Evidence Types

Brief overview to Evidence Types

You can use the command line options for enabling each evidence type separately when Custom collection profile is selected by providing --profile custom option.
Name
Long Form
Short Form
Default
Clipboard
--Clipboard
-clp
TRUE
Crash Dump Info
--CrashDumpInfo
-cdi
TRUE
Recycle Bin Info
--RecycleBinInfo
-rbi
TRUE
Restore Point Info
--RestorePointInfo
-rpi
TRUE
Driver Info
--DriverInfo
-dri
TRUE
Process Info
--ProcessInfo
-pri
TRUE
Screenshots
--Screenshots
-scr
TRUE
AntiVirus Info
--AVInfo
-avi
TRUE
DNS Server
--DNSServer
-dnss
TRUE
Proxy Info
--ProxyInfo
-prxy
TRUE
Downloads Info
--DownloadsInfo
-dli
FALSE
Autoruns
--Autoruns
-aui
TRUE
Installed Apps
--InstalledApps
-apps
TRUE
Firewall Rules
--Firewall
-frwl
TRUE
Volume Info
--VolumeInfo
-voli
TRUE
MBR
--MBR
-mbr
FALSE
RAM
--RAM
-ram
TRUE
PageFile
--PageFile
-pgf
TRUE
SwapFile
--SwapFile
-swp
FALSE
Hibernation File
--HibernationFile
-hbr
FALSE
Chrome History
--ChromeHistory
-chst
TRUE
Firefox History
--FirefoxHistory
-fhst
TRUE
IE History
--InternetExplorerHistory
-ihst
TRUE
Edge History
--EdgeHistory
-ehst
TRUE
Opera History
--OperaHistory
-ohst
TRUE
MFT as CSV
--MFTCsv
-mftcsv
TRUE
MFT as Binary
--MFTBin
-mft
FALSE
MFT Mirror
--MFTMirr
-mftmir
FALSE
Ntfs LogFile
--NtfsLogFile
-ntfslog
TRUE
Ntfs UsnJournal
--NtfsUsnJournal
-usnjrn
TRUE
Registry Hives
--Hives
-hiv
TRUE
Registry Hives (Windows.Old)
--HivesOld
-hivold
TRUE
ShellBags
--ShellBags
-sbgs
TRUE
App Compat Cache
--AppCompatCache
-appcc
TRUE
DNS Cache
--DNSCache
-dnsc
TRUE
TCP Table
--TCPTable
-tcpt
TRUE
UDP Table
--UDPTable
-udpt
TRUE
ARP Table
--ARPTable
-arpt
TRUE
IPv4 Routes
--IPv4Routes
-ipv4
TRUE
Network Adapters
--NetworkAdapters
-netadp
TRUE
Network Shares
--NetworkShares
-netshr
TRUE
Hosts File
--HostsFile
-hosts
TRUE
EVT
--EVT
-evt
TRUE
EVTX
--EVTX
-evtx
TRUE
Event Records
--EVTR
-evtr
TRUE
WMI Active Script
--WMIActiveScript
-wmiasc
TRUE
WMI Command Line
--WMICommandLine
-wmicec
TRUE
Prefetch
--Prefetch
-pf
TRUE
SRUM
--Srum
-srum
TRUE
Activities DB
--ActivitiesDb
-adb
TRUE
AmCache
--AmCache
-amc
TRUE
RecentFileCache
--RecentFileCache
-rfc
TRUE
ETL
--ETL
-etl
FALSE
CLR
--CLR
-clr
FALSE
JumpList
--JumpList
-jmplst
TRUE
LNK Files
--LnkFiles
-lnkf
TRUE
Index Search
--IndexSearch
-indxs
FALSE
SuperFetch
--SuperFetch
-sprf
FALSE
WBEM
--WBEM
-wbem
FALSE
INF LOG
--INFLOG
-infl
FALSE
Shim Database
--SDB
-sdb
FALSE
Powershell
--Powershell
-pwrs
TRUE
Thumb Cache
--Thumbcache
-tc
FALSE
Icon Cache
--Iconcache
-ic
FALSE
RDP Cache
--RDPcache
-rdpc
FALSE
​

TACTICAL - Previous

Command Line Options

Next - TACTICAL

Artifact Types

Last modified 1yr ago

Name	Long Form	Short Form	Default
Clipboard	--Clipboard	-clp	TRUE
Crash Dump Info	--CrashDumpInfo	-cdi	TRUE
Recycle Bin Info	--RecycleBinInfo	-rbi	TRUE
Restore Point Info	--RestorePointInfo	-rpi	TRUE
Driver Info	--DriverInfo	-dri	TRUE
Process Info	--ProcessInfo	-pri	TRUE
Screenshots	--Screenshots	-scr	TRUE
AntiVirus Info	--AVInfo	-avi	TRUE
DNS Server	--DNSServer	-dnss	TRUE
Proxy Info	--ProxyInfo	-prxy	TRUE
Downloads Info	--DownloadsInfo	-dli	FALSE
Autoruns	--Autoruns	-aui	TRUE
Installed Apps	--InstalledApps	-apps	TRUE
Firewall Rules	--Firewall	-frwl	TRUE
Volume Info	--VolumeInfo	-voli	TRUE
MBR	--MBR	-mbr	FALSE
RAM	--RAM	-ram	TRUE
PageFile	--PageFile	-pgf	TRUE
SwapFile	--SwapFile	-swp	FALSE
Hibernation File	--HibernationFile	-hbr	FALSE
Chrome History	--ChromeHistory	-chst	TRUE
Firefox History	--FirefoxHistory	-fhst	TRUE
IE History	--InternetExplorerHistory	-ihst	TRUE
Edge History	--EdgeHistory	-ehst	TRUE
Opera History	--OperaHistory	-ohst	TRUE
MFT as CSV	--MFTCsv	-mftcsv	TRUE
MFT as Binary	--MFTBin	-mft	FALSE
MFT Mirror	--MFTMirr	-mftmir	FALSE
Ntfs LogFile	--NtfsLogFile	-ntfslog	TRUE
Ntfs UsnJournal	--NtfsUsnJournal	-usnjrn	TRUE
Registry Hives	--Hives	-hiv	TRUE
Registry Hives (Windows.Old)	--HivesOld	-hivold	TRUE
ShellBags	--ShellBags	-sbgs	TRUE
App Compat Cache	--AppCompatCache	-appcc	TRUE
DNS Cache	--DNSCache	-dnsc	TRUE
TCP Table	--TCPTable	-tcpt	TRUE
UDP Table	--UDPTable	-udpt	TRUE
ARP Table	--ARPTable	-arpt	TRUE
IPv4 Routes	--IPv4Routes	-ipv4	TRUE
Network Adapters	--NetworkAdapters	-netadp	TRUE
Network Shares	--NetworkShares	-netshr	TRUE
Hosts File	--HostsFile	-hosts	TRUE
EVT	--EVT	-evt	TRUE
EVTX	--EVTX	-evtx	TRUE
Event Records	--EVTR	-evtr	TRUE
WMI Active Script	--WMIActiveScript	-wmiasc	TRUE
WMI Command Line	--WMICommandLine	-wmicec	TRUE
Prefetch	--Prefetch	-pf	TRUE
SRUM	--Srum	-srum	TRUE
Activities DB	--ActivitiesDb	-adb	TRUE
AmCache	--AmCache	-amc	TRUE
RecentFileCache	--RecentFileCache	-rfc	TRUE
ETL	--ETL	-etl	FALSE
CLR	--CLR	-clr	FALSE
JumpList	--JumpList	-jmplst	TRUE
LNK Files	--LnkFiles	-lnkf	TRUE
Index Search	--IndexSearch	-indxs	FALSE
SuperFetch	--SuperFetch	-sprf	FALSE
WBEM	--WBEM	-wbem	FALSE
INF LOG	--INFLOG	-infl	FALSE
Shim Database	--SDB	-sdb	FALSE
Powershell	--Powershell	-pwrs	TRUE
Thumb Cache	--Thumbcache	-tc	FALSE
Icon Cache	--Iconcache	-ic	FALSE
RDP Cache	--RDPcache	-rdpc	FALSE