Windows Collections

Windows Evidence List

Category	Name	Collection Type
System	Clipboard	Parsed & presented in Investigation Hub
System	Crash Dump Information	**File path shown in Investigation Hub
System	Recycle Bin Information	Parsed & presented in Investigation Hub
System	System Restore Points Information	Parsed & presented in Investigation Hub
System	Drivers List	Parsed & presented in Investigation Hub
System	Process and Modules	Parsed & presented in Investigation Hub
System	Antivirus Information	Parsed & presented in Investigation Hub
System	DNS Servers	Parsed & presented in Investigation Hub
System	Proxy List	Parsed & presented in Investigation Hub
System	Installed Applications	Parsed & presented in Investigation Hub
System	Firewall Rules	Parsed & presented in Investigation Hub
System	USB Storage History	Parsed & presented in Investigation Hub
System	Downloaded Files Information	Parsed & presented in Investigation Hub
System	Shadow Copy as CSV	Parsed & saved as CSV
System	EventTranscript DB	Parsed & presented in Investigation Hub
System	Users	Parsed & presented in Investigation Hub
System	Windows Timeline	Parsed & presented in Investigation Hub
System	LNK Files	Parsed & presented in Investigation Hub
System	User Access Logs (UAL)	Parsed & presented in Investigation Hub
System	SAM Users and Groups	Parsed & presented in Investigation Hub
System	Wireless Connection History	Parsed & presented in Investigation Hub
System	Windows Error Reporting Files	File collected
System	Winrar History	Parsed & presented in Investigation Hub
Persistence	WMI Active Script Event Consumers	File collected
Persistence	WMI Command Line Event Consumers	File collected
Persistence	Registry Items	Parsed & presented in Investigation Hub
Persistence	Scheduled Tasks	Parsed & presented in Investigation Hub
Persistence	Service List	Parsed & presented in Investigation Hub
Persistence	Startup Items	Parsed & presented in Investigation Hub
Disk	Volumes Information	Parsed & presented in Investigation Hub
Disk	MBR	Parsed & presented in Investigation Hub
Memory	RAM Image	File collected
Memory	Page File	File collected
Memory	Swap File	File collected
Memory	Hibernation File	File collected
Browser	Default Browser	Parsed & presented in Investigation Hub
Browser	Chrome Bookmarks	Parsed & presented in Investigation Hub
Browser	Chrome Cookies	Parsed & presented in Investigation Hub
Browser	Chrome User Profiles	Parsed & presented in Investigation Hub
Browser	Chrome Extensions	Parsed & presented in Investigation Hub
Browser	Chrome Local Storage	Parsed & presented in Investigation Hub
Browser	Chrome IndexedDB	Parsed & presented in Investigation Hub
Browser	Chrome Web Storage	Parsed & presented in Investigation Hub
Browser	Chrome Form History	Parsed & presented in Investigation Hub
Browser	Chrome Thumbnails	Parsed & presented in Investigation Hub
Browser	Chrome Favicons	Parsed & presented in Investigation Hub
Browser	Chrome Sessions	Parsed & presented in Investigation Hub
Browser	Chrome Login Data	Parsed & presented in Investigation Hub
Browser	Chrome Browsing History	Parsed & presented in Investigation Hub
Browser	Firefox Browsing History	Parsed & presented in Investigation Hub
Browser	IE 7,8,9 Browsing History	Parsed & presented in Investigation Hub
Browser	IE 10,11, Edge Browsing History	Parsed & presented in Investigation Hub
Browser	Opera Browsing History	Parsed & presented in Investigation Hub
Browser	Brave Browsing History	Parsed & presented in Investigation Hub
Browser	Vivaldi Browsing History	Parsed & presented in Investigation Hub
Browser	Chrome Downloads	Parsed & presented in Investigation Hub
Browser	Edge Downloads	Parsed & presented in Investigation Hub
Browser	Firefox Downloads	Parsed & presented in Investigation Hub
Browser	Opera Downloads	Parsed & presented in Investigation Hub
Browser	Brave Downloads	Parsed & presented in Investigation Hub
Browser	Vivaldi Downloads	Parsed & presented in Investigation Hub
Browser	QQ Downloads	Parsed & presented in Investigation Hub
Browser	Firefox Cookies	Parsed & presented in Investigation Hub
NTFS	$MFT as CSV	Parsed & saved as CSV
NTFS	$MFT	File collected
NTFS	$MFT Mirror	File collected
NTFS	USN Journal as CSV	Parsed & saved as CSV
NTFS	$Log File	File collected
NTFS	$USN Journal	File collected
NTFS	$Boot	File collected
NTFS	USN Journal $Max	File collected
NTFS	$Secure:$SDS	File collected
NTFS	$TxfLog $Top:$T	File collected
Registry	Registry Hives	File collected
Registry	Old Registry Hives	File collected
Registry	ShellBags	Parsed & presented in Investigation Hub
Registry	AppCompactCache	Parsed & presented in Investigation Hub
Registry	UserAssist	Parsed & presented in Investigation Hub
Registry	TypedPaths	Parsed & presented in Investigation Hub
Registry	FirstFolder	Parsed & presented in Investigation Hub
Registry	RecentDocs	Parsed & presented in Investigation Hub
Registry	WordWheelQuery	Parsed & presented in Investigation Hub
Registry	FileExts	Parsed & presented in Investigation Hub
Registry	ShellFolders	Parsed & presented in Investigation Hub
Registry	RunMRU	Parsed & presented in Investigation Hub
Registry	Map Network Drive MRU	Parsed & presented in Investigation Hub
Registry	TypedURLs	Parsed & presented in Investigation Hub
Registry	OfficeMRU	Parsed & presented in Investigation Hub
Registry	AppPaths	Parsed & presented in Investigation Hub
Registry	CIDSizeMRU	Parsed & presented in Investigation Hub
Registry	LastVisitedPidlMRU	Parsed & presented in Investigation Hub
Registry	OpenSavePidlMRU	Parsed & presented in Investigation Hub
Network	DNS Cache	Parsed & presented in Investigation Hub
Network	TCP Table	Parsed & presented in Investigation Hub
Network	UDP Table	Parsed & presented in Investigation Hub
Network	ARP Table	Parsed & presented in Investigation Hub
Network	IPv4 Routes	Parsed & presented in Investigation Hub
Network	Network Adapters	Parsed & presented in Investigation Hub
Network	Network Shares	Parsed & presented in Investigation Hub
Network	Hosts	File collected
Event Logs	EVT Files	File collected
Event Logs	EVTX Files	File collected
Event Logs	EVT Records	Parsed & presented in Investigation Hub
Process Execution	Prefetch Files	Parsed & presented in Investigation Hub
Process Execution	SRUM	Parsed & presented in Investigation Hub
Process Execution	Activities DB	Parsed & presented in Investigation Hub
Process Execution	AmCache	Parsed & presented in Investigation Hub
Process Execution	Recent File Cache	File collected
Process Execution	Parse LNK Files	Parsed & presented in Investigation Hub
Process Execution	Collect LNK Files	File collected
Other Evidence	ETL	File collected
Other Evidence	CLR	File collected
Other Evidence	Jump List	File collected
Other Evidence	LNK Files	Parsed & presented in Investigation Hub
Other Evidence	Windows Index Search	File collected
Other Evidence	Superfetch	File collected
Other Evidence	WBEM	File collected
Other Evidence	INF Setup	File collected
Other Evidence	SDB	File collected
Other Evidence	Powershell	File collected
Other Evidence	Thumbcache	File collected
Other Evidence	Iconcache	File collected
Other Evidence	RDP Cache	File collected

Category

Name

Collection Type

System

Clipboard

Parsed & presented in Investigation Hub

System

Crash Dump Information

**File path shown in Investigation Hub

System

Recycle Bin Information

Parsed & presented in Investigation Hub

System

System Restore Points Information

Parsed & presented in Investigation Hub

System

Drivers List

Parsed & presented in Investigation Hub

System

Process and Modules

Parsed & presented in Investigation Hub

System

Antivirus Information

Parsed & presented in Investigation Hub

System

DNS Servers

Parsed & presented in Investigation Hub

System

Proxy List

Parsed & presented in Investigation Hub

System

Installed Applications

Parsed & presented in Investigation Hub

System

Firewall Rules

Parsed & presented in Investigation Hub

System

USB Storage History

Parsed & presented in Investigation Hub

System

Downloaded Files Information

Parsed & presented in Investigation Hub

System

Shadow Copy as CSV

Parsed & saved as CSV

System

EventTranscript DB

Parsed & presented in Investigation Hub

System

Users

Parsed & presented in Investigation Hub

System

Windows Timeline

Parsed & presented in Investigation Hub

System

LNK Files

Parsed & presented in Investigation Hub

System

User Access Logs (UAL)

Parsed & presented in Investigation Hub

System

SAM Users and Groups

Parsed & presented in Investigation Hub

System

Wireless Connection History

Parsed & presented in Investigation Hub

System

Windows Error Reporting Files

File collected

System

Winrar History

Parsed & presented in Investigation Hub

Persistence

WMI Active Script Event Consumers

File collected

Persistence

WMI Command Line Event Consumers

File collected

Persistence

Registry Items

Parsed & presented in Investigation Hub

Persistence

Scheduled Tasks

Parsed & presented in Investigation Hub

Persistence

Service List

Parsed & presented in Investigation Hub

Persistence

Startup Items

Parsed & presented in Investigation Hub

Disk

Volumes Information

Parsed & presented in Investigation Hub

Disk

MBR

Parsed & presented in Investigation Hub

Memory

RAM Image

File collected

Memory

Page File

File collected

Memory

Swap File

File collected

Memory

Hibernation File

File collected

Browser

Default Browser

Parsed & presented in Investigation Hub

Browser

Chrome Bookmarks

Parsed & presented in Investigation Hub

Browser

Chrome Cookies

Parsed & presented in Investigation Hub

Browser

Chrome User Profiles

Parsed & presented in Investigation Hub

Browser

Chrome Extensions

Parsed & presented in Investigation Hub

Browser

Chrome Local Storage

Parsed & presented in Investigation Hub

Browser

Chrome IndexedDB

Parsed & presented in Investigation Hub

Browser

Chrome Web Storage

Parsed & presented in Investigation Hub

Browser

Chrome Form History

Parsed & presented in Investigation Hub

Browser

Chrome Thumbnails

Parsed & presented in Investigation Hub

Browser

Chrome Favicons

Parsed & presented in Investigation Hub

Browser

Chrome Sessions

Parsed & presented in Investigation Hub

Browser

Chrome Login Data

Parsed & presented in Investigation Hub

Browser

Chrome Browsing History

Parsed & presented in Investigation Hub

Browser

Firefox Browsing History

Parsed & presented in Investigation Hub

Browser

IE 7,8,9 Browsing History

Parsed & presented in Investigation Hub

Browser

IE 10,11, Edge Browsing History

Parsed & presented in Investigation Hub

Browser

Opera Browsing History

Parsed & presented in Investigation Hub

Browser

Brave Browsing History

Parsed & presented in Investigation Hub

Browser

Vivaldi Browsing History

Parsed & presented in Investigation Hub

Browser

Chrome Downloads

Parsed & presented in Investigation Hub

Browser

Edge Downloads

Parsed & presented in Investigation Hub

Browser

Firefox Downloads

Parsed & presented in Investigation Hub

Browser

Opera Downloads

Parsed & presented in Investigation Hub

Browser

Brave Downloads

Parsed & presented in Investigation Hub

Browser

Vivaldi Downloads

Parsed & presented in Investigation Hub

Browser

QQ Downloads

Parsed & presented in Investigation Hub

Browser

Firefox Cookies

Parsed & presented in Investigation Hub

NTFS

$MFT as CSV

Parsed & saved as CSV

NTFS

$MFT

File collected

NTFS

$MFT Mirror

File collected

NTFS

USN Journal as CSV

Parsed & saved as CSV

NTFS

$Log File

File collected

NTFS

$USN Journal

File collected

NTFS

$Boot

File collected

NTFS

USN Journal $Max

File collected

NTFS

$Secure:$SDS

File collected

NTFS

$TxfLog $Top:$T

File collected

Registry

Registry Hives

File collected

Registry

Old Registry Hives

File collected

Registry

ShellBags

Parsed & presented in Investigation Hub

Registry

AppCompactCache

Parsed & presented in Investigation Hub

Registry

UserAssist

Parsed & presented in Investigation Hub

Registry

TypedPaths

Parsed & presented in Investigation Hub

Registry

FirstFolder

Parsed & presented in Investigation Hub

Registry

RecentDocs

Parsed & presented in Investigation Hub

Registry

WordWheelQuery

Parsed & presented in Investigation Hub

Registry

FileExts

Parsed & presented in Investigation Hub

Registry

ShellFolders

Parsed & presented in Investigation Hub

Registry

RunMRU

Parsed & presented in Investigation Hub

Registry

Map Network Drive MRU

Parsed & presented in Investigation Hub

Registry

TypedURLs

Parsed & presented in Investigation Hub

Registry

OfficeMRU

Parsed & presented in Investigation Hub

Registry

AppPaths

Parsed & presented in Investigation Hub

Registry

CIDSizeMRU

Parsed & presented in Investigation Hub

Registry

LastVisitedPidlMRU

Parsed & presented in Investigation Hub

Registry

OpenSavePidlMRU

Parsed & presented in Investigation Hub

Network

DNS Cache

Parsed & presented in Investigation Hub

Network

TCP Table

Parsed & presented in Investigation Hub

Network

UDP Table

Parsed & presented in Investigation Hub

Network

ARP Table

Parsed & presented in Investigation Hub

Network

IPv4 Routes

Parsed & presented in Investigation Hub

Network

Network Adapters

Parsed & presented in Investigation Hub

Network

Network Shares

Parsed & presented in Investigation Hub

Network

Hosts

File collected

Event Logs

EVT Files

File collected

Event Logs

EVTX Files

File collected

Event Logs

EVT Records

Parsed & presented in Investigation Hub

Process Execution

Prefetch Files

Parsed & presented in Investigation Hub

Process Execution

SRUM

Parsed & presented in Investigation Hub

Process Execution

Activities DB

Parsed & presented in Investigation Hub

Process Execution

AmCache

Parsed & presented in Investigation Hub

Process Execution

Recent File Cache

File collected

Process Execution

Parse LNK Files

Parsed & presented in Investigation Hub

Process Execution

Collect LNK Files

File collected

Other Evidence

ETL

File collected

Other Evidence

CLR

File collected

Other Evidence

Jump List

File collected

Other Evidence

LNK Files

Parsed & presented in Investigation Hub

Other Evidence

Windows Index Search

File collected

Other Evidence

Superfetch

File collected

Other Evidence

WBEM

File collected

Other Evidence

INF Setup

File collected

Other Evidence

SDB

File collected

Other Evidence

Powershell

File collected

Other Evidence

Thumbcache

File collected

Other Evidence

Iconcache

File collected

Other Evidence

RDP Cache

File collected