# Windows Collections ## **Windows Evidence List**


#	Evidence (click for details)	Category	Parsed	Sent to the Investigation Hub	Raw Files Collected
1	$Boot	DiskFilesystem	No	Yes	Yes
2	$Log File	DiskFilesystem	No	Yes	Yes
3	$Secure:$SDS	DiskFilesystem	No	Yes	Yes
4	$TxfLog $Tops:$T	DiskFilesystem	No	Yes	Yes
5	ARP Table	Network	Yes	Yes	No
6	AVG Logs	Applications	No	No	Yes
7	Action1 RMM Logs	Applications	No	No	Yes
8	Active Directory Logs	Applications	No	No	Yes
9	AmCache	System	Yes	Yes	Yes
10	AmmyAdmin Logs	Applications	No	No	Yes
11	Antivirus Information	System	Yes	Yes	No
12	AnyDesk Logs	Applications	No	No	Yes
13	Apache Logs	Applications	No	No	Yes
14	AppCompactCache	System	Yes	Yes	No
15	AppPaths	System	Yes	Yes	No
16	Avast Logs	Applications	No	No	Yes
17	Avira Logs	Applications	No	No	Yes
18	Bitdefender Logs	Applications	No	No	Yes
19	Brave Bookmarks	Applications	Yes	Yes	No
20	Brave Browsing History	Applications	Yes	Yes	No
21	Brave Cookies	Applications	Yes	Yes	No
22	Brave Downloads	Applications	Yes	Yes	No
23	Brave Extensions	Applications	Yes	Yes	No
24	Brave Favicons	Applications	Yes	Yes	No
25	Brave Form History	Applications	Yes	Yes	No
26	Brave Local Storage	Applications	Yes	Yes	No
27	Brave Login Data	Applications	Yes	Yes	No
28	Brave Sessions	Applications	Yes	Yes	No
29	Brave Thumbnails	Applications	Yes	Yes	No
30	Brave User Profiles	Applications	Yes	Yes	No
31	Brave Web Storage	Applications	Yes	Yes	No
32	CIDSizeMRU	System	Yes	Yes	No
33	CLR	System	No	Yes	Yes
34	Carbon Black Logs	Applications	No	No	Yes
35	Chrome Bookmarks	Applications	Yes	Yes	No
36	Chrome Browsing History	Applications	Yes	Yes	No
37	Chrome Cookies	Applications	Yes	Yes	No
38	Chrome Downloads	Applications	Yes	Yes	No
39	Chrome Extensions	Applications	Yes	Yes	No
40	Chrome Favicons	Applications	Yes	Yes	No
41	Chrome Form History	Applications	Yes	Yes	No
42	Chrome Local Storage	Applications	Yes	Yes	No
43	Chrome Login Data	Applications	Yes	Yes	No
44	Chrome Sessions	Applications	Yes	Yes	No
45	Chrome Thumbnails	Applications	Yes	Yes	No
46	Chrome User Profiles	Applications	Yes	Yes	No
47	Chrome Web Storage	Applications	Yes	Yes	No
48	Cisco AMP Logs	Applications	No	No	Yes
49	Collect LNK Files	System	Yes	Yes	Yes
50	Collect SRUM Database Files	System	No	No	Yes
51	ComboFix	Applications	No	No	Yes
52	Cortana History	Applications	No	No	Yes
53	Crash Dump Information	System	Yes	Yes	No
54	Cybereason Logs	Applications	No	No	Yes
55	Cylance Logs	Applications	No	No	Yes
56	DHCP Server Logs	Applications	No	No	Yes
57	DNS Cache	Network	Yes	Yes	No
58	DNS Server Logs	Applications	No	No	Yes
59	DNS Servers	Network	Yes	Yes	No
60	Deep Instinct Logs	Applications	No	No	Yes
61	Default Browser	Applications	Yes	Yes	No
62	Discord Desktop Cache	Applications	No	No	Yes
63	Docker Changes	Applications	Yes	Yes	No
64	Docker Container Logs	Applications	Yes	Yes	No
65	Docker Containers	Applications	Yes	Yes	No
66	Docker Image History	Applications	Yes	Yes	No
67	Docker Images	Applications	Yes	Yes	No
68	Docker Info	Applications	Yes	Yes	No
69	Docker Networks	Applications	Yes	Yes	No
70	Docker Processes	Applications	Yes	Yes	No
71	Docker Volumes	Applications	Yes	Yes	No
72	Downloaded Files Information	System	Yes	Yes	No
73	Driver Objects	System	Yes	Yes	No
74	Drivers List	System	Yes	Yes	No
75	Dropbox Cache	Applications	No	No	Yes
76	Dropbox Databases	Applications	No	No	Yes
77	Dropbox Logs	Applications	No	No	Yes
78	Dump Brave Indexed DB	Applications	Yes	Yes	No
79	Dump Chrome Indexed DB	Applications	Yes	Yes	No
80	Dump Edge Indexed DB	Applications	Yes	Yes	No
81	Dump Opera Indexed DB	Applications	Yes	Yes	No
82	Dump QQ Indexed DB	Applications	Yes	Yes	No
83	Dump Vivaldi Indexed DB	Applications	Yes	Yes	No
84	ETL	System	No	Yes	Yes
85	Edge Bookmarks	Applications	Yes	Yes	No
86	Edge Cookies	Applications	Yes	Yes	No
87	Edge Downloads	Applications	Yes	Yes	No
88	Edge Extensions	Applications	Yes	Yes	No
89	Edge Favicons	Applications	Yes	Yes	No
90	Edge Form History	Applications	Yes	Yes	No
91	Edge Local Storage	Applications	Yes	Yes	No
92	Edge Login Data	Applications	Yes	Yes	No
93	Edge Sessions	Applications	Yes	Yes	No
94	Edge Thumbnails	Applications	Yes	Yes	No
95	Edge User Profiles	Applications	Yes	Yes	No
96	Edge Web Storage	Applications	Yes	Yes	No
97	Elastic Logs	Applications	No	No	Yes
98	Environment Variables	System	Yes	Yes	No
99	Eset Logs	Applications	No	No	Yes
100	Event Log EVT Files	EventLogs	Yes	Yes	No
101	Event Log EVT Records	EventLogs	Yes	Yes	Yes
102	Event Log EVTX Files	EventLogs	Yes	Yes	No
103	EventTranscript DB	System	Yes	Yes	Yes
104	Evernote Databases	Applications	No	No	Yes
105	Evernote Drag and Drop Files	Applications	No	No	Yes
106	Evernote Logs	Applications	No	No	Yes
107	Everything History	Applications	No	No	Yes
108	F-Secure Logs	Applications	No	No	Yes
109	Facebook Cache	Applications	No	No	Yes
110	Facebook Databases	Applications	No	No	Yes
111	FileExts	System	Yes	Yes	No
112	FileZilla Sessions	Applications	No	No	Yes
113	FireEye Logs	Applications	No	No	Yes
114	Firefox Browsing History	Applications	Yes	Yes	No
115	Firefox Cookies	Applications	Yes	Yes	No
116	Firefox Downloads	Applications	Yes	Yes	No
117	Firefox Extensions	Applications	Yes	Yes	No
118	Firewall Rules	Network	Yes	Yes	No
119	FirstFolder	System	Yes	Yes	No
120	Github Desktop Cache	Applications	No	No	Yes
121	Github Desktop Databases	Applications	No	No	Yes
122	Github Desktop Logs	Applications	No	No	Yes
123	GoTo Logs	Applications	No	No	Yes
124	Google Drive Databases	Applications	No	No	Yes
125	Hibernation File	Memory	No	Yes	Yes
126	HitmanPro Logs	Applications	No	No	Yes
127	Hosts	Network	Yes	Yes	Yes
128	IE 10,11,Edge Browsing History	Applications	Yes	Yes	Yes
129	IE 7,8,9 Browsing History	Applications	Yes	Yes	Yes
130	IIS Logs	Applications	No	No	Yes
131	INF Setup	System	No	Yes	Yes
132	IPv4 Routes	Network	Yes	Yes	No
133	Iconcache	System	No	Yes	Yes
134	Installed Applications	System	Yes	Yes	No
135	JumpList Automatic Entries	System	Yes	Yes	No
136	JumpList Automatic Files	System	Yes	Yes	Yes
137	JumpList Custom Entries	System	Yes	Yes	No
138	JumpList Custom Files	System	Yes	Yes	Yes
139	Kaseya Logs	Applications	No	No	Yes
140	LastVisitedPidlMRU	System	Yes	Yes	No
141	Level Logs	Applications	No	No	Yes
142	LinkedIn Cache	Applications	No	No	Yes
143	LogMeIn Logs	Applications	No	No	Yes
144	MBR	DiskFilesystem	No	Yes	Yes
145	MFT	DiskFilesystem	No	Yes	Yes
146	MFT Mirror	DiskFilesystem	No	Yes	Yes
147	MFT as CSV	DiskFilesystem	Yes	No	No
148	MSSQL Logs	Applications	No	No	Yes
149	MalwareBytes Logs	Applications	No	No	Yes
150	Map Network Drive MRU	System	Yes	Yes	No
151	McAfee Logs	Applications	No	No	Yes
152	Microsoft Calendar	Applications	No	No	Yes
153	Microsoft Exchange Logs	Applications	No	No	Yes
154	Microsoft Mail	Applications	No	No	Yes
155	Microsoft Maps	Applications	No	No	Yes
156	Microsoft Outlook	Applications	No	No	Yes
157	Microsoft People	Applications	No	No	Yes
158	Microsoft Photos	Applications	No	No	Yes
159	Microsoft Sticky Notes	Applications	No	No	Yes
160	Microsoft Store Applications List	Applications	No	No	Yes
161	Microsoft Voice Record History	Applications	No	No	Yes
162	MongoDB Logs	Applications	No	No	Yes
163	Mozilla Thunderbird	Applications	No	No	Yes
164	NTDS.dit	System	No	Yes	Yes
165	Network Adapters	Network	Yes	Yes	No
166	Network Shares	Network	Yes	Yes	No
167	Notepad++ Sessions	Applications	No	No	Yes
168	Object Directory	System	Yes	Yes	No
169	OfficeMRU	System	Yes	Yes	No
170	Old Registry Hives	System	No	Yes	Yes
171	OneDrive Logs	Applications	No	No	Yes
172	OpenSavePidlMRU	System	Yes	Yes	No
173	OpenVPN Config	Applications	No	No	Yes
174	Opera Bookmarks	Applications	Yes	Yes	No
175	Opera Browsing History	Applications	Yes	Yes	No
176	Opera Cookies	Applications	Yes	Yes	No
177	Opera Downloads	Applications	Yes	Yes	No
178	Opera Extensions	Applications	Yes	Yes	No
179	Opera Favicons	Applications	Yes	Yes	No
180	Opera Form History	Applications	Yes	Yes	No
181	Opera Local Storage	Applications	Yes	Yes	No
182	Opera Login Data	Applications	Yes	Yes	No
183	Opera Sessions	Applications	Yes	Yes	No
184	Opera Thumbnails	Applications	Yes	Yes	No
185	Opera User Profiles	Applications	Yes	Yes	No
186	Opera Web Storage	Applications	Yes	Yes	No
187	PDB Information	System	Yes	Yes	No
188	Page File	Memory	No	Yes	Yes
189	Palo Alto Logs	Applications	No	No	Yes
190	Parse LNK Files	System	Yes	Yes	No
191	Parse SRUM Application Timeline	System	No	Yes	No
192	Parse SRUM Application Usage	System	No	Yes	No
193	Parse SRUM Energy Usage	System	No	Yes	No
194	Parse SRUM Network Connectivity	System	No	Yes	No
195	Parse SRUM Network Usage	System	No	Yes	No
196	Powershell ConsoleHost History	System	Yes	Yes	No
197	Powershell Logs	System	No	Yes	Yes
198	Prefetch Files	System	Yes	Yes	Yes
199	Proxy List	Network	Yes	Yes	No
200	QQ Bookmarks	Applications	Yes	Yes	No
201	QQ Browsing History	Applications	Yes	Yes	No
202	QQ Cookies	Applications	Yes	Yes	No
203	QQ Downloads	Applications	Yes	Yes	No
204	QQ Extensions	Applications	Yes	Yes	No
205	QQ Favicons	Applications	Yes	Yes	No
206	QQ Form History	Applications	Yes	Yes	No
207	QQ Local Storage	Applications	Yes	Yes	No
208	QQ Login Data	Applications	Yes	Yes	No
209	QQ Sessions	Applications	Yes	Yes	No
210	QQ Thumbnails	Applications	Yes	Yes	No
211	QQ User Profiles	Applications	Yes	Yes	No
212	QQ Web Storage	Applications	Yes	Yes	No
213	Quick Assist	System	Yes	Yes	No
214	RAM Image	Memory	No	Yes	Yes
215	RDP Cache	System	No	Yes	Yes
216	RealVNC Logs	Applications	No	No	Yes
217	Recent File Cache	System	No	Yes	Yes
218	RecentDocs	System	Yes	Yes	No
219	Recycle Bin Information	System	Yes	Yes	No
220	Registry Hives	System	No	Yes	Yes
221	Registry Items	System	Yes	Yes	Yes
222	RemComSvc Logs	Applications	No	No	Yes
223	Remote Utilities Logs	Applications	No	No	Yes
224	RogueKiller Reports	Applications	No	No	Yes
225	RunMRU	System	Yes	Yes	No
226	Running Processes and Modules	System	Yes	Yes	No
227	SAM Users and Groups	System	Yes	Yes	No
228	SDB	System	No	Yes	Yes
229	SRUM	System	Yes	Yes	Yes
230	SUPERAntiSpyware Logs	Applications	No	No	Yes
231	Scheduled Tasks	System	Yes	Yes	Yes
232	ScreenConnect (ConnectWise Control) Application Data	Applications	No	No	Yes
233	Search History	Applications	No	No	Yes
234	SentinelOne Logs	Applications	No	No	Yes
235	Service List	System	Yes	Yes	Yes
236	Shadow Copy as CSV	DiskFilesystem	Yes	Yes	No
237	ShellBags	System	Yes	Yes	No
238	ShellFolders	System	Yes	Yes	No
239	Skype Databases	Applications	No	No	Yes
240	Skype Media	Applications	No	No	Yes
241	Sophos Logs	Applications	No	No	Yes
242	Sourcefire FireAMP Logs	Applications	No	No	Yes
243	Splashtop Logs	Applications	No	No	Yes
244	Spotify Cache	Applications	No	No	Yes
245	Spotify Recently Played List	Applications	No	No	Yes
246	Startup Items	System	Yes	Yes	Yes
247	Sublime Text Sessions	Applications	No	No	Yes
248	Superfetch	System	No	Yes	Yes
249	Supremo Remote Desktop Logs	Applications	No	No	Yes
250	Swap File	Memory	No	Yes	Yes
251	Symantec Logs	Applications	No	No	Yes
252	System Restore Points Information	System	Yes	Yes	No
253	TCP Table	Network	Yes	Yes	No
254	Tanium Logs	Applications	No	No	Yes
255	Teamviewer Logs	Applications	No	No	Yes
256	Telegram Desktop Data	Applications	No	No	Yes
257	Telegram Desktop Download	Applications	No	No	Yes
258	Thumbcache	System	No	Yes	Yes
259	TightVNC Logs	Applications	No	No	Yes
260	Tortoise Git Logs	Applications	No	No	Yes
261	TotalAv Logs	Applications	No	No	Yes
262	Trend Micro Logs	Applications	No	No	Yes
263	Twitter Cache	Applications	No	No	Yes
264	Twitter Databases	Applications	No	No	Yes
265	TypedPaths	System	Yes	Yes	No
266	TypedURLs	System	Yes	Yes	No
267	UDP Table	Network	Yes	Yes	No
268	USB Storage History	DiskFilesystem	Yes	Yes	No
269	USN Journal	DiskFilesystem	No	Yes	Yes
270	USN Journal $Max	DiskFilesystem	No	Yes	Yes
271	USN Journal as CSV	DiskFilesystem	Yes	Yes	No
272	UltraVNC Logs	Applications	No	No	Yes
273	Ultraviewer Logs	Applications	No	No	Yes
274	User Access Logs (UAL)	System	Yes	Yes	Yes
275	User Folders	System	Yes	Yes	No
276	UserAssist	System	Yes	Yes	No
277	Users	System	Yes	Yes	No
278	VIPRE Logs	Applications	No	No	Yes
279	VMware Config	Applications	No	No	Yes
280	VMware Drag and Drop Files	Applications	No	No	Yes
281	VMware Logs	Applications	No	No	Yes
282	Visual Studio Team Explorer Config	Applications	No	No	Yes
283	Vivaldi Bookmarks	Applications	Yes	Yes	No
284	Vivaldi Browsing History	Applications	Yes	Yes	No
285	Vivaldi Cookies	Applications	Yes	Yes	No
286	Vivaldi Downloads	Applications	Yes	Yes	No
287	Vivaldi Extensions	Applications	Yes	Yes	No
288	Vivaldi Favicons	Applications	Yes	Yes	No
289	Vivaldi Form History	Applications	Yes	Yes	No
290	Vivaldi Local Storage	Applications	Yes	Yes	No
291	Vivaldi Login Data	Applications	Yes	Yes	No
292	Vivaldi Sessions	Applications	Yes	Yes	No
293	Vivaldi Thumbnails	Applications	Yes	Yes	No
294	Vivaldi User Profiles	Applications	Yes	Yes	No
295	Vivaldi Web Storage	Applications	Yes	Yes	No
296	Volumes Information	DiskFilesystem	Yes	Yes	No
297	WBEM	System	No	Yes	Yes
298	WMI Active Script	System	Yes	Yes	No
299	WMI Command Line	System	Yes	Yes	No
300	WSL	Applications	No	No	Yes
301	Webroot Logs	Applications	No	No	Yes
302	WhatsApp Desktop Cache	Applications	No	No	Yes
303	WhatsApp Desktop Cookie	Applications	No	No	Yes
304	WinRAR History	Applications	Yes	Yes	No
305	Windows Defender Logs	Applications	No	No	Yes
306	Windows Error Reporting Files	System	No	No	Yes
307	Windows Index Search	System	No	Yes	Yes
308	Windows Live Mail User Settings	Applications	No	No	Yes
309	Windows Notification History	Applications	No	No	Yes
310	Windows Timeline	System	Yes	Yes	Yes
311	Wireless Connection History	Network	Yes	Yes	No
312	WordWheelQuery	System	Yes	Yes	No
313	Xeox Logs	Applications	No	No	Yes
314	ZohoAssist Logs	Applications	No	No	Yes
315	Zoom Databases	Applications	No	No	Yes
316	Zoom Media	Applications	No	No	Yes
317	iTunes Backups	Applications	No	No	Yes