Windows Collections
Windows Evidence List
Category | Name | Collection Type |
---|---|---|
System | Clipboard | Parsed & presented in Investigation Hub |
System | Crash Dump Information | File path shown in Investigation Hub |
System | Recycle Bin Information | Parsed & presented in Investigation Hub |
System | System Restore Points Information | Parsed & presented in Investigation Hub |
System | Drivers List | Parsed & presented in Investigation Hub |
System | Process and Modules | Parsed & presented in Investigation Hub |
System | Antivirus Information | Parsed & presented in Investigation Hub |
System | DNS Servers | Parsed & presented in Investigation Hub |
System | Proxy List | Parsed & presented in Investigation Hub |
System | Installed Applications | Parsed & presented in Investigation Hub |
System | Firewall Rules | Parsed & presented in Investigation Hub |
System | USB Storage History | Parsed & presented in Investigation Hub |
System | Downloaded Files Information | Parsed & presented in Investigation Hub |
System | Shadow Copy as CSV | Parsed & saved as CSV |
System | EventTranscript DB | Parsed & presented in Investigation Hub |
System | Users | Parsed & presented in Investigation Hub |
System | Windows Timeline | Parsed & presented in Investigation Hub |
System | LNK Files | Parsed & presented in Investigation Hub |
System | User Access Logs (UAL) | Parsed & presented in Investigation Hub |
System | SAM Users and Groups | Parsed & presented in Investigation Hub |
System | Wireless Connection History | Parsed & presented in Investigation Hub |
System | Windows Error Reporting Files | File collected |
System | WinRAR History | Parsed & presented in Investigation Hub |
Persistence | WMI Active Script Event Consumers | File collected |
Persistence | WMI Command Line Event Consumers | File collected |
Persistence | Registry Items | Parsed & presented in Investigation Hub |
Persistence | Scheduled Tasks | Parsed & presented in Investigation Hub |
Persistence | Service List | Parsed & presented in Investigation Hub |
Persistence | Startup Items | Parsed & presented in Investigation Hub |
Disk | Volumes Information | Parsed & presented in Investigation Hub |
Disk | MBR | Parsed & presented in Investigation Hub |
Memory | RAM Image | File collected |
Memory | Page File | File collected |
Memory | Swap File | File collected |
Memory | Hibernation File | File collected |
Browser | Default Browser | Parsed & presented in Investigation Hub |
Browser | Chrome Bookmarks | Parsed & presented in Investigation Hub |
Browser | Chrome Cookies | Parsed & presented in Investigation Hub |
Browser | Chrome User Profiles | Parsed & presented in Investigation Hub |
Browser | Chrome Extensions | Parsed & presented in Investigation Hub |
Browser | Chrome Local Storage | Parsed & presented in Investigation Hub |
Browser | Chrome IndexedDB | Parsed & presented in Investigation Hub |
Browser | Chrome Web Storage | Parsed & presented in Investigation Hub |
Browser | Chrome Form History | Parsed & presented in Investigation Hub |
Browser | Chrome Thumbnails | Parsed & presented in Investigation Hub |
Browser | Chrome Favicons | Parsed & presented in Investigation Hub |
Browser | Chrome Sessions | Parsed & presented in Investigation Hub |
Browser | Chrome Login Data | Parsed & presented in Investigation Hub |
Browser | Chrome Browsing History | Parsed & presented in Investigation Hub |
Browser | Firefox Browsing History | Parsed & presented in Investigation Hub |
Browser | IE 7, 8, 9 Browsing History | Parsed & presented in Investigation Hub |
Browser | IE 10, 11, Edge Browsing History | Parsed & presented in Investigation Hub |
Browser | Opera Browsing History | Parsed & presented in Investigation Hub |
Browser | Brave Browsing History | Parsed & presented in Investigation Hub |
Browser | Vivaldi Browsing History | Parsed & presented in Investigation Hub |
Browser | Chrome Downloads | Parsed & presented in Investigation Hub |
Browser | Edge Downloads | Parsed & presented in Investigation Hub |
Browser | Firefox Downloads | Parsed & presented in Investigation Hub |
Browser | Opera Downloads | Parsed & presented in Investigation Hub |
Browser | Brave Downloads | Parsed & presented in Investigation Hub |
Browser | Vivaldi Downloads | Parsed & presented in Investigation Hub |
Browser | QQ Downloads | Parsed & presented in Investigation Hub |
Browser | Firefox Cookies | Parsed & presented in Investigation Hub |
NTFS | $MFT as CSV | Parsed & saved as CSV |
NTFS | $MFT | File collected |
NTFS | $MFT Mirror | File collected |
NTFS | USN Journal as CSV | Parsed & saved as CSV |
NTFS | $Log File | File collected |
NTFS | $USN Journal | File collected |
NTFS | $Boot | File collected |
NTFS | USN Journal $Max | File collected |
NTFS | $Secure:$SDS | File collected |
NTFS | $TxfLog $Top:$T | File collected |
Registry | Registry Hives | File collected |
Registry | Old Registry Hives | File collected |
Registry | ShellBags | Parsed & presented in Investigation Hub |
Registry | AppCompatCache | Parsed & presented in Investigation Hub |
Registry | UserAssist | Parsed & presented in Investigation Hub |
Registry | TypedPaths | Parsed & presented in Investigation Hub |
Registry | FirstFolder | Parsed & presented in Investigation Hub |
Registry | RecentDocs | Parsed & presented in Investigation Hub |
Registry | WordWheelQuery | Parsed & presented in Investigation Hub |
Registry | FileExts | Parsed & presented in Investigation Hub |
Registry | ShellFolders | Parsed & presented in Investigation Hub |
Registry | RunMRU | Parsed & presented in Investigation Hub |
Registry | Map Network Drive MRU | Parsed & presented in Investigation Hub |
Registry | TypedURLs | Parsed & presented in Investigation Hub |
Registry | OfficeMRU | Parsed & presented in Investigation Hub |
Registry | AppPaths | Parsed & presented in Investigation Hub |
Registry | CIDSizeMRU | Parsed & presented in Investigation Hub |
Registry | LastVisitedPidlMRU | Parsed & presented in Investigation Hub |
Registry | OpenSavePidlMRU | Parsed & presented in Investigation Hub |
Network | DNS Cache | Parsed & presented in Investigation Hub |
Network | TCP Table | Parsed & presented in Investigation Hub |
Network | UDP Table | Parsed & presented in Investigation Hub |
Network | ARP Table | Parsed & presented in Investigation Hub |
Network | IPv4 Routes | Parsed & presented in Investigation Hub |
Network | Network Adapters | Parsed & presented in Investigation Hub |
Network | Network Shares | Parsed & presented in Investigation Hub |
Network | Hosts | File collected |
Event Logs | EVT Files | File collected |
Event Logs | EVTX Files | File collected |
Event Logs | EVT Records | Parsed & presented in Investigation Hub |
Process Execution | Prefetch Files | Parsed & presented in Investigation Hub |
Process Execution | SRUM | Parsed & presented in Investigation Hub |
Process Execution | Activities DB | Parsed & presented in Investigation Hub |
Process Execution | AmCache | Parsed & presented in Investigation Hub |
Process Execution | Recent File Cache | File collected |
Process Execution | Parse LNK Files | Parsed & presented in Investigation Hub |
Process Execution | Collect LNK Files | File collected |
Other Evidence | ETL | File collected |
Other Evidence | CLR | File collected |
Other Evidence | Jump List | File collected |
Other Evidence | LNK Files | Parsed & presented in Investigation Hub |
Other Evidence | Windows Index Search | File collected |
Other Evidence | Superfetch | File collected |
Other Evidence | WBEM | File collected |
Other Evidence | INF Setup | File collected |
Other Evidence | SDB | File collected |
Other Evidence | PowerShell | File collected |
Other Evidence | Thumbcache | File collected |
Other Evidence | Iconcache | File collected |
Other Evidence | RDP Cache | File collected |
Windows Artifact List
Category | Name | Collection Type |
---|---|---|
Server | Apache Logs | File collected |
Server | MongoDB Logs | File collected |
Server | IIS Logs | File collected |
Server | MSSQL Logs | File collected |
Server | Microsoft Exchange Logs | File collected |
Server | DHCP Server Logs | File collected |
Server | DNS Server Logs | File collected |
Server | Active Directory Logs | File collected |
Microsoft Applications | Microsoft Photos | File collected |
Microsoft Applications | Cortana History | File collected |
Microsoft Applications | Microsoft Store Applications List | File collected |
Microsoft Applications | Microsoft Sticky Notes | File collected |
Microsoft Applications | Microsoft Maps | File collected |
Microsoft Applications | Microsoft Voice Record History | File collected |
Microsoft Applications | Windows Notification History | File collected |
Microsoft Applications | Search History | File collected |
Microsoft Applications | Microsoft People | File collected |
Microsoft Applications | Microsoft Calendar | File collected |
Communication | AnyDesk Logs | File collected |
Communication | Discord Desktop Cache | File collected |
Communication | LogMeIn Logs | File collected |
Communication | Microsoft Mail | File collected |
Communication | Microsoft Outlook | File collected |
Communication | Mozilla Thunderbird | File collected |
Communication | RemComSvc Logs | File collected |
Communication | Skype Databases | File collected |
Communication | Skype Media | File collected |
Communication | TeamViewer Logs | File collected |
Communication | Telegram Desktop Data | File collected |
Communication | Telegram Desktop Download | File collected |
Communication | UltraViewer Logs | File collected |
Communication | WhatsApp Desktop Cache | File collected |
Communication | WhatsApp Desktop Cookie | File collected |
Communication | Windows Live Mail User Settings | File collected |
Communication | Zoom Databases | File collected |
Communication | Zoom Media | File collected |
Communication | Xeox Logs | File collected |
Communication | ZohoAssist Logs | File collected |
Communication | Supremo Remote Desktop Logs | File collected |
Communication | TightVNC Logs | File collected |
Communication | Ammyy Admin Logs | File collected |
Communication | GoTo Logs | File collected |
Communication | Kaseya Logs | File collected |
Communication | Level Logs | File collected |
Communication | Remote Utilities Logs | File collected |
Communication | RealVNC Logs | File collected |
Communication | Splashtop Windows Logs | File collected |
Communication | UltraVNC Logs | File collected |
Communication | Action1 RMM Logs | File collected |
Social Artifacts | Twitter Databases | File collected |
Social Artifacts | Twitter Cache | File collected |
Social Artifacts | Facebook Databases | File collected |
Social Artifacts | Facebook Cache | File collected |
Social Artifacts | LinkedIn Cache | File collected |
Social Artifacts | Spotify Recently Played List | File collected |
Social Artifacts | Spotify Cache | File collected |
Productivity Artifacts | Sublime Text Sessions | File collected |
Productivity Artifacts | Notepad++ Sessions | File collected |
Productivity Artifacts | OpenVPN Config | File collected |
Productivity Artifacts | Everything History | File collected |
Productivity Artifacts | Evernote Databases | File collected |
Productivity Artifacts | Evernote Drag and Drop Files | File collected |
Productivity Artifacts | Evernote Logs | File collected |
Utilities Artifacts | iTunes Backups | File collected |
Utilities Artifacts | VMware Config | File collected |
Utilities Artifacts | VMware Drag and Drop Files | File collected |
Utilities Artifacts | VMware Logs | File collected |
Developer Tools | FileZilla Sessions | File collected |
Developer Tools | Visual Studio Team Explorer Config | File collected |
Developer Tools | GitHub Desktop Databases | File collected |
Developer Tools | GitHub Desktop Cache | File collected |
Developer Tools | GitHub Desktop Logs | File collected |
Developer Tools | WSL | File collected |
Developer Tools | Tortoise Git Logs | File collected |
Cloud Artifacts | Google Drive Databases | File collected |
Cloud Artifacts | Dropbox Databases | File collected |
Cloud Artifacts | Dropbox Logs | File collected |
Cloud Artifacts | Dropbox Cache | File collected |
Cloud Artifacts | OneDrive Logs | File collected |
Antivirus Logs | AVG Logs | File collected |
Antivirus Logs | Avast Logs | File collected |
Antivirus Logs | Avira Logs | File collected |
Antivirus Logs | Bitdefender Logs | File collected |
Antivirus Logs | Carbon Black Logs | File collected |
Antivirus Logs | Cisco AMP Logs | File collected |
Antivirus Logs | ComboFix | File collected |
Antivirus Logs | Cybereason Logs | File collected |
Antivirus Logs | Cylance Logs | File collected |
Antivirus Logs | Deep Instinct Logs | File collected |
Antivirus Logs | Elastic Logs | File collected |
Antivirus Logs | ESET Logs | File collected |
Antivirus Logs | F-Secure Logs | File collected |
Antivirus Logs | FireEye Logs | File collected |
Antivirus Logs | HitmanPro Logs | File collected |
Antivirus Logs | Malwarebytes Logs | File collected |
Antivirus Logs | McAfee Logs | File collected |
Antivirus Logs | Palo Alto Logs | File collected |
Antivirus Logs | RogueKiller Reports | File collected |
Antivirus Logs | SentinelOne Logs | File collected |
Antivirus Logs | Sophos Logs | File collected |
Antivirus Logs | Sourcefire FireAMP Logs | File collected |
Antivirus Logs | SUPERAntiSpyware Logs | File collected |
Antivirus Logs | Symantec Logs | File collected |
Antivirus Logs | Tanium Logs | File collected |
Antivirus Logs | TotalAV Logs | File collected |
Antivirus Logs | Trend Micro Logs | File collected |
Antivirus Logs | VIPRE Logs | File collected |
Antivirus Logs | Webroot Logs | File collected |
Antivirus Logs | Windows Defender Logs | File collected |