\LogFiles\SUM\*.mdb,lazy_ntfs,"Grabs Current.mdb, SystemIdentity.mdb, and [GUID].mdb"
      968,SUPERAntiSpyware Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\**10,lazy_ntfs,
      969,SUSE Linux Enterprise Server WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\os-release,lazy_ntfs,
      970,SUSE Linux Enterprise Server WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\fstab,lazy_ntfs,
      971,SUSE Linux Enterprise Server WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\passwd,lazy_ntfs,
      972,SUSE Linux Enterprise Server WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\group,lazy_ntfs,
      973,SUSE Linux Enterprise Server WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\shadow,lazy_ntfs,
      974,SUSE Linux Enterprise Server WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\timezone,lazy_ntfs,
      975,SUSE Linux Enterprise Server WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hostname,lazy_ntfs,
      976,SUSE Linux Enterprise Server WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hosts,lazy_ntfs,
      977,SUSE Linux Enterprise Server WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
      978,SUSE Linux Enterprise Server WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\profile,lazy_ntfs,
      979,SUSE Linux Enterprise Server WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
      980,SUSE Linux Enterprise Server WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
      981,SUSE Linux Enterprise Server WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.profile,lazy_ntfs,
      982,SUSE Linux Enterprise Server WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\ext4.vhdx,lazy_ntfs,
      983,at .job,Persistence,Windows\Tasks\*.job,lazy_ntfs,
      984,at .job,Persistence,Windows.old\Windows\Tasks\*.job,lazy_ntfs,
      985,at SchedLgU.txt,Persistence,Windows\SchedLgU.txt,lazy_ntfs,
      986,at SchedLgU.txt,Persistence,Windows.old\Windows\SchedLgU.txt,lazy_ntfs,
      987,XML,Persistence,Windows\System32\Tasks\**10,lazy_ntfs,
      988,XML,Persistence,Windows\syswow64\Tasks\**10,lazy_ntfs,
      989,XML,Persistence,Windows.old\Windows\System32\Tasks\**10,lazy_ntfs,
      990,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\Session.db,lazy_ntfs,SQLite database with session information
      991,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\User.xml,lazy_ntfs,Contains each user's last authenticated time
      992,ScreenConnect User Config,ApplicationLogs,ProgramData\ScreenConnect Client*\user.config,lazy_ntfs,Contains server domain and IP info
      993,SecureAge Antvirus Logs,Antivirus,ProgramData\SecureAge Technology\SecureAge\log\**10,lazy_ntfs,
      994,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs\**10,lazy_ntfs,Logs are in Binary Format (.binlog)
      995,Session App Folder,Apps,Users\*\AppData\Roaming\Session\**10,lazy_ntfs,Session App Folder
      996,ShareX,Apps,Users\*\Documents\ShareX\**10,lazy_ntfs,Locates and captures all files within the default ShareX folder path
      997,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza\**10,lazy_ntfs,Locates Shareaza logs and copies them.
      998,Siemens TIA Settings,ICS,Users\*\AppData\Roaming\Siemens\Automation\Portal*\Settings\**10,lazy_ntfs,
      999,Signal Attachments cache,Communications,Users\*\AppData\Roaming\Signal\attachments.noindex\**10,lazy_ntfs,Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with
      1000,Signal Logs,Communications,Users\*\AppData\Roaming\Signal\logs\**10,lazy_ntfs,"Logs for Signal. Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc."
      1001,Signal config.json,Communications,Users\*\AppData\Roaming\Signal\config.json,lazy_ntfs,config.json holds the db.sqlite SQLCipher raw key
      1002,Signal Database,Communications,Users\*\AppData\Roaming\Signal\sql\db.sqlite,lazy_ntfs,"Stores attachment details, conversations, messages, and more"
      1003,SignatureCatalog,FileMetadata,Windows\System32\CatRoot\**10,lazy_ntfs,
      1004,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot\**10,lazy_ntfs,
      1005,main.db (App <v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db,lazy_ntfs,
      1006,skype.db (App +v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db,lazy_ntfs,
      1007,main.db XP,Communications,Documents and Settings\*\Application Data\Skype\*\main.db,lazy_ntfs,
      1008,main.db Win7+,Communications,Users\*\AppData\Roaming\Skype\*\main.db,lazy_ntfs,
      1009,s4l-[username].db (App +v8),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db,lazy_ntfs,
      1010,leveldb (Skype for Desktop +v8),Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\**10,lazy_ntfs,
      1011,Skype for Destkop v8+ Chromium Cache,Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\Cache\**10,lazy_ntfs,Can be viewed with Nirsoft's ChromeCacheView
      1012,Slack - Chat Logs,Apps,Users\*\AppData\Roaming\Slack\IndexedDB\**10,lazy_ntfs,Locates Slack logs and copies them
      1013,Slack LevelDB Files,Apps,Users\*\AppData\Roaming\Slack\Local Storage\leveldb\**10,lazy_ntfs,
      1014,Slack Electron Logs,Apps,Users\*\AppData\Roaming\Slack\logs\**10,lazy_ntfs,Current Slack application is based on Electron and additional logging can be found here.
      1015,Slack Cache,Apps,Users\*\AppData\Roaming\Slack\Cache\**10,lazy_ntfs,Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView
      1016,Slack Storage,Apps,Users\*\AppData\Roaming\Slack\storage\**10,lazy_ntfs,User activity logs can be present including slack-downloads log
      1017,Snagit - Captures,Apps,Users\*\AppData\Local\TechSmith\Snagit\DataStore,lazy_ntfs,Locates all Snagit captures
      1018,Snip & Sketch,FileKnowledge,Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\*.png,lazy_ntfs,Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows
      1019,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
      1020,Sophos Logs,Antivirus,ProgramData\Sophos\*\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
      1021,Sophos Logs,Antivirus,ProgramData\Sophos\Logs\**10,lazy_ntfs,Contains SophosUnifiedSupport.log
      1022,Soulseek Chat Logs,FileDownload,Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs\**10,lazy_ntfs,Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22.
      1023,Soulseek Search History/Shared Folders/Settings,FileDownload,Users\*\AppData\Local\SoulseekQt\1\*.dat,lazy_ntfs,"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item)."
      1024,SpeedCommander - .ini File,Apps,Users\*\AppData\Roaming\SpeedProject\SpeedCommander 19\*,lazy_ntfs,Locates folder where all configuration files reside
      1025,Splashtop Log Files,Software,Program Files*\Splashtop\Splashtop Remote\Server\log\**10,lazy_ntfs,Collects logs for Splashtop
      1026,Splashtop Log Files in ProgramData,Software,ProgramData\Splashtop\Temp\log\**10,lazy_ntfs,Collects logs for Splashtop
      1029,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
      1030,StartupInfo XML Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
      1031,Steam Game Image files,Apps,Program Files\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
      1032,Steam Login Metadata file,Apps,Program Files\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
      1033,Steam Friend List and Username History file,Apps,Program Files\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
      1034,Steam User Avatar files,Apps,Program Files\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
      1035,Steam Game Tray Icon files,Apps,Program Files\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
      1036,Steam Startup Times Log file,Apps,Program Files\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
      1037,Steam Game Image files,Apps,Program Files (x86)\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
      1038,Steam Login Metadata file,Apps,Program Files (x86)\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
      1039,Steam Friend List and Username History file,Apps,Program Files (x86)\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
      1040,Steam User Avatar files,Apps,Program Files (x86)\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
      1041,Steam Game Tray Icon files,Apps,Program Files (x86)\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
      1042,Steam Startup Times Log file,Apps,Program Files (x86)\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
      1043,SublimeText 2/3 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Settings\Session.sublime_session,lazy_ntfs,Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file
      1044,SublimeText 4 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Local\*.sublime_session,lazy_ntfs,Sublime Text 4 stores unsaved (temporary) files and its content in its .sublime_session files
      1045,SugarSync Log File,Apps,Users\*\AppData\Local\SugarSync\sc1.log,lazy_ntfs,Locates a log file the gives a play-by-play of what the user synced when.
      1046,SugarSync - Shared Folders (Default Location),Apps,Users\*\Documents\SugarSync Shared Folders\**10,lazy_ntfs,
      1047,SugarSync - My SugarSync (Default Location),Apps,Users\*\Documents\My SugarSync\**10,lazy_ntfs,
      1048,SumatraPDF Settings - SessionData,FileKnowledge,Users\*\AppData\Local\SumatraPDF\SumatraPDF-settings.txt,lazy_ntfs,Settings file which contains information about previous user session
      1049,SumatraPDF Cache,FileKnowledge,Users\*\AppData\Local\SumatraPDF\sumatrapdfcache,lazy_ntfs,Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close
      1050,Supremo Connection Logs,Communications,ProgramData\SupremoRemoteDesktop\Log\*.log,lazy_ntfs,Includes Supremo.00.Client.log and Supremo.00.Incoming.log
      1051,Supremo File Transfer Inbox,Communications,ProgramData\SupremoRemoteDesktop\Inbox,lazy_ntfs,Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log
      1052,Symantec Endpoint Protection Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\**10,lazy_ntfs,
      1053,Symantec Endpoint Protection Logs,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\**10,lazy_ntfs,
      1054,Symantec Endpoint Protection User Logs,Antivirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\**10,lazy_ntfs,
      1055,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
      1056,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
      1057,Symantec Endpoint Protection Quarantine (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**10,lazy_ntfs,
      1058,Symantec Endpoint Protection Quarantine,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**10,lazy_ntfs,
      1059,ccSubSDK Database,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**10,lazy_ntfs,
      1060,registrationInfo.xml,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml,lazy_ntfs,
      1061,Syscache,Program Execution,System Volume Information\Syscache.hve,lazy_ntfs,
      1062,Syscache transaction files,Program Execution,System Volume Information\Syscache.hve.LOG*,lazy_ntfs,
      1063,Tablacus Explorer - remember.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\remember.xml,lazy_ntfs,
      1064,Tablacus Explorer - window.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window.xml,lazy_ntfs,
      1065,Tablacus Explorer - window1.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window1.xml,lazy_ntfs,
      1066,TeamViewer Connection Logs,Communications,Program Files*\TeamViewer\connections*.txt,lazy_ntfs,Includes connections_incoming.txt and connections.txt
      1067,TeamViewer Application Logs,ApplicationLogs,Program Files*\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log
      1068,TeamViewer Application User Logs,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Alternate location for TeamViewer<version>_Logfile.log
      1069,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\**10,lazy_ntfs,Includes miscellaneous config files
      1070,Telegram app folder,Apps,Users\*\AppData\Roaming\Telegram Desktop\**10,lazy_ntfs,Telegram app folder structure
      1071,Telegram downloaded files,Apps,Users\*\Downloads\Telegram Desktop\**10,lazy_ntfs,Chat Attachments
      1072,TeraCopy,TeraCopy,Users\*\AppData\Roaming\TeraCopy\**10,lazy_ntfs,
      1073,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db,lazy_ntfs,
      1074,Mozilla Thunderbird Install Date,Apps,Users\*\AppData\Roaming\Thunderbird\Crash Reports\InstallTime*,lazy_ntfs,Holds install time in Unix Seconds timestamp
      1075,Mozilla Thunderbird Profiles.ini,Apps,Users\*\AppData\Roaming\Thunderbird\profiles.ini,lazy_ntfs,Profiles list - can hold references to other profiles held elsewhere on the device
      1076,Mozilla Thunderbird prefs.js,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\prefs.js,lazy_ntfs,User Preferences for that profile
      1077,Mozilla Thunderbird Global Messages Database,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\global-messages-db.sqlite,lazy_ntfs,"Holds list of contacts, emails, and other potentially useful artifacts"
      1078,Mozilla Thunderbird logins.json,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\logins.json,lazy_ntfs,"Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more"
      1079,Mozilla Thunderbird places.sqlite,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\places.sqlite,lazy_ntfs,"Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too"
      1080,Mozilla Thunderbird ImapMail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
      1081,Mozilla Thunderbird Mail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
      1082,Mozilla Thunderbird Calendar Data,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\local.sqlite,lazy_ntfs,Holds local calendar data
      1083,Mozilla Thunderbird Attachments,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*,lazy_ntfs,Holds attachments
      1084,Mozilla Thunderbird Address Book,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\abook.sqlite,lazy_ntfs,Holds local address book
      1085,Torrents,FileDownload,**10\*.torrent,lazy_ntfs,
      1086,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs\**10,lazy_ntfs,
      1087,TotalAV Logs,Antivirus,ProgramData\TotalAV\logs\**10,lazy_ntfs,
      1088,Total Commander - .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wincmd.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
      1089,Total Commander - Log File,Apps,**10\totalcmd.log,lazy_ntfs,Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified.
      1090,Total Commander - Temp Files Created During Folder Traversal,Apps,Users\*\AppData\Local\Temp\FTP*.tmp,lazy_ntfs,Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed.
      1091,Total Commander - FTP .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wcx_ftp.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful FTP information.
      1092,Total Commander - File Tree,Apps,Users\*\AppData\Local\GHISLER\treeinfo*.wc,lazy_ntfs,Locates a file that contains an exhaustive file tree of a user's file system.
      1093,Total Commander - Frequent Directory Listing,Apps,Users\*\AppData\Local\GHISLER\tcDirFrq.txt,lazy_ntfs,Locates a file that contains a frequently accessed folder listing.
      1094,Total Commander - FTP Logs,Apps,Users\*\AppData\Local\Temp\tcftp.log,lazy_ntfs,Locates a file that contains the Total Commander FTP logs.
      1095,TreeSize - ScanHistory.XML,Apps,Users\*\AppData\Roaming\JAM Software\TreeSize\scanhistory.xml,lazy_ntfs,Locates XML file that provides a list of previously scanned directories by the user.
      1096,Trend Micro Logs,Antivirus,ProgramData\Trend Micro\**10,lazy_ntfs,
      1097,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report\*.log,lazy_ntfs,
      1098,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog\*.log,lazy_ntfs,
      1099,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects all logs for UEMS
      1100,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Users\*\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects User logs for UEMS
      1101,Setupapi.log XP,USBDevices,Windows\setupapi.log,lazy_ntfs,
      1102,Setupapi.log Win7+,USBDevices,Windows\inf\setupapi.*.log,lazy_ntfs,
      1103,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf\setupapi.*.log,lazy_ntfs,
      1104,Ubuntu WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\os-release,lazy_ntfs,
      1105,Ubuntu WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\fstab,lazy_ntfs,
      1106,Ubuntu WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\passwd,lazy_ntfs,
      1107,Ubuntu WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\group,lazy_ntfs,
      1108,Ubuntu WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\shadow,lazy_ntfs,
      1109,Ubuntu WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\timezone,lazy_ntfs,
      1110,Ubuntu WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hostname,lazy_ntfs,
      1111,Ubuntu WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hosts,lazy_ntfs,
      1112,Ubuntu WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\crontab,lazy_ntfs,
      1113,Ubuntu WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
      1114,Ubuntu WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\profile,lazy_ntfs,
      1115,Ubuntu WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
      1116,Ubuntu WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
      1117,Ubuntu WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.profile,lazy_ntfs,
      1118,Ubuntu WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
      1119,Ubuntu WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
      1120,Ubuntu WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\ext4.vhdx,lazy_ntfs,
      1121,UltraViewer User Logs,Remote Access,Users\*\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
      1122,UltraViewer System Logs,Remote Access,Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
      1123,UltraViewer Service Log,Remote Access,Program Files*\UltraViewer\UltraViewerService_log.txt,lazy_ntfs,UltraViewer Service log file
      1124,UltraViewer Connection Log,Remote Access,Program Files*\UltraViewer\ConnectionLog.Log,lazy_ntfs,UltraViewer Service level connection log
      1125,Usenet (NZB) Files,FileDownload,**10\*.nzb,lazy_ntfs,
      1126,Users,Application,Users\*\**10,lazy_ntfs,
      1127,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs\**10,lazy_ntfs,
      1128,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business\**10,lazy_ntfs,
      1129,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\**10,lazy_ntfs,
      1130,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\**10,lazy_ntfs,
      1131,VLC Recently Opened Files,Apps,Users\*\AppData\Roaming\vlc\vlc-qt-interface.ini,lazy_ntfs,Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening
      1132,VLC Recorded Files,Apps,Users\*\Videos\vlc-*.avi,lazy_ntfs,"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC"
      1133,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk.
      1134,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
      1135,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
      1136,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
      1137,RealVNC Log,ApplicationLogs,Users\*\AppData\Local\RealVNC\vncserver.log,lazy_ntfs,https://www.realvnc.com/en/connect/docs/logging.html#logging
      1138,RealVNC Log,ApplicationLogs,ProgramData\RealVNC-Service\vncserver.log,lazy_ntfs,https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging-
      1139,TightVNC Application Logs,ApplicationLogs,ProgramData\TightVNC\Server\Logs,lazy_ntfs,https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf
      1140,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC\config.db,lazy_ntfs,Configuration file for Viber
      1141,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*\viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more"
      1142,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users
      1143,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds
      1144,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images
      1145,VirtualBox VM configs,Apps,**10\*.vbox,lazy_ntfs,Locates all .vbox VM configuration files on disk
      1146,VirtualBox VM backup configs,Apps,**10\*.vbox-prev,lazy_ntfs,Locates all backup .vbox VM configuration files on disk
      1147,VirtualBox Logs,Apps,**10\VBox.log,lazy_ntfs,Locates all VBox.log files on disk
      1148,VirtualBox Backup Logs,Apps,**10\VBox.log.*,lazy_ntfs,Locates all backup VBox.log files on disk - these can show historic VM usage
      1149,VirtualBox Hardening Logs,Apps,**10\VBoxHardening.log,lazy_ntfs,Locates all VBoxHardening.log files on disk
      1150,VirtualBox,Memory,**10\*.sav,lazy_ntfs,Captures all partial memory images from VirtualBox.
      1151,VHD,Disk Images,**10\*.VHD,lazy_ntfs,
      1152,VHDX,Disk Images,**10\*.VHDX,lazy_ntfs,
      1153,VDI,Disk Images,**10\*.VDI,lazy_ntfs,
      1154,VMDK,Disk Images,**10\*.VMDK,lazy_ntfs,
      1155,VSCode Opened Files,Apps,Users\*\AppData\Roaming\Code\User\History\*\**10,lazy_ntfs,Grabs the files in the VSCode history. These are files the user has opened with VSCode
      1156,VSCode Workspaces,Apps,Users\*\AppData\Roaming\Code\User\globalStorage\storage.json*,lazy_ntfs,Grabs the file containing information about the users workspaces
      1157,VSCode User extensions,Apps,Users\*\AppData\Roaming\Code\CachedExtensions\user*,lazy_ntfs,Grabs the files relating to the users installed extensions
      1158,VSCode User settings,Apps,Users\*\AppData\Roaming\Code\User\settings.json*,lazy_ntfs,Grabs the file containing the settings the user has set.
      1159,VSCode User Preferences,Apps,Users\*\AppData\Roaming\Code\preferences*,lazy_ntfs,Grabs the file containing the preferences the user has set.
      1160,VSCode Network Cookies,Apps,Users\*\AppData\Roaming\Code\Network\Cookies*,lazy_ntfs,Grabs the cookie files. Same format as Chromium Cookies
      1161,VSCode Network Persistent State,Apps,Users\*\AppData\Roaming\Code\Network\Network Persistent State*,lazy_ntfs,Grabs the Network Persistent State file. Same format as in  Chromium
      1162,VSCode Logs,Apps,Users\*\AppData\Roaming\Code\logs\**10,lazy_ntfs,"Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital."
      1163,Vivaldi Cookies,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Cookies*,lazy_ntfs,
      1164,Vivaldi Network Persistent State,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1165,Vivaldi Favicons,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Favicons*,lazy_ntfs,
      1166,Vivaldi History,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\History*,lazy_ntfs,
      1167,Vivaldi Sessions Folder,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Sessions\*,lazy_ntfs,
      1168,Vivaldi Login Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Login Data,lazy_ntfs,
      1169,Vivaldi Network Action Predictor,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Network Action Predictor,lazy_ntfs,
      1170,Vivaldi Preferences,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Preferences,lazy_ntfs,
      1171,Vivaldi Top Sites,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Top Sites*,lazy_ntfs,
      1172,Vivaldi Bookmarks,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Bookmarks*,lazy_ntfs,
      1173,Vivaldi Visited Links,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Visited Links,lazy_ntfs,
      1174,Vivaldi Web Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Web Data*,lazy_ntfs,
      1175,Vivaldi User Tracking,Communications,Users\*\.vivaldi_reporting_data*,lazy_ntfs,
      1176,Vivaldi Calendar,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Calendar*,lazy_ntfs,
      1177,Vivaldi Contacts,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Contacts*,lazy_ntfs,
      1178,Vivaldi Notes,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Notes*,lazy_ntfs,
      1179,Vivaldi Download Metadata,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\DownloadMetadata*,lazy_ntfs,
      1180,WBEM,WBEM,Windows\System32\wbem\Repository\**10,lazy_ntfs,
      1181,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository\**10,lazy_ntfs,
      1182,WER Files,Executables,ProgramData\Microsoft\Windows\WER\**10,lazy_ntfs,
      1183,WER Files,Executables,Users\*\AppData\Local\Microsoft\Windows\WER\**10,lazy_ntfs,
      1184,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps\*.dmp,lazy_ntfs,
      1185,Crash Dumps,SQL Exploitation,Windows\*.dmp,lazy_ntfs,
      1186,Crash Dumps,SQL Exploitation,Windows.old\Windows\*.dmp,lazy_ntfs,
      1187,Webroot Program Data,Antivirus,ProgramData\WRData\WRLog.log,lazy_ntfs,
      1188,WhatsApp Cache,Apps,Users\*\AppData\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
      1189,WhatsApp Local Storage,Apps,Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
      1190,Microsoft Store WhatsApp Cache,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
      1191,Microsoft Store WhatsApp Local Storage,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
      1192,Microsoft Store WhatsApp Desktop Profile Pictures,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures,lazy_ntfs,"Copies the local store of contacts profile pictures, simply open with a photos software"
      1193,Microsoft Store WhatsApp Shared Media,Apps,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers\**10\*.{jpg,mp4,pdf,webp}",lazy_ntfs,"Copies the shared media, can get very large."
      1194,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs,
      1195,WinSCP (.ini file),Logs,**10\WinSCP.ini,lazy_ntfs,
      1196,Recall folder,FileKnowledge,Users\*\AppData\Local\CoreAIPlatform.00\UKP\**10,lazy_ntfs,
      1197,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support\**10,lazy_ntfs,
      1198,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
      1199,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
      1200,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support\**10,lazy_ntfs,
      1201,Windows Defender Logs,Antivirus,Windows\Temp\MpCmdRun.log,lazy_ntfs,
      1202,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp\MpCmdRun.log,lazy_ntfs,
      1203,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs,
      1204,Windows Defender Quarantine,Antivirus,ProgramData\Microsoft\Windows Defender\Quarantine\**10,lazy_ntfs,
      1205,Windows Defender Detections.log,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log,lazy_ntfs,
      1206,Windows Firewall Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs,
      1207,Windows Firewall Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs,
      1208,Cryptokeys,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\**10,lazy_ntfs,
      1209,Masterkey,Windows Hello,Windows\System32\Microsoft\Protect\S-1-5-18\User\**10,lazy_ntfs,
      1210,NGC,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\**10,lazy_ntfs,
      1211,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
      1212,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
      1213,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      1214,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
      1215,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
      1216,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
      1217,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs,
      1218,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs,
      1219,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
      1220,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
      1221,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs,
      1222,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs,
      1223,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
      1224,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
      1225,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
      1226,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
      1227,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
      1228,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
      1229,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
      1230,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
      1231,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows\*,lazy_ntfs,
      1232,GatherLogs,FileKnowledge,programdata\microsoft\search\data\applications\windows\GatherLogs\**10,lazy_ntfs,
      1233,Network setting files,Misc,windows\system32\drivers\etc\**10,lazy_ntfs,
      1234,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
      1235,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
      1236,MigLog.xml,OS Upgrade,Windows\Panther\MigLog.xml,lazy_ntfs,
      1237,Setupact.log,OS Upgrade,Windows\Panther\Setupact.log,lazy_ntfs,
      1238,HumanReadable.xml,OS Upgrade,Windows\Panther\*HumanReadable.xml,lazy_ntfs,
      1239,FolderMoveLog.txt,OS Upgrade,Windows\Panther\Rollback\FolderMoveLog.txt,lazy_ntfs,
      1240,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs,
      1241,Windows Power Diagnostics,Diagnostics,ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\**10,lazy_ntfs,
      1242,DNS Netlogon files,DNS,Windows\System32\config\**10\netlogon.*,lazy_ntfs,
      1243,DNS files,DNS,Windows\System32\dns\**10,lazy_ntfs,
      1244,DHCP files,DHCP,Windows\System32\dhcp\**10,lazy_ntfs,
      1245,Diagnostic Logs for WSA,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\diagnostics\logcat\*.log,lazy_ntfs,Filenames should be %timestamp%.log
      1246,App download artifacts (PNG),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.png,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded
      1247,App download artifacts (ICO),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.ico,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded WHEN since .ico files appear immediately when download of an application completes
      1248,Appcompatdb.json,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\appcompatdb.json,lazy_ntfs,"Grabs the appcompatdb.json, unknown exactly what this is but further relevance could be uncovered after more research is conducted"
      1249,userdata.vhdx,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\userdata.vhdx,lazy_ntfs,Grabs the user's data which appears to be stored in a VHDX
      1250,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs,
      1251,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs,
      1252,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\**10\ActivitiesCache.db*,lazy_ntfs,
      1253,Windows Update Session Orchestrator logs,EventLogs,ProgramData\USOShared\Logs\System\**10\*.etl,lazy_ntfs,
      1254,Windows Update logs,EventLogs,Windows\Logs\WindowsUpdate\**10\WindowsUpdate*.etl,lazy_ntfs,
      1255,Windows Component-Based Servicing logs,EventLogs,Windows\Logs\CBS\**10\CBS*.log,lazy_ntfs,
      1256,Windows Your Phone - All Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\**10,lazy_ntfs,Locates all Your Phone database files
      1257,System Volume Information,Folder capture,System Volume Information\**10,lazy_ntfs,
      1258,XYplorer - .ini file,Apps,Users\*\AppData\Roaming\XYplorer\XYplorer.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
      1259,XYplorer - .ini file for each respective pane,Apps,Users\*\AppData\Roaming\XYplorer\Panes\*\**10\pane.ini,lazy_ntfs,Locates the .ini file for the left and right pane.
      1260,XYplorer - AutoBackup folder,Apps,Users\*\AppData\Roaming\XYplorer\AutoBackup\**10,lazy_ntfs,Locates the AutoBackup folder and copies its contents.
      1261,XYplorer - .dat files,Apps,Users\*\AppData\Roaming\XYplorer\**10\*.dat,lazy_ntfs,"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit."
      1262,Xeox RMM Client Application logs,ApplicationLogs,Program Files\Xeox\*.log,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
      1263,Yandex Cookies,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Cookies*,lazy_ntfs,
      1264,Yandex Network Persistent State,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1265,Yandex Favicons,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Favicons*,lazy_ntfs,
      1266,Yandex History,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\History*,lazy_ntfs,
      1267,Yandex Sessions Folder,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\*,lazy_ntfs,
      1268,Yandex Login Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Passman Data*,lazy_ntfs,
      1269,Yandex Network Action Predictor,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Network Action Predictor,lazy_ntfs,
      1270,Yandex Preferences,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Preferences,lazy_ntfs,
      1271,Yandex Top Sites,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Top Sites*,lazy_ntfs,
      1272,Yandex Bookmarks,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Bookmarks*,lazy_ntfs,
      1273,Yandex Visited Links,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Visited Links,lazy_ntfs,
      1274,Yandex Web Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Web Data*,lazy_ntfs,
      1275,Yandex Autofill data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Autofill Data*,lazy_ntfs,
      1276,Yandex Passman logs,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Passman Logs*,lazy_ntfs,
      1277,Yandex Shortcuts,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Shortcuts*,lazy_ntfs,
      1278,Zoho Assist log files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in AppData
      ocal
      1279,Zoho Assist .conf files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Settings)
      1280,Zoho Assist log files in ProgramData,Apps,ProgramData\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in ProgramData
      1281,Zoho Assist .conf files,Apps,ProgramData\ZohoMeeting\**10\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Proxy/Settings)
      1282,Zoho Assist log files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs\**10,lazy_ntfs,Zoho Assist log files in Program Files*
      1283,Zoho Assist .conf files in  Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Service/Settings)
      1284,Zoho Assist .txt files in  Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.txt,lazy_ntfs,Grabs all .txt files present in this folder (Service/Settings)
      1285,Zoom client logs,Apps,Users\*\AppData\Roaming\Zoom\logs\**10\*,lazy_ntfs,Zoom client artifacts
      1286,Zoom client logs (Windows XP),Apps,Documents and Settings\*\Application Data\Zoom\**10\*,lazy_ntfs,Zoom client artifacts (Windows XP)
      1287,Zoom client recordings,Apps,Users\*\Documents\Zoom\**10\*,lazy_ntfs,Zoom recording artifacts
      1288,Zoom plugin (Outlook),Apps,Users\*\AppData\Roaming\Zoom Plugin\*.json,lazy_ntfs,Zoom plugin artifacts
      1289,eMule Logs and Configuration Files,FileDownload,Users\*\AppData\Local\eMule\**10,lazy_ntfs,Locates eMule logs and configuration files and copies them.
      1290,eMule part.met files,FileDownload,**10\*.part.met,lazy_ntfs,Locates eMule *.part.met files and copies them.
      1291,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple\Mobilesync\Backup\**10,lazy_ntfs,
      1292,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup\**10,lazy_ntfs,
      1293,iTunes Backup Folder - iOS13,Communications,Users\*\Apple\Mobilesync\Backup\**10,lazy_ntfs,
      1294,mIRC Chat Logs (Vista+),Communications,Users\*\AppData\Roaming\mIRC\logs\**10,lazy_ntfs,
      1295,mIRC Chat Logs (2000/XP),Communications,Documents and Settings\*\Application Data\mIRC\logs\**10,lazy_ntfs,
      1296,mRemoteNG Logs,Communications,Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log,lazy_ntfs,Contains log entries for remote connections
      1297,mRemoteNG Connection Configuration and Backups,Communications,Users\*\AppData\Roaming\mRemoteNG\confCons.xml*,lazy_ntfs,"Contains connection config, often with obfuscated credentials"
      1298,mRemoteNG Program Settings,Communications,Users\*\AppData\*\mRemoteNG\**10\user.config,lazy_ntfs,Contains user-specific program settings
      1299,openSUSE WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\os-release,lazy_ntfs,
      1300,openSUSE WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\fstab,lazy_ntfs,
      1301,openSUSE WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\passwd,lazy_ntfs,
      1302,openSUSE WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\group,lazy_ntfs,
      1303,openSUSE WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\shadow,lazy_ntfs,
      1304,openSUSE WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\timezone,lazy_ntfs,
      1305,openSUSE WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hostname,lazy_ntfs,
      1306,openSUSE WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hosts,lazy_ntfs,
      1307,openSUSE WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
      1308,openSUSE WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\profile,lazy_ntfs,
      1309,openSUSE WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
      1310,openSUSE WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
      1311,openSUSE WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.profile,lazy_ntfs,
      1312,openSUSE WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\ext4.vhdx,lazy_ntfs,
      1313,pCloud Database,Apps,Users\*\AppData\Local\pCloud\*.db,lazy_ntfs,Database contains all files sync'd with pCloud account.
      1314,pCloud Database WAL File,Apps,Users\*\AppData\Local\pCloud\*.db-wal,lazy_ntfs,Write-Ahead Log for pCloud database file.
      1315,pCloud Database Shared Memory File,Apps,Users\*\AppData\Local\pCloud\*.db-shm,lazy_ntfs,Shared Memory for the pCloud database file.
      1316,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent\*.ini,lazy_ntfs,
      1317,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\*,lazy_ntfs,
      1318,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\GeoDB\*,lazy_ntfs,Locate .mmdb file for network peer connection analysis.
      1319,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\BT_backup\*,lazy_ntfs,Locate active (in-progress) torrent files.
      1320,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent\*.dat,lazy_ntfs,
      1322,PowerShell Scheduled_Jobs,Persistence,Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
      1323,PowerShell Scheduled_Jobs Output,Persistence,Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
      1324,PowerShell Scheduled_Jobs Systemprofile,Persistence,Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
      1325,PowerShell Scheduled_Jobs Output Systemprofile,Persistence,Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
      1326,PowerShell Scheduled_Jobs WOW64 Systemprofile,Persistence,Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
      1327,PowerShell Scheduled_Jobs Output WOW64 Systemprofile,Persistence,Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
      1328,360 Secure Browser Bookmarks,Communications,Users\*\AppData\Roaming\360se6\User Data\*\360Bookmarks*,lazy_ntfs,
      1329,360 Secure Browser Cookies,Communications,Users\*\AppData\Roaming\360se6\User Data\*\**10\Cookies*,lazy_ntfs,
      1330,360 Secure Browser Current Session,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Current Session,lazy_ntfs,
      1331,360 Secure Browser Current Tabs,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Current Tabs,lazy_ntfs,
      1332,360 Secure Browser Download Metadata,Communications,Users\*\AppData\Roaming\360se6\User Data\*\DownloadMetadata,lazy_ntfs,
      1333,360 Secure Browser Extension Cookies,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Extension Cookies,lazy_ntfs,
      1334,360 Secure Browser Favicons,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Favicons*,lazy_ntfs,
      1335,360 Secure Browser History,Communications,Users\*\AppData\Roaming\360se6\User Data\*\360History*,lazy_ntfs,
      1336,360 Secure Browser Last Session,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Last Session,lazy_ntfs,
      1337,360 Secure Browser Last Tabs,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Last Tabs,lazy_ntfs,
      1338,360 Secure Browser Sessions Folder,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Sessions\*,lazy_ntfs,
      1339,360 Secure Browser Login Data,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Login Data*,lazy_ntfs,
      1340,360 Secure Browser Media History,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Media History*,lazy_ntfs,
      1341,360 Secure Browser Network Action Predictor,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Network Action Predictor,lazy_ntfs,
      1342,360 Secure Browser Network Persistent State,Communications,Users\*\AppData\Roaming\360se6\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1343,360 Secure Browser Preferences,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Preferences,lazy_ntfs,
      1344,360 Secure Browser Quota Manager,Communications,Users\*\AppData\Roaming\360se6\User Data\*\QuotaManager,lazy_ntfs,
      1345,360 Secure Browser Reporting and NEL,Communications,Users\*\AppData\Roaming\360se6\User Data\*\**10\Reporting and NEL,lazy_ntfs,
      1346,360 Secure Browser Shortcuts,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Shortcuts*,lazy_ntfs,
      1347,360 Secure Browser Top Sites,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Top Sites*,lazy_ntfs,
      1348,360 Secure Browser Trust Tokens,Communications,Users\*\AppData\Roaming\360se6\User Data\*\**10\Trust Tokens*,lazy_ntfs,
      1349,360 Secure Browser SyncData Database,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Sync Data\**10,lazy_ntfs,
      1350,360 Secure Browser Visited Links,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Visited Links,lazy_ntfs,
      1351,360 Secure Browser Web Data,Communications,Users\*\AppData\Roaming\360se6\User Data\*\Web Data*,lazy_ntfs,
      1352,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1353,360 Secure Browser Snapshots Folder,Communications,Users\*\AppData\Roaming\360se6\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of 360 Secure Browser SQLite DBs organized by version #.
      1354,Advanced IP Scanner Aliases,Apps,**10\advanced_ip_scanner_Aliases.bin,lazy_ntfs,
      1355,Advanced IP Scanner Comments,Apps,**10\advanced_ip_scanner_Comments.bin,lazy_ntfs,
      1356,Advanced IP Scanner MAC,Apps,**10\advanced_ip_scanner_MAC.bin,lazy_ntfs,
      1357,Advanced Port Scanner Aliases,Apps,**10\advanced_port_scanner_Aliases.bin,lazy_ntfs,
      1358,Advanced Port Scanner Comments,Apps,**10\advanced_port_scanner_Comments.bin,lazy_ntfs,
      1359,Advanced Port Scanner MAC,Apps,**10\advanced_port_scanner_MAC.bin,lazy_ntfs,
      1360,AnyDesk File Transfer Logs - Running in portable mode,Communications,Users\*\AppData\Roaming\AnyDesk\file_transfer_trace.txt,lazy_ntfs,Collects file transfer logs that occur when running in portable mode
      1361,AnyDesk File Transfer Logs - Installed as a Service,Communications,ProgramData\AnyDesk\file_transfer_trace.txt,lazy_ntfs,Collects file transfer logs that occur when running as an installed service
      1362,Arc Cookies,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network\Cookies*,lazy_ntfs,
      1363,Arc Favicons,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Favicons*,lazy_ntfs,
      1364,Arc History,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\History*,lazy_ntfs,
      1365,Arc Sessions Folder,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sessions\*,lazy_ntfs,
      1366,Arc Login Data,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Login Data*,lazy_ntfs,
      1367,Arc Network Action Predictor,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network Action Predictor,lazy_ntfs,
      1368,Arc Preferences,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Preferences,lazy_ntfs,
      1369,Arc Shortcuts,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Shortcuts*,lazy_ntfs,
      1370,Arc Top Sites,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Top Sites*,lazy_ntfs,
      1371,Arc SyncData Database,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sync Data\**10,lazy_ntfs,
      1372,Arc Bookmarks,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Bookmarks*,lazy_ntfs,
      1373,Arc Visited Links,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Visited Links,lazy_ntfs,
      1374,Arc Web Data,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Web Data*,lazy_ntfs,
      1375,Arc JSON Files,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\Storable*.json,lazy_ntfs,
      1376,Arc PLIST Files,Communications,Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\com*.plist,lazy_ntfs,
      1377,CocCoc Bookmarks,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Bookmarks*,lazy_ntfs,
      1378,CocCoc Cookies,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\**10\Cookies*,lazy_ntfs,
      1379,CocCoc Current Session,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Current Session,lazy_ntfs,
      1380,CocCoc Current Tabs,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Current Tabs,lazy_ntfs,
      1381,CocCoc Download Metadata,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\DownloadMetadata,lazy_ntfs,
      1382,CocCoc Extension Cookies,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Extension Cookies,lazy_ntfs,
      1383,CocCoc Favicons,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Favicons*,lazy_ntfs,
      1384,CocCoc History,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\History*,lazy_ntfs,
      1385,CocCoc Last Session,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Last Session,lazy_ntfs,
      1386,CocCoc Last Tabs,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Last Tabs,lazy_ntfs,
      1387,CocCoc Sessions Folder,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Sessions\*,lazy_ntfs,
      1388,CocCoc Login Data,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Login Data*,lazy_ntfs,
      1389,CocCoc Media History,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Media History*,lazy_ntfs,
      1390,CocCoc Network Action Predictor,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Network Action Predictor,lazy_ntfs,
      1391,CocCoc Network Persistent State,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Network Persistent State,lazy_ntfs,
      1392,CocCoc Preferences,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Preferences,lazy_ntfs,
      1393,CocCoc Quota Manager,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\QuotaManager,lazy_ntfs,
      1394,CocCoc Reporting and NEL,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Reporting and NEL,lazy_ntfs,
      1395,CocCoc Shortcuts,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Shortcuts*,lazy_ntfs,
      1396,CocCoc Top Sites,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Top Sites*,lazy_ntfs,
      1397,CocCoc Trust Tokens,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Trust Tokens*,lazy_ntfs,
      1398,CocCoc SyncData Database,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Sync Data\**10,lazy_ntfs,
      1399,CocCoc Visited Links,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Visited Links,lazy_ntfs,
      1400,CocCoc Web Data,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\*\Web Data*,lazy_ntfs,
      1401,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1402,CocCoc Snapshots Folder,Communications,Users\*\AppData\Local\CocCoc\Browser\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of CocCoc SQLite DBs organized by version #.
      1403,FastStone Image Viewer (FSIV),FileKnowledge,Users\*\AppData\Local\FastStone\FSIV\FSIV.db,lazy_ntfs,"Image browser, converter, and editor that supports all major graphic formats."
      1404,Azure Copy - User Profile - *.log,Apps,Users\*\.azcopy\*.log,lazy_ntfs,Collects session and transfer logs for Microsoft Azure Copy from a user profile
      1405,Azure Copy - Plans - *.ste*,Apps,Users\*\.azcopy\plans\*.ste*,lazy_ntfs,Collects the plans for Microsoft Azure Copy from a user profile
      1406,Msty Artificial Intelligence,FileKnowledge,Users\*\AppData\Roaming\Msty\*.db,lazy_ntfs,"Msty database includes API keys, chat messages, chat sessions, knowledge stack, etc."
      1407,QQ Browser Bookmarks,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Bookmarks*,lazy_ntfs,
      1408,QQ Browser Cookies,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**10\Cookies*,lazy_ntfs,
      1409,QQ Browser Current Session,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Current Session,lazy_ntfs,
      1410,QQ Browser Current Tabs,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Current Tabs,lazy_ntfs,
      1411,QQ Browser Download Metadata,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\DownloadMetadata,lazy_ntfs,
      1412,QQ Browser Extension Cookies,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Extension Cookies,lazy_ntfs,
      1413,QQ Browser Favicons,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Favicons*,lazy_ntfs,
      1414,QQ Browser History,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\History*,lazy_ntfs,
      1415,QQ Browser Last Session,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Last Session,lazy_ntfs,
      1416,QQ Browser Last Tabs,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Last Tabs,lazy_ntfs,
      1417,QQ Browser Sessions Folder,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Sessions\*,lazy_ntfs,
      1418,QQ Browser Login Data,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Login Data*,lazy_ntfs,
      1419,QQ Browser Media History,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Media History*,lazy_ntfs,
      1420,QQ Browser Network Action Predictor,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Network Action Predictor,lazy_ntfs,
      1421,QQ Browser Network Persistent State,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1422,QQ Browser Preferences,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Preferences,lazy_ntfs,
      1423,QQ Browser Quota Manager,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\QuotaManager,lazy_ntfs,
      1424,QQ Browser Reporting and NEL,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**10\Reporting and NEL,lazy_ntfs,
      1425,QQ Browser Shortcuts,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Shortcuts*,lazy_ntfs,
      1426,QQ Browser Top Sites,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Top Sites*,lazy_ntfs,
      1427,QQ Browser Trust Tokens,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**10\Trust Tokens*,lazy_ntfs,
      1428,QQ Browser SyncData Database,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Sync Data\**10,lazy_ntfs,
      1429,QQ Browser Visited Links,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Visited Links,lazy_ntfs,
      1430,QQ Browser Web Data,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Web Data*,lazy_ntfs,
      1431,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1432,QQ Browser Snapshots Folder,Communications,Users\*\AppData\Local\Tencent\QQBrowser\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of QQ Browser SQLite DBs organized by version #.
      1433,Microsoft Quick Assist,RemoteAdmin,Users\*\AppData\Local\Temp\QuickAssist\**10,lazy_ntfs,
      1434,Microsoft Remote Help,RemoteAdmin,Users\*\AppData\Local\Temp\RemoteHelp\**10,lazy_ntfs,
      1435,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*\NTUSER.DAT*,lazy_ntfs,
      1436,NTUSER.DAT registry hive,Registry,Users\*\NTUSER.DAT*,lazy_ntfs,
      1437,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat*,lazy_ntfs,
      1438,Remco RAT Default path,ApplicationLogs,Users\*\AppData\Roaming\remcos\logs*.dat*,lazy_ntfs,Remco RAT logs.dat default file - contains debug data and logs relative to the keylogging module
      1439,Remco RAT custom path - AppData screenshots folder,ApplicationLogs,Users\*\AppData\Roaming\screenshots\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1440,Remco RAT custom path - AppData notess folder,ApplicationLogs,Users\*\AppData\Roaming\notess\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1441,Remco RAT custom path - AppData micrecords folder,ApplicationLogs,Users\*\AppData\Roaming\micrecords\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1442,Remco RAT custom path - AppData hpsupport,ApplicationLogs,Users\*\AppData\Roaming\hpsupport\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1443,Remco RAT custom path,ApplicationLogs,ProgramData\remcos\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1444,Remco RAT custom path - AppData notess,ApplicationLogs,ProgramData\notess\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1445,Remco RAT custom path - AppData screenshots,ApplicationLogs,ProgramData\screenshots\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1446,Remco RAT custom path  - AppData micrecords,ApplicationLogs,ProgramData\micrecords\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1447,Remco RAT custom path  - AppData hpsupport,ApplicationLogs,ProgramData\hpsupport\logs*.dat*,lazy_ntfs,Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module
      1448,SimpleHelp - ProgramData - JWrapper Logs,Apps,ProgramData\JWrapper-Remote Access\logs\*,lazy_ntfs,Collects application and connectivity logs
      1449,SimpleHelp - ProgramData - SimpleHelp Logs,Apps,ProgramData\SimpleHelp\logs\*,lazy_ntfs,Collects application and connectivity logs
      1450,SimpleHelp - User AppData - Technician Console Logs,Apps,Users\*\AppData\Roaming\JWrapper-SimpleHelp Technician\logs\*,lazy_ntfs,Collects technician console logs
      1451,Netscan XML default output,Apps,**10\netscan.xml,lazy_ntfs,
      1452,User startup folders,Persistence,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,lazy_ntfs,
      1453,System-wide startup folder,Persistence,ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,lazy_ntfs,
      1454,Supermium Bookmarks XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Bookmarks*,lazy_ntfs,
      1455,Supermium Cookies XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\**10\Cookies*,lazy_ntfs,
      1456,Supermium Current Session XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Current Session,lazy_ntfs,
      1457,Supermium Current Tabs XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Current Tabs,lazy_ntfs,
      1458,Supermium Favicons XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Favicons*,lazy_ntfs,
      1459,Supermium History XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\History*,lazy_ntfs,
      1460,Supermium Last Session XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Last Session,lazy_ntfs,
      1461,Supermium Last Tabs XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Last Tabs,lazy_ntfs,
      1462,Supermium Sessions Folder XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Sessions\*,lazy_ntfs,
      1463,Supermium Network Action Predictor XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Network Action Predictor,lazy_ntfs,
      1464,Supermium Network Persistent State XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1465,Supermium Login Data XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Login Data*,lazy_ntfs,
      1466,Supermium Preferences XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Preferences,lazy_ntfs,
      1467,Supermium Reporting and NEL XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\**10\Reporting and NEL,lazy_ntfs,
      1468,Supermium Trust Tokens XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\**10\Trust Tokens*,lazy_ntfs,
      1469,Supermium SyncData Database XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Sync Data\**10,lazy_ntfs,
      1470,Supermium Shortcuts XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Shortcuts*,lazy_ntfs,
      1471,Supermium Top Sites XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Top Sites*,lazy_ntfs,
      1472,Supermium Visited Links XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Visited Links,lazy_ntfs,
      1473,Supermium Web Data XP,Communications,Documents and Settings\*\Application Data\Supermium\User Data\*\Web Data*,lazy_ntfs,
      1474,Supermium Bookmarks,Communications,Users\*\AppData\Local\Supermium\User Data\*\Bookmarks*,lazy_ntfs,
      1475,Supermium Cookies,Communications,Users\*\AppData\Local\Supermium\User Data\*\**10\Cookies*,lazy_ntfs,
      1476,Supermium Current Session,Communications,Users\*\AppData\Local\Supermium\User Data\*\Current Session,lazy_ntfs,
      1477,Supermium Current Tabs,Communications,Users\*\AppData\Local\Supermium\User Data\*\Current Tabs,lazy_ntfs,
      1478,Supermium Download Metadata,Communications,Users\*\AppData\Local\Supermium\User Data\*\DownloadMetadata,lazy_ntfs,
      1479,Supermium Extension Cookies,Communications,Users\*\AppData\Local\Supermium\User Data\*\Extension Cookies,lazy_ntfs,
      1480,Supermium Favicons,Communications,Users\*\AppData\Local\Supermium\User Data\*\Favicons*,lazy_ntfs,
      1481,Supermium History,Communications,Users\*\AppData\Local\Supermium\User Data\*\History*,lazy_ntfs,
      1482,Supermium Last Session,Communications,Users\*\AppData\Local\Supermium\User Data\*\Last Session,lazy_ntfs,
      1483,Supermium Last Tabs,Communications,Users\*\AppData\Local\Supermium\User Data\*\Last Tabs,lazy_ntfs,
      1484,Supermium Sessions Folder,Communications,Users\*\AppData\Local\Supermium\User Data\*\Sessions\*,lazy_ntfs,
      1485,Supermium Login Data,Communications,Users\*\AppData\Local\Supermium\User Data\*\Login Data*,lazy_ntfs,
      1486,Supermium Media History,Communications,Users\*\AppData\Local\Supermium\User Data\*\Media History*,lazy_ntfs,
      1487,Supermium Network Action Predictor,Communications,Users\*\AppData\Local\Supermium\User Data\*\Network Action Predictor,lazy_ntfs,
      1488,Supermium Network Persistent State,Communications,Users\*\AppData\Local\Supermium\User Data\*\**10\Network Persistent State,lazy_ntfs,
      1489,Supermium Preferences,Communications,Users\*\AppData\Local\Supermium\User Data\*\Preferences,lazy_ntfs,
      1490,Supermium Quota Manager,Communications,Users\*\AppData\Local\Supermium\User Data\*\QuotaManager,lazy_ntfs,
      1491,Supermium Reporting and NEL,Communications,Users\*\AppData\Local\Supermium\User Data\*\**10\Reporting and NEL,lazy_ntfs,
      1492,Supermium Shortcuts,Communications,Users\*\AppData\Local\Supermium\User Data\*\Shortcuts*,lazy_ntfs,
      1493,Supermium Top Sites,Communications,Users\*\AppData\Local\Supermium\User Data\*\Top Sites*,lazy_ntfs,
      1494,Supermium Trust Tokens,Communications,Users\*\AppData\Local\Supermium\User Data\*\**10\Trust Tokens*,lazy_ntfs,
      1495,Supermium SyncData Database,Communications,Users\*\AppData\Local\Supermium\User Data\*\Sync Data\**10,lazy_ntfs,
      1496,Supermium Visited Links,Communications,Users\*\AppData\Local\Supermium\User Data\*\Visited Links,lazy_ntfs,
      1497,Supermium Web Data,Communications,Users\*\AppData\Local\Supermium\User Data\*\Web Data*,lazy_ntfs,
      1498,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1499,Supermium Snapshots Folder,Communications,Users\*\AppData\Local\Supermium\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of Supermium SQLite DBs organized by version #.
      1500,SYSTEM Supermium History,Communications,Windows\system32\config\systemprofile\AppData\Local\Supermium\User Data\*\History*,lazy_ntfs,
      1501,Syncthing Configuration and Certificates,Apps,Users\*\AppData\Local\Syncthing\*,lazy_ntfs,Folder storing Syncthing configuration and certificates
      1502,Syncthing Cache and Storage,Apps,Users\*\AppData\Local\SyncTrazor\*,lazy_ntfs,Folder storing session and storage cache
      1503,Syncthing Logs,ApplicationLogs,Users\*\AppData\Roaming\SyncTrazor\*,lazy_ntfs,Folder storing Syncthing session logs
      1504,UCBrowser Bookmarks,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Bookmarks*,lazy_ntfs,
      1505,UCBrowser Cookies,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\**10\Cookies*,lazy_ntfs,
      1506,UCBrowser Current Session,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Current Session,lazy_ntfs,
      1507,UCBrowser Current Tabs,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Current Tabs,lazy_ntfs,
      1508,UCBrowser Download Metadata,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\DownloadMetadata,lazy_ntfs,
      1509,UCBrowser Extension Cookies,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Extension Cookies,lazy_ntfs,
      1510,UCBrowser Favicons,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Favicons*,lazy_ntfs,
      1511,UCBrowser History,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\History*,lazy_ntfs,
      1512,UCBrowser Last Session,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Last Session,lazy_ntfs,
      1513,UCBrowser Last Tabs,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Last Tabs,lazy_ntfs,
      1514,UCBrowser Sessions Folder,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Sessions\*,lazy_ntfs,
      1515,UCBrowser Login Data,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Login Data*,lazy_ntfs,
      1516,UCBrowser Media History,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Media History*,lazy_ntfs,
      1517,UCBrowser Network Action Predictor,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Network Action Predictor,lazy_ntfs,
      1518,UCBrowser Network Persistent State,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Network Persistent State,lazy_ntfs,
      1519,UCBrowser Preferences,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Preferences,lazy_ntfs,
      1520,UCBrowser Quota Manager,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\QuotaManager,lazy_ntfs,
      1521,UCBrowser Reporting and NEL,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Reporting and NEL,lazy_ntfs,
      1522,UCBrowser Shortcuts,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Shortcuts*,lazy_ntfs,
      1523,UCBrowser Top Sites,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Top Sites*,lazy_ntfs,
      1524,UCBrowser Trust Tokens,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Trust Tokens*,lazy_ntfs,
      1525,UCBrowser SyncData Database,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Sync Data\**10,lazy_ntfs,
      1526,UCBrowser Visited Links,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Visited Links,lazy_ntfs,
      1527,UCBrowser Web Data,Communications,Users\*\AppData\Local\UCBrowser\User Data*\*\Web Data*,lazy_ntfs,
      1528,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1529,UCBrowser Snapshots Folder,Communications,Users\*\AppData\Local\UCBrowser\User Data*\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of UCBrowser SQLite DBs organized by version #.
      1530,WaveBrowser bookmarks,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Bookmarks*,lazy_ntfs,
      1531,WaveBrowser Cookies,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\**10\Cookies*,lazy_ntfs,
      1532,WaveBrowser Current Session,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Current Session,lazy_ntfs,
      1533,WaveBrowser Current Tabs,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Current Tabs,lazy_ntfs,
      1534,WaveBrowser Download Metadata,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\DownloadMetadata,lazy_ntfs,
      1535,WaveBrowser Extension Cookies,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Extension Cookies,lazy_ntfs,
      1536,WaveBrowser Favicons,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Favicons*,lazy_ntfs,
      1537,WaveBrowser History,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\History*,lazy_ntfs,
      1538,WaveBrowser Last Session,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Last Session,lazy_ntfs,
      1539,WaveBrowser Last Tabs,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Last Tabs,lazy_ntfs,
      1540,WaveBrowser Sessions Folder,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Sessions\*,lazy_ntfs,
      1541,WaveBrowser Login Data,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Login Data,lazy_ntfs,
      1542,WaveBrowser Media History,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Media History*,lazy_ntfs,
      1543,WaveBrowser Network Action Predictor,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Network Action Predictor,lazy_ntfs,
      1544,WaveBrowser Network Persistent State,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Network Persistent State,lazy_ntfs,
      1545,WaveBrowser Preferences,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Preferences,lazy_ntfs,
      1546,WaveBrowser Quota Manager,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\QuotaManager,lazy_ntfs,
      1547,WaveBrowser Reporting and NEL,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Reporting and NEL,lazy_ntfs,
      1548,WaveBrowser Shortcuts,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Shortcuts*,lazy_ntfs,
      1549,WaveBrowser Top Sites,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Top Sites*,lazy_ntfs,
      1550,WaveBrowser Trust Tokens,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Trust Tokens*,lazy_ntfs,
      1551,WaveBrowser SyncData Database,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
      1552,WaveBrowser Visited Links,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Visited Links,lazy_ntfs,
      1553,WaveBrowser Web Data,Communications,Users\*\AppData\Local\WaveBrowser\User Data\*\Web Data*,lazy_ntfs,
      1554,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
      1555,WaveBrowser Snapshots Folder,Communications,Users\*\AppData\Local\WaveBrowser\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of WaveBrowser SQLite DBs organized by version #.
      1556,SYSTEM WaveBrowser History,Communications,Windows\system32\config\systemprofile\AppData\Local\WaveBrowser\User Data\*\History*,lazy_ntfs,
      1557,WindowsIndexSearch - User,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\*,lazy_ntfs,
      1558,GatherLogs - User,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs\**10,lazy_ntfs,
  - name: KapeTargets
    type: hidden
    description: |
      Each parameter above represents a group of rules to be
      triggered. This table specifies which rule IDs will be included
      when the parameter is checked.
    default: |
      Group,RuleIds
      _BasicCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 651, 652, 653, 654, 655, 661, 662, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 961, 962, 963, 964, 965, 966, 983, 984, 985, 986, 987, 988, 989, 1061, 1062, 1073, 1101, 1102, 1103, 1231, 1232, 1322, 1323, 1324, 1325, 1326, 1327, 1435, 1436, 1437, 1557, 1558]"
      _KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 169, 172, 173, 174, 175, 176, 177, 179, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 363, 376, 377, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 543, 549, 550, 557, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 789, 790, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1329, 1330, 1331, 1332, 1333, 1334, 1335, 1336, 1337, 1338, 1339, 1340, 1341, 1342, 1343, 1344, 1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353, 1360, 1361, 1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369, 1370, 1371, 1372, 1373, 1374, 1375, 1376, 1377, 1378, 1379, 1380, 1381, 1382, 1383, 1384, 1385, 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396, 1397, 1398, 1399, 1400, 1401, 1402, 1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431, 1432, 1433, 1434, 1435, 1436, 1437, 1438, 1439, 1440, 1441, 1442, 1443, 1444, 1445, 1446, 1447, 1454, 1455, 1456, 1457, 1458, 1459, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, 1487, 1488, 1489, 1490, 1491, 1492, 1493, 1494, 1495, 1496, 1497, 1498, 1499, 1500, 1504, 1505, 1506, 1507, 1508, 1509, 1510, 1511, 1512, 1513, 1514, 1515, 1516, 1517, 1518, 1519, 1520, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529, 1530, 1531, 1532, 1533, 1534, 1535, 1536, 1537, 1538, 1539, 1540, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1548, 1549, 1550, 1551, 1552, 1553, 1554, 1555, 1556]"
      _SANS_Triage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 80, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 165, 169, 172, 173, 174, 175, 176, 177, 179, 215, 216, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 310, 311, 312, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 363, 376, 377, 382, 383, 384, 385, 386, 387, 388, 389, 392, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 534, 535, 536, 537, 538, 539, 540, 543, 549, 550, 557, 560, 561, 562, 563, 564, 573, 574, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 789, 790, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 999, 1000, 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1070, 1071, 1073, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1101, 1102, 1103, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1191, 1195, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1231, 1232, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1294, 1295, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1329, 1330, 1331, 1332, 1333, 1334, 1335, 1336, 1337, 1338, 1339, 1340, 1341, 1342, 1343, 1344, 1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353, 1354, 1355, 1356, 1357, 1358, 1359, 1360, 1361, 1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369, 1370, 1371, 1372, 1373, 1374, 1375, 1376, 1377, 1378, 1379, 1380, 1381, 1382, 1383, 1384, 1385, 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396, 1397, 1398, 1399, 1400, 1401, 1402, 1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431, 1432, 1433, 1434, 1435, 1436, 1437, 1438, 1439, 1440, 1441, 1442, 1443, 1444, 1445, 1446, 1447, 1451, 1454, 1455, 1456, 1457, 1458, 1459, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, 1487, 1488, 1489, 1490, 1491, 1492, 1493, 1494, 1495, 1496, 1497, 1498, 1499, 1500, 1504, 1505, 1506, 1507, 1508, 1509, 1510, 1511, 1512, 1513, 1514, 1515, 1516, 1517, 1518, 1519, 1520, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529, 1530, 1531, 1532, 1533, 1534, 1535, 1536, 1537, 1538, 1539, 1540, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1548, 1549, 1550, 1551, 1552, 1553, 1554, 1555, 1556, 1557, 1558]"
      _Boot,[1]
      _J,"[2, 3, 4, 5]"
      _LogFile,[6]
      _MFT,[7]
      _MFTMirr,[8]
      _SDS,"[9, 10]"
      _T,"[11, 12]"
      1Password,"[13, 14, 15]"
      360SecureBrowser,"[1328, 1329, 1330, 1331, 1332, 1333, 1334, 1335, 1336, 1337, 1338, 1339, 1340, 1341, 1342, 1343, 1344, 1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353]"
      4KVideoDownloader,"[16, 17]"
      AVG,"[18, 19, 20, 21, 22, 23, 24]"
      AceText,[25]
      AcronisTrueImage,"[26, 27, 28]"
      Action1,[29]
      ActiveDirectoryNTDS,[30]
      ActiveDirectorySysvol,[31]
      AdvancedIPScanner,"[1354, 1355, 1356]"
      AdvancedPortScanner,"[1357, 1358, 1359]"
      AgentRansack,"[32, 33, 34, 35]"
      Amcache,"[36, 37, 38, 39]"
      Ammyy,[40]
      Antivirus,"[18, 19, 20, 21, 22, 23, 24, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 169, 172, 173, 174, 175, 176, 177, 233, 234, 235, 236, 237, 238, 263, 310, 311, 312, 393, 394, 395, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 557, 847, 968, 993, 994, 1019, 1020, 1021, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1086, 1087, 1096, 1097, 1098, 1127, 1128, 1129, 1130, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205]"
      AnyDesk,"[41, 42, 43, 44, 45, 46, 47, 48, 49, 1360, 1361]"
      ApacheAccessLog,[50]
      AppCompatPCA,[51]
      AppData,[52]
      AppXPackages,"[53, 54, 55, 56, 57]"
      ApplicationEvents,"[58, 59, 60, 61]"
      Arc,"[1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369, 1370, 1371, 1372, 1373, 1374, 1375, 1376]"
      AsperaConnect,"[62, 63]"
      AteraAgent,"[64, 65, 66, 67, 68]"
      Avast,"[69, 70, 71, 72, 73, 74]"
      AviraAVLogs,"[75, 76, 77]"
      BCD,"[78, 79]"
      BITS,[80]
      BitTorrent,[81]
      Bitdefender,"[82, 83, 84]"
      BoxDrive_Metadata,"[85, 86]"
      BoxDrive_UserFiles,"[87, 88]"
      BraveBrowser,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108]"
      BrowserCache,"[109, 110, 111, 112, 113, 114, 115, 116]"
      CertUtil,"[117, 118, 119, 120]"
      Chrome,"[121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161]"
      ChromeExtensions,"[162, 163]"
      ChromeFileSystem,[164]
      CiscoJabber,[165]
      ClipboardMaster,"[166, 167, 168]"
      CloudStorage_All,"[85, 86, 87, 88, 225, 226, 227, 228, 229, 230, 231, 363, 375, 376, 377, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 543, 614, 615, 616, 698, 1045, 1046, 1047, 1313, 1314, 1315]"
      CloudStorage_Metadata,"[85, 86, 225, 226, 227, 228, 229, 230, 363, 376, 377, 543, 614, 615, 698]"
      CloudStorage_OneDriveExplorer,"[614, 615, 703, 704, 705, 706, 707, 782, 783, 784, 785, 786, 788, 1435, 1436, 1437]"
      CocCoc,"[1377, 1378, 1379, 1380, 1381, 1382, 1383, 1384, 1385, 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396, 1397, 1398, 1399, 1400, 1401, 1402]"
      CombinedLogs,"[280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 573, 574, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 1101, 1102, 1103, 1206, 1207]"
      Combofix,[169]
      ConfluenceLogs,"[170, 171]"
      Cybereason,"[172, 173, 174]"
      Cylance,"[175, 176, 177]"
      DC__,[178]
      DWAgent,[179]
      Debian,"[180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197]"
      DirectoryOpus,"[198, 199, 200, 201, 202, 203, 204, 205, 206]"
      DirectoryTraversal_AudioFiles,[207]
      DirectoryTraversal_ExcelDocuments,[208]
      DirectoryTraversal_PDFDocuments,[209]
      DirectoryTraversal_PictureFiles,[210]
      DirectoryTraversal_SQLiteDatabases,[211]
      DirectoryTraversal_VideoFiles,[212]
      DirectoryTraversal_WildCardExample,[213]
      DirectoryTraversal_WordDocuments,[214]
      Discord,"[215, 216]"
      DoubleCommander,"[217, 218, 219, 220, 221, 222, 223]"
      Drivers,[224]
      Dropbox_Metadata,"[225, 226, 227, 228, 229, 230]"
      Dropbox_UserFiles,[231]
      EFCommander,[232]
      ESET,"[233, 234, 235, 236, 237, 238]"
      Edge,[239]
      EdgeChromium,"[240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261]"
      EdgeChromiumExtensions,[262]
      Emsisoft,[263]
      EncapsulationLogging,"[264, 265, 266, 267]"
      EventLogs_RDP,"[268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279]"
      EventLogs,"[280, 281, 282]"
      EventTraceLogs,"[283, 284, 285, 286, 287, 288, 289, 290, 291, 292]"
      EventTranscriptDB,"[293, 294, 295]"
      Evernote,"[296, 297, 298]"
      Everything__VoidTools_,"[299, 300, 301, 302]"
      EvidenceOfExecution,"[36, 37, 38, 39, 51, 661, 662, 699, 700, 1061, 1062]"
      Exchange,"[303, 308, 309]"
      ExchangeClientAccess,[303]
      ExchangeCve_2021_26855,"[304, 305, 306, 307]"
      ExchangeSetupLog,[308]
      ExchangeTransport,[309]
      FSecure,"[310, 311, 312]"
      FTPClients,"[314, 315, 316, 317, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 1195]"
      FastStoneImageViewer,[1403]
      Fences,[313]
      FileExplorerReplacements,"[198, 199, 200, 201, 202, 203, 204, 205, 206, 217, 218, 219, 220, 221, 222, 223, 232, 353, 354, 355, 356, 357, 358, 359, 567, 568, 569, 570, 571, 572, 612, 613, 674, 675, 1024, 1063, 1064, 1065, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1258, 1259, 1260, 1261]"
      FileSystem,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12]"
      FileZillaClient,"[314, 315]"
      FileZillaServer,"[316, 317]"
      Firefox,"[318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352]"
      FreeCommander,"[353, 354, 355, 356, 357, 358, 359]"
      FreeDownloadManager,"[360, 361, 362]"
      FreeFileSync,[363]
      Freenet,"[364, 365, 366, 367, 368]"
      FrostWire,"[369, 370, 371]"
      Gigatribe,"[372, 373, 374]"
      GoogleDriveBackupSync_UserFiles,[375]
      GoogleDrive_Metadata,"[376, 377]"
      GoogleEarth,"[378, 379, 380, 381]"
      GroupPolicy,"[382, 383, 384, 385, 386, 387, 388, 389]"
      HeidiSQL,"[390, 391]"
      HexChat,[392]
      HitmanPro,"[393, 394, 395]"
      HostsFile,[396]
      IISConfiguration,"[397, 398, 399, 400]"
      IISLogFiles,"[401, 402, 403, 404, 405, 406]"
      IRCClients,"[392, 419, 1294, 1295]"
      ISLOnline,"[407, 408, 409, 410, 411, 412, 413, 414]"
      ITarian,"[415, 416, 417, 418]"
      IceChat,[419]
      IconCacheDB,[420]
      Idrive,"[421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434]"
      ImgBurn,[435]
      InternetExplorer,"[436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448]"
      IrfanView,[449]
      JDownloader2,"[450, 451, 452, 453, 454]"
      JavaWebCache,"[455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465]"
      JumpLists,"[466, 467]"
      Kali,"[468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485]"
      KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 169, 172, 173, 174, 175, 176, 177, 179, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 363, 376, 377, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 543, 549, 550, 557, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 789, 790, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1329, 1330, 1331, 1332, 1333, 1334, 1335, 1336, 1337, 1338, 1339, 1340, 1341, 1342, 1343, 1344, 1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353, 1360, 1361, 1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369, 1370, 1371, 1372, 1373, 1374, 1375, 1376, 1377, 1378, 1379, 1380, 1381, 1382, 1383, 1384, 1385, 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396, 1397, 1398, 1399, 1400, 1401, 1402, 1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431, 1432, 1433, 1434, 1435, 1436, 1437, 1438, 1439, 1440, 1441, 1442, 1443, 1444, 1445, 1446, 1447, 1454, 1455, 1456, 1457, 1458, 1459, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, 1487, 1488, 1489, 1490, 1491, 1492, 1493, 1494, 1495, 1496, 1497, 1498, 1499, 1500, 1504, 1505, 1506, 1507, 1508, 1509, 1510, 1511, 1512, 1513, 1514, 1515, 1516, 1517, 1518, 1519, 1520, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529, 1530, 1531, 1532, 1533, 1534, 1535, 1536, 1537, 1538, 1539, 1540, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1548, 1549, 1550, 1551, 1552, 1553, 1554, 1555, 1556]"
      Kaseya,"[486, 487, 488, 489, 490, 491, 492, 493, 494]"
      Keepass,"[495, 496, 497]"
      KeepassXC,"[498, 499]"
      LNKFilesAndJumpLists,"[500, 501, 502, 503, 504, 505, 506, 507]"
      Level,[508]
      LinuxOnWindowsProfileFiles,"[509, 510, 511, 512]"
      LiveUserFiles,"[513, 514, 515, 516]"
      LogFiles,"[517, 518, 519]"
      LogMeIn,"[58, 59, 60, 61, 520, 521]"
      MOF,[522]
      MSSQLErrorLog,"[523, 524]"
      MacriumReflect,"[525, 526, 527]"
      Malwarebytes,"[528, 529, 530, 531]"
      ManageEngineLogs,"[532, 533]"
      Mattermost,[534]
      McAfee,"[535, 536, 537, 538, 539]"
      McAfee_ePO,[540]
      MediaMonkey,"[541, 542]"
      Megasync,[543]
      MemoryFiles,"[544, 545, 546, 547, 548]"
      MeshAgent,"[549, 550]"
      MessagingClients,"[165, 215, 216, 392, 419, 534, 560, 561, 562, 563, 564, 999, 1000, 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1070, 1071, 1140, 1141, 1142, 1143, 1144, 1188, 1189, 1190, 1191, 1294, 1295]"
      MicrosoftAzureCopy,"[1404, 1405]"
      MicrosoftOfficeBackstage,[551]
      MicrosoftOneNote,"[552, 553, 554, 555, 556]"
      MicrosoftSafetyScanner,[557]
      MicrosoftStickyNotes,"[558, 559]"
      MicrosoftTeams,"[560, 561, 562, 563, 564]"
      MicrosoftToDo,"[565, 566]"
      MidnightCommander,[567]
      MiniTimelineCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 280, 281, 282, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 1435, 1436, 1437]"
      MstyDatabase,[1406]
      MultiCommander,"[568, 569, 570, 571, 572]"
      NETCLRUsageLogs,"[573, 574]"
      NGINXLogs,[575]
      NZBGet,"[576, 577]"
      Nessus,"[578, 579]"
      NetMonitorforEmployeesProfessional,"[580, 581, 582, 583, 584, 585]"
      NetworkScanner,"[1354, 1355, 1356, 1357, 1358, 1359, 1451]"
      NewsbinPro,[586]
      Newsleecher,[587]
      Nicotine__,"[588, 589, 590, 591, 592, 593, 594, 595, 596, 597, 598]"
      Notepad__,"[599, 600, 601]"
      Notepad,[602]
      Notion,"[603, 604]"
      OfficeAutosave,"[605, 606, 607, 608]"
      OfficeDiagnostics,"[609, 610]"
      OfficeDocumentCache,[611]
      OneCommander,"[612, 613]"
      OneDrive_Metadata,"[614, 615]"
      OneDrive_UserFiles,[616]
      OpenSSHClient,"[617, 618, 619, 620, 621, 622, 623, 624, 625]"
      OpenSSHServer,"[626, 627, 628, 629, 630, 631, 632, 633, 634]"
      OpenVPNClient,"[635, 636, 637]"
      Opera,"[638, 639]"
      OutlookPSTOST,"[640, 641, 642, 643, 644, 645, 646, 647]"
      P2PClients,"[178, 369, 370, 371, 372, 373, 374, 997, 1022, 1023, 1289, 1290]"
      PeaZip,[648]
      PerfLogs,[649]
      PowerShell7Config,[650]
      PowerShellConsole,"[651, 652, 653, 654, 655]"
      PowerShellTranscripts,"[656, 657, 658, 659, 660]"
      Prefetch,"[661, 662]"
      ProgramData,[663]
      ProgramExecution,"[36, 37, 38, 39, 51, 466, 467, 573, 574, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 699, 700, 1061, 1062, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1252]"
      ProtonVPN,[664]
      PuffinSecureBrowser,"[665, 666, 667, 668, 669, 670, 671]"
      PushNotification,"[672, 673]"
      Q_Dir,"[674, 675]"
      QFinderPro__QNAP_,[676]
      QQBrowser,"[1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431, 1432]"
      QlikSense,"[677, 678, 679, 680]"
      QuickAssist,"[1433, 1434]"
      RDPCache,"[681, 682, 683]"
      RDPJumplist,[684]
      RDPLogs,"[685, 686, 687, 688, 689, 690, 691, 692]"
      Radmin,"[693, 694, 695, 696, 697]"
      RcloneConf,[698]
      RecentFileCache,"[699, 700]"
      RecentFolders,"[701, 702]"
      RecycleBin,"[703, 704, 705, 706, 707]"
      RecycleBin_DataFiles,"[703, 704, 705]"
      RecycleBin_InfoFiles,"[706, 707]"
      RegistryHives,"[708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 1435, 1436, 1437]"
      RegistryHivesMSIXApps,"[708, 709, 710]"
      RegistryHivesOther,"[711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738]"
      RegistryHivesSystem,"[739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779]"
      RegistryHivesUser,"[782, 783, 784, 785, 786, 788, 1435, 1436, 1437]"
      Remcos,"[1438, 1439, 1440, 1441, 1442, 1443, 1444, 1445, 1446, 1447]"
      RemoteAdmin,"[29, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 58, 59, 60, 61, 179, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 486, 487, 488, 489, 490, 491, 492, 493, 494, 508, 520, 521, 549, 550, 580, 581, 582, 583, 584, 585, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 789, 790, 848, 849, 990, 991, 992, 1025, 1026, 1050, 1051, 1066, 1067, 1068, 1069, 1099, 1100, 1121, 1122, 1123, 1124, 1137, 1138, 1139, 1262, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298, 1360, 1361, 1433, 1434, 1438, 1439, 1440, 1441, 1442, 1443, 1444, 1445, 1446, 1447]"
      RemoteUtilities_app,"[789, 790]"
      RoamingProfile,"[791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832]"
      Robo_FTP,"[833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846]"
      RogueKiller,[847]
      RustDesk,"[848, 849]"
      SABnbzd,"[850, 851]"
      SCCMClientLogs,[852]
      SDB,"[853, 854, 855, 856]"
      SOFELK,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 661, 662, 699, 700, 1061, 1062]"
      SQLiteDatabases,"[857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960]"
      SRUM,"[961, 962, 963, 964, 965, 966]"
      SUM,[967]
      SUPERAntiSpyware,[968]
      SUSELinuxEnterpriseServer,"[969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982]"
      ScheduledTasks,"[983, 984, 985, 986, 987, 988, 989, 1322, 1323, 1324, 1325, 1326, 1327]"
      ScreenConnect,"[58, 59, 60, 61, 990, 991, 992]"
      SecureAge,[993]
      SentinelOne,[994]
      ServerTriage,"[50, 170, 171, 303, 308, 309, 316, 317, 401, 402, 403, 404, 405, 406, 523, 524, 532, 533, 575, 626, 627, 628, 629, 630, 631, 632, 633, 634]"
      Session,[995]
      ShareX,[996]
      Shareaza,[997]
      SiemensTIA,[998]
      Signal,"[999, 1000, 1001, 1002]"
      SignatureCatalog,"[1003, 1004]"
      SimpleHelp,"[1448, 1449, 1450]"
      Skype,"[1005, 1006, 1007, 1008, 1009, 1010, 1011]"
      Slack,"[1012, 1013, 1014, 1015, 1016]"
      Snagit,[1017]
      SnipAndSketch,[1018]
      SoftPerfectNetscan,[1451]
      Sophos,"[58, 59, 60, 61, 1019, 1020, 1021]"
      Soulseek,"[1022, 1023]"
      SpeedCommander,[1024]
      Splashtop,"[1025, 1026]"
      StartupFolders,"[1452, 1453]"
      StartupInfo,"[1029, 1030]"
      Steam,"[1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042]"
      SublimeText,"[1043, 1044]"
      SugarSync,"[1045, 1046, 1047]"
      SumatraPDF,"[1048, 1049]"
      Supermium,"[1454, 1455, 1456, 1457, 1458, 1459, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, 1487, 1488, 1489, 1490, 1491, 1492, 1493, 1494, 1495, 1496, 1497, 1498, 1499, 1500]"
      SupremoRemoteDesktop,"[1050, 1051]"
      Symantec_AV_Logs,"[58, 59, 60, 61, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060]"
      Syncthing,"[1501, 1502, 1503]"
      Syscache,"[1061, 1062]"
      TablacusExplorer,"[1063, 1064, 1065]"
      TeamViewerLogs,"[1066, 1067, 1068, 1069]"
      Telegram,"[1070, 1071]"
      TeraCopy,[1072]
      ThumbCache,[1073]
      Thunderbird,"[1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084]"
      TorrentClients,"[81, 1316, 1317, 1318, 1319, 1320]"
      Torrents,[1085]
      TotalAV,"[1086, 1087]"
      TotalCommander,"[1088, 1089, 1090, 1091, 1092, 1093, 1094]"
      TreeSize,[1095]
      TrendMicro,"[1096, 1097, 1098]"
      UCBrowser,"[1504, 1505, 1506, 1507, 1508, 1509, 1510, 1511, 1512, 1513, 1514, 1515, 1516, 1517, 1518, 1519, 1520, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529]"
      UEMS,"[1099, 1100]"
      USBDetective,"[36, 37, 38, 39, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 782, 783, 784, 785, 786, 788, 1101, 1102, 1103, 1435, 1436, 1437]"
      USBDevicesLogs,"[1101, 1102, 1103]"
      Ubuntu,"[1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120]"
      Ultraviewer,"[1121, 1122, 1123, 1124]"
      Usenet,[1125]
      UsenetClients,"[576, 577, 586, 587, 850, 851]"
      UsersFolders,[1126]
      VIPRE,"[1127, 1128, 1129, 1130]"
      VLC_Media_Player,"[1131, 1132]"
      VMware,"[1133, 1134, 1135, 1136, 1151, 1152, 1153, 1154]"
      VMwareInventory,[1133]
      VMwareMemory,"[1134, 1135, 1136]"
      VNCLogs,"[58, 59, 60, 61, 1137, 1138, 1139]"
      Viber,"[1140, 1141, 1142, 1143, 1144]"
      VirtualBox,"[1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154]"
      VirtualBoxConfig,"[1145, 1146]"
      VirtualBoxLogs,"[1147, 1148, 1149]"
      VirtualBoxMemory,[1150]
      VirtualDisks,"[1151, 1152, 1153, 1154]"
      VisualStudioCode,"[1155, 1156, 1157, 1158, 1159, 1160, 1161, 1162]"
      Vivaldi,"[1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179]"
      WBEM,"[1180, 1181]"
      WER,"[1182, 1183, 1184, 1185, 1186]"
      WSL,"[180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311, 1312]"
      WaveBrowser,"[1530, 1531, 1532, 1533, 1534, 1535, 1536, 1537, 1538, 1539, 1540, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1548, 1549, 1550, 1551, 1552, 1553, 1554, 1555, 1556]"
      WebBrowsers,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 638, 639, 665, 666, 667, 668, 669, 670, 671, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1328, 1329, 1330, 1331, 1332, 1333, 1334, 1335, 1336, 1337, 1338, 1339, 1340, 1341, 1342, 1343, 1344, 1345, 1346, 1347, 1348, 1349, 1350, 1351, 1352, 1353, 1362, 1363, 1364, 1365, 1366, 1367, 1368, 1369, 1370, 1371, 1372, 1373, 1374, 1375, 1376, 1377, 1378, 1379, 1380, 1381, 1382, 1383, 1384, 1385, 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396, 1397, 1398, 1399, 1400, 1401, 1402, 1407, 1408, 1409, 1410, 1411, 1412, 1413, 1414, 1415, 1416, 1417, 1418, 1419, 1420, 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431, 1432, 1454, 1455, 1456, 1457, 1458, 1459, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, 1487, 1488, 1489, 1490, 1491, 1492, 1493, 1494, 1495, 1496, 1497, 1498, 1499, 1500, 1504, 1505, 1506, 1507, 1508, 1509, 1510, 1511, 1512, 1513, 1514, 1515, 1516, 1517, 1518, 1519, 1520, 1521, 1522, 1523, 1524, 1525, 1526, 1527, 1528, 1529, 1530, 1531, 1532, 1533, 1534, 1535, 1536, 1537, 1538, 1539, 1540, 1541, 1542, 1543, 1544, 1545, 1546, 1547, 1548, 1549, 1550, 1551, 1552, 1553, 1554, 1555, 1556]"
      WebServers,"[50, 401, 402, 403, 404, 405, 406, 523, 524, 575]"
      Webroot,[1187]
      WhatsApp,"[1188, 1189, 1190, 1191]"
      WhatsApp_Media,"[1192, 1193]"
      WinDefendDetectionHist,[1194]
      WinSCP,[1195]
      WindowsCopilotRecall,[1196]
      WindowsDefender,"[1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205]"
      WindowsFirewall,"[1206, 1207]"
      WindowsHello,"[1208, 1209, 1210, 1211, 1212, 1213, 1214, 1215, 1216, 1217, 1218, 1219, 1220, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230]"
      WindowsIndexSearch,"[1231, 1232, 1557, 1558]"
      WindowsNetwork,[1233]
      WindowsNotificationsDB,"[1234, 1235]"
      WindowsOSUpgradeArtifacts,"[1236, 1237, 1238, 1239, 1240]"
      WindowsPowerDiagnostics,[1241]
      WindowsServerDNSAndDHCP,"[1242, 1243, 1244]"
      WindowsSubsystemforAndroid,"[1245, 1246, 1247, 1248, 1249]"
      WindowsTelemetryDiagnosticsLegacy,"[1250, 1251]"
      WindowsTimeline,[1252]
      WindowsUpdate,"[1253, 1254, 1255]"
      WindowsYourPhone,[1256]
      XPRestorePoints,[1257]
      XYplorer,"[1258, 1259, 1260, 1261]"
      Xeox,[1262]
      Yandex,"[1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277]"
      ZohoAssist,"[1278, 1279, 1280, 1281, 1282, 1283, 1284]"
      Zoom,"[1285, 1286, 1287, 1288]"
      eMule,"[1289, 1290]"
      iTunesBackup,"[1291, 1292, 1293]"
      mIRC,"[1294, 1295]"
      mRemoteNG,"[1296, 1297, 1298]"
      openSUSE,"[1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311, 1312]"
      pCloudDatabase,"[1313, 1314, 1315]"
      qBittorrent,"[1316, 1317, 1318, 1319]"
      uTorrent,[1320]

  - name: NTFS_CACHE_TIME
    type: int
    description: How often to flush the NTFS cache. (Default is never).
    default: "1000000"

sources:
  - name: All File Metadata
    query: |
      LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge

      -- Filter the KapeTargets list by the groups that are enabled in
      -- the scope. Only the rows which contain a Group name defined
      -- as TRUE in the scope (parameter) will be included. We then
      -- merge all the Ids into a single flattened list we can check
      -- against.
      LET targets <= SELECT * FROM foreach(row={
        SELECT * FROM parse_csv(accessor="data", filename=KapeTargets)
        WHERE get(member=Group) AND log(message="Selecting " + Group)
      }, query={
        SELECT _value AS Id FROM foreach(row=RuleIds)
      })

      LET EnabledIds <= targets.Id

      -- Filter only the rules in the rule table that have an Id we
      -- want. Targets with $ in their name probably refer to ntfs
      -- special files and so they are designated as ntfs
      -- accessor. Other targets may need ntfs parsing but not
      -- necessary - they are designated with the lazy_ntfs accessor.
      LET rule_specs_ntfs <= SELECT Id, Glob
        FROM parse_csv(filename=KapeRules, accessor="data")
        WHERE Id in EnabledIds AND Accessor='ntfs'
        AND log(message="ntfs: Selecting glob " + Glob)

      LET rule_specs_lazy_ntfs <= SELECT Id, Glob
        FROM parse_csv(filename=KapeRules, accessor="data")
        WHERE Id in EnabledIds AND Accessor='lazy_ntfs'
        AND log(message="auto: Selecting glob " + Glob)

      -- Call the generic VSS file collector with the globs we want in
      -- a new CSV file.
      LET all_results_from_device(Device) = SELECT * FROM if(
           condition=VSSAnalysisAge > 0,
           then={
              -- Process everything with the ntfs_vss accessor.
              SELECT * FROM Artifact.Generic.Collectors.File(
                Root=Device,
                Accessor="ntfs_vss",
                collectionSpec=rule_specs_ntfs + rule_specs_lazy_ntfs)
           }, else={
             SELECT * FROM chain(async=TRUE,
               a={

                   -- Special files we access with the ntfs parser.
                   SELECT * FROM Artifact.Generic.Collectors.File(
                      Root=Device,
                      Accessor="ntfs",
                      collectionSpec=rule_specs_ntfs)
               }, b={

                   -- Prefer the auto accessor if possible since it
                   -- will fall back to ntfs if required but otherwise
                   -- will be faster.
                   SELECT * FROM Artifact.Generic.Collectors.File(
                      Root=Device,
                      Accessor=if(condition=UseAutoAccessor,
                                  then="auto", else="lazy_ntfs"),
                      collectionSpec=rule_specs_lazy_ntfs)
               })
           })

      // This materializes all the files into memory and then into
      // a tempfile if the list is too long.
      LET all_results <= SELECT * FROM foreach(
        row=split(string=Device, sep="\\s*,\\s*"),
        query={
          SELECT * FROM all_results_from_device(Device=_value)
        })

      SELECT * FROM all_results WHERE _Source =~ "Metadata"

  - name: Uploads
    query: |
      SELECT * FROM all_results WHERE _Source =~ "Uploads"

    notebook:
    - type: vql_suggestion
      name: Post process collection
      template: |
        /*

        # Post process this collection.

        Uncomment the following and evaluate the cell to create new
        collections based on the files collected from this artifact.

        The below VQL will apply remapping so standard artifacts will
        see the KapeFiles.Targets collection below as a virtual
        Windows Client. The artifacts will be collected to a temporary
        container and then re-imported as new collections into this
        client.

        NOTE: This is only a stop gap in case the proper artifacts
        were not collected in the first place. Parsing artifacts
        through a remapped collection is not as accurate as parsing
        directly on the endpoint. See
        https://docs.velociraptor.app/training/playbooks/preservation/
        for more info.

        */
        LET _ <= import(artifact="Windows.KapeFiles.Remapping")

        LET tmp <= tempfile()

        LET Results = SELECT import_collection(filename=Container, client_id=ClientId) AS Import
        FROM collect(artifacts=[
                       "Windows.Forensics.Usn",
                       "Windows.NTFS.MFT",
                     ],
                     args=dict(`Windows.Forensics.Usn`=dict(),
                               `Windows.NTFS.MFT`=dict()),
                     output=tmp,
                     remapping=GetRemapping(FlowId=FlowId, ClientId=ClientId))

        // SELECT * FROM Results