Evidence: Windows Error Reporting Files
Description: Collect WER Files
Category: System
Platform: windows
Short Name: wrrfls
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Error Reporting (WER) files contain crash reports and error diagnostics from applications and system components. These files are stored when an application crashes or encounters an error, providing detailed information about the failure.
Data Collected
This collector gathers structured data about Windows Error Reporting files.
Collection Method
This collector gathers WER files from the ReportArchive directory, which contains archived error reports with crash dumps and diagnostic information.
Forensic Value
WER files are valuable for identifying application crashes, system instability, and potential exploitation attempts. They can reveal malicious software behavior, vulnerable application versions, and system compromise indicators.
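Because this collector does not parse the files it gathers, the following added example (not part of the collector or of the original page) shows one way to triage a collected Report.wer file offline. The sample report is constructed, and the "expected" path prefixes used to flag loaded modules are an assumption of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Report.wer's key=value layout (not from a real host).
SAMPLE_WER = "\r\n".join([
    "Version=1", "EventType=APPCRASH", "EventTime=133500000000000000",
    "Sig[0].Name=Application Name", "Sig[0].Value=viewer.exe",
    "Sig[3].Name=Fault Module Name", "Sig[3].Value=helper.dll",
    "Sig[6].Name=Exception Code", "Sig[6].Value=c0000005",
    "LoadedModule[0]=C:\\Users\\Public\\viewer.exe",
    "LoadedModule[1]=C:\\Windows\\SYSTEM32\\ntdll.dll",
    "LoadedModule[2]=C:\\Users\\Public\\helper.dll",
    "AppPath=C:\\Users\\Public\\viewer.exe",
]).encode("utf-16")  # Report.wer is UTF-16 text with a byte-order mark

SIG_RE = re.compile(r"^((?:Dynamic)?Sig\[\d+\])\.(Name|Value)$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: paths treated as "expected" for this triage heuristic.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

def parse_wer(raw: bytes) -> dict:
    """Split a Report.wer blob into plain fields, signature pairs, modules."""
    fields, names, values, modules = {}, {}, {}, []
    for line in raw.decode("utf-16", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip blank or malformed lines
        m = SIG_RE.match(key)
        if m:
            # Sig[n].Name and Sig[n].Value arrive on separate lines
            (names if m.group(2) == "Name" else values)[m.group(1)] = value
        elif key.startswith("LoadedModule["):
            modules.append(value)
        else:
            fields[key] = value
    signature = {names[k]: values.get(k, "") for k in names}
    return {"fields": fields, "signature": signature, "modules": modules}

def triage(raw: bytes) -> dict:
    """Reduce one report to the values an analyst checks first."""
    rep = parse_wer(raw)
    ticks = int(rep["fields"].get("EventTime", "0"))  # 100 ns units since 1601
    return {
        "event_type": rep["fields"].get("EventType"),
        "event_time": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
        "fault_module": rep["signature"].get("Fault Module Name"),
        "exception_code": rep["signature"].get("Exception Code"),
        "modules_outside_system": [m for m in rep["modules"]
                                   if not m.lower().startswith(EXPECTED_PREFIXES)],
    }
```

Running triage() over each collected report and sorting by event_time gives a crash timeline that can be compared against other evidence from the same host.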