Kape is a popular bulk collector tool for triaging a system quickly. While KAPE itself is not an opensource tool, the logic it uses to decide which files to collect is encoded in YAML files hosted on the KapeFiles project (https://github.com/EricZimmerman/KapeFiles) and released under an MIT license.
This artifact is automatically generated from these YAML files, contributed and maintained by the community. This artifact only encapsulates the KAPE “Targets” - basically a bunch of glob expressions used for collecting files on the endpoint. We do not do any post processing these files - we just collect them.
We recommend that timeouts and upload limits be used conservatively with this artifact because we can upload really vast quantities of data very quickly.
NOTE: This artifact was built from The KapeFile Repository commit ad2180c dated 2024-10-08T15:00:46-0400.
name: Windows.KapeFiles.Targets
description: |
Kape is a popular bulk collector tool for triaging a system
quickly. While KAPE itself is not an opensource tool, the logic it
uses to decide which files to collect is encoded in YAML files
hosted on the KapeFiles project
(https://github.com/EricZimmerman/KapeFiles) and released under an
MIT license.
This artifact is automatically generated from these YAML files,
contributed and maintained by the community. This artifact only
encapsulates the KAPE "Targets" - basically a bunch of glob
expressions used for collecting files on the endpoint. We do not
do any post processing these files - we just collect them.
We recommend that timeouts and upload limits be used
conservatively with this artifact because we can upload really
vast quantities of data very quickly.
NOTE: This artifact was built from The KapeFile Repository
commit ad2180c dated 2024-10-08T15:00:46-0400.
reference:
- https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
- https://github.com/EricZimmerman/KapeFiles
parameters:
- name: UseAutoAccessor
description: |
Uses file accessor when possible instead of ntfs parser - this
is much faster. Note that when using VSS analysis we have to use
the ntfs accessor for everything which will be much slower.
type: bool
default: Y
- name: Device
description: |
Name of the drive letter to search. You can add multiple drives
separated with a comma.
default: "C:,D:"
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
- name: _BasicCollection
description: "Basic Collection (by Phill Moore): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Event logs Win7+, Event logs XP, Event logs Win7+, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell Transcripts - Observed Location, Prefetch, Rclone Config, RecentFileCache, RECYCLER - WinXP, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, Windows 10 Notification DB, User startup folders, System-wide startup folder, Steam Friend List and Username History file, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, Windows Defender Logs, Windows Defender Event Logs, Zoom plugin (Outlook), eMule Logs and Configuration Files, eMule part.met files, iTunes Backup Folder, iTunes Backup Folder, iTunes Backup Folder - iOS13"
type: bool
- name: _KapeTriage
description: "Calls Kape Triage (by Phill Moore): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder, Edge Chromium Extension Files, Event logs Win7+, Event logs XP, Event logs Win7+, Exchange TransportRoles log files, F-Secure Logs, F-Secure User Logs, FileZilla Log Files, Addons, Bookmarks, Bookmarks, Cookies, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Password, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Password XP, Password XP, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs, IIS log files, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, ITarian, Comodo, ImgBurn - Application Log File, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, Kali WSL ext4.vhdx, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Error logging, LogMeIn ProgramData Logs, Macrium Reflect, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, Small Memory Dump directory, MeshAgent .msh (configuration) file, Microsoft OneNote - RecentSearches, Nessus Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, One Commander - Other Configuration Files, OneDrive Metadata Logs, OpenVPN Client Config, Opera - Local Folder, PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell Transcripts - Observed Location, Prefetch, ProtonVPN - Connection Logs, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Qlik Sense Logs, RDP Cache Files, Windows.old RDP Cache Files, RDP Jumplist Files, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, RECYCLER - WinXP, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, Chrome Trust Tokens, Chrome Trust Tokens, Chrome SyncData Database, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, Windows 10 Notification DB, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files, EventTranscript.db, EventTranscript.db, at SchedLgU.txt, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, Slack Storage, Snagit - Captures, Snip & Sketch, Sophos Logs (XP), Sophos Logs, Sophos Logs, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings, SpeedCommander - .ini File, Splashtop Log Files, Splashtop Log Files in ProgramData, User startup folders, System-wide startup folder, Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Syscache transaction files, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml, Tablacus Explorer - window1.xml, TeamViewer Connection Logs, TotalAV Logs, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Total Commander - Frequent Directory Listing, Total Commander - FTP Logs, TreeSize - ScanHistory.XML, Trend Micro Logs, Setupapi.log Win7+, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VLC Recently Opened Files, VLC Recorded Files, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), RealVNC Log, RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, VirtualBox VM configs, VirtualBox VM backup configs, VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD, VHDX, VDI, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, SECURITY registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), WindowsIndexSearch, GatherLogs, Network setting files, Windows 10 Notification DB, Windows 10 Notification DB, MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db, Windows Power Diagnostics, DNS Netlogon files, DNS files, DHCP files, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO), Appcompatdb.json, userdata.vhdx, Legacy .rbs files relating to Windows Telemetry and Diagnostics, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Zoom plugin (Outlook), eMule Logs and Configuration Files, eMule part.met files, iTunes Backup Folder, iTunes Backup Folder, iTunes Backup Folder - iOS13"
type: bool
- name: _SANS_Triage
description: "SANS Triage Collection (by Mark Hallman): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, BITS files, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, Cisco Jabber Database, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Discord Cache Files, Discord Local Storage LevelDB Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder, Edge Chromium Extension Files, Event logs Win7+, Event logs XP, Event logs Win7+, Event logs Win7+, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WMI Trace Logs, WMI Trace Logs, SleepStudy Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs, Exchange TransportRoles log files, F-Secure Logs, F-Secure User Logs, FileZilla Log Files, Addons, Bookmarks, Bookmarks, Cookies, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Password, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Password XP, Password XP, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, Google Earth My Places Backup file (XP), Group Policy Files, Computer Group Policy files, User Group Policy files, Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts, HeidiSQL (tabs.ini), HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs, IIS log files, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, ITarian, Comodo, ITarian, ImgBurn - Application Log File, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, Kali WSL ext4.vhdx, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Error logging, LogMeIn ProgramData Logs, Macrium Reflect, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, ManageEngine ADSelfService Plus Log Files, Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, Small Memory Dump directory, MeshAgent .msh (configuration) file, Microsoft OneNote - RecentSearches, Microsoft Sticky Notes - 1607 and later, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config, Multi Commander - Log File, .NET CLR UsageLogs (user-scoped), Nessus Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, One Commander - Other Configuration Files, OneDrive Metadata Logs, OpenVPN Client Config, Opera - Local Folder, PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, Prefetch, ProtonVPN - Connection Logs, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Qlik Sense Logs, RDP Cache Files, Windows.old RDP Cache Files, RDP Jumplist Files, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, RECYCLER - WinXP, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, Chrome Trust Tokens, Chrome Trust Tokens, Chrome SyncData Database, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, Windows 10 Notification DB, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files, EventTranscript.db, EventTranscript.db, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SUM Database (.mdb files), SUPERAntiSpyware Logs, SUSE Linux Enterprise Server WSL /etc/passwd, SUSE Linux Enterprise Server WSL /etc/group, SUSE Linux Enterprise Server WSL /etc/shadow, SUSE Linux Enterprise Server WSL /etc/timezone, SUSE Linux Enterprise Server WSL /etc/hostname, SUSE Linux Enterprise Server WSL /etc/hosts, SUSE Linux Enterprise Server WSL /etc/bash.bashrc, SUSE Linux Enterprise Server WSL /etc/profile, SUSE Linux Enterprise Server WSL .bash_history, SUSE Linux Enterprise Server WSL .bashrc, SUSE Linux Enterprise Server WSL .profile, SUSE Linux Enterprise Server WSL ext4.vhdx, at SchedLgU.txt, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, Slack Storage, Snagit - Captures, Snip & Sketch, Sophos Logs (XP), Sophos Logs, Sophos Logs, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings, SpeedCommander - .ini File, Splashtop Log Files, Splashtop Log Files in ProgramData, User startup folders, System-wide startup folder, Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files, Steam Startup Times Log file, Steam Game Image files, Steam Friend List and Username History file, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Syscache transaction files, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml, Tablacus Explorer - window1.xml, TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TotalAV Logs, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Total Commander - Frequent Directory Listing, Total Commander - FTP Logs, TreeSize - ScanHistory.XML, Trend Micro Logs, Setupapi.log Win7+, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, Ubuntu WSL /etc/passwd, Ubuntu WSL /etc/group, Ubuntu WSL /etc/shadow, Ubuntu WSL /etc/timezone, Ubuntu WSL /etc/hostname, VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VLC Recently Opened Files, VLC Recorded Files, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), RealVNC Log, RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, VirtualBox VM configs, VirtualBox VM backup configs, VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD, VHDX, VDI, VMDK, VSCode Opened Files, VSCode Workspaces, VSCode User extensions, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, Vivaldi Bookmarks, Vivaldi Visited Links, Windows Defender Logs, Windows Defender Event Logs, SECURITY registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), WindowsIndexSearch, GatherLogs, Network setting files, Windows 10 Notification DB, Windows 10 Notification DB, MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db, Windows Power Diagnostics, DNS Netlogon files, DNS files, DHCP files, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO), Appcompatdb.json, userdata.vhdx, Legacy .rbs files relating to Windows Telemetry and Diagnostics, XYplorer - AutoBackup folder, XYplorer - .dat files, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Zoom plugin (Outlook), eMule Logs and Configuration Files, eMule part.met files, iTunes Backup Folder, iTunes Backup Folder, iTunes Backup Folder - iOS13"
type: bool
- name: _Boot
description: "$Boot (by Eric Zimmerman): $Boot"
type: bool
- name: _J
description: "$J (by Eric Zimmerman and Andrew Rathbun): $J, $Max, $J, $Max"
type: bool
- name: _LogFile
description: "$LogFile (by Eric Zimmerman): $LogFile"
type: bool
- name: _MFT
description: "$MFT (by Eric Zimmerman): $MFT"
type: bool
- name: _MFTMirr
description: "$MFTMirr (by Teo Kia Meng): $MFTMirr"
type: bool
- name: _SDS
description: "$SDS (by Eric Zimmerman and Andrew Rathbun): $SDS, $SDS"
type: bool
- name: _T
description: "$T (by Eric Zimmerman and Andrew Rathbun): $T, $T"
type: bool
- name: 1Password
description: "1Password Password Manager (by Matt Dawson): 1Password Database, 1Password Backup Databases, 1Password Logs"
type: bool
- name: 4KVideoDownloader
description: "4K Video Downloader (by Andrew Rathbun): 4K Video Downloader, 4K Video Downloader+"
type: bool
- name: AVG
description: "AVG Antivirus Data (by Kirtan Shah and Dhiral Panjwani): AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON"
type: bool
- name: AceText
description: "AceText (by Andrew Rathbun): AceText - Clipboard History"
type: bool
- name: AcronisTrueImage
description: "Acronis True Image (by Andrew Rathbun): Acronis True Image - Logs, Acronis True Image - Database Files, Acronis True Image - Scripts Folder"
type: bool
- name: Action1
description: "Action1 Application Logs (by Andrew Skatoff @DFIR_TNT): Action1 Client Application logs"
type: bool
- name: ActiveDirectoryNTDS
description: "Active Directory NTDS (by Zawadi Done): NTDS"
type: bool
- name: ActiveDirectorySysvol
description: "Active Directory Sysvol (by Zawadi Done): SYSVOL"
type: bool
- name: AgentRansack
description: "Agent Ransack - Free File Searching Utility (by Andrew Rathbun): Agent Ransack Config Logs, Agent Ransack CrashReports Logs, Agent Ransack IndexLog Logs, Agent Ransack Logs"
type: bool
- name: Amcache
description: "Amcache.hve (by Eric Zimmerman): Amcache, Amcache, Amcache transaction files, Amcache transaction files"
type: bool
- name: Ammyy
description: "Ammyy Data (by Drew Ervin): Ammyy Program Data"
type: bool
- name: Antivirus
description: "Antivirus (by Andrew Rathbun): AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge Chromium Extension Files, Exchange TransportRoles log files, F-Secure Logs, F-Secure User Logs, HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs, Macrium Reflect, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, Microsoft OneNote - RecentSearches, Chrome Trust Tokens, Edge Preferences, EventTranscript.db, EventTranscript.db, at SchedLgU.txt, at SchedLgU.txt, XML, Snip & Sketch, Sophos Logs (XP), Sophos Logs, Sophos Logs, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings, SpeedCommander - .ini File, Splashtop Log Files, Splashtop Log Files in ProgramData, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Syscache transaction files, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml, Total Commander - Frequent Directory Listing, Total Commander - FTP Logs, TreeSize - ScanHistory.XML, Trend Micro Logs, VDI, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites"
type: bool
- name: AnyDesk
description: "AnyDesk (by Andrew Rathbun, Scott Hanson, and Nicole Jao): AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile"
type: bool
- name: ApacheAccessLog
description: "Apache Access Log (by Hadar Yudovich): Apache Access Log"
type: bool
- name: AppCompatPCA
description: "AppCompat PCA Folder (by Andrew Rathbun): AppCompat PCA Folder"
type: bool
- name: AppData
description: "AppData (by Phill Moore): AppData"
type: bool
- name: AppXPackages
description: "AppXPackages (by Nisarg Suthar): WindowsApps for AppX, SystemApps for AppX, UserSpecificPackages for AppX, AppRepository for AppX, ProgramData Packages for AppX"
type: bool
- name: ApplicationEvents
description: "Windows Application Event Log (by Drew Ervin): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+"
type: bool
- name: AsperaConnect
description: "Aspera Connect Log Files (by Dennis Reneau): Aspera Client Logs, Aspera Server Logs"
type: bool
- name: AteraAgent
description: "AteraAgent (by Andrew Rathbun): AteraAgent .ini files, AteraAgent Logs, AteraAgent Logs, AteraAgent Logs, AteraAgent Logs"
type: bool
- name: Avast
description: "Avast Antivirus Data (by Drew Ervin and Dhiral Panjwani): Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs"
type: bool
- name: AviraAVLogs
description: "Avira Logs (by Fabian Murer and Dhiral Panjwani): Avira Activity Logs, Avira Security Logs, Avira VPN Logs"
type: bool
- name: BCD
description: "Boot Configuration Files (by Troy Larson): BCD, BCD Logs"
type: bool
- name: BITS
description: "Microsoft BITS (Background Intelligent Transer Service) persistent files (by Jos Clephas): BITS files"
type: bool
- name: BitTorrent
description: "BitTorrent (by Banaanhangwagen): TorrentClients - BitTorrent"
type: bool
- name: Bitdefender
description: "Bitdefender Antivirus Data (by Drew Ervin, Ahmed Elshaer): Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files"
type: bool
- name: BoxDrive_Metadata
description: "Box Cloud Storage Metadata (by Chad Tilbury): Box Drive Application Metadata, Box Sync Application Metadata"
type: bool
- name: BoxDrive_UserFiles
description: "Box Cloud Storage Files (by Chad Tilbury): Box Drive User Files, Box Sync User Files"
type: bool
- name: BraveBrowser
description: "Brave Browser (by Cassie Doemel): Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences"
type: bool
- name: BrowserCache
description: "Browser Caches (by Bjorn Vanhaeren): Chrome Cache Folder, Chromium Edge Cache Folder, Firefox Cache Folder, IE 9/10 Cache, IE Index.dat temp internet files, IE 11 Cache, Edge WebcacheV01.dat, Brave Cache Folder"
type: bool
- name: CertUtil
description: "Certutil (by NVISO (@NVISOsecurity), 2thewes): System CryptnetUrlCache, System WOW64 CryptnetUrlCache, User CryptnetUrlCache, INetCache"
type: bool
- name: Chrome
description: "Chrome (by Eric Zimmerman and Andrew Rathbun): Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History"
type: bool
- name: ChromeExtensions
description: "Chrome Extension Files (by piesecurity): Chrome Extension Files, Chrome Extension Files XP"
type: bool
- name: ChromeFileSystem
description: "Chrome HTML5 File System Contents (by Chad Tilbury): Chrome HTML5 File System Folder"
type: bool
- name: CiscoJabber
description: "Jabber (by Andrew Bannon): Cisco Jabber Database"
type: bool
- name: ClipboardMaster
description: "ClipboardMaster (by Andrew Rathbun): ClipboardMaster - Clipboard History - Text, ClipboardMaster - Clipboard History - Images, ClipboardMaster - Clipboard History - Backups"
type: bool
- name: CloudStorage_All
description: "Cloud Storage Contents and Metadata (by Chad Tilbury and Andrew Rathbun): Box Drive Application Metadata, Box Sync Application Metadata, Box Drive User Files, Box Sync User Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata, Dropbox User Files, Gigatribe Files Windows XP, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, Windows IconCache DB, Idrive Cleanup Operations, Idrive Backup Operations, Idrive Delete Operations, Idrive Restore Operations, Idrive Backup Summary, Idrive Tracefile, Idrive Mapped Drives, Idrive Backup Schedule, Idrive Schedule History, Idrive Configuration, Idrive Local Drives, Idrive Exclusion Configurations, Idrive User Details, One Commander - Other Configuration Files, OneDrive Metadata Logs, OneDrive Metadata Settings, Radmin Viewer Chats, Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack LevelDB Files, Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files"
type: bool
- name: CloudStorage_Metadata
description: "Cloud Storage Metadata (by Chad Tilbury and Andrew Rathbun, Eric Capuano): Box Drive Application Metadata, Box Sync Application Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, One Commander - Other Configuration Files, OneDrive Metadata Logs, Radmin Viewer Chats"
type: bool
- name: CloudStorage_OneDriveExplorer
description: "OneDrive and other files used with OneDriveExplorer (by Brian Maloney): One Commander - Other Configuration Files, OneDrive Metadata Logs, LNK Files from Microsoft Office Recent, Recycle Bin - Windows Vista+, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Recycle Bin - Windows Vista+, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive"
type: bool
- name: CombinedLogs
description: "Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs (by Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts target): Event logs Win7+, Event logs XP, Event logs Win7+, Event logs Win7+, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WMI Trace Logs, WMI Trace Logs, SleepStudy Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs, Multi Commander - Log File, .NET CLR UsageLogs (user-scoped), PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, Vivaldi Bookmarks, Vivaldi Visited Links"
type: bool
- name: Combofix
description: "ComboFix Antivirus Data (by Drew Ervin): ComboFix"
type: bool
- name: ConfluenceLogs
description: "Confluence Log Files (by Eric Capuano): Confluence Wiki Log Files, Confluence Wiki Log Files"
type: bool
- name: Cybereason
description: "Cybereason Sensor/Detection Logs (by piesecurity): Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs"
type: bool
- name: Cylance
description: "Cylance Antivirus Logs (by Ron Rader): Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs"
type: bool
- name: DC__
description: "DC++ (by Andrew Rathbun): DC++ Chat Logs"
type: bool
- name: DWAgent
description: "DWAgent Log Files (by Ron Rader): DWAgent Log Files"
type: bool
- name: Debian
description: "Debian on Windows Subsystem for Linux (by Matt Dawson): Debian WSL /etc/debian_version, Debian WSL /etc/fstab, Debian WSL /etc/os-release, Debian WSL /etc/passwd, Debian WSL /etc/group, Debian WSL /etc/shadow, Debian WSL /etc/timezone, Debian WSL /etc/hostname, Debian WSL /etc/hosts, Debian WSL /etc/crontab, Debian WSL /etc/bash.bashrc, Debian WSL /etc/profile, Debian WSL .bash_history, Debian WSL .bashrc, Debian WSL .profile, Debian WSL User Crontabs, Debian WSL Apt Logs, Debian WSL ext4.vhdx"
type: bool
- name: DirectoryOpus
description: "Directory Opus (by Andrew Rathbun): Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus"
type: bool
- name: DirectoryTraversal_AudioFiles
description: "Find audio files covering a multitude of formats (by Andrew Rathbun): Audio files"
type: bool
- name: DirectoryTraversal_ExcelDocuments
description: "Find Excel and Excel alternative documents (by Andrew Rathbun): Excel and Excel-like Documents"
type: bool
- name: DirectoryTraversal_PDFDocuments
description: "Find PDF and PDF alternative documents (by Andrew Rathbun): PDF and PDF-like Documents"
type: bool
- name: DirectoryTraversal_PictureFiles
description: "Find picture files covering a multitude of formats (by Andrew Rathbun): Picture files"
type: bool
- name: DirectoryTraversal_SQLiteDatabases
description: "Find files with common SQLite file extensions (by Andrew Rathbun): SQLite Files (.db* and .sqlite*)"
type: bool
- name: DirectoryTraversal_VideoFiles
description: "Find video files covering a multitude of formats (by Andrew Rathbun): Video files"
type: bool
- name: DirectoryTraversal_WildCardExample
description: "Find zip archives (by Eric Zimmerman): Zips"
type: bool
- name: DirectoryTraversal_WordDocuments
description: "Find Word and Word alternative documents (by Andrew Rathbun): Word and Word-like Documents"
type: bool
- name: Discord
description: "Discord Cache and LevelDB Files (by Christian Johansen and Matt Dawson): Discord Cache Files, Discord Local Storage LevelDB Files"
type: bool
- name: DoubleCommander
description: "Double Commander (by Andrew Rathbun): Double Commander - history.xml, Double Commander - doublecmd.xml, Double Commander - FTP Log, Double Commander - multiarc.ini, Double Commander - session.ini, Double Commander - pixmaps.txt, Double Commander - shortcuts.scf"
type: bool
- name: Drivers
description: "Windows Drivers (by Zawadi Done): Drivers"
type: bool
- name: Dropbox_Metadata
description: "Dropbox Cloud Storage Metadata (by Chad Tilbury and Andrew Rathbun): Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata"
type: bool
- name: Dropbox_UserFiles
description: "Dropbox Cloud Storage Files (by Chad Tilbury): Dropbox User Files"
type: bool
- name: EFCommander
description: "EF Commander (by Andrew Rathbun): EF Commander - .ini File"
type: bool
- name: ESET
description: "ESET Antivirus Data (by Drew Ervin, Phill Moore): ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine"
type: bool
- name: Edge
description: "Edge (by Phill Moore): Edge folder"
type: bool
- name: EdgeChromium
description: "Microsoft Edge Chromium Artifacts (by Chad Tilbury and Andrew Rathbun): Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder"
type: bool
- name: EdgeChromiumExtensions
description: "Edge Chromium Extension Files (by cardinsou): Edge Snapshots Folder"
type: bool
- name: Emsisoft
description: "Emsisoft Antivirus Logs (by blueskycyber): Edge Chromium Extension Files"
type: bool
- name: EncapsulationLogging
description: "EncapsulationLogging (by Troy Larson): Emsisoft Scan Logs, EncapsulationLogging, EncapsulationLogging, EncapsulationLogging Logs"
type: bool
- name: EventLogs_RDP
description: "Collect Win7+ RDP related Event logs (by Mark Hallman, esecrpm): EncapsulationLogging Logs, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+"
type: bool
- name: EventLogs
description: "Event logs (by Eric Zimmerman): Event logs Win7+, Event logs XP, Event logs Win7+"
type: bool
- name: EventTraceLogs
description: "Event Trace Logs (by Mark Hallman): Event logs Win7+, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WMI Trace Logs, WMI Trace Logs, SleepStudy Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs"
type: bool
- name: EventTranscriptDB
description: "EventTranscript.db (and other files related to Telemetry and Diagnostic Data) (by Andrew Rathbun and Josh Mitchell): Delivery Optimization Trace Logs, EventTranscript.db, EventTranscript.db"
type: bool
- name: Evernote
description: "Evernote (by Matt Dawson): Microsoft Office Diagnostic Logs, Evernote Accounts, Evernote Notebooks"
type: bool
- name: Everything__VoidTools_
description: "Everything (VoidTools) (by Andrew Rathbun): Evernote Notebook Snippets, Everything (VoidTools), Everything (VoidTools) - Run History, Everything (VoidTools) - Search History"
type: bool
- name: EvidenceOfExecution
description: "Evidence of execution related files (by Eric Zimmerman): Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, PowerShell Transcripts - Observed Location, Prefetch, Rclone Config, RecentFileCache, User startup folders, System-wide startup folder"
type: bool
- name: Exchange
description: "Exchange Log Files (by Keith Twombley): Everything (VoidTools) - .ini file, Exchange Server Modified Compiled Files, Exchange Setup Log file"
type: bool
- name: ExchangeClientAccess
description: "Exchange Client Access Log Files (by Keith Twombley): Everything (VoidTools) - .ini file"
type: bool
- name: ExchangeCve_2021_26855
description: "Exchange Server Vulnerability *.Compiled Files (by Dennis Reneau): Exchange client access log files, Exchange Server Modified Compiled Files, Exchange Server Modified Compiled Files, Exchange Server Modified Compiled Files"
type: bool
- name: ExchangeSetupLog
description: "Exchange Setup Log (by 2thewes): Exchange Server Modified Compiled Files"
type: bool
- name: ExchangeTransport
description: "Exchange Transport Log Files (by Keith Twombley): Exchange Setup Log file"
type: bool
- name: FSecure
description: "F-Secure Antivirus Data (by Drew Ervin): Exchange TransportRoles log files, F-Secure Logs, F-Secure User Logs"
type: bool
- name: FTPClients
description: "FTP Clients (by Andrew Rathbun): Fences - Desktop Screenshots, FileZilla XML Log Files, FileZilla SQLite3 Log Files, FileZilla Server XML Log Files, VSCode Network Persistent State"
type: bool
- name: Fences
description: "Fences (by Andrew Rathbun): F-Secure Scheduled Scan Reports"
type: bool
- name: FileExplorerReplacements
description: "File Explorer Replacements (by Andrew Rathbun): Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Directory Opus, Double Commander - history.xml, Double Commander - doublecmd.xml, Double Commander - FTP Log, Double Commander - multiarc.ini, Double Commander - session.ini, Double Commander - pixmaps.txt, Double Commander - shortcuts.scf, EF Commander - .ini File, Sessionstore XP, Free Commander - FreeCommander.ini, Free Commander - FreeCommander.ftp.ini, Free Commander - FreeCommander.hist.ini, Free Commander - FreeCommander.fav.xml, Free Commander - Backup Settings, Free Commander - FTP Log, Microsoft To Do - User Avatar, Midnight Commander -- All Configuation Files, Multi Commander - Application Folder, Multi Commander - Config Folder, Multi Commander - Log Folder, Multi Commander - UserData Folder, Office Document Cache, One Commander - All Configuration Files, WNS, Q-Dir - .ini File, ScreenConnect Session Database, StartupInfo XML Files, StartupInfo XML Files, Steam Game Image files, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml, SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
type: bool
- name: FileSystem
description: "File system metadata (by Eric Zimmerman): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T"
type: bool
- name: FileZillaClient
description: "FileZilla XML and SQLite Log Files (by Dennis Reneau): Fences - Desktop Screenshots, FileZilla XML Log Files"
type: bool
- name: FileZillaServer
description: "FileZilla Server Logs (by Andrew Rathbun): FileZilla SQLite3 Log Files, FileZilla Server XML Log Files"
type: bool
- name: Firefox
description: "Firefox (by Eric Zimmerman and Andrew Rathbun): FileZilla Log Files, Addons, Bookmarks, Bookmarks, Cookies, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Password, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Password XP, Password XP"
type: bool
- name: FreeCommander
description: "FreeCommander XE (by Andrew Rathbun): Sessionstore XP, Free Commander - FreeCommander.ini, Free Commander - FreeCommander.ftp.ini, Free Commander - FreeCommander.hist.ini, Free Commander - FreeCommander.fav.xml, Free Commander - Backup Settings, Free Commander - FTP Log"
type: bool
- name: FreeDownloadManager
description: "Free Download Manager (by Matt Dawson): Free Commander - FTP Related Information, FDM Database, FDM Backup Info"
type: bool
- name: FreeFileSync
description: "FreeFileSync (by Andrew Rathbun): FDM Database (userdata.zip)"
type: bool
- name: Freenet
description: "Freenet (by Charlie Rubisoff): FreeFileSync, Freenet, Freenet, Freenet, Freenet"
type: bool
- name: FrostWire
description: "FrostWire (by Andrew Rathbun): Freenet, FrostWire Downloads, FrostWire AppData"
type: bool
- name: Gigatribe
description: "Gigatribe Files (by Linus Nissi): FrostWire AppData, Gigatribe Files Windows Vista/7/8/10, Gigatribe Files Windows XP"
type: bool
- name: GoogleDriveBackupSync_UserFiles
description: "Google Backup and Sync Storage Files (by Chad Tilbury): Gigatribe Files Windows XP"
type: bool
- name: GoogleDrive_Metadata
description: "Google Drive Metadata (by Chad Tilbury): Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata"
type: bool
- name: GoogleEarth
description: "Google Earth (by Guus Beckers): Google Drive for Desktop Metadata, Google Earth My Places file, Google Earth My Places Backup file, Google Earth My Places file (XP)"
type: bool
- name: GroupPolicy
description: "Current Group Policy Enforcement (by piesecurity): Google Earth My Places Backup file (XP), Group Policy Files, Computer Group Policy files, User Group Policy files, Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts"
type: bool
- name: HeidiSQL
description: "HeidiSQL (by Hyun Yi @hyuunnn): Local Group Policy Files - Startup/Shutdown Scripts, HeidiSQL Backup files (*.sql)"
type: bool
- name: HexChat
description: "HexChat (by Andrew Rathbun): HeidiSQL (tabs.ini)"
type: bool
- name: HitmanPro
description: "HitmanPro Antivirus Data (by Drew Ervin): HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs"
type: bool
- name: HostsFile
description: "Hosts file (by Max Zabuty): HitmanPro Database"
type: bool
- name: IISConfiguration
description: "IIS (by NVISO (@NVISOsecurity)): HostsFile, IIS applicationHost.config, IIS administration.config, IIS redirection.config"
type: bool
- name: IISLogFiles
description: "IIS Log Files (by Troy Larson): web.config, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files"
type: bool
- name: IRCClients
description: "IRC Clients (by Andrew Rathbun): HeidiSQL (tabs.ini), ITarian, XYplorer - AutoBackup folder, XYplorer - .dat files"
type: bool
- name: ISLOnline
description: "ISLOnline Remote Access Tool (by Thomas Burnette): IIS log files, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration"
type: bool
- name: ITarian
description: "ITarian RMM (by Phill Moore): ISL AlwaysOn - Configuration, ITarian, ITarian, Comodo"
type: bool
- name: IceChat
description: "IceChat (by Andrew Rathbun): ITarian"
type: bool
- name: IconCacheDB
description: "IconCache.db files (by Herbert Bärschneider @SEC Consult): IceChat Chat Logs"
type: bool
- name: Idrive
description: "Idrive Backup Artifacts (by Thomas Burnette): Windows IconCache DB, Idrive Cleanup Operations, Idrive Backup Operations, Idrive Delete Operations, Idrive Restore Operations, Idrive Backup Summary, Idrive Tracefile, Idrive Mapped Drives, Idrive Backup Schedule, Idrive Schedule History, Idrive Configuration, Idrive Local Drives, Idrive Exclusion Configurations, Idrive User Details"
type: bool
- name: ImgBurn
description: "ImgBurn (by Chuck Whitson): Idrive SQL Databse"
type: bool
- name: InternetExplorer
description: "Internet Explorer (by Eric Zimmerman): ImgBurn - Application Log File, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata"
type: bool
- name: IrfanView
description: "IrfanView (by Andrew Rathbun): IE 11 Cookies"
type: bool
- name: JDownloader2
description: "JDownloader 2 (by Matt Dawson): IrfanView Configuration File, JDownloader 2.0 Download Lists, JDownloader 2.0 Link Collector, JDownloader 2.0 General Settings, JDownloader 2.0 Link Grabber Settings"
type: bool
- name: JavaWebCache
description: "Java WebStart Cache - (IDX Files) (by piesecurity): JDownloader 2.0 Proxy Settings, Java WebStart Cache User Level - Default, Java WebStart Cache User Level - IE Protected Mode, Java WebStart Cache System level, Java WebStart Cache System level, Java WebStart Cache System level - IE Protected Mode, Java WebStart Cache System level - IE Protected Mode, Java WebStart Cache System level (SysWow64), Java WebStart Cache System level (SysWow64), Java WebStart Cache System level (SysWow64) - IE Protected Mode, Java WebStart Cache System level (SysWow64) - IE Protected Mode"
type: bool
- name: JumpLists
description: "Jump lists (by Max Zabuty): Java WebStart Cache User Level - XP, JumpLists from CustomDestinations"
type: bool
- name: Kali
description: "Kali on Windows Subsystem for Linux (by Matt Dawson): JumpLists from CustomDestinations, Kali WSL /etc/debian_version, Kali WSL /etc/fstab, Kali WSL /etc/os-release, Kali WSL /etc/passwd, Kali WSL /etc/group, Kali WSL /etc/shadow, Kali WSL /etc/timezone, Kali WSL /etc/hostname, Kali WSL /etc/hosts, Kali WSL /etc/crontab, Kali WSL /etc/bash.bashrc, Kali WSL /etc/profile, Kali WSL .bash_history, Kali WSL .bashrc, Kali WSL .profile, Kali WSL User Crontabs, Kali WSL Apt Logs"
type: bool
- name: KapeTriage
description: "KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files. (by Scott Downie): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG AV Logs, AVG Report Logs, AVG Persistent Logs, AVG FileInfo DB, AVG lsdbj2 JSON, Action1 Client Application logs, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, AppCompat PCA Folder, Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Avast AV Logs (XP), Avast AV Logs, Avast AV User Logs, Avast AV Index, Avast Persistent Data Logs, Avast Icarus Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Box Drive Application Metadata, Box Sync Application Metadata, Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cybereason Application Control and NGAV Logs, Cylance ProgramData Logs, Cylance Optics Logs, Cylance Program Files Logs, DWAgent Log Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder, Dropbox Metadata, ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET Remote Administrator Logs, Local User Quarantine, SYSTEM user quarantine, Edge folder, Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder, Edge Chromium Extension Files, Event logs Win7+, Event logs XP, Event logs Win7+, Exchange TransportRoles log files, F-Secure Logs, F-Secure User Logs, FileZilla Log Files, Addons, Bookmarks, Bookmarks, Cookies, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Password, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Password XP, Password XP, Google Drive Backup and Sync User Files, Google Drive Backup and Sync Metadata, HexChat Chat Logs, HitmanPro Logs, HitmanPro Alert Logs, IIS log files, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, ITarian, Comodo, ImgBurn - Application Log File, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, Kali WSL ext4.vhdx, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Error logging, LogMeIn ProgramData Logs, Macrium Reflect, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, Small Memory Dump directory, MeshAgent .msh (configuration) file, Microsoft OneNote - RecentSearches, Nessus Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, One Commander - Other Configuration Files, OneDrive Metadata Logs, OpenVPN Client Config, Opera - Local Folder, PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell Transcripts - Observed Location, Prefetch, ProtonVPN - Connection Logs, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, Qlik Sense Logs, RDP Cache Files, Windows.old RDP Cache Files, RDP Jumplist Files, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, Radmin Viewer Chats, Rclone Config, RecentFileCache, RECYCLER - WinXP, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, Chrome Trust Tokens, Chrome Trust Tokens, Chrome SyncData Database, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, Windows 10 Notification DB, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files, EventTranscript.db, EventTranscript.db, at SchedLgU.txt, at SchedLgU.txt, XML, ScreenConnect Session Database, ScreenConnect User Config, Slack Storage, Snagit - Captures, Snip & Sketch, Sophos Logs (XP), Sophos Logs, Sophos Logs, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings, SpeedCommander - .ini File, Splashtop Log Files, Splashtop Log Files in ProgramData, User startup folders, System-wide startup folder, Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Syscache transaction files, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml, Tablacus Explorer - window1.xml, TeamViewer Connection Logs, TotalAV Logs, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Total Commander - Frequent Directory Listing, Total Commander - FTP Logs, TreeSize - ScanHistory.XML, Trend Micro Logs, Setupapi.log Win7+, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VLC Recently Opened Files, VLC Recorded Files, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), RealVNC Log, RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, VirtualBox VM configs, VirtualBox VM backup configs, VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD, VHDX, VDI, Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites, SECURITY registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), WindowsIndexSearch, GatherLogs, Network setting files, Windows 10 Notification DB, Windows 10 Notification DB, MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db, Windows Power Diagnostics, DNS Netlogon files, DNS files, DHCP files, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO), Appcompatdb.json, userdata.vhdx, Legacy .rbs files relating to Windows Telemetry and Diagnostics, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State, Zoom plugin (Outlook), eMule Logs and Configuration Files, eMule part.met files, iTunes Backup Folder, iTunes Backup Folder, iTunes Backup Folder - iOS13"
type: bool
- name: Kaseya
description: "Kaseya Data (by Drew Ervin and Andrew Rathbun): Kali WSL ext4.vhdx, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log"
type: bool
- name: Keepass
description: "Keepass (by Vito Alfano): Kaseya Agent Edge Service Logs, Keepass User Config, Keepass Config Xml"
type: bool
- name: KeepassXC
description: "KeepassXC (by Vito Alfano): Keepass Application Details, Keepass Local Ini"
type: bool
- name: LNKFilesAndJumpLists
description: "LNK Files and jump lists (by Eric Zimmerman, Andrew Rathbun, Yogesh Khatri): Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP"
type: bool
- name: Level
description: "Level.io Application Logs (by Andrew Skatoff @DFIR_TNT): LNK Files from C:\ProgramData"
type: bool
- name: LinuxOnWindowsProfileFiles
description: "Linux on Windows Profile Files (by Troy Larson): Level RMM Client Application logs, .bash_history, .bash_logout, .bashrc"
type: bool
- name: LiveUserFiles
description: "Live User Files (by Mark Hallman): .profile, User Files - Desktop, User Files - Documents, User Files - Downloads"
type: bool
- name: LogFiles
description: "LogFiles (includes SUM) (by Fabian Murer): User Files - Dropbox, LogFiles, LogFiles"
type: bool
- name: LogMeIn
description: "LogMeIn Data (by Drew Ervin): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Error logging, LogMeIn ProgramData Logs"
type: bool
- name: MOF
description: "MOF files (WMI) (by Eric Zimmerman): LogMeIn Application Logs"
type: bool
- name: MSSQLErrorLog
description: "MS SQL ErrorLogs (by Troy Larson): MOF files, MS SQL Errorlog"
type: bool
- name: MacriumReflect
description: "Macrium Reflect (by Andrew Rathbun): MS SQL Errorlogs, Macrium Reflect, Macrium Reflect"
type: bool
- name: Malwarebytes
description: "Malwarebytes Data (by Drew Ervin & Kirtan Shah): Macrium Reflect, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs, MalwareBytes Anti-Malware Scan Logs"
type: bool
- name: ManageEngineLogs
description: "ManageEngine Log Files (by Whitney Champion, Phill Moore): MalwareBytes Anti-Malware Scan Results Logs, ManageEngine Desktop Central Log Files"
type: bool
- name: Mattermost
description: "Mattermost (by Andrew Rathbun): ManageEngine ADSelfService Plus Log Files"
type: bool
- name: McAfee
description: "McAfee Log Files (by Sam Smoker): Mattermost - Chat Logs, McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs"
type: bool
- name: McAfee_ePO
description: "McAfee ePO Log Files (by Doug Metz): McAfee VirusScan Logs"
type: bool
- name: MediaMonkey
description: "MediaMonkey (by Andrew Rathbun): McAfee ePO Logs, MediaMonkey - Media SQLite Database"
type: bool
- name: Megasync
description: "MegaSync Data Collection (by Vito Alfano): MediaMonkey - MediaMonkey.ini"
type: bool
- name: MemoryFiles
description: "Memory Files (by Ahmed Elshaer, Teo Kia Meng): MegaSync Folder, hiberfil.sys, pagefile.sys, swapfile.sys, Small Memory Dump directory"
type: bool
- name: MeshAgent
description: "MeshAgent log and configuration files (by Geir Olav Skei, Atea IRT): Small Memory Dump directory, MeshAgent .msh (configuration) file"
type: bool
- name: MessagingClients
description: "Messaging and communication apps (by Gregor Wegberg): Cisco Jabber Database, Discord Cache Files, Discord Local Storage LevelDB Files, HeidiSQL (tabs.ini), ITarian, ManageEngine ADSelfService Plus Log Files, Microsoft Sticky Notes - 1607 and later, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SUM Database (.mdb files), SUPERAntiSpyware Logs, SUSE Linux Enterprise Server WSL /etc/passwd, SUSE Linux Enterprise Server WSL /etc/group, SUSE Linux Enterprise Server WSL /etc/shadow, SUSE Linux Enterprise Server WSL /etc/timezone, SUSE Linux Enterprise Server WSL /etc/hostname, SUSE Linux Enterprise Server WSL /etc/hosts, SUSE Linux Enterprise Server WSL /etc/bash.bashrc, SUSE Linux Enterprise Server WSL /etc/profile, SUSE Linux Enterprise Server WSL .bash_history, SUSE Linux Enterprise Server WSL .bashrc, SUSE Linux Enterprise Server WSL .profile, SUSE Linux Enterprise Server WSL ext4.vhdx, Steam Startup Times Log file, Steam Game Image files, Ubuntu WSL /etc/passwd, Ubuntu WSL /etc/group, Ubuntu WSL /etc/shadow, Ubuntu WSL /etc/timezone, Ubuntu WSL /etc/hostname, VMDK, VSCode Opened Files, VSCode Workspaces, VSCode User extensions, XYplorer - AutoBackup folder, XYplorer - .dat files"
type: bool
- name: MicrosoftOfficeBackstage
description: "Microsoft Office Backstage (by Brian Maloney): MeshAgent log file"
type: bool
- name: MicrosoftOneNote
description: "Microsoft OneNote (by Andrew Rathbun): Microsoft Office Backstage, Microsoft OneNote - FullTextSearchIndex, Microsoft OneNote - RecentNotebooks_SeenURLs, Microsoft OneNote - AccessibilityCheckerIndex, Microsoft OneNote - User NoteTags"
type: bool
- name: MicrosoftSafetyScanner
description: "Microsoft Safety Scanner (by Geir Olav Skei): Microsoft OneNote - RecentSearches"
type: bool
- name: MicrosoftStickyNotes
description: "Microsoft Sticky Notes (by Andrew Rathbun): Windows Safety Scanner Logs, Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier"
type: bool
- name: MicrosoftTeams
description: "Microsoft Teams (by Matt Dawson and Andrew Rathbun): Microsoft Sticky Notes - 1607 and later, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Cache, Microsoft Teams Config"
type: bool
- name: MicrosoftToDo
description: "Microsoft To Do (by Andrew Rathbun): Microsoft Teams Logs (Windows 11), Microsoft To Do - SQLite Database of To Do tasks"
type: bool
- name: MidnightCommander
description: "Midnight Commander (by Andrew Rathbun): Microsoft To Do - User Avatar"
type: bool
- name: MiniTimelineCollection
description: "MFT, Registry and Event Logs to generate a mini timeline (by Mari DeGrazia): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, Event logs Win7+, Event logs XP, Event logs Win7+, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive"
type: bool
- name: MultiCommander
description: "Multi Commander (by Andrew Rathbun): Midnight Commander -- All Configuation Files, Multi Commander - Application Folder, Multi Commander - Config Folder, Multi Commander - Log Folder, Multi Commander - UserData Folder"
type: bool
- name: NETCLRUsageLogs
description: ".NET CLR UsageLogs (by Matias Davaro, Thomas DIOT (Qazeer)): Multi Commander - Log File, .NET CLR UsageLogs (user-scoped)"
type: bool
- name: NGINXLogs
description: "NGINX Log Files (by Eric Capuano): .NET CLR UsageLogs (system-scoped)"
type: bool
- name: NZBGet
description: "NZBGet (by Andrew Rathbun): NGINX Log Files, Usenet Clients - NZBGet Log File"
type: bool
- name: Nessus
description: "Nessus (by Andrew Rathbun): Usenet Clients - NZBGet NZBs, Nessus Logs"
type: bool
- name: NetMonitorforEmployeesProfessional
description: "Net Monitor for Employees Pro (by Tristan PINCEAUX - CERT CWATCH - ALMOND): Nessus Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs"
type: bool
- name: NewsbinPro
description: "Newsbin Pro (by Andrew Rathbun): Net Monitor Client Config"
type: bool
- name: Newsleecher
description: "Newsleecher (by Andrew Rathbun): Usenet Clients - Newsbin Pro"
type: bool
- name: Nicotine__
description: "Nicotine++ (by Andrew Rathbun): Usenet Clients - Newsleecher, Nicotine++ Logs, Nicotine++ Incomplete Downloads, Nicotine++ Buddyfiles.db, Nicotine++ Buddystreams.db, Nicotine++ Buddymtimes.db, Nicotine++ Buddyfileindex.db, Nicotine++ Buddywordindex.db, Nicotine++ Config Files, Nicotine++ User Shares, Nicotine++ Downloads.json"
type: bool
- name: Notepad__
description: "Notepad++ Backups, recently searched/replaced terms and recently opened documents (by Banaanhangwagen and Matt Dawson): Nicotine++ Uploads.json, Notepad++ Unsaved Edits, Notepad++ Config"
type: bool
- name: Notepad
description: "A Target to collect files that are currently open in Notepad (Windows 11+) (by Andrew Rathbun): Notepad++ Session"
type: bool
- name: Notion
description: "Notion Note-Taking App (by Thomas Burnette): Notepad Session Files, Notion Local Storage"
type: bool
- name: OfficeAutosave
description: "Office Autosave (by Russ Taylor): Notion Custom Dictionary, Word Autosave Location, Excel Autosave Location, Powerpoint Autosave Location"
type: bool
- name: OfficeDiagnostics
description: "Office Diagnostics (by teddy-ROxPin): Publisher Autosave Location, Office Diagnostics"
type: bool
- name: OfficeDocumentCache
description: "Office Document Cache (by Banaanhangwagen): Office Elevated Diagnostics"
type: bool
- name: OneCommander
description: "One Commander (by Andrew Rathbun): Office Document Cache, One Commander - All Configuration Files"
type: bool
- name: OneDrive_Metadata
description: "Microsoft OneDrive Storage Metadata (by Chad Tilbury): One Commander - Other Configuration Files, OneDrive Metadata Logs"
type: bool
- name: OneDrive_UserFiles
description: "Microsoft OneDrive Storage Files (by Chad Tilbury): OneDrive Metadata Settings"
type: bool
- name: OpenSSHClient
description: "OpenSSH Client config, known hosts and keys (by Matt Dawson): OneDrive User Files, OpenSSH Config File, OpenSSH Known Hosts, OpenSSH Public Keys, OpenSSH Default RSA Private Key, OpenSSH Default ECDSA Private Key, OpenSSH Default ECDSA-SK Private Key, OpenSSH Default ED25519 Private Key, OpenSSH Default ED25519-SK Private Key"
type: bool
- name: OpenSSHServer
description: "OpenSSH Server Config and Logs (by Matt Dawson): OpenSSH Default DSA Private Key, OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host DSA Key, OpenSSH Host RSA Key, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2"
type: bool
- name: OpenVPNClient
description: "OpenVPN Client Config and Log (by Mathias Frank): OpenSSH Authorized Administrator Keys, OpenVPN Client Config, OpenVPN Client Config"
type: bool
- name: Opera
description: "Opera (by Andrew Rathbun): OpenVPN Client Config, Opera - Local Folder"
type: bool
- name: OutlookPSTOST
description: "Outlook PST and OST files (by Eric Zimmerman and Chad Tilbury): Opera - Roaming Folder, PST XP, OST XP, PST (2013 or 2016), OST (2013 or 2016), PST, OST, NST"
type: bool
- name: P2PClients
description: "P2P Clients (by Andrew Rathbun): DC++ Chat Logs, Freenet, FrostWire Downloads, FrostWire AppData, FrostWire AppData, Gigatribe Files Windows Vista/7/8/10, Gigatribe Files Windows XP, SOFTWARE registry hive, XML, XML, Windows Component-Based Servicing logs, Windows Your Phone - All Databases"
type: bool
- name: PeaZip
description: "PeaZip (by Andrew Rathbun): Outlook Attachment Temporary Storage"
type: bool
- name: PerfLogs
description: "Perflogs Folder Copy (by Vito Alfano): PeaZip Configuration Files"
type: bool
- name: PowerShell7Config
description: "PowerShell 7 Runtime Config (by Andrew Rathbun): Perflogs"
type: bool
- name: PowerShellConsole
description: "PowerShell Console Log File (by Mike Cary, 2thewes, Vikas Singh): PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files"
type: bool
- name: PowerShellTranscripts
description: "PowerShell Transcripts (by Andrew Rathbun and Chad Tilbury): PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location"
type: bool
- name: Prefetch
description: "Prefetch files (by Eric Zimmerman): PowerShell Transcripts - Observed Location, Prefetch"
type: bool
- name: ProgramData
description: "ProgramData Folder Copy (by Vito Alfano): Prefetch"
type: bool
- name: ProgramExecution
description: "Program Execution Triage Collection (by Max Zabuty): Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Java WebStart Cache User Level - XP, JumpLists from CustomDestinations, Multi Commander - Log File, .NET CLR UsageLogs (user-scoped), PowerShell 7 Config JSON, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell ISE - AutoSave Files, PowerShell ISE - User Config, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, Prefetch, Rclone Config, RecentFileCache, User startup folders, System-wide startup folder, VirtualBox VM backup configs, VirtualBox Logs, VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD, VHDX, SECURITY registry hive"
type: bool
- name: ProtonVPN
description: "ProtonVPN (by Andrew Rathbun): ProgramData"
type: bool
- name: PuffinSecureBrowser
description: "Puffin Secure Browser (by Andrew Rathbun): ProtonVPN - Connection Logs, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies"
type: bool
- name: PushNotification
description: "Windows Push Notification Service (by Zawadi Done): Puffin - Image Cache, WNS"
type: bool
- name: Q_Dir
description: "Q-Dir (by Andrew Rathbun): WNS, Q-Dir - .ini File"
type: bool
- name: QFinderPro__QNAP_
description: "QFinderPro (QNAP) (by Andrew Rathbun): Q-Dir - .qdr file"
type: bool
- name: QlikSense
description: "Qlik Sense (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): QFinderPro, Qlik Sense Logs, Qlik Sense Logs, Qlik Sense Logs"
type: bool
- name: RDPCache
description: "RDP Cache Files (by Hadar Yudovich): Qlik Sense Logs, RDP Cache Files, Windows.old RDP Cache Files"
type: bool
- name: RDPJumplist
description: "RDP Jumplist Files (by Vito Alfano): RDP Cache Files"
type: bool
- name: RDPLogs
description: "RDP Logs (by Drew Ervin): RDP Jumplist Files, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs"
type: bool
- name: Radmin
description: "Radmin Server/Viewer Logs and Chats (by Mathias Frank): RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats"
type: bool
- name: RcloneConf
description: "Rclone config file (by Eric Capuano): Radmin Viewer Chats"
type: bool
- name: RecentFileCache
description: "RecentFileCache (by Eric Zimmerman): Rclone Config, RecentFileCache"
type: bool
- name: RecentFolders
description: "Recent Folders LNK files (by Max Zabuty): RecentFileCache, LNK Files from Recent"
type: bool
- name: RecycleBin
description: "Recycle Bin DataAndInfo (by Mark Hallman / Joshua Hickman): LNK Files from Microsoft Office Recent, Recycle Bin - Windows Vista+, Recycle Bin - Windows Vista+, RECYCLER - WinXP, Recycle Bin - Windows Vista+"
type: bool
- name: RecycleBin_DataFiles
description: "Recycle Bin Data Files (by Joshua Hickman, Andreas Hunkeler (@Karneades), Brian Maloney): LNK Files from Microsoft Office Recent, Recycle Bin - Windows Vista+, Recycle Bin - Windows Vista+"
type: bool
- name: RecycleBin_InfoFiles
description: "Recycle Bin Info Files (by Joshua Hickman, Andreas Hunkeler (@Karneades)): RECYCLER - WinXP, Recycle Bin - Windows Vista+"
type: bool
- name: RegistryHives
description: "System and user related Registry hives (by Eric Zimmerman): RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive"
type: bool
- name: RegistryHivesMSIXApps
description: "MSIX/APPX App Hives (by Zach Stanford / Mari DeGrazia): RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive"
type: bool
- name: RegistryHivesOther
description: "Other Registry Hives (by Andrew Rathbun): UserClasses.dat MSIX Hive, BBI registry hive, BBI registry hive, BBI registry transaction files, BBI registry transaction files, BCD-Template registry hive, BCD-Template registry hive, BCD-Template registry transaction files, BCD-Template registry transaction files, COMPONENTS registry hive, COMPONENTS registry hive, COMPONENTS registry transaction files, COMPONENTS registry transaction files, DRIVERS registry hive, DRIVERS registry hive, DRIVERS registry transaction files, DRIVERS registry transaction files, ELAM registry hive, ELAM registry hive, ELAM registry transaction files, ELAM registry transaction files, userdiff registry hive, userdiff registry hive, userdiff registry transaction files, userdiff registry transaction files, VSMIDK registry hive, VSMIDK registry hive, VSMIDK registry transaction files"
type: bool
- name: RegistryHivesSystem
description: "System level/related Registry hives (by Eric Zimmerman / Mark Hallman): VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files"
type: bool
- name: RegistryHivesUser
description: "User Related Registry hives (by Eric Zimmerman / Mark Hallman): System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive"
type: bool
- name: RemoteAdmin
description: "Composite target for files related to remote administration tools (by Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore): Action1 Client Application logs, Ammyy Program Data, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - ProgramData - *.conf, AnyDesk Videos, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Chat Logs - User Profile, Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, DWAgent Log Files, IIS log files, ISLOnline Logs - Sessions - *.out, ISLOnline Logs - Session Configurations, ISL AlwaysOn Logs - Sessions List, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn - App Logs, ISL Light Logs - Sessions, ISL AlwaysOn - Email Configuration, ISL AlwaysOn - Configuration, ITarian, ITarian, Comodo, Kali WSL ext4.vhdx, Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, Error logging, LogMeIn ProgramData Logs, Small Memory Dump directory, MeshAgent .msh (configuration) file, Nessus Logs, Net Monitor Server Logs, Net Monitor Server Data, Net Monitor Server Config, Net Monitor Server Temp Folder, Net Monitor Client Logs, Qlik Sense Logs, RDP Cache Files, Windows.old RDP Cache Files, RDP Jumplist Files, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Log, Radmin Server 64bit Log, Radmin Server 32bit Chats, Radmin Server 64bit Chats, UsrClass.dat registry transaction files, RemoteUtilities Connection Logs, Chrome Trust Tokens, Chrome SyncData Database, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files, ScreenConnect Session Database, ScreenConnect User Config, Slack Storage, Snagit - Captures, Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files, Tablacus Explorer - window1.xml, TeamViewer Connection Logs, TotalAV Logs, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal, Setupapi.log Win7+, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab, SYSTEM registry hive (RegBack), DHCP files, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO), Appcompatdb.json, userdata.vhdx, Legacy .rbs files relating to Windows Telemetry and Diagnostics, Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State"
type: bool
- name: RemoteUtilities_app
description: "Remote Utilities (by Ryan McVicar): UsrClass.dat registry transaction files, RemoteUtilities Connection Logs"
type: bool
- name: RoamingProfile
description: "User Related Registry Hives, LNK files, etc (by Scott Downie): RemoteUtilities Install Log, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, LNK Files, Desktop LNK Files, Word Autosave Location, Publisher Autosave Location, Excel Autosave Location, PowerPoint Autosave Location, Publisher Autosave Location, Office Document Cache, Office Document Cache, Chrome bookmarks, Chrome bookmarks, Chrome Cookies, Chrome Cookies, Chrome Current Session, Chrome Current Session, Chrome Current Tabs, Chrome Current Tabs, Chrome Download Metadata, Chrome Download Metadata, Chrome Extension Cookies, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons, Chrome History, Chrome History, Chrome Last Session, Chrome Last Session, Chrome Last Tabs, Chrome Last Tabs, Chrome Sessions Folder, Chrome Sessions Folder, Chrome Login Data, Chrome Login Data, Chrome Media History, Chrome Media History"
type: bool
- name: Robo_FTP
description: "Robo-FTP (by Thomas Burnette): Chrome Network Action Predictor, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences, Chrome Quota Manager, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Shortcuts, Chrome Top Sites, Chrome Top Sites"
type: bool
- name: RogueKiller
description: "RogueKiller Anti-Malware (by Adlice Software) (by Drew Ervin): Chrome Trust Tokens"
type: bool
- name: RustDesk
description: "RustDesk (by Andrew Rathbun): Chrome Trust Tokens, Chrome SyncData Database"
type: bool
- name: SABnbzd
description: "SABnbzd (by Andrew Rathbun): Chrome SyncData Database, Chrome Visited Links"
type: bool
- name: SCCMClientLogs
description: "SCCM Client Log Files (by Andrew Rathbun): Chrome Visited Links"
type: bool
- name: SDB
description: "Shim SDB FIles (by Troy Larson): Chrome Web Data, Chrome Web Data, Windows Protect Folder, Windows Protect Folder"
type: bool
- name: SOFELK
description: "SOF-ELK related files of interest (by Tony Knutson and Andrew Rathbun): $Boot, $J, $Max, $J, $Max, $LogFile, $MFT, $SDS, $SDS, $T, $T, Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Event logs Win7+, Event logs XP, Event logs Win7+, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, PowerShell Transcripts - Observed Location, Prefetch, Rclone Config, RecentFileCache, User startup folders, System-wide startup folder"
type: bool
- name: SQLiteDatabases
description: "SQLDatabases Target for use with SQLECmd Module (by Andrew Rathbun): Edge folder, Edge folder, Amcache, Amcache transaction files, LNK Files from Recent, LNK Files from Recent, LNK Files from Microsoft Office Recent, LNK Files from Microsoft Office Recent, Robo-FTP User Scripts, Robo-FTP User Debug Logs, Robo-FTP User Script/Trace Logs, Robo-FTP User XML Config, Robo-FTP User SSH Keys, Robo-FTP User SSL Certificates, Robo-FTP User PGP Keys, Robo-FTP SSH Keys, Robo-FTP SSL Certificates, Robo-FTP PGP Keys, Robo-FTP Debug Logs, Robo-FTP Script/Trace Logs, Robo-FTP XML Config, Robo-FTP Jobs, RogueKiller Reports, RustDesk logs, RustDesk logs, Usenet Clients - SABnzbd Download Logs, Usenet Clients - SABnzbd History.db, SCCM Client Log Files, SDB Files, SDB Files, SDB Files x64, SDB Files x64, 4K Video Downloader, Microsoft OneNote - FullTextSearchIndex, Microsoft OneNote - RecentNotebooks_SeenURLs, Microsoft OneNote - AccessibilityCheckerIndex, Microsoft OneNote - User NoteTags, Microsoft OneNote - RecentSearches, Microsoft Sticky Notes - 1607 and later, Microsoft To Do - SQLite Database of To Do tasks, Robo-FTP Jobs, TeraCopy - History Databases, TeraCopy - Main Database, Notion Local Storage, IDrive Backed Up Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Google File Stream Metadata, Google File Stream Metadata, Google File Stream Metadata, Google File Stream Metadata, FileZilla SQLite3 Log Files, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs"
type: bool
- name: SRUM
description: "System Resource Usage Monitor (SRUM) Data (by Mark Hallman): Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History"
type: bool
- name: SUM
description: "SUM Database (by Andrew Rathbun): Edge Network Action Predictor"
type: bool
- name: SUPERAntiSpyware
description: "SUPERAntiSpyware Data (by Drew Ervin): Edge Preferences"
type: bool
- name: SUSELinuxEnterpriseServer
description: "SUSE Linux Enterprise Server on Windows Subsystem for Linux (by Matt Dawson): Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Addons, Bookmarks, Cookies, Cookies, Downloads, Favicons, Form history, Permissions, Places"
type: bool
- name: ScheduledTasks
description: "Scheduled tasks (*.job and XML) (by Eric Zimmerman, Reece394): Protections, Search, Signons, Storage Sync, Webappstore, Windows 10 Notification DB, Windows 10 Notification DB, Zoom plugin (Outlook), eMule Logs and Configuration Files, eMule part.met files, iTunes Backup Folder, iTunes Backup Folder, iTunes Backup Folder - iOS13"
type: bool
- name: ScreenConnect
description: "ScreenConnect Data (now known as ConnectWise Control) (by Drew Ervin): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, ActivitiesCache.db, Update Store.db, Bitdefender SQLite DB Files"
type: bool
- name: SecureAge
description: "SecureAge Antivirus Logs (by Andrew Rathbun): EventTranscript.db"
type: bool
- name: SentinelOne
description: "Sentinel One Logs (by Kirtan Shah): EventTranscript.db"
type: bool
- name: ServerTriage
description: "A compound target for gathering artifacts common to servers. (by Eric Capuano): Apache Access Log, Confluence Wiki Log Files, Confluence Wiki Log Files, Everything (VoidTools) - .ini file, Exchange Server Modified Compiled Files, Exchange Setup Log file, FileZilla SQLite3 Log Files, FileZilla Server XML Log Files, web.config, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, MOF files, MS SQL Errorlog, MalwareBytes Anti-Malware Scan Results Logs, ManageEngine Desktop Central Log Files, .NET CLR UsageLogs (system-scoped), OpenSSH Default DSA Private Key, OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host DSA Key, OpenSSH Host RSA Key, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2"
type: bool
- name: Session
description: "Session Desktop (by Vito Alfano): SRUM"
type: bool
- name: ShareX
description: "ShareX (by Andrew Rathbun): SRUM"
type: bool
- name: Shareaza
description: "Shareaza (by Andrew Rathbun): SOFTWARE registry hive"
type: bool
- name: SiemensTIA
description: "Copy Siemens TIA Settings (by Olaf Schwarz (@b00010111)): SOFTWARE registry hive"
type: bool
- name: Signal
description: "Signal (Please view this tkape file for documentation on decryption!) (by Matt Dawson): SOFTWARE registry transaction files, SOFTWARE registry transaction files, SUM Database (.mdb files), SUPERAntiSpyware Logs"
type: bool
- name: SignatureCatalog
description: "Obtain detached signature catalog files (by Mike Pilkington): SUSE Linux Enterprise Server WSL /etc/os-release, SUSE Linux Enterprise Server WSL /etc/fstab"
type: bool
- name: Skype
description: "Skype (by Eric Zimmerman, Matt Dawson): SUSE Linux Enterprise Server WSL /etc/passwd, SUSE Linux Enterprise Server WSL /etc/group, SUSE Linux Enterprise Server WSL /etc/shadow, SUSE Linux Enterprise Server WSL /etc/timezone, SUSE Linux Enterprise Server WSL /etc/hostname, SUSE Linux Enterprise Server WSL /etc/hosts, SUSE Linux Enterprise Server WSL /etc/bash.bashrc"
type: bool
- name: Slack
description: "Slack (by Andrew Rathbun and Chad Tilbury): SUSE Linux Enterprise Server WSL /etc/profile, SUSE Linux Enterprise Server WSL .bash_history, SUSE Linux Enterprise Server WSL .bashrc, SUSE Linux Enterprise Server WSL .profile, SUSE Linux Enterprise Server WSL ext4.vhdx"
type: bool
- name: Snagit
description: "Snagit (by Andrew Rathbun): at .job"
type: bool
- name: SnipAndSketch
description: "Snip & Sketch Cached Images (by Kevin Pagano): at .job"
type: bool
- name: Sophos
description: "Sophos Data (by Drew Ervin, Reece394): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, at SchedLgU.txt, at SchedLgU.txt, XML"
type: bool
- name: Soulseek
description: "Soulseek (by Andrew Rathbun): XML, XML"
type: bool
- name: SpeedCommander
description: "SpeedCommander (by Andrew Rathbun): ScreenConnect Session Database"
type: bool
- name: Splashtop
description: "Splashtop (by Andrew Rathbun, Yogesh Khatri): ScreenConnect Session Database, ScreenConnect User Config"
type: bool
- name: StartupFolders
description: "Startup Folders (by Jason Ballard): SecureAge Antvirus Logs, SentinelOne EDR Log"
type: bool
- name: StartupInfo
description: "StartupInfo XML Files (by Hadar Yudovich): Session App Folder, ShareX"
type: bool
- name: Steam
description: "Steam (by Nisarg Suthar, SolitudePy): Shareaza Logs, Siemens TIA Settings, Signal Attachments cache, Signal Logs, Signal config.json, Signal Database, SignatureCatalog, SignatureCatalog, main.db (App <v12), skype.db (App +v12), main.db XP, main.db Win7+"
type: bool
- name: SublimeText
description: "Sublime Text 2/3/4 Auto Save Session (by Mathias Frank and Nisarg Suthar): s4l-[username].db (App +v8), leveldb (Skype for Desktop +v8)"
type: bool
- name: SugarSync
description: "SugarSync (by Andrew Rathbun): Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack LevelDB Files"
type: bool
- name: SumatraPDF
description: "SumatraPDF (by Andrew Rathbun): Slack Electron Logs, Slack Cache"
type: bool
- name: SupremoRemoteDesktop
description: "Supremo Remote Desktop Control Logs (by epoxigen): Slack Storage, Snagit - Captures"
type: bool
- name: Symantec_AV_Logs
description: "Symantec AV Logs (by Brian Maloney): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Snip & Sketch, Sophos Logs (XP), Sophos Logs, Sophos Logs, Soulseek Chat Logs, Soulseek Search History/Shared Folders/Settings, SpeedCommander - .ini File, Splashtop Log Files, Splashtop Log Files in ProgramData"
type: bool
- name: Syscache
description: "syscache.hve (by Phill Moore): User startup folders, System-wide startup folder"
type: bool
- name: TablacusExplorer
description: "Tablacus Explorer (by Andrew Rathbun): StartupInfo XML Files, StartupInfo XML Files, Steam Game Image files"
type: bool
- name: TeamViewerLogs
description: "TeamViewer Logs (by Hadar Yudovich, Sam Smoker): Steam Login Metadata file, Steam Friend List and Username History file, Steam User Avatar files, Steam Game Tray Icon files"
type: bool
- name: Telegram
description: "Telegram Desktop (by Simone Marinari): Steam Startup Times Log file, Steam Game Image files"
type: bool
- name: TeraCopy
description: "TeraCopy log history (by Kevin Pagano): Steam Login Metadata file"
type: bool
- name: ThumbCache
description: "Thumbcache DB (by Eric Zimmerman): Steam Friend List and Username History file"
type: bool
- name: Thunderbird
description: "Mozilla Thunderbird Email Client (by Matt Dawson): Steam User Avatar files, Steam Game Tray Icon files, Steam Startup Times Log file, SublimeText 2/3 Auto Save Session, SublimeText 4 Auto Save Session, SugarSync Log File, SugarSync - Shared Folders (Default Location), SugarSync - My SugarSync (Default Location), SumatraPDF Settings - SessionData, SumatraPDF Cache, Supremo Connection Logs"
type: bool
- name: TorrentClients
description: "Torrent Clients (by Andrew Rathbun): TorrentClients - BitTorrent, Zoho Assist log files in Program Files*, Zoho Assist .conf files in Program Files*, Zoho Assist .txt files in Program Files*, Zoom client logs, Zoom client logs (Windows XP)"
type: bool
- name: Torrents
description: "Torrent Files (by Tony Knutson): Supremo File Transfer Inbox"
type: bool
- name: TotalAV
description: "TotalAV Antivirus Data (by Kirtan Shah): Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs"
type: bool
- name: TotalCommander
description: "Total Commander (by Andrew Rathbun, Jessica Venturo and Chuck Whitson): Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection Quarantine, ccSubSDK Database, registrationInfo.xml"
type: bool
- name: TreeSize
description: "TreeSize - Scan History (by Andrew Rathbun): Syscache"
type: bool
- name: TrendMicro
description: "Trend Micro Data (by Drew Ervin): Syscache transaction files, Tablacus Explorer - remember.xml, Tablacus Explorer - window.xml"
type: bool
- name: UEMS
description: "UEMS Manage Engine Agent (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): Tablacus Explorer - window1.xml, TeamViewer Connection Logs"
type: bool
- name: USBDetective
description: "Collects files that can be input into USB Detective for parsing (by Kevin Pagano): Amcache, Amcache, Amcache transaction files, Amcache transaction files, Event logs Win7+, Event logs XP, Event logs Win7+, Keepass Roaming Ini, LNK Files from Recent, LNK Files from Microsoft Office Recent, Start Menu LNK Files, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, RECYCLER - WinXP, Registry.dat MSIX Hive, User.dat MSIX Hive, VSMIDK registry transaction files, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files"
type: bool
- name: USBDevicesLogs
description: "USB devices log files (by Eric Zimmerman, esecrpm): TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files"
type: bool
- name: Ubuntu
description: "Ubuntu on Windows Subsystem for Linux (by Matt Dawson): Telegram app folder, Telegram downloaded files, TeraCopy, Thumbcache DB, Mozilla Thunderbird Install Date, Mozilla Thunderbird Profiles.ini, Mozilla Thunderbird prefs.js, Mozilla Thunderbird Global Messages Database, Mozilla Thunderbird logins.json, Mozilla Thunderbird places.sqlite, Mozilla Thunderbird ImapMail INBOX, Mozilla Thunderbird Mail INBOX, Mozilla Thunderbird Calendar Data, Mozilla Thunderbird Attachments, Mozilla Thunderbird Address Book, Torrents, TotalAV Logs"
type: bool
- name: Ultraviewer
description: "UltraViewer (by Ryan McVicar, Sam Smoker): TotalAV Logs, Total Commander - .ini File, Total Commander - Log File, Total Commander - Temp Files Created During Folder Traversal"
type: bool
- name: Usenet
description: "Usenet (NZB) Files (by Andrew Rathbun): Total Commander - FTP .ini File"
type: bool
- name: UsenetClients
description: "Usenet Clients (by Andrew Rathbun): NGINX Log Files, Usenet Clients - NZBGet Log File, Net Monitor Client Config, Usenet Clients - Newsbin Pro, Chrome SyncData Database, Chrome Visited Links"
type: bool
- name: UsersFolders
description: "Users folders Dump (by Vito Alfano): Total Commander - File Tree"
type: bool
- name: VIPRE
description: "VIPRE Data (by Drew Ervin): Total Commander - Frequent Directory Listing, Total Commander - FTP Logs, TreeSize - ScanHistory.XML, Trend Micro Logs"
type: bool
- name: VLC_Media_Player
description: "VLC Media Player (by Matt Dawson): Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs"
type: bool
- name: VMware
description: "Runs all VMware modules to collect VMware VM config files, logs and Virtual Hard Disks (by Matt Dawson): Unified endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine, Setupapi.log XP, Setupapi.log Win7+, Ubuntu WSL .profile, Ubuntu WSL User Crontabs, Ubuntu WSL Apt Logs, Ubuntu WSL ext4.vhdx"
type: bool
- name: VMwareInventory
description: "VMware - Virtual Machine Inventory (by Andrew Rathbun): Unified endpoint management and security solutions from ManageEngine"
type: bool
- name: VMwareMemory
description: "VMware - Virtual Machine Memory (by Andrew Rathbun): Unified endpoint management and security solutions from ManageEngine, Setupapi.log XP, Setupapi.log Win7+"
type: bool
- name: VNCLogs
description: "VNC Logs (by Phill Moore): Application Event Log XP, Application Event Log XP, Application Event Log Win7+, Application Event Log Win7+, Setupapi.log Win7+, Ubuntu WSL /etc/os-release, Ubuntu WSL /etc/fstab"
type: bool
- name: Viber
description: "ViberPC Messaging App (by Matt Dawson): Ubuntu WSL /etc/passwd, Ubuntu WSL /etc/group, Ubuntu WSL /etc/shadow, Ubuntu WSL /etc/timezone, Ubuntu WSL /etc/hostname"
type: bool
- name: VirtualBox
description: "Runs all VirtualBox modules to collect Virtualbox VM config files, logs and Virtual Hard Disks (by Matt Dawson): Ubuntu WSL /etc/hosts, Ubuntu WSL /etc/crontab, Ubuntu WSL /etc/bash.bashrc, Ubuntu WSL /etc/profile, Ubuntu WSL .bash_history, Ubuntu WSL .bashrc, Ubuntu WSL .profile, Ubuntu WSL User Crontabs, Ubuntu WSL Apt Logs, Ubuntu WSL ext4.vhdx"
type: bool
- name: VirtualBoxConfig
description: "Collects VirtualBox configuration files (by Matt Dawson): Ubuntu WSL /etc/hosts, Ubuntu WSL /etc/crontab"
type: bool
- name: VirtualBoxLogs
description: "Collects VirtualBox log files (by Matt Dawson): Ubuntu WSL /etc/bash.bashrc, Ubuntu WSL /etc/profile, Ubuntu WSL .bash_history"
type: bool
- name: VirtualBoxMemory
description: "VirtualBox - Memory (by Andrew Rathbun): Ubuntu WSL .bashrc"
type: bool
- name: VirtualDisks
description: "Virtual Disks (by Phill Moore): Ubuntu WSL .profile, Ubuntu WSL User Crontabs, Ubuntu WSL Apt Logs, Ubuntu WSL ext4.vhdx"
type: bool
- name: VisualStudioCode
description: "Visual Studio Code artifacts (by Sebastian Søgaard): UltraViewer User Logs, UltraViewer System Logs, UltraViewer Service Log, UltraViewer Connection Log, Usenet (NZB) Files, Users, VIPRE Business Agent Logs, VIPRE Business User Logs (v7+)"
type: bool
- name: Vivaldi
description: "Vivaldi Artifacts (by Sebastian Søgaard): VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VLC Recently Opened Files, VLC Recorded Files, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), RealVNC Log, RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, VirtualBox VM configs"
type: bool
- name: WBEM
description: "Web-Based Enterprise Management (WBEM) (by Mark Hallman): VirtualBox VM backup configs, VirtualBox Logs"
type: bool
- name: WER
description: "Windows Error Reporting (by Troy Larson): VirtualBox Backup Logs, VirtualBox Hardening Logs, VirtualBox, VHD, VHDX"
type: bool
- name: WSL
description: "All Windows Subsystem for Linux targets (by Matt Dawson): Debian WSL /etc/debian_version, Debian WSL /etc/fstab, Debian WSL /etc/os-release, Debian WSL /etc/passwd, Debian WSL /etc/group, Debian WSL /etc/shadow, Debian WSL /etc/timezone, Debian WSL /etc/hostname, Debian WSL /etc/hosts, Debian WSL /etc/crontab, Debian WSL /etc/bash.bashrc, Debian WSL /etc/profile, Debian WSL .bash_history, Debian WSL .bashrc, Debian WSL .profile, Debian WSL User Crontabs, Debian WSL Apt Logs, Debian WSL ext4.vhdx, JumpLists from CustomDestinations, Kali WSL /etc/debian_version, Kali WSL /etc/fstab, Kali WSL /etc/os-release, Kali WSL /etc/passwd, Kali WSL /etc/group, Kali WSL /etc/shadow, Kali WSL /etc/timezone, Kali WSL /etc/hostname, Kali WSL /etc/hosts, Kali WSL /etc/crontab, Kali WSL /etc/bash.bashrc, Kali WSL /etc/profile, Kali WSL .bash_history, Kali WSL .bashrc, Kali WSL .profile, Kali WSL User Crontabs, Kali WSL Apt Logs, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Addons, Bookmarks, Cookies, Cookies, Downloads, Favicons, Form history, Permissions, Places, Telegram app folder, Telegram downloaded files, TeraCopy, Thumbcache DB, Mozilla Thunderbird Install Date, Mozilla Thunderbird Profiles.ini, Mozilla Thunderbird prefs.js, Mozilla Thunderbird Global Messages Database, Mozilla Thunderbird logins.json, Mozilla Thunderbird places.sqlite, Mozilla Thunderbird ImapMail INBOX, Mozilla Thunderbird Mail INBOX, Mozilla Thunderbird Calendar Data, Mozilla Thunderbird Attachments, Mozilla Thunderbird Address Book, Torrents, TotalAV Logs, Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, Zoho Assist log files in AppData\Local"
type: bool
- name: WebBrowsers
description: "Web browser history, bookmarks, etc. (by Eric Zimmerman): Bookmarks, Cookies, Current Session, Current Tabs, Download Metadata, Favicons, History, Sessions Folder, Login Data, Network Action Predictor, Network Persistent State, Preferences, Quota Manager, Reporting and NEL, Shortcuts, Publisher Info DB/Brave Rewards, Top Sites, Visited Links, Web Data, Secure Preferences, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Session XP, Chrome Current Tabs XP, Chrome Favicons XP, Chrome History XP, Chrome Last Session XP, Chrome Last Tabs XP, Chrome Login Data XP, Chrome Preferences XP, Chrome Shortcuts XP, Chrome Top Sites XP, Chrome Visited Links XP, Chrome Web Data XP, Chrome bookmarks, Chrome Cookies, Chrome Current Session, Chrome Current Tabs, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome History, Chrome Last Session, Chrome Last Tabs, Chrome Sessions Folder, Chrome Login Data, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Shortcuts, Chrome Top Sites, Chrome Trust Tokens, Chrome SyncData Database, Chrome Visited Links, Chrome Web Data, Windows Protect Folder, Chrome Snapshots Folder, SYSTEM Chrome History, Edge folder, Edge bookmarks, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Sessions Folder, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Shortcuts, Edge Top Sites, Edge SyncData Database, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Windows Protect Folder, FileZilla Log Files, Addons, Bookmarks, Bookmarks, Cookies, Cookies, Downloads, Extensions, Favicons, Form history, Permissions, Places, Protections, Search, Signons, Storage Sync, Webappstore, Password, Password, Password, Preferences, Sessionstore, Sessionstore Folder, Places XP, Downloads XP, Form history XP, Cookies XP, Signons XP, Webappstore XP, Favicons XP, Addons XP, Search XP, Password XP, Password XP, Password XP, ImgBurn - Application Log File, Index.dat History, Index.dat History subdirectory, Index.dat cookies, Index.dat UserData, Index.dat Office XP, Index.dat Office, Local Internet Explorer folder, Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, OpenVPN Client Config, Opera - Local Folder, ProtonVPN - Connection Logs, Puffin - data.db, Puffin - Autocomplete Data, Puffin - Password Forms Data, Puffin - Password (Encrypted), Puffin - Subscription Data, Puffin - Cookies, VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VLC Recently Opened Files, VLC Recorded Files, VMware - Virtual Machine Inventory, VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), VMware (Fusion/Workstation/Server/Player), RealVNC Log, RealVNC Log, TightVNC Application Logs, Viber Config Database, Viber Users Data Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Thumbnails Cache, VirtualBox VM configs, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), WindowsIndexSearch, GatherLogs, Network setting files, Windows 10 Notification DB, Windows 10 Notification DB, MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db, Windows Power Diagnostics, DNS Netlogon files, DNS files"
type: bool
- name: WebServers
description: "Logs from all known web server applications and supporting services (by Eric Capuano): Apache Access Log, web.config, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, MOF files, MS SQL Errorlog, .NET CLR UsageLogs (system-scoped)"
type: bool
- name: Webroot
description: "Webroot Antivirus (by Drew Ervin): VDI"
type: bool
- name: WhatsApp
description: "WhatsApp Local Files (by Matt Dawson, SolitudePy): VMDK, VSCode Opened Files, VSCode Workspaces, VSCode User extensions"
type: bool
- name: WhatsApp_Media
description: "WhatsApp Shared Media Files (by SolitudePy): VSCode User settings, VSCode User Preferences"
type: bool
- name: WinDefendDetectionHist
description: "Windows Defender Threat DetectionHistory files (by Jordan Klepser): VSCode Network Cookies"
type: bool
- name: WinSCP
description: "WinSCP (by Andrew Rathbun): VSCode Network Persistent State"
type: bool
- name: WindowsCopilotRecall
description: "Windows Copilot+ Recall (by Zach Stanford/Phill Moore): VSCode Logs"
type: bool
- name: WindowsDefender
description: "Windows Defender Data (by Drew Ervin): Vivaldi Cookies, Vivaldi Network Persistent State, Vivaldi Favicons, Vivaldi History, Vivaldi Sessions Folder, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Preferences, Vivaldi Top Sites"
type: bool
- name: WindowsFirewall
description: "Windows Firewall Logs (by Mike Cary): Vivaldi Bookmarks, Vivaldi Visited Links"
type: bool
- name: WindowsHello
description: "Windows Hello (by Kevin Pagano): Vivaldi Web Data, Vivaldi User Tracking, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Notes, Vivaldi Download Metadata, WBEM, WBEM, WER Files, WER Files, Crash Dumps, Crash Dumps, Crash Dumps, Webroot Program Data, WhatsApp Cache, WhatsApp Local Storage, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, Microsoft Store WhatsApp Desktop Profile Pictures, Microsoft Store WhatsApp Shared Media, DetectionHistory, WinSCP (.ini file), Recall folder"
type: bool
- name: WindowsIndexSearch
description: "Windows Index Search (by Mark Hallman): Windows Defender Logs, Windows Defender Event Logs"
type: bool
- name: WindowsNetwork
description: "Windows Networks settings (by Zawadi Done): Windows Defender Event Logs"
type: bool
- name: WindowsNotificationsDB
description: "Windows 10 Notification DB (by Hadar Yudovich): Windows Defender Logs, Windows Defender Logs"
type: bool
- name: WindowsOSUpgradeArtifacts
description: "Windows OS Upgrade Artifacts (by Andrew Rathbun): Windows Defender Logs, DetectionHistory, Windows Defender Quarantine, Windows Defender Detections.log, Windows Firewall Logs"
type: bool
- name: WindowsPowerDiagnostics
description: "Windows Power Diagnostics (by Andrew Rathbun): Windows Firewall Logs"
type: bool
- name: WindowsServerDNSAndDHCP
description: "Windows Server DNS and DHCP log files (by Zawadi Done): Cryptokeys, Masterkey, NGC"
type: bool
- name: WindowsSubsystemforAndroid
description: "Windows Subsystem for Android (WSA) (by Andrew Rathbun): SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files"
type: bool
- name: WindowsTelemetryDiagnosticsLegacy
description: "Legacy Windows Telemetry and Diagnostics files (*.rbs) (by Andrew Rathbun and Josh Mitchell): SYSTEM registry transaction files, SECURITY registry hive"
type: bool
- name: WindowsTimeline
description: "ActivitiesCache.db collector (by Lee Whitfield, Thomas DIOT (Qazeer)): SECURITY registry hive"
type: bool
- name: WindowsUpdate
description: "Windows Update Logs (by Rick van Dreunen): SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive"
type: bool
- name: WindowsYourPhone
description: "Windows Your Phone (by Andrew Rathbun): SYSTEM registry hive"
type: bool
- name: XPRestorePoints
description: "XP Restore Points - System Volume Information directory (by Phill Moore): SECURITY registry hive (RegBack)"
type: bool
- name: XYplorer
description: "XYplorer (by Andrew Rathbun): SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack)"
type: bool
- name: Xeox
description: "Xeox Application Logs (by Andrew Skatoff @DFIR_TNT): SYSTEM registry hive (RegBack)"
type: bool
- name: Yandex
description: "Yandex Artifacts (by Sebastian Søgaard): SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), WindowsIndexSearch, GatherLogs, Network setting files, Windows 10 Notification DB, Windows 10 Notification DB, MigLog.xml, Setupact.log, HumanReadable.xml, FolderMoveLog.txt, Update Store.db, Windows Power Diagnostics, DNS Netlogon files, DNS files"
type: bool
- name: ZohoAssist
description: "Zoho Assist artifacts (by Andrew Rathbun): DHCP files, Diagnostic Logs for WSA, App download artifacts (PNG), App download artifacts (ICO), Appcompatdb.json, userdata.vhdx, Legacy .rbs files relating to Windows Telemetry and Diagnostics"
type: bool
- name: Zoom
description: "Zoom client artifacts (by Ryan McVicar): Legacy .rbs files relating to Windows Telemetry and Diagnostics, ActivitiesCache.db, Windows Update Session Orchestrator logs, Windows Update logs"
type: bool
- name: eMule
description: "eMule (by Fábio Melo Pfeifer): Windows Component-Based Servicing logs, Windows Your Phone - All Databases"
type: bool
- name: iTunesBackup
description: "iTunes Backups (by Tony Knutson): System Volume Information, XYplorer - .ini file, XYplorer - .ini file for each respective pane"
type: bool
- name: mIRC
description: "mIRC (by Andrew Rathbun): XYplorer - AutoBackup folder, XYplorer - .dat files"
type: bool
- name: mRemoteNG
description: "mRemoteNG (by Markus Einarsson (@einarssonm)): Xeox RMM Client Application logs, Yandex Cookies, Yandex Network Persistent State"
type: bool
- name: openSUSE
description: "openSUSE on Windows Subsystem for Linux (by Matt Dawson): Yandex Favicons, Yandex History, Yandex Sessions Folder, Yandex Login Data, Yandex Network Action Predictor, Yandex Preferences, Yandex Top Sites, Yandex Bookmarks, Yandex Visited Links, Yandex Web Data, Yandex Autofill data, Yandex Passman logs, Yandex Shortcuts, Zoho Assist log files in AppData\Local"
type: bool
- name: pCloudDatabase
description: "pCloud Database (by Josh Hickman): Zoho Assist .conf files in AppData\Local, Zoho Assist log files in ProgramData, Zoho Assist .conf files"
type: bool
- name: qBittorrent
description: "qBittorrent (by Banaanhangwagen): Zoho Assist log files in Program Files*, Zoho Assist .conf files in Program Files*, Zoho Assist .txt files in Program Files*, Zoom client logs"
type: bool
- name: uTorrent
description: "uTorrent (by Banaanhangwagen): Zoom client logs (Windows XP)"
type: bool
- name: KapeRules
type: hidden
description: A CSV file controlling the different Kape Target Rules
default: |
Id,Name,Category,Glob,Accessor,Comment
1,$Boot,FileSystem,$Boot,ntfs,
2,$J,FileSystem,$Extend\$UsnJrnl:$J,ntfs,
3,$Max,FileSystem,$Extend\$UsnJrnl:$Max,ntfs,
4,$J,FileSystem,$Extend\$J,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
5,$Max,FileSystem,$Extend\$Max,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
6,$LogFile,FileSystem,$LogFile,ntfs,
7,$MFT,FileSystem,$MFT,ntfs,
8,$MFTMirr,FileSystem,$MFTMirr,ntfs,$MFTMirr is a redundant copy of the first four (4) records of the MFT.
9,$SDS,FileSystem,$Secure:$SDS,ntfs,
10,$SDS,FileSystem,$Secure_$SDS,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
11,$T,FileSystem,$Extend\$RmMetadata\$TxfLog\$Tops:$T,ntfs,
12,$T,FileSystem,$Extend\$RmMetadata\$TxfLog\$T,ntfs,This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed
13,1Password Database,Apps,Users\*\AppData\Local\1password\data\1Password10.sqlite,lazy_ntfs,"Database which holds information about 1Password installation, such as accounts, categories, settings and more"
14,1Password Backup Databases,Apps,Users\*\AppData\Local\1password\backups\1Password10.sqlite,lazy_ntfs,Backups of 1Password Database
15,1Password Logs,Apps,Users\*\AppData\Local\1password\logs\*.log,lazy_ntfs,Log of usage of 1Password - can be useful for identifying periods of user activity
16,4K Video Downloader,Apps,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
17,4K Video Downloader+,Apps,Users\*\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
18,AVG AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\log\**10,lazy_ntfs,
19,AVG AV Report Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\report\**10,lazy_ntfs,
20,AVG AV Logs,Antivirus,ProgramData\AVG\Antivirus\log\**10,lazy_ntfs,
21,AVG Report Logs,Antivirus,ProgramData\AVG\Antivirus\report\**10,lazy_ntfs,
22,AVG Persistent Logs,Antivirus,ProgramData\AVG\Persistent Data\Antivirus\Logs\**10,lazy_ntfs,
23,AVG FileInfo DB,Antivirus,ProgramData\AVG\Antivirus\**10\FileInfo2.db,lazy_ntfs,
24,AVG lsdbj2 JSON,Antivirus,ProgramData\AVG\Antivirus\lsdb2.json,lazy_ntfs,
25,AceText - Clipboard History,Apps,Users\*\Documents\*.atc,lazy_ntfs,Locates the Clipboard history for AceText
26,Acronis True Image - Logs,Apps,ProgramData\Acronis\TrueImageHome\Logs\ti_demon\*,lazy_ntfs,Copies out all log files
27,Acronis True Image - Database Files,Apps,ProgramData\Acronis\TrueImageHome\Database\archives.db*,lazy_ntfs,Copies out the Database folder which appears to have important information
28,Acronis True Image - Scripts Folder,Apps,ProgramData\Acronis\TrueImageHome\Scripts\*,lazy_ntfs,Copies out all scripts files
29,Action1 Client Application logs,ApplicationLogs,Windows\Action1\logs\*.log,lazy_ntfs,"Contains Application Log entries such as service start and incomming connections, and deployed scripts/jobs."
30,NTDS,Active Directory,Windows\NTDS\**10,lazy_ntfs,
31,SYSVOL,Active Directory,Windows\SYSVOL\**10,lazy_ntfs,
32,Agent Ransack Config Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\config\**10,lazy_ntfs,
33,Agent Ransack CrashReports Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\CrashReports\**10,lazy_ntfs,
34,Agent Ransack IndexLog Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\IndexLog\**10,lazy_ntfs,
35,Agent Ransack Logs,Software,Users\*\AppData\Roaming\Mythicsoft\AgentRansack\logs\**10,lazy_ntfs,
36,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs\Amcache.hve,lazy_ntfs,
37,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs\Amcache.hve,lazy_ntfs,
38,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs\Amcache.hve.LOG*,lazy_ntfs,
39,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs\Amcache.hve.LOG*,lazy_ntfs,
40,Ammyy Program Data,ApplicationLogs,ProgramData\Ammyy\**10,lazy_ntfs,"May not contain traditional log files, but presence of this folder may indicate historical usage"
41,AnyDesk Logs - User Profile - *.trace,Communications,Users\*\AppData\Roaming\AnyDesk\*.trace,lazy_ntfs,Collects the trace logs for AnyDesk from a user profile
42,AnyDesk Logs - ProgramData - *.trace,Communications,ProgramData\AnyDesk\*.trace,lazy_ntfs,Collects the trace logs for AnyDesk from ProgramData
43,AnyDesk Logs - User Profile - *.conf,Communications,Users\*\AppData\Roaming\AnyDesk\*.conf,lazy_ntfs,Collects the conf logs for AnyDesk from a user profile
44,AnyDesk Logs - ProgramData - *.conf,Communications,ProgramData\AnyDesk\*.conf,lazy_ntfs,Collects the conf logs for AnyDesk from ProgramData
45,AnyDesk Videos,Communications,Users\*\Videos\AnyDesk\*.anydesk,lazy_ntfs,Collects any session recordings made by the user while using AnyDesk
46,AnyDesk Logs - User Profile - connection_trace.txt,Communications,Users\*\AppData\Roaming\AnyDesk\connection_trace.txt,lazy_ntfs,Collects the connection trace log from user profile
47,AnyDesk Logs - ProgramData - connection_trace.txt,Communications,ProgramData\AnyDesk\connection_trace.txt,lazy_ntfs,Collects the connection trace log from ProgramData
48,AnyDesk Logs - System User Account,Communications,Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*,lazy_ntfs,Collects the logs associated with the System user account
49,AnyDesk Chat Logs - User Profile,Communications,Users\*\AppData\Roaming\AnyDesk\chat\*.txt,lazy_ntfs,Collects chat logs associated with the user profile
50,Apache Access Log,Webservers,**10\access.log,lazy_ntfs,
51,AppCompat PCA Folder,AppCompat,Windows\appcompat\pca,lazy_ntfs,
52,AppData,UserData,Users\*\AppData\**10,lazy_ntfs,
53,WindowsApps for AppX,Apps,Program Files\WindowsApps\Deleted*\**10,lazy_ntfs,Locates all the user AppX package directories which were installed through Microsoft Store and updated/uninstalled by the user.
54,SystemApps for AppX,Apps,Windows\SystemApps\**10,lazy_ntfs,Locates all the system AppX package directories which were installed by the system.
55,UserSpecificPackages for AppX,Apps,Users\*\AppData\Local\Packages\**10,lazy_ntfs,Locates all the user and system AppX package directories which are user specific on the system.
56,AppRepository for AppX,Apps,ProgramData\Microsoft\Windows\AppRepository\Packages\**10\StateRepository-*.srd,lazy_ntfs,Locates the StateRepository .srd databases.
57,ProgramData Packages for AppX,Apps,ProgramData\Packages\**10,lazy_ntfs,Locates the ProgramData AppX package directories.
58,Application Event Log XP,EventLogs,Windows\System32\config\AppEvent.evt,lazy_ntfs,
59,Application Event Log XP,EventLogs,Windows.old\Windows\System32\config\AppEvent.evt,lazy_ntfs,
60,Application Event Log Win7+,EventLogs,Windows\System32\winevt\logs\application.evtx,lazy_ntfs,
61,Application Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\application.evtx,lazy_ntfs,
62,Aspera Client Logs,FileDownload,Users\*\AppData\Local\Aspera\Aspera Connect\var\log\**10\*.log,lazy_ntfs,
63,Aspera Server Logs,FileDownload,Users\*\.aspera\connect\var\log\**10\*.log,lazy_ntfs,
64,AteraAgent .ini files,Software,Program Files\ATERA Networks\AteraAgent\**10\*.ini,lazy_ntfs,Collects logs for AteraAgent
65,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.txt,lazy_ntfs,Collects logs for AteraAgent
66,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.db,lazy_ntfs,Collects logs for AteraAgent
67,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.config,lazy_ntfs,Collects logs for AteraAgent
68,AteraAgent Logs,Software,Program Files\ATERA Networks\AteraAgent\**10\*.cfg,lazy_ntfs,Collects logs for AteraAgent
69,Avast AV Logs (XP),Antivirus,Documents And Settings\All Users\Application Data\Avast Software\Avast\Log\**10,lazy_ntfs,
70,Avast AV Logs,Antivirus,ProgramData\Avast Software\Avast\Log\**10,lazy_ntfs,
71,Avast AV User Logs,Antivirus,Users\*\Avast Software\Avast\Log\**10,lazy_ntfs,
72,Avast AV Index,Antivirus,ProgramData\Avast Software\Avast\Chest\index.xml,lazy_ntfs,
73,Avast Persistent Data Logs,Antivirus,ProgramData\Avast Software\Persistent Data\Avast\Logs\**10,lazy_ntfs,
74,Avast Icarus Logs,Antivirus,ProgramData\Avast Software\Icarus\Logs\**10,lazy_ntfs,
75,Avira Activity Logs,Antivirus,ProgramData\Avira\Antivirus\LOGFILES\**10,lazy_ntfs,Collects the scan logs of Avira Antivirus
76,Avira Security Logs,Antivirus,ProgramData\Avira\Security\Logs\**10,lazy_ntfs,
77,Avira VPN Logs,Antivirus,ProgramData\Avira\VPN\**10,lazy_ntfs,Collects the VPN logs
78,BCD,Registry,Boot\BCD,lazy_ntfs,
79,BCD Logs,Registry,Boot\BCD.LOG*,lazy_ntfs,
80,BITS files,Persistence,ProgramData\Microsoft\Network\Downloader\**10,lazy_ntfs,
81,TorrentClients - BitTorrent,FileDownload,Users\*\AppData\Roaming\BitTorrent\*.dat,lazy_ntfs,
82,Bitdefender Endpoint Security Logs,Antivirus,ProgramData\Bitdefender\Endpoint Security\Logs\**10,lazy_ntfs,
83,Bitdefender Internet Security Logs,Antivirus,ProgramData\Bitdefender\Desktop\Profiles\Logs\**10,lazy_ntfs,
84,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases
85,Box Drive Application Metadata,Apps,Users\*\AppData\Local\Box\Box\**10,lazy_ntfs,
86,Box Sync Application Metadata,Apps,Users\*\AppData\Local\Box Sync\**10,lazy_ntfs,
87,Box Drive User Files,Apps,Users\*\Box\**10,lazy_ntfs,Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network
88,Box Sync User Files,Apps,Users\*\Box Sync\**10,lazy_ntfs,
89,Bookmarks,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Bookmarks*,lazy_ntfs,
90,Cookies,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Cookies*,lazy_ntfs,
91,Current Session,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Session,lazy_ntfs,
92,Current Tabs,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Tabs,lazy_ntfs,
93,Download Metadata,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\DownloadMetadata,lazy_ntfs,
94,Favicons,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Favicons*,lazy_ntfs,
95,History,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\History*,lazy_ntfs,
96,Sessions Folder,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\*,lazy_ntfs,
97,Login Data,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Login Data,lazy_ntfs,
98,Network Action Predictor,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Action Predictor,lazy_ntfs,
99,Network Persistent State,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Persistent State,lazy_ntfs,
100,Preferences,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Preferences,lazy_ntfs,
101,Quota Manager,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\QuotaManager,lazy_ntfs,
102,Reporting and NEL,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Reporting and NEL,lazy_ntfs,
103,Shortcuts,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Shortcuts*,lazy_ntfs,
104,Publisher Info DB/Brave Rewards,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\publisher_info_db*,lazy_ntfs,"SQLite Database related to ""Brave Rewards"" containing an event_log table"
105,Top Sites,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Top Sites*,lazy_ntfs,
106,Visited Links,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Visited Links*,lazy_ntfs,
107,Web Data,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Web Data*,lazy_ntfs,
108,Secure Preferences,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Secure Preferences*,lazy_ntfs,Contains additional preferences data
109,Chrome Cache Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Cache\**10,lazy_ntfs,
110,Chromium Edge Cache Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cache\**10,lazy_ntfs,
111,Firefox Cache Folder,Communications,Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\**10,lazy_ntfs,
112,IE 9/10 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\**10,lazy_ntfs,
113,IE Index.dat temp internet files,Communications,Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat,lazy_ntfs,
114,IE 11 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\**10,lazy_ntfs,
115,Edge WebcacheV01.dat,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs,
116,Brave Cache Folder,Communications,Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data\**10,lazy_ntfs,
117,System CryptnetUrlCache,FileKnowledge,Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
118,System WOW64 CryptnetUrlCache,FileKnowledge,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
119,User CryptnetUrlCache,FileKnowledge,Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs,
120,INetCache,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\**10,lazy_ntfs,
121,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
122,Chrome Cookies XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
123,Chrome Current Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
124,Chrome Current Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
125,Chrome Favicons XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
126,Chrome History XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs,
127,Chrome Last Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
128,Chrome Last Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
129,Chrome Login Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
130,Chrome Preferences XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
131,Chrome Shortcuts XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
132,Chrome Top Sites XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
133,Chrome Visited Links XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
134,Chrome Web Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
135,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
136,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
137,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
138,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
139,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata,lazy_ntfs,
140,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
141,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
142,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
143,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
144,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
145,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
146,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
147,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
148,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
149,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
150,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
151,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
152,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
153,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
154,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
155,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
156,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
157,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
158,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
159,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
160,Chrome Snapshots Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.
161,SYSTEM Chrome History,Communications,Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
162,Chrome Extension Files,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs,
163,Chrome Extension Files XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs,
164,Chrome HTML5 File System Folder,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\File System\**10,lazy_ntfs,
165,Cisco Jabber Database,Communications,Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db,lazy_ntfs,The Cisco Jabber process needs to be killed before database can be copied.
166,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster
167,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster
168,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster
169,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs,
170,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs\*.log*,lazy_ntfs,
171,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs\*.log,lazy_ntfs,
172,Cybereason Anti-Ransomware Logs,Antivirus,ProgramData\crs1\Logs\**10,lazy_ntfs,
173,Cybereason Sensor Communications and Anti-Malware Logs,Antivirus,ProgramData\apv2\Logs\**10,lazy_ntfs,
174,Cybereason Application Control and NGAV Logs,Antivirus,ProgramData\crb1\Logs\**10,lazy_ntfs,
175,Cylance ProgramData Logs,Antivirus,ProgramData\Cylance\Desktop\**10,lazy_ntfs,
176,Cylance Optics Logs,Antivirus,ProgramData\Cylance\Optics\Log\**10,lazy_ntfs,
177,Cylance Program Files Logs,Antivirus,Program Files\Cylance\Desktop\log\**10,lazy_ntfs,
178,DC++ Chat Logs,FileDownload,Users\*\AppData\Local\DC++\Logs\**10,lazy_ntfs,Locates DC++ hub/chat logs and copies them. Current as of version 0.868.
179,DWAgent Log Files,Logs,ProgramData\DWAgent*\*.log*,lazy_ntfs,
180,Debian WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\debian_version,lazy_ntfs,
181,Debian WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\fstab,lazy_ntfs,
182,Debian WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\os-release,lazy_ntfs,
183,Debian WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\passwd,lazy_ntfs,
184,Debian WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\group,lazy_ntfs,
185,Debian WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\shadow,lazy_ntfs,
186,Debian WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\timezone,lazy_ntfs,
187,Debian WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hostname,lazy_ntfs,
188,Debian WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hosts,lazy_ntfs,
189,Debian WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\crontab,lazy_ntfs,
190,Debian WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
191,Debian WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\profile,lazy_ntfs,
192,Debian WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
193,Debian WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
194,Debian WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.profile,lazy_ntfs,
195,Debian WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
196,Debian WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
197,Debian WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\ext4.vhdx,lazy_ntfs,
198,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd,lazy_ntfs,Locates .osd file which contains names of folders that have been renamed manually by the user.
199,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd,lazy_ntfs,Locates .osd file which contains names of files that have been renamed manually by the user.
200,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query.
201,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query.
202,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd,lazy_ntfs,Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time.
203,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd,lazy_ntfs,Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister.
204,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.
205,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.
206,Directory Opus,Apps,Users\*\AppData\Roaming\GPSoftware\Directory Opus\Logs\*,lazy_ntfs,Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory.
207,Audio files,Multimedia,"**10\*.{3gp,aa,aac,act,aiff,alac,amr,ape,au,awb,dss,dvf,flac,gsm,iklax,ivs,m4a,m4b,m4p,mmf,mp3,mpc,msv,nmf,ogg,oga,mogg,opus,ra,rm,raw,rf64,sln,tta,voc,vox,wav,wma,wv,webm}",lazy_ntfs,Covers most (if not all) audio file formats
208,Excel and Excel-like Documents,Documents,"**10\*.{xls,xlsx,csv,tsv,xlt,xlm,xlsm,xltx,xltm,xlsb,xla,xlam,xll,xlw,ods,fodp,qpw}",lazy_ntfs,"Covers all document file formats for Excel, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more"
209,PDF and PDF-like Documents,Documents,"**10\*.{pdf,xps,oxps}",lazy_ntfs,Covers all PDF and PDF-like document formats
210,Picture files,Multimedia,"**10\*.{ai,bmp,bpg,cdr,cpc,eps,exr,flif,gif,heif,ilbm,ima,jp2,j2k,jpf,jpm,jpg2,j2c,jpc,jpx,mj2jpeg,jpg,jxl,kra,ora,pcx,pgf,pgm,png,pnm,ppm,psb,psd,psp,svg,tga,tiff,webp,xaml,xcf}",lazy_ntfs,Covers most (if not all) picture file formats
211,SQLite Files (.db* and .sqlite*),Databases,"**10\*.{db,sqlite}*)",lazy_ntfs,Covers all common file extensions for SQLite databases
212,Video files,Multimedia,"**10\*.{3g2,3gp,amv,asf,avi,drc,flv,f4v,f4p,f4a,f4b,gif,gifv,m4v,mkv,mov,qt,mp4,m4p,mpg,mpeg,m2v,mp2,mpe,mpv,mts,m2ts,ts,mxf,nsv,ogv,ogg,rm,rmvb,roq,svi,viv,vob,webm,wmv,yuv}",lazy_ntfs,Covers most (if not all) video file formats
213,Zips,Archives,**10\*.zip,lazy_ntfs,This is an example of how to walk a drive for a file mask. Probably do not want to use this one as is
214,Word and Word-like Documents,Documents,"**10\*.{doc,docx,docm,dotx,dotm,docb,dot,wbk,odt,fodt,rtf,wp*,tmd}",lazy_ntfs,"Covers all document file formats for Word, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more"
215,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache\**10,lazy_ntfs,Gets cached data from Discord app
216,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb\**10,lazy_ntfs,Gets LevelDB database from Discord app
217,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd\history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top.
218,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom.
219,Double Commander - FTP Log,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd*.log,lazy_ntfs,Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log.
220,Double Commander - multiarc.ini,Apps,Users\*\AppData\Roaming\doublecmd\multiarc.ini,lazy_ntfs,
221,Double Commander - session.ini,Apps,Users\*\AppData\Roaming\doublecmd\session.ini,lazy_ntfs,
222,Double Commander - pixmaps.txt,Apps,Users\*\AppData\Roaming\doublecmd\pixmaps.txt,lazy_ntfs,
223,Double Commander - shortcuts.scf,Apps,Users\*\AppData\Roaming\doublecmd\shortcuts.scf,lazy_ntfs,
224,Drivers,Drivers,Windows\system32\drivers\**10\*.sys,lazy_ntfs,
225,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\info.json,lazy_ntfs,Getting individual files because folder may contain very large extraneous files. Info.json contains user's Dropbox folder location
226,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64.
227,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\machine_storage\tray-thumbnails.db,lazy_ntfs,SQLite database containing references to image files at one time present in a user’s Dropbox instance.
228,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
229,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption of Dropbox databases
230,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\instance*\**10,lazy_ntfs,instance folder holds multiple SQLite databases related to Dropbox activity and contents
231,Dropbox User Files,Apps,Users\*\Dropbox*\**10,lazy_ntfs,"Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder."
232,EF Commander - .ini File,Apps,Users\*\AppData\Roaming\EFSoftware\*,lazy_ntfs,Locates folder where all configuration files reside
233,ESET NOD32 AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,
234,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser
235,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET Security\Logs\**10,lazy_ntfs,
236,ESET Remote Administrator Logs,Antivirus,ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs,lazy_ntfs,Remote Administrator logs include information on tasks executed on the target.
237,Local User Quarantine,Antivirus,Users\*\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs,
238,SYSTEM user quarantine,Antivirus,Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs,
239,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
240,Edge bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
240,Edge Bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
241,Edge Collections,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs,
242,Edge Cookies,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network\Cookies*,lazy_ntfs,
243,Edge Current Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs,
244,Edge Current Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs,
245,Edge Favicons,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs,
246,Edge History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs,
247,Edge Last Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs,
248,Edge Last Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs,
249,Edge Sessions Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sessions\*,lazy_ntfs,
250,Edge Login Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs,
251,Edge Media History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs,
252,Edge Network Action Predictor,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs,
253,Edge Preferences,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs,
254,Edge Shortcuts,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs,
255,Edge Top Sites,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs,
256,Edge SyncData Database,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
257,Edge Visited Links,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs,
258,Edge Web Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs,
259,Edge WebAssistDatabase,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\WebAssistDatabase*,lazy_ntfs,
260,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline DPAPI decryption
261,Edge Snapshots Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\**10,lazy_ntfs,"Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders"
262,Edge Chromium Extension Files,Communication,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\**10,lazy_ntfs,
263,Emsisoft Scan Logs,ApplicationLogs,ProgramData\Emsisoft\Reports\scan*.txt,lazy_ntfs,Can contain file detection and quarantine info
264,EncapsulationLogging,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs,
265,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs,
266,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs,
267,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs,
268,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\System.evtx,lazy_ntfs,
269,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\System.evtx,lazy_ntfs,
270,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\Security.evtx,lazy_ntfs,
271,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Security.evtx,lazy_ntfs,
272,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs,
273,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs,
274,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs,
275,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs,
276,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs,
277,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs,
278,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs,
279,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs,
280,Event logs XP,EventLogs,Windows\System32\config\*.evt,lazy_ntfs,
281,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\*.evtx,lazy_ntfs,
282,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\*.evtx,lazy_ntfs,
283,WDI Trace Logs 1,Event Trace Logs,Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs,
284,WDI Trace Logs 1,Event Trace Logs,Windows.old\Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs,
285,WDI Trace Logs 2,Event Trace Logs,Windows\System32\WDI\{*\**10,lazy_ntfs,
286,WDI Trace Logs 2,Event Trace Logs,Windows.old\Windows\System32\WDI\{*\**10,lazy_ntfs,
287,WMI Trace Logs,Event Trace Logs,Windows\System32\LogFiles\WMI\**10,lazy_ntfs,
288,WMI Trace Logs,Event Trace Logs,Windows.old\Windows\System32\LogFiles\WMI\**10,lazy_ntfs,
289,SleepStudy Trace Logs,Event Trace Logs,Windows\System32\SleepStudy\**10,lazy_ntfs,
290,SleepStudy Trace Logs,Event Trace Logs,Windows.old\Windows\System32\SleepStudy\**10,lazy_ntfs,
291,Energy-NTKL Trace Logs,Event Trace Logs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl,lazy_ntfs,
292,Delivery Optimization Trace Logs,Event Trace Logs,Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl*,lazy_ntfs,
293,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
294,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
295,Microsoft Office Diagnostic Logs,SystemEvents,Users\*\AppData\Local\Temp\Diagnostics\**10,lazy_ntfs,
296,Evernote Accounts,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\.accounts,lazy_ntfs,Holds username and email of accounts
297,Evernote Notebooks,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb,lazy_ntfs,SQLite Database of the notes
298,Evernote Notebook Snippets,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb.snippets,lazy_ntfs,Note 'Snippets'
299,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything\Everything.db,lazy_ntfs,Copies out Everything.db
300,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything\Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window
301,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything\Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps
302,Everything (VoidTools) - .ini file,FileSystem,Users\*\AppData\Roaming\Everything\Everything.ini,lazy_ntfs,Copies out the .ini file for Everything
303,Exchange client access log files,Logs,Program Files\Microsoft\Exchange Server\*\Logging\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration
304,Exchange Server Modified Compiled Files,Apps,Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
305,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
306,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\system_web\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
307,Exchange Server Modified Compiled Files,Apps,Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration
308,Exchange Setup Log file,Logs,ExchangeSetupLogs\ExchangeSetup.log,lazy_ntfs,The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration.
309,Exchange TransportRoles log files,Logs,Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration
310,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log\**10,lazy_ntfs,
311,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log\**10,lazy_ntfs,
312,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports\**10,lazy_ntfs,
313,Fences - Desktop Screenshots,Apps,Users\*\AppData\Roaming\Stardock\Fences\Backups,lazy_ntfs,Locates all screenshots taken automatically by the Fences application
314,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.xml*,lazy_ntfs,
315,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs,
316,FileZilla Server XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla Server\*.xml*,lazy_ntfs,
317,FileZilla Log Files,Logs,Program Files (x86)\FileZilla Server\Logs\*.log*,lazy_ntfs,
318,Addons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
319,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs,
320,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\**10,lazy_ntfs,
321,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
322,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs,
323,Downloads,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
324,Extensions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json,lazy_ntfs,
325,Favicons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
326,Form history,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
327,Permissions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs,
328,Places,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
329,Protections,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs,
330,Search,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
331,Signons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
332,Storage Sync,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs,
333,Webappstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
334,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs,
335,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs,
336,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs,
337,Preferences,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js,lazy_ntfs,
338,Sessionstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs,
339,Sessionstore Folder,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\**10,lazy_ntfs,
340,Places XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
341,Downloads XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
342,Form history XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
343,Cookies XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
344,Signons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
345,Webappstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
346,Favicons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
347,Addons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
348,Search XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
349,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs,
350,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs,
351,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs,
352,Sessionstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs,
353,Free Commander - FreeCommander.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts.
354,Free Commander - FreeCommander.ftp.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini,lazy_ntfs,Locates an .ini file that contains the file path to the FTP log for Free Commander.
355,Free Commander - FreeCommander.hist.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers.
356,Free Commander - FreeCommander.fav.xml,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml,lazy_ntfs,Locates an .xml file that contains favorited files/folder by the user.
357,Free Commander - Backup Settings,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\**10,lazy_ntfs,"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS."
358,Free Commander - FTP Log,Apps,Users\*\AppData\Local\Temp\fc*.log,lazy_ntfs,Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user.
359,Free Commander - FTP Related Information,Apps,Users\*\AppData\Local\Temp\FreeCommander*\**10,lazy_ntfs,Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit.
360,FDM Database,App,Users\*\AppData\Local\Free Download Manager\**10\fdm.sqlite,lazy_ntfs,"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. Will also pull fdm.sqlite in db_backup/"
361,FDM Backup Info,App,Users\*\AppData\Local\Free Download Manager\backup\backup.info,lazy_ntfs,"Backup info file - can change backup name from userdata.zip, so could give indication of file name"
362,FDM Database (userdata.zip),App,Users\*\AppData\Local\Free Download Manager\backup\userdata.zip,lazy_ntfs,fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file
363,FreeFileSync,Apps,Users\*\AppData\Roaming\FreeFileSync\Logs,lazy_ntfs,Copies out all log files
364,Freenet,File Downloads,Users\*\AppData\Local\Freenet\node*,lazy_ntfs,
365,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.downloads,lazy_ntfs,
366,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.uploads,lazy_ntfs,
367,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*.bak,lazy_ntfs,
368,Freenet,File Downloads,Users\*\AppData\Local\Freenet\downloads\**10,lazy_ntfs,
369,FrostWire Downloads,FileDownload,Users\*\Documents\FrostWire\Torrent Data\**10,lazy_ntfs,Locates files downloaded that land in the default location as specified by FrostWire
370,FrostWire AppData,FileDownload,Users\*\.frostwire5\frostwire.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system
371,FrostWire AppData,FileDownload,Users\*\.frostwire5\itunes.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system
372,Gigatribe Files Windows Vista/7/8/10,FileDownload,Users\*\AppData\Local\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them
373,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Gigatribe\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Gigatribe
374,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Shalsoft
375,Google Drive Backup and Sync User Files,Apps,Users\*\Google Drive*\**10,lazy_ntfs,Older Google Drive Backup and Sync application only
376,Google Drive Backup and Sync Metadata,Apps,Users\*\AppData\Local\Google\Drive\**10,lazy_ntfs,Older version of Google Drive
377,Google Drive for Desktop Metadata,Apps,Users\*\AppData\Local\Google\DriveFS\**10,lazy_ntfs,Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application
378,Google Earth My Places file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations
379,Google Earth My Places Backup file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations
380,Google Earth My Places file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations
381,Google Earth My Places Backup file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations
382,Group Policy Files,Communication,Windows\System32\grouppolicy\**10,lazy_ntfs,
383,Computer Group Policy files,Communication,ProgramData\Microsoft\Group Policy\History\**10,lazy_ntfs,
384,User Group Policy files,Communication,Users\*\AppData\Local\Microsoft\Group Policy\History\**10,lazy_ntfs,
385,Local Group Policy INI Files,Communication,Windows.old\Windows\System32\grouppolicy\*.ini,lazy_ntfs,
386,Local Group Policy Files - Registry Policy Files,Communication,Windows\System32\grouppolicy\*.pol,lazy_ntfs,
387,Local Group Policy Files - Registry Policy Files,Communication,Windows.old\Windows\System32\grouppolicy\*.pol,lazy_ntfs,
388,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
389,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows.old\Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
390,HeidiSQL Backup files (*.sql),Apps,Users\*\AppData\Roaming\HeidiSQL\Backups\*,lazy_ntfs,
391,HeidiSQL (tabs.ini),Apps,Users\*\AppData\Roaming\HeidiSQL\tabs.ini,lazy_ntfs,
392,HexChat Chat Logs,Communications,Users\*\AppData\Roaming\HexChat\logs\**10,lazy_ntfs,
393,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs\**10,lazy_ntfs,
394,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs\**10,lazy_ntfs,
395,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert\excalibur.db,lazy_ntfs,SQLite DB
396,HostsFile,HostsFile,Windows\System32\drivers\etc\Hosts,lazy_ntfs,
397,IIS applicationHost.config,Apps,Windows\System32\inetsrv\config\applicationHost.config,lazy_ntfs,This configuration file stores the settings for all your Web sites and applications.
398,IIS administration.config,Apps,Windows\System32\inetsrv\config\administration.config,lazy_ntfs,This configuration file stores the settings for IIS management.
399,IIS redirection.config,Apps,Windows\System32\inetsrv\config\redirection.config,lazy_ntfs,This configuration file contains the settings that indicate the location where the centralized configuration files are stored.
400,web.config,Apps,inetpub\wwwroot\**10\web.config,lazy_ntfs,The web.config is a file that is read by IIS and the ASP.NET Core Module to configure an app hosted with IIS.
401,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
402,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
403,IIS log files,Logs,inetpub\logs\LogFiles\*.log,lazy_ntfs,
404,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*\*.log,lazy_ntfs,
405,IIS log files,Logs,Resources\Directory\*\LogFiles\Web\W3SVC*\*.log,lazy_ntfs,
406,IIS log files,Logs,Windows\system32\LogFiles\HTTPERR\*.log,lazy_ntfs,
407,ISLOnline Logs - Sessions - *.out,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\ISLClient.out,lazy_ntfs,Collects client session logs for one or more sessions
408,ISLOnline Logs - Session Configurations,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\*,lazy_ntfs,Configurations for ISL Light sessions
409,ISL AlwaysOn Logs - Sessions List,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\session.xml,lazy_ntfs,Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)
410,ISL AlwaysOn Logs - Sessions,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\trace.out,lazy_ntfs,Detailed log for each session for ISL AlwaysOn (Unattended Access)
411,ISL AlwaysOn - App Logs,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\*.out,lazy_ntfs,Application logs containg various artifacts.
412,ISL Light Logs - Sessions,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light\*\trace.out,lazy_ntfs,Collects client session logs for one or more sessions
413,ISL AlwaysOn - Email Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\status\tray,lazy_ntfs,This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)
414,ISL AlwaysOn - Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\StaticConfiguration.ini,lazy_ntfs,"Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)"
415,ITarian,Apps,Program Files\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
416,ITarian,Apps,Program Files (x86)\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
417,Comodo,Apps,Program Files\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
418,ITarian,Apps,Program Files (x86)\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
419,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs\**10,lazy_ntfs,
420,Windows IconCache DB,IconCache,Users\*\AppData\Local\IconCache.db,lazy_ntfs,
421,Idrive Cleanup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\**10\*,lazy_ntfs,Contains individual log files for each archive cleanup operation
422,Idrive Backup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Backup\**10\*,lazy_ntfs,Contains individual log files for each backup operation
423,Idrive Delete Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Delete\**10\*,lazy_ntfs,Contains individual log files for each delete operation
424,Idrive Restore Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Restore\*,lazy_ntfs,Contains individual log files for each restore operation
425,Idrive Backup Summary,Apps,ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\*xml,lazy_ntfs,Contains summary of each backup session
426,Idrive Tracefile,Apps,ProgramData\IDrive\IBCOMMON\*\Tracefile.txt\Tracefile.txt,lazy_ntfs,Application log which includes error logs for failed uploads
427,Idrive Mapped Drives,Apps,ProgramData\IDrive\IBCOMMON\IDMappedDrives.txt,lazy_ntfs,List of mapped drives for backup
428,Idrive Backup Schedule,Apps,ProgramData\IDrive\IBCOMMON\schedule.xml,lazy_ntfs,Backup schedule configurations
429,Idrive Schedule History,Apps,ProgramData\IDrive\IBCOMMON\Sch_Trace.txt,lazy_ntfs,History of schedule configurations
430,Idrive Configuration,Apps,ProgramData\IDrive\IBCOMMON\idrive.ini,lazy_ntfs,List of Idrive configuration options
431,Idrive Local Drives,Apps,ProgramData\IDrive\IBCOMMON\get_Alldrives.txt,lazy_ntfs,List of all local drives
432,Idrive Exclusion Configurations,Apps,ProgramData\IDrive\IBCOMMON\Exclude*,lazy_ntfs,Files pertaining to exclusion configurations
433,Idrive User Details,Apps,ProgramData\IDrive\IBCOMMON\AutoComp.ini,lazy_ntfs,"Idrive username, Scheduler notification emails, local username"
434,Idrive SQL Databse,Apps,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds,lazy_ntfs,Sql database of local files that are backed up
435,ImgBurn - Application Log File,Apps,Users\*\AppData\Roaming\ImgBurn\Log Files\ImgBurn.log,lazy_ntfs,Contains the ImgBurn application log file.
436,Index.dat History,Communications,Documents and Settings\*\Local Settings\History\History.IE5\index.dat,lazy_ntfs,
437,Index.dat History subdirectory,Communications,Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat,lazy_ntfs,
438,Index.dat cookies,Communications,Documents and Settings\*\Cookies\index.dat,lazy_ntfs,
439,Index.dat UserData,Communications,Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat,lazy_ntfs,
440,Index.dat Office XP,Communications,Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat,lazy_ntfs,
441,Index.dat Office,Communications,Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat,lazy_ntfs,
442,Local Internet Explorer folder,Communications,Users\*\AppData\Local\Microsoft\Internet Explorer\**10,lazy_ntfs,
443,Roaming Internet Explorer folder,Communications,Users\*\AppData\Roaming\Microsoft\Internet Explorer\**10,lazy_ntfs,
444,IE 9/10 History,Communications,Users\*\AppData\Local\Microsoft\Windows\History\**10,lazy_ntfs,
445,IE 9/10 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\Cookies\**10,lazy_ntfs,
446,IE 9/10 Download History,Communications,Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\**10,lazy_ntfs,
447,IE 11 Metadata,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs,
448,IE 11 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCookies\**10,lazy_ntfs,
449,IrfanView Configuration File,FileKnowledge,Users\*\AppData\Roaming\IrfanView\i_view32.ini,lazy_ntfs,
450,JDownloader 2.0 Download Lists,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
451,JDownloader 2.0 Link Collector,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
452,JDownloader 2.0 General Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder.
453,JDownloader 2.0 Link Grabber Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.
454,JDownloader 2.0 Proxy Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0
455,Java WebStart Cache User Level - Default,Communication,Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
456,Java WebStart Cache User Level - IE Protected Mode,Communication,Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
457,Java WebStart Cache System level,Communication,Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
458,Java WebStart Cache System level,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
459,Java WebStart Cache System level - IE Protected Mode,Communication,Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
460,Java WebStart Cache System level - IE Protected Mode,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
461,Java WebStart Cache System level (SysWow64),Communication,Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
462,Java WebStart Cache System level (SysWow64),Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
463,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
464,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
465,Java WebStart Cache User Level - XP,Communications,Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
466,JumpLists from CustomDestinations,JumpLists,Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**10,lazy_ntfs,
467,JumpLists from CustomDestinations,JumpLists,Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\**10,lazy_ntfs,
468,Kali WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\debian_version,lazy_ntfs,
469,Kali WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\fstab,lazy_ntfs,
470,Kali WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\os-release,lazy_ntfs,
471,Kali WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\passwd,lazy_ntfs,
472,Kali WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\group,lazy_ntfs,
473,Kali WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\shadow,lazy_ntfs,
474,Kali WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\timezone,lazy_ntfs,
475,Kali WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hostname,lazy_ntfs,
476,Kali WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hosts,lazy_ntfs,
477,Kali WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\crontab,lazy_ntfs,
478,Kali WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
479,Kali WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\profile,lazy_ntfs,
480,Kali WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
481,Kali WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
482,Kali WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.profile,lazy_ntfs,
483,Kali WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
484,Kali WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
485,Kali WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\ext4.vhdx,lazy_ntfs,
486,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
487,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
488,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
489,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
490,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*\agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
491,Kaseya Setup Log,ApplicationLogs,Users\*\AppData\Local\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
492,Kaseya Setup Log,ApplicationLogs,Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
493,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
494,Kaseya Agent Edge Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\KaseyaEdgeServices\**10,lazy_ntfs,https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
495,Keepass User Config,App,Users\*\AppData\Roaming\KeePass\*.xml,lazy_ntfs,Collecting Keepass User Configuration File
496,Keepass Config Xml,App,Program Files\KeePass Password Safe*\*.xml,lazy_ntfs,Collecting Keepass Configuration File
497,Keepass Application Details,App,Program Files\KeePass Password Safe*\*.config,lazy_ntfs,Collecting Keepass Application Details
498,Keepass Local Ini,App,Users\*\AppData\Local\KeePassXC\*.ini,lazy_ntfs,
499,Keepass Roaming Ini,App,Users\*\AppData\Roaming\KeePassXC\*.ini,lazy_ntfs,
500,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,Also includes automatic and custom jumplist directories
501,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
502,Start Menu LNK Files,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
503,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent\**10,lazy_ntfs,
504,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop\*.LNK,lazy_ntfs,
505,Desktop LNK Files,LNKFiles,Users\*\Desktop\*.LNK,lazy_ntfs,
506,Restore point LNK Files XP,LNKFiles,System Volume Information\_restore*\RP*\*.LNK,lazy_ntfs,
507,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
508,Level RMM Client Application logs,ApplicationLogs,Program Files\Level\*.log,lazy_ntfs,Contains Application Log entries such as service start and incoming connections.
509,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history,lazy_ntfs,
510,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout,lazy_ntfs,
511,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc,lazy_ntfs,
512,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile,lazy_ntfs,
513,User Files - Desktop,LiveUserFiles,Users\*\Desktop\**10,lazy_ntfs,
514,User Files - Documents,LiveUserFiles,Users\*\Documents\**10,lazy_ntfs,
515,User Files - Downloads,LiveUserFiles,Users\*\Downloads\**10,lazy_ntfs,
516,User Files - Dropbox,LiveUserFiles,Users\*\Dropbox*\**10,lazy_ntfs,
517,LogFiles,Logs,Windows\System32\LogFiles\**10,lazy_ntfs,
518,LogFiles,Logs,Windows.old\Windows\System32\LogFiles\**10,lazy_ntfs,
519,Error logging,Misc,windows\PFRO.log,lazy_ntfs,
520,LogMeIn ProgramData Logs,ApplicationLogs,ProgramData\LogMeIn\Logs\**10,lazy_ntfs,
521,LogMeIn Application Logs,ApplicationLogs,Users\*\AppData\Local\temp\LogMeInLogs\**10,lazy_ntfs,"Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"
522,MOF files,WMI,**10\*.MOF,lazy_ntfs,
523,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG,lazy_ntfs,
524,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*,lazy_ntfs,
525,Macrium Reflect,Apps,ProgramData\Macrium\Macrium Service\*,lazy_ntfs,Copies out all log files
526,Macrium Reflect,Apps,ProgramData\Macrium\Reflect\*,lazy_ntfs,Copies out the Reflect folder which contains many important logs
527,Macrium Reflect,Apps,ProgramData\Macrium\Reflect Launcher,lazy_ntfs,Copies out the Reflect folder which contains many important logs
528,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml,lazy_ntfs,
529,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log*,lazy_ntfs,
530,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\**10,lazy_ntfs,
531,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults\**10,lazy_ntfs,
532,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs\**10,lazy_ntfs,
533,ManageEngine ADSelfService Plus Log Files,Logs,ManageEngine\ADSelfService Plus\logs\**10,lazy_ntfs,
534,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB\**10,lazy_ntfs,Locates Mattermost logs and copies them
535,McAfee Desktop Protection Logs XP,Antivirus,Users\All Users\Application Data\McAfee\DesktopProtection\**10,lazy_ntfs,
536,McAfee Desktop Protection Logs,Antivirus,ProgramData\McAfee\DesktopProtection\**10,lazy_ntfs,
537,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
538,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs_Old\**10,lazy_ntfs,
539,McAfee VirusScan Logs,Antivirus,ProgramData\Mcafee\VirusScan\**10,lazy_ntfs,
540,McAfee ePO Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
541,MediaMonkey - Media SQLite Database,Apps,Users\*\AppData\Roaming\MediaMonkey\MM.DB,lazy_ntfs,Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey
542,MediaMonkey - MediaMonkey.ini,Apps,Users\*\AppData\Roaming\MediaMonkey\MediaMonkey.ini,lazy_ntfs,Locates .ini file which contains information about the user's MediaMonkey application instance
543,MegaSync Folder,ApplicationLogs,Users\*\AppData\Local\Mega Limited\MEGAsync\**10,lazy_ntfs,
544,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs,
545,pagefile.sys,Memory,pagefile.sys,lazy_ntfs,
546,swapfile.sys,Memory,swapfile.sys,lazy_ntfs,
547,Small Memory Dump directory,Memory,Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
548,Small Memory Dump directory,Memory,Windows.old\Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
549,MeshAgent .msh (configuration) file,Apps,Program Files\Mesh Agent\**10\*.msh,lazy_ntfs,Grabs all .msh (config) files present in this folder
550,MeshAgent log file,Logs,Program Files\Mesh Agent\**10\*.log,lazy_ntfs,Grabs all .log files present in this folder
551,Microsoft Office Backstage,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\BackstageinAppNavCache\**10,lazy_ntfs,
552,Microsoft OneNote - FullTextSearchIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
553,Microsoft OneNote - RecentNotebooks_SeenURLs,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
554,Microsoft OneNote - AccessibilityCheckerIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
555,Microsoft OneNote - User NoteTags,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
556,Microsoft OneNote - RecentSearches,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
557,Windows Safety Scanner Logs,Antivirus,Windows\Debug\msert.log,lazy_ntfs,
558,"Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes\StickyNotes.snt,lazy_ntfs,
559,Microsoft Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
560,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\**10,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more"
561,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\**10,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more"
562,Microsoft Teams Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Cache\**10,lazy_ntfs,Chromium cache which can be viewed with Nirsoft's ChromeCacheView
563,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams\desktop-config.json,lazy_ntfs,JSON config file for Teams
564,Microsoft Teams Logs (Windows 11),Apps,Users\*\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs,lazy_ntfs,Lots of log files for MS Teams
565,Microsoft To Do - SQLite Database of To Do tasks,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
566,Microsoft To Do - User Avatar,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\UserAvatar.jpg,lazy_ntfs,
567,Midnight Commander -- All Configuation Files,Apps,Users\*\Midnight Commander\*,lazy_ntfs,Locates folder where all configuration files reside
568,Multi Commander - Application Folder,Apps,Users\*\AppData\Local\MultiCommander*\**10,lazy_ntfs,Locates the contents of the Application folder.
569,Multi Commander - Config Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Config\**10,lazy_ntfs,Locates the contents of the Config folder.
570,Multi Commander - Log Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Logs\**10,lazy_ntfs,Locates log file(s) related to user activity within Multi Commander.
571,Multi Commander - UserData Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\UserData\**10,lazy_ntfs,Locates the contents of the UserData folder.
572,Multi Commander - Log File,Apps,Users\*\AppData\Roaming\MultiCommander*\**10\*MultiCommander.log,lazy_ntfs,Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.
573,.NET CLR UsageLogs (user-scoped),.NET CLR UsageLogs,Users\*\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
574,.NET CLR UsageLogs (system-scoped),.NET CLR UsageLogs,Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
575,NGINX Log Files,Logs,nginx\logs\*.log,lazy_ntfs,
576,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet\nzbget.log,lazy_ntfs,Locates NZBGet download log file
577,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\*,lazy_ntfs,Locates NZBGet NZB files that were used by the user
578,Nessus Logs,Nessus,ProgramData\Tenable\Nessus\conf\**10,lazy_ntfs,
579,Nessus Logs,Nessus Logs,ProgramData\Tenable\Nessus\nessus\logs\**10,lazy_ntfs,
580,Net Monitor Server Logs,ApplicationLogs,ProgramData\Net Monitor for Employees Pro\log\*\**10,lazy_ntfs,Contains Net Monitor server logs
581,Net Monitor Server Data,Communication,ProgramData\Net Monitor for Employees Pro\data\**10,lazy_ntfs,Contains Net Monitor server data - Indicates what have been seen as the attacker
582,Net Monitor Server Config,Apps,ProgramData\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor server config
583,Net Monitor Server Temp Folder,Apps,ProgramData\Net Monitor for Employees Pro\tmp\**10,lazy_ntfs,
584,Net Monitor Client Logs,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\log\**10,lazy_ntfs,Contains Net Monitor client logs
585,Net Monitor Client Config,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor client config
586,Usenet Clients - Newsbin Pro,FileDownload,Users\*\AppData\Local\Newsbin\Downloaded.db3,lazy_ntfs,Locates Newsbin Pro download log database
587,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher\downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file
588,Nicotine++ Logs,FileDownload,Users\*\AppData\Roaming\nicotine\logs\**10,lazy_ntfs,"Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)"
589,Nicotine++ Incomplete Downloads,FileDownload,Users\*\AppData\Roaming\nicotine\incomplete\**10,lazy_ntfs,Locates files that did not finish downloading
590,Nicotine++ Buddyfiles.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddyfiles.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
591,Nicotine++ Buddystreams.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddystreams.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
592,Nicotine++ Buddymtimes.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddymtimes.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a folder level"
593,Nicotine++ Buddyfileindex.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddyfileindex.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a file level"
594,Nicotine++ Buddywordindex.db,FileDownload,Users\*\AppData\Roaming\nicotine\buddywordindex.db\**10,lazy_ntfs,Unknown what this is for at this time
595,Nicotine++ Config Files,FileDownload,Users\*\AppData\Roaming\nicotine\config\**10,lazy_ntfs,Locates config files
596,Nicotine++ User Shares,FileDownload,Users\*\AppData\Roaming\nicotine\usershares\**10,lazy_ntfs,Locates a DB that appears to store a list of files per user that they are sharing within Nicotine++. Note: this requires the user to right-click -> browse files shared by that user
597,Nicotine++ Downloads.json,FileDownload,Users\*\AppData\Roaming\nicotine\downloads.json*,lazy_ntfs,Locates downloads.json
598,Nicotine++ Uploads.json,FileDownload,Users\*\AppData\Roaming\nicotine\uploads.json*,lazy_ntfs,Locates uploads.json
599,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup\**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
600,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++\config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
601,Notepad++ Session,Text Editor,Users\*\AppData\Roaming\Notepad++\session.xml,lazy_ntfs,Retrieves session.xml which contains session date
602,Notepad Session Files,Windows Notepad,Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\*.bin,lazy_ntfs,Contains .bin files which consist of the files opened in each tab in Windows Notepad
603,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,"Local storage file containing all pages, databases, users, etc."
604,Notion Custom Dictionary,App,Users\*\AppData\Roaming\Notion\Partitions\notion\Custom Dictionary.txt,lazy_ntfs,
605,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\**10,lazy_ntfs,
606,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\**10,lazy_ntfs,
607,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint\**10,lazy_ntfs,
608,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\**10,lazy_ntfs,
609,Office Diagnostics,Execution,Users\*\AppData\Local\Diagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
610,Office Elevated Diagnostics,Execution,Users\*\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
611,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\**10,lazy_ntfs,
612,One Commander - All Configuration Files,Apps,Users\*\OneCommander\*,lazy_ntfs,Locates folder where all configuration files reside
613,One Commander - Other Configuration Files,Apps,Users\*\AppData\Local\Apps\2.0\*\*\onec*\**10,lazy_ntfs,Locates folder where all configuration files reside
614,OneDrive Metadata Logs,Apps,Users\*\AppData\Local\Microsoft\OneDrive\logs\**10,lazy_ntfs,
615,OneDrive Metadata Settings,Apps,Users\*\AppData\Local\Microsoft\OneDrive\settings\**10,lazy_ntfs,
616,OneDrive User Files,Apps,Users\*\OneDrive*\**10,lazy_ntfs,Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network.
617,OpenSSH Config File,Apps,Users\*\.ssh\config,lazy_ntfs,"Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server"
618,OpenSSH Known Hosts,Apps,Users\*\.ssh\known_hosts,lazy_ntfs,"Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints"
619,OpenSSH Public Keys,Apps,Users\*\.ssh\*.pub,lazy_ntfs,"Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same."
620,OpenSSH Default RSA Private Key,Apps,Users\*\.ssh\id_rsa,lazy_ntfs,Default name for an auto-generated SSH RSA private key
621,OpenSSH Default ECDSA Private Key,Apps,Users\*\.ssh\id_ecdsa,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key
622,OpenSSH Default ECDSA-SK Private Key,Apps,Users\*\.ssh\id_ecdsa_sk,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key using a Security Key
623,OpenSSH Default ED25519 Private Key,Apps,Users\*\.ssh\id_ed25519,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key
624,OpenSSH Default ED25519-SK Private Key,Apps,Users\*\.ssh\id_ed25519_sk,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key using a Security Key
625,OpenSSH Default DSA Private Key,Apps,Users\*\.ssh\id_dsa,lazy_ntfs,Default name for an auto-generated SSH DSA private key
626,OpenSSH Server Config File,Apps,ProgramData\ssh\sshd_config,lazy_ntfs,Config file can hold information on allowed/denied users
627,OpenSSH Server Logs,Apps,ProgramData\ssh\logs\*,lazy_ntfs,OpenSSH server logs
628,OpenSSH Host ECDSA Key,Apps,ProgramData\ssh\ssh_host_ecdsa_key,lazy_ntfs,Retrieves the host ECDSA key
629,OpenSSH Host ED25519 Key,Apps,ProgramData\ssh\ssh_host_ed25519_key,lazy_ntfs,Retrieves the host ED25519 key
630,OpenSSH Host DSA Key,Apps,ProgramData\ssh\ssh_host_dsa_key,lazy_ntfs,Retrieves the host DSA key
631,OpenSSH Host RSA Key,Apps,ProgramData\ssh\ssh_host_rsa_key,lazy_ntfs,Retrieves the host RSA key
632,OpenSSH User Authorized Keys,Apps,Users\*\.ssh\authorized_keys,lazy_ntfs,Retrieves the user's authorised public keys
633,OpenSSH User Authorized Keys 2,Apps,Users\*\.ssh\authorized_keys2,lazy_ntfs,Retrieves the user's authorised public keys from the second file
634,OpenSSH Authorized Administrator Keys,Apps,ProgramData\ssh\administrators_authorized_keys,lazy_ntfs,Retrieves the administrator group's authorised public keys
635,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
636,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
637,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log\*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
638,Opera - Local Folder,Communications,Users\*\AppData\Local\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Local folder
639,Opera - Roaming Folder,Communications,Users\*\AppData\Roaming\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Roaming folder
640,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst,lazy_ntfs,
641,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost,lazy_ntfs,
642,PST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.pst,lazy_ntfs,
643,OST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.ost,lazy_ntfs,
644,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.pst,lazy_ntfs,"Outlook Data File: POP accounts, archives, older installations"
645,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.ost,lazy_ntfs,"Offline Outlook Data File: M365, Exchange, IMAP"
646,NST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.nst,lazy_ntfs,Outlook Group Storage File: Group conversations and calendar
647,Outlook Attachment Temporary Storage,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\**10,lazy_ntfs,Outlook temporary storage folder for user attachments
648,PeaZip Configuration Files,FileKnowledge,Users\*\AppData\Roaming\PeaZip\**10,lazy_ntfs,
649,Perflogs,Application,PerfLogs\**10,lazy_ntfs,
650,PowerShell 7 Config JSON,PowerShell,Program Files\PowerShell\7\powershell.config.json,lazy_ntfs,
651,PowerShell Console Log,PowerShellConsoleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*_history.txt,lazy_ntfs,
652,PowerShell Console Log Systemprofile,PowerShellConsoleLog,Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
653,PowerShell Console Log WOW64 Systemprofile,PowerShellConsoleLog,Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
654,PowerShell ISE - AutoSave Files,PowerShellConsoleLog,Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles\*.ps1,lazy_ntfs,
655,PowerShell ISE - User Config,PowerShellConsoleLog,Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\*.config,lazy_ntfs,
656,PowerShell Transcripts - Default Location,PowerShellTranscripts,Users\*\Documents\PowerShell_transcript.*.txt,lazy_ntfs,
657,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Users\*\Documents\20*\PowerShell_transcript.*.txt,lazy_ntfs,
658,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\SysWOW64\*\PowerShell_transcript.*.txt,lazy_ntfs,
659,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Program Files\Amazon\Ec2ConfigService\Scripts\*\PowerShell_transcript.*.txt,lazy_ntfs,
660,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\System32\*\PowerShell_transcript.*.txt,lazy_ntfs,
661,Prefetch,Prefetch,Windows\prefetch\*.pf,lazy_ntfs,
662,Prefetch,Prefetch,Windows.old\Windows\prefetch\*.pf,lazy_ntfs,
663,ProgramData,Application Data,ProgramData\**10,lazy_ntfs,
664,ProtonVPN - Connection Logs,ApplicationLogs,Users\*\AppData\Local\ProtonVPN\Logs,lazy_ntfs,Locates ProtonVPN connection logs.
665,Puffin - data.db,Communications,Users\*\AppData\Local\PuffinSecureBrowser\data.db,lazy_ntfs,Grabs an important database file that contains browser history
666,Puffin - Autocomplete Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\autocompletes.dat,lazy_ntfs,Grabs a file that stores autocomplete data
667,Puffin - Password Forms Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\passwordForms.dat,lazy_ntfs,Grabs a file that stores some saved password data
668,Puffin - Password (Encrypted),Communications,Users\*\AppData\Local\PuffinSecureBrowser\credential.dat,lazy_ntfs,Grabs a file that stores passwords in an encrypted format
669,Puffin - Subscription Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\subscription,lazy_ntfs,Grabs a file that stores the user's email address that's associated with their Puffin subscription
670,Puffin - Cookies,Communications,Users\*\AppData\Local\PuffinSecureBrowser\cookies.dat,lazy_ntfs,Grabs a file that stores information related to cookies
671,Puffin - Image Cache,Communications,Users\*\AppData\Local\PuffinSecureBrowser\image_cache\**10,lazy_ntfs,Grabs a directory that caches images from websites visited
672,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
673,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
674,Q-Dir - .ini File,Apps,Users\*\AppData\Roaming\Q-Dir\Q-Dir.ini,lazy_ntfs,Locates .ini file associated with Q-Dir which stores useful user activity information.
675,Q-Dir - .qdr file,Apps,Users\*\AppData\Roaming\Q-Dir\start.qdr,lazy_ntfs,"Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately)."
676,QFinderPro,Apps,Users\*\AppData\Local\QNAP\QfinderPro,lazy_ntfs,Locates a JSON file that provides network location information for any QNAP connected devices.
677,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.txt,lazy_ntfs,Collects the proxy logs for Qlik Sense
678,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.log,lazy_ntfs,Collects the proxy logs for Qlik Sense
679,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.txt,lazy_ntfs,Collects the scheduler logs for Qlik Sense
680,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.log,lazy_ntfs,Collects the scheduler logs for Qlik Sense
681,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
682,Windows.old RDP Cache Files,FileSystem,Windows.old\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
683,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
684,RDP Jumplist Files,FileSystem,Users\*\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\**10,lazy_ntfs,
685,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
686,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
687,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
688,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
689,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
690,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
691,RDPCoreTS Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
692,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
693,Radmin Server 32bit Log,ApplicationLogs,Windows\SysWOW64\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
694,Radmin Server 64bit Log,ApplicationLogs,Windows\System32\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
695,Radmin Server 32bit Chats,ApplicationLogs,Windows\SysWOW64\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
696,Radmin Server 64bit Chats,ApplicationLogs,Windows\System32\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
697,Radmin Viewer Chats,ApplicationLogs,Users\*\Documents\ChatLogs\*\*.htm,lazy_ntfs,Previous chat logs
698,Rclone Config,Apps,**10\rclone.conf,lazy_ntfs,
699,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
700,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
701,LNK Files from Recent,File and Folder Usage,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
702,LNK Files from Microsoft Office Recent,File and Folder Usage,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
703,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$R*,lazy_ntfs,
704,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\*\$R*\**10,lazy_ntfs,
705,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\D*,lazy_ntfs,
706,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$I*,lazy_ntfs,
707,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\INFO2,lazy_ntfs,
708,Registry.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\Registry.dat*,lazy_ntfs,
709,User.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\User.dat*,lazy_ntfs,
710,UserClasses.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\UserClasses.dat*,lazy_ntfs,
711,BBI registry hive,Registry,Windows\System32\config\BBI,lazy_ntfs,
712,BBI registry hive,Registry,Windows.old\Windows\System32\config\BBI,lazy_ntfs,
713,BBI registry transaction files,Registry,Windows\System32\config\BBI.LOG*,lazy_ntfs,
714,BBI registry transaction files,Registry,Windows.old\System32\config\BBI.LOG*,lazy_ntfs,
715,BCD-Template registry hive,Registry,Windows\System32\config\BCD-Template,lazy_ntfs,
716,BCD-Template registry hive,Registry,Windows.old\Windows\System32\config\BCD-Template,lazy_ntfs,
717,BCD-Template registry transaction files,Registry,Windows\System32\config\BCD-Template.LOG*,lazy_ntfs,
718,BCD-Template registry transaction files,Registry,Windows.old\System32\config\BCD-Template.LOG*,lazy_ntfs,
719,COMPONENTS registry hive,Registry,Windows\System32\config\COMPONENTS,lazy_ntfs,
720,COMPONENTS registry hive,Registry,Windows.old\Windows\System32\config\COMPONENTS,lazy_ntfs,
721,COMPONENTS registry transaction files,Registry,Windows\System32\config\COMPONENTS.LOG*,lazy_ntfs,
722,COMPONENTS registry transaction files,Registry,Windows.old\System32\config\COMPONENTS.LOG*,lazy_ntfs,
723,DRIVERS registry hive,Registry,Windows\System32\config\DRIVERS,lazy_ntfs,
724,DRIVERS registry hive,Registry,Windows.old\Windows\System32\config\DRIVERS,lazy_ntfs,
725,DRIVERS registry transaction files,Registry,Windows\System32\config\DRIVERS.LOG*,lazy_ntfs,
726,DRIVERS registry transaction files,Registry,Windows.old\System32\config\DRIVERS.LOG*,lazy_ntfs,
727,ELAM registry hive,Registry,Windows\System32\config\ELAM,lazy_ntfs,
728,ELAM registry hive,Registry,Windows.old\Windows\System32\config\ELAM,lazy_ntfs,
729,ELAM registry transaction files,Registry,Windows\System32\config\ELAM.LOG*,lazy_ntfs,
730,ELAM registry transaction files,Registry,Windows.old\System32\config\ELAM.LOG*,lazy_ntfs,
731,userdiff registry hive,Registry,Windows\System32\config\userdiff,lazy_ntfs,
732,userdiff registry hive,Registry,Windows.old\Windows\System32\config\userdiff,lazy_ntfs,
733,userdiff registry transaction files,Registry,Windows\System32\config\userdiff.LOG*,lazy_ntfs,
734,userdiff registry transaction files,Registry,Windows.old\System32\config\userdiff.LOG*,lazy_ntfs,
735,VSMIDK registry hive,Registry,Windows\System32\config\VSMIDK,lazy_ntfs,
736,VSMIDK registry hive,Registry,Windows.old\Windows\System32\config\VSMIDK,lazy_ntfs,
737,VSMIDK registry transaction files,Registry,Windows\System32\config\VSMIDK.LOG*,lazy_ntfs,
738,VSMIDK registry transaction files,Registry,Windows.old\System32\config\VSMIDK.LOG*,lazy_ntfs,
739,SAM registry transaction files,Registry,Windows\System32\config\SAM.LOG*,lazy_ntfs,
740,SAM registry transaction files,Registry,Windows.old\Windows\System32\config\SAM.LOG*,lazy_ntfs,
741,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
742,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
743,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
744,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
745,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
746,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
747,SAM registry hive,Registry,Windows\System32\config\SAM,lazy_ntfs,
748,SAM registry hive,Registry,Windows.old\Windows\System32\config\SAM,lazy_ntfs,
749,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs,
750,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs,
751,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
752,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
753,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs,
754,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs,
755,RegBack registry transaction files,Registry,Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
756,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
757,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SAM,lazy_ntfs,
758,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SAM,lazy_ntfs,
759,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
760,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
761,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
762,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
763,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
764,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
765,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
766,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
767,System Profile registry hive,Registry,Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
768,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
769,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
770,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
771,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
772,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
773,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
774,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
775,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
776,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
777,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
778,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
779,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*,lazy_ntfs,
780,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*\NTUSER.DAT,lazy_ntfs,
781,NTUSER.DAT registry hive,Registry,Users\*\NTUSER.DAT,lazy_ntfs,
782,NTUSER.DAT registry transaction files,Registry,Users\*\NTUSER.DAT.LOG*,lazy_ntfs,
783,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config\DEFAULT,lazy_ntfs,
784,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config\DEFAULT,lazy_ntfs,
785,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
786,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
787,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat,lazy_ntfs,
788,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*,lazy_ntfs,
789,RemoteUtilities Connection Logs,Remote Access,Program Files*\Remote Utilities - Host\Logs\rut_log_*.html,lazy_ntfs,Includes connection log files
790,RemoteUtilities Install Log,Remote Access,ProgramData\Remote Utilities\install.log,lazy_ntfs,Includes Install log file
791,NTUSER.DAT registry hive,Registry,**10\NTUSER.DAT,lazy_ntfs,
792,NTUSER.DAT registry transaction files,Registry,**10\NTUSER.DAT.LOG*,lazy_ntfs,
793,NTUSER.DAT DEFAULT registry hive,Registry,**10\DEFAULT,lazy_ntfs,
794,NTUSER.DAT DEFAULT transaction files,Registry,**10\DEFAULT.LOG*,lazy_ntfs,
795,UsrClass.dat registry hive,Registry,**10\UsrClass.dat,lazy_ntfs,
796,UsrClass.dat registry transaction files,Registry,**10\UsrClass.dat.LOG*,lazy_ntfs,
797,LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
797,Desktop LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
798,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
798,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
799,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\*,lazy_ntfs,
800,PowerPoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\PowerPoint\*,lazy_ntfs,
801,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\*,lazy_ntfs,
802,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
802,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
803,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
803,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
804,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
804,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
805,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
805,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
806,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
806,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
807,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
807,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
808,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
808,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
809,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
809,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
810,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
810,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
811,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
811,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
812,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
812,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
813,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
813,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
814,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
814,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
815,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
815,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
816,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
816,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
817,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
817,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
818,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
818,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
819,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
819,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
820,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
820,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
821,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
821,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
822,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
822,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
823,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
823,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
824,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
824,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
825,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
825,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
826,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
826,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
827,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
827,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
828,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
828,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
829,Amcache,ApplicationCompatibility,**10\Amcache.hve,lazy_ntfs,
830,Amcache transaction files,ApplicationCompatibility,**10\Amcache.hve.LOG*,lazy_ntfs,
831,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
831,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
832,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
832,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
833,Robo-FTP User Scripts,Apps,Program Files\Robo-FTP 3.12\UserData\*\Scripts\*.s,lazy_ntfs,Custom scripts created by each user
834,Robo-FTP User Debug Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Debug\*.log,lazy_ntfs,"Debug logs generated for each user, if enabled"
835,Robo-FTP User Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Logs\*,lazy_ntfs,Script and Trace logs generated for each user
836,Robo-FTP User XML Config,Apps,Program Files\Robo-FTP 3.12\UserData\*\config.xml,lazy_ntfs,Config.xml unique to each user. Contains list of custom scripts and ftp sites
837,Robo-FTP User SSH Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\*,lazy_ntfs,Saved SSH keys for each user
838,Robo-FTP User SSL Certificates,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\*,lazy_ntfs,Saved SSL Certificates for each user
839,Robo-FTP User PGP Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\*,lazy_ntfs,Saved PGP Keys for each user
840,Robo-FTP SSH Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\*,lazy_ntfs,Shared SSH keys
841,Robo-FTP SSL Certificates,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\*,lazy_ntfs,Shared SSL Certificates
842,Robo-FTP PGP Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\*,lazy_ntfs,Shared PGP Keys
843,Robo-FTP Debug Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Debug\*,lazy_ntfs,Debug logs generated by Robo-FTP
844,Robo-FTP Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Logs\*,lazy_ntfs,Script and Trace logs generated by Robo-FTP
845,Robo-FTP XML Config,Apps,Program Files\Robo-FTP 3.12\ProgramData\config.xml,lazy_ntfs,Config.xml. Contains list of custom scripts and ftp sites
846,Robo-FTP Jobs,Apps,Program Files\Robo-FTP 3.12\ProgramData\SchedulerService.sqlite,lazy_ntfs,Contains details of scheduled jobs
847,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs\AdliceReport_*.json,lazy_ntfs,
848,RustDesk logs,Communications,Users\*\AppData\Roaming\RustDesk\*,lazy_ntfs,Collects all log files related to RustDesk
849,RustDesk logs,Communications,Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server,lazy_ntfs,Collects all log files related to RustDesk
850,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs\sabnzbd.log,lazy_ntfs,Locates SABnzbd download log
851,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin\history1.db,lazy_ntfs,Locates SABnzbd history log
852,SCCM Client Log Files,Logs,Windows\CCM\Logs,lazy_ntfs,
853,SDB Files,Executables,Windows\apppatch\Custom\*.sdb,lazy_ntfs,
854,SDB Files,Executables,Windows.old\Windows\apppatch\Custom\*.sdb,lazy_ntfs,
855,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
856,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
857,4K Video Downloader,SQLDatabases,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
858,Microsoft OneNote - FullTextSearchIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
859,Microsoft OneNote - RecentNotebooks_SeenURLs,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
860,Microsoft OneNote - AccessibilityCheckerIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
861,Microsoft OneNote - User NoteTags,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
862,Microsoft OneNote - RecentSearches,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
863,Microsoft Sticky Notes - 1607 and later,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
864,Microsoft To Do - SQLite Database of To Do tasks,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
865,Robo-FTP Jobs,Apps,Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite,lazy_ntfs,
866,TeraCopy - History Databases,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\History\*.db,lazy_ntfs,
867,TeraCopy - Main Database,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\main.db,lazy_ntfs,
868,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,
869,IDrive Backed Up Files,App,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs,lazy_ntfs,
870,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\filecache.db*,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
871,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\config.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
872,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\home.db,lazy_ntfs,SQlite database which appears to keep track of the user's recent Dropbox activity
873,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\icon.db,lazy_ntfs,SQLite database which appears to keep track of icons in the user's Drobox sync history which can give an indication as to which files and folders are present
874,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync_history.db,lazy_ntfs,SQLite database which appears to keep track of the user's Drobox sync history
875,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*,lazy_ntfs,SQLite database which appears to contain a table for deleted files
876,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
877,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
878,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\aggregation.dbx,lazy_ntfs,SQLite database which appears to contain snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch
879,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
879,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
880,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db,lazy_ntfs,Windows_GoogleDrive_CloudGraphDB.smap
881,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\TempData\*\change_buffer\**10,lazy_ntfs,DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive
882,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\snapshot.db,lazy_ntfs,Windows_GoogleDrive_SnapshotDB.smap
883,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\sync_config.db,lazy_ntfs,Windows_GoogleDrive_SyncConfigDB.smap
884,FileZilla SQLite3 Log Files,SQLDatabases,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs,
885,Chrome bookmarks XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
886,Chrome Cookies XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
887,Chrome Current Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
888,Chrome Current Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
889,Chrome Favicons XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
890,Chrome History XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs,
891,Chrome Last Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
892,Chrome Last Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
893,Chrome Login Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
894,Chrome Preferences XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
895,Chrome Shortcuts XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
896,Chrome Top Sites XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
897,Chrome Visited Links XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
898,Chrome Web Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
899,Chrome bookmarks,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
900,Chrome Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
901,Chrome Current Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
902,Chrome Current Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
903,Chrome Download Metadata,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
904,Chrome Extension Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
905,Chrome Favicons,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
906,Chrome History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
907,Chrome Last Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
908,Chrome Last Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
909,Chrome Login Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
910,Chrome Media History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
911,Chrome Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
912,Chrome Network Persistent State,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
913,Chrome Preferences,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
914,Chrome Quota Manager,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
915,Chrome Reporting and NEL,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
916,Chrome Shortcuts,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
917,Chrome Top Sites,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
918,Chrome Trust Tokens,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
919,Chrome SyncData Database,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
920,Chrome Visited Links,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
921,Chrome Web Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
922,Edge bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
922,Edge Bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
923,Edge Collections,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs,
924,Edge Cookies,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cookies*,lazy_ntfs,
925,Edge Current Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs,
926,Edge Current Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs,
927,Edge Favicons,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs,
928,Edge History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs,
929,Edge Last Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs,
930,Edge Last Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs,
931,Edge Login Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs,
932,Edge Media History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs,
933,Edge Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs,
934,Edge Preferences,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs,
935,Edge Shortcuts,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs,
936,Edge Top Sites,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs,
937,Edge SyncData Database,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
938,Edge Visited Links,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs,
939,Edge Web Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs,
940,Addons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
941,Bookmarks,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs,
942,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
943,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs,
944,Downloads,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
945,Favicons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
946,Form history,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
947,Permissions,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs,
948,Places,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
949,Protections,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs,
950,Search,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
951,Signons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
952,Storage Sync,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs,
953,Webappstore,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
954,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
955,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
956,ActivitiesCache.db,SQLDatabases,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs,
957,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs,
958,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases
959,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
960,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
961,SRUM,Execution,Windows\System32\SRU\**10,lazy_ntfs,
962,SRUM,Execution,Windows.old\Windows\System32\SRU\**10,lazy_ntfs,
963,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
964,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
965,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
966,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
967,SUM Database (.mdb files),Logs,Windows\System32\LogFiles\SUM\*.mdb,lazy_ntfs,"Grabs Current.mdb, SystemIdentity.mdb, and [GUID].mdb"
968,SUPERAntiSpyware Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\**10,lazy_ntfs,
969,SUSE Linux Enterprise Server WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\os-release,lazy_ntfs,
970,SUSE Linux Enterprise Server WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\fstab,lazy_ntfs,
971,SUSE Linux Enterprise Server WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\passwd,lazy_ntfs,
972,SUSE Linux Enterprise Server WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\group,lazy_ntfs,
973,SUSE Linux Enterprise Server WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\shadow,lazy_ntfs,
974,SUSE Linux Enterprise Server WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\timezone,lazy_ntfs,
975,SUSE Linux Enterprise Server WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hostname,lazy_ntfs,
976,SUSE Linux Enterprise Server WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hosts,lazy_ntfs,
977,SUSE Linux Enterprise Server WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
978,SUSE Linux Enterprise Server WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\profile,lazy_ntfs,
979,SUSE Linux Enterprise Server WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
980,SUSE Linux Enterprise Server WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
981,SUSE Linux Enterprise Server WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.profile,lazy_ntfs,
982,SUSE Linux Enterprise Server WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\ext4.vhdx,lazy_ntfs,
983,at .job,Persistence,Windows\Tasks\*.job,lazy_ntfs,
984,at .job,Persistence,Windows.old\Windows\Tasks\*.job,lazy_ntfs,
985,at SchedLgU.txt,Persistence,Windows\SchedLgU.txt,lazy_ntfs,
986,at SchedLgU.txt,Persistence,Windows.old\Windows\SchedLgU.txt,lazy_ntfs,
987,XML,Persistence,Windows\System32\Tasks\**10,lazy_ntfs,
988,XML,Persistence,Windows\syswow64\Tasks\**10,lazy_ntfs,
989,XML,Persistence,Windows.old\Windows\System32\Tasks\**10,lazy_ntfs,
990,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\Session.db,lazy_ntfs,SQLite database with session information
991,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\User.xml,lazy_ntfs,Contains each user's last authenticated time
992,ScreenConnect User Config,ApplicationLogs,ProgramData\ScreenConnect Client*\user.config,lazy_ntfs,Contains server domain and IP info
993,SecureAge Antvirus Logs,Antivirus,ProgramData\SecureAge Technology\SecureAge\log\**10,lazy_ntfs,
994,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs\**10,lazy_ntfs,Logs are in Binary Format (.binlog)
995,Session App Folder,Apps,Users\*\AppData\Roaming\Session\**10,lazy_ntfs,Session App Folder
996,ShareX,Apps,Users\*\Documents\ShareX\**10,lazy_ntfs,Locates and captures all files within the default ShareX folder path
997,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza\**10,lazy_ntfs,Locates Shareaza logs and copies them.
998,Siemens TIA Settings,ICS,Users\*\AppData\Roaming\Siemens\Automation\Portal*\Settings\**10,lazy_ntfs,
999,Signal Attachments cache,Communications,Users\*\AppData\Roaming\Signal\attachments.noindex\**10,lazy_ntfs,Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with
1000,Signal Logs,Communications,Users\*\AppData\Roaming\Signal\logs\**10,lazy_ntfs,"Logs for Signal. Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc."
1001,Signal config.json,Communications,Users\*\AppData\Roaming\Signal\config.json,lazy_ntfs,config.json holds the db.sqlite SQLCipher raw key
1002,Signal Database,Communications,Users\*\AppData\Roaming\Signal\sql\db.sqlite,lazy_ntfs,"Stores attachment details, conversations, messages, and more"
1003,SignatureCatalog,FileMetadata,Windows\System32\CatRoot\**10,lazy_ntfs,
1004,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot\**10,lazy_ntfs,
1005,main.db (App <v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db,lazy_ntfs,
1006,skype.db (App +v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db,lazy_ntfs,
1007,main.db XP,Communications,Documents and Settings\*\Application Data\Skype\*\main.db,lazy_ntfs,
1008,main.db Win7+,Communications,Users\*\AppData\Roaming\Skype\*\main.db,lazy_ntfs,
1009,s4l-[username].db (App +v8),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db,lazy_ntfs,
1010,leveldb (Skype for Desktop +v8),Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\**10,lazy_ntfs,
1011,Skype for Destkop v8+ Chromium Cache,Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\Cache\**10,lazy_ntfs,Can be viewed with Nirsoft's ChromeCacheView
1012,Slack - Chat Logs,Apps,Users\*\AppData\Roaming\Slack\IndexedDB\**10,lazy_ntfs,Locates Slack logs and copies them
1013,Slack LevelDB Files,Apps,Users\*\AppData\Roaming\Slack\Local Storage\leveldb\**10,lazy_ntfs,
1014,Slack Electron Logs,Apps,Users\*\AppData\Roaming\Slack\logs\**10,lazy_ntfs,Current Slack application is based on Electron and additional logging can be found here.
1015,Slack Cache,Apps,Users\*\AppData\Roaming\Slack\Cache\**10,lazy_ntfs,Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView
1016,Slack Storage,Apps,Users\*\AppData\Roaming\Slack\storage\**10,lazy_ntfs,User activity logs can be present including slack-downloads log
1017,Snagit - Captures,Apps,Users\*\AppData\Local\TechSmith\Snagit\DataStore,lazy_ntfs,Locates all Snagit captures
1018,Snip & Sketch,FileKnowledge,Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\*.png,lazy_ntfs,Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows
1019,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
1020,Sophos Logs,Antivirus,ProgramData\Sophos\*\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
1021,Sophos Logs,Antivirus,ProgramData\Sophos\Logs\**10,lazy_ntfs,Contains SophosUnifiedSupport.log
1022,Soulseek Chat Logs,FileDownload,Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs\**10,lazy_ntfs,Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22.
1023,Soulseek Search History/Shared Folders/Settings,FileDownload,Users\*\AppData\Local\SoulseekQt\1\*.dat,lazy_ntfs,"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item)."
1024,SpeedCommander - .ini File,Apps,Users\*\AppData\Roaming\SpeedProject\SpeedCommander 19\*,lazy_ntfs,Locates folder where all configuration files reside
1025,Splashtop Log Files,Software,Program Files*\Splashtop\Splashtop Remote\Server\log\**10,lazy_ntfs,Collects logs for Splashtop
1026,Splashtop Log Files in ProgramData,Software,ProgramData\Splashtop\Temp\log\**10,lazy_ntfs,Collects logs for Splashtop
1027,User startup folders,Persistence,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs,lazy_ntfs,
1028,System-wide startup folder,Persistence,ProgramData\Microsoft\Windows\Start Menu\Programs,lazy_ntfs,
1029,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
1030,StartupInfo XML Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
1031,Steam Game Image files,Apps,Program Files\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
1032,Steam Login Metadata file,Apps,Program Files\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
1033,Steam Friend List and Username History file,Apps,Program Files\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
1034,Steam User Avatar files,Apps,Program Files\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
1035,Steam Game Tray Icon files,Apps,Program Files\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
1036,Steam Startup Times Log file,Apps,Program Files\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
1037,Steam Game Image files,Apps,Program Files (x86)\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
1038,Steam Login Metadata file,Apps,Program Files (x86)\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
1039,Steam Friend List and Username History file,Apps,Program Files (x86)\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
1040,Steam User Avatar files,Apps,Program Files (x86)\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
1041,Steam Game Tray Icon files,Apps,Program Files (x86)\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
1042,Steam Startup Times Log file,Apps,Program Files (x86)\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
1043,SublimeText 2/3 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Settings\Session.sublime_session,lazy_ntfs,Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file
1044,SublimeText 4 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Local\*.sublime_session,lazy_ntfs,Sublime Text 4 stores unsaved (temporary) files and its content in its .sublime_session files
1045,SugarSync Log File,Apps,Users\*\AppData\Local\SugarSync\sc1.log,lazy_ntfs,Locates a log file the gives a play-by-play of what the user synced when.
1046,SugarSync - Shared Folders (Default Location),Apps,Users\*\Documents\SugarSync Shared Folders\**10,lazy_ntfs,
1047,SugarSync - My SugarSync (Default Location),Apps,Users\*\Documents\My SugarSync\**10,lazy_ntfs,
1048,SumatraPDF Settings - SessionData,FileKnowledge,Users\*\AppData\Local\SumatraPDF\SumatraPDF-settings.txt,lazy_ntfs,Settings file which contains information about previous user session
1049,SumatraPDF Cache,FileKnowledge,Users\*\AppData\Local\SumatraPDF\sumatrapdfcache,lazy_ntfs,Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close
1050,Supremo Connection Logs,Communications,ProgramData\SupremoRemoteDesktop\Log\*.log,lazy_ntfs,Includes Supremo.00.Client.log and Supremo.00.Incoming.log
1051,Supremo File Transfer Inbox,Communications,ProgramData\SupremoRemoteDesktop\Inbox,lazy_ntfs,Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log
1052,Symantec Endpoint Protection Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\**10,lazy_ntfs,
1053,Symantec Endpoint Protection Logs,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\**10,lazy_ntfs,
1054,Symantec Endpoint Protection User Logs,Antivirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\**10,lazy_ntfs,
1055,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
1056,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
1057,Symantec Endpoint Protection Quarantine (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**10,lazy_ntfs,
1058,Symantec Endpoint Protection Quarantine,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**10,lazy_ntfs,
1059,ccSubSDK Database,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**10,lazy_ntfs,
1060,registrationInfo.xml,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml,lazy_ntfs,
1061,Syscache,Program Execution,System Volume Information\Syscache.hve,lazy_ntfs,
1062,Syscache transaction files,Program Execution,System Volume Information\Syscache.hve.LOG*,lazy_ntfs,
1063,Tablacus Explorer - remember.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\remember.xml,lazy_ntfs,
1064,Tablacus Explorer - window.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window.xml,lazy_ntfs,
1065,Tablacus Explorer - window1.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window1.xml,lazy_ntfs,
1066,TeamViewer Connection Logs,Communications,Program Files*\TeamViewer\connections*.txt,lazy_ntfs,Includes connections_incoming.txt and connections.txt
1067,TeamViewer Application Logs,ApplicationLogs,Program Files*\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log
1068,TeamViewer Application User Logs,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Alternate location for TeamViewer<version>_Logfile.log
1069,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\**10,lazy_ntfs,Includes miscellaneous config files
1070,Telegram app folder,Apps,Users\*\AppData\Roaming\Telegram Desktop\**10,lazy_ntfs,Telegram app folder structure
1071,Telegram downloaded files,Apps,Users\*\Downloads\Telegram Desktop\**10,lazy_ntfs,Chat Attachments
1072,TeraCopy,TeraCopy,Users\*\AppData\Roaming\TeraCopy\**10,lazy_ntfs,
1073,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db,lazy_ntfs,
1074,Mozilla Thunderbird Install Date,Apps,Users\*\AppData\Roaming\Thunderbird\Crash Reports\InstallTime*,lazy_ntfs,Holds install time in Unix Seconds timestamp
1075,Mozilla Thunderbird Profiles.ini,Apps,Users\*\AppData\Roaming\Thunderbird\profiles.ini,lazy_ntfs,Profiles list - can hold references to other profiles held elsewhere on the device
1076,Mozilla Thunderbird prefs.js,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\prefs.js,lazy_ntfs,User Preferences for that profile
1077,Mozilla Thunderbird Global Messages Database,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\global-messages-db.sqlite,lazy_ntfs,"Holds list of contacts, emails, and other potentially useful artifacts"
1078,Mozilla Thunderbird logins.json,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\logins.json,lazy_ntfs,"Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more"
1079,Mozilla Thunderbird places.sqlite,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\places.sqlite,lazy_ntfs,"Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too"
1080,Mozilla Thunderbird ImapMail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
1081,Mozilla Thunderbird Mail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
1082,Mozilla Thunderbird Calendar Data,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\local.sqlite,lazy_ntfs,Holds local calendar data
1083,Mozilla Thunderbird Attachments,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*,lazy_ntfs,Holds attachments
1084,Mozilla Thunderbird Address Book,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\abook.sqlite,lazy_ntfs,Holds local address book
1085,Torrents,FileDownload,**10\*.torrent,lazy_ntfs,
1086,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs\**10,lazy_ntfs,
1087,TotalAV Logs,Antivirus,ProgramData\TotalAV\logs\**10,lazy_ntfs,
1088,Total Commander - .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wincmd.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
1089,Total Commander - Log File,Apps,**10\totalcmd.log,lazy_ntfs,Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified.
1090,Total Commander - Temp Files Created During Folder Traversal,Apps,Users\*\AppData\Local\Temp\FTP*.tmp,lazy_ntfs,Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed.
1091,Total Commander - FTP .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wcx_ftp.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful FTP information.
1092,Total Commander - File Tree,Apps,Users\*\AppData\Local\GHISLER\treeinfo*.wc,lazy_ntfs,Locates a file that contains an exhaustive file tree of a user's file system.
1093,Total Commander - Frequent Directory Listing,Apps,Users\*\AppData\Local\GHISLER\tcDirFrq.txt,lazy_ntfs,Locates a file that contains a frequently accessed folder listing.
1094,Total Commander - FTP Logs,Apps,Users\*\AppData\Local\Temp\tcftp.log,lazy_ntfs,Locates a file that contains the Total Commander FTP logs.
1095,TreeSize - ScanHistory.XML,Apps,Users\*\AppData\Roaming\JAM Software\TreeSize\scanhistory.xml,lazy_ntfs,Locates XML file that provides a list of previously scanned directories by the user.
1096,Trend Micro Logs,Antivirus,ProgramData\Trend Micro\**10,lazy_ntfs,
1097,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report\*.log,lazy_ntfs,
1098,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog\*.log,lazy_ntfs,
1099,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects all logs for UEMS
1100,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Users\*\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects User logs for UEMS
1101,Setupapi.log XP,USBDevices,Windows\setupapi.log,lazy_ntfs,
1102,Setupapi.log Win7+,USBDevices,Windows\inf\setupapi.*.log,lazy_ntfs,
1103,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf\setupapi.*.log,lazy_ntfs,
1104,Ubuntu WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\os-release,lazy_ntfs,
1105,Ubuntu WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\fstab,lazy_ntfs,
1106,Ubuntu WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\passwd,lazy_ntfs,
1107,Ubuntu WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\group,lazy_ntfs,
1108,Ubuntu WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\shadow,lazy_ntfs,
1109,Ubuntu WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\timezone,lazy_ntfs,
1110,Ubuntu WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hostname,lazy_ntfs,
1111,Ubuntu WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hosts,lazy_ntfs,
1112,Ubuntu WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\crontab,lazy_ntfs,
1113,Ubuntu WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
1114,Ubuntu WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\profile,lazy_ntfs,
1115,Ubuntu WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
1116,Ubuntu WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
1117,Ubuntu WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.profile,lazy_ntfs,
1118,Ubuntu WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
1119,Ubuntu WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
1120,Ubuntu WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\ext4.vhdx,lazy_ntfs,
1121,UltraViewer User Logs,Remote Access,Users\*\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
1122,UltraViewer System Logs,Remote Access,Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
1123,UltraViewer Service Log,Remote Access,Program Files*\UltraViewer\UltraViewerService_log.txt,lazy_ntfs,UltraViewer Service log file
1124,UltraViewer Connection Log,Remote Access,Program Files*\UltraViewer\ConnectionLog.Log,lazy_ntfs,UltraViewer Service level connection log
1125,Usenet (NZB) Files,FileDownload,**10\*.nzb,lazy_ntfs,
1126,Users,Application,Users\*\**10,lazy_ntfs,
1127,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs\**10,lazy_ntfs,
1128,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business\**10,lazy_ntfs,
1129,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\**10,lazy_ntfs,
1130,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\**10,lazy_ntfs,
1131,VLC Recently Opened Files,Apps,Users\*\AppData\Roaming\vlc\vlc-qt-interface.ini,lazy_ntfs,Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening
1132,VLC Recorded Files,Apps,Users\*\Videos\vlc-*.avi,lazy_ntfs,"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC"
1133,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk.
1134,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
1135,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
1136,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
1137,RealVNC Log,ApplicationLogs,Users\*\AppData\Local\RealVNC\vncserver.log,lazy_ntfs,https://www.realvnc.com/en/connect/docs/logging.html#logging
1138,RealVNC Log,ApplicationLogs,ProgramData\RealVNC-Service\vncserver.log,lazy_ntfs,https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging-
1139,TightVNC Application Logs,ApplicationLogs,ProgramData\TightVNC\Server\Logs,lazy_ntfs,https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf
1140,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC\config.db,lazy_ntfs,Configuration file for Viber
1141,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*\viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more"
1142,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users
1143,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds
1144,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images
1145,VirtualBox VM configs,Apps,**10\*.vbox,lazy_ntfs,Locates all .vbox VM configuration files on disk
1146,VirtualBox VM backup configs,Apps,**10\*.vbox-prev,lazy_ntfs,Locates all backup .vbox VM configuration files on disk
1147,VirtualBox Logs,Apps,**10\VBox.log,lazy_ntfs,Locates all VBox.log files on disk
1148,VirtualBox Backup Logs,Apps,**10\VBox.log.*,lazy_ntfs,Locates all backup VBox.log files on disk - these can show historic VM usage
1149,VirtualBox Hardening Logs,Apps,**10\VBoxHardening.log,lazy_ntfs,Locates all VBoxHardening.log files on disk
1150,VirtualBox,Memory,**10\*.sav,lazy_ntfs,Captures all partial memory images from VirtualBox.
1151,VHD,Disk Images,**10\*.VHD,lazy_ntfs,
1152,VHDX,Disk Images,**10\*.VHDX,lazy_ntfs,
1153,VDI,Disk Images,**10\*.VDI,lazy_ntfs,
1154,VMDK,Disk Images,**10\*.VMDK,lazy_ntfs,
1155,VSCode Opened Files,Apps,Users\*\AppData\Roaming\Code\User\History\*\**10,lazy_ntfs,Grabs the files in the VSCode history. These are files the user has opened with VSCode
1156,VSCode Workspaces,Apps,Users\*\AppData\Roaming\Code\User\globalStorage\storage.json*,lazy_ntfs,Grabs the file containing information about the users workspaces
1157,VSCode User extensions,Apps,Users\*\AppData\Roaming\Code\CachedExtensions\user*,lazy_ntfs,Grabs the files relating to the users installed extensions
1158,VSCode User settings,Apps,Users\*\AppData\Roaming\Code\User\settings.json*,lazy_ntfs,Grabs the file containing the settings the user has set.
1159,VSCode User Preferences,Apps,Users\*\AppData\Roaming\Code\preferences*,lazy_ntfs,Grabs the file containing the preferences the user has set.
1160,VSCode Network Cookies,Apps,Users\*\AppData\Roaming\Code\Network\Cookies*,lazy_ntfs,Grabs the cookie files. Same format as Chromium Cookies
1161,VSCode Network Persistent State,Apps,Users\*\AppData\Roaming\Code\Network\Network Persistent State*,lazy_ntfs,Grabs the Network Persistent State file. Same format as in Chromium
1162,VSCode Logs,Apps,Users\*\AppData\Roaming\Code\logs\**10,lazy_ntfs,"Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital."
1163,Vivaldi Cookies,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Cookies*,lazy_ntfs,
1164,Vivaldi Network Persistent State,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Network Persistent State,lazy_ntfs,
1165,Vivaldi Favicons,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Favicons*,lazy_ntfs,
1166,Vivaldi History,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\History*,lazy_ntfs,
1167,Vivaldi Sessions Folder,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Sessions\*,lazy_ntfs,
1168,Vivaldi Login Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Login Data,lazy_ntfs,
1169,Vivaldi Network Action Predictor,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Network Action Predictor,lazy_ntfs,
1170,Vivaldi Preferences,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Preferences,lazy_ntfs,
1171,Vivaldi Top Sites,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Top Sites*,lazy_ntfs,
1172,Vivaldi Bookmarks,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Bookmarks*,lazy_ntfs,
1173,Vivaldi Visited Links,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Visited Links,lazy_ntfs,
1174,Vivaldi Web Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Web Data*,lazy_ntfs,
1175,Vivaldi User Tracking,Communications,Users\*\.vivaldi_reporting_data*,lazy_ntfs,
1176,Vivaldi Calendar,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Calendar*,lazy_ntfs,
1177,Vivaldi Contacts,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Contacts*,lazy_ntfs,
1178,Vivaldi Notes,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Notes*,lazy_ntfs,
1179,Vivaldi Download Metadata,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\DownloadMetadata*,lazy_ntfs,
1180,WBEM,WBEM,Windows\System32\wbem\Repository\**10,lazy_ntfs,
1181,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository\**10,lazy_ntfs,
1182,WER Files,Executables,ProgramData\Microsoft\Windows\WER\**10,lazy_ntfs,
1183,WER Files,Executables,Users\*\AppData\Local\Microsoft\Windows\WER\**10,lazy_ntfs,
1184,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps\*.dmp,lazy_ntfs,
1185,Crash Dumps,SQL Exploitation,Windows\*.dmp,lazy_ntfs,
1186,Crash Dumps,SQL Exploitation,Windows.old\Windows\*.dmp,lazy_ntfs,
1187,Webroot Program Data,Antivirus,ProgramData\WRData\WRLog.log,lazy_ntfs,
1188,WhatsApp Cache,Apps,Users\*\AppData\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
1189,WhatsApp Local Storage,Apps,Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
1190,Microsoft Store WhatsApp Cache,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
1191,Microsoft Store WhatsApp Local Storage,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
1192,Microsoft Store WhatsApp Desktop Profile Pictures,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures,lazy_ntfs,"Copies the local store of contacts profile pictures, simply open with a photos software"
1193,Microsoft Store WhatsApp Shared Media,Apps,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers\**10\*.{jpg,mp4,pdf,webp}",lazy_ntfs,"Copies the shared media, can get very large."
1194,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs,
1195,WinSCP (.ini file),Logs,**10\WinSCP.ini,lazy_ntfs,
1196,Recall folder,FileKnowledge,Users\*\AppData\Local\CoreAIPlatform.00\UKP\**10,lazy_ntfs,
1197,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support\**10,lazy_ntfs,
1198,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
1199,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
1200,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support\**10,lazy_ntfs,
1201,Windows Defender Logs,Antivirus,Windows\Temp\MpCmdRun.log,lazy_ntfs,
1202,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp\MpCmdRun.log,lazy_ntfs,
1203,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs,
1204,Windows Defender Quarantine,Antivirus,ProgramData\Microsoft\Windows Defender\Quarantine\**10,lazy_ntfs,
1205,Windows Defender Detections.log,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log,lazy_ntfs,
1206,Windows Firewall Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs,
1207,Windows Firewall Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs,
1208,Cryptokeys,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\**10,lazy_ntfs,
1209,Masterkey,Windows Hello,Windows\System32\Microsoft\Protect\S-1-5-18\User\**10,lazy_ntfs,
1210,NGC,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\**10,lazy_ntfs,
1211,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
1212,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
1213,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
1214,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
1215,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
1216,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
1217,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs,
1218,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs,
1219,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
1220,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
1221,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs,
1222,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs,
1223,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
1224,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
1225,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
1226,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
1227,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
1228,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
1229,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
1230,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
1231,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows\*,lazy_ntfs,
1232,GatherLogs,FileKnowledge,programdata\microsoft\search\data\applications\windows\GatherLogs\**10,lazy_ntfs,
1233,Network setting files,Misc,windows\system32\drivers\etc\**10,lazy_ntfs,
1234,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
1235,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
1236,MigLog.xml,OS Upgrade,Windows\Panther\MigLog.xml,lazy_ntfs,
1237,Setupact.log,OS Upgrade,Windows\Panther\Setupact.log,lazy_ntfs,
1238,HumanReadable.xml,OS Upgrade,Windows\Panther\*HumanReadable.xml,lazy_ntfs,
1239,FolderMoveLog.txt,OS Upgrade,Windows\Panther\Rollback\FolderMoveLog.txt,lazy_ntfs,
1240,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs,
1241,Windows Power Diagnostics,Diagnostics,ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\**10,lazy_ntfs,
1242,DNS Netlogon files,DNS,Windows\System32\config\**10\netlogon.*,lazy_ntfs,
1243,DNS files,DNS,Windows\System32\dns\**10,lazy_ntfs,
1244,DHCP files,DHCP,Windows\System32\dhcp\**10,lazy_ntfs,
1245,Diagnostic Logs for WSA,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\diagnostics\logcat\*.log,lazy_ntfs,Filenames should be %timestamp%.log
1246,App download artifacts (PNG),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.png,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded
1247,App download artifacts (ICO),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.ico,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded WHEN since .ico files appear immediately when download of an application completes
1248,Appcompatdb.json,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\appcompatdb.json,lazy_ntfs,"Grabs the appcompatdb.json, unknown exactly what this is but further relevance could be uncovered after more research is conducted"
1249,userdata.vhdx,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\userdata.vhdx,lazy_ntfs,Grabs the user's data which appears to be stored in a VHDX
1250,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs,
1251,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs,
1252,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\**10\ActivitiesCache.db*,lazy_ntfs,
1253,Windows Update Session Orchestrator logs,EventLogs,ProgramData\USOShared\Logs\System\**10\*.etl,lazy_ntfs,
1254,Windows Update logs,EventLogs,Windows\Logs\WindowsUpdate\**10\WindowsUpdate*.etl,lazy_ntfs,
1255,Windows Component-Based Servicing logs,EventLogs,Windows\Logs\CBS\**10\CBS*.log,lazy_ntfs,
1256,Windows Your Phone - All Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\**10,lazy_ntfs,Locates all Your Phone database files
1257,System Volume Information,Folder capture,System Volume Information\**10,lazy_ntfs,
1258,XYplorer - .ini file,Apps,Users\*\AppData\Roaming\XYplorer\XYplorer.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
1259,XYplorer - .ini file for each respective pane,Apps,Users\*\AppData\Roaming\XYplorer\Panes\*\**10\pane.ini,lazy_ntfs,Locates the .ini file for the left and right pane.
1260,XYplorer - AutoBackup folder,Apps,Users\*\AppData\Roaming\XYplorer\AutoBackup\**10,lazy_ntfs,Locates the AutoBackup folder and copies its contents.
1261,XYplorer - .dat files,Apps,Users\*\AppData\Roaming\XYplorer\**10\*.dat,lazy_ntfs,"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit."
1262,Xeox RMM Client Application logs,ApplicationLogs,Program Files\Xeox\*.log,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
1263,Yandex Cookies,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Cookies*,lazy_ntfs,
1264,Yandex Network Persistent State,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Network Persistent State,lazy_ntfs,
1265,Yandex Favicons,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Favicons*,lazy_ntfs,
1266,Yandex History,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\History*,lazy_ntfs,
1267,Yandex Sessions Folder,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\*,lazy_ntfs,
1268,Yandex Login Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Passman Data*,lazy_ntfs,
1269,Yandex Network Action Predictor,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Network Action Predictor,lazy_ntfs,
1270,Yandex Preferences,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Preferences,lazy_ntfs,
1271,Yandex Top Sites,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Top Sites*,lazy_ntfs,
1272,Yandex Bookmarks,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Bookmarks*,lazy_ntfs,
1273,Yandex Visited Links,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Visited Links,lazy_ntfs,
1274,Yandex Web Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Web Data*,lazy_ntfs,
1275,Yandex Autofill data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Autofill Data*,lazy_ntfs,
1276,Yandex Passman logs,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Passman Logs*,lazy_ntfs,
1277,Yandex Shortcuts,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Shortcuts*,lazy_ntfs,
1278,Zoho Assist log files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in AppData
ocal
1279,Zoho Assist .conf files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Settings)
1280,Zoho Assist log files in ProgramData,Apps,ProgramData\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in ProgramData
1281,Zoho Assist .conf files,Apps,ProgramData\ZohoMeeting\**10\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Proxy/Settings)
1282,Zoho Assist log files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs\**10,lazy_ntfs,Zoho Assist log files in Program Files*
1283,Zoho Assist .conf files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Service/Settings)
1284,Zoho Assist .txt files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.txt,lazy_ntfs,Grabs all .txt files present in this folder (Service/Settings)
1285,Zoom client logs,Apps,Users\*\AppData\Roaming\Zoom\logs\**10\*,lazy_ntfs,Zoom client artifacts
1286,Zoom client logs (Windows XP),Apps,Documents and Settings\*\Application Data\Zoom\**10\*,lazy_ntfs,Zoom client artifacts (Windows XP)
1287,Zoom client recordings,Apps,Users\*\Documents\Zoom\**10\*,lazy_ntfs,Zoom recording artifacts
1288,Zoom plugin (Outlook),Apps,Users\*\AppData\Roaming\Zoom Plugin\*.json,lazy_ntfs,Zoom plugin artifacts
1289,eMule Logs and Configuration Files,FileDownload,Users\*\AppData\Local\eMule\**10,lazy_ntfs,Locates eMule logs and configuration files and copies them.
1290,eMule part.met files,FileDownload,**10\*.part.met,lazy_ntfs,Locates eMule *.part.met files and copies them.
1291,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple\Mobilesync\Backup\**10,lazy_ntfs,
1292,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup\**10,lazy_ntfs,
1293,iTunes Backup Folder - iOS13,Communications,Users\*\Apple\Mobilesync\Backup\**10,lazy_ntfs,
1294,mIRC Chat Logs (Vista+),Communications,Users\*\AppData\Roaming\mIRC\logs\**10,lazy_ntfs,
1295,mIRC Chat Logs (2000/XP),Communications,Documents and Settings\*\Application Data\mIRC\logs\**10,lazy_ntfs,
1296,mRemoteNG Logs,Communications,Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log,lazy_ntfs,Contains log entries for remote connections
1297,mRemoteNG Connection Configuration and Backups,Communications,Users\*\AppData\Roaming\mRemoteNG\confCons.xml*,lazy_ntfs,"Contains connection config, often with obfuscated credentials"
1298,mRemoteNG Program Settings,Communications,Users\*\AppData\*\mRemoteNG\**10\user.config,lazy_ntfs,Contains user-specific program settings
1299,openSUSE WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\os-release,lazy_ntfs,
1300,openSUSE WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\fstab,lazy_ntfs,
1301,openSUSE WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\passwd,lazy_ntfs,
1302,openSUSE WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\group,lazy_ntfs,
1303,openSUSE WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\shadow,lazy_ntfs,
1304,openSUSE WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\timezone,lazy_ntfs,
1305,openSUSE WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hostname,lazy_ntfs,
1306,openSUSE WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hosts,lazy_ntfs,
1307,openSUSE WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
1308,openSUSE WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\profile,lazy_ntfs,
1309,openSUSE WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
1310,openSUSE WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
1311,openSUSE WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.profile,lazy_ntfs,
1312,openSUSE WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\ext4.vhdx,lazy_ntfs,
1313,pCloud Database,Apps,Users\*\AppData\Local\pCloud\*.db,lazy_ntfs,Database contains all files sync'd with pCloud account.
1314,pCloud Database WAL File,Apps,Users\*\AppData\Local\pCloud\*.db-wal,lazy_ntfs,Write-Ahead Log for pCloud database file.
1315,pCloud Database Shared Memory File,Apps,Users\*\AppData\Local\pCloud\*.db-shm,lazy_ntfs,Shared Memory for the pCloud database file.
1316,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent\*.ini,lazy_ntfs,
1317,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\*,lazy_ntfs,
1318,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\GeoDB\*,lazy_ntfs,Locate .mmdb file for network peer connection analysis.
1319,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\BT_backup\*,lazy_ntfs,Locate active (in-progress) torrent files.
1320,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent\*.dat,lazy_ntfs,
1322,PowerShell Scheduled_Jobs,Persistence,Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
1323,PowerShell Scheduled_Jobs Output,Persistence,Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
1324,PowerShell Scheduled_Jobs Systemprofile,Persistence,Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
1325,PowerShell Scheduled_Jobs Output Systemprofile,Persistence,Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
1326,PowerShell Scheduled_Jobs WOW64 Systemprofile,Persistence,Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**10,lazy_ntfs,
1327,PowerShell Scheduled_Jobs Output WOW64 Systemprofile,Persistence,Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**10,lazy_ntfs,
- name: KapeTargets
type: hidden
description: |
Each parameter above represents a group of rules to be
triggered. This table specifies which rule IDs will be included
when the parameter is checked.
default: |
Group,RuleIds
_BasicCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 651, 652, 653, 654, 655, 661, 662, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 961, 962, 963, 964, 965, 966, 983, 984, 985, 986, 987, 988, 989, 1061, 1062, 1073, 1101, 1102, 1103, 1231, 1232, 1322, 1323, 1324, 1325, 1326, 1327]"
_KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 169, 172, 173, 174, 175, 176, 177, 179, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 549, 550, 557, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327]"
_SANS_Triage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 80, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 165, 169, 172, 173, 174, 175, 176, 177, 179, 215, 216, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 382, 383, 384, 385, 386, 387, 388, 389, 392, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 534, 535, 536, 537, 538, 539, 540, 549, 550, 557, 560, 561, 562, 563, 564, 573, 574, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 999, 1000, 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1070, 1071, 1073, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1101, 1102, 1103, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1191, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1231, 1232, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1294, 1295, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327]"
_Boot,[1]
_J,"[2, 3, 4, 5]"
_LogFile,[6]
_MFT,[7]
_MFTMirr,[8]
_SDS,"[9, 10]"
_T,"[11, 12]"
1Password,"[13, 14, 15]"
4KVideoDownloader,"[16, 17]"
AVG,"[18, 19, 20, 21, 22, 23, 24]"
AceText,[25]
AcronisTrueImage,"[26, 27, 28]"
Action1,[29]
ActiveDirectoryNTDS,[30]
ActiveDirectorySysvol,[31]
AgentRansack,"[32, 33, 34, 35]"
Amcache,"[36, 37, 38, 39]"
Ammyy,[40]
Antivirus,"[18, 19, 20, 21, 22, 23, 24, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 169, 172, 173, 174, 175, 176, 177, 233, 234, 235, 236, 237, 238, 263, 310, 311, 312, 393, 394, 395, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 557, 847, 968, 993, 994, 1019, 1020, 1021, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1086, 1087, 1096, 1097, 1098, 1127, 1128, 1129, 1130, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205]"
AnyDesk,"[41, 42, 43, 44, 45, 46, 47, 48, 49]"
ApacheAccessLog,[50]
AppCompatPCA,[51]
AppData,[52]
AppXPackages,"[53, 54, 55, 56, 57]"
ApplicationEvents,"[58, 59, 60, 61]"
AsperaConnect,"[62, 63]"
AteraAgent,"[64, 65, 66, 67, 68]"
Avast,"[69, 70, 71, 72, 73, 74]"
AviraAVLogs,"[75, 76, 77]"
BCD,"[78, 79]"
BITS,[80]
BitTorrent,[81]
Bitdefender,"[82, 83, 84]"
BoxDrive_Metadata,"[85, 86]"
BoxDrive_UserFiles,"[87, 88]"
BraveBrowser,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108]"
BrowserCache,"[109, 110, 111, 112, 113, 114, 115, 116]"
CertUtil,"[117, 118, 119, 120]"
Chrome,"[121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161]"
ChromeExtensions,"[162, 163]"
ChromeFileSystem,[164]
CiscoJabber,[165]
ClipboardMaster,"[166, 167, 168]"
CloudStorage_All,"[85, 86, 87, 88, 225, 226, 227, 228, 229, 230, 231, 375, 376, 377, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 614, 615, 616, 698, 1045, 1046, 1047, 1313, 1314, 1315]"
CloudStorage_Metadata,"[85, 86, 225, 226, 227, 228, 229, 230, 376, 377, 614, 615, 698]"
CloudStorage_OneDriveExplorer,"[614, 615, 703, 704, 705, 706, 707, 780, 781, 782, 783, 784, 785, 786, 787, 788]"
CombinedLogs,"[280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 573, 574, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 1101, 1102, 1103, 1206, 1207]"
Combofix,[169]
ConfluenceLogs,"[170, 171]"
Cybereason,"[172, 173, 174]"
Cylance,"[175, 176, 177]"
DC__,[178]
DWAgent,[179]
Debian,"[180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197]"
DirectoryOpus,"[198, 199, 200, 201, 202, 203, 204, 205, 206]"
DirectoryTraversal_AudioFiles,[207]
DirectoryTraversal_ExcelDocuments,[208]
DirectoryTraversal_PDFDocuments,[209]
DirectoryTraversal_PictureFiles,[210]
DirectoryTraversal_SQLiteDatabases,[211]
DirectoryTraversal_VideoFiles,[212]
DirectoryTraversal_WildCardExample,[213]
DirectoryTraversal_WordDocuments,[214]
Discord,"[215, 216]"
DoubleCommander,"[217, 218, 219, 220, 221, 222, 223]"
Drivers,[224]
Dropbox_Metadata,"[225, 226, 227, 228, 229, 230]"
Dropbox_UserFiles,[231]
EFCommander,[232]
ESET,"[233, 234, 235, 236, 237, 238]"
Edge,[239]
EdgeChromium,"[240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261]"
EdgeChromiumExtensions,[262]
Emsisoft,[263]
EncapsulationLogging,"[264, 265, 266, 267]"
EventLogs_RDP,"[268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279]"
EventLogs,"[280, 281, 282]"
EventTraceLogs,"[283, 284, 285, 286, 287, 288, 289, 290, 291, 292]"
EventTranscriptDB,"[293, 294, 295]"
Evernote,"[296, 297, 298]"
Everything__VoidTools_,"[299, 300, 301, 302]"
EvidenceOfExecution,"[36, 37, 38, 39, 51, 661, 662, 699, 700, 1061, 1062]"
Exchange,"[303, 308, 309]"
ExchangeClientAccess,[303]
ExchangeCve_2021_26855,"[304, 305, 306, 307]"
ExchangeSetupLog,[308]
ExchangeTransport,[309]
FSecure,"[310, 311, 312]"
FTPClients,"[314, 315, 316, 317, 1195]"
Fences,[313]
FileExplorerReplacements,"[198, 199, 200, 201, 202, 203, 204, 205, 206, 217, 218, 219, 220, 221, 222, 223, 232, 353, 354, 355, 356, 357, 358, 359, 567, 568, 569, 570, 571, 572, 612, 613, 674, 675, 1024, 1063, 1064, 1065, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1258, 1259, 1260, 1261]"
FileSystem,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12]"
FileZillaClient,"[314, 315]"
FileZillaServer,"[316, 317]"
Firefox,"[318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352]"
FreeCommander,"[353, 354, 355, 356, 357, 358, 359]"
FreeDownloadManager,"[360, 361, 362]"
FreeFileSync,[363]
Freenet,"[364, 365, 366, 367, 368]"
FrostWire,"[369, 370, 371]"
Gigatribe,"[372, 373, 374]"
GoogleDriveBackupSync_UserFiles,[375]
GoogleDrive_Metadata,"[376, 377]"
GoogleEarth,"[378, 379, 380, 381]"
GroupPolicy,"[382, 383, 384, 385, 386, 387, 388, 389]"
HeidiSQL,"[390, 391]"
HexChat,[392]
HitmanPro,"[393, 394, 395]"
HostsFile,[396]
IISConfiguration,"[397, 398, 399, 400]"
IISLogFiles,"[401, 402, 403, 404, 405, 406]"
IRCClients,"[392, 419, 1294, 1295]"
ISLOnline,"[407, 408, 409, 410, 411, 412, 413, 414]"
ITarian,"[415, 416, 417, 418]"
IceChat,[419]
IconCacheDB,[420]
Idrive,"[421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434]"
ImgBurn,[435]
InternetExplorer,"[436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448]"
IrfanView,[449]
JDownloader2,"[450, 451, 452, 453, 454]"
JavaWebCache,"[455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465]"
JumpLists,"[466, 467]"
Kali,"[468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485]"
KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 169, 172, 173, 174, 175, 176, 177, 179, 225, 226, 227, 228, 229, 230, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 393, 394, 395, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 486, 487, 488, 489, 490, 491, 492, 493, 494, 500, 501, 502, 503, 504, 505, 506, 507, 508, 520, 521, 528, 529, 530, 531, 535, 536, 537, 538, 539, 540, 549, 550, 557, 580, 581, 582, 583, 584, 585, 614, 615, 638, 639, 651, 652, 653, 654, 655, 661, 662, 665, 666, 667, 668, 669, 670, 671, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 706, 707, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 847, 848, 849, 961, 962, 963, 964, 965, 966, 967, 968, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 1019, 1020, 1021, 1025, 1026, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1066, 1067, 1068, 1069, 1086, 1087, 1096, 1097, 1098, 1099, 1100, 1121, 1122, 1123, 1124, 1127, 1128, 1129, 1130, 1137, 1138, 1139, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1252, 1262, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298, 1322, 1323, 1324, 1325, 1326, 1327]"
Kaseya,"[486, 487, 488, 489, 490, 491, 492, 493, 494]"
Keepass,"[495, 496, 497]"
KeepassXC,"[498, 499]"
LNKFilesAndJumpLists,"[500, 501, 502, 503, 504, 505, 506, 507]"
Level,[508]
LinuxOnWindowsProfileFiles,"[509, 510, 511, 512]"
LiveUserFiles,"[513, 514, 515, 516]"
LogFiles,"[517, 518, 519]"
LogMeIn,"[58, 59, 60, 61, 520, 521]"
MOF,[522]
MSSQLErrorLog,"[523, 524]"
MacriumReflect,"[525, 526, 527]"
Malwarebytes,"[528, 529, 530, 531]"
ManageEngineLogs,"[532, 533]"
Mattermost,[534]
McAfee,"[535, 536, 537, 538, 539]"
McAfee_ePO,[540]
MediaMonkey,"[541, 542]"
Megasync,[543]
MemoryFiles,"[544, 545, 546, 547, 548]"
MeshAgent,"[549, 550]"
MessagingClients,"[165, 215, 216, 392, 419, 534, 560, 561, 562, 563, 564, 999, 1000, 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1070, 1071, 1140, 1141, 1142, 1143, 1144, 1188, 1189, 1190, 1191, 1294, 1295]"
MicrosoftOfficeBackstage,[551]
MicrosoftOneNote,"[552, 553, 554, 555, 556]"
MicrosoftSafetyScanner,[557]
MicrosoftStickyNotes,"[558, 559]"
MicrosoftTeams,"[560, 561, 562, 563, 564]"
MicrosoftToDo,"[565, 566]"
MidnightCommander,[567]
MiniTimelineCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 280, 281, 282, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788]"
MultiCommander,"[568, 569, 570, 571, 572]"
NETCLRUsageLogs,"[573, 574]"
NGINXLogs,[575]
NZBGet,"[576, 577]"
Nessus,"[578, 579]"
NetMonitorforEmployeesProfessional,"[580, 581, 582, 583, 584, 585]"
NewsbinPro,[586]
Newsleecher,[587]
Nicotine__,"[588, 589, 590, 591, 592, 593, 594, 595, 596, 597, 598]"
Notepad__,"[599, 600, 601]"
Notepad,[602]
Notion,"[603, 604]"
OfficeAutosave,"[605, 606, 607, 608]"
OfficeDiagnostics,"[609, 610]"
OfficeDocumentCache,[611]
OneCommander,"[612, 613]"
OneDrive_Metadata,"[614, 615]"
OneDrive_UserFiles,[616]
OpenSSHClient,"[617, 618, 619, 620, 621, 622, 623, 624, 625]"
OpenSSHServer,"[626, 627, 628, 629, 630, 631, 632, 633, 634]"
OpenVPNClient,"[635, 636, 637]"
Opera,"[638, 639]"
OutlookPSTOST,"[640, 641, 642, 643, 644, 645, 646, 647]"
P2PClients,"[178, 369, 370, 371, 372, 373, 374, 997, 1022, 1023, 1289, 1290]"
PeaZip,[648]
PerfLogs,[649]
PowerShell7Config,[650]
PowerShellConsole,"[651, 652, 653, 654, 655]"
PowerShellTranscripts,"[656, 657, 658, 659, 660]"
Prefetch,"[661, 662]"
ProgramData,[663]
ProgramExecution,"[36, 37, 38, 39, 51, 466, 467, 573, 574, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 699, 700, 1061, 1062, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1252]"
ProtonVPN,[664]
PuffinSecureBrowser,"[665, 666, 667, 668, 669, 670, 671]"
PushNotification,"[672, 673]"
Q_Dir,"[674, 675]"
QFinderPro__QNAP_,[676]
QlikSense,"[677, 678, 679, 680]"
RDPCache,"[681, 682, 683]"
RDPJumplist,[684]
RDPLogs,"[685, 686, 687, 688, 689, 690, 691, 692]"
Radmin,"[693, 694, 695, 696, 697]"
RcloneConf,[698]
RecentFileCache,"[699, 700]"
RecentFolders,"[701, 702]"
RecycleBin,"[703, 704, 705, 706, 707]"
RecycleBin_DataFiles,"[703, 704, 705]"
RecycleBin_InfoFiles,"[706, 707]"
RegistryHives,"[708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788]"
RegistryHivesMSIXApps,"[708, 709, 710]"
RegistryHivesOther,"[711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738]"
RegistryHivesSystem,"[739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779]"
RegistryHivesUser,"[780, 781, 782, 783, 784, 785, 786, 787, 788]"
RemoteAdmin,"[29, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 58, 59, 60, 61, 179, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 486, 487, 488, 489, 490, 491, 492, 493, 494, 508, 520, 521, 549, 550, 580, 581, 582, 583, 584, 585, 681, 682, 683, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 789, 790, 848, 849, 990, 991, 992, 1025, 1026, 1050, 1051, 1066, 1067, 1068, 1069, 1099, 1100, 1121, 1122, 1123, 1124, 1137, 1138, 1139, 1262, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1296, 1297, 1298]"
RemoteUtilities_app,"[789, 790]"
RoamingProfile,"[791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832]"
Robo_FTP,"[833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846]"
RogueKiller,[847]
RustDesk,"[848, 849]"
SABnbzd,"[850, 851]"
SCCMClientLogs,[852]
SDB,"[853, 854, 855, 856]"
SOFELK,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 661, 662, 699, 700, 1061, 1062]"
SQLiteDatabases,"[857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960]"
SRUM,"[961, 962, 963, 964, 965, 966]"
SUM,[967]
SUPERAntiSpyware,[968]
SUSELinuxEnterpriseServer,"[969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982]"
ScheduledTasks,"[983, 984, 985, 986, 987, 988, 989, 1322, 1323, 1324, 1325, 1326, 1327]"
ScreenConnect,"[58, 59, 60, 61, 990, 991, 992]"
SecureAge,[993]
SentinelOne,[994]
ServerTriage,"[50, 170, 171, 303, 308, 309, 316, 317, 401, 402, 403, 404, 405, 406, 523, 524, 532, 533, 575, 626, 627, 628, 629, 630, 631, 632, 633, 634]"
Session,[995]
ShareX,[996]
Shareaza,[997]
SiemensTIA,[998]
Signal,"[999, 1000, 1001, 1002]"
SignatureCatalog,"[1003, 1004]"
Skype,"[1005, 1006, 1007, 1008, 1009, 1010, 1011]"
Slack,"[1012, 1013, 1014, 1015, 1016]"
Snagit,[1017]
SnipAndSketch,[1018]
Sophos,"[58, 59, 60, 61, 1019, 1020, 1021]"
Soulseek,"[1022, 1023]"
SpeedCommander,[1024]
Splashtop,"[1025, 1026]"
StartupFolders,"[1027, 1028]"
StartupInfo,"[1029, 1030]"
Steam,"[1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042]"
SublimeText,"[1043, 1044]"
SugarSync,"[1045, 1046, 1047]"
SumatraPDF,"[1048, 1049]"
SupremoRemoteDesktop,"[1050, 1051]"
Symantec_AV_Logs,"[58, 59, 60, 61, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060]"
Syscache,"[1061, 1062]"
TablacusExplorer,"[1063, 1064, 1065]"
TeamViewerLogs,"[1066, 1067, 1068, 1069]"
Telegram,"[1070, 1071]"
TeraCopy,[1072]
ThumbCache,[1073]
Thunderbird,"[1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084]"
TorrentClients,"[81, 1316, 1317, 1318, 1319, 1320]"
Torrents,[1085]
TotalAV,"[1086, 1087]"
TotalCommander,"[1088, 1089, 1090, 1091, 1092, 1093, 1094]"
TreeSize,[1095]
TrendMicro,"[1096, 1097, 1098]"
UEMS,"[1099, 1100]"
USBDetective,"[36, 37, 38, 39, 280, 281, 282, 500, 501, 502, 503, 504, 505, 506, 507, 708, 709, 710, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 1101, 1102, 1103]"
USBDevicesLogs,"[1101, 1102, 1103]"
Ubuntu,"[1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120]"
Ultraviewer,"[1121, 1122, 1123, 1124]"
Usenet,[1125]
UsenetClients,"[576, 577, 586, 587, 850, 851]"
UsersFolders,[1126]
VIPRE,"[1127, 1128, 1129, 1130]"
VLC_Media_Player,"[1131, 1132]"
VMware,"[1133, 1134, 1135, 1136, 1151, 1152, 1153, 1154]"
VMwareInventory,[1133]
VMwareMemory,"[1134, 1135, 1136]"
VNCLogs,"[58, 59, 60, 61, 1137, 1138, 1139]"
Viber,"[1140, 1141, 1142, 1143, 1144]"
VirtualBox,"[1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154]"
VirtualBoxConfig,"[1145, 1146]"
VirtualBoxLogs,"[1147, 1148, 1149]"
VirtualBoxMemory,[1150]
VirtualDisks,"[1151, 1152, 1153, 1154]"
VisualStudioCode,"[1155, 1156, 1157, 1158, 1159, 1160, 1161, 1162]"
Vivaldi,"[1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179]"
WBEM,"[1180, 1181]"
WER,"[1182, 1183, 1184, 1185, 1186]"
WSL,"[180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311, 1312]"
WebBrowsers,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 638, 639, 665, 666, 667, 668, 669, 670, 671, 1163, 1164, 1165, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277]"
WebServers,"[50, 401, 402, 403, 404, 405, 406, 523, 524, 575]"
Webroot,[1187]
WhatsApp,"[1188, 1189, 1190, 1191]"
WhatsApp_Media,"[1192, 1193]"
WinDefendDetectionHist,[1194]
WinSCP,[1195]
WindowsCopilotRecall,[1196]
WindowsDefender,"[1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205]"
WindowsFirewall,"[1206, 1207]"
WindowsHello,"[1208, 1209, 1210, 1211, 1212, 1213, 1214, 1215, 1216, 1217, 1218, 1219, 1220, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230]"
WindowsIndexSearch,"[1231, 1232]"
WindowsNetwork,[1233]
WindowsNotificationsDB,"[1234, 1235]"
WindowsOSUpgradeArtifacts,"[1236, 1237, 1238, 1239, 1240]"
WindowsPowerDiagnostics,[1241]
WindowsServerDNSAndDHCP,"[1242, 1243, 1244]"
WindowsSubsystemforAndroid,"[1245, 1246, 1247, 1248, 1249]"
WindowsTelemetryDiagnosticsLegacy,"[1250, 1251]"
WindowsTimeline,[1252]
WindowsUpdate,"[1253, 1254, 1255]"
WindowsYourPhone,[1256]
XPRestorePoints,[1257]
XYplorer,"[1258, 1259, 1260, 1261]"
Xeox,[1262]
Yandex,"[1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277]"
ZohoAssist,"[1278, 1279, 1280, 1281, 1282, 1283, 1284]"
Zoom,"[1285, 1286, 1287, 1288]"
eMule,"[1289, 1290]"
iTunesBackup,"[1291, 1292, 1293]"
mIRC,"[1294, 1295]"
mRemoteNG,"[1296, 1297, 1298]"
openSUSE,"[1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311, 1312]"
pCloudDatabase,"[1313, 1314, 1315]"
qBittorrent,"[1316, 1317, 1318, 1319]"
uTorrent,[1320]
- name: NTFS_CACHE_TIME
type: int
description: How often to flush the NTFS cache. (Default is never).
default: "1000000"
sources:
- name: All File Metadata
query: |
LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
-- Filter the KapeTargets list by the groups that are enabled in
-- the scope. Only the rows which contain a Group name defined
-- as TRUE in the scope (parameter) will be included. We then
-- merge all the Ids into a single flattened list we can check
-- against.
LET targets <= SELECT * FROM foreach(row={
SELECT * FROM parse_csv(accessor="data", filename=KapeTargets)
WHERE get(member=Group) AND log(message="Selecting " + Group)
}, query={
SELECT _value AS Id FROM foreach(row=RuleIds)
})
LET EnabledIds <= targets.Id
-- Filter only the rules in the rule table that have an Id we
-- want. Targets with $ in their name probably refer to ntfs
-- special files and so they are designated as ntfs
-- accessor. Other targets may need ntfs parsing but not
-- necessary - they are designated with the lazy_ntfs accessor.
LET rule_specs_ntfs <= SELECT Id, Glob
FROM parse_csv(filename=KapeRules, accessor="data")
WHERE Id in EnabledIds AND Accessor='ntfs'
AND log(message="ntfs: Selecting glob " + Glob)
LET rule_specs_lazy_ntfs <= SELECT Id, Glob
FROM parse_csv(filename=KapeRules, accessor="data")
WHERE Id in EnabledIds AND Accessor='lazy_ntfs'
AND log(message="auto: Selecting glob " + Glob)
-- Call the generic VSS file collector with the globs we want in
-- a new CSV file.
LET all_results_from_device(Device) = SELECT * FROM if(
condition=VSSAnalysisAge > 0,
then={
-- Process everything with the ntfs_vss accessor.
SELECT * FROM Artifact.Generic.Collectors.File(
Root=Device,
Accessor="ntfs_vss",
collectionSpec=rule_specs_ntfs + rule_specs_lazy_ntfs)
}, else={
SELECT * FROM chain(async=TRUE,
a={
-- Special files we access with the ntfs parser.
SELECT * FROM Artifact.Generic.Collectors.File(
Root=Device,
Accessor="ntfs",
collectionSpec=rule_specs_ntfs)
}, b={
-- Prefer the auto accessor if possible since it
-- will fall back to ntfs if required but otherwise
-- will be faster.
SELECT * FROM Artifact.Generic.Collectors.File(
Root=Device,
Accessor=if(condition=UseAutoAccessor,
then="auto", else="lazy_ntfs"),
collectionSpec=rule_specs_lazy_ntfs)
})
})
// This materializes all the files into memory and then into
// a tempfile if the list is too long.
LET all_results <= SELECT * FROM foreach(
row=split(string=Device, sep="\\s*,\\s*"),
query={
SELECT * FROM all_results_from_device(Device=_value)
})
SELECT * FROM all_results WHERE _Source =~ "Metadata"
- name: Uploads
query: |
SELECT * FROM all_results WHERE _Source =~ "Uploads"
notebook:
- type: vql_suggestion
name: Post process collection
template: |
/*
# Post process this collection.
Uncomment the following and evaluate the cell to create new
collections based on the files collected from this artifact.
The below VQL will apply remapping so standard artifacts will
see the KapeFiles.Targets collection below as a virtual
Windows Client. The artifacts will be collected to a temporary
container and then re-imported as new collections into this
client.
NOTE: This is only a stop gap in case the proper artifacts
were not collected in the first place. Parsing artifacts
through a remapped collection is not as accurate as parsing
directly on the endpoint. See
https://docs.velociraptor.app/training/playbooks/preservation/
for more info.
*/
LET _ <= import(artifact="Windows.KapeFiles.Remapping")
LET tmp <= tempfile()
LET Results = SELECT import_collection(filename=Container, client_id=ClientId) AS Import
FROM collect(artifacts=[
"Windows.Forensics.Usn",
"Windows.NTFS.MFT",
],
args=dict(`Windows.Forensics.Usn`=dict(),
`Windows.NTFS.MFT`=dict()),
output=tmp,
remapping=GetRemapping(FlowId=FlowId, ClientId=ClientId))
// SELECT * FROM Results