From a889cdd1ed023ccf15224b522d8a49e06672cd85 Mon Sep 17 00:00:00 2001 
From: Mike Cohen Date: Sat, 31 Aug 2024 16:14:21 +1000 Subject: [PATCH] Updated References (#904) --- .wordlist.txt | 3 + .../pages/admin.client.remove.md | 6 +- .../pages/admin.events.postprocessuploads.md | 4 +- .../pages/generic.client.cleanuptemp.md | 3 +- .../pages/generic.client.info.md | 5 + .../pages/generic.client.locallogs.md | 12 +- .../generic.network.interfaceaddresses.md | 6 +- .../pages/linux.debian.packages.md | 180 +- .../pages/linux.forensics.journal.md | 88 +- .../pages/linux.ssh.authorizedkeys.md | 67 +- .../pages/linux.utils.installdeb.md | 193 + .../pages/notebooks.timelines.md | 67 + .../pages/server.import.artifactexchange.md | 48 +- .../pages/server.internal.clientscheduled.md | 24 + .../pages/server.internal.timelineadd.md | 29 + .../pages/server.internal.tooldependencies.md | 22 +- .../pages/server.monitor.health.md | 2 +- .../server.monitoring.timesketchupload.md | 60 + .../pages/server.utils.addtimeline.md | 3 + .../pages/server.utils.createcollector.md | 20 +- .../pages/server.utils.createmsi.md | 27 +- .../pages/server.utils.deletemanyflows.md | 6 +- .../pages/server.utils.timesketchupload.md | 157 + .../pages/windows.carving.usn.md | 190 +- .../pages/windows.eventlogs.evtxhunter.md | 5 +- .../pages/windows.forensics.rdpcache.md | 159 +- .../pages/windows.forensics.shellbags.md | 2 +- .../pages/windows.forensics.srum.md | 40 +- .../pages/windows.forensics.usn.md | 116 +- .../pages/windows.kapefiles.remapping.md | 181 + .../pages/windows.kapefiles.targets.md | 3145 ++++++++-------- .../pages/windows.memory.acquisition.md | 77 +- .../pages/windows.sys.allusers.md | 14 +- .../pages/windows.sys.users.md | 5 +- .../deployment/references/_reference.html | 560 +-- .../tips/collect_artifact_unknown.md | 86 + .../knowledge_base/tips/deleting_old_data.md | 2 + content/vql_reference/basic/_index.md | 2 +- content/vql_reference/basic/array/_index.md | 44 +- content/vql_reference/basic/atexit/_index.md | 3 +- 
.../vql_reference/basic/timestamp/_index.md | 21 +- .../vql_reference/event/watch_etw/_index.md | 3 + content/vql_reference/misc/_index.md | 14 + .../vql_reference/misc/carve_usn/_index.md | 51 + content/vql_reference/misc/link_to/_index.md | 34 + .../vql_reference/misc/notebook_get/_index.md | 1 + .../misc/notebook_update/_index.md | 35 + .../misc/parse_journald/_index.md | 32 + .../misc/profile_goroutines/_index.md | 7 + content/vql_reference/misc/query/_index.md | 114 + .../vql_reference/misc/similarity/_index.md | 28 + content/vql_reference/misc/threads/_index.md | 30 + .../misc/timeline_delete/_index.md | 31 + .../vql_reference/misc/timelines/_index.md | 30 + .../misc/timestamp_format/_index.md | 47 + .../vql_reference/misc/user_options/_index.md | 51 + .../misc/watch_journald/_index.md | 32 + content/vql_reference/misc/winpmem/_index.md | 59 + content/vql_reference/misc/yara/_index.md | 40 + .../vql_reference/misc/yara_lint/_index.md | 43 + content/vql_reference/parsers/_index.md | 2 +- .../parsers/parse_ntfs/_index.md | 19 +- .../parsers/parse_ntfs_i30/_index.md | 4 + .../parsers/parse_ntfs_ranges/_index.md | 5 + .../vql_reference/parsers/parse_usn/_index.md | 23 +- content/vql_reference/plugin/_index.md | 1 - .../vql_reference/plugin/collect/_index.md | 1 + .../vql_reference/server/clients/_index.md | 2 - .../server/splunk_upload/_index.md | 6 +- .../vql_reference/server/timeline/_index.md | 1 + .../server/timeline_add/_index.md | 8 +- static/artifact_reference/data.json | 91 +- static/kb/data.json | 20 +- static/reference/data.json | 3261 +++++++++++++++-- 74 files changed, 7328 insertions(+), 2482 deletions(-) create mode 100644 content/artifact_references/pages/linux.utils.installdeb.md create mode 100644 content/artifact_references/pages/notebooks.timelines.md create mode 100644 content/artifact_references/pages/server.internal.clientscheduled.md create mode 100644 content/artifact_references/pages/server.internal.timelineadd.md create mode 100644 
content/artifact_references/pages/server.monitoring.timesketchupload.md create mode 100644 content/artifact_references/pages/server.utils.timesketchupload.md create mode 100644 content/artifact_references/pages/windows.kapefiles.remapping.md create mode 100644 content/knowledge_base/tips/collect_artifact_unknown.md create mode 100644 content/vql_reference/misc/carve_usn/_index.md create mode 100644 content/vql_reference/misc/link_to/_index.md create mode 100644 content/vql_reference/misc/notebook_update/_index.md create mode 100644 content/vql_reference/misc/parse_journald/_index.md create mode 100644 content/vql_reference/misc/similarity/_index.md create mode 100644 content/vql_reference/misc/threads/_index.md create mode 100644 content/vql_reference/misc/timeline_delete/_index.md create mode 100644 content/vql_reference/misc/timelines/_index.md create mode 100644 content/vql_reference/misc/timestamp_format/_index.md create mode 100644 content/vql_reference/misc/user_options/_index.md create mode 100644 content/vql_reference/misc/watch_journald/_index.md create mode 100644 content/vql_reference/misc/winpmem/_index.md create mode 100644 content/vql_reference/misc/yara/_index.md create mode 100644 content/vql_reference/misc/yara_lint/_index.md
diff --git a/.wordlist.txt b/.wordlist.txt
index bfe2bb34503..7cb36ce67cb 100644
--- a/.wordlist.txt
+++ b/.wordlist.txt
@@ -1538,3 +1538,6 @@ reliancecyber
 vvv
 wsarecv
 OpenSSL
+
+journald
+lang
diff --git a/content/artifact_references/pages/admin.client.remove.md b/content/artifact_references/pages/admin.client.remove.md
index 5925c01e680..1fa58bf37f1 100644
--- a/content/artifact_references/pages/admin.client.remove.md
+++ b/content/artifact_references/pages/admin.client.remove.md
@@ -24,15 +24,17 @@ parameters: - name: Age description: Remove clients older than this many days default: "7" + type: int - name: ReallyDoIt type: bool sources: - query: | + LET Threshold <= timestamp(epoch=now() - Age * 3600 * 24 ) LET old_clients = SELECT os_info.fqdn AS Fqdn, client_id, - timestamp(epoch=last_seen_at/1000000) AS LastSeen FROM clients() - WHERE LastSeen < now() - ( atoi(string=Age) * 3600 * 24 ) + timestamp(epoch=last_seen_at) AS LastSeen FROM clients() + WHERE LastSeen < Threshold SELECT * FROM foreach(row=old_clients, query={ diff --git a/content/artifact_references/pages/admin.events.postprocessuploads.md b/content/artifact_references/pages/admin.events.postprocessuploads.md index b75745c71d5..a177db5a85b 100644 --- a/content/artifact_references/pages/admin.events.postprocessuploads.md +++ b/content/artifact_references/pages/admin.events.postprocessuploads.md @@ -37,6 +37,7 @@ required_permissions: parameters: - name: uploadPostProcessCommand + type: json_array description: | The command to run - must be a json array of strings! The list of files will be appended to the end of the command. @@ -51,8 +52,7 @@ parameters: sources: - query: | LET files = SELECT Flow, - array(a1=parse_json_array(data=uploadPostProcessCommand), - a2=file_store(path=Flow.uploaded_files)) as Argv + uploadPostProcessCommand + file_store(path=Flow.uploaded_files) AS Argv FROM watch_monitoring(artifact='System.Flow.Completion') WHERE uploadPostProcessArtifact in Flow.artifacts_with_results diff --git a/content/artifact_references/pages/generic.client.cleanuptemp.md b/content/artifact_references/pages/generic.client.cleanuptemp.md index bbc9ad1051f..a7ec1f32c7b 100644 --- a/content/artifact_references/pages/generic.client.cleanuptemp.md +++ b/content/artifact_references/pages/generic.client.cleanuptemp.md 
@@ -26,10 +26,11 @@ parameters: sources: - query: | + LET Threshold <= timestamp(epoch=now() - AgeSeconds ) SELECT OSPath, Size, Mtime, if(condition=ReadllyDoIt, then=rm(filename=OSPath)) AS Removed FROM glob(globs=expand(path=TempGlob)) - WHERE NOT IsDir AND Mtime < now() - AgeSeconds + WHERE NOT IsDir AND Mtime < Threshold diff --git a/content/artifact_references/pages/generic.client.info.md b/content/artifact_references/pages/generic.client.info.md index ffd27e220b9..5f32bfd4f1f 100644 --- a/content/artifact_references/pages/generic.client.info.md +++ b/content/artifact_references/pages/generic.client.info.md @@ -53,6 +53,11 @@ sources: Interfaces.MAC AS MACAddresses FROM info() + - name: DetailedInfo + query: | + LET Info = SELECT * FROM info() + SELECT _key AS Param, _value AS Value FROM items(item=Info[0]) + - name: LinuxInfo description: Linux specific information about the host precondition: SELECT OS From info() where OS = 'linux' diff --git a/content/artifact_references/pages/generic.client.locallogs.md b/content/artifact_references/pages/generic.client.locallogs.md index 00f1189da43..ec48b56fba2 100644 --- a/content/artifact_references/pages/generic.client.locallogs.md +++ b/content/artifact_references/pages/generic.client.locallogs.md @@ -37,6 +37,16 @@ parameters: description: | By default we do not forward any of the logs to the server but this allows logs to be forwarded as well as written locally. +- name: Component + default: generic + description: The log component to forward (default "generic") + type: choices + choices: + - generic + - client + - frontend + - gui + - api sources: - query: | @@ -47,7 +57,7 @@ sources: filename=expand(path=LocalFilename), query={ SELECT timestamp(epoch=now()) AS Timestamp, * - FROM logging(component="client") + FROM logging(component=Component) }) WHERE AlsoForward 
diff --git a/content/artifact_references/pages/generic.network.interfaceaddresses.md b/content/artifact_references/pages/generic.network.interfaceaddresses.md index 2809e92b4d4..e2752b1c54e 100644 --- a/content/artifact_references/pages/generic.network.interfaceaddresses.md +++ b/content/artifact_references/pages/generic.network.interfaceaddresses.md @@ -20,10 +20,12 @@ aliases: sources: - query: | LET interface_address = - SELECT Index, MTU, Name, HardwareAddr, Flags, Addrs + SELECT Index, MTU, Name, + HardwareAddr.String AS HardwareAddr, + Flags, Addrs from interfaces() - SELECT Index, MTU, Name, HardwareAddr.String As HardwareAddr, + SELECT Index, MTU, Name, HardwareAddr, Flags, Addrs.IP as IP, Addrs.Mask.String as Mask FROM flatten(query=interface_address) diff --git a/content/artifact_references/pages/linux.debian.packages.md b/content/artifact_references/pages/linux.debian.packages.md index 8c887cd7c73..09a6fdfe205 100644 --- a/content/artifact_references/pages/linux.debian.packages.md +++ b/content/artifact_references/pages/linux.debian.packages.md @@ -4,39 +4,169 @@ hidden: true tags: [Client Artifact] --- -Parse dpkg status file. +List all packages installed on the system, both deb packages and "snaps". +The installed deb package information is fetched from the DPKG status file, +while the snap package list is fetched from the snap daemon through a UNIX +socket HTTP call (since detailed snap package information is not easily +in files). + +The following columns are parsed from the DPKG status file: + + - Package + - InstalledSize + - Version + - Source + - _Description + - Architecture + +The following columns are parsed from the snap package response (/v2/snaps): + +- Name +- _Summary +- _Description +- InstalledSize +- Publisher +- InstalledAt +- Version +- Channel + +Both package sources provide more information than this and, and the artifact +can easily be modified to include more details. +

 name: Linux.Debian.Packages
-description: Parse dpkg status file.
+description: |
+ List all packages installed on the system, both deb packages and "snaps".
+ The installed deb package information is fetched from the DPKG status file,
+ while the snap package list is fetched from the snap daemon through a UNIX
+ socket HTTP call (since detailed snap package information is not easily
+ in files).
+
+ The following columns are parsed from the DPKG status file:
+
+  - Package
+  - InstalledSize
+  - Version
+  - Source
+  - _Description
+  - Architecture
+
+ The following columns are parsed from the snap package response (/v2/snaps):
+
+ - Name
+ - _Summary
+ - _Description
+ - InstalledSize
+ - Publisher
+ - InstalledAt
+ - Version
+ - Channel
+
+ Both package sources provide more information than this and, and the artifact
+ can easily be modified to include more details.
+
 parameters:
   - name: linuxDpkgStatus
+    description: The DPKG status file to read deb package information from
     default: /var/lib/dpkg/status
+  - name: snapdSocket
+    description: |
+     The location of the snap deamon UNIX socket, used for fetching the snap
+     list through a HTTP API call. If snap is not used, the failed query
+     response will simply be ignored.
+    default: /run/snapd.socket
+
+precondition: |
+ SELECT OS
+ FROM info()
+ WHERE OS = 'linux'
+
 sources:
-  - precondition: |
-      SELECT OS From info() where OS = 'linux'
+  - name: DebPackages
+    notebook:
+      - type: none
+
     query: |
-        /* First pass - split file into records start with
-           Package and end with \n\n.
-
-           Then parse each record using multiple RegExs.
-        */
-        LET packages = SELECT parse_string_with_regex(
-            string=Record,
-            regex=['Package:\\s(?P<Package>.+)',
-                   'Installed-Size:\\s(?P<InstalledSize>.+)',
-                   'Version:\\s(?P<Version>.+)',
-                   'Source:\\s(?P<Source>.+)',
-                   'Architecture:\\s(?P<Architecture>.+)']) as Record
-            FROM parse_records_with_regex(
-                   file=linuxDpkgStatus,
-                   regex='(?sm)^(?P<Record>Package:.+?)\\n\\n')
-
-        SELECT Record.Package as Package,
-               atoi(string=Record.InstalledSize) as InstalledSize,
-               Record.Version as Version,
-               Record.Source as Source,
-               Record.Architecture as Architecture from packages
+     LET ColumnTypes <= dict(`_Description`='nobreak')
+
+     /* First pass - split file into records start with
+        Package and end with \n\n.
+        Then parse each record using multiple RegExs.
+     */
+     LET packages = SELECT parse_string_with_regex(
+         string=Record,
+         regex=['Package:\\s(?P<Package>.+)',
+                'Installed-Size:\\s(?P<InstalledSize>.+)',
+                'Version:\\s(?P<Version>.+)',
+                'Source:\\s(?P<Source>.+)',
+                '''Description:\s+(?P<Description>.+(\n\s+.+)*)''',
+                'Architecture:\\s(?P<Architecture>.+)']) AS Record
+     FROM parse_records_with_regex(file=linuxDpkgStatus,
+                                     regex='(?sm)^(?P<Record>Package:.+?)\\n\\n')
+
+     SELECT Record.Package AS Package,
+            humanize(bytes=atoi(string=Record.InstalledSize)) AS InstalledSize,
+            Record.Version AS Version,
+            Record.Source AS Source,
+            regex_replace(source=Record.Description,
+                          re='''^\s+\.$''') AS _Description,
+            Record.Architecture AS Architecture
+     FROM packages
+
+  - name: Snaps
+    query: |
+     LET ColumnTypes <= dict(`_Summary`='nobreak', `_Description`='nobreak')
+
+     LET SnapSocketCheck = SELECT
+         parse_json(data=Content).result AS Result
+       FROM http_client(url=snapdSocket + ':unix/v2/snaps')
+       WHERE Response = 200
+         OR NOT log(message="Error fetching snap: %v", args=Content)
+
+     SELECT * FROM foreach(
+         row=SnapSocketCheck,
+         query={
+           SELECT name AS Name,
+                  summary AS _Summary,
+                  description AS _Description,
+                  humanize(bytes=`installed-size`) AS InstalledSize,
+                  publisher.`display-name` AS Publisher,
+                  timestamp(string=`install-date`) AS InstalledAt,
+                  version AS Version,
+                  channel AS Channel,
+                  id AS PackageId
+           FROM foreach(row=Result)
+         })
+
+    notebook:
+      - type: vql
+        template: |
+          /*
+          ## Combined results
+          */
+          LET ColumnTypes <= dict(`_Description`='nobreak')
+
+          SELECT *
+          FROM chain(
+            debs={
+              SELECT Package AS Name,
+                     'deb' AS Type,
+                     InstalledSize,
+                     Version,
+                     _Description,
+                     Architecture
+              FROM source(artifact="Linux.Debian.Packages/DebPackages")
+            },
+            snaps={
+              SELECT Name,
+                     'snap' AS Type,
+                     InstalledSize,
+                     Version,
+                     _Description,
+                     NULL AS Architecture
+              FROM source(artifact="Linux.Debian.Packages/Snaps")
+            })
 
 
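Review bot: `humanize(bytes=atoi(string=Record.InstalledSize)) AS InstalledSize` in the DebPackages source turns the column from an integer into a formatted string, so any existing notebook or hunt that sorts or compares `InstalledSize` numerically now operates on text; the Snaps source has the same shape. If the numeric column is worth keeping, emit the number under the old name and add the readable form alongside, e.g. `humanize(bytes=atoi(string=Record.InstalledSize)) AS InstalledSizeHuman`. The description's list of snap columns omits `PackageId`, which the Snaps query also emits (`id AS PackageId`); add `- PackageId` to that list so the documented output matches the query. Two typos in the new text: "snap deamon" in the snapdSocket description should read "snap daemon", and "more information than this and, and the artifact" should read "more information than this, and the artifact".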
diff --git a/content/artifact_references/pages/linux.forensics.journal.md b/content/artifact_references/pages/linux.forensics.journal.md index 64a76a01bc4..2b31e20d121 100644 --- a/content/artifact_references/pages/linux.forensics.journal.md +++ b/content/artifact_references/pages/linux.forensics.journal.md @@ -11,7 +11,7 @@ store logs. You can read these logs using journalctl command: This artifact uses the Velociraptor Binary parser to parse the binary format. The format is documented -https://www.freedesktop.org/wiki/Software/systemd/journal-files/ +https://systemd.io/JOURNAL_FILE_FORMAT/

@@ -24,13 +24,14 @@ description: |
 
   This artifact uses the Velociraptor Binary parser to parse the
   binary format. The format is documented
-  https://www.freedesktop.org/wiki/Software/systemd/journal-files/
+  https://systemd.io/JOURNAL_FILE_FORMAT/
+
 
 parameters:
 - name: JournalGlob
   type: glob
   description: A Glob expression for finding journal files.
-  default: /run/log/journal/*/*.journal
+  default: /{run,var}/log/journal/*/*.journal
 
 - name: OnlyShowMessage
   type: bool
@@ -46,6 +47,22 @@ export: |
       ["Signature", 0, "String", {
           "length": 8,
       }],
+      ["compatible_flags", 8, uint32],
+      ["incompatible_flags", 12, Flags, {
+        type: uint32,
+        bitmap: {
+          COMPRESSED_XZ: 0,
+          COMPRESSED_LZ4: 1,
+          KEYED_HASH: 2,
+          COMPRESSED_ZSTD: 3,
+          COMPACT: 4,
+        }
+      }],
+      ["IsCompact", 12, BitField, {
+         type: uint32,
+         start_bit: 4,
+         end_bit: 5,
+      }],
       ["header_size", 88, "uint64"],
       ["arena_size", 96, "uint64"],
       ["n_objects", 144, uint64],
@@ -91,7 +108,7 @@ export: |
      }]
     ]],
     ["DataObject", 0, [
-      ["payload", 48, String]
+      ["payload", "x=>DataOffset",  String]
     ]],
 
     # This is basically a single log line -
@@ -100,17 +117,27 @@ export: |
       ["seqnum", 0, "uint64"],
       ["realtime", 8, "uint64"],
       ["monotonic", 16, "uint64"],
-      ["items", 48, Array, {
-          "type": EntryItem,
-          "count": 50,
-          "sentinel": "x=>x.object.payload = NULL",
+      ["_items", 48, Array, {
+         "type": EntryItem,
+         "count": 50,
+         "sentinel": "x=>NOT x.object",
+      }],
+      ["_items_compact", 48, Array, {
+         "type": CompatEntryItem,
+         "count": 50,
+         "sentinel": "x=>NOT x.object",
+      }],
+      ["items", 0, Value, {
+         value: "x=>if(condition=IsCompact, then=x._items_compact, else=x._items)",
       }]
     ]],
+
+    ["CompatEntryItem", 4, [
+       ["object", 0, uint32]
+    ]],
     ["EntryItem", 16, [
-     ["object", 0, "Pointer", {
-         "type": "ObjectHeader",
-     }],
-    ]]
+       ["object", 0, "uint64"],
+    ]],
     ]
     '''
 
@@ -123,18 +150,43 @@ export: |
          struct="Header").Objects)
       WHERE type = "OBJECT_ENTRY"
 
+
     -- Now parse the ObjectEntry in each offset
-    LET _ParseFile(File) = SELECT Offset,
+    LET _ParseFile(File) =
+      SELECT Offset,
         parse_binary(
          filename=File, profile=JournalProfile,
          struct="ObjectHeader", offset=Offset) AS Parsed
-    FROM Offsets(File=File)
+      FROM Offsets(File=File)
+
 
     -- Extract the timestamps and all the attributes
-    LET ParseFile(File) = SELECT File, Offset,
-       timestamp(epoch=Parsed.payload.realtime) AS Timestamp,
-       Parsed.payload.items.object.payload.payload AS Data
-    FROM _ParseFile(File=File)
+    LET ParseFile(File) = SELECT * FROM foreach(row={
+       -- If the file is compact the payload is shifted by 8 bytes.
+       SELECT parse_binary(
+          filename=File,
+          profile=JournalProfile,
+          struct="Header").IsCompact * 8 + 48 AS DataOffset,
+       parse_binary(
+          filename=File,
+          profile=JournalProfile,
+          struct="Header").IsCompact AS IsCompact
+       FROM scope()
+
+    }, query={
+      SELECT File, Offset,
+         timestamp(epoch=Parsed.payload.realtime) AS Timestamp,
+         {
+           SELECT parse_binary(
+              filename=File,
+              profile=JournalProfile,
+              struct="ObjectHeader",
+              offset=_value).payload.payload AS Line
+           FROM foreach(row=Parsed.payload.items.object)
+           WHERE Line
+        } AS Data
+      FROM _ParseFile(File=File)
+    })
 
 sources:
 - query: |
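Review bot: `ParseFile` parses the journal Header twice per file, once for `DataOffset` and once for `IsCompact`, when one parse would do; a small helper such as `LET _Header(File) = SELECT parse_binary(filename=File, profile=JournalProfile, struct="Header").IsCompact AS IsCompact FROM scope()` lets the row query become `SELECT IsCompact * 8 + 48 AS DataOffset, IsCompact FROM _Header(File=File)`. Worth a comment as well: `DataOffset` is not a local here, it is read by the profile's `DataObject.payload` field (`"x=>DataOffset"` in an earlier hunk of this file), so `_ParseFile`/`Offsets` only yield correct payloads when evaluated inside this foreach scope; a line like `-- DataOffset is consumed by the DataObject payload field in JournalProfile` above the row query would make that dependency visible. The `sources:` section that calls ParseFile begins at the hunk's last line and continues outside it.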
diff --git a/content/artifact_references/pages/linux.ssh.authorizedkeys.md b/content/artifact_references/pages/linux.ssh.authorizedkeys.md
index 2e0725ef8a2..6ee9e31a3f5 100644
--- a/content/artifact_references/pages/linux.ssh.authorizedkeys.md
+++ b/content/artifact_references/pages/linux.ssh.authorizedkeys.md
@@ -6,36 +6,83 @@ tags: [Client Artifact]
 
 Find and parse ssh authorized keys files.
 
+From `man authorized_keys`:
+
+`AUTHORIZED_KEYS FILE FORMAT`: Each line of the file contains one
+key (empty lines and lines starting with a ‘#’ are ignored as
+comments). Public keys consist of the following space-separated
+fields: options, keytype, base64-encoded key, comment. The options
+field is optional.
+
+
 

 name: Linux.Ssh.AuthorizedKeys
-description: Find and parse ssh authorized keys files.
+description: |
+  Find and parse ssh authorized keys files.
+
+  From `man authorized_keys`:
+
+  `AUTHORIZED_KEYS FILE FORMAT`: Each line of the file contains one
+  key (empty lines and lines starting with a ‘#’ are ignored as
+  comments). Public keys consist of the following space-separated
+  fields: options, keytype, base64-encoded key, comment. The options
+  field is optional.
+
 parameters:
   - name: sshKeyFiles
     default: '.ssh/authorized_keys*'
     description: Glob of authorized_keys file relative to a user's home directory.
+  - name: keyTypes
+    type: regex
+    description: A regex to identify supported key types
+    default: "sk-ecdsa-sha2-nistp256|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519|ssh-ed25519|ssh-dss|ssh-rsa"
+
+  - name: AlsoUpload
+    type: bool
+    description: Also upload the raw files for closer inspection.
 
 sources:
   - precondition: |
       SELECT OS From info() where OS = 'linux'
 
     query: |
+      -- Find all eligible files.
       LET authorized_keys = SELECT * from foreach(
           row={
              SELECT Uid, User, Homedir from Artifact.Linux.Sys.Users()
           },
           query={
-             SELECT OSPath, Mtime, Ctime, User, Uid
+             SELECT OSPath,
+                    if(condition=AlsoUpload, then=upload(file=OSPath)) AS _Upload,
+                    Mtime, Ctime, User, Uid
              FROM glob(root=Homedir, globs=sshKeyFiles)
+             WHERE log(message="Parsing file %v", args=OSPath, dedup=-1)
           })
 
-      SELECT * from foreach(
-          row=authorized_keys,
-          query={
-            SELECT Uid, User, OSPath, Key, Comment, Mtime
-            FROM split_records(
-               filenames=OSPath, regex=" +", columns=["Type", "Key", "Comment"])
-               WHERE Type =~ "ssh"
-          })
+      -- Split each line into parts considering possible quoting
+      LET Parse(OSPath) =
+         -- Pad a bit so index does not wrap.
+         SELECT ParseParts(Parts=commandline_split(command=Line, bash_style=TRUE) + ("", "", "", "", "")) AS Parsed
+         FROM parse_lines(filename=OSPath)
+         WHERE NOT Line =~ "^#" AND Parsed.keytype =~ keyTypes
+
+      -- The option may or may not be there - determine by the key regex
+      LET ParseParts(Parts) = if(condition= Parts[0] =~ keyTypes,
+        -- No options
+        then=dict(options="", keytype=Parts[0], base64key=Parts[1], comment=Parts[2] || ""),
+
+        -- The line has options
+        else=dict(options=ParseOptions(Opts=Parts[0]),
+                  keytype=Parts[1], base64key=Parts[2], comment=Parts[3] || ""))
+
+      -- Option can have value or just be bare
+      LET ParseOptions(Opts) = split(string=Opts, sep_string=",")
+
+      SELECT * FROM foreach(row=authorized_keys,
+      query={
+        SELECT Uid, User, OSPath, _Upload, *
+        FROM foreach(column="Parsed", row= Parse(OSPath=OSPath))
+      })
 
 
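Review bot: `ParseOptions(Opts) = split(string=Opts, sep_string=",")` splits the options field on every comma, but authorized_keys option values are quoted and may themselves contain commas (`from="10.0.0.0/8,192.168.0.0/16"`, `command="..."`, `environment="..."`), so such a line is reported with its restriction value broken across several option entries, which is exactly the field a reviewer of key restrictions needs intact. The quote handling that `commandline_split` gives the space-separated fields does not carry over to the comma-separated options; a regex-based split that ignores commas inside double quotes (for instance iterating `parse_string_with_regex` over one `name` or `name="value"` token at a time) keeps a value whole. Separately, `Parts[0] =~ keyTypes` is an unanchored match, so an options field whose quoted value happens to contain a key-type string (a `command="..."` mentioning `ssh-rsa`, say) is classified as having no options and the columns shift; anchoring the default regex with `^(...)$` would fix that, but would then have to spell out the `sk-ssh-ed25519@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com` and `*-cert-v01@openssh.com` forms explicitly, since the unanchored pattern currently matches those only as substrings.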
diff --git a/content/artifact_references/pages/linux.utils.installdeb.md b/content/artifact_references/pages/linux.utils.installdeb.md
new file mode 100644
index 00000000000..f1d90445963
--- /dev/null
+++ b/content/artifact_references/pages/linux.utils.installdeb.md
@@ -0,0 +1,193 @@
+---
+title: Linux.Utils.InstallDeb
+hidden: true
+tags: [Client Artifact]
+---
+
+Install a deb package and configure it with debconf answers. The package
+may either be specified by name or be an uploaded file. If the package
+already exists, it may be optionally reconfigured with debconf answers.
+
+

+name: Linux.Utils.InstallDeb
+author: Andreas Misje – @misje
+description: |
+   Install a deb package and configure it with debconf answers. The package
+   may either be specified by name or be an uploaded file. If the package
+   already exists, it may be optionally reconfigured with debconf answers.
+
+type: CLIENT
+
+required_permissions:
+   - EXECVE
+
+reference:
+   - https://manpages.debian.org/bookworm/debconf-doc/debconf-devel.7.en.html#Type
+
+parameters:
+   - name: DebName
+     description: |
+        Package to install (by name). Ignored if DebFile is set. An absolute path
+        to a deb file that already exists on the system is also accepted.
+
+   - name: DebFile
+     description: |
+        Package to install (by file). Remember to click "Upload"! When set,
+        DebName is ignored. Use DebName with an absolute file path if the
+        file already exists on the system and does not need to be uploaded.
+     type: upload
+
+   - name: UpdateSources
+     description: |
+        Run `apt-get update` before installing the package. This is not necessary
+        if the package has no dependencies, and it should be disabled if there
+        is no Internet.
+     type: bool
+     default: True
+
+   - name: ForceConfNew
+     type: bool
+     description: |
+        Use the configuration delivered by the package instead of keeping the
+        local changes.
+
+   - name: ReconfigureIfInstalled
+     type: bool
+     description: |
+        If the package is already installed, run pre-seed debconf and
+        `dpkg-reconfigure` instead.
+
+   - name: DebConfValues
+     type: csv
+     description: |
+        debconf is a system used by many packages for interactive configuration.
+        When using a non-interactive frontend (like this artifact), answers may
+        by provided as a "pre-seed" file. Example line:
+
+        "wireshark-common/install-setuid,boolean,false"
+     default: |
+        Key,Type,Value
+
+column_types:
+  - name: Stdout
+    type: nobreak
+
+  - name: Stderr
+    type: nobreak
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'linux'
+
+    query: |
+     LET Package <= if(
+         condition=DebFile,
+         then=tempfile(data=DebFile, extension='_amd64.deb'),
+         else=DebName)
+
+     /* The file name is lost from the uploaded file, so extract it from the
+        package instead: */
+     LET PackageInfo = SELECT Stdout
+       FROM execve(argv=['/usr/bin/dpkg-deb', '--field', Package, 'Package'])
+
+     LET PackageName = if(
+         condition=DebFile,
+         then=PackageInfo[0].Stdout[:-1], // remove "\n"
+         else=DebName)
+
+     /* The file format is "package_name question type answer": */
+     LET PreSeedLines = SELECT
+                               join(
+                                 sep=' ',
+                                 array=(PackageName, Key, Type, Value, )) AS Line
+       FROM DebConfValues
+
+     LET PreSeedFile <= tempfile(data=join(sep='\n', array=PreSeedLines.Line))
+
+     LET AptOpts <= ('-f', '-y', '-o', 'Debug::pkgProblemResolver=yes', '--no-install-recommends', ) + if(
+         condition=ForceConfNew,
+         then=('-o', 'Dpkg::Options::="--force-confnew"', ),
+         else=[])
+
+     LET PreSeed = SELECT
+                          'Pre-seed debconf' AS Step,
+                          *
+       FROM if(
+         condition=DebConfValues,
+         then={
+           SELECT *
+           FROM execve(argv=['/usr/bin/debconf-set-selections', PreSeedFile, ])
+           WHERE log(
+             message=format(
+               format='Pre-seeding %v',
+               args=[PackageName, ]),
+             level='INFO')
+         })
+
+     LET Install = SELECT *
+       FROM chain(
+         a_update={
+           SELECT
+                  'Update index' AS Step,
+                  *
+           FROM if(
+             condition=UpdateSources,
+             then={
+               SELECT *
+               FROM execve(argv=['/usr/bin/apt-get', '-y', 'update'])
+               WHERE log(
+                 message='Updating package index before installing',
+                 level='INFO')
+             })
+         },
+         b_debconf=PreSeed,
+         c_install={
+           SELECT
+                  'Installing package' AS Step,
+                  *
+           FROM execve(argv=('/usr/bin/apt-get', 'install', ) + AptOpts + (Package, ))
+           WHERE log(
+             message=format(
+               format='Installing deb package %v',
+               args=[PackageName, ]),
+             level='INFO')
+         })
+
+     LET IsInstalled = SELECT *
+       FROM stat(
+         filename=path_join(
+           components=('/var/lib/dpkg/info', PackageName + '.list')))
+       WHERE log(
+         message=format(
+           format='Package %v is already installed',
+           args=[PackageName, ]),
+         level='INFO')
+
+     SELECT *
+     FROM if(
+       condition=IsInstalled,
+       then=if(
+         condition=ReconfigureIfInstalled,
+         then={
+           SELECT *
+           FROM chain(
+             a_debconf=PreSeed,
+             b_reconfigure={
+               SELECT
+                      'Reconfiguring package' AS Step,
+                      *
+               FROM execve(argv=['/usr/sbin/dpkg-reconfigure', PackageName, ],
+                           env=dict(
+                             DEBIAN_FRONTEND='noninteractive'))
+               WHERE log(
+                 message=format(
+                   format='Reconfiguring deb package %v',
+                   args=[PackageName, ]),
+                 level='INFO')
+             })
+         }),
+       else=Install)
+
+
+
diff --git a/content/artifact_references/pages/notebooks.timelines.md b/content/artifact_references/pages/notebooks.timelines.md
new file mode 100644
index 00000000000..9542f1e6b25
--- /dev/null
+++ b/content/artifact_references/pages/notebooks.timelines.md
@@ -0,0 +1,67 @@
+---
+title: Notebooks.Timelines
+hidden: true
+tags: [notebook]
+---
+
+The notebook creates a default Super-Timeline.
+
+Timelines are used to visualize time series data from other
+collections in the same place. This notebook template creates an
+initial timeline.
+
+Once this timeline is created, you can add any time series table in
+other notebooks (e.g. Collection or Hunt notebooks) to this super
+timeline.
+
+
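Review bot: The `apt-get install` call in `c_install` does not set `DEBIAN_FRONTEND=noninteractive`, although the `dpkg-reconfigure` call in `b_reconfigure` does, so a package whose debconf questions were not covered by `DebConfValues` risks stalling on an interactive prompt that nothing can answer; pass the same environment there: `FROM execve(argv=('/usr/bin/apt-get', 'install', ) + AptOpts + (Package, ), env=dict(DEBIAN_FRONTEND='noninteractive'))`. Because execve() runs no shell, the double quotes in `'Dpkg::Options::="--force-confnew"'` reach apt literally instead of being stripped as they would be on a command line; unless apt removes them itself (worth verifying), dpkg is handed `"--force-confnew"` with the quotes and rejects it, so `'Dpkg::Options::=--force-confnew'` is the safer spelling. `DebName` is appended after the apt options without any validation, so a value beginning with `-` is parsed by apt as an option rather than a package name; rejecting such names before `Package` is built (for example a `WHERE NOT DebName =~ '^-'` guard, or an explicit log-and-stop) keeps the argv shape predictable. The whole artifact is inside this hunk.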

+name: Notebooks.Timelines
+description: |
+  The notebook creates a default Super-Timeline.
+
+  Timelines are used to visualize time series data from other
+  collections in the same place. This notebook template creates an
+  initial timeline.
+
+  Once this timeline is created, you can add any time series table in
+  other notebooks (e.g. Collection or Hunt notebooks) to this super
+  timeline.
+
+type: NOTEBOOK
+
+parameters:
+  - name: TimelineName
+    description: The name of the super timeline to create.
+    default: Supertimeline
+
+sources:
+  - notebook:
+      - type: markdown
+        template: |
+          # {{ Scope "TimelineName" }}
+
+          Add to this timeline any time-series data from any other
+          notebooks:
+
+          1. Click the `Add Timeline` button at the top of any table.
+          2. Switch to global notebook timelines and select this timeline.
+          3. Select the timestamp and message columns to add a timeline.
+
+          {{ Scope "TimelineName" | Timeline }}
+
+      - type: vql
+        template: |
+          /*
+          # Timeline Annotations
+
+          Refresh this to list all timeline annotations as a table.
+          */
+          SELECT *
+          FROM timeline(notebook_id=NotebookId,
+                        components="Annotation",
+                        timeline=TimelineName)
+          ORDER BY Timestamp
+
+
+ diff --git a/content/artifact_references/pages/server.import.artifactexchange.md b/content/artifact_references/pages/server.import.artifactexchange.md index 65032211823..b12f56dcc22 100644 --- a/content/artifact_references/pages/server.import.artifactexchange.md +++ b/content/artifact_references/pages/server.import.artifactexchange.md @@ -4,15 +4,55 @@ hidden: true tags: [Server Artifact] --- -This artifact will automatically import the latest -artifact exchange bundle into the current server. +This artifact will automatically import the latest artifact +exchange bundle into the current server. + +## Security note + +The artifact exchange is not officially supported by the +Velociraptor team and contains contributions from the +community. The quality, security and stability of artifacts from +the exchange is not guaranteed. Some artifacts from the exchange +will fetch external binaries and run them on your endpoints! These +binaries are not reviewed or endorsed by the Velociraptor team or +Rapid7! + +Contributions to the exchange must meet a lower quality bar than +built in artifacts (for example lacking tests), which means that +they may break at any time or not work as described! + +Collecting any of the artifacts in the exchange is purely at your +own risk!. + +We strongly suggest users review exchange artifacts carefully +before deploying them on their network!

 name: Server.Import.ArtifactExchange
 description: |
-   This artifact will automatically import the latest
-   artifact exchange bundle into the current server.
+   This artifact will automatically import the latest artifact
+   exchange bundle into the current server.
+
+   ## Security note
+
+   The artifact exchange is not officially supported by the
+   Velociraptor team and contains contributions from the
+   community. The quality, security and stability of artifacts from
+   the exchange is not guaranteed. Some artifacts from the exchange
+   will fetch external binaries and run them on your endpoints! These
+   binaries are not reviewed or endorsed by the Velociraptor team or
+   Rapid7!
+
+   Contributions to the exchange must meet a lower quality bar than
+   built in artifacts (for example lacking tests), which means that
+   they may break at any time or not work as described!
+
+   Collecting any of the artifacts in the exchange is purely at your
+   own risk!.
+
+   We strongly suggest users review exchange artifacts carefully
+   before deploying them on their network!
 
 type: SERVER
 
diff --git a/content/artifact_references/pages/server.internal.clientscheduled.md b/content/artifact_references/pages/server.internal.clientscheduled.md
new file mode 100644
index 00000000000..90fa56918a5
--- /dev/null
+++ b/content/artifact_references/pages/server.internal.clientscheduled.md
@@ -0,0 +1,24 @@
+---
+title: Server.Internal.ClientScheduled
+hidden: true
+tags: [Internal Artifact]
+---
+
+This event will be fired when a client was sent flows to process.
+
+
+

+name: Server.Internal.ClientScheduled
+description: |
+  This event will be fired when a client was sent flows to process.
+
+type: INTERNAL
+column_types:
+  - name: ClientId
+  - name: InFlightFlows
+    description: New flows scheduled for the client
+  - name: ClearFlows
+    description: If this is set we clear all in flight flows.
+
+
+ diff --git a/content/artifact_references/pages/server.internal.timelineadd.md b/content/artifact_references/pages/server.internal.timelineadd.md new file mode 100644 index 00000000000..70d93e02cfb --- /dev/null +++ b/content/artifact_references/pages/server.internal.timelineadd.md @@ -0,0 +1,29 @@ +--- +title: Server.Internal.TimelineAdd +hidden: true +tags: [Server Event Artifact] +--- + +This artifact will fire whenever a timeline is added to a super +timeline. You can use this to monitor for users adding timelines and +forward them to an external timeline system (e.g. TimeSketch) + + +

+name: Server.Internal.TimelineAdd
+type: SERVER_EVENT
+description: |
+  This artifact will fire whenever a timeline is added to a super
+  timeline. You can use this to monitor for users adding timelines and
+  forward them to an external timeline system (e.g. TimeSketch)
+
+column_types:
+  - name: NotebookId
+  - name: SuperTimelineName
+  - name: Timeline
+
+  # What type of event this is: can be Delete, AddTimeline
+  - name: Action
+
+
+ diff --git a/content/artifact_references/pages/server.internal.tooldependencies.md b/content/artifact_references/pages/server.internal.tooldependencies.md index 8538100eee3..e9889714e19 100644 --- a/content/artifact_references/pages/server.internal.tooldependencies.md +++ b/content/artifact_references/pages/server.internal.tooldependencies.md @@ -20,19 +20,19 @@ description: | tools: - name: VelociraptorWindows - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-amd64.exe + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-amd64.exe serve_locally: true - version: 0.72.3 + version: 0.73.0-rc1 - name: VelociraptorWindows_x86 - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-386.exe + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-386.exe serve_locally: true - version: 0.72.3 + version: 0.73.0-rc1 - name: VelociraptorLinux - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-linux-amd64-musl + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-linux-amd64-musl serve_locally: true - version: 0.72.3 + version: 0.73.0-rc1 # On MacOS we can not embed the config in the binary so we use a # shell script stub instead. See 
@@ -40,18 +40,18 @@ tools: # A Generic collector to be used with the --embedded_config flag. - name: VelociraptorCollector - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-collector + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-collector serve_locally: true - name: VelociraptorWindowsMSI - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-amd64.msi + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-amd64.msi serve_locally: true - version: 0.72.3 + version: 0.73.0-rc1 - name: VelociraptorWindows_x86MSI - url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-386.msi + url: https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.0-rc1-windows-386.msi serve_locally: true - version: 0.72.3 + version: 0.73.0-rc1
diff --git a/content/artifact_references/pages/server.monitor.health.md b/content/artifact_references/pages/server.monitor.health.md index 0b52e6cea21..7cb125c2fe9 100644 --- a/content/artifact_references/pages/server.monitor.health.md +++ b/content/artifact_references/pages/server.monitor.health.md @@ -43,7 +43,7 @@ reports: {{ define "CPU" }} SELECT _ts as Timestamp, CPUPercent, - MemoryUse / 1048576 AS MemoryUse, + int(int=MemoryUse / 1048576) AS MemoryUse_Mb, TotalFrontends FROM source(source="Prometheus", start_time=StartTime, end_time=EndTime, diff --git a/content/artifact_references/pages/server.monitoring.timesketchupload.md b/content/artifact_references/pages/server.monitoring.timesketchupload.md new file mode 100644 index 00000000000..72a2671277e --- /dev/null +++ b/content/artifact_references/pages/server.monitoring.timesketchupload.md @@ -0,0 +1,60 @@ +--- +title: Server.Monitoring.TimesketchUpload +hidden: true +tags: [Server Event Artifact] +--- + +This artifact will automatically upload any Velociraptor timelines to Timesketch. + + +
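Review bot: The new column name `MemoryUse_Mb` in the CPU report reads as megabits, while the divisor 1048576 converts bytes to mebibytes; `int(int=MemoryUse / 1048576) AS MemoryUseMB` (or `_MiB`) would match the unit. Renaming the column away from `MemoryUse` also changes the report's output schema, so anything in this template that consumed the old name needs the same rename; the rest of the report definition is outside the hunk.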

+name: Server.Monitoring.TimesketchUpload
+description: |
+  This artifact will automatically upload any Velociraptor timelines to Timesketch.
+
+
+type: SERVER_EVENT
+
+parameters:
+  - name: SketchRegex
+    description: |
+      Only upload Super timelines matching this regex to their
+      corresponding Sketches.
+    default: .
+
+  - name: TimelineRegex
+    default: .
+    description: |
+      Only upload Timelines with a name matching this regex to
+      Timesketch.
+
+  - name: TimesketchCLICommand
+    default: "timesketch"
+    description: |
+      The path to the timesketch cli binary. If you installed in a
+      virtual environment this will be inside that environment.
+
+required_permissions:
+  - EXECVE
+
+imports:
+  - Server.Utils.TimesketchUpload
+
+sources:
+  - query: |
+      SELECT * FROM foreach(row={
+         SELECT NotebookId, SuperTimelineName, Timeline
+         FROM watch_monitoring(artifact="Server.Internal.TimelineAdd")
+         WHERE Action = "AddTimeline"
+           AND SuperTimelineName =~ SketchRegex
+           AND Timeline =~ TimelineRegex
+      }, query={
+         SELECT * FROM ImportToTS(
+             SuperTimelineName=SuperTimelineName,
+             NotebookId=NotebookId,
+             TimelineName=Timeline,
+             SketchName=SuperTimelineName)
+      })
+
+
+ diff --git a/content/artifact_references/pages/server.utils.addtimeline.md b/content/artifact_references/pages/server.utils.addtimeline.md index 6e4697a23a0..e1cbad5c28f 100644 --- a/content/artifact_references/pages/server.utils.addtimeline.md +++ b/content/artifact_references/pages/server.utils.addtimeline.md @@ -24,6 +24,8 @@ parameters: description: A query that will be parsed and run. - name: Key description: Sort column for time + - name: MessageColumn + description: The name of the column to appear as the message - name: RemoveLimit description: If specified, we remove the limit clause before adding to the timeline. type: bool @@ -36,6 +38,7 @@ sources: notebook_id=NotebookId, timeline=Timeline, name=ChildName, + message_column=MessageColumn, query={ SELECT * FROM query(query=if(condition=RemoveLimit, then=regex_replace(re="(?i)LIMIT [0-9]+", replace="", source=Query), diff --git a/content/artifact_references/pages/server.utils.createcollector.md b/content/artifact_references/pages/server.utils.createcollector.md index 18080bb57c4..7f6d8fa8e8b 100644 --- a/content/artifact_references/pages/server.utils.createcollector.md +++ b/content/artifact_references/pages/server.utils.createcollector.md @@ -31,6 +31,8 @@ parameters: - Windows_x86 - Linux - MacOS + - MacOSArm + - Generic - name: artifacts description: A list of artifacts to collect @@ -101,6 +103,11 @@ parameters: type: int description: Compression level (0=no compression). + - name: opt_concurrency + default: "2" + type: int + description: Number of concurrency queries + - name: opt_format default: "jsonl" description: Output format (jsonl or csv) @@ -115,6 +122,11 @@ parameters: The filename to use. You can expand environment variables as well as the following %FQDN% and %TIMESTAMP%. + - name: opt_collector_filename + type: string + description: | + If used, this option overrides the default filename of the collector being built. + - name: opt_cpu_limit default: "0" type: int 
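Review bot: `SketchRegex` and `TimelineRegex` are matched with `=~` but are declared without `type: regex`, unlike the regex parameters elsewhere in this patch (e.g. `CreatorRegex` in Server.Utils.DeleteManyFlows); adding `type: regex` to both gives the GUI validation and makes the intent explicit. Because both default to `.`, the artifact runs the Timesketch importer on the server for every `AddTimeline` event from any notebook, so each timeline add by any notebook user triggers an `EXECVE` with that user's chosen timeline and super-timeline names as arguments; the description should state this so operators can narrow the regexes before enabling it. The names are passed as separate argv elements rather than through a shell, which limits the exposure to argument semantics of the importer rather than command injection, but that reasoning is inferred from the imported `ImportToTS` and is worth a sentence in the description.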
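Review bot: The description of the new `opt_concurrency` parameter, `Number of concurrency queries`, is unclear; `Number of queries the collector runs concurrently` says what the value controls. `opt_collector_filename`'s description should also say that a bare file name (no directory part) is expected, since the later hunk uses the value verbatim as the collector name.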
@@ -158,6 +170,7 @@ parameters: timeout=Timeout, password=pass[0].Pass, level=Level, + concurrency=Concurrency, format=Format, metadata=ContainerMetadata) @@ -336,6 +349,7 @@ parameters: timeout=Timeout, password=pass[0].Pass, level=Level, + concurrency=Concurrency, metadata=ContainerMetadata) LET _ <= if(condition=NOT Result[0].Upload.Path, @@ -400,9 +414,8 @@ sources: LET Target <= tool_name[0].Type // This is what we will call it. - LET CollectorName <= format( - format='Collector_%v', - args=inventory_get(tool=Target).Definition.filename) + LET CollectorName <= opt_collector_filename || + format(format='Collector_%v', args=inventory_get(tool=Target).Definition.filename) LET CollectionArtifact <= SELECT Value FROM switch( a = { SELECT CommonCollections + StandardCollection AS Value @@ -462,6 +475,7 @@ sources: type="json" ), dict(name="Level", default=opt_level, type="int"), + dict(name="Concurrency", default=opt_concurrency, type="int"), dict(name="Format", default=opt_format), dict(name="OutputPrefix", default=opt_output_directory), dict(name="FilenameTemplate", default=opt_filename_template), diff --git a/content/artifact_references/pages/server.utils.createmsi.md b/content/artifact_references/pages/server.utils.createmsi.md index 67cd43962e8..b491458f2dc 100644 --- a/content/artifact_references/pages/server.utils.createmsi.md +++ b/content/artifact_references/pages/server.utils.createmsi.md @@ -6,27 +6,52 @@ tags: [Server Artifact] Build an MSI ready for deployment in the current org. +This artifact depends on the following tools: + +* +* + +You can replace those with suitable MSI builds. +
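Review bot: In the `@@ -400` hunk `opt_collector_filename` is assigned to `CollectorName` without any validation, and that value is user input from the parameter form. If `CollectorName` is later used as the upload or output file name (that code is outside the hunk), a value containing path separators would pass straight through; reducing it to a base name, e.g. `LET CollectorName <= basename(path=opt_collector_filename) || format(...)`, or rejecting values that contain `/` or `\` would close that off. The `||` fallback also means an empty string falls back to the generated name, which is probably intended but worth a comment.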

 name: Server.Utils.CreateMSI
 description: |
   Build an MSI ready for deployment in the current org.
 
+  This artifact depends on the following tools:
+
+  * <velo-tool-viewer name="VelociraptorWindowsMSI" />
+  * <velo-tool-viewer name="VelociraptorWindows_x86MSI" />
+
+  You can replace those with suitable MSI builds.
+
 type: SERVER
 
 parameters:
+  - name: CustomConfig
+    description: Supply a custom client config instead of using the one from the current org
+    type: yaml
   - name: AlsoBuild_x86
     description: Also build 32 bit MSI for deployment.
     type: bool
 
 sources:
 - query: |
+    LET ValidateConfig(Config) = Config.Client.server_urls
+          AND Config.Client.ca_certificate =~ "(?ms)-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE-----"
+          AND Config.Client.nonce
+
+    LET client_config <= if(condition=ValidateConfig(Config=CustomConfig),
+                         then=CustomConfig,
+                         else=org()._client_config)
+
     LET Build(Target) = repack(
         upload_name=format(
           format='Org_%v_%v',
           args=[org().name, inventory_get(tool=Target).Definition.filename]),
         target=Target,
-        config=serialize(format='yaml', item=org()._client_config))
+        config=serialize(format='yaml', item=client_config))
 
     SELECT * FROM chain(a={
        SELECT Build(Target="VelociraptorWindowsMSI") FROM scope()
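Review bot: When `CustomConfig` is supplied but fails `ValidateConfig`, the `client_config` assignment silently falls back to `org()._client_config`, so the operator gets an MSI carrying the org's config while believing their custom one was embedded. A one-line warning before the assignment makes this visible: `LET _ <= if(condition=CustomConfig AND NOT ValidateConfig(Config=CustomConfig), then=log(message="CustomConfig failed validation; using the org client config", level="WARN"))`. The check itself only tests that `server_urls` and `nonce` are non-empty and that `ca_certificate` looks PEM-shaped, which is a sanity check rather than a guarantee the MSI will connect; the description could say so.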
diff --git a/content/artifact_references/pages/server.utils.deletemanyflows.md b/content/artifact_references/pages/server.utils.deletemanyflows.md
index 911c34600cf..16b8957e0c0 100644
--- a/content/artifact_references/pages/server.utils.deletemanyflows.md
+++ b/content/artifact_references/pages/server.utils.deletemanyflows.md
@@ -41,17 +41,17 @@ parameters:
      description: Only select flows created before this date. If not set we choose all flows.
      type: timestamp
    - name: CreatorRegex
-     default: "H\\..+"
+     default: "."
      type: regex
      description: |
-       Match flows created by this user (e.g. hunts all start with "H.")
+       Match flows created by this user.
    - name: ReallyDoIt
      type: bool
      description: Does not delete until you press the ReallyDoIt button!
 
 sources:
   - query: |
-        LET DateBefore <= DateBefore || now()
+        LET DateBefore <= DateBefore || timestamp(epoch=now())
         LET hits = SELECT * FROM foreach(row={
             SELECT client_id,
                    os_info.hostname AS hostname
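Review bot: Changing the `CreatorRegex` default from `H\\..+` to `.` means the default selection is no longer "hunt flows only" but flows from every creator, and with `DateBefore` defaulting to now() the default set is every flow on the matched clients; the parameter description should say that, e.g. `Match flows created by this user. The default matches flows from all creators.` The `ReallyDoIt` button is then the only guard against a mass deletion, so a mention of the widened default in the artifact description is worth adding too. The `hits` query continues outside the hunk.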
diff --git a/content/artifact_references/pages/server.utils.timesketchupload.md b/content/artifact_references/pages/server.utils.timesketchupload.md
new file mode 100644
index 00000000000..8b4ef842fed
--- /dev/null
+++ b/content/artifact_references/pages/server.utils.timesketchupload.md
@@ -0,0 +1,157 @@
+---
+title: Server.Utils.TimesketchUpload
+hidden: true
+tags: [Server Artifact]
+---
+
+Timesketch is an interactive collaborative timeline analysis tool
+that can be found at https://timesketch.org/
+
+This artifact uploads Velociraptor's timelines to Timesketch using
+the Timesketch client library. The artifact assumes the client
+library is installed and configured on the server.
+
+To install the Timesketch client library:
+```
+pip install timesketch-import-client timesketch-cli-client
+```
+
+To configure the client library to access your Timesketch instance
+see instructions https://timesketch.org/guides/user/cli-client/ and
+https://timesketch.org/guides/user/upload-data/
+
+This artifact assumes that the timesketch CLI is preconfigured with
+the correct credentials in the `.timesketchrc` file.
+
+
+

+name: Server.Utils.TimesketchUpload
+description: |
+  Timesketch is an interactive collaborative timeline analysis tool
+  that can be found at https://timesketch.org/
+
+  This artifact uploads Velociraptor's timelines to Timesketch using
+  the Timesketch client library. The artifact assumes the client
+  library is installed and configured on the server.
+
+  To install the Timesketch client library:
+  ```
+  pip install timesketch-import-client timesketch-cli-client
+  ```
+
+  To configure the client library to access your Timesketch instance
+  see instructions https://timesketch.org/guides/user/cli-client/ and
+  https://timesketch.org/guides/user/upload-data/
+
+  This artifact assumes that the timesketch CLI is preconfigured with
+  the correct credentials in the `.timesketchrc` file.
+
+required_permissions:
+  - EXECVE
+
+parameters:
+  - name: NotebookId
+    description: The notebook ID that contains the super timeline
+  - name: SuperTimeline
+    description: The name of the super timeline
+  - name: Timeline
+    description: The name of the timeline within the super timeline.
+  - name: TimesketchCLICommand
+    default: "timesketch"
+    description: |
+      The path to the timesketch cli binary. If you installed in a
+      virtual environment this will be inside that environment.
+
+type: SERVER
+
+export: |
+  LET timesketch_import_command = TimesketchCLICommand + "_importer"
+
+  -- The uploader tool can create a new "Sketch" but if we want to
+  -- just add a timeline to an existing sketch we need to specify the
+  -- ID. This function finds the ID for the specified Sketch if it
+  -- exists. NOTE that you can have multiple Sketches with the same
+  -- name! We pick the first.
+  LET GetIdToSketch(Sketch) = SELECT * FROM foreach(row={
+    SELECT Stdout
+      FROM execve(
+          argv=[TimesketchCLICommand, "--output-format",
+              "json", "sketch", "list"], length=10000)
+  }, query={
+    SELECT * FROM parse_json_array(data=Stdout)
+  })
+  WHERE name = Sketch
+
+  -- Enumerate all the timelines in a super timeline
+  LET _GetAllTimelines(SuperTimelineName, NotebookId) = SELECT *
+   FROM foreach(row={
+     SELECT *
+     FROM timelines(notebook_id=NotebookId)
+     WHERE name = SuperTimelineName
+  }, query={ SELECT * FROM timelines })
+
+  LET _GetTimelineMetdata(SuperTimelineName, NotebookId, TimelineName) =
+  SELECT * FROM _GetAllTimelines(
+      SuperTimelineName=SuperTimelineName, NotebookId=NotebookId)
+  WHERE Id = TimelineName
+
+  -- Gets the metadata of a named timeline
+  LET GetTimelineMetdata(SuperTimelineName, NotebookId, TimelineName) =
+     _GetTimelineMetdata(SuperTimelineName= SuperTimelineName,
+                         NotebookId = NotebookId,
+                         TimelineName=TimelineName)[0]
+
+  -- Timesketch insists the file have the .csv extension.
+  LET tmp <= tempfile(extension=".csv")
+
+  -- We copy the timeline to a temp csv file then upload that. This
+  -- might seem inefficient but timesketch is written in python so it
+  -- is already very slow. The extra tempfile does not make much
+  -- difference in practice.
+  LET WriteTmpFile(NotebookId, SuperTimelineName, TimelineName) =
+       SELECT count() AS Count
+       FROM write_csv(filename=tmp, query={
+          SELECT Timestamp as timestamp, Message as message, *
+          FROM timeline(notebook_id=NotebookId, timeline=SuperTimelineName,
+                        components=TimelineName)
+       })
+       GROUP BY 1
+
+  LET ImportToTS(SuperTimelineName, NotebookId, TimelineName, SketchName) =
+  SELECT * FROM chain(a={
+     SELECT format(format="Exporting %v rows to %v", args=[WriteTmpFile(
+       NotebookId=NotebookId, SuperTimelineName=SuperTimelineName,
+       TimelineName=TimelineName)[0].Count, tmp]) AS Stdout
+     FROM scope()
+  }, c={
+    SELECT * FROM foreach(row={
+
+      -- This is unfortunately slow and unnecessary but Timesketch
+      -- does not have a flag that just says - add timeline to
+      -- existing sketch. So we have to type to find the sketch ID
+      -- first.
+      SELECT GetIdToSketch(Sketch=SketchName)[0].id || 0 AS SketchID
+      FROM scope()
+
+    }, query={
+
+      -- Launch the import library and display the output.
+      SELECT Stdout, Stderr, SketchID,
+             SketchName, TimelineName
+      FROM execve(argv=[timesketch_import_command, "--sketch_name",
+                        SketchName, "--sketch_id", SketchID,
+                        "--timeline_name", TimelineName,
+                        tmp], sep="\n")
+    })
+  })
+
+sources:
+  - query: |
+      SELECT * FROM ImportToTS(
+         SuperTimelineName=SuperTimelineName,
+         NotebookId=NotebookId,
+         TimelineName=TimelineName,
+         SketchName=SketchName)
+
+
+ diff --git a/content/artifact_references/pages/windows.carving.usn.md b/content/artifact_references/pages/windows.carving.usn.md index 29dd872ce09..3c2b0ee0226 100644 --- a/content/artifact_references/pages/windows.carving.usn.md +++ b/content/artifact_references/pages/windows.carving.usn.md @@ -65,9 +65,16 @@ description: | Windows.Carving.USNFiles artifact instead. parameters: - - name: DriveToScan + - name: Device default: "C:" - - name: FileRegex + description: The NTFS drive to carve + - name: MFTFile + description: Alternatively provide an MFTFile to use for resolving paths. + - name: USNFile + description: Alternatively provide a previously extracted USN file to carve or an image file. + - name: Accessor + description: The accessor to use. + - name: FileNameRegex description: "Regex search over File Name" default: "." type: regex 
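Review bot: The `sources` query at the end of the hunk passes `SuperTimelineName`, `TimelineName` and `SketchName`, but the declared parameters are `SuperTimeline` and `Timeline` and there is no `SketchName` parameter, so collecting this artifact directly sends NULLs to `ImportToTS`. Use the declared names, e.g. `SuperTimelineName=SuperTimeline, TimelineName=Timeline, SketchName=SuperTimeline` (Server.Monitoring.TimesketchUpload also uses the super timeline name as the sketch name), or add a `SketchName` parameter. In the export, `LET tmp <= tempfile(extension=".csv")` is one file shared by every `ImportToTS` call in the scope, so two imports running at the same time would overwrite each other's CSV before the importer reads it, and `execve(..., length=10000)` for `sketch list` truncates the JSON on servers with many sketches, after which `parse_json_array` yields nothing and `|| 0` silently sends `--sketch_id 0`. `GetTimelineMetdata`/`_GetTimelineMetdata` look like typos for `Metadata` and neither is used in this artifact.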
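Review bot: Renaming the parameters `DriveToScan` to `Device` and `FileRegex` to `FileNameRegex` breaks any saved hunt, scheduled collection or notebook query that passes the old names, since unknown parameters are dropped rather than mapped. Either keep the old names as documented aliases or call the rename out in the description so operators know to update existing collections. The `Accessor` parameter has no default, which matters for the later hunk where it is passed straight to `carve_usn`.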
@@ -78,102 +85,6 @@ parameters: type: timestamp description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ" -export: | - -- Profile to parse the USN record - LET USNProfile = '''[ - ["USN_RECORD_V2", 4, [ - ["RecordLength", 0, "unsigned long"], - ["MajorVersion", 4, "unsigned short"], - ["MinorVersion", 6, "unsigned short"], - ["FileReferenceNumberSequence", 8, "BitField", { - "type": "unsigned long long", - "start_bit": 48, - "end_bit": 63 - }], - ["FileReferenceNumberID", 8, "BitField", { - "type": "unsigned long long", - "start_bit": 0, - "end_bit": 48 - }], - ["ParentFileReferenceNumberSequence", 16, "BitField", { - "type": "unsigned long long", - "start_bit": 48, - "end_bit": 63 - }], - ["ParentFileReferenceNumberID", 16, "BitField", { - "type": "unsigned long long", - "start_bit": 0, - "end_bit": 48 - }], - - ["Usn", 24, "unsigned long long"], - ["TimeStamp", 32, "WinFileTime"], - ["Reason", 40, "Flags", { - "type": "unsigned long", - "bitmap": { - "DATA_OVERWRITE": 0, - "DATA_EXTEND": 1, - "DATA_TRUNCATION": 2, - "NAMED_DATA_OVERWRITE": 4, - "NAMED_DATA_EXTEND": 5, - "NAMED_DATA_TRUNCATION": 6, - "FILE_CREATE": 8, - "FILE_DELETE": 9, - "EA_CHANGE": 10, - "SECURITY_CHANGE": 11, - "RENAME_OLD_NAME": 12, - "RENAME_NEW_NAME": 13, - "INDEXABLE_CHANGE": 14, - "BASIC_INFO_CHANGE": 15, - "HARD_LINK_CHANGE": 16, - "COMPRESSION_CHANGE": 17, - "ENCRYPTION_CHANGE": 18, - "OBJECT_ID_CHANGE": 19, - "REPARSE_POINT_CHANGE": 20, - "STREAM_CHANGE": 21, - "CLOSE": 31 - } - }], - ["SourceInfo", 44, "Flags", { - "type": "unsigned long", - "bitmap": { - "DATA_MANAGEMENT": 0, - "AUXILIARY_DATA": 1, - "REPLICATION_MANAGEMENT": 2 - } - }], - ["SecurityId", 48, "unsigned long"], - ["FileAttributes", 52, "Flags", { - "type": "unsigned long", - "bitmap": { - "READONLY": 0, - "HIDDEN": 1, - "SYSTEM": 2, - "DIRECTORY": 4, - "ARCHIVE": 5, - "DEVICE": 6, - "NORMAL": 7, - "TEMPORARY": 8, - "SPARSE_FILE": 9, - "REPARSE_POINT": 10, - "COMPRESSED": 11, - "OFFLINE": 12, - 
"NOT_CONTENT_INDEXED": 13, - "ENCRYPTED": 14, - "INTEGRITY_STREAM": 15, - "VIRTUAL": 16, - "NO_SCRUB_DATA": 17 - } - }], - ["FileNameLength", 56, "unsigned short"], - ["FileNameOffset", 58, "unsigned short"], - ["Filename", "x=>x.FileNameOffset", "String", { - encoding: "utf16", - length: "x=>x.FileNameLength", - }] - ]]] - ''' - sources: - precondition: SELECT OS From info() where OS = 'windows' 
@@ -185,44 +96,51 @@ sources: LET DateBeforeTime <= if(condition=DateBefore, then=DateBefore, else="2200-01-01") - LET Device <= '''\\.\''' + DriveToScan - - -- This rule performs an initial reduction for speed, then we - -- reduce further using other conditions. - LET YaraRule = '''rule X { - strings: - // First byte is the record length < 255 second byte should be 0-1 (0-512 bytes per record) - // Version Major and Minor must be 2 and 0 - // D7 01 is the ending of a reasonable WinFileTime - // Name Offset and Name Length are short ints but should be < 255 - $a = { ?? (00 | 01) 00 00 02 00 00 00 [24] ?? ?? ?? ?? ?? ?? D? 01 [16] ?? 00 3c 00 } - condition: - any of them - } - ''' - - -- Find all the records in the drive. - LET Hits = SELECT String.Offset AS Offset, parse_binary( - filename=Device, accessor="ntfs", struct="USN_RECORD_V2", - profile=USNProfile, offset=String.Offset) AS _Parsed - FROM yara(files=Device, accessor="ntfs", rules=YaraRule, number=200000000) - WHERE _Parsed.RecordLength > 60 AND // Record must be at least 60 bytes - _Parsed.FileNameLength > 3 AND _Parsed.FileNameLength < 100 - - LET FlatHits = SELECT Offset, _Parsed.TimeStamp AS TimeStamp, _Parsed.Filename AS Name, - _Parsed.FileReferenceNumberID AS MFTId, - parse_ntfs(device=Device, mft=_Parsed.FileReferenceNumberID) AS MFTEntry, - _Parsed.ParentFileReferenceNumberID AS ParentMFTId, - _Parsed.Reason AS Reason - FROM Hits - WHERE Name =~ FileRegex AND - TimeStamp < DateBeforeTime AND - TimeStamp > DateAfterTime - - SELECT Offset, TimeStamp, Name, MFTId, - MFTEntry.OSPath AS OSPath, - ParentMFTId, Reason - FROM FlatHits + -- If the user specified an MFTFile then ignore the device + LET Device <= if(condition=MFTFile OR USNFile, then=NULL, + else=if(condition=Device, + then=pathspec(parse=Device, path_type="ntfs"))) + + LET Parse(MFT, USN, Accessor) = SELECT * + FROM carve_usn(accessor=Accessor, + mft_filename=MFT, usn_filename=USN) + WHERE Filename =~ FileNameRegex + AND Timestamp < 
DateBeforeTime + AND Timestamp > DateAfterTime + + SELECT * + FROM if(condition=Device, then={ + SELECT Timestamp, + Filename, + Device + OSPath AS OSPath, + _Links, + Reason, + _FileMFTID as MFTId, + _FileMFTSequence as Sequence, + _ParentMFTID as ParentMFTId, + _ParentMFTSequence as ParentSequence, + FileAttributes, + SourceInfo, + Usn + FROM Parse(Accessor="ntfs", + MFT=Device + "$MFT", + USN=Device) + }, else={ + SELECT Timestamp, + Filename, + OSPath, + _Links, + Reason, + _FileMFTID as MFTId, + _FileMFTSequence as Sequence, + _ParentMFTID as ParentMFTId, + _ParentMFTSequence as ParentSequence, + FileAttributes, + SourceInfo, + Usn + FROM Parse(Accessor=Accessor, + MFT=MFTFile, USN=USNFile) + })
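Review bot: In the `else` branch `Parse(Accessor=Accessor, MFT=MFTFile, USN=USNFile)` receives a NULL accessor whenever the user supplies `MFTFile`/`USNFile` without also setting `Accessor`, because the parameter has no default; `default: auto` on the `Accessor` parameter (or `Accessor=Accessor || "auto"` here) would make the image-file path work out of the box. The `Device + OSPath AS OSPath` and `MFT=Device + "$MFT"` expressions rely on pathspec concatenation semantics; a short comment saying that `Device` is an ntfs pathspec and `+` appends a component would help the next reader, if that is indeed how it resolves.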
diff --git a/content/artifact_references/pages/windows.eventlogs.evtxhunter.md b/content/artifact_references/pages/windows.eventlogs.evtxhunter.md index bd99da09f79..16f7687c2e0 100644 --- a/content/artifact_references/pages/windows.eventlogs.evtxhunter.md +++ b/content/artifact_references/pages/windows.eventlogs.evtxhunter.md @@ -103,6 +103,9 @@ parameters: type: timestamp description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ" +imports: + - Windows.Sys.AllUsers + sources: - query: | LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge @@ -131,7 +134,7 @@ sources: System.EventID.Value as EventID, System.EventRecordID as EventRecordID, System.Security.UserID as UserSID, - lookupSID(sid=System.Security.UserID) as Username, + LookupSIDCache(SID=System.Security.UserID || "") AS Username, get(field="EventData") as EventData, get(field="UserData") as UserData, get(field="Message") as Message, diff --git a/content/artifact_references/pages/windows.forensics.rdpcache.md b/content/artifact_references/pages/windows.forensics.rdpcache.md index f5e19d0bac5..ffcae3d2e4b 100644 --- a/content/artifact_references/pages/windows.forensics.rdpcache.md +++ b/content/artifact_references/pages/windows.forensics.rdpcache.md @@ -4,32 +4,36 @@ hidden: true tags: [Client Artifact] --- -This artifact views and enables simplified upload of RDP +This artifact parses, views and enables simplified upload of RDP cache files. +By default the artifact will parse .BIN RDPcache files. + Filters include User regex to target a user and Accessor to target vss via ntfs_vss. Best combined with: -- Windows.EventLogs.RDPAuth to collect RDP focused event logs. -- Windows.Registry.RDP to collect user RDP mru and server info + - Windows.EventLogs.RDPAuth to collect RDP focused event logs. + - Windows.Registry.RDP to collect user RDP mru and server info

 name: Windows.Forensics.RDPCache
 author: Matt Green - @mgreen27
 description: |
-   This artifact views and enables simplified upload of RDP 
-   cache files. 
-   
-   Filters include User regex to target a user and Accessor to target
-   vss via ntfs_vss.
-
-   Best combined with:
-
-   - Windows.EventLogs.RDPAuth to collect RDP focused event logs.
-   - Windows.Registry.RDP to collect user RDP mru and server info
+    This artifact parses, views and enables simplified upload of RDP 
+    cache files. 
+    
+    By default the artifact will parse .BIN RDPcache files.
+       
+    Filters include User regex to target a user and Accessor to target
+    vss via ntfs_vss.
+    
+    Best combined with:
+    
+       - Windows.EventLogs.RDPAuth to collect RDP focused event logs.
+       - Windows.Registry.RDP to collect user RDP mru and server info
 
 reference:
    - https://github.com/ANSSI-FR/bmc-tools
@@ -44,20 +48,143 @@ parameters:
      default: .
      description: Regex filter of user to target. StartOf(^) and EndOf($)) regex may behave unexpectanly.
      type: regex
+   - name: ParseCache
+     description: If selected will parse .BIN RDPcache files.
+     type: bool
+   - name: Workers
+     default: 100
+     type: int
+     description: Number of workers to use for ParseCache
    - name: UploadRDPCache
+     description: If selected will upload raw cache files. Can be used for offline processing/preservation.
      type: bool
 
 sources:
-  - query: |
+  - name: TargetFiles
+    description: RDP BitmapCache files in scope. 
+    query: |
       LET results = SELECT OSPath, Size, Mtime, Atime, Ctime, Btime
         FROM glob(globs=RDPCacheGlob,accessor=Accessor)
         WHERE OSPath =~ UserRegex
-      
+        
       LET upload_results = SELECT *, upload(file=OSPath) as CacheUpload
         FROM results
-      
+    
       SELECT * FROM if(condition= UploadRDPCache,
         then= upload_results,
         else= results )
+        
+  - name: Parsed
+    description: Parsed RDP BitmapCache files. 
+    query: |
+      LET PROFILE = '''[
+        ["BIN_CONTAINER", 0, [
+            [Magic, 0, String, {length: 8, term_hex : "FFFFFF" }],
+            [Version, 8, uint32],
+            [CachedFiles, 12, Array, {
+                "type": "rgb32b",
+                "count": 10000,
+                "max_count": 2000,
+                "sentinel": "x=>x.__Size < 15",
+            }],
+        ]],
+        ["rgb32b","x=>x.__Size",[
+            [__key1, 0, uint32],
+            [__key1, 4, uint32],
+            ["Width", 8, "uint16"],
+            ["Height", 10, "uint16"],
+            [DataLength, 0, Value,{ value: "x=> 4 * x.Width * x.Height"}],
+            [DataOffset, 0, Value,{ "value": "x=>x.StartOf + 12"}],
+            ["__Size", 0, Value,{ "value": "x=>x.DataLength + 12"}],
+            ["Index", 0, Value,{ "value": "x=>count() - 1 "}],
+        ]]]'''
+        
+      LET parse_rgb32b(data) = SELECT
+            _value  as Offset,
+            _value + 3 as EndOffset,
+            len(list=data) as Length,
+            data[(_value):(_value + 3)] + unhex(string="FF") as Buffer
+        FROM range(step=4,end=len(list=data))
+        
+      LET fix_bmp(data) = SELECT 
+            _value  as Offset,
+            _value + 255 as EndOffset,
+            join(array=data[ (_value):(_value + 256 ) ],sep='') as Buffer
+        FROM range(step=256, end= len(list=data) )
+        ORDER BY Offset DESC
+        
+      LET parse_container = SELECT * OSPath,Name,Size as FileSize,
+            read_file(filename=OSPath,length=12) as Header,
+            parse_binary(filename=OSPath,profile=PROFILE,struct='BIN_CONTAINER') as Parsed
+        FROM foreach(row={
+            SELECT * FROM glob(globs=RDPCacheGlob,accessor=Accessor) 
+            WHERE OSPath =~ '\.bin$'
+                AND OSPath =~ UserRegex
+                AND NOT IsDir
+        })
+        
+      LET find_index_differential = SELECT *, 0 - Parsed.CachedFiles.Index[0] as IndexDif
+        FROM parse_container
+      
+      LET parse_cache = SELECT * FROM foreach(row=find_index_differential, query={
+        SELECT OSPath, IndexDif,
+            OSPath.Dirname + ( OSPath.Basename + '_' + format(format='%04v',args= Index + IndexDif ) + '.bmp' ) as BmpName,
+            FileSize,Header,Width,Height,DataLength,DataOffset
+        FROM foreach(row=Parsed.CachedFiles)
+      })
+      
+      LET extract_data = SELECT *
+        FROM foreach(row=parse_cache,query={
+            SELECT
+                OSPath,BmpName,FileSize,Header,Width,Height,DataLength,DataOffset,
+                join(array=parse_rgb32b(data=read_file(filename=OSPath,offset=DataOffset,length=DataLength)).Buffer,sep='') as Data 
+            FROM scope()
+        }, workers=Workers)
+      
+      -- change endianess for unint32
+      LET pack_lt_l(data) = unhex(string=join(array=[ 
+        format(format='%02x',args=unhex(string=format(format='%08x',args=data))[3]), 
+        format(format='%02x',args=unhex(string=format(format='%08x',args=data))[2]),
+        format(format='%02x',args=unhex(string=format(format='%08x',args=data))[1]),
+        format(format='%02x',args=unhex(string=format(format='%08x',args=data))[0]) 
+            ],sep=''))
+            
+      -- build bmp file, adding appropriate header
+      LET build_bmp(data,width,height) = join(array=[ 
+                "BM",
+                pack_lt_l(data=len(list=data) + 122),
+                unhex(string="000000007A0000006C000000"),
+                pack_lt_l(data=width),
+                pack_lt_l(data=height),
+                unhex(string="0100200003000000"),
+                pack_lt_l(data=len(list=data)),
+                unhex(string="000000000000000000000000000000000000FF0000FF0000FF000000000000FF"),
+                " niW",
+                unhex(string="00" * 36),
+                unhex(string="000000000000000000000000"),
+                data 
+            ], sep='')
+        
+        SELECT * FROM if(condition= ParseCache,
+            then={
+                SELECT 
+                    BmpName, Header, Width, Height, DataLength, DataOffset,
+                    upload(
+                        file=build_bmp(data=join(array=fix_bmp(data=Data).Buffer,sep=''), 
+                        width=Width, height=Height),
+                        name=BmpName,
+                        accessor='data' ) as BmpUpload,
+                    OSPath as SourceFile
+                FROM extract_data
+                ORDER BY BmpName
+            }, 
+            else= Null )
+            
+      
+column_types:
+  - name: BmpUpload
+    type: upload_preview
+  - name: CacheUpload
+    type: upload_preview
 
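Review bot: The Parsed source globs with `accessor=Accessor` but the reads that follow do not: `read_file(filename=OSPath,length=12) as Header,` and `parse_binary(filename=OSPath,profile=PROFILE,struct='BIN_CONTAINER') as Parsed` in parse_container, and `read_file(filename=OSPath,offset=DataOffset,length=DataLength)` in extract_data, all omit `accessor=Accessor`, so when Accessor is set to ntfs_vss (the use case the description names) the VSS paths returned by glob would be opened with the default accessor instead; adding `accessor=Accessor` to those three calls keeps the two sources consistent. Separately, the rgb32b struct declares two fields named `__key1` (offsets 0 and 4); if both are intended, the second needs a distinct name. The CachedFiles array also sets `"count": 10000` next to `"max_count": 2000`, so a cache file with more than 2000 entries would presumably be truncated silently — worth a comment or a matching limit.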
diff --git a/content/artifact_references/pages/windows.forensics.shellbags.md b/content/artifact_references/pages/windows.forensics.shellbags.md index be97ba25ec3..b3d876fcecb 100644 --- a/content/artifact_references/pages/windows.forensics.shellbags.md +++ b/content/artifact_references/pages/windows.forensics.shellbags.md @@ -56,7 +56,7 @@ sources: root=pathspec(DelegatePath=HivePath), globs=KeyGlob, accessor="raw_reg") - WHERE Data.type =~ "BINARY" AND OSPath.Path =~ "[0-9]\\\\@$" + WHERE Data.type =~ "BINARY" AND OSPath.Basename =~ "^[0-9]+$" }) LET ParsedValues = SELECT diff --git a/content/artifact_references/pages/windows.forensics.srum.md b/content/artifact_references/pages/windows.forensics.srum.md index 777467a54ef..343675f2b7d 100644 --- a/content/artifact_references/pages/windows.forensics.srum.md +++ b/content/artifact_references/pages/windows.forensics.srum.md @@ -42,15 +42,13 @@ parameters: type: bool export: | - LET resolveESEId(OSPath, Accessor, Id) = cache( + LET ResolveESEId(OSPath, Accessor, Id) = cache( name="ESE", func=srum_lookup_id(file=OSPath, accessor=Accessor, id=Id), key=format(format="%v-%v-%v", args=[OSPath, Accessor, Id])) - LET lookupSIDCache(OSPath, Accessor, Id) = cache( - name="SID", - func=lookupSID(sid=srum_lookup_id(file=OSPath, accessor=Accessor, id=Id)), - key=format(format="%v-%v-%v", args=[OSPath, Accessor, Id])) +imports: + - Windows.Sys.AllUsers sources: - name: Upload @@ -66,12 +64,12 @@ sources: SELECT AutoIncId AS ID, TimeStamp, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=AppId) AS App, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=UserId) AS UserSid, - lookupSIDCache(OSPath=SRUMFiles.OSPath, - Accessor=accessor, Id=UserId) AS User, + LookupSIDCache(SID=srum_lookup_id( + file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User, timestamp(winfiletime=EndTime) AS EndTime, DurationMS, NetworkBytesRaw 
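Review bot: In the new `LookupSIDCache(SID=srum_lookup_id(file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User,` line of the first Application hunk, `file=SRUMFiles` passes the row object where the neighbouring `ResolveESEId(OSPath=SRUMFiles.OSPath, ...)` calls pass the path; unless srum_lookup_id accepts that form, it should be `file=SRUMFiles.OSPath`. The same line recurs in the three following hunks (-85, -116 and -135). Routing the id through the cached helper instead would fix the argument and avoid an uncached ESE lookup per row: `LookupSIDCache(SID=ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=UserId) || "") AS User,`. The enclosing source queries start and end outside each hunk.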
@@ -85,12 +83,12 @@ sources: SELECT AutoIncId as SRUMId, TimeStamp, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=AppId) AS App, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=UserId) AS UserSid, - lookupSIDCache(OSPath=SRUMFiles.OSPath, - Accessor=accessor, Id=UserId) AS User, + LookupSIDCache(SID=srum_lookup_id( + file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User, ForegroundCycleTime, BackgroundCycleTime, FaceTime, @@ -116,12 +114,12 @@ sources: SELECT AutoIncId as SRUMId, TimeStamp, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=AppId) AS App, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=UserId) AS UserSid, - lookupSIDCache(OSPath=SRUMFiles.OSPath, - Accessor=accessor, Id=UserId) AS User, + LookupSIDCache(SID=srum_lookup_id( + file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User, InterfaceLuid, ConnectedTime, timestamp(winfiletime=ConnectStartTime) AS StartTime @@ -135,12 +133,12 @@ sources: SELECT AutoIncId as SRUMId, TimeStamp, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=AppId) AS App, - resolveESEId(OSPath=SRUMFiles.OSPath, + ResolveESEId(OSPath=SRUMFiles.OSPath, Accessor=accessor, Id=UserId) AS UserSid, - lookupSID(OSPath=SRUMFiles.OSPath, - Accessor=accessor, Id=UserId) AS User, + LookupSIDCache(SID=srum_lookup_id( + file=SRUMFiles, accessor=accessor, id=UserId) || "") AS User, UserId, BytesSent, BytesRecvd, diff --git a/content/artifact_references/pages/windows.forensics.usn.md b/content/artifact_references/pages/windows.forensics.usn.md index d056bc70064..9a6d7f882a0 100644 --- a/content/artifact_references/pages/windows.forensics.usn.md +++ b/content/artifact_references/pages/windows.forensics.usn.md 
@@ -50,6 +50,12 @@ parameters: - name: Device description: The NTFS drive to parse default: "C:\\" + - name: MFTFile + description: Alternatively provide an MFTFile to use for resolving paths. + - name: USNFile + description: Alternatively provide a previously extracted USN file to parse. + - name: Accessor + description: The accessor to use. - name: AllDrives description: Dump USN from all drives and VSC type: bool @@ -74,6 +80,11 @@ parameters: - name: DateBefore type: timestamp description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ" + - name: FastPaths + type: bool + description: When set use a faster but less accurate path reassembly algorithm. + + sources: - precondition: SELECT OS From info() where OS =~ 'windows' 
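Review bot: The new `Accessor` parameter is documented only as `The accessor to use.`, but in the query hunk that follows it is passed to Parse() solely in the MFTFile/USNFile branch, while the Device and AllDrives branches hard-code `Accessor="ntfs"`; suggest `description: Accessor used to read MFTFile and USNFile (the Device and AllDrives modes always use ntfs).`. The parameter also has no default, so supplying a USNFile without it hands parse_usn an empty accessor — presumably falling back to the default, but `default: auto` would make that explicit. The same applies to `MFTFile` and `USNFile`, whose descriptions could state that either may be given on its own.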
@@ -85,47 +96,82 @@ sources: LET DateBeforeTime <= if(condition=DateBefore, then=timestamp(epoch=DateBefore), else=timestamp(epoch="2200-01-01")) - LET all_drives = SELECT OSPath.Components[0] AS Drive - FROM glob(globs="/*/$Extend/$UsnJrnl:$J", accessor="ntfs") - WHERE log(message="Processing " + Drive) - - SELECT - Timestamp, - Filename, - Device, OSPath, - _Links, - Reason, - _FileMFTID as MFTId, - _FileMFTSequence as Sequence, - _ParentMFTID as ParentMFTId, - _ParentMFTSequence as ParentSequence, - FileAttributes, - SourceInfo, - Usn - FROM if(condition=AllDrives, - then={ - SELECT * FROM foreach(row=all_drives, - query={ - SELECT *, Drive AS Device - FROM parse_usn( - device=Drive, accessor="ntfs") + -- If the user specified an MFTFile then ignore the device + LET Device <= if(condition=MFTFile OR USNFile, then="", + else=if(condition=Device, + then=pathspec(parse=Device, path_type="ntfs"))) + + LET Parse(MFT, USN, Accessor) = SELECT * + FROM parse_usn(accessor=Accessor, fast_paths=FastPaths, + mft_filename=MFT, usn_filename=USN) WHERE Filename =~ FileNameRegex - AND str(str=_FileMFTID) =~ MFT_ID_Regex - AND str(str=_ParentMFTID) =~ Parent_MFT_ID_Regex + AND _FileMFTID =~ MFT_ID_Regex + AND _ParentMFTID =~ Parent_MFT_ID_Regex AND Timestamp < DateBeforeTime AND Timestamp > DateAfterTime AND _Links =~ PathRegex - }) + + LET all_drives = SELECT * FROM foreach( + row={ + SELECT OSPath[:1] AS Drive + FROM glob(globs="/*/$Extend/$UsnJrnl:$J", accessor="ntfs") + WHERE log(message=format(format="Processing Drive %v", args=Drive)) + }, query={ + SELECT Timestamp, + Filename, + Drive + OSPath AS OSPath, + _Links, + Reason, + _FileMFTID as MFTId, + _FileMFTSequence as Sequence, + _ParentMFTID as ParentMFTId, + _ParentMFTSequence as ParentSequence, + FileAttributes, + SourceInfo, + Usn + FROM Parse(MFT=Drive + "$MFT", + USN=Drive + "$Extend/$UsnJrnl:$J", + Accessor="ntfs") + }) + + SELECT * + FROM if(condition=AllDrives, then=all_drives, else={ + SELECT * FROM 
if(condition=Device AND + log(message=format(format="Processing Device %v", args=Device)), + then={ + SELECT Timestamp, + Filename, + Device + OSPath AS OSPath, + _Links, + Reason, + _FileMFTID as MFTId, + _FileMFTSequence as Sequence, + _ParentMFTID as ParentMFTId, + _ParentMFTSequence as ParentSequence, + FileAttributes, + SourceInfo, + Usn + FROM Parse(MFT=Device + "$MFT", + USN=Device + "$Extend/$UsnJrnl:$J", + Accessor="ntfs") + }, else={ - SELECT *, Device - FROM parse_usn(device=Device, accessor="ntfs") - WHERE Filename =~ FileNameRegex - AND str(str=_FileMFTID) =~ MFT_ID_Regex - AND str(str=_ParentMFTID) =~ Parent_MFT_ID_Regex - AND Timestamp < DateBeforeTime - AND Timestamp > DateAfterTime - AND _Links =~ PathRegex + SELECT Timestamp, + Filename, + OSPath, + _Links, + Reason, + _FileMFTID as MFTId, + _FileMFTSequence as Sequence, + _ParentMFTID as ParentMFTId, + _ParentMFTSequence as ParentSequence, + FileAttributes, + SourceInfo, + Usn + FROM Parse(MFT=MFTFile, + USN=USNFile, Accessor=Accessor) }) + })
diff --git a/content/artifact_references/pages/windows.kapefiles.remapping.md b/content/artifact_references/pages/windows.kapefiles.remapping.md new file mode 100644 index 00000000000..572acc238ea --- /dev/null +++ b/content/artifact_references/pages/windows.kapefiles.remapping.md @@ -0,0 +1,181 @@ +--- +title: Windows.KapeFiles.Remapping +hidden: true +tags: [Client Artifact] +--- + +This artifact automates the rebuilding of remapping rules to be +able to easily post process the results of the +Windows.KapeFiles.Targets. + +Use as follows in the flow notebook cell of a collection: + +```vql +LET _ <= + SELECT * FROM Artifact.Windows.KapeFiles.Remapping(ClientId=ClientId, FlowId=FlowId) + +SELECT * FROM Artifact.Windows.System.TaskScheduler() +``` + +NOTE: Not all plugins are enabled in this mode for obvious reasons +(e.g. pslist, wmi etc). + +See https://docs.velociraptor.app/blog/2022/2022-08-04-post-processing/ + + +

+name: Windows.KapeFiles.Remapping
+description: |
+   This artifact automates the rebuilding of remapping rules to be
+   able to easily post process the results of the
+   Windows.KapeFiles.Targets.
+
+   Use as follows in the flow notebook cell of a collection:
+
+   ```vql
+   LET _ <=
+      SELECT * FROM Artifact.Windows.KapeFiles.Remapping(ClientId=ClientId, FlowId=FlowId)
+
+   SELECT * FROM Artifact.Windows.System.TaskScheduler()
+   ```
+
+   NOTE: Not all plugins are enabled in this mode for obvious reasons
+   (e.g. pslist, wmi etc).
+
+   See https://docs.velociraptor.app/blog/2022/2022-08-04-post-processing/
+
+type: CLIENT
+
+parameters:
+   - name: ClientId
+     description: The ClientID of the collection we need to remap
+   - name: FlowId
+     description: The FlowID of the collection
+
+export: |
+   -- Get the base path of files in the filestore for this client id
+   -- and flow id
+   LET GetBasePath(FlowId, ClientId) = regex_transform(
+     source="/clients/ClientId/collections/FlowId/uploads",
+     map=dict(FlowId=FlowId, ClientId=ClientId))
+
+   -- Get the registry mount for the users
+   LET HiveMount(BasePath, Target) = regex_transform(source='''
+   - type: mount
+     from:
+       accessor: raw_reg
+       prefix: |-
+         {
+           "Path": "/",
+           "DelegateAccessor": "fs",
+           "DelegatePath": "BasePath"
+         }
+       path_type: registry
+     "on":
+       accessor: registry
+       prefix: Target
+       path_type: registry
+   ''', map=dict(BasePath=BasePath, Target=Target), key=Target)
+
+   -- Map regular files from the fs accessor to the designated accessor
+   LET AccessorMount(Accessor, BasePath) = regex_transform(source='''
+   - type: mount
+     from:
+       accessor: fs
+       prefix: "BasePath/AccessorName"
+     "on":
+       accessor: AccessorName
+       prefix: ""
+       path_type: AccessorName
+   ''', map=dict(BasePath=BasePath, AccessorName=Accessor), key=Accessor)
+
+   -- ShadowMount just copy accessors into the new remapped environment.
+   LET ShadowMount(Accessor) = regex_transform(source='''
+   - type: shadow
+     from:
+       accessor: AccessorName
+     "on":
+       accessor: AccessorName
+   ''', map=dict(AccessorName=Accessor), key=Accessor)
+
+   -- Common mounts that are used in all cases.
+   LET CommonMount = '''remappings:
+   - type: permissions
+     permissions:
+       - COLLECT_CLIENT
+       - FILESYSTEM_READ
+       - FILESYSTEM_WRITE
+       - READ_RESULTS
+       - MACHINE_STATE
+       - SERVER_ADMIN
+   - type: impersonation
+     os: windows
+     hostname: Virtual Host
+     env:
+       - key: SystemRoot
+         value: C:\Windows
+       - key: WinDir
+         value: C:\Windows
+     disabled_functions:
+       - amsi
+       - lookupSID
+       - token
+     disabled_plugins:
+       - users
+       - certificates
+       - handles
+       - pslist
+       - interfaces
+       - modules
+       - netstat
+       - partitions
+       - proc_dump
+       - proc_yara
+       - vad
+       - winobj
+       - wmi
+   '''
+
+   -- Build remapping parts by searching for registry hives to mount.
+   LET Parts(BasePath) = SELECT * FROM chain(
+   a={
+
+     -- Mount all ntuser.dat hives that were fetched. Username is
+     -- taken to be containing directory.
+     SELECT OSPath,
+             HiveMount(BasePath=OSPath.String,
+                       Target="HKEY_USERS/" + OSPath[-2]) AS Mount
+     FROM glob(globs="*/C:/Users/*/ntuser.dat", accessor="fs", root=BasePath)
+     WHERE NOT OSPath.Basename =~ "idx$"
+
+   }, b={
+     -- Mount the main system registry hives
+     SELECT OSPath,
+            HiveMount(BasePath=OSPath.String,
+                      Target="HKEY_LOCAL_MACHINE/" + OSPath[-1]) AS Mount
+     FROM glob(globs="*/C:/Windows/System32/Config/{SOFTWARE,SYSTEM}",
+               accessor="fs", root=BasePath)
+     WHERE NOT OSPath.Basename =~ "idx$"
+
+   }, e={
+     SELECT ShadowMount(Accessor=_value) AS Mount
+     FROM foreach(row=["raw_reg", "zip", "data", "scope", "gzip"])
+   })
+
+   -- Mount all files to be accessible by auto, ntfs and file accessor.
+   LET GetRemappingByBase(BasePath) = join(array=CommonMount +
+       AccessorMount(BasePath=BasePath, Accessor="auto") +
+       AccessorMount(BasePath=BasePath, Accessor="ntfs") +
+       AccessorMount(BasePath=BasePath, Accessor="file") +
+       Parts(BasePath=BasePath).Mount, sep="")
+
+   LET GetRemapping(FlowId, ClientId) = GetRemappingByBase(
+       BasePath=GetBasePath(FlowId=FlowId, ClientId=ClientId))
+
+sources:
+  - query: |
+      SELECT remap(clear=TRUE, config=GetRemapping) AS Remapping
+      FROM scope()
+
+
+ diff --git a/content/artifact_references/pages/windows.kapefiles.targets.md b/content/artifact_references/pages/windows.kapefiles.targets.md index acbafe7a485..31770680722 100644 --- a/content/artifact_references/pages/windows.kapefiles.targets.md +++ b/content/artifact_references/pages/windows.kapefiles.targets.md 
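Review bot: CommonMount's permissions block grants the remapped scope SERVER_ADMIN and FILESYSTEM_WRITE alongside the read permissions, yet nothing in this artifact writes to the filesystem or administers the server — it only mounts collected files and hives for read-only post-processing. Unless a plugin expected to run in this mode is known to need them, trimming the list to the read permissions actually exercised, or adding a comment such as `-- SERVER_ADMIN / FILESYSTEM_WRITE are needed by <plugin> (TODO name it)`, would keep the remapped environment least-privileged. The description could also say that `remap(clear=TRUE, ...)` presumably replaces any remapping already active in the calling notebook, since that side effect is not obvious from the usage example.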
@@ -73,13 +73,13 @@ parameters: for everything which will be much slower. - name: _BasicCollection - description: "Basic Collection (by Phill Moore): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Desktop LNK Files, Desktop LNK Files XP, Event logs Win7+, Event logs Win7+, Event logs XP, GatherLogs, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, PowerShell Console Log, Prefetch, Prefetch, RECYCLER - WinXP, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, Restore point LNK Files XP, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SYSTEM 
registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Start Menu LNK Files, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), Thumbcache DB, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, WindowsIndexSearch, XML, XML, XML, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt" + description: "Basic Collection (by Phill Moore): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Desktop LNK Files, Desktop LNK Files XP, Event logs Win7+, Event logs Win7+, Event logs XP, GatherLogs, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, Prefetch, Prefetch, RECYCLER - WinXP, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction 
files, Registry.dat MSIX Hive, Restore point LNK Files XP, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Start Menu LNK Files, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), Thumbcache DB, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, WindowsIndexSearch, XML, XML, XML, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt" type: bool - name: _KapeTriage - description: "Calls Kape Triage (by Phill Moore): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - 
*.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, ComboFix, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Desktop LNK 
Files, Desktop LNK Files XP, DetectionHistory, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Internet Explorer folder, Local Service registry 
hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, Preferences, Preferences, Prefetch, Prefetch, Protections, Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC 
Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Shortcuts, Signons, Signons XP, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, 
Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WER Files, WER Files, Web Data, Webappstore, Webappstore XP, Webroot Program Data, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows.old RDP Cache Files, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex Network Action Predictor, Yandex Network Persistent State, Yandex Passman 
logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, registrationInfo.xml" + description: "Calls Kape Triage (by Phill Moore): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome 
Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, ComboFix, Comodo, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Desktop LNK Files, Desktop LNK Files XP, DetectionHistory, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, Google Drive 
Backup and Sync Metadata, Google Drive for Desktop Metadata, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, ITarian, ITarian, ITarian, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Internet Explorer folder, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MeshAgent .msh (configuration) file, MeshAgent log file, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client 
Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, Preferences, Preferences, Prefetch, Prefetch, Protections, Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry 
transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Shortcuts, Signons, Signons XP, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, Unified 
endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WER Files, WER Files, Web Data, Webappstore, Webappstore XP, Webroot Program Data, Windows Defender Detections.log, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows Safety Scanner Logs, Windows.old RDP Cache Files, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex Network Action Predictor, Yandex Network Persistent State, Yandex Passman logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, 
registrationInfo.xml" type: bool - name: _SANS_Triage - description: "SANS Triage Collection (by Mark Hallman): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, .NET CLR UsageLogs (system-scoped), .NET CLR UsageLogs (user-scoped), AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, BITS files, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, 
Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, Cisco Jabber Database, ComboFix, Computer Group Policy files, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Delivery Optimization Trace Logs, Desktop LNK Files, Desktop LNK Files XP, DetectionHistory, Discord Cache Files, Discord Local Storage LevelDB Files, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Energy-NTKL Trace Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, GatherLogs, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, Group Policy Files, HexChat Chat Logs, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn 
- App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, IceChat Chat Logs, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts, Local Group Policy Files - Startup/Shutdown Scripts, Local Group Policy INI Files, Local Internet Explorer folder, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Logs (Windows 11), NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, 
NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, Preferences, Preferences, Prefetch, Prefetch, Protections, Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry 
hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Shortcuts, Signal Attachments cache, Signal Database, Signal Logs, Signal config.json, Signons, Signons XP, Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack Cache, Slack Electron Logs, Slack LevelDB Files, Slack Storage, SleepStudy Trace Logs, SleepStudy Trace Logs, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives 
(XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, Telegram app folder, Telegram downloaded files, Thumbcache DB, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, User Group Policy files, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Viber Config Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Data Database, Viber Users Thumbnails Cache, Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WER Files, WER Files, WMI Trace Logs, WMI Trace Logs, Web Data, Webappstore, Webappstore XP, Webroot Program Data, WhatsApp Cache, WhatsApp Local Storage, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Firewall Logs, Windows Firewall Logs, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows.old RDP Cache Files, WindowsIndexSearch, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex 
Network Action Predictor, Yandex Network Persistent State, Yandex Passman logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, leveldb (Skype for Desktop +v8), mIRC Chat Logs (2000/XP), mIRC Chat Logs (Vista+), mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, main.db (App <v12), main.db Win7+, main.db XP, registrationInfo.xml, s4l-[username].db (App +v8), skype.db (App +v12)" + description: "SANS Triage Collection (by Mark Hallman): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, .NET CLR UsageLogs (system-scoped), .NET CLR UsageLogs (user-scoped), AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, BITS files, Bitdefender 
Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, Cisco Jabber Database, ComboFix, Comodo, Computer Group Policy files, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Delivery Optimization Trace Logs, Desktop LNK Files, Desktop LNK Files XP, DetectionHistory, Discord Cache Files, Discord Local Storage LevelDB Files, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login 
Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Energy-NTKL Trace Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, GatherLogs, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, Group Policy Files, HexChat Chat Logs, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, ITarian, ITarian, ITarian, IceChat Chat Logs, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts, Local Group Policy Files - Startup/Shutdown Scripts, Local Group Policy INI Files, Local Internet Explorer folder, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local 
Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, Mattermost - Chat Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MeshAgent .msh (configuration) file, MeshAgent log file, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Logs (Windows 11), NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, Preferences, Preferences, Prefetch, Prefetch, Protections, 
Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session 
Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Shortcuts, Signal Attachments cache, Signal Database, Signal Logs, Signal config.json, Signons, Signons XP, Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack Cache, Slack Electron Logs, Slack LevelDB Files, Slack Storage, SleepStudy Trace Logs, SleepStudy Trace Logs, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, Telegram app folder, Telegram downloaded files, Thumbcache DB, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, Unified endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine, User Group Policy files, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE 
Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Viber Config Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Data Database, Viber Users Thumbnails Cache, Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WER Files, WER Files, WMI Trace Logs, WMI Trace Logs, Web Data, Webappstore, Webappstore XP, Webroot Program Data, WhatsApp Cache, WhatsApp Local Storage, Windows Defender Detections.log, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Firewall Logs, Windows Firewall Logs, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows Safety Scanner Logs, Windows.old RDP Cache Files, WindowsIndexSearch, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex Network Action Predictor, Yandex Network Persistent State, Yandex Passman logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, leveldb (Skype for Desktop +v8), mIRC Chat Logs (2000/XP), mIRC Chat 
Logs (Vista+), mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, main.db (App <v12), main.db Win7+, main.db XP, registrationInfo.xml, s4l-[username].db (App +v8), skype.db (App +v12)" type: bool - name: _Boot description: "$Boot (by Eric Zimmerman): $Boot" 
@@ -136,7 +136,7 @@ parameters: description: "Ammyy Data (by Drew Ervin): Ammyy Program Data" type: bool - name: Antivirus - description: "Antivirus (by Andrew Rathbun): AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DetectionHistory, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Emsisoft Scan Logs, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, Local User Quarantine, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, RogueKiller Reports, SUPERAntiSpyware Logs, SYSTEM user quarantine, SecureAge Antvirus Logs, SentinelOne EDR Log, Sophos Logs, Sophos Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection 
Logs, Trend Micro Security Agent Report Logs, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Webroot Program Data, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, ccSubSDK Database, registrationInfo.xml" + description: "Antivirus (by Andrew Rathbun): AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, ComboFix, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DetectionHistory, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Emsisoft Scan Logs, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, Local User Quarantine, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, RogueKiller Reports, SUPERAntiSpyware Logs, SYSTEM user quarantine, SecureAge Antvirus Logs, SentinelOne EDR Log, Sophos Logs, Sophos Logs (XP), Symantec Endpoint Protection Logs, Symantec 
Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Webroot Program Data, Windows Defender Detections.log, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Safety Scanner Logs, ccSubSDK Database, registrationInfo.xml" type: bool - name: AnyDesk description: "AnyDesk (by Andrew Rathbun, Scott Hanson, and Nicole Jao): AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos" 
@@ -193,7 +193,7 @@ parameters: description: "Browser Caches (by Bjorn Vanhaeren): Brave Cache Folder, Chrome Cache Folder, Chromium Edge Cache Folder, Edge WebcacheV01.dat, Firefox Cache Folder, IE 11 Cache, IE 9/10 Cache, IE Index.dat temp internet files" type: bool - name: CertUtil - description: "Certutil (by NVISO (@NVISOsecurity)): INetCache, System CryptnetUrlCache, User CryptnetUrlCache" + description: "Certutil (by NVISO (@NVISOsecurity), 2thewes): INetCache, System CryptnetUrlCache, System WOW64 CryptnetUrlCache, User CryptnetUrlCache" type: bool - name: Chrome description: "Chrome (by Eric Zimmerman and Andrew Rathbun): Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, Windows Protect Folder" 
@@ -220,7 +220,7 @@ parameters: description: "OneDrive and other files used with OneDriveExplorer (by Brian Maloney): NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, RECYCLER - WinXP, RECYCLER - WinXP, Recycle Bin - Windows Vista+, Recycle Bin - Windows Vista+, Recycle Bin - Windows Vista+, UsrClass.dat registry hive, UsrClass.dat registry transaction files" type: bool - name: CombinedLogs - description: "Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs (by Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target): .NET CLR UsageLogs (system-scoped), .NET CLR UsageLogs (user-scoped), Delivery Optimization Trace Logs, Energy-NTKL Trace Logs, Event logs Win7+, Event logs Win7+, Event logs XP, PowerShell Console Log, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, SleepStudy Trace Logs, SleepStudy Trace Logs, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WMI Trace Logs, WMI Trace Logs, Windows Firewall Logs, Windows Firewall Logs" + description: "Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs (by Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts target): .NET CLR UsageLogs (system-scoped), .NET CLR UsageLogs (user-scoped), Delivery Optimization Trace Logs, Energy-NTKL Trace Logs, Event logs Win7+, Event logs Win7+, Event logs XP, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, 
PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, SleepStudy Trace Logs, SleepStudy Trace Logs, WDI Trace Logs 1, WDI Trace Logs 1, WDI Trace Logs 2, WDI Trace Logs 2, WMI Trace Logs, WMI Trace Logs, Windows Firewall Logs, Windows Firewall Logs" type: bool - name: Combofix description: "ComboFix Antivirus Data (by Drew Ervin): ComboFix" @@ -328,7 +328,7 @@ parameters: description: "Evidence of execution related files (by Eric Zimmerman): Amcache, Amcache, Amcache transaction files, Amcache transaction files, AppCompat PCA Folder, Prefetch, Prefetch, RecentFileCache, RecentFileCache, Syscache, Syscache transaction files" type: bool - name: Exchange - description: "Exchange Log Files (by Keith Twombley): Exchange TransportRoles log files, Exchange client access log files" + description: "Exchange Log Files (by Keith Twombley): Exchange Setup Log file, Exchange TransportRoles log files, Exchange client access log files" type: bool - name: ExchangeClientAccess description: "Exchange Client Access Log Files (by Keith Twombley): Exchange client access log files" @@ -336,6 +336,9 @@ parameters: - name: ExchangeCve_2021_26855 description: "Exchange Server Vulnerability *.Compiled Files (by Dennis Reneau): Exchange Server Modified Compiled Files, Exchange Server Modified Compiled Files, Exchange Server Modified Compiled Files, Exchange Server Modified Compiled Files" type: bool + - name: ExchangeSetupLog + description: "Exchange Setup Log (by 2thewes): Exchange Setup Log file" + type: bool - name: ExchangeTransport description: "Exchange Transport Log Files (by Keith Twombley): Exchange TransportRoles log files" type: bool 
@@ -414,9 +417,15 @@ parameters: - name: ISLOnline description: "ISLOnline Remote Access Tool (by Thomas Burnette): ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out" type: bool + - name: ITarian + description: "ITarian RMM (by Phill Moore): Comodo, ITarian, ITarian, ITarian" + type: bool - name: IceChat description: "IceChat (by Andrew Rathbun): IceChat Chat Logs" type: bool + - name: IconCacheDB + description: "IconCache.db files (by Herbert Bärschneider @SEC Consult): Windows IconCache DB" + type: bool - name: Idrive description: "Idrive Backup Artifacts (by Thomas Burnette): Idrive Backup Operations, Idrive Backup Schedule, Idrive Backup Summary, Idrive Cleanup Operations, Idrive Configuration, Idrive Delete Operations, Idrive Exclusion Configurations, Idrive Local Drives, Idrive Mapped Drives, Idrive Restore Operations, Idrive SQL Databse, Idrive Schedule History, Idrive Tracefile, Idrive User Details" type: bool 
@@ -439,7 +448,7 @@ parameters: description: "Kali on Windows Subsystem for Linux (by Matt Dawson): Kali WSL .bash_history, Kali WSL .bashrc, Kali WSL .profile, Kali WSL /etc/bash.bashrc, Kali WSL /etc/crontab, Kali WSL /etc/debian_version, Kali WSL /etc/fstab, Kali WSL /etc/group, Kali WSL /etc/hostname, Kali WSL /etc/hosts, Kali WSL /etc/os-release, Kali WSL /etc/passwd, Kali WSL /etc/profile, Kali WSL /etc/shadow, Kali WSL /etc/timezone, Kali WSL Apt Logs, Kali WSL User Crontabs, Kali WSL ext4.vhdx" type: bool - name: KapeTriage - description: "KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files. (by Scott Downie): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira 
Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, ComboFix, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Desktop LNK Files, Desktop LNK Files XP, DetectionHistory, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, 
Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Internet Explorer folder, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, 
McAfee VirusScan Logs, McAfee ePO Logs, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, Preferences, Preferences, Prefetch, Prefetch, Protections, Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction 
files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Shortcuts, Signons, Signons XP, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend 
Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WER Files, WER Files, Web Data, Webappstore, Webappstore XP, Webroot Program Data, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows.old RDP Cache Files, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex Network Action Predictor, Yandex Network Persistent State, Yandex Passman logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, 
registrationInfo.xml" + description: "KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files. (by Scott Downie): $Boot, $J, $J, $LogFile, $MFT, $Max, $Max, $SDS, $SDS, $T, $T, AVG AV Logs, AVG AV Logs (XP), AVG AV Report Logs (XP), AVG FileInfo DB, AVG Persistent Logs, AVG Report Logs, AVG lsdbj2 JSON, Action1 Client Application logs, ActivitiesCache.db, Addons, Addons XP, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, AppCompat PCA Folder, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Avast AV Index, Avast AV Logs, Avast AV Logs (XP), Avast AV User Logs, Avast Icarus Logs, Avast Persistent Data Logs, Avira Activity Logs, Avira Security Logs, Avira VPN Logs, Bitdefender Endpoint Security Logs, Bitdefender Internet Security Logs, Bitdefender SQLite DB Files, Bookmarks, Bookmarks, Bookmarks, Box Drive Application Metadata, Box Sync Application Metadata, Chrome Cookies, Chrome Cookies XP, Chrome Current Session, Chrome Current Session XP, Chrome Current Tabs, Chrome Current Tabs XP, Chrome Download Metadata, Chrome Extension Cookies, Chrome Favicons, Chrome Favicons XP, Chrome History, Chrome History XP, Chrome Last Session, Chrome Last Session 
XP, Chrome Last Tabs, Chrome Last Tabs XP, Chrome Login Data, Chrome Login Data XP, Chrome Media History, Chrome Network Action Predictor, Chrome Network Persistent State, Chrome Preferences, Chrome Preferences XP, Chrome Quota Manager, Chrome Reporting and NEL, Chrome Sessions Folder, Chrome Shortcuts, Chrome Shortcuts XP, Chrome Snapshots Folder, Chrome SyncData Database, Chrome Top Sites, Chrome Top Sites XP, Chrome Trust Tokens, Chrome Visited Links, Chrome Visited Links XP, Chrome Web Data, Chrome Web Data XP, Chrome bookmarks, Chrome bookmarks XP, ComboFix, Comodo, Cookies, Cookies, Cookies, Cookies XP, Crash Dumps, Crash Dumps, Crash Dumps, Current Session, Current Tabs, Cybereason Anti-Ransomware Logs, Cybereason Application Control and NGAV Logs, Cybereason Sensor Communications and Anti-Malware Logs, Cylance Optics Logs, Cylance Program Files Logs, Cylance ProgramData Logs, DWAgent Log Files, Desktop LNK Files, Desktop LNK Files XP, DetectionHistory, Download Metadata, Downloads, Downloads XP, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, ESET NOD32 AV Logs, ESET NOD32 AV Logs, ESET NOD32 AV Logs (XP), ESET Remote Administrator Logs, Edge Bookmarks, Edge Collections, Edge Cookies, Edge Current Session, Edge Current Tabs, Edge Favicons, Edge History, Edge Last Session, Edge Last Tabs, Edge Login Data, Edge Media History, Edge Network Action Predictor, Edge Preferences, Edge Sessions Folder, Edge Shortcuts, Edge Snapshots Folder, Edge SyncData Database, Edge Top Sites, Edge Visited Links, Edge Web Data, Edge WebAssistDatabase, Edge bookmarks, Edge folder, Emsisoft Scan Logs, Event logs Win7+, Event logs Win7+, Event logs XP, Extensions, F-Secure Logs, F-Secure Scheduled Scan Reports, F-Secure User Logs, Favicons, Favicons, Favicons XP, Form history, Form history XP, Google Drive Backup and Sync Metadata, Google Drive for Desktop Metadata, History, HitmanPro Alert Logs, HitmanPro Database, HitmanPro Logs, IE 11 
Cookies, IE 11 Metadata, IE 9/10 Cookies, IE 9/10 Download History, IE 9/10 History, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, ITarian, ITarian, ITarian, Index.dat History, Index.dat History subdirectory, Index.dat Office, Index.dat Office XP, Index.dat UserData, Index.dat cookies, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Level RMM Client Application logs, Local Internet Explorer folder, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Local User Quarantine, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Login Data, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Scan Results Logs, MalwareBytes Anti-Malware Service Logs, McAfee Desktop Protection Logs, McAfee Desktop Protection Logs XP, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs, McAfee ePO Logs, MeshAgent .msh (configuration) file, MeshAgent log file, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp 
Folder, Network Action Predictor, Network Persistent State, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, OneDrive Metadata Logs, OneDrive Metadata Settings, Opera - Local Folder, Opera - Roaming Folder, Password, Password, Password, Password XP, Password XP, Password XP, Permissions, Places, Places XP, PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile, Preferences, Preferences, Prefetch, Prefetch, Protections, Publisher Info DB/Brave Rewards, Puffin - Autocomplete Data, Puffin - Cookies, Puffin - Image Cache, Puffin - Password (Encrypted), Puffin - Password Forms Data, Puffin - Subscription Data, Puffin - data.db, Quota Manager, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RECYCLER - WinXP, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, Rclone Config, RealVNC Log, RealVNC Log, RecentFileCache, RecentFileCache, Recycle Bin - Windows Vista+, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, Reporting and NEL, Restore point LNK Files XP, Roaming Internet Explorer folder, RogueKiller Reports, RustDesk logs, RustDesk logs, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive 
(RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SUM Database (.mdb files), SUPERAntiSpyware Logs, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, SYSTEM user quarantine, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Search, Search XP, Secure Preferences, SecureAge Antvirus Logs, SentinelOne EDR Log, Sessions Folder, Sessionstore, Sessionstore Folder, Sessionstore XP, Shortcuts, Signons, Signons XP, Sophos Logs, Sophos Logs (XP), Splashtop Log Files, Splashtop Log Files in ProgramData, Start Menu LNK Files, Storage Sync, Supremo Connection Logs, Supremo File Transfer Inbox, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, Top Sites, TotalAV Logs, TotalAV Logs, Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, Unified endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine, User.dat 
MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files, VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+), Visited Links, Vivaldi Bookmarks, Vivaldi Calendar, Vivaldi Contacts, Vivaldi Cookies, Vivaldi Download Metadata, Vivaldi Favicons, Vivaldi History, Vivaldi Login Data, Vivaldi Network Action Predictor, Vivaldi Network Persistent State, Vivaldi Notes, Vivaldi Preferences, Vivaldi Sessions Folder, Vivaldi Top Sites, Vivaldi User Tracking, Vivaldi Visited Links, Vivaldi Web Data, WBEM, WBEM, WER Files, WER Files, Web Data, Webappstore, Webappstore XP, Webroot Program Data, Windows Defender Detections.log, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine, Windows Protect Folder, Windows Protect Folder, Windows Protect Folder, Windows Safety Scanner Logs, Windows.old RDP Cache Files, XML, XML, XML, Xeox RMM Client Application logs, Yandex Autofill data, Yandex Bookmarks, Yandex Cookies, Yandex Favicons, Yandex History, Yandex Login Data, Yandex Network Action Predictor, Yandex Network Persistent State, Yandex Passman logs, Yandex Preferences, Yandex Sessions Folder, Yandex Shortcuts, Yandex Top Sites, Yandex Visited Links, Yandex Web Data, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, ccSubSDK Database, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings, registrationInfo.xml" type: bool - name: Kaseya description: "Kaseya Data (by Drew Ervin and Andrew Rathbun): Kaseya Agent Edge Service Logs, 
Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log" @@ -501,6 +510,9 @@ parameters: - name: MemoryFiles description: "Memory Files (by Ahmed Elshaer, Teo Kia Meng): Small Memory Dump directory, Small Memory Dump directory, hiberfil.sys, pagefile.sys, swapfile.sys" type: bool + - name: MeshAgent + description: "MeshAgent log and configuration files (by Geir Olav Skei, Atea IRT): MeshAgent .msh (configuration) file, MeshAgent log file" + type: bool - name: MessagingClients description: "Messaging and communication apps (by Gregor Wegberg): Cisco Jabber Database, Discord Cache Files, Discord Local Storage LevelDB Files, HexChat Chat Logs, IceChat Chat Logs, Mattermost - Chat Logs, Microsoft Store WhatsApp Cache, Microsoft Store WhatsApp Local Storage, Microsoft Teams Cache, Microsoft Teams Config, Microsoft Teams IndexedDB Cache, Microsoft Teams Local Storage Cache, Microsoft Teams Logs (Windows 11), Signal Attachments cache, Signal Database, Signal Logs, Signal config.json, Skype for Destkop v8+ Chromium Cache, Slack - Chat Logs, Slack Cache, Slack Electron Logs, Slack LevelDB Files, Slack Storage, Telegram app folder, Telegram downloaded files, Viber Config Database, Viber Users Avatars Cache, Viber Users Backgrounds Cache, Viber Users Data Database, Viber Users Thumbnails Cache, WhatsApp Cache, WhatsApp Local Storage, leveldb (Skype for Desktop +v8), mIRC Chat Logs (2000/XP), mIRC Chat Logs (Vista+), main.db (App <v12), main.db Win7+, main.db XP, s4l-[username].db (App +v8), skype.db (App +v12)" type: bool 
@@ -510,6 +522,9 @@ parameters: - name: MicrosoftOneNote description: "Microsoft OneNote (by Andrew Rathbun): Microsoft OneNote - AccessibilityCheckerIndex, Microsoft OneNote - FullTextSearchIndex, Microsoft OneNote - RecentNotebooks_SeenURLs, Microsoft OneNote - RecentSearches, Microsoft OneNote - User NoteTags" type: bool + - name: MicrosoftSafetyScanner + description: "Microsoft Safety Scanner (by Geir Olav Skei): Windows Safety Scanner Logs" + type: bool - name: MicrosoftStickyNotes description: "Microsoft Sticky Notes (by Andrew Rathbun): Microsoft Sticky Notes - 1607 and later, Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier" type: bool @@ -607,10 +622,10 @@ parameters: description: "PowerShell 7 Runtime Config (by Andrew Rathbun): PowerShell 7 Config JSON" type: bool - name: PowerShellConsole - description: "PowerShell Console Log File (by Mike Cary): PowerShell Console Log" + description: "PowerShell Console Log File (by Mike Cary, 2thewes): PowerShell Console Log, PowerShell Console Log Systemprofile, PowerShell Console Log WOW64 Systemprofile" type: bool - name: PowerShellTranscripts - description: "PowerShell Transcripts (by Andrew Rathbun and Chad Tilbury): PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location" + description: "PowerShell Transcripts (by Andrew Rathbun and Chad Tilbury): PowerShell Transcripts - Default Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location, PowerShell Transcripts - Observed Location" type: bool - name: Prefetch description: "Prefetch files (by Eric Zimmerman): Prefetch, Prefetch" 
@@ -633,9 +648,15 @@ parameters: - name: QFinderPro__QNAP_ description: "QFinderPro (QNAP) (by Andrew Rathbun): QFinderPro" type: bool + - name: QlikSense + description: "Qlik Sense (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): Qlik Sense Logs, Qlik Sense Logs, Qlik Sense Logs, Qlik Sense Logs" + type: bool - name: RDPCache description: "RDP Cache Files (by Hadar Yudovich): RDP Cache Files, RDP Cache Files, Windows.old RDP Cache Files" type: bool + - name: RDPJumplist + description: "RDP Jumplist Files (by Vito Alfano): RDP Jumplist Files" + type: bool - name: RDPLogs description: "RDP Logs (by Drew Ervin): LocalSessionManager Event Logs, LocalSessionManager Event Logs, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs" type: bool 
@@ -673,7 +694,7 @@ parameters: description: "User Related Registry hives (by Eric Zimmerman / Mark Hallman): NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files" type: bool - name: RemoteAdmin - description: "Composite target for files related to remote administration tools (by Drew Ervin, Mathias Frank, Andrew Rathbun): Action1 Client Application logs, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, DWAgent Log Files, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, Level RMM Client Application logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, 
RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, RealVNC Log, RealVNC Log, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, RustDesk logs, RustDesk logs, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Splashtop Log Files, Splashtop Log Files in ProgramData, Supremo Connection Logs, Supremo File Transfer Inbox, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, Windows.old RDP Cache Files, Xeox RMM Client Application logs, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist .conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings" + description: "Composite target for files related to remote administration tools (by Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore): Action1 Client Application logs, Ammyy Program Data, AnyDesk Chat Logs - User Profile, AnyDesk Logs - ProgramData - *.conf, AnyDesk Logs - ProgramData - *.trace, AnyDesk Logs - ProgramData - connection_trace.txt, AnyDesk Logs - System User Account, AnyDesk Logs - User Profile - *.conf, AnyDesk Logs - User Profile - *.trace, AnyDesk Logs - User Profile - connection_trace.txt, AnyDesk Videos, Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Comodo, DWAgent Log Files, ISL AlwaysOn - App Logs, ISL AlwaysOn - Configuration, ISL AlwaysOn - Email 
Configuration, ISL AlwaysOn Logs - Sessions, ISL AlwaysOn Logs - Sessions List, ISL Light Logs - Sessions, ISLOnline Logs - Session Configurations, ISLOnline Logs - Sessions - *.out, ITarian, ITarian, ITarian, Kaseya Agent Edge Service Logs, Kaseya Agent Endpoint Service Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Service Log, Kaseya Live Connect Logs, Kaseya Live Connect Logs (XP), Kaseya Setup Log, Kaseya Setup Log, Kaseya Setup Log, Level RMM Client Application logs, LocalSessionManager Event Logs, LocalSessionManager Event Logs, LogMeIn Application Logs, LogMeIn ProgramData Logs, MeshAgent .msh (configuration) file, MeshAgent log file, Net Monitor Client Config, Net Monitor Client Logs, Net Monitor Server Config, Net Monitor Server Data, Net Monitor Server Logs, Net Monitor Server Temp Folder, RDP Cache Files, RDP Cache Files, RDPClient Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RDPCoreTS Event Logs, Radmin Server 32bit Chats, Radmin Server 32bit Log, Radmin Server 64bit Chats, Radmin Server 64bit Log, Radmin Viewer Chats, RealVNC Log, RealVNC Log, RemoteConnectionManager Event Logs, RemoteConnectionManager Event Logs, RemoteUtilities Connection Logs, RemoteUtilities Install Log, RustDesk logs, RustDesk logs, ScreenConnect Session Database, ScreenConnect Session Database, ScreenConnect User Config, Splashtop Log Files, Splashtop Log Files in ProgramData, Supremo Connection Logs, Supremo File Transfer Inbox, TeamViewer Application Logs, TeamViewer Application User Logs, TeamViewer Configuration Files, TeamViewer Connection Logs, TightVNC Application Logs, UltraViewer Connection Log, UltraViewer Service Log, UltraViewer System Logs, UltraViewer User Logs, Unified endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine, Windows.old RDP Cache Files, Xeox RMM Client Application logs, Zoho Assist .conf files, Zoho Assist .conf files in Program Files*, Zoho Assist 
.conf files in AppData\Local, Zoho Assist .txt files in Program Files*, Zoho Assist log files in AppData\Local, Zoho Assist log files in Program Files*, Zoho Assist log files in ProgramData, mRemoteNG Connection Configuration and Backups, mRemoteNG Logs, mRemoteNG Program Settings" type: bool - name: RemoteUtilities_app description: "Remote Utilities (by Ryan McVicar): RemoteUtilities Connection Logs, RemoteUtilities Install Log" 
@@ -730,7 +751,7 @@ parameters: description: "Sentinel One Logs (by Kirtan Shah): SentinelOne EDR Log" type: bool - name: ServerTriage - description: "A compound target for gathering artifacts common to servers. (by Eric Capuano): Apache Access Log, Confluence Wiki Log Files, Confluence Wiki Log Files, Exchange TransportRoles log files, Exchange client access log files, FileZilla Log Files, FileZilla Server XML Log Files, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, MS SQL Errorlog, MS SQL Errorlogs, ManageEngine ADSelfService Plus Log Files, ManageEngine Desktop Central Log Files, NGINX Log Files, OpenSSH Authorized Administrator Keys, OpenSSH Host DSA Key, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host RSA Key, OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2" + description: "A compound target for gathering artifacts common to servers. (by Eric Capuano): Apache Access Log, Confluence Wiki Log Files, Confluence Wiki Log Files, Exchange Setup Log file, Exchange TransportRoles log files, Exchange client access log files, FileZilla Log Files, FileZilla Server XML Log Files, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, IIS log files, MS SQL Errorlog, MS SQL Errorlogs, ManageEngine ADSelfService Plus Log Files, ManageEngine Desktop Central Log Files, NGINX Log Files, OpenSSH Authorized Administrator Keys, OpenSSH Host DSA Key, OpenSSH Host ECDSA Key, OpenSSH Host ED25519 Key, OpenSSH Host RSA Key, OpenSSH Server Config File, OpenSSH Server Logs, OpenSSH User Authorized Keys, OpenSSH User Authorized Keys 2" type: bool - name: ShareX description: "ShareX (by Andrew Rathbun): ShareX" 
@@ -790,7 +811,7 @@ parameters: description: "SumatraPDF (by Andrew Rathbun): SumatraPDF Cache, SumatraPDF Settings - SessionData" type: bool - name: SupremoRemoteDesktop - description: "Supremo Remote Desktop Control Logs (by Sandro Heckendorn): Supremo Connection Logs, Supremo File Transfer Inbox" + description: "Supremo Remote Desktop Control Logs (by epoxigen): Supremo Connection Logs, Supremo File Transfer Inbox" type: bool - name: Symantec_AV_Logs description: "Symantec AV Logs (by Brian Maloney): Application Event Log Win7+, Application Event Log Win7+, Application Event Log XP, Application Event Log XP, Symantec Endpoint Protection Logs, Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Quarantine, Symantec Endpoint Protection Quarantine (XP), Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Symantec Event Log Win7+, ccSubSDK Database, registrationInfo.xml" 
@@ -834,6 +855,9 @@ parameters: - name: TrendMicro description: "Trend Micro Data (by Drew Ervin): Trend Micro Logs, Trend Micro Security Agent Connection Logs, Trend Micro Security Agent Report Logs" type: bool + - name: UEMS + description: "UEMS Manage Engine Agent (by Abdelkarim CHORFI - CERT CWATCH - ALMOND): Unified endpoint management and security solutions from ManageEngine, Unified endpoint management and security solutions from ManageEngine" + type: bool - name: USBDetective description: "Collects files that can be input into USB Detective for parsing (by Kevin Pagano): Amcache, Amcache, Amcache transaction files, Amcache transaction files, Desktop LNK Files, Desktop LNK Files XP, Event logs Win7+, Event logs Win7+, Event logs XP, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, RegBack registry transaction files, RegBack registry transaction files, Registry.dat MSIX Hive, Restore point LNK Files XP, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), 
SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Start Menu LNK Files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), User.dat MSIX Hive, UserClasses.dat MSIX Hive, UsrClass.dat registry hive, UsrClass.dat registry transaction files" type: bool @@ -852,6 +876,9 @@ parameters: - name: UsenetClients description: "Usenet Clients (by Andrew Rathbun): Usenet Clients - NZBGet Log File, Usenet Clients - NZBGet NZBs, Usenet Clients - Newsbin Pro, Usenet Clients - Newsleecher, Usenet Clients - SABnzbd Download Logs, Usenet Clients - SABnzbd History.db" type: bool + - name: UsersFolders + description: "Users folders Dump (by Vito Alfano): Users" + type: bool - name: VIPRE description: "VIPRE Data (by Drew Ervin): VIPRE Business Agent Logs, VIPRE Business User Logs (up to v4), VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (v7+)" type: bool 
@@ -924,8 +951,11 @@ parameters: - name: WinSCP description: "WinSCP (by Andrew Rathbun): WinSCP (.ini file)" type: bool + - name: WindowsCopilotRecall + description: "Windows Copilot+ Recall (by Zach Stanford/Phill Moore): Recall folder" + type: bool - name: WindowsDefender - description: "Windows Defender Data (by Drew Ervin): DetectionHistory, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine" + description: "Windows Defender Data (by Drew Ervin): DetectionHistory, Windows Defender Detections.log, Windows Defender Event Logs, Windows Defender Event Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Logs, Windows Defender Quarantine" type: bool - name: WindowsFirewall description: "Windows Firewall Logs (by Mike Cary): Windows Firewall Logs, Windows Firewall Logs" 
@@ -1094,7 +1124,7 @@ parameters: 81,TorrentClients - BitTorrent,FileDownload,Users\*\AppData\Roaming\BitTorrent\*.dat,lazy_ntfs, 82,Bitdefender Endpoint Security Logs,Antivirus,ProgramData\Bitdefender\Endpoint Security\Logs\**10,lazy_ntfs, 83,Bitdefender Internet Security Logs,Antivirus,ProgramData\Bitdefender\Desktop\Profiles\Logs\**10,lazy_ntfs, - 84,Bitdefender SQLite DB Files,Antivirus,Program Files*\Bitdefender*\**10\regex:*.+\.(db|db-wal|db-shm),ntfs,Bitdefender SQLite databases + 84,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases 85,Box Drive Application Metadata,Apps,Users\*\AppData\Local\Box\Box\**10,lazy_ntfs, 86,Box Sync Application Metadata,Apps,Users\*\AppData\Local\Box Sync\**10,lazy_ntfs, 87,Box Drive User Files,Apps,Users\*\Box\**10,lazy_ntfs,Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network 
@@ -1128,1209 +1158,1232 @@ parameters: 115,Edge WebcacheV01.dat,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs, 116,Brave Cache Folder,Communications,Users\%users%\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data\**10,lazy_ntfs, 117,System CryptnetUrlCache,FileKnowledge,Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs, - 118,User CryptnetUrlCache,FileKnowledge,Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs, - 119,INetCache,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\**10,lazy_ntfs, - 120,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, - 121,Chrome Cookies XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs, - 122,Chrome Current Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs, - 123,Chrome Current Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, - 124,Chrome Favicons XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, - 125,Chrome History XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs, - 126,Chrome Last Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs, - 127,Chrome Last Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, - 128,Chrome Login Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs, - 129,Chrome Preferences 
XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs, - 130,Chrome Shortcuts XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, - 131,Chrome Top Sites XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, - 132,Chrome Visited Links XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, - 133,Chrome Web Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, - 134,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, - 135,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs, - 136,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs, - 137,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, - 138,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata,lazy_ntfs, - 139,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs, - 140,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, - 141,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs, - 142,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs, - 143,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, - 144,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs, - 145,Chrome Login 
Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs, - 146,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs, - 147,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs, - 148,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs, - 149,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs, - 150,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs, - 151,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs, - 152,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, - 153,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, - 154,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs, - 155,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, - 156,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, - 157,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, - 158,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption - 159,Chrome Snapshots Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #. 
- 160,Chrome Extension Files,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs, - 161,Chrome Extension Files XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs, - 162,Chrome HTML5 File System Folder,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\File System\**10,lazy_ntfs, - 163,Cisco Jabber Database,Communications,Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db,lazy_ntfs,The Cisco Jabber process needs to be killed before database can be copied. - 164,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster - 165,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster - 166,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster - 167,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs, - 168,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs\*.log*,lazy_ntfs, - 169,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs\*.log,lazy_ntfs, - 170,Cybereason Anti-Ransomware Logs,Antivirus,ProgramData\crs1\Logs\**10,lazy_ntfs, - 171,Cybereason Sensor Communications and Anti-Malware Logs,Antivirus,ProgramData\apv2\Logs\**10,lazy_ntfs, - 172,Cybereason Application Control and NGAV Logs,Antivirus,ProgramData\crb1\Logs\**10,lazy_ntfs, - 173,Cylance ProgramData Logs,Antivirus,ProgramData\Cylance\Desktop\**10,lazy_ntfs, - 174,Cylance Optics Logs,Antivirus,ProgramData\Cylance\Optics\Log\**10,lazy_ntfs, - 175,Cylance Program Files Logs,Antivirus,Program 
Files\Cylance\Desktop\log\**10,lazy_ntfs, - 176,DC++ Chat Logs,FileDownload,Users\*\AppData\Local\DC++\Logs\**10,lazy_ntfs,Locates DC++ hub/chat logs and copies them. Current as of version 0.868. - 177,DWAgent Log Files,Logs,ProgramData\DWAgent*\*.log*,lazy_ntfs, - 178,Debian WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\debian_version,lazy_ntfs, - 179,Debian WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\fstab,lazy_ntfs, - 180,Debian WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\os-release,lazy_ntfs, - 181,Debian WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\passwd,lazy_ntfs, - 182,Debian WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\group,lazy_ntfs, - 183,Debian WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\shadow,lazy_ntfs, - 184,Debian WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\timezone,lazy_ntfs, - 185,Debian WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hostname,lazy_ntfs, - 186,Debian WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hosts,lazy_ntfs, - 187,Debian WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\crontab,lazy_ntfs, - 188,Debian WSL /etc/bash.bashrc,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, - 189,Debian WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\profile,lazy_ntfs, - 190,Debian WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, - 191,Debian WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, - 192,Debian WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.profile,lazy_ntfs, - 193,Debian WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs, - 194,Debian WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs, - 195,Debian WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\ext4.vhdx,lazy_ntfs, - 196,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd,lazy_ntfs,Locates .osd file which contains names of folders that have been renamed manually by the user. - 197,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd,lazy_ntfs,Locates .osd file which contains names of files that have been renamed manually by the user. - 198,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query. 
- 199,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query. - 200,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd,lazy_ntfs,Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time. - 201,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd,lazy_ntfs,Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister. - 202,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. - 203,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. - 204,Directory Opus,Apps,Users\*\AppData\Roaming\GPSoftware\Directory Opus\Logs\*,lazy_ntfs,Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory. 
- 205,Audio files,Multimedia,**10\regex:*.+\.(3gp|aa|aac|act|aiff|alac|amr|ape|au|awb|dss|dvf|flac|gsm|iklax|ivs|m4a|m4b|m4p|mmf|mp3|mpc|msv|nmf|ogg|oga|mogg|opus|ra|rm|raw|rf64|sln|tta|voc|vox|wav|wma|wv|webm),ntfs,Covers most (if not all) audio file formats - 206,Excel and Excel-like Documents,Documents,**10\regex:*.+\.(xls|xlsx|csv|tsv|xlt|xlm|xlsm|xltx|xltm|xlsb|xla|xlam|xll|xlw|ods|fodp|qpw),ntfs,"Covers all document file formats for Excel, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more" - 207,PDF and PDF-like Documents,Documents,**10\regex:*.+\.(pdf|xps|oxps),ntfs,Covers all PDF and PDF-like document formats - 208,Picture files,Multimedia,**10\regex:*.+\.(ai|bmp|bpg|cdr|cpc|eps|exr|flif|gif|heif|ilbm|ima|jp2|j2k|jpf|jpm|jpg2|j2c|jpc|jpx|mj2jpeg|jpg|jxl|kra|ora|pcx|pgf|pgm|png|pnm|ppm|psb|psd|psp|svg|tga|tiff|webp|xaml|xcf),ntfs,Covers most (if not all) picture file formats - 209,SQLite Files (.db* and .sqlite*),Databases,**10\regex:*.+\.(db*|sqlite*|),ntfs,Covers all common file extensions for SQLite databases - 210,Video files,Multimedia,**10\regex:*.+\.(3g2|3gp|amv|asf|avi|drc|flv|f4v|f4p|f4a|f4b|gif|gifv|m4v|mkv|mov|qt|mp4|m4p|mpg|mpeg|m2v|mp2|mpe|mpv|mts|m2ts|ts|mxf|nsv|ogv|ogg|rm|rmvb|roq|svi|viv|vob|webm|wmv|yuv),ntfs,Covers most (if not all) video file formats - 211,Zips,Archives,**10\*.zip,lazy_ntfs,This is an example of how to walk a drive for a file mask. 
Probably do not want to use this one as is - 212,Word and Word-like Documents,Documents,**10\regex:*.+\.(doc|docx|docm|dotx|dotm|docb|dot|wbk|odt|fodt|rtf|wp*|tmd),ntfs,"Covers all document file formats for Word, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more" - 213,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache\**10,lazy_ntfs,Gets cached data from Discord app - 214,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb\**10,lazy_ntfs,Gets LevelDB database from Discord app - 215,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd\history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top. - 216,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom. - 217,Double Commander - FTP Log,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd*.log,lazy_ntfs,Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log. - 218,Double Commander - multiarc.ini,Apps,Users\*\AppData\Roaming\doublecmd\multiarc.ini,lazy_ntfs, - 219,Double Commander - session.ini,Apps,Users\*\AppData\Roaming\doublecmd\session.ini,lazy_ntfs, - 220,Double Commander - pixmaps.txt,Apps,Users\*\AppData\Roaming\doublecmd\pixmaps.txt,lazy_ntfs, - 221,Double Commander - shortcuts.scf,Apps,Users\*\AppData\Roaming\doublecmd\shortcuts.scf,lazy_ntfs, - 222,Drivers,Drivers,Windows\system32\drivers\**10\*.sys,lazy_ntfs, - 223,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\info.json,lazy_ntfs,Getting individual files because folder may contain very large extraneous files. 
Info.json contains user's Dropbox folder location - 224,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. - 225,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\machine_storage\tray-thumbnails.db,lazy_ntfs,SQLite database containing references to image files at one time present in a user’s Dropbox instance. - 226,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together." - 227,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption of Dropbox databases - 228,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\instance*\**10,lazy_ntfs,instance folder holds multiple SQLite databases related to Dropbox activity and contents - 229,Dropbox User Files,Apps,Users\*\Dropbox*\**10,lazy_ntfs,"Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder." - 230,EF Commander - .ini File,Apps,Users\*\AppData\Roaming\EFSoftware\*,lazy_ntfs,Locates folder where all configuration files reside - 231,ESET NOD32 AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs, - 232,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser - 233,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET Security\Logs\**10,lazy_ntfs, - 234,ESET Remote Administrator Logs,Antivirus,ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs,lazy_ntfs,Remote Administrator logs include information on tasks executed on the target. 
- 235,Local User Quarantine,Antivirus,Users\*\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs, - 236,SYSTEM user quarantine,Antivirus,\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs, - 237,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs, - 238,Edge bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, - 239,Edge Collections,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs, - 240,Edge Cookies,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\**10\Cookies*,lazy_ntfs, - 241,Edge Current Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs, - 242,Edge Current Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs, - 243,Edge Favicons,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs, - 244,Edge History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs, - 245,Edge Last Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs, - 246,Edge Last Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs, - 247,Edge Sessions Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sessions\*,lazy_ntfs, - 248,Edge Login Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs, - 249,Edge Media History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs, - 250,Edge Network Action Predictor,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs, - 251,Edge Preferences,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs, - 252,Edge 
Shortcuts,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs, - 253,Edge Top Sites,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs, - 254,Edge SyncData Database,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, - 255,Edge Bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, - 256,Edge Visited Links,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs, - 257,Edge Web Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs, - 258,Edge WebAssistDatabase,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\WebAssistDatabase*,lazy_ntfs, - 259,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline DPAPI decryption - 260,Edge Snapshots Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\**10,lazy_ntfs,"Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. 
In testing, there were 3 previous versions of Edge Chromium separated into different folders" - 261,Edge Chromium Extension Files,Communication,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\**10,lazy_ntfs, - 262,Emsisoft Scan Logs,ApplicationLogs,ProgramData\Emsisoft\Reports\scan*.txt,lazy_ntfs,Can contain file detection and quarantine info - 263,EncapsulationLogging,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs, - 264,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs, - 265,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs, - 266,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs, - 267,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\System.evtx,lazy_ntfs, - 268,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\System.evtx,lazy_ntfs, - 269,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\Security.evtx,lazy_ntfs, - 270,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Security.evtx,lazy_ntfs, - 271,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs, - 272,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs, - 273,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs, - 274,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs, - 275,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, - 276,Event logs 
Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, - 277,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, - 278,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, - 279,Event logs XP,EventLogs,Windows\System32\config\*.evt,lazy_ntfs, - 280,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\*.evtx,lazy_ntfs, - 281,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\*.evtx,lazy_ntfs, - 282,WDI Trace Logs 1,Event Trace Logs,Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs, - 283,WDI Trace Logs 1,Event Trace Logs,Windows.old\Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs, - 284,WDI Trace Logs 2,Event Trace Logs,Windows\System32\WDI\{*\**10,lazy_ntfs, - 285,WDI Trace Logs 2,Event Trace Logs,Windows.old\Windows\System32\WDI\{*\**10,lazy_ntfs, - 286,WMI Trace Logs,Event Trace Logs,Windows\System32\LogFiles\WMI\**10,lazy_ntfs, - 287,WMI Trace Logs,Event Trace Logs,Windows.old\Windows\System32\LogFiles\WMI\**10,lazy_ntfs, - 288,SleepStudy Trace Logs,Event Trace Logs,Windows\System32\SleepStudy\**10,lazy_ntfs, - 289,SleepStudy Trace Logs,Event Trace Logs,Windows.old\Windows\System32\SleepStudy\**10,lazy_ntfs, - 290,Energy-NTKL Trace Logs,Event Trace Logs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl,lazy_ntfs, - 291,Delivery Optimization Trace Logs,Event Trace Logs,Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl*,lazy_ntfs, - 292,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, - 293,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, - 294,Microsoft Office 
Diagnostic Logs,SystemEvents,Users\%User%\AppData\Local\Temp\Diagnostics\**10,lazy_ntfs, - 295,Evernote Accounts,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\.accounts,lazy_ntfs,Holds username and email of accounts - 296,Evernote Notebooks,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb,lazy_ntfs,SQLite Database of the notes - 297,Evernote Notebook Snippets,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb.snippets,lazy_ntfs,Note 'Snippets' - 298,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything\Everything.db,lazy_ntfs,Copies out Everything.db - 299,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything\Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window - 300,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything\Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps - 301,Everything (VoidTools) - .ini file,FileSystem,Users\*\AppData\Roaming\Everything\Everything.ini,lazy_ntfs,Copies out the .ini file for Everything - 302,Exchange client access log files,Logs,Program Files\Microsoft\Exchange Server\*\Logging\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration - 303,Exchange Server Modified Compiled Files,Apps,Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\**10\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled,ntfs,Highly dependent on Exchange configuration - 304,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\**10\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled,ntfs,Highly dependent on Exchange configuration - 305,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\system_web\**10\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled,ntfs,Highly dependent on Exchange configuration - 306,Exchange Server Modified Compiled Files,Apps,Program Files\Microsoft\Exchange 
Server\V15\FrontEnd\HttpProxy\owa\auth\**10\Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled,ntfs,Highly dependent on Exchange configuration - 307,Exchange TransportRoles log files,Logs,Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration - 308,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log\**10,lazy_ntfs, - 309,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log\**10,lazy_ntfs, - 310,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports\**10,lazy_ntfs, - 311,Fences - Desktop Screenshots,Apps,Users\*\AppData\Roaming\Stardock\Fences\Backups,lazy_ntfs,Locates all screenshots taken automatically by the Fences application - 312,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.xml*,lazy_ntfs, - 313,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs, - 314,FileZilla Server XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla Server\*.xml*,lazy_ntfs, - 315,FileZilla Log Files,Logs,Program Files (x86)\FileZilla Server\Logs\*.log*,lazy_ntfs, - 316,Addons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs, - 317,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs, - 318,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\**10,lazy_ntfs, - 319,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs, - 320,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs, - 321,Downloads,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs, - 322,Extensions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json,lazy_ntfs, - 
323,Favicons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs, - 324,Form history,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs, - 325,Permissions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs, - 326,Places,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs, - 327,Protections,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs, - 328,Search,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs, - 329,Signons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs, - 330,Storage Sync,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs, - 331,Webappstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs, - 332,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs, - 333,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs, - 334,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs, - 335,Preferences,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js,lazy_ntfs, - 336,Sessionstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs, - 337,Sessionstore Folder,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\**10,lazy_ntfs, - 338,Places XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs, - 339,Downloads XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs, - 340,Form history XP,Communications,Documents and Settings\*\Application 
Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs, - 341,Cookies XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs, - 342,Signons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs, - 343,Webappstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs, - 344,Favicons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs, - 345,Addons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs, - 346,Search XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs, - 347,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs, - 348,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs, - 349,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs, - 350,Sessionstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs, - 351,Free Commander - FreeCommander.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts. - 352,Free Commander - FreeCommander.ftp.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini,lazy_ntfs,Locates an .ini file that contains the file path to the FTP log for Free Commander. 
- 353,Free Commander - FreeCommander.hist.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers. - 354,Free Commander - FreeCommander.fav.xml,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml,lazy_ntfs,Locates an .xml file that contains favorited files/folder by the user. - 355,Free Commander - Backup Settings,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\**10,lazy_ntfs,"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS." - 356,Free Commander - FTP Log,Apps,Users\*\AppData\Local\Temp\fc*.log,lazy_ntfs,Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user. - 357,Free Commander - FTP Related Information,Apps,Users\*\AppData\Local\Temp\FreeCommander*\**10,lazy_ntfs,Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit. - 358,FDM Database,App,Users\*\AppData\Local\Free Download Manager\**10\fdm.sqlite,lazy_ntfs,"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. 
Will also pull fdm.sqlite in db_backup/" - 359,FDM Backup Info,App,Users\*\AppData\Local\Free Download Manager\backup\backup.info,lazy_ntfs,"Backup info file - can change backup name from userdata.zip, so could give indication of file name" - 360,FDM Database (userdata.zip),App,Users\*\AppData\Local\Free Download Manager\backup\userdata.zip,lazy_ntfs,fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file - 361,FreeFileSync,Apps,Users\*\AppData\Roaming\FreeFileSync\Logs,lazy_ntfs,Copies out all log files - 362,Freenet,File Downloads,Users\*\AppData\Local\Freenet\node*,lazy_ntfs, - 363,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.downloads,lazy_ntfs, - 364,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.uploads,lazy_ntfs, - 365,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*.bak,lazy_ntfs, - 366,Freenet,File Downloads,Users\*\AppData\Local\Freenet\downloads\**10,lazy_ntfs, - 367,FrostWire Downloads,FileDownload,Users\*\Documents\FrostWire\Torrent Data\**10,lazy_ntfs,Locates files downloaded that land in the default location as specified by FrostWire - 368,FrostWire AppData,FileDownload,Users\*\.frostwire5\frostwire.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system - 369,FrostWire AppData,FileDownload,Users\*\.frostwire5\itunes.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system - 370,Gigatribe Files Windows Vista/7/8/10,FileDownload,Users\*\AppData\Local\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them - 371,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Gigatribe\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. 
In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Gigatribe - 372,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Shalsoft - 373,Google Drive Backup and Sync User Files,Apps,Users\*\Google Drive*\**10,lazy_ntfs,Older Google Drive Backup and Sync application only - 374,Google Drive Backup and Sync Metadata,Apps,Users\*\AppData\Local\Google\Drive\**10,lazy_ntfs,Older version of Google Drive - 375,Google Drive for Desktop Metadata,Apps,Users\*\AppData\Local\Google\DriveFS\**10,lazy_ntfs,Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application - 376,Google Earth My Places file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations - 377,Google Earth My Places Backup file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations - 378,Google Earth My Places file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations - 379,Google Earth My Places Backup file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations - 380,Group Policy Files,Communication,Windows\System32\grouppolicy\**10,lazy_ntfs, - 381,Computer Group Policy files,Communication,ProgramData\Microsoft\Group Policy\History\**10,lazy_ntfs, - 382,User Group Policy files,Communication,Users\*\AppData\Local\Microsoft\Group Policy\History\**10,lazy_ntfs, - 383,Local Group Policy INI Files,Communication,Windows.old\Windows\System32\grouppolicy\*.ini,lazy_ntfs, - 384,Local Group 
Policy Files - Registry Policy Files,Communication,Windows\System32\grouppolicy\*.pol,lazy_ntfs, - 385,Local Group Policy Files - Registry Policy Files,Communication,Windows.old\Windows\System32\grouppolicy\*.pol,lazy_ntfs, - 386,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs, - 387,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows.old\Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs, - 388,HeidiSQL Backup files (*.sql),Apps,Users\*\AppData\Roaming\HeidiSQL\Backups\*,lazy_ntfs, - 389,HeidiSQL (tabs.ini),Apps,Users\*\AppData\Roaming\HeidiSQL\tabs.ini,lazy_ntfs, - 390,HexChat Chat Logs,Communications,Users\*\AppData\Roaming\HexChat\logs\**10,lazy_ntfs, - 391,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs\**10,lazy_ntfs, - 392,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs\**10,lazy_ntfs, - 393,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert\excalibur.db,lazy_ntfs,SQLite DB - 394,IIS applicationHost.config,Apps,Windows\System32\inetsrv\config\applicationHost.config,lazy_ntfs,This configuration file stores the settings for all your Web sites and applications. - 395,IIS administration.config,Apps,Windows\System32\inetsrv\config\administration.config,lazy_ntfs,This configuration file stores the settings for IIS management. - 396,IIS redirection.config,Apps,Windows\System32\inetsrv\config\redirection.config,lazy_ntfs,This configuration file contains the settings that indicate the location where the centralized configuration files are stored. - 397,web.config,Apps,inetpub\wwwroot\**10\web.config,lazy_ntfs,The web.config is a file that is read by IIS and the ASP.NET Core Module to configure an app hosted with IIS. 
- 398,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs, - 399,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs, - 400,IIS log files,Logs,inetpub\logs\LogFiles\*.log,lazy_ntfs, - 401,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*\*.log,lazy_ntfs, - 402,IIS log files,Logs,Resources\Directory\*\LogFiles\Web\W3SVC*\*.log,lazy_ntfs, - 403,IIS log files,Logs,Windows\system32\LogFiles\HTTPERR\*.log,lazy_ntfs, - 404,ISLOnline Logs - Sessions - *.out,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\ISLClient.out,lazy_ntfs,Collects client session logs for one or more sessions - 405,ISLOnline Logs - Session Configurations,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\*,lazy_ntfs,Configurations for ISL Light sessions - 406,ISL AlwaysOn Logs - Sessions List,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\session.xml,lazy_ntfs,Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access) - 407,ISL AlwaysOn Logs - Sessions,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\trace.out,lazy_ntfs,Detailed log for each session for ISL AlwaysOn (Unattended Access) - 408,ISL AlwaysOn - App Logs,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\*.out,lazy_ntfs,Application logs containg various artifacts. 
- 409,ISL Light Logs - Sessions,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light\*\trace.out,lazy_ntfs,Collects client session logs for one or more sessions - 410,ISL AlwaysOn - Email Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\status\tray,lazy_ntfs,This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access) - 411,ISL AlwaysOn - Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\StaticConfiguration.ini,lazy_ntfs,"Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)" - 412,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs\**10,lazy_ntfs, - 413,Idrive Cleanup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\**10\*,lazy_ntfs,Contains individual log files for each archive cleanup operation - 414,Idrive Backup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Backup\**10\*,lazy_ntfs,Contains individual log files for each backup operation - 415,Idrive Delete Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Delete\**10\*,lazy_ntfs,Contains individual log files for each delete operation - 416,Idrive Restore Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Restore\*,lazy_ntfs,Contains individual log files for each restore operation - 417,Idrive Backup Summary,Apps,ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\*xml,lazy_ntfs,Contains summary of each backup session - 418,Idrive Tracefile,Apps,ProgramData\IDrive\IBCOMMON\*\Tracefile.txt\Tracefile.txt,lazy_ntfs,Application log which includes error logs for failed uploads - 419,Idrive Mapped Drives,Apps,ProgramData\IDrive\IBCOMMON\IDMappedDrives.txt,lazy_ntfs,List of mapped drives for backup - 420,Idrive Backup Schedule,Apps,ProgramData\IDrive\IBCOMMON\schedule.xml,lazy_ntfs,Backup schedule configurations - 421,Idrive Schedule History,Apps,ProgramData\IDrive\IBCOMMON\Sch_Trace.txt,lazy_ntfs,History of schedule configurations - 422,Idrive 
Configuration,Apps,ProgramData\IDrive\IBCOMMON\idrive.ini,lazy_ntfs,List of Idrive configuration options - 423,Idrive Local Drives,Apps,ProgramData\IDrive\IBCOMMON\get_Alldrives.txt,lazy_ntfs,List of all local drives - 424,Idrive Exclusion Configurations,Apps,ProgramData\IDrive\IBCOMMON\Exclude*,lazy_ntfs,Files pertaining to exclusion configurations - 425,Idrive User Details,Apps,ProgramData\IDrive\IBCOMMON\AutoComp.ini,lazy_ntfs,"Idrive username, Scheduler notification emails, local username" - 426,Idrive SQL Databse,Apps,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds,lazy_ntfs,Sql database of local files that are backed up - 427,ImgBurn - Application Log File,Apps,Users\*\AppData\Roaming\ImgBurn\Log Files\ImgBurn.log,lazy_ntfs,Contains the ImgBurn application log file. - 428,Index.dat History,Communications,Documents and Settings\*\Local Settings\History\History.IE5\index.dat,lazy_ntfs, - 429,Index.dat History subdirectory,Communications,Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat,lazy_ntfs, - 430,Index.dat cookies,Communications,Documents and Settings\*\Cookies\index.dat,lazy_ntfs, - 431,Index.dat UserData,Communications,Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat,lazy_ntfs, - 432,Index.dat Office XP,Communications,Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat,lazy_ntfs, - 433,Index.dat Office,Communications,Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat,lazy_ntfs, - 434,Local Internet Explorer folder,Communications,Users\*\AppData\Local\Microsoft\Internet Explorer\**10,lazy_ntfs, - 435,Roaming Internet Explorer folder,Communications,Users\*\AppData\Roaming\Microsoft\Internet Explorer\**10,lazy_ntfs, - 436,IE 9/10 History,Communications,Users\*\AppData\Local\Microsoft\Windows\History\**10,lazy_ntfs, - 437,IE 9/10 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\Cookies\**10,lazy_ntfs, - 438,IE 9/10 Download 
History,Communications,Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\**10,lazy_ntfs, - 439,IE 11 Metadata,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs, - 440,IE 11 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCookies\**10,lazy_ntfs, - 441,IrfanView Configuration File,FileKnowledge,Users\*\AppData\Roaming\IrfanView\i_view32.ini,lazy_ntfs, - 442,JDownloader 2.0 Download Lists,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more" - 443,JDownloader 2.0 Link Collector,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more" - 444,JDownloader 2.0 General Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder. - 445,JDownloader 2.0 Link Grabber Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder. 
- 446,JDownloader 2.0 Proxy Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0 - 447,Java WebStart Cache User Level - Default,Communication,Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 448,Java WebStart Cache User Level - IE Protected Mode,Communication,Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 449,Java WebStart Cache System level,Communication,Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 450,Java WebStart Cache System level,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 451,Java WebStart Cache System level - IE Protected Mode,Communication,Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 452,Java WebStart Cache System level - IE Protected Mode,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 453,Java WebStart Cache System level (SysWow64),Communication,Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 454,Java WebStart Cache System level (SysWow64),Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 455,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 456,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 457,Java WebStart Cache User Level - XP,Communications,Documents and Settings\*\Application 
Data\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs, - 458,Kali WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\debian_version,lazy_ntfs, - 459,Kali WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\fstab,lazy_ntfs, - 460,Kali WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\os-release,lazy_ntfs, - 461,Kali WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\passwd,lazy_ntfs, - 462,Kali WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\group,lazy_ntfs, - 463,Kali WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\shadow,lazy_ntfs, - 464,Kali WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\timezone,lazy_ntfs, - 465,Kali WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hostname,lazy_ntfs, - 466,Kali WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hosts,lazy_ntfs, - 467,Kali WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\crontab,lazy_ntfs, - 468,Kali WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, - 469,Kali WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\profile,lazy_ntfs, - 470,Kali WSL .bash_history,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, - 471,Kali WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, - 472,Kali WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.profile,lazy_ntfs, - 473,Kali WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs, - 474,Kali WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs, - 475,Kali WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\ext4.vhdx,lazy_ntfs, - 476,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - 477,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - 478,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - 479,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - 480,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*\agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - 481,Kaseya Setup 
Log,ApplicationLogs,Users\*\AppData\Local\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448 - 482,Kaseya Setup Log,ApplicationLogs,Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448 - 483,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448 - 484,Kaseya Agent Edge Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\KaseyaEdgeServices\**10,lazy_ntfs,https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident - 485,Keepass User Config,App,Users\*\AppData\Roaming\KeePass\*.xml,lazy_ntfs,Collecting Keepass User Configuration File - 486,Keepass Config Xml,App,Program Files\KeePass Password Safe*\*.xml,lazy_ntfs,Collecting Keepass Configuration File - 487,Keepass Application Details,App,Program Files\KeePass Password Safe*\*.config,lazy_ntfs,Collecting Keepass Application Details - 488,Keepass Local Ini,App,Users\*\AppData\Local\KeePassXC\*.ini,lazy_ntfs, - 489,Keepass Roaming Ini,App,Users\*\AppData\Roaming\KeePassXC\*.ini,lazy_ntfs, - 490,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,Also includes automatic and custom jumplist directories - 491,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs, - 492,Start Menu LNK Files,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs, - 493,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent\**10,lazy_ntfs, - 494,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop\*.LNK,lazy_ntfs, - 495,Desktop LNK Files,LNKFiles,Users\*\Desktop\*.LNK,lazy_ntfs, - 496,Restore point LNK Files XP,LNKFiles,System Volume Information\_restore*\RP*\*.LNK,lazy_ntfs, - 497,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs, - 498,Level RMM Client 
Application logs,ApplicationLogs,Program Files\Level\*.log,lazy_ntfs,Contains Application Log entries such as service start and incoming connections. - 499,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history,lazy_ntfs, - 500,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout,lazy_ntfs, - 501,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc,lazy_ntfs, - 502,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile,lazy_ntfs, - 503,User Files - Desktop,LiveUserFiles,Users\*\Desktop\**10,lazy_ntfs, - 504,User Files - Documents,LiveUserFiles,Users\*\Documents\**10,lazy_ntfs, - 505,User Files - Downloads,LiveUserFiles,Users\*\Downloads\**10,lazy_ntfs, - 506,User Files - Dropbox,LiveUserFiles,Users\*\Dropbox*\**10,lazy_ntfs, - 507,LogFiles,Logs,Windows\System32\LogFiles\**10,lazy_ntfs, - 508,LogFiles,Logs,Windows.old\Windows\System32\LogFiles\**10,lazy_ntfs, - 509,Error logging,Misc,windows\PFRO.log,lazy_ntfs, - 510,LogMeIn ProgramData Logs,ApplicationLogs,ProgramData\LogMeIn\Logs\**10,lazy_ntfs, - 511,LogMeIn Application Logs,ApplicationLogs,Users\*\AppData\Local\temp\LogMeInLogs\**10,lazy_ntfs,"Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs" - 512,MOF files,WMI,**10\*.MOF,lazy_ntfs, - 513,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG,lazy_ntfs, - 514,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*,lazy_ntfs, - 515,Macrium Reflect,Apps,ProgramData\Macrium\Macrium Service\*,lazy_ntfs,Copies out all log files - 516,Macrium Reflect,Apps,ProgramData\Macrium\Reflect\*,lazy_ntfs,Copies out the Reflect folder which contains many important logs - 517,Macrium Reflect,Apps,ProgramData\Macrium\Reflect Launcher,lazy_ntfs,Copies out the Reflect folder which contains many 
important logs - 518,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml,lazy_ntfs, - 519,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log*,lazy_ntfs, - 520,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\**10,lazy_ntfs, - 521,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults\**10,lazy_ntfs, - 522,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs\**10,lazy_ntfs, - 523,ManageEngine ADSelfService Plus Log Files,Logs,ManageEngine\ADSelfService Plus\logs\**10,lazy_ntfs, - 524,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB\**10,lazy_ntfs,Locates Mattermost logs and copies them - 525,McAfee Desktop Protection Logs XP,Antivirus,Users\All Users\Application Data\McAfee\DesktopProtection\**10,lazy_ntfs, - 526,McAfee Desktop Protection Logs,Antivirus,ProgramData\McAfee\DesktopProtection\**10,lazy_ntfs, - 527,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs, - 528,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs_Old\**10,lazy_ntfs, - 529,McAfee VirusScan Logs,Antivirus,ProgramData\Mcafee\VirusScan\**10,lazy_ntfs, - 530,McAfee ePO Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs, - 531,MediaMonkey - Media SQLite Database,Apps,Users\*\AppData\Roaming\MediaMonkey\MM.DB,lazy_ntfs,Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey - 532,MediaMonkey - MediaMonkey.ini,Apps,Users\*\AppData\Roaming\MediaMonkey\MediaMonkey.ini,lazy_ntfs,Locates .ini file which contains information about the user's MediaMonkey application instance - 533,MegaSync Folder,ApplicationLogs,Users\*\AppData\Local\Mega Limited\MEGAsync\**10,lazy_ntfs, - 
534,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs, - 535,pagefile.sys,Memory,pagefile.sys,lazy_ntfs, - 536,swapfile.sys,Memory,swapfile.sys,lazy_ntfs, - 537,Small Memory Dump directory,Memory,Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump - 538,Small Memory Dump directory,Memory,Windows.old\Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump - 539,Microsoft Office Backstage,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\BackstageinAppNavCache\**10,lazy_ntfs, - 540,Microsoft OneNote - FullTextSearchIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content - 541,Microsoft OneNote - RecentNotebooks_SeenURLs,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks - 542,Microsoft OneNote - AccessibilityCheckerIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history - 543,Microsoft OneNote - User NoteTags,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide - 544,Microsoft OneNote - RecentSearches,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote - 545,"Microsoft Sticky Notes - 
Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes\StickyNotes.snt,lazy_ntfs, - 546,Microsoft Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs, - 547,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\**10,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more" - 548,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\**10,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more" - 549,Microsoft Teams Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Cache\**10,lazy_ntfs,Chromium cache which can be viewed with Nirsoft's ChromeCacheView - 550,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams\desktop-config.json,lazy_ntfs,JSON config file for Teams - 551,Microsoft Teams Logs (Windows 11),Apps,Users\%User%\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs,lazy_ntfs,Lots of log files for MS Teams - 552,Microsoft To Do - SQLite Database of To Do tasks,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs, - 553,Microsoft To Do - User Avatar,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\UserAvatar.jpg,lazy_ntfs, - 554,Midnight Commander -- All Configuation Files,Apps,Users\*\Midnight Commander\*,lazy_ntfs,Locates folder where all configuration files reside - 555,Multi Commander - Application Folder,Apps,Users\*\AppData\Local\MultiCommander*\**10,lazy_ntfs,Locates the contents of the Application folder. 
- 556,Multi Commander - Config Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Config\**10,lazy_ntfs,Locates the contents of the Config folder.
- 557,Multi Commander - Log Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Logs\**10,lazy_ntfs,Locates log file(s) related to user activity within Multi Commander.
- 558,Multi Commander - UserData Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\UserData\**10,lazy_ntfs,Locates the contents of the UserData folder.
- 559,Multi Commander - Log File,Apps,Users\*\AppData\Roaming\MultiCommander*\**10\*MultiCommander.log,lazy_ntfs,Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.
- 560,.NET CLR UsageLogs (user-scoped),.NET CLR UsageLogs,Users\*\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
- 561,.NET CLR UsageLogs (system-scoped),.NET CLR UsageLogs,Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
- 562,NGINX Log Files,Logs,nginx\logs\*.log,lazy_ntfs,
- 563,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet\nzbget.log,lazy_ntfs,Locates NZBGet download log file
- 564,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\*,lazy_ntfs,Locates NZBGet NZB files that were used by the user
- 565,Nessus Logs,Nessus,ProgramData\Tenable\Nessus\conf\**10,lazy_ntfs,
- 566,Nessus Logs,Nessus Logs,ProgramData\Tenable\Nessus\nessus\logs\**10,lazy_ntfs,
- 567,Net Monitor Server Logs,ApplicationLogs,ProgramData\Net Monitor for Employees Pro\log\*\**10,lazy_ntfs,Contains Net Monitor server logs
- 568,Net Monitor Server Data,Communication,ProgramData\Net Monitor for Employees Pro\data\**10,lazy_ntfs,Contains Net Monitor server data - Indicates what have been seen as the attacker
- 569,Net Monitor Server Config,Apps,ProgramData\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor server config
- 570,Net Monitor Server Temp Folder,Apps,ProgramData\Net Monitor for Employees Pro\tmp\**10,lazy_ntfs,
- 571,Net Monitor Client Logs,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\log\**10,lazy_ntfs,Contains Net Monitor client logs
- 572,Net Monitor Client Config,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor client config
- 573,Usenet Clients - Newsbin Pro,FileDownload,Users\*\AppData\Local\Newsbin\Downloaded.db3,lazy_ntfs,Locates Newsbin Pro download log database
- 574,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher\downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file
- 575,Nicotine++ Logs,FileDownload,Users\%User%\AppData\Roaming\nicotine\logs\**10,lazy_ntfs,"Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)"
- 576,Nicotine++ Incomplete Downloads,FileDownload,Users\%User%\AppData\Roaming\nicotine\incomplete\**10,lazy_ntfs,Locates files that did not finish downloading
- 577,Nicotine++ Buddyfiles.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddyfiles.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
- 578,Nicotine++ Buddystreams.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddystreams.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
- 579,Nicotine++ Buddymtimes.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddymtimes.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a folder level"
- 580,Nicotine++ Buddyfileindex.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddyfileindex.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a file level"
- 581,Nicotine++ Buddywordindex.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddywordindex.db\**10,lazy_ntfs,Unknown what this is for at this time
- 582,Nicotine++ Config Files,FileDownload,Users\%User%\AppData\Roaming\nicotine\config\**10,lazy_ntfs,Locates config files
- 583,Nicotine++ User Shares,FileDownload,Users\%User%\AppData\Roaming\nicotine\usershares\**10,lazy_ntfs,Locates a DB that appears to store a list of files per user that they are sharing within Nicotine++. Note: this requires the user to right-click -> browse files shared by that user
- 584,Nicotine++ Downloads.json,FileDownload,Users\%User%\AppData\Roaming\nicotine\downloads.json*,lazy_ntfs,Locates downloads.json
- 585,Nicotine++ Uploads.json,FileDownload,Users\%User%\AppData\Roaming\nicotine\uploads.json*,lazy_ntfs,Locates uploads.json
- 586,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup\**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
- 587,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++\config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
- 588,Notepad++ Session,Text Editor,Users\*\AppData\Roaming\Notepad++\session.xml,lazy_ntfs,Retrieves session.xml which contains session date
- 589,Notepad Session Files,Windows Notepad,Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\*.bin,lazy_ntfs,Contains .bin files which consist of the files opened in each tab in Windows Notepad
- 590,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,"Local storage file containing all pages, databases, users, etc."
- 591,Notion Custom Dictionary,App,Users\*\AppData\Roaming\Notion\Partitions\notion\Custom Dictionary.txt,lazy_ntfs,
- 592,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\**10,lazy_ntfs,
- 593,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\**10,lazy_ntfs,
- 594,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint\**10,lazy_ntfs,
- 595,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\**10,lazy_ntfs,
- 596,Office Diagnostics,Execution,Users\*\AppData\Local\Diagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
- 597,Office Elevated Diagnostics,Execution,Users\*\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
- 598,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\**10,lazy_ntfs,
- 599,One Commander - All Configuration Files,Apps,Users\*\OneCommander\*,lazy_ntfs,Locates folder where all configuration files reside
- 600,One Commander - Other Configuration Files,Apps,Users\*\AppData\Local\Apps\2.0\*\*\onec*\**10,lazy_ntfs,Locates folder where all configuration files reside
- 601,OneDrive Metadata Logs,Apps,Users\*\AppData\Local\Microsoft\OneDrive\logs\**10,lazy_ntfs,
- 602,OneDrive Metadata Settings,Apps,Users\*\AppData\Local\Microsoft\OneDrive\settings\**10,lazy_ntfs,
- 603,OneDrive User Files,Apps,Users\*\OneDrive*\**10,lazy_ntfs,Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network.
- 604,OpenSSH Config File,Apps,Users\*\.ssh\config,lazy_ntfs,"Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server"
- 605,OpenSSH Known Hosts,Apps,Users\*\.ssh\known_hosts,lazy_ntfs,"Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints"
- 606,OpenSSH Public Keys,Apps,Users\*\.ssh\*.pub,lazy_ntfs,"Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same."
- 607,OpenSSH Default RSA Private Key,Apps,Users\*\.ssh\id_rsa,lazy_ntfs,Default name for an auto-generated SSH RSA private key
- 608,OpenSSH Default ECDSA Private Key,Apps,Users\*\.ssh\id_ecdsa,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key
- 609,OpenSSH Default ECDSA-SK Private Key,Apps,Users\*\.ssh\id_ecdsa_sk,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key using a Security Key
- 610,OpenSSH Default ED25519 Private Key,Apps,Users\*\.ssh\id_ed25519,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key
- 611,OpenSSH Default ED25519-SK Private Key,Apps,Users\*\.ssh\id_ed25519_sk,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key using a Security Key
- 612,OpenSSH Default DSA Private Key,Apps,Users\*\.ssh\id_dsa,lazy_ntfs,Default name for an auto-generated SSH DSA private key
- 613,OpenSSH Server Config File,Apps,ProgramData\ssh\sshd_config,lazy_ntfs,Config file can hold information on allowed/denied users
- 614,OpenSSH Server Logs,Apps,ProgramData\ssh\logs\*,lazy_ntfs,OpenSSH server logs
- 615,OpenSSH Host ECDSA Key,Apps,ProgramData\ssh\ssh_host_ecdsa_key,lazy_ntfs,Retrieves the host ECDSA key
- 616,OpenSSH Host ED25519 Key,Apps,ProgramData\ssh\ssh_host_ed25519_key,lazy_ntfs,Retrieves the host ED25519 key
- 617,OpenSSH Host DSA Key,Apps,ProgramData\ssh\ssh_host_dsa_key,lazy_ntfs,Retrieves the host DSA key
- 618,OpenSSH Host RSA Key,Apps,ProgramData\ssh\ssh_host_rsa_key,lazy_ntfs,Retrieves the host RSA key
- 619,OpenSSH User Authorized Keys,Apps,Users\*\.ssh\authorized_keys,lazy_ntfs,Retrieves the user's authorised public keys
- 620,OpenSSH User Authorized Keys 2,Apps,Users\*\.ssh\authorized_keys2,lazy_ntfs,Retrieves the user's authorised public keys from the second file
- 621,OpenSSH Authorized Administrator Keys,Apps,ProgramData\ssh\administrators_authorized_keys,lazy_ntfs,Retrieves the administrator group's authorised public keys
- 622,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
- 623,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
- 624,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log\*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
- 625,Opera - Local Folder,Communications,Users\*\AppData\Local\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Local folder
- 626,Opera - Roaming Folder,Communications,Users\*\AppData\Roaming\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Roaming folder
- 627,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst,lazy_ntfs,
- 628,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost,lazy_ntfs,
- 629,PST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.pst,lazy_ntfs,
- 630,OST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.ost,lazy_ntfs,
- 631,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.pst,lazy_ntfs,"Outlook Data File: POP accounts, archives, older installations"
- 632,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.ost,lazy_ntfs,"Offline Outlook Data File: M365, Exchange, IMAP"
- 633,NST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.nst,lazy_ntfs,Outlook Group Storage File: Group conversations and calendar
- 634,Outlook Attachment Temporary Storage,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\**10,lazy_ntfs,Outlook temporary storage folder for user attachments
- 635,PeaZip Configuration Files,FileKnowledge,Users\*\AppData\Roaming\PeaZip\**10,lazy_ntfs,
- 636,Perflogs,Application,PerfLogs\**10,lazy_ntfs,
- 637,PowerShell 7 Config JSON,PowerShell,Program Files\PowerShell\7\powershell.config.json,lazy_ntfs,
- 638,PowerShell Console Log,PowerShellConsoleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*_history.txt,lazy_ntfs,
- 639,PowerShell Transcripts - Default Location,PowerShellTranscripts,Users\*\Documents\20*\PowerShell_transcript.*.txt,lazy_ntfs,
- 640,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\SysWOW64\*\PowerShell_transcript.*.txt,lazy_ntfs,
- 641,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Program Files\Amazon\Ec2ConfigService\Scripts\*\PowerShell_transcript.*.txt,lazy_ntfs,
- 642,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\System32\*\PowerShell_transcript.*.txt,lazy_ntfs,
- 643,Prefetch,Prefetch,Windows\prefetch\*.pf,lazy_ntfs,
- 644,Prefetch,Prefetch,Windows.old\Windows\prefetch\*.pf,lazy_ntfs,
- 645,ProgramData,Application Data,ProgramData\**10,lazy_ntfs,
- 646,ProtonVPN - Connection Logs,ApplicationLogs,Users\*\AppData\Local\ProtonVPN\Logs,lazy_ntfs,Locates ProtonVPN connection logs.
- 647,Puffin - data.db,Communications,Users\*\AppData\Local\PuffinSecureBrowser\data.db,lazy_ntfs,Grabs an important database file that contains browser history
- 648,Puffin - Autocomplete Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\autocompletes.dat,lazy_ntfs,Grabs a file that stores autocomplete data
- 649,Puffin - Password Forms Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\passwordForms.dat,lazy_ntfs,Grabs a file that stores some saved password data
- 650,Puffin - Password (Encrypted),Communications,Users\*\AppData\Local\PuffinSecureBrowser\credential.dat,lazy_ntfs,Grabs a file that stores passwords in an encrypted format
- 651,Puffin - Subscription Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\subscription,lazy_ntfs,Grabs a file that stores the user's email address that's associated with their Puffin subscription
- 652,Puffin - Cookies,Communications,Users\*\AppData\Local\PuffinSecureBrowser\cookies.dat,lazy_ntfs,Grabs a file that stores information related to cookies
- 653,Puffin - Image Cache,Communications,Users\*\AppData\Local\PuffinSecureBrowser\image_cache\**10,lazy_ntfs,Grabs a directory that caches images from websites visited
- 654,WNS,WNS,Users\%user\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
- 655,WNS,WNS,Users\%user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
- 656,Q-Dir - .ini File,Apps,Users\*\AppData\Roaming\Q-Dir\Q-Dir.ini,lazy_ntfs,Locates .ini file associated with Q-Dir which stores useful user activity information.
- 657,Q-Dir - .qdr file,Apps,Users\*\AppData\Roaming\Q-Dir\start.qdr,lazy_ntfs,"Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately)."
- 658,QFinderPro,Apps,Users\*\AppData\Local\QNAP\QfinderPro,lazy_ntfs,Locates a JSON file that provides network location information for any QNAP connected devices.
- 659,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
- 660,Windows.old RDP Cache Files,FileSystem,Windows.old\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
- 661,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs,
- 662,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
- 663,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs,
- 664,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
- 665,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs,
- 666,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
- 667,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs,
- 668,RDPCoreTS Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
- 669,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP
- 670,Radmin Server 32bit Log,ApplicationLogs,Windows\SysWOW64\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
- 671,Radmin Server 64bit Log,ApplicationLogs,Windows\System32\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
- 672,Radmin Server 32bit Chats,ApplicationLogs,Windows\SysWOW64\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
- 673,Radmin Server 64bit Chats,ApplicationLogs,Windows\System32\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs
- 674,Radmin Viewer Chats,ApplicationLogs,Users\*\Documents\ChatLogs\*\*.htm,lazy_ntfs,Previous chat logs
- 675,Rclone Config,Apps,**10\rclone.conf,lazy_ntfs,
- 676,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
- 677,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs,
- 678,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$R*,lazy_ntfs,
- 679,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\*\$R*\**10,lazy_ntfs,
- 680,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\D*,lazy_ntfs,
- 681,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$I*,lazy_ntfs,
- 682,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\INFO2,lazy_ntfs,
- 683,Registry.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\Registry.dat*,lazy_ntfs,
- 684,User.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\User.dat*,lazy_ntfs,
- 685,UserClasses.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\UserClasses.dat*,lazy_ntfs,
- 686,BBI registry hive,Registry,Windows\System32\config\BBI,lazy_ntfs,
- 687,BBI registry hive,Registry,Windows.old\Windows\System32\config\BBI,lazy_ntfs,
- 688,BBI registry transaction files,Registry,Windows\System32\config\BBI.LOG*,lazy_ntfs,
- 689,BBI registry transaction files,Registry,Windows.old\System32\config\BBI.LOG*,lazy_ntfs,
- 690,BCD-Template registry hive,Registry,Windows\System32\config\BCD-Template,lazy_ntfs,
- 691,BCD-Template registry hive,Registry,Windows.old\Windows\System32\config\BCD-Template,lazy_ntfs,
- 692,BCD-Template registry transaction files,Registry,Windows\System32\config\BCD-Template.LOG*,lazy_ntfs,
- 693,BCD-Template registry transaction files,Registry,Windows.old\System32\config\BCD-Template.LOG*,lazy_ntfs,
- 694,COMPONENTS registry hive,Registry,Windows\System32\config\COMPONENTS,lazy_ntfs,
- 695,COMPONENTS registry hive,Registry,Windows.old\Windows\System32\config\COMPONENTS,lazy_ntfs,
- 696,COMPONENTS registry transaction files,Registry,Windows\System32\config\COMPONENTS.LOG*,lazy_ntfs,
- 697,COMPONENTS registry transaction files,Registry,Windows.old\System32\config\COMPONENTS.LOG*,lazy_ntfs,
- 698,DRIVERS registry hive,Registry,Windows\System32\config\DRIVERS,lazy_ntfs,
- 699,DRIVERS registry hive,Registry,Windows.old\Windows\System32\config\DRIVERS,lazy_ntfs,
- 700,DRIVERS registry transaction files,Registry,Windows\System32\config\DRIVERS.LOG*,lazy_ntfs,
- 701,DRIVERS registry transaction files,Registry,Windows.old\System32\config\DRIVERS.LOG*,lazy_ntfs,
- 702,ELAM registry hive,Registry,Windows\System32\config\ELAM,lazy_ntfs,
- 703,ELAM registry hive,Registry,Windows.old\Windows\System32\config\ELAM,lazy_ntfs,
- 704,ELAM registry transaction files,Registry,Windows\System32\config\ELAM.LOG*,lazy_ntfs,
- 705,ELAM registry transaction files,Registry,Windows.old\System32\config\ELAM.LOG*,lazy_ntfs,
- 706,userdiff registry hive,Registry,Windows\System32\config\userdiff,lazy_ntfs,
- 707,userdiff registry hive,Registry,Windows.old\Windows\System32\config\userdiff,lazy_ntfs,
- 708,userdiff registry transaction files,Registry,Windows\System32\config\userdiff.LOG*,lazy_ntfs,
- 709,userdiff registry transaction files,Registry,Windows.old\System32\config\userdiff.LOG*,lazy_ntfs,
- 710,VSMIDK registry hive,Registry,Windows\System32\config\VSMIDK,lazy_ntfs,
- 711,VSMIDK registry hive,Registry,Windows.old\Windows\System32\config\VSMIDK,lazy_ntfs,
- 712,VSMIDK registry transaction files,Registry,Windows\System32\config\VSMIDK.LOG*,lazy_ntfs,
- 713,VSMIDK registry transaction files,Registry,Windows.old\System32\config\VSMIDK.LOG*,lazy_ntfs,
- 714,SAM registry transaction files,Registry,Windows\System32\config\SAM.LOG*,lazy_ntfs,
- 715,SAM registry transaction files,Registry,Windows.old\Windows\System32\config\SAM.LOG*,lazy_ntfs,
- 716,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
- 717,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs,
- 718,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
- 719,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
- 720,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
- 721,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs,
- 722,SAM registry hive,Registry,Windows\System32\config\SAM,lazy_ntfs,
- 723,SAM registry hive,Registry,Windows.old\Windows\System32\config\SAM,lazy_ntfs,
- 724,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs,
- 725,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs,
- 726,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
- 727,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
- 728,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs,
- 729,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs,
- 730,RegBack registry transaction files,Registry,Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
- 731,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack\*.LOG*,lazy_ntfs,
- 732,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SAM,lazy_ntfs,
- 733,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SAM,lazy_ntfs,
- 734,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
- 735,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs,
- 736,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
- 737,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs,
- 738,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
- 739,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs,
- 740,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
- 741,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs,
- 742,System Profile registry hive,Registry,Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
- 743,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs,
- 744,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
- 745,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs,
- 746,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
- 747,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs,
- 748,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
- 749,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs,
- 750,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
- 751,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs,
- 752,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
- 753,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs,
- 754,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*,lazy_ntfs,
- 755,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*\NTUSER.DAT,lazy_ntfs,
- 756,NTUSER.DAT registry hive,Registry,Users\*\NTUSER.DAT,lazy_ntfs,
- 757,NTUSER.DAT registry transaction files,Registry,Users\*\NTUSER.DAT.LOG*,lazy_ntfs,
- 758,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config\DEFAULT,lazy_ntfs,
- 759,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config\DEFAULT,lazy_ntfs,
- 760,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
- 761,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config\DEFAULT.LOG*,lazy_ntfs,
- 762,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat,lazy_ntfs,
- 763,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*,lazy_ntfs,
- 764,RemoteUtilities Connection Logs,Remote Access,Program Files*\Remote Utilities - Host\Logs\rut_log_*.html,lazy_ntfs,Includes connection log files
- 765,RemoteUtilities Install Log,Remote Access,ProgramData\Remote Utilities\install.log,lazy_ntfs,Includes Install log file
- 766,NTUSER.DAT registry hive,Registry,**10\NTUSER.DAT,lazy_ntfs,
- 767,NTUSER.DAT registry transaction files,Registry,**10\NTUSER.DAT.LOG*,lazy_ntfs,
- 768,NTUSER.DAT DEFAULT registry hive,Registry,**10\DEFAULT,lazy_ntfs,
- 769,NTUSER.DAT DEFAULT transaction files,Registry,**10\DEFAULT.LOG*,lazy_ntfs,
- 770,UsrClass.dat registry hive,Registry,**10\UsrClass.dat,lazy_ntfs,
- 771,UsrClass.dat registry transaction files,Registry,**10\UsrClass.dat.LOG*,lazy_ntfs,
- 772,LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
- 773,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
- 774,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\*,lazy_ntfs,
- 775,PowerPoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\PowerPoint\*,lazy_ntfs,
- 776,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\*,lazy_ntfs,
- 777,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs,
- 778,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
- 779,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs,
- 780,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
- 781,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
- 782,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
- 783,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs,
- 784,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
- 785,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
- 786,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
- 787,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
- 788,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
- 789,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
- 790,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
- 791,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
- 792,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
- 793,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
- 794,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
- 795,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
- 796,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
- 797,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
- 798,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
- 799,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
- 800,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
- 801,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs,
- 802,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
- 803,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
- 804,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
- 805,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
- 806,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
- 807,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
- 808,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
- 809,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
- 810,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
- 811,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
- 812,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
- 813,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
- 814,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
- 815,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
- 816,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
- 817,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
- 818,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
- 819,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
- 820,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
- 821,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
- 822,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
- 823,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
- 824,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
- 825,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
- 826,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
- 827,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
- 828,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
- 829,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption
- 830,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
- 831,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs,
- 832,Amcache,ApplicationCompatibility,**10\Amcache.hve,lazy_ntfs,
- 833,Amcache transaction files,ApplicationCompatibility,**10\Amcache.hve.LOG*,lazy_ntfs,
- 834,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
- 835,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,
- 836,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
- 837,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
- 838,Desktop LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs,
- 839,Robo-FTP User Scripts,Apps,Program Files\Robo-FTP 3.12\UserData\*\Scripts\*.s,lazy_ntfs,Custom scripts created by each user
- 840,Robo-FTP User Debug Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Debug\*.log,lazy_ntfs,"Debug logs generated for each user, if enabled"
- 841,Robo-FTP User Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Logs\*,lazy_ntfs,Script and Trace logs generated for each user
- 842,Robo-FTP User XML Config,Apps,Program Files\Robo-FTP 3.12\UserData\*\config.xml,lazy_ntfs,Config.xml unique to each user. Contains list of custom scripts and ftp sites
- 843,Robo-FTP User SSH Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\*,lazy_ntfs,Saved SSH keys for each user
- 844,Robo-FTP User SSL Certificates,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\*,lazy_ntfs,Saved SSL Certificates for each user
- 845,Robo-FTP User PGP Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\*,lazy_ntfs,Saved PGP Keys for each user
- 846,Robo-FTP SSH Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\*,lazy_ntfs,Shared SSH keys
- 847,Robo-FTP SSL Certificates,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\*,lazy_ntfs,Shared SSL Certificates
- 848,Robo-FTP PGP Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\*,lazy_ntfs,Shared PGP Keys
- 849,Robo-FTP Debug Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Debug\*,lazy_ntfs,Debug logs generated by Robo-FTP
- 850,Robo-FTP Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Logs\*,lazy_ntfs,Script and Trace logs generated by Robo-FTP
- 851,Robo-FTP XML Config,Apps,Program Files\Robo-FTP 3.12\ProgramData\config.xml,lazy_ntfs,Config.xml. Contains list of custom scripts and ftp sites
- 852,Robo-FTP Jobs,Apps,Program Files\Robo-FTP 3.12\ProgramData\SchedulerService.sqlite,lazy_ntfs,Contains details of scheduled jobs
- 853,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs\AdliceReport_*.json,lazy_ntfs,
- 854,RustDesk logs,Communications,Users\*\AppData\Roaming\RustDesk\*,lazy_ntfs,Collects all log files related to RustDesk
- 855,RustDesk logs,Communications,Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server,lazy_ntfs,Collects all log files related to RustDesk
- 856,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs\sabnzbd.log,lazy_ntfs,Locates SABnzbd download log
- 857,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin\history1.db,lazy_ntfs,Locates SABnzbd history log
- 858,SCCM Client Log Files,Logs,Windows\CCM\Logs,lazy_ntfs,
- 859,SDB Files,Executables,Windows\apppatch\Custom\*.sdb,lazy_ntfs,
- 860,SDB Files,Executables,Windows.old\Windows\apppatch\Custom\*.sdb,lazy_ntfs,
- 861,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
- 862,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs,
- 863,4K Video Downloader,SQLDatabases,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history
- 864,Microsoft OneNote - FullTextSearchIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
- 865,Microsoft OneNote - RecentNotebooks_SeenURLs,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
- 866,Microsoft OneNote - AccessibilityCheckerIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
- 867,Microsoft OneNote - User NoteTags,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
- 868,Microsoft OneNote - RecentSearches,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
- 869,Microsoft Sticky Notes - 1607 and later,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
- 870,Microsoft To Do - SQLite Database of To Do tasks,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
- 871,Robo-FTP Jobs,Apps,Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite,lazy_ntfs,
- 872,TeraCopy - History Databases,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\History\*.db,lazy_ntfs,
- 873,TeraCopy - Main Database,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\main.db,lazy_ntfs,
- 874,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,
- 875,IDrive Backed Up Files,App,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs,lazy_ntfs,
- 876,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\filecache.db*,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
- 877,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\config.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files
- 878,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\home.db,lazy_ntfs,SQlite database which appears to keep track of the user's recent Dropbox activity
- 879,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\icon.db,lazy_ntfs,SQLite database which appears to keep track of icons in the user's Drobox sync history which can give an indication as to which files and folders are present
- 880,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync_history.db,lazy_ntfs,SQLite database which appears to keep track of the user's Drobox sync history
- 881,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*,lazy_ntfs,SQLite database which appears to contain a table for deleted files
- 882,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
- 883,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
- 884,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\aggregation.dbx,lazy_ntfs,SQLite database which appears to contain snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch - 885,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed - 886,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed - 887,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db,lazy_ntfs,Windows_GoogleDrive_CloudGraphDB.smap - 888,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\TempData\*\change_buffer\**10,lazy_ntfs,DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive - 889,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\snapshot.db,lazy_ntfs,Windows_GoogleDrive_SnapshotDB.smap - 890,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\sync_config.db,lazy_ntfs,Windows_GoogleDrive_SyncConfigDB.smap - 891,FileZilla SQLite3 Log Files,SQLDatabases,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs, - 892,Chrome bookmarks XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, - 893,Chrome Cookies XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs, - 894,Chrome Current Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs, - 895,Chrome Current Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, - 
896,Chrome Favicons XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, - 897,Chrome History XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs, - 898,Chrome Last Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs, - 899,Chrome Last Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, - 900,Chrome Login Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs, - 901,Chrome Preferences XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs, - 902,Chrome Shortcuts XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, - 903,Chrome Top Sites XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, - 904,Chrome Visited Links XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, - 905,Chrome Web Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, - 906,Chrome bookmarks,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, - 907,Chrome Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*,lazy_ntfs, - 908,Chrome Current Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs, - 909,Chrome Current Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, - 910,Chrome Download Metadata,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Download 
Metadata,lazy_ntfs, - 911,Chrome Extension Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs, - 912,Chrome Favicons,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, - 913,Chrome History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs, - 914,Chrome Last Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs, - 915,Chrome Last Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, - 916,Chrome Login Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs, - 917,Chrome Media History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs, - 918,Chrome Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs, - 919,Chrome Network Persistent State,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs, - 920,Chrome Preferences,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs, - 921,Chrome Quota Manager,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs, - 922,Chrome Reporting and NEL,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs, - 923,Chrome Shortcuts,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, - 924,Chrome Top Sites,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, - 925,Chrome Trust Tokens,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs, - 926,Chrome SyncData Database,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, - 927,Chrome Visited Links,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, - 928,Chrome Web 
Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, - 929,Edge bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, - 930,Edge Collections,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs, - 931,Edge Cookies,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cookies*,lazy_ntfs, - 932,Edge Current Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs, - 933,Edge Current Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs, - 934,Edge Favicons,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs, - 935,Edge History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs, - 936,Edge Last Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs, - 937,Edge Last Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs, - 938,Edge Login Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs, - 939,Edge Media History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs, - 940,Edge Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs, - 941,Edge Preferences,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs, - 942,Edge Shortcuts,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs, - 943,Edge Top Sites,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs, - 944,Edge SyncData Database,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, - 945,Edge Bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, - 946,Edge Visited 
Links,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs, - 947,Edge Web Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs, - 948,Addons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs, - 949,Bookmarks,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs, - 950,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs, - 951,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs, - 952,Downloads,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs, - 953,Favicons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs, - 954,Form history,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs, - 955,Permissions,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs, - 956,Places,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs, - 957,Protections,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs, - 958,Search,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs, - 959,Signons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs, - 960,Storage Sync,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs, - 961,Webappstore,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs, - 962,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs, - 963,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs, - 
964,ActivitiesCache.db,SQLDatabases,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs, - 965,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs, - 966,Bitdefender SQLite DB Files,Antivirus,Program Files*\Bitdefender*\**10\regex:*.+\.(db|db-wal|db-shm),ntfs,Bitdefender SQLite databases - 967,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, - 968,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, - 969,SRUM,Execution,Windows\System32\SRU\**10,lazy_ntfs, - 970,SRUM,Execution,Windows.old\Windows\System32\SRU\**10,lazy_ntfs, - 971,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs, - 972,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs, - 973,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, - 974,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, - 975,SUM Database (.mdb files),Logs,Windows\System32\LogFiles\SUM\*.mdb,lazy_ntfs,"Grabs Current.mdb, SystemIdentity.mdb, and [GUID].mdb" - 976,SUPERAntiSpyware Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\**10,lazy_ntfs, - 977,SUSE Linux Enterprise Server WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\os-release,lazy_ntfs, - 978,SUSE Linux Enterprise Server WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\fstab,lazy_ntfs, - 979,SUSE Linux Enterprise Server WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\passwd,lazy_ntfs, - 980,SUSE Linux Enterprise Server WSL /etc/group,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\group,lazy_ntfs, - 981,SUSE Linux Enterprise Server WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\shadow,lazy_ntfs, - 982,SUSE Linux Enterprise Server WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\timezone,lazy_ntfs, - 983,SUSE Linux Enterprise Server WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hostname,lazy_ntfs, - 984,SUSE Linux Enterprise Server WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hosts,lazy_ntfs, - 985,SUSE Linux Enterprise Server WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, - 986,SUSE Linux Enterprise Server WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\profile,lazy_ntfs, - 987,SUSE Linux Enterprise Server WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, - 988,SUSE Linux Enterprise Server WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, - 989,SUSE Linux Enterprise Server WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.profile,lazy_ntfs, - 990,SUSE Linux Enterprise Server WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\ext4.vhdx,lazy_ntfs, 
- 991,at .job,Persistence,Windows\Tasks\*.job,lazy_ntfs, - 992,at .job,Persistence,Windows.old\Windows\Tasks\*.job,lazy_ntfs, - 993,at SchedLgU.txt,Persistence,Windows\SchedLgU.txt,lazy_ntfs, - 994,at SchedLgU.txt,Persistence,Windows.old\Windows\SchedLgU.txt,lazy_ntfs, - 995,XML,Persistence,Windows\System32\Tasks\**10,lazy_ntfs, - 996,XML,Persistence,Windows\syswow64\Tasks\**10,lazy_ntfs, - 997,XML,Persistence,Windows.old\Windows\System32\Tasks\**10,lazy_ntfs, - 998,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\Session.db,lazy_ntfs,SQLite database with session information - 999,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\User.xml,lazy_ntfs,Contains each user's last authenticated time - 1000,ScreenConnect User Config,ApplicationLogs,ProgramData\ScreenConnect Client*\user.config,lazy_ntfs,Contains server domain and IP info - 1001,SecureAge Antvirus Logs,Antivirus,ProgramData\SecureAge Technology\SecureAge\log\**10,lazy_ntfs, - 1002,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs\**10,lazy_ntfs,Logs are in Binary Format (.binlog) - 1003,ShareX,Apps,Users\*\Documents\ShareX\**10,lazy_ntfs,Locates and captures all files within the default ShareX folder path - 1004,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza\**10,lazy_ntfs,Locates Shareaza logs and copies them. - 1005,Siemens TIA Settings,ICS,Users\*\AppData\Roaming\Siemens\Automation\Portal*\Settings\**10,lazy_ntfs, - 1006,Signal Attachments cache,Communications,Users\*\AppData\Roaming\Signal\attachments.noindex\**10,lazy_ntfs,Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with - 1007,Signal Logs,Communications,Users\*\AppData\Roaming\Signal\logs\**10,lazy_ntfs,"Logs for Signal. Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc." 
- 1008,Signal config.json,Communications,Users\*\AppData\Roaming\Signal\config.json,lazy_ntfs,config.json holds the db.sqlite SQLCipher raw key - 1009,Signal Database,Communications,Users\*\AppData\Roaming\Signal\sql\db.sqlite,lazy_ntfs,"Stores attachment details, conversations, messages, and more" - 1010,SignatureCatalog,FileMetadata,Windows\System32\CatRoot\**10,lazy_ntfs, - 1011,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot\**10,lazy_ntfs, - 1012,main.db (App <v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db,lazy_ntfs, - 1013,skype.db (App +v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db,lazy_ntfs, - 1014,main.db XP,Communications,Documents and Settings\*\Application Data\Skype\*\main.db,lazy_ntfs, - 1015,main.db Win7+,Communications,Users\*\AppData\Roaming\Skype\*\main.db,lazy_ntfs, - 1016,s4l-[username].db (App +v8),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db,lazy_ntfs, - 1017,leveldb (Skype for Desktop +v8),Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\**10,lazy_ntfs, - 1018,Skype for Destkop v8+ Chromium Cache,Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\Cache\**10,lazy_ntfs,Can be viewed with Nirsoft's ChromeCacheView - 1019,Slack - Chat Logs,Apps,Users\*\AppData\Roaming\Slack\IndexedDB\**10,lazy_ntfs,Locates Slack logs and copies them - 1020,Slack LevelDB Files,Apps,Users\*\AppData\Roaming\Slack\Local Storage\leveldb\**10,lazy_ntfs, - 1021,Slack Electron Logs,Apps,Users\*\AppData\Roaming\Slack\logs\**10,lazy_ntfs,Current Slack application is based on Electron and additional logging can be found here. - 1022,Slack Cache,Apps,Users\*\AppData\Roaming\Slack\Cache\**10,lazy_ntfs,Collects Slack cache files. 
This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView - 1023,Slack Storage,Apps,Users\*\AppData\Roaming\Slack\storage\**10,lazy_ntfs,User activity logs can be present including slack-downloads log - 1024,Snagit - Captures,Apps,Users\*\AppData\Local\TechSmith\Snagit\DataStore,lazy_ntfs,Locates all Snagit captures - 1025,Snip & Sketch,FileKnowledge,Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\*.png,lazy_ntfs,Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows - 1026,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection" - 1027,Sophos Logs,Antivirus,ProgramData\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection" - 1028,Soulseek Chat Logs,FileDownload,Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs\**10,lazy_ntfs,Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22. - 1029,Soulseek Search History/Shared Folders/Settings,FileDownload,Users\*\AppData\Local\SoulseekQt\1\*.dat,lazy_ntfs,"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item)." 
- 1030,SpeedCommander - .ini File,Apps,Users\*\AppData\Roaming\SpeedProject\SpeedCommander 19\*,lazy_ntfs,Locates folder where all configuration files reside - 1031,Splashtop Log Files,Software,Program Files*\Splashtop\Splashtop Remote\Server\log\**10,lazy_ntfs,Collects logs for Splashtop - 1032,Splashtop Log Files in ProgramData,Software,ProgramData\Splashtop\Temp\log\**10,lazy_ntfs,Collects logs for Splashtop - 1033,User startup folders,Persistence,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,lazy_ntfs, - 1034,System-wide startup folder,Persistence,ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,lazy_ntfs, - 1035,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs, - 1036,StartupInfo XML Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs, - 1037,Steam Game Image files,Apps,Program Files\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games. - 1038,Steam Login Metadata file,Apps,Program Files\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name. - 1039,Steam Friend List and Username History file,Apps,Program Files\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History. - 1040,Steam User Avatar files,Apps,Program Files\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache. - 1041,Steam Game Tray Icon files,Apps,Program Files\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu. - 1042,Steam Startup Times Log file,Apps,Program Files\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times. 
- 1043,Steam Game Image files,Apps,Program Files (x86)\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games. - 1044,Steam Login Metadata file,Apps,Program Files (x86)\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name. - 1045,Steam Friend List and Username History file,Apps,Program Files (x86)\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History. - 1046,Steam User Avatar files,Apps,Program Files (x86)\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache. - 1047,Steam Game Tray Icon files,Apps,Program Files (x86)\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu. - 1048,Steam Startup Times Log file,Apps,Program Files (x86)\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times. - 1049,SublimeText 2/3 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Settings\Session.sublime_session,lazy_ntfs,Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file - 1050,SublimeText 4 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Local\*.sublime_session,lazy_ntfs,Sublime Text 4 stores unsaved (temporary) files and its content in its .sublime_session files - 1051,SugarSync Log File,Apps,Users\*\AppData\Local\SugarSync\sc1.log,lazy_ntfs,Locates a log file the gives a play-by-play of what the user synced when. 
- 1052,SugarSync - Shared Folders (Default Location),Apps,Users\*\Documents\SugarSync Shared Folders\**10,lazy_ntfs, - 1053,SugarSync - My SugarSync (Default Location),Apps,Users\*\Documents\My SugarSync\**10,lazy_ntfs, - 1054,SumatraPDF Settings - SessionData,FileKnowledge,Users\*\AppData\Local\SumatraPDF\SumatraPDF-settings.txt,lazy_ntfs,Settings file which contains information about previous user session - 1055,SumatraPDF Cache,FileKnowledge,Users\*\AppData\Local\SumatraPDF\sumatrapdfcache,lazy_ntfs,Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close - 1056,Supremo Connection Logs,Communications,ProgramData\SupremoRemoteDesktop\Log\*.log,lazy_ntfs,Includes Supremo.00.Client.log and Supremo.00.Incoming.log - 1057,Supremo File Transfer Inbox,Communications,ProgramData\SupremoRemoteDesktop\Inbox,lazy_ntfs,Includes all files transferred to the inbox folder during a remote session - 1058,Symantec Endpoint Protection Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\**10,lazy_ntfs, - 1059,Symantec Endpoint Protection Logs,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\**10,lazy_ntfs, - 1060,Symantec Endpoint Protection User Logs,Antivirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\**10,lazy_ntfs, - 1061,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log - 1062,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log - 1063,Symantec Endpoint Protection Quarantine (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**10,lazy_ntfs, - 1064,Symantec Endpoint Protection Quarantine,Antivirus,ProgramData\Symantec\Symantec Endpoint 
Protection\*\Data\Quarantine\**10,lazy_ntfs, - 1065,ccSubSDK Database,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**10,lazy_ntfs, - 1066,registrationInfo.xml,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml,lazy_ntfs, - 1067,Syscache,Program Execution,System Volume Information\Syscache.hve,lazy_ntfs, - 1068,Syscache transaction files,Program Execution,System Volume Information\Syscache.hve.LOG*,lazy_ntfs, - 1069,Tablacus Explorer - remember.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\remember.xml,lazy_ntfs, - 1070,Tablacus Explorer - window.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window.xml,lazy_ntfs, - 1071,Tablacus Explorer - window1.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window1.xml,lazy_ntfs, - 1072,TeamViewer Connection Logs,Communications,Program Files*\TeamViewer\connections*.txt,lazy_ntfs,Includes connections_incoming.txt and connections.txt - 1073,TeamViewer Application Logs,ApplicationLogs,Program Files*\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log - 1074,TeamViewer Application User Logs,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Alternate location for TeamViewer<version>_Logfile.log - 1075,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\**10,lazy_ntfs,Includes miscellaneous config files - 1076,Telegram app folder,Apps,Users\*\AppData\Roaming\Telegram Desktop\**10,lazy_ntfs,Telegram app folder structure - 1077,Telegram downloaded files,Apps,Users\*\Downloads\Telegram Desktop\**10,lazy_ntfs,Chat Attachments - 1078,TeraCopy,TeraCopy,Users\*\AppData\Roaming\TeraCopy\**10,lazy_ntfs, - 1079,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db,lazy_ntfs, - 1080,Mozilla Thunderbird Install Date,Apps,Users\*\AppData\Roaming\Thunderbird\Crash 
Reports\InstallTime*,lazy_ntfs,Holds install time in Unix Seconds timestamp - 1081,Mozilla Thunderbird Profiles.ini,Apps,Users\*\AppData\Roaming\Thunderbird\profiles.ini,lazy_ntfs,Profiles list - can hold references to other profiles held elsewhere on the device - 1082,Mozilla Thunderbird prefs.js,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\prefs.js,lazy_ntfs,User Preferences for that profile - 1083,Mozilla Thunderbird Global Messages Database,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\global-messages-db.sqlite,lazy_ntfs,"Holds list of contacts, emails, and other potentially useful artifacts" - 1084,Mozilla Thunderbird logins.json,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\logins.json,lazy_ntfs,"Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more" - 1085,Mozilla Thunderbird places.sqlite,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\places.sqlite,lazy_ntfs,"Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too" - 1086,Mozilla Thunderbird ImapMail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc" - 1087,Mozilla Thunderbird Mail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc" - 1088,Mozilla Thunderbird Calendar Data,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\local.sqlite,lazy_ntfs,Holds local calendar data - 1089,Mozilla Thunderbird Attachments,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*,lazy_ntfs,Holds attachments - 1090,Mozilla Thunderbird Address Book,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\abook.sqlite,lazy_ntfs,Holds local address book - 1091,Torrents,FileDownload,**10\*.torrent,lazy_ntfs, - 1092,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs\**10,lazy_ntfs, - 1093,TotalAV 
Logs,Antivirus,ProgramData\TotalAV\logs\**10,lazy_ntfs, - 1094,Total Commander - .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wincmd.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information. - 1095,Total Commander - Log File,Apps,**10\totalcmd.log,lazy_ntfs,Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified. - 1096,Total Commander - Temp Files Created During Folder Traversal,Apps,Users\*\AppData\Local\Temp\FTP*.tmp,lazy_ntfs,Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed. - 1097,Total Commander - FTP .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wcx_ftp.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful FTP information. - 1098,Total Commander - File Tree,Apps,Users\*\AppData\Local\GHISLER\treeinfo*.wc,lazy_ntfs,Locates a file that contains an exhaustive file tree of a user's file system. - 1099,Total Commander - Frequent Directory Listing,Apps,Users\*\AppData\Local\GHISLER\tcDirFrq.txt,lazy_ntfs,Locates a file that contains a frequently accessed folder listing. - 1100,Total Commander - FTP Logs,Apps,Users\*\AppData\Local\Temp\tcftp.log,lazy_ntfs,Locates a file that contains the Total Commander FTP logs. - 1101,TreeSize - ScanHistory.XML,Apps,Users\*\AppData\Roaming\JAM Software\TreeSize\scanhistory.xml,lazy_ntfs,Locates XML file that provides a list of previously scanned directories by the user. 
- 1102,Trend Micro Logs,Antivirus,ProgramData\Trend Micro\**10,lazy_ntfs, - 1103,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report\*.log,lazy_ntfs, - 1104,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog\*.log,lazy_ntfs, - 1105,Setupapi.log XP,USBDevices,Windows\setupapi.log,lazy_ntfs, - 1106,Setupapi.log Win7+,USBDevices,Windows\inf\setupapi.*.log,lazy_ntfs, - 1107,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf\setupapi.*.log,lazy_ntfs, - 1108,Ubuntu WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\os-release,lazy_ntfs, - 1109,Ubuntu WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\fstab,lazy_ntfs, - 1110,Ubuntu WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\passwd,lazy_ntfs, - 1111,Ubuntu WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\group,lazy_ntfs, - 1112,Ubuntu WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\shadow,lazy_ntfs, - 1113,Ubuntu WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\timezone,lazy_ntfs, - 1114,Ubuntu WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hostname,lazy_ntfs, - 1115,Ubuntu WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hosts,lazy_ntfs, - 1116,Ubuntu WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\crontab,lazy_ntfs, - 
1117,Ubuntu WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, - 1118,Ubuntu WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\profile,lazy_ntfs, - 1119,Ubuntu WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, - 1120,Ubuntu WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, - 1121,Ubuntu WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.profile,lazy_ntfs, - 1122,Ubuntu WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs, - 1123,Ubuntu WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs, - 1124,Ubuntu WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\ext4.vhdx,lazy_ntfs, - 1125,UltraViewer User Logs,Remote Access,Users\*\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings" - 1126,UltraViewer System Logs,Remote Access,Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings" - 1127,UltraViewer Service Log,Remote Access,Program Files*\UltraViewer\UltraViewerService_log.txt,lazy_ntfs,UltraViewer Service log file - 1128,UltraViewer Connection Log,Remote Access,Program Files*\UltraViewer\ConnectionLog.Log,lazy_ntfs,UltraViewer Service level connection log - 1129,Usenet (NZB) 
Files,FileDownload,**10\*.nzb,lazy_ntfs, - 1130,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs\**10,lazy_ntfs, - 1131,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business\**10,lazy_ntfs, - 1132,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\**10,lazy_ntfs, - 1133,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\**10,lazy_ntfs, - 1134,VLC Recently Opened Files,Apps,Users\*\AppData\Roaming\vlc\vlc-qt-interface.ini,lazy_ntfs,Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening - 1135,VLC Recorded Files,Apps,Users\*\Videos\vlc-*.avi,lazy_ntfs,"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC" - 1136,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk. - 1137,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines. - 1138,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines. - 1139,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines. 
- 1140,RealVNC Log,ApplicationLogs,Users\*\AppData\Local\RealVNC\vncserver.log,lazy_ntfs,https://www.realvnc.com/en/connect/docs/logging.html#logging - 1141,RealVNC Log,ApplicationLogs,ProgramData\RealVNC-Service\vncserver.log,lazy_ntfs,https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging- - 1142,TightVNC Application Logs,ApplicationLogs,ProgramData\TightVNC\Server\Logs,lazy_ntfs,https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf - 1143,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC\config.db,lazy_ntfs,Configuration file for Viber - 1144,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*\viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more" - 1145,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users - 1146,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds - 1147,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images - 1148,VirtualBox VM configs,Apps,**10\*.vbox,lazy_ntfs,Locates all .vbox VM configuration files on disk - 1149,VirtualBox VM backup configs,Apps,**10\*.vbox-prev,lazy_ntfs,Locates all backup .vbox VM configuration files on disk - 1150,VirtualBox Logs,Apps,**10\VBox.log,lazy_ntfs,Locates all VBox.log files on disk - 1151,VirtualBox Backup Logs,Apps,**10\VBox.log.*,lazy_ntfs,Locates all backup VBox.log files on disk - these can show historic VM usage - 1152,VirtualBox Hardening Logs,Apps,**10\VBoxHardening.log,lazy_ntfs,Locates all VBoxHardening.log files on disk - 1153,VirtualBox,Memory,**10\*.sav,lazy_ntfs,Captures all partial memory images from VirtualBox. 
- 1154,VHD,Disk Images,**10\*.VHD,lazy_ntfs, - 1155,VHDX,Disk Images,**10\*.VHDX,lazy_ntfs, - 1156,VDI,Disk Images,**10\*.VDI,lazy_ntfs, - 1157,VMDK,Disk Images,**10\*.VMDK,lazy_ntfs, - 1158,VSCode Opened Files,Apps,Users\*\AppData\Roaming\Code\User\History\*\**10,lazy_ntfs,Grabs the files in the VSCode history. These are files the user has opened with VSCode - 1159,VSCode Workspaces,Apps,Users\*\AppData\Roaming\Code\User\globalStorage\storage.json*,lazy_ntfs,Grabs the file containing information about the users workspaces - 1160,VSCode User extensions,Apps,Users\*\AppData\Roaming\Code\CachedExtensions\user*,lazy_ntfs,Grabs the files relating to the users installed extensions - 1161,VSCode User settings,Apps,Users\*\AppData\Roaming\Code\User\settings.json*,lazy_ntfs,Grabs the file containing the settings the user has set. - 1162,VSCode User Preferences,Apps,Users\*\AppData\Roaming\Code\preferences*,lazy_ntfs,Grabs the file containing the preferences the user has set. - 1163,VSCode Network Cookies,Apps,Users\*\AppData\Roaming\Code\Network\Cookies*,lazy_ntfs,Grabs the cookie files. Same format as Chromium Cookies - 1164,VSCode Network Persistent State,Apps,Users\*\AppData\Roaming\Code\Network\Network Persistent State*,lazy_ntfs,Grabs the Network Persistent State file. Same format as in Chromium - 1165,VSCode Logs,Apps,Users\*\AppData\Roaming\Code\logs\**10,lazy_ntfs,"Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital." 
- 1166,Vivaldi Cookies,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Cookies*,lazy_ntfs, - 1167,Vivaldi Network Persistent State,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Network Persistent State,lazy_ntfs, - 1168,Vivaldi Favicons,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Favicons*,lazy_ntfs, - 1169,Vivaldi History,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\History*,lazy_ntfs, - 1170,Vivaldi Sessions Folder,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Sessions\*,lazy_ntfs, - 1171,Vivaldi Login Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Login Data,lazy_ntfs, - 1172,Vivaldi Network Action Predictor,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Network Action Predictor,lazy_ntfs, - 1173,Vivaldi Preferences,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Preferences,lazy_ntfs, - 1174,Vivaldi Top Sites,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Top Sites*,lazy_ntfs, - 1175,Vivaldi Bookmarks,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Bookmarks*,lazy_ntfs, - 1176,Vivaldi Visited Links,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Visited Links,lazy_ntfs, - 1177,Vivaldi Web Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Web Data*,lazy_ntfs, - 1178,Vivaldi User Tracking,Communications,Users\*\.vivaldi_reporting_data*,lazy_ntfs, - 1179,Vivaldi Calendar,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Calendar*,lazy_ntfs, - 1180,Vivaldi Contacts,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Contacts*,lazy_ntfs, - 1181,Vivaldi Notes,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Notes*,lazy_ntfs, - 1182,Vivaldi Download Metadata,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\DownloadMetadata*,lazy_ntfs, - 1183,WBEM,WBEM,Windows\System32\wbem\Repository\**10,lazy_ntfs, - 1184,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository\**10,lazy_ntfs, - 1185,WER 
Files,Executables,ProgramData\Microsoft\Windows\WER\**10,lazy_ntfs, - 1186,WER Files,Executables,Users\*\AppData\Local\Microsoft\Windows\WER\**10,lazy_ntfs, - 1187,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps\*.dmp,lazy_ntfs, - 1188,Crash Dumps,SQL Exploitation,Windows\*.dmp,lazy_ntfs, - 1189,Crash Dumps,SQL Exploitation,Windows.old\Windows\*.dmp,lazy_ntfs, - 1190,Webroot Program Data,Antivirus,ProgramData\WRData\WRLog.log,lazy_ntfs, - 1191,WhatsApp Cache,Apps,Users\*\AppData\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" - 1192,WhatsApp Local Storage,Apps,Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" - 1193,Microsoft Store WhatsApp Cache,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" - 1194,Microsoft Store WhatsApp Local Storage,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. 
Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" - 1195,Microsoft Store WhatsApp Desktop Profile Pictures,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures,lazy_ntfs,"Copies the local store of contacts profile pictures, simply open with a photos software" - 1196,Microsoft Store WhatsApp Shared Media,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers\**10\regex:.*\.(jpg|mp4|pdf|webp),ntfs,"Copies the shared media, can get very large." - 1197,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs, - 1198,WinSCP (.ini file),Logs,**10\WinSCP.ini,lazy_ntfs, - 1199,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support\**10,lazy_ntfs, - 1200,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, - 1201,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, - 1202,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support\**10,lazy_ntfs, - 1203,Windows Defender Logs,Antivirus,Windows\Temp\MpCmdRun.log,lazy_ntfs, - 1204,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp\MpCmdRun.log,lazy_ntfs, - 1205,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs, - 1206,Windows Defender Quarantine,Antivirus,ProgramData\Microsoft\Windows Defender\Quarantine\**10,lazy_ntfs, - 1207,Windows Firewall Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs, - 1208,Windows Firewall Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs, - 1209,Cryptokeys,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\**10,lazy_ntfs, - 1210,Masterkey,Windows 
Hello,Windows\System32\Microsoft\Protect\S-1-5-18\User\**10,lazy_ntfs, - 1211,NGC,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\**10,lazy_ntfs, - 1212,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs, - 1213,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs, - 1214,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, - 1215,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, - 1216,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, - 1217,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, - 1218,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs, - 1219,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs, - 1220,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs, - 1221,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs, - 1222,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs, - 1223,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs, - 1224,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs, - 1225,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs, - 1226,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, - 1227,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, - 1228,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, - 1229,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, - 1230,SYSTEM registry hive 
(RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, - 1231,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, - 1232,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows\*,lazy_ntfs, - 1233,GatherLogs,FileKnowledge,programdata\microsoft\search\data\applications\windows\GatherLogs\**10,lazy_ntfs, - 1234,Network setting files,Misc,windows\system32\drivers\etc\**10,lazy_ntfs, - 1235,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs, - 1236,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs, - 1237,MigLog.xml,OS Upgrade,Windows\Panther\MigLog.xml,lazy_ntfs, - 1238,Setupact.log,OS Upgrade,Windows\Panther\Setupact.log,lazy_ntfs, - 1239,HumanReadable.xml,OS Upgrade,Windows\Panther\*HumanReadable.xml,lazy_ntfs, - 1240,FolderMoveLog.txt,OS Upgrade,Windows\Panther\Rollback\FolderMoveLog.txt,lazy_ntfs, - 1241,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs, - 1242,Windows Power Diagnostics,Diagnostics,ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\**10,lazy_ntfs, - 1243,DNS Netlogon files,DNS,Windows\System32\config\**10\netlogon.*,lazy_ntfs, - 1244,DNS files,DNS,Windows\System32\dns\**10,lazy_ntfs, - 1245,DHCP files,DHCP,Windows\System32\dhcp\**10,lazy_ntfs, - 1246,Diagnostic Logs for WSA,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\diagnostics\logcat\*.log,lazy_ntfs,Filenames should be %timestamp%.log - 1247,App download artifacts (PNG),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.png,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded - 1248,App download artifacts (ICO),Windows Subsystem 
for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.ico,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded WHEN since .ico files appear immediately when download of an application completes - 1249,Appcompatdb.json,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\appcompatdb.json,lazy_ntfs,"Grabs the appcompatdb.json, unknown exactly what this is but further relevance could be uncovered after more research is conducted" - 1250,userdata.vhdx,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\userdata.vhdx,lazy_ntfs,Grabs the user's data which appears to be stored in a VHDX - 1251,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs, - 1252,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs, - 1253,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs, - 1254,Windows Update Session Orchestrator logs,EventLogs,ProgramData\USOShared\Logs\System\**10\*.etl,lazy_ntfs, - 1255,Windows Update logs,EventLogs,Windows\Logs\WindowsUpdate\**10\WindowsUpdate*.etl,lazy_ntfs, - 1256,Windows Component-Based Servicing logs,EventLogs,Windows\Logs\CBS\**10\CBS*.log,lazy_ntfs, - 1257,Windows Your Phone - All Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\**10,lazy_ntfs,Locates all Your Phone database files - 1258,System Volume Information,Folder capture,System Volume Information\**10,lazy_ntfs, - 1259,XYplorer - .ini file,Apps,Users\*\AppData\Roaming\XYplorer\XYplorer.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores 
useful user activity information. - 1260,XYplorer - .ini file for each respective pane,Apps,Users\*\AppData\Roaming\XYplorer\Panes\*\**10\pane.ini,lazy_ntfs,Locates the .ini file for the left and right pane. - 1261,XYplorer - AutoBackup folder,Apps,Users\*\AppData\Roaming\XYplorer\AutoBackup\**10,lazy_ntfs,Locates the AutoBackup folder and copies its contents. - 1262,XYplorer - .dat files,Apps,Users\*\AppData\Roaming\XYplorer\**10\*.dat,lazy_ntfs,"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit." - 1263,Xeox RMM Client Application logs,ApplicationLogs,Program Files\Xeox\*.log,lazy_ntfs,Contains Application Log entries such as service start and incomming connections. - 1264,Yandex Cookies,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Cookies*,lazy_ntfs, - 1265,Yandex Network Persistent State,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Network Persistent State,lazy_ntfs, - 1266,Yandex Favicons,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Favicons*,lazy_ntfs, - 1267,Yandex History,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\History*,lazy_ntfs, - 1268,Yandex Sessions Folder,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\*,lazy_ntfs, - 1269,Yandex Login Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Passman Data*,lazy_ntfs, - 1270,Yandex Network Action Predictor,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Network Action Predictor,lazy_ntfs, - 1271,Yandex Preferences,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Preferences,lazy_ntfs, - 1272,Yandex Top Sites,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Top Sites*,lazy_ntfs, - 1273,Yandex Bookmarks,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Bookmarks*,lazy_ntfs, - 1274,Yandex Visited 
Links,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Visited Links,lazy_ntfs, - 1275,Yandex Web Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Web Data*,lazy_ntfs, - 1276,Yandex Autofill data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Autofill Data*,lazy_ntfs, - 1277,Yandex Passman logs,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Passman Logs*,lazy_ntfs, - 1278,Yandex Shortcuts,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Shortcuts*,lazy_ntfs, - 1279,Zoho Assist log files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in AppData + 118,System WOW64 CryptnetUrlCache,FileKnowledge,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs, + 119,User CryptnetUrlCache,FileKnowledge,Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\**10,lazy_ntfs, + 120,INetCache,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\**10,lazy_ntfs, + 121,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, + 122,Chrome Cookies XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs, + 123,Chrome Current Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs, + 124,Chrome Current Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, + 125,Chrome Favicons XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, + 126,Chrome History XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs, + 127,Chrome Last Session 
XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs, + 128,Chrome Last Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, + 129,Chrome Login Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs, + 130,Chrome Preferences XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs, + 131,Chrome Shortcuts XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, + 132,Chrome Top Sites XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, + 133,Chrome Visited Links XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, + 134,Chrome Web Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, + 135,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, + 136,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs, + 137,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs, + 138,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, + 139,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata,lazy_ntfs, + 140,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs, + 141,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, + 142,Chrome 
History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs, + 143,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs, + 144,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, + 145,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs, + 146,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs, + 147,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs, + 148,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs, + 149,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs, + 150,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs, + 151,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs, + 152,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs, + 153,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, + 154,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, + 155,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs, + 156,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, + 157,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, + 158,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, + 159,Windows Protect 
Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption + 160,Chrome Snapshots Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\Snapshots\*\**10,lazy_ntfs,Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #. + 161,Chrome Extension Files,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs, + 162,Chrome Extension Files XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\**10,lazy_ntfs, + 163,Chrome HTML5 File System Folder,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\File System\**10,lazy_ntfs, + 164,Cisco Jabber Database,Communications,Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db,lazy_ntfs,The Cisco Jabber process needs to be killed before database can be copied. + 165,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster + 166,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster + 167,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster + 168,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs, + 169,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs\*.log*,lazy_ntfs, + 170,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs\*.log,lazy_ntfs, + 171,Cybereason Anti-Ransomware Logs,Antivirus,ProgramData\crs1\Logs\**10,lazy_ntfs, + 172,Cybereason Sensor Communications and Anti-Malware Logs,Antivirus,ProgramData\apv2\Logs\**10,lazy_ntfs, + 173,Cybereason Application Control and 
NGAV Logs,Antivirus,ProgramData\crb1\Logs\**10,lazy_ntfs, + 174,Cylance ProgramData Logs,Antivirus,ProgramData\Cylance\Desktop\**10,lazy_ntfs, + 175,Cylance Optics Logs,Antivirus,ProgramData\Cylance\Optics\Log\**10,lazy_ntfs, + 176,Cylance Program Files Logs,Antivirus,Program Files\Cylance\Desktop\log\**10,lazy_ntfs, + 177,DC++ Chat Logs,FileDownload,Users\*\AppData\Local\DC++\Logs\**10,lazy_ntfs,Locates DC++ hub/chat logs and copies them. Current as of version 0.868. + 178,DWAgent Log Files,Logs,ProgramData\DWAgent*\*.log*,lazy_ntfs, + 179,Debian WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\debian_version,lazy_ntfs, + 180,Debian WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\fstab,lazy_ntfs, + 181,Debian WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\os-release,lazy_ntfs, + 182,Debian WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\passwd,lazy_ntfs, + 183,Debian WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\group,lazy_ntfs, + 184,Debian WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\shadow,lazy_ntfs, + 185,Debian WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\timezone,lazy_ntfs, + 186,Debian WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hostname,lazy_ntfs, + 187,Debian WSL /etc/hosts,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hosts,lazy_ntfs, + 188,Debian WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\crontab,lazy_ntfs, + 189,Debian WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, + 190,Debian WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\profile,lazy_ntfs, + 191,Debian WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, + 192,Debian WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, + 193,Debian WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**10\.profile,lazy_ntfs, + 194,Debian WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs, + 195,Debian WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs, + 196,Debian WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\ext4.vhdx,lazy_ntfs, + 197,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd,lazy_ntfs,Locates .osd file which contains names of folders that have been renamed manually by the user. 
+ 198,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd,lazy_ntfs,Locates .osd file which contains names of files that have been renamed manually by the user. + 199,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query. + 200,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query. + 201,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd,lazy_ntfs,Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time. + 202,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd,lazy_ntfs,Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister. + 203,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. + 204,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. + 205,Directory Opus,Apps,Users\*\AppData\Roaming\GPSoftware\Directory Opus\Logs\*,lazy_ntfs,Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory. 
+ 206,Audio files,Multimedia,"**10\*.{3gp,aa,aac,act,aiff,alac,amr,ape,au,awb,dss,dvf,flac,gsm,iklax,ivs,m4a,m4b,m4p,mmf,mp3,mpc,msv,nmf,ogg,oga,mogg,opus,ra,rm,raw,rf64,sln,tta,voc,vox,wav,wma,wv,webm}",lazy_ntfs,Covers most (if not all) audio file formats + 207,Excel and Excel-like Documents,Documents,"**10\*.{xls,xlsx,csv,tsv,xlt,xlm,xlsm,xltx,xltm,xlsb,xla,xlam,xll,xlw,ods,fodp,qpw}",lazy_ntfs,"Covers all document file formats for Excel, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more" + 208,PDF and PDF-like Documents,Documents,"**10\*.{pdf,xps,oxps}",lazy_ntfs,Covers all PDF and PDF-like document formats + 209,Picture files,Multimedia,"**10\*.{ai,bmp,bpg,cdr,cpc,eps,exr,flif,gif,heif,ilbm,ima,jp2,j2k,jpf,jpm,jpg2,j2c,jpc,jpx,mj2jpeg,jpg,jxl,kra,ora,pcx,pgf,pgm,png,pnm,ppm,psb,psd,psp,svg,tga,tiff,webp,xaml,xcf}",lazy_ntfs,Covers most (if not all) picture file formats + 210,SQLite Files (.db* and .sqlite*),Databases,"**10\*.{db,sqlite}*)",lazy_ntfs,Covers all common file extensions for SQLite databases + 211,Video files,Multimedia,"**10\*.{3g2,3gp,amv,asf,avi,drc,flv,f4v,f4p,f4a,f4b,gif,gifv,m4v,mkv,mov,qt,mp4,m4p,mpg,mpeg,m2v,mp2,mpe,mpv,mts,m2ts,ts,mxf,nsv,ogv,ogg,rm,rmvb,roq,svi,viv,vob,webm,wmv,yuv}",lazy_ntfs,Covers most (if not all) video file formats + 212,Zips,Archives,**10\*.zip,lazy_ntfs,This is an example of how to walk a drive for a file mask. 
Probably do not want to use this one as is + 213,Word and Word-like Documents,Documents,"**10\*.{doc,docx,docm,dotx,dotm,docb,dot,wbk,odt,fodt,rtf,wp*,tmd}",lazy_ntfs,"Covers all document file formats for Word, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more" + 214,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache\**10,lazy_ntfs,Gets cached data from Discord app + 215,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb\**10,lazy_ntfs,Gets LevelDB database from Discord app + 216,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd\history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top. + 217,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom. + 218,Double Commander - FTP Log,Apps,Users\*\AppData\Roaming\doublecmd\doublecmd*.log,lazy_ntfs,Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log. + 219,Double Commander - multiarc.ini,Apps,Users\*\AppData\Roaming\doublecmd\multiarc.ini,lazy_ntfs, + 220,Double Commander - session.ini,Apps,Users\*\AppData\Roaming\doublecmd\session.ini,lazy_ntfs, + 221,Double Commander - pixmaps.txt,Apps,Users\*\AppData\Roaming\doublecmd\pixmaps.txt,lazy_ntfs, + 222,Double Commander - shortcuts.scf,Apps,Users\*\AppData\Roaming\doublecmd\shortcuts.scf,lazy_ntfs, + 223,Drivers,Drivers,Windows\system32\drivers\**10\*.sys,lazy_ntfs, + 224,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\info.json,lazy_ntfs,Getting individual files because folder may contain very large extraneous files. 
Info.json contains user's Dropbox folder location + 225,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. + 226,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\machine_storage\tray-thumbnails.db,lazy_ntfs,SQLite database containing references to image files at one time present in a user’s Dropbox instance. + 227,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together." + 228,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption of Dropbox databases + 229,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\instance*\**10,lazy_ntfs,instance folder holds multiple SQLite databases related to Dropbox activity and contents + 230,Dropbox User Files,Apps,Users\*\Dropbox*\**10,lazy_ntfs,"Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder." + 231,EF Commander - .ini File,Apps,Users\*\AppData\Roaming\EFSoftware\*,lazy_ntfs,Locates folder where all configuration files reside + 232,ESET NOD32 AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs, + 233,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs\**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser + 234,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET Security\Logs\**10,lazy_ntfs, + 235,ESET Remote Administrator Logs,Antivirus,ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs,lazy_ntfs,Remote Administrator logs include information on tasks executed on the target. 
+ 236,Local User Quarantine,Antivirus,Users\*\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs, + 237,SYSTEM user quarantine,Antivirus,Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\**10,lazy_ntfs, + 238,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs, + 239,Edge bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, + 240,Edge Collections,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs, + 241,Edge Cookies,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network\Cookies*,lazy_ntfs, + 242,Edge Current Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs, + 243,Edge Current Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs, + 244,Edge Favicons,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs, + 245,Edge History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs, + 246,Edge Last Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs, + 247,Edge Last Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs, + 248,Edge Sessions Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sessions\*,lazy_ntfs, + 249,Edge Login Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs, + 250,Edge Media History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs, + 251,Edge Network Action Predictor,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs, + 252,Edge Preferences,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs, + 253,Edge 
Shortcuts,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs, + 254,Edge Top Sites,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs, + 255,Edge SyncData Database,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, + 256,Edge Bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs, + 257,Edge Visited Links,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs, + 258,Edge Web Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs, + 259,Edge WebAssistDatabase,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\WebAssistDatabase*,lazy_ntfs, + 260,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline DPAPI decryption + 261,Edge Snapshots Folder,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\**10,lazy_ntfs,"Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. 
In testing, there were 3 previous versions of Edge Chromium separated into different folders" + 262,Edge Chromium Extension Files,Communication,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\**10,lazy_ntfs, + 263,Emsisoft Scan Logs,ApplicationLogs,ProgramData\Emsisoft\Reports\scan*.txt,lazy_ntfs,Can contain file detection and quarantine info + 264,EncapsulationLogging,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs, + 265,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve,lazy_ntfs, + 266,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs, + 267,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve.log*,lazy_ntfs, + 268,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\System.evtx,lazy_ntfs, + 269,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\System.evtx,lazy_ntfs, + 270,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\Security.evtx,lazy_ntfs, + 271,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Security.evtx,lazy_ntfs, + 272,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs, + 273,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx,lazy_ntfs, + 274,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs, + 275,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx,lazy_ntfs, + 276,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, + 277,Event logs 
Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, + 278,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, + 279,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, + 280,Event logs XP,EventLogs,Windows\System32\config\*.evt,lazy_ntfs, + 281,Event logs Win7+,EventLogs,Windows\System32\winevt\logs\*.evtx,lazy_ntfs, + 282,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\*.evtx,lazy_ntfs, + 283,WDI Trace Logs 1,Event Trace Logs,Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs, + 284,WDI Trace Logs 1,Event Trace Logs,Windows.old\Windows\System32\WDI\LogFiles\*.etl*,lazy_ntfs, + 285,WDI Trace Logs 2,Event Trace Logs,Windows\System32\WDI\{*\**10,lazy_ntfs, + 286,WDI Trace Logs 2,Event Trace Logs,Windows.old\Windows\System32\WDI\{*\**10,lazy_ntfs, + 287,WMI Trace Logs,Event Trace Logs,Windows\System32\LogFiles\WMI\**10,lazy_ntfs, + 288,WMI Trace Logs,Event Trace Logs,Windows.old\Windows\System32\LogFiles\WMI\**10,lazy_ntfs, + 289,SleepStudy Trace Logs,Event Trace Logs,Windows\System32\SleepStudy\**10,lazy_ntfs, + 290,SleepStudy Trace Logs,Event Trace Logs,Windows.old\Windows\System32\SleepStudy\**10,lazy_ntfs, + 291,Energy-NTKL Trace Logs,Event Trace Logs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl,lazy_ntfs, + 292,Delivery Optimization Trace Logs,Event Trace Logs,Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl*,lazy_ntfs, + 293,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, + 294,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs, + 295,Microsoft Office 
Diagnostic Logs,SystemEvents,Users\%User%\AppData\Local\Temp\Diagnostics\**10,lazy_ntfs, + 296,Evernote Accounts,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\.accounts,lazy_ntfs,Holds username and email of accounts + 297,Evernote Notebooks,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb,lazy_ntfs,SQLite Database of the notes + 298,Evernote Notebook Snippets,App,Users\*\AppData\Local\Evernote\Evernote\Databases\**10\*.exb.snippets,lazy_ntfs,Note 'Snippets' + 299,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything\Everything.db,lazy_ntfs,Copies out Everything.db + 300,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything\Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window + 301,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything\Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps + 302,Everything (VoidTools) - .ini file,FileSystem,Users\*\AppData\Roaming\Everything\Everything.ini,lazy_ntfs,Copies out the .ini file for Everything + 303,Exchange client access log files,Logs,Program Files\Microsoft\Exchange Server\*\Logging\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration + 304,Exchange Server Modified Compiled Files,Apps,Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration + 305,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration + 306,Exchange Server Modified Compiled Files,Apps,inetpub\wwwroot\aspnet_client\system_web\**10\*.compiled,lazy_ntfs,Highly dependent on Exchange configuration + 307,Exchange Server Modified Compiled Files,Apps,Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\**10\*.compiled,lazy_ntfs,Highly 
dependent on Exchange configuration + 308,Exchange Setup Log file,Logs,ExchangeSetupLogs\ExchangeSetup.log,lazy_ntfs,The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration. + 309,Exchange TransportRoles log files,Logs,Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\**10\*.log,lazy_ntfs,Highly dependent on Exchange configuration + 310,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log\**10,lazy_ntfs, + 311,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log\**10,lazy_ntfs, + 312,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports\**10,lazy_ntfs, + 313,Fences - Desktop Screenshots,Apps,Users\*\AppData\Roaming\Stardock\Fences\Backups,lazy_ntfs,Locates all screenshots taken automatically by the Fences application + 314,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.xml*,lazy_ntfs, + 315,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs, + 316,FileZilla Server XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla Server\*.xml*,lazy_ntfs, + 317,FileZilla Log Files,Logs,Program Files (x86)\FileZilla Server\Logs\*.log*,lazy_ntfs, + 318,Addons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs, + 319,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs, + 320,Bookmarks,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\**10,lazy_ntfs, + 321,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs, + 322,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs, + 323,Downloads,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs, + 324,Extensions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json,lazy_ntfs, + 
325,Favicons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs, + 326,Form history,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs, + 327,Permissions,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs, + 328,Places,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs, + 329,Protections,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs, + 330,Search,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs, + 331,Signons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs, + 332,Storage Sync,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs, + 333,Webappstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs, + 334,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs, + 335,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs, + 336,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs, + 337,Preferences,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js,lazy_ntfs, + 338,Sessionstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs, + 339,Sessionstore Folder,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\**10,lazy_ntfs, + 340,Places XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs, + 341,Downloads XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs, + 342,Form history XP,Communications,Documents and Settings\*\Application 
Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs, + 343,Cookies XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs, + 344,Signons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs, + 345,Webappstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs, + 346,Favicons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs, + 347,Addons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs, + 348,Search XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs, + 349,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db,lazy_ntfs, + 350,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signon*.*,lazy_ntfs, + 351,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\logins.json,lazy_ntfs, + 352,Sessionstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*,lazy_ntfs, + 353,Free Commander - FreeCommander.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts. + 354,Free Commander - FreeCommander.ftp.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini,lazy_ntfs,Locates an .ini file that contains the file path to the FTP log for Free Commander. 
+ 355,Free Commander - FreeCommander.hist.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers. + 356,Free Commander - FreeCommander.fav.xml,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml,lazy_ntfs,Locates an .xml file that contains favorited files/folder by the user. + 357,Free Commander - Backup Settings,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\**10,lazy_ntfs,"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS." + 358,Free Commander - FTP Log,Apps,Users\*\AppData\Local\Temp\fc*.log,lazy_ntfs,Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user. + 359,Free Commander - FTP Related Information,Apps,Users\*\AppData\Local\Temp\FreeCommander*\**10,lazy_ntfs,Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit. + 360,FDM Database,App,Users\*\AppData\Local\Free Download Manager\**10\fdm.sqlite,lazy_ntfs,"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. 
Will also pull fdm.sqlite in db_backup/" + 361,FDM Backup Info,App,Users\*\AppData\Local\Free Download Manager\backup\backup.info,lazy_ntfs,"Backup info file - can change backup name from userdata.zip, so could give indication of file name" + 362,FDM Database (userdata.zip),App,Users\*\AppData\Local\Free Download Manager\backup\userdata.zip,lazy_ntfs,fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file + 363,FreeFileSync,Apps,Users\*\AppData\Roaming\FreeFileSync\Logs,lazy_ntfs,Copies out all log files + 364,Freenet,File Downloads,Users\*\AppData\Local\Freenet\node*,lazy_ntfs, + 365,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.downloads,lazy_ntfs, + 366,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*completed.list.uploads,lazy_ntfs, + 367,Freenet,File Downloads,Users\*\AppData\Local\Freenet\*.bak,lazy_ntfs, + 368,Freenet,File Downloads,Users\*\AppData\Local\Freenet\downloads\**10,lazy_ntfs, + 369,FrostWire Downloads,FileDownload,Users\*\Documents\FrostWire\Torrent Data\**10,lazy_ntfs,Locates files downloaded that land in the default location as specified by FrostWire + 370,FrostWire AppData,FileDownload,Users\*\.frostwire5\frostwire.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system + 371,FrostWire AppData,FileDownload,Users\*\.frostwire5\itunes.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system + 372,Gigatribe Files Windows Vista/7/8/10,FileDownload,Users\*\AppData\Local\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them + 373,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Gigatribe\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. 
In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Gigatribe + 374,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft\**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\<username>\Lokala Inställningar\Application Data\Shalsoft + 375,Google Drive Backup and Sync User Files,Apps,Users\*\Google Drive*\**10,lazy_ntfs,Older Google Drive Backup and Sync application only + 376,Google Drive Backup and Sync Metadata,Apps,Users\*\AppData\Local\Google\Drive\**10,lazy_ntfs,Older version of Google Drive + 377,Google Drive for Desktop Metadata,Apps,Users\*\AppData\Local\Google\DriveFS\**10,lazy_ntfs,Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application + 378,Google Earth My Places file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations + 379,Google Earth My Places Backup file,Apps,Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations + 380,Google Earth My Places file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.kml,lazy_ntfs,File which holds favorited locations + 381,Google Earth My Places Backup file (XP),Apps,Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.backup.kml,lazy_ntfs,Backup file which holds favorited locations + 382,Group Policy Files,Communication,Windows\System32\grouppolicy\**10,lazy_ntfs, + 383,Computer Group Policy files,Communication,ProgramData\Microsoft\Group Policy\History\**10,lazy_ntfs, + 384,User Group Policy files,Communication,Users\*\AppData\Local\Microsoft\Group Policy\History\**10,lazy_ntfs, + 385,Local Group Policy INI Files,Communication,Windows.old\Windows\System32\grouppolicy\*.ini,lazy_ntfs, + 386,Local Group 
Policy Files - Registry Policy Files,Communication,Windows\System32\grouppolicy\*.pol,lazy_ntfs,
+ 387,Local Group Policy Files - Registry Policy Files,Communication,Windows.old\Windows\System32\grouppolicy\*.pol,lazy_ntfs,
+ 388,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
+ 389,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows.old\Windows\System32\grouppolicy\*\Scripts\**10,lazy_ntfs,
+ 390,HeidiSQL Backup files (*.sql),Apps,Users\*\AppData\Roaming\HeidiSQL\Backups\*,lazy_ntfs,
+ 391,HeidiSQL (tabs.ini),Apps,Users\*\AppData\Roaming\HeidiSQL\tabs.ini,lazy_ntfs,
+ 392,HexChat Chat Logs,Communications,Users\*\AppData\Roaming\HexChat\logs\**10,lazy_ntfs,
+ 393,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs\**10,lazy_ntfs,
+ 394,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs\**10,lazy_ntfs,
+ 395,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert\excalibur.db,lazy_ntfs,SQLite DB
+ 396,IIS applicationHost.config,Apps,Windows\System32\inetsrv\config\applicationHost.config,lazy_ntfs,This configuration file stores the settings for all your Web sites and applications.
+ 397,IIS administration.config,Apps,Windows\System32\inetsrv\config\administration.config,lazy_ntfs,This configuration file stores the settings for IIS management.
+ 398,IIS redirection.config,Apps,Windows\System32\inetsrv\config\redirection.config,lazy_ntfs,This configuration file contains the settings that indicate the location where the centralized configuration files are stored.
+ 399,web.config,Apps,inetpub\wwwroot\**10\web.config,lazy_ntfs,The web.config is a file that is read by IIS and the ASP.NET Core Module to configure an app hosted with IIS.
+ 400,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
+ 401,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*\*.log,lazy_ntfs,
+ 402,IIS log files,Logs,inetpub\logs\LogFiles\*.log,lazy_ntfs,
+ 403,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*\*.log,lazy_ntfs,
+ 404,IIS log files,Logs,Resources\Directory\*\LogFiles\Web\W3SVC*\*.log,lazy_ntfs,
+ 405,IIS log files,Logs,Windows\system32\LogFiles\HTTPERR\*.log,lazy_ntfs,
+ 406,ISLOnline Logs - Sessions - *.out,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\ISLClient.out,lazy_ntfs,Collects client session logs for one or more sessions
+ 407,ISLOnline Logs - Session Configurations,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\*,lazy_ntfs,Configurations for ISL Light sessions
+ 408,ISL AlwaysOn Logs - Sessions List,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\session.xml,lazy_ntfs,Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)
+ 409,ISL AlwaysOn Logs - Sessions,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\trace.out,lazy_ntfs,Detailed log for each session for ISL AlwaysOn (Unattended Access)
+ 410,ISL AlwaysOn - App Logs,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\*.out,lazy_ntfs,Application logs containg various artifacts.
+ 411,ISL Light Logs - Sessions,Communications,Users\*\AppData\Local\ISL Online Cache\ISL Light\*\trace.out,lazy_ntfs,Collects client session logs for one or more sessions
+ 412,ISL AlwaysOn - Email Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\status\tray,lazy_ntfs,This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)
+ 413,ISL AlwaysOn - Configuration,Communications,Program Files (x86)\ISL Online\ISL AlwaysOn\StaticConfiguration.ini,lazy_ntfs,"Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)"
+ 414,ITarian,Apps,Program Files\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
+ 415,ITarian,Apps,Program Files (x86)\ITarian\Endpoint Manager\rmmlogs,lazy_ntfs,
+ 416,Comodo,Apps,Program Files\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
+ 417,ITarian,Apps,Program Files (x86)\Comodo\Endpoint Manager\rmmlogs,lazy_ntfs,
+ 418,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs\**10,lazy_ntfs,
+ 419,Windows IconCache DB,IconCache,Users\*\AppData\Local\IconCache.db,lazy_ntfs,
+ 420,Idrive Cleanup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\**10\*,lazy_ntfs,Contains individual log files for each archive cleanup operation
+ 421,Idrive Backup Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Backup\**10\*,lazy_ntfs,Contains individual log files for each backup operation
+ 422,Idrive Delete Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Delete\**10\*,lazy_ntfs,Contains individual log files for each delete operation
+ 423,Idrive Restore Operations,Apps,ProgramData\IDrive\IBCOMMON\*\Session\Restore\*,lazy_ntfs,Contains individual log files for each restore operation
+ 424,Idrive Backup Summary,Apps,ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\*xml,lazy_ntfs,Contains summary of each backup session
+ 425,Idrive Tracefile,Apps,ProgramData\IDrive\IBCOMMON\*\Tracefile.txt\Tracefile.txt,lazy_ntfs,Application log which includes error logs for failed uploads
+ 426,Idrive Mapped Drives,Apps,ProgramData\IDrive\IBCOMMON\IDMappedDrives.txt,lazy_ntfs,List of mapped drives for backup
+ 427,Idrive Backup Schedule,Apps,ProgramData\IDrive\IBCOMMON\schedule.xml,lazy_ntfs,Backup schedule configurations
+ 428,Idrive Schedule History,Apps,ProgramData\IDrive\IBCOMMON\Sch_Trace.txt,lazy_ntfs,History of schedule configurations
+ 429,Idrive Configuration,Apps,ProgramData\IDrive\IBCOMMON\idrive.ini,lazy_ntfs,List of Idrive configuration options
+ 430,Idrive Local Drives,Apps,ProgramData\IDrive\IBCOMMON\get_Alldrives.txt,lazy_ntfs,List of all local drives
+ 431,Idrive Exclusion Configurations,Apps,ProgramData\IDrive\IBCOMMON\Exclude*,lazy_ntfs,Files pertaining to exclusion configurations
+ 432,Idrive User Details,Apps,ProgramData\IDrive\IBCOMMON\AutoComp.ini,lazy_ntfs,"Idrive username, Scheduler notification emails, local username"
+ 433,Idrive SQL Databse,Apps,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds,lazy_ntfs,Sql database of local files that are backed up
+ 434,ImgBurn - Application Log File,Apps,Users\*\AppData\Roaming\ImgBurn\Log Files\ImgBurn.log,lazy_ntfs,Contains the ImgBurn application log file.
+ 435,Index.dat History,Communications,Documents and Settings\*\Local Settings\History\History.IE5\index.dat,lazy_ntfs,
+ 436,Index.dat History subdirectory,Communications,Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat,lazy_ntfs,
+ 437,Index.dat cookies,Communications,Documents and Settings\*\Cookies\index.dat,lazy_ntfs,
+ 438,Index.dat UserData,Communications,Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat,lazy_ntfs,
+ 439,Index.dat Office XP,Communications,Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat,lazy_ntfs,
+ 440,Index.dat Office,Communications,Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat,lazy_ntfs,
+ 441,Local Internet Explorer folder,Communications,Users\*\AppData\Local\Microsoft\Internet Explorer\**10,lazy_ntfs,
+ 442,Roaming Internet Explorer folder,Communications,Users\*\AppData\Roaming\Microsoft\Internet Explorer\**10,lazy_ntfs,
+ 443,IE 9/10 History,Communications,Users\*\AppData\Local\Microsoft\Windows\History\**10,lazy_ntfs,
+ 444,IE 9/10 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\Cookies\**10,lazy_ntfs,
+ 445,IE 9/10 Download History,Communications,Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\**10,lazy_ntfs,
+ 446,IE 11 Metadata,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\*,lazy_ntfs,
+ 447,IE 11 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCookies\**10,lazy_ntfs,
+ 448,IrfanView Configuration File,FileKnowledge,Users\*\AppData\Roaming\IrfanView\i_view32.ini,lazy_ntfs,
+ 449,JDownloader 2.0 Download Lists,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
+ 450,JDownloader 2.0 Link Collector,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
+ 451,JDownloader 2.0 General Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder.
+ 452,JDownloader 2.0 Link Grabber Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.
+ 453,JDownloader 2.0 Proxy Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg\**10\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0
+ 454,Java WebStart Cache User Level - Default,Communication,Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 455,Java WebStart Cache User Level - IE Protected Mode,Communication,Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 456,Java WebStart Cache System level,Communication,Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 457,Java WebStart Cache System level,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 458,Java WebStart Cache System level - IE Protected Mode,Communication,Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 459,Java WebStart Cache System level - IE Protected Mode,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 460,Java WebStart Cache System level (SysWow64),Communication,Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 461,Java WebStart Cache System level (SysWow64),Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 462,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 463,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 464,Java WebStart Cache User Level - XP,Communications,Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx,lazy_ntfs,
+ 465,Kali WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\debian_version,lazy_ntfs,
+ 466,Kali WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\fstab,lazy_ntfs,
+ 467,Kali WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\os-release,lazy_ntfs,
+ 468,Kali WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\passwd,lazy_ntfs,
+ 469,Kali WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\group,lazy_ntfs,
+ 470,Kali WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\shadow,lazy_ntfs,
+ 471,Kali WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\timezone,lazy_ntfs,
+ 472,Kali WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hostname,lazy_ntfs,
+ 473,Kali WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hosts,lazy_ntfs,
+ 474,Kali WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\crontab,lazy_ntfs,
+ 475,Kali WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
+ 476,Kali WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\profile,lazy_ntfs,
+ 477,Kali WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
+ 478,Kali WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
+ 479,Kali WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**10\.profile,lazy_ntfs,
+ 480,Kali WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
+ 481,Kali WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
+ 482,Kali WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\ext4.vhdx,lazy_ntfs,
+ 483,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 484,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 485,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 486,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint\**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 487,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*\agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 488,Kaseya Setup Log,ApplicationLogs,Users\*\AppData\Local\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 489,Kaseya Setup Log,ApplicationLogs,Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 490,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp\KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 491,Kaseya Agent Edge Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\KaseyaEdgeServices\**10,lazy_ntfs,https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
+ 492,Keepass User Config,App,Users\*\AppData\Roaming\KeePass\*.xml,lazy_ntfs,Collecting Keepass User Configuration File
+ 493,Keepass Config Xml,App,Program Files\KeePass Password Safe*\*.xml,lazy_ntfs,Collecting Keepass Configuration File
+ 494,Keepass Application Details,App,Program Files\KeePass Password Safe*\*.config,lazy_ntfs,Collecting Keepass Application Details
+ 495,Keepass Local Ini,App,Users\*\AppData\Local\KeePassXC\*.ini,lazy_ntfs,
+ 496,Keepass Roaming Ini,App,Users\*\AppData\Roaming\KeePassXC\*.ini,lazy_ntfs,
+ 497,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs,Also includes automatic and custom jumplist directories
+ 498,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs,
+ 499,Start Menu LNK Files,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
+ 500,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent\**10,lazy_ntfs,
+ 501,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop\*.LNK,lazy_ntfs,
+ 502,Desktop LNK Files,LNKFiles,Users\*\Desktop\*.LNK,lazy_ntfs,
+ 503,Restore point LNK Files XP,LNKFiles,System Volume Information\_restore*\RP*\*.LNK,lazy_ntfs,
+ 504,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs\*.LNK,lazy_ntfs,
+ 505,Level RMM Client Application logs,ApplicationLogs,Program Files\Level\*.log,lazy_ntfs,Contains Application Log entries such as service start and incoming connections.
+ 506,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history,lazy_ntfs,
+ 507,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout,lazy_ntfs,
+ 508,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc,lazy_ntfs,
+ 509,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile,lazy_ntfs,
+ 510,User Files - Desktop,LiveUserFiles,Users\*\Desktop\**10,lazy_ntfs,
+ 511,User Files - Documents,LiveUserFiles,Users\*\Documents\**10,lazy_ntfs,
+ 512,User Files - Downloads,LiveUserFiles,Users\*\Downloads\**10,lazy_ntfs,
+ 513,User Files - Dropbox,LiveUserFiles,Users\*\Dropbox*\**10,lazy_ntfs,
+ 514,LogFiles,Logs,Windows\System32\LogFiles\**10,lazy_ntfs,
+ 515,LogFiles,Logs,Windows.old\Windows\System32\LogFiles\**10,lazy_ntfs,
+ 516,Error logging,Misc,windows\PFRO.log,lazy_ntfs,
+ 517,LogMeIn ProgramData Logs,ApplicationLogs,ProgramData\LogMeIn\Logs\**10,lazy_ntfs,
+ 518,LogMeIn Application Logs,ApplicationLogs,Users\*\AppData\Local\temp\LogMeInLogs\**10,lazy_ntfs,"Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"
+ 519,MOF files,WMI,**10\*.MOF,lazy_ntfs,
+ 520,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG,lazy_ntfs,
+ 521,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*,lazy_ntfs,
+ 522,Macrium Reflect,Apps,ProgramData\Macrium\Macrium Service\*,lazy_ntfs,Copies out all log files
+ 523,Macrium Reflect,Apps,ProgramData\Macrium\Reflect\*,lazy_ntfs,Copies out the Reflect folder which contains many important logs
+ 524,Macrium Reflect,Apps,ProgramData\Macrium\Reflect Launcher,lazy_ntfs,Copies out the Reflect folder which contains many important logs
+ 525,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml,lazy_ntfs,
+ 526,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log*,lazy_ntfs,
+ 527,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\**10,lazy_ntfs,
+ 528,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults\**10,lazy_ntfs,
+ 529,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs\**10,lazy_ntfs,
+ 530,ManageEngine ADSelfService Plus Log Files,Logs,ManageEngine\ADSelfService Plus\logs\**10,lazy_ntfs,
+ 531,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB\**10,lazy_ntfs,Locates Mattermost logs and copies them
+ 532,McAfee Desktop Protection Logs XP,Antivirus,Users\All Users\Application Data\McAfee\DesktopProtection\**10,lazy_ntfs,
+ 533,McAfee Desktop Protection Logs,Antivirus,ProgramData\McAfee\DesktopProtection\**10,lazy_ntfs,
+ 534,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
+ 535,McAfee Endpoint Security Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs_Old\**10,lazy_ntfs,
+ 536,McAfee VirusScan Logs,Antivirus,ProgramData\Mcafee\VirusScan\**10,lazy_ntfs,
+ 537,McAfee ePO Logs,Antivirus,ProgramData\McAfee\Endpoint Security\Logs\**10,lazy_ntfs,
+ 538,MediaMonkey - Media SQLite Database,Apps,Users\*\AppData\Roaming\MediaMonkey\MM.DB,lazy_ntfs,Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey
+ 539,MediaMonkey - MediaMonkey.ini,Apps,Users\*\AppData\Roaming\MediaMonkey\MediaMonkey.ini,lazy_ntfs,Locates .ini file which contains information about the user's MediaMonkey application instance
+ 540,MegaSync Folder,ApplicationLogs,Users\*\AppData\Local\Mega Limited\MEGAsync\**10,lazy_ntfs,
+ 541,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs,
+ 542,pagefile.sys,Memory,pagefile.sys,lazy_ntfs,
+ 543,swapfile.sys,Memory,swapfile.sys,lazy_ntfs,
+ 544,Small Memory Dump directory,Memory,Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
+ 545,Small Memory Dump directory,Memory,Windows.old\Windows\Minidump\*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump
+ 546,MeshAgent .msh (configuration) file,Apps,Program Files\Mesh Agent\**10\*.msh,lazy_ntfs,Grabs all .msh (config) files present in this folder
+ 547,MeshAgent log file,Logs,Program Files\Mesh Agent\**10\*.log,lazy_ntfs,Grabs all .log files present in this folder
+ 548,Microsoft Office Backstage,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\BackstageinAppNavCache\**10,lazy_ntfs,
+ 549,Microsoft OneNote - FullTextSearchIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content
+ 550,Microsoft OneNote - RecentNotebooks_SeenURLs,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks
+ 551,Microsoft OneNote - AccessibilityCheckerIndex,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history
+ 552,Microsoft OneNote - User NoteTags,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide
+ 553,Microsoft OneNote - RecentSearches,Apps,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote
+ 554,Windows Safety Scanner Logs,Antivirus,Windows\Debug\msert.log,lazy_ntfs,
+ 555,"Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes\StickyNotes.snt,lazy_ntfs,
+ 556,Microsoft Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs,
+ 557,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\**10,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more"
+ 558,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\**10,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more"
+ 559,Microsoft Teams Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Cache\**10,lazy_ntfs,Chromium cache which can be viewed with Nirsoft's ChromeCacheView
+ 560,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams\desktop-config.json,lazy_ntfs,JSON config file for Teams
+ 561,Microsoft Teams Logs (Windows 11),Apps,Users\%User%\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs,lazy_ntfs,Lots of log files for MS Teams
+ 562,Microsoft To Do - SQLite Database of To Do tasks,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs,
+ 563,Microsoft To Do - User Avatar,Apps,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\UserAvatar.jpg,lazy_ntfs,
+ 564,Midnight Commander -- All Configuation Files,Apps,Users\*\Midnight Commander\*,lazy_ntfs,Locates folder where all configuration files reside
+ 565,Multi Commander - Application Folder,Apps,Users\*\AppData\Local\MultiCommander*\**10,lazy_ntfs,Locates the contents of the Application folder.
+ 566,Multi Commander - Config Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Config\**10,lazy_ntfs,Locates the contents of the Config folder.
+ 567,Multi Commander - Log Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\Logs\**10,lazy_ntfs,Locates log file(s) related to user activity within Multi Commander.
+ 568,Multi Commander - UserData Folder,Apps,Users\*\AppData\Roaming\MultiCommander*\UserData\**10,lazy_ntfs,Locates the contents of the UserData folder.
+ 569,Multi Commander - Log File,Apps,Users\*\AppData\Roaming\MultiCommander*\**10\*MultiCommander.log,lazy_ntfs,Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.
+ 570,.NET CLR UsageLogs (user-scoped),.NET CLR UsageLogs,Users\*\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
+ 571,.NET CLR UsageLogs (system-scoped),.NET CLR UsageLogs,Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\**10\*.log,lazy_ntfs,
+ 572,NGINX Log Files,Logs,nginx\logs\*.log,lazy_ntfs,
+ 573,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet\nzbget.log,lazy_ntfs,Locates NZBGet download log file
+ 574,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\*,lazy_ntfs,Locates NZBGet NZB files that were used by the user
+ 575,Nessus Logs,Nessus,ProgramData\Tenable\Nessus\conf\**10,lazy_ntfs,
+ 576,Nessus Logs,Nessus Logs,ProgramData\Tenable\Nessus\nessus\logs\**10,lazy_ntfs,
+ 577,Net Monitor Server Logs,ApplicationLogs,ProgramData\Net Monitor for Employees Pro\log\*\**10,lazy_ntfs,Contains Net Monitor server logs
+ 578,Net Monitor Server Data,Communication,ProgramData\Net Monitor for Employees Pro\data\**10,lazy_ntfs,Contains Net Monitor server data - Indicates what have been seen as the attacker
+ 579,Net Monitor Server Config,Apps,ProgramData\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor server config
+ 580,Net Monitor Server Temp Folder,Apps,ProgramData\Net Monitor for Employees Pro\tmp\**10,lazy_ntfs,
+ 581,Net Monitor Client Logs,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\log\**10,lazy_ntfs,Contains Net Monitor client logs
+ 582,Net Monitor Client Config,ApplicationLogs,Program Files*\Net Monitor for Employees Pro\config\**10,lazy_ntfs,Contains Net Monitor client config
+ 583,Usenet Clients - Newsbin Pro,FileDownload,Users\*\AppData\Local\Newsbin\Downloaded.db3,lazy_ntfs,Locates Newsbin Pro download log database
+ 584,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher\downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file
+ 585,Nicotine++ Logs,FileDownload,Users\%User%\AppData\Roaming\nicotine\logs\**10,lazy_ntfs,"Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)"
+ 586,Nicotine++ Incomplete Downloads,FileDownload,Users\%User%\AppData\Roaming\nicotine\incomplete\**10,lazy_ntfs,Locates files that did not finish downloading
+ 587,Nicotine++ Buddyfiles.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddyfiles.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
+ 588,Nicotine++ Buddystreams.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddystreams.db\**10,lazy_ntfs,Locates a DB that appears to include shared files from a user's buddy list
+ 589,Nicotine++ Buddymtimes.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddymtimes.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a folder level"
+ 590,Nicotine++ Buddyfileindex.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddyfileindex.db\**10,lazy_ntfs,"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a file level"
+ 591,Nicotine++ Buddywordindex.db,FileDownload,Users\%User%\AppData\Roaming\nicotine\buddywordindex.db\**10,lazy_ntfs,Unknown what this is for at this time
+ 592,Nicotine++ Config Files,FileDownload,Users\%User%\AppData\Roaming\nicotine\config\**10,lazy_ntfs,Locates config files
+ 593,Nicotine++ User Shares,FileDownload,Users\%User%\AppData\Roaming\nicotine\usershares\**10,lazy_ntfs,Locates a DB that appears to store a list of files per user that they are sharing within Nicotine++. Note: this requires the user to right-click -> browse files shared by that user
+ 594,Nicotine++ Downloads.json,FileDownload,Users\%User%\AppData\Roaming\nicotine\downloads.json*,lazy_ntfs,Locates downloads.json
+ 595,Nicotine++ Uploads.json,FileDownload,Users\%User%\AppData\Roaming\nicotine\uploads.json*,lazy_ntfs,Locates uploads.json
+ 596,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup\**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
+ 597,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++\config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
+ 598,Notepad++ Session,Text Editor,Users\*\AppData\Roaming\Notepad++\session.xml,lazy_ntfs,Retrieves session.xml which contains session date
+ 599,Notepad Session Files,Windows Notepad,Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\*.bin,lazy_ntfs,Contains .bin files which consist of the files opened in each tab in Windows Notepad
+ 600,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs,"Local storage file containing all pages, databases, users, etc."
+ 601,Notion Custom Dictionary,App,Users\*\AppData\Roaming\Notion\Partitions\notion\Custom Dictionary.txt,lazy_ntfs,
+ 602,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\**10,lazy_ntfs,
+ 603,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\**10,lazy_ntfs,
+ 604,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint\**10,lazy_ntfs,
+ 605,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\**10,lazy_ntfs,
+ 606,Office Diagnostics,Execution,Users\*\AppData\Local\Diagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
+ 607,Office Elevated Diagnostics,Execution,Users\*\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml,lazy_ntfs,Payloads for CVE-2022-30190 ('Follina') will be in this log
+ 608,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\**10,lazy_ntfs,
+ 609,One Commander - All Configuration Files,Apps,Users\*\OneCommander\*,lazy_ntfs,Locates folder where all configuration files reside
+ 610,One Commander - Other Configuration Files,Apps,Users\*\AppData\Local\Apps\2.0\*\*\onec*\**10,lazy_ntfs,Locates folder where all configuration files reside
+ 611,OneDrive Metadata Logs,Apps,Users\*\AppData\Local\Microsoft\OneDrive\logs\**10,lazy_ntfs,
+ 612,OneDrive Metadata Settings,Apps,Users\*\AppData\Local\Microsoft\OneDrive\settings\**10,lazy_ntfs,
+ 613,OneDrive User Files,Apps,Users\*\OneDrive*\**10,lazy_ntfs,Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network.
+ 614,OpenSSH Config File,Apps,Users\*\.ssh\config,lazy_ntfs,"Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server"
+ 615,OpenSSH Known Hosts,Apps,Users\*\.ssh\known_hosts,lazy_ntfs,"Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints"
+ 616,OpenSSH Public Keys,Apps,Users\*\.ssh\*.pub,lazy_ntfs,"Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same."
+ 617,OpenSSH Default RSA Private Key,Apps,Users\*\.ssh\id_rsa,lazy_ntfs,Default name for an auto-generated SSH RSA private key
+ 618,OpenSSH Default ECDSA Private Key,Apps,Users\*\.ssh\id_ecdsa,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key
+ 619,OpenSSH Default ECDSA-SK Private Key,Apps,Users\*\.ssh\id_ecdsa_sk,lazy_ntfs,Default name for an auto-generated SSH ECDSA private key using a Security Key
+ 620,OpenSSH Default ED25519 Private Key,Apps,Users\*\.ssh\id_ed25519,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key
+ 621,OpenSSH Default ED25519-SK Private Key,Apps,Users\*\.ssh\id_ed25519_sk,lazy_ntfs,Default name for an auto-generated SSH ED25519 private key using a Security Key
+ 622,OpenSSH Default DSA Private Key,Apps,Users\*\.ssh\id_dsa,lazy_ntfs,Default name for an auto-generated SSH DSA private key
+ 623,OpenSSH Server Config File,Apps,ProgramData\ssh\sshd_config,lazy_ntfs,Config file can hold information on allowed/denied users
+ 624,OpenSSH Server Logs,Apps,ProgramData\ssh\logs\*,lazy_ntfs,OpenSSH server logs
+ 625,OpenSSH Host ECDSA Key,Apps,ProgramData\ssh\ssh_host_ecdsa_key,lazy_ntfs,Retrieves the host ECDSA key
+ 626,OpenSSH Host ED25519 Key,Apps,ProgramData\ssh\ssh_host_ed25519_key,lazy_ntfs,Retrieves the host ED25519 key
+ 627,OpenSSH Host DSA Key,Apps,ProgramData\ssh\ssh_host_dsa_key,lazy_ntfs,Retrieves the host DSA key
+ 628,OpenSSH Host RSA Key,Apps,ProgramData\ssh\ssh_host_rsa_key,lazy_ntfs,Retrieves the host RSA key
+ 629,OpenSSH User Authorized Keys,Apps,Users\*\.ssh\authorized_keys,lazy_ntfs,Retrieves the user's authorised public keys
+ 630,OpenSSH User Authorized Keys 2,Apps,Users\*\.ssh\authorized_keys2,lazy_ntfs,Retrieves the user's authorised public keys from the second file
+ 631,OpenSSH Authorized Administrator Keys,Apps,ProgramData\ssh\administrators_authorized_keys,lazy_ntfs,Retrieves the administrator group's authorised public keys
+ 632,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
+ 633,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config\**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
+ 634,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log\*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
+ 635,Opera - Local Folder,Communications,Users\*\AppData\Local\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Local folder
+ 636,Opera - Roaming Folder,Communications,Users\*\AppData\Roaming\Opera Software\Opera Stable\**10,lazy_ntfs,Grabs entire contents of the Opera AppData\Roaming folder
+ 637,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst,lazy_ntfs,
+ 638,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost,lazy_ntfs,
+ 639,PST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.pst,lazy_ntfs,
+ 640,OST (2013 or 2016),Communications,Users\*\Documents\Outlook Files\*.ost,lazy_ntfs,
+ 641,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.pst,lazy_ntfs,"Outlook Data File: POP accounts, archives, older installations"
+ 642,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.ost,lazy_ntfs,"Offline Outlook Data File: M365, Exchange, IMAP"
+ 643,NST,Communications,Users\*\AppData\Local\Microsoft\Outlook\*.nst,lazy_ntfs,Outlook Group Storage File: Group conversations and calendar
+ 644,Outlook Attachment Temporary Storage,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\**10,lazy_ntfs,Outlook temporary storage folder for user attachments
+ 645,PeaZip Configuration Files,FileKnowledge,Users\*\AppData\Roaming\PeaZip\**10,lazy_ntfs,
+ 646,Perflogs,Application,PerfLogs\**10,lazy_ntfs,
+ 647,PowerShell 7 Config JSON,PowerShell,Program Files\PowerShell\7\powershell.config.json,lazy_ntfs,
+ 648,PowerShell Console Log,PowerShellConsoleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*_history.txt,lazy_ntfs,
+ 649,PowerShell Console Log Systemprofile,PowerShellConsoleLog,Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
+ 650,PowerShell Console Log WOW64 Systemprofile,PowerShellConsoleLog,Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt,lazy_ntfs,
+ 651,PowerShell Transcripts - Default Location,PowerShellTranscripts,Users\*\Documents\PowerShell_transcript.*.txt,lazy_ntfs,
+ 652,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Users\*\Documents\20*\PowerShell_transcript.*.txt,lazy_ntfs,
+ 653,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\SysWOW64\*\PowerShell_transcript.*.txt,lazy_ntfs,
+ 654,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Program Files\Amazon\Ec2ConfigService\Scripts\*\PowerShell_transcript.*.txt,lazy_ntfs,
+ 655,PowerShell Transcripts - Observed Location,PowerShellTranscripts,Windows\System32\*\PowerShell_transcript.*.txt,lazy_ntfs,
+ 656,Prefetch,Prefetch,Windows\prefetch\*.pf,lazy_ntfs,
+ 657,Prefetch,Prefetch,Windows.old\Windows\prefetch\*.pf,lazy_ntfs,
+ 658,ProgramData,Application Data,ProgramData\**10,lazy_ntfs,
+ 659,ProtonVPN - Connection Logs,ApplicationLogs,Users\*\AppData\Local\ProtonVPN\Logs,lazy_ntfs,Locates ProtonVPN connection logs.
+ 660,Puffin - data.db,Communications,Users\*\AppData\Local\PuffinSecureBrowser\data.db,lazy_ntfs,Grabs an important database file that contains browser history
+ 661,Puffin - Autocomplete Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\autocompletes.dat,lazy_ntfs,Grabs a file that stores autocomplete data
+ 662,Puffin - Password Forms Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\passwordForms.dat,lazy_ntfs,Grabs a file that stores some saved password data
+ 663,Puffin - Password (Encrypted),Communications,Users\*\AppData\Local\PuffinSecureBrowser\credential.dat,lazy_ntfs,Grabs a file that stores passwords in an encrypted format
+ 664,Puffin - Subscription Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser\subscription,lazy_ntfs,Grabs a file that stores the user's email address that's associated with their Puffin subscription
+ 665,Puffin - Cookies,Communications,Users\*\AppData\Local\PuffinSecureBrowser\cookies.dat,lazy_ntfs,Grabs a file that stores information related to cookies
+ 666,Puffin - Image Cache,Communications,Users\*\AppData\Local\PuffinSecureBrowser\image_cache\**10,lazy_ntfs,Grabs a directory that caches images from websites visited
+ 667,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
+ 668,WNS,WNS,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
+ 669,Q-Dir - .ini File,Apps,Users\*\AppData\Roaming\Q-Dir\Q-Dir.ini,lazy_ntfs,Locates .ini file associated with Q-Dir which stores useful user activity information.
+ 670,Q-Dir - .qdr file,Apps,Users\*\AppData\Roaming\Q-Dir\start.qdr,lazy_ntfs,"Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately)."
+ 671,QFinderPro,Apps,Users\*\AppData\Local\QNAP\QfinderPro,lazy_ntfs,Locates a JSON file that provides network location information for any QNAP connected devices.
+ 672,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.txt,lazy_ntfs,Collects the proxy logs for Qlik Sense + 673,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Proxy\**10\*.log,lazy_ntfs,Collects the proxy logs for Qlik Sense + 674,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.txt,lazy_ntfs,Collects the scheduler logs for Qlik Sense + 675,Qlik Sense Logs,Software,ProgramData\Qlik\Sense\Log\Scheduler\**10\*.log,lazy_ntfs,Collects the scheduler logs for Qlik Sense + 676,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs, + 677,Windows.old RDP Cache Files,FileSystem,Windows.old\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs, + 678,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs, + 679,RDP Jumplist Files,FileSystem,Users\*\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\**10,lazy_ntfs, + 680,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, + 681,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, + 682,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, + 683,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, + 684,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, + 685,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, + 686,RDPCoreTS Event 
Logs,EventLogs,Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP + 687,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP + 688,Radmin Server 32bit Log,ApplicationLogs,Windows\SysWOW64\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections. + 689,Radmin Server 64bit Log,ApplicationLogs,Windows\System32\rserver30\Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections. + 690,Radmin Server 32bit Chats,ApplicationLogs,Windows\SysWOW64\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs + 691,Radmin Server 64bit Chats,ApplicationLogs,Windows\System32\rserver30\CHATLOGS\*\*.htm,lazy_ntfs,Previous chat logs + 692,Radmin Viewer Chats,ApplicationLogs,Users\*\Documents\ChatLogs\*\*.htm,lazy_ntfs,Previous chat logs + 693,Rclone Config,Apps,**10\rclone.conf,lazy_ntfs, + 694,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs, + 695,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs\RecentFileCache.bcf,lazy_ntfs, + 696,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$R*,lazy_ntfs, + 697,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\*\$R*\**10,lazy_ntfs, + 698,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\D*,lazy_ntfs, + 699,Recycle Bin - Windows Vista+,FileDeletion,$Recycle.Bin\**10\$I*,lazy_ntfs, + 700,RECYCLER - WinXP,FileDeletion,RECYCLE*\**10\INFO2,lazy_ntfs, + 701,Registry.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\Registry.dat*,lazy_ntfs, + 702,User.dat MSIX Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\User.dat*,lazy_ntfs, + 703,UserClasses.dat MSIX 
Hive,Registry,Users\*\AppData\Local\Packages\*\SystemAppData\Helium\UserClasses.dat*,lazy_ntfs, + 704,BBI registry hive,Registry,Windows\System32\config\BBI,lazy_ntfs, + 705,BBI registry hive,Registry,Windows.old\Windows\System32\config\BBI,lazy_ntfs, + 706,BBI registry transaction files,Registry,Windows\System32\config\BBI.LOG*,lazy_ntfs, + 707,BBI registry transaction files,Registry,Windows.old\System32\config\BBI.LOG*,lazy_ntfs, + 708,BCD-Template registry hive,Registry,Windows\System32\config\BCD-Template,lazy_ntfs, + 709,BCD-Template registry hive,Registry,Windows.old\Windows\System32\config\BCD-Template,lazy_ntfs, + 710,BCD-Template registry transaction files,Registry,Windows\System32\config\BCD-Template.LOG*,lazy_ntfs, + 711,BCD-Template registry transaction files,Registry,Windows.old\System32\config\BCD-Template.LOG*,lazy_ntfs, + 712,COMPONENTS registry hive,Registry,Windows\System32\config\COMPONENTS,lazy_ntfs, + 713,COMPONENTS registry hive,Registry,Windows.old\Windows\System32\config\COMPONENTS,lazy_ntfs, + 714,COMPONENTS registry transaction files,Registry,Windows\System32\config\COMPONENTS.LOG*,lazy_ntfs, + 715,COMPONENTS registry transaction files,Registry,Windows.old\System32\config\COMPONENTS.LOG*,lazy_ntfs, + 716,DRIVERS registry hive,Registry,Windows\System32\config\DRIVERS,lazy_ntfs, + 717,DRIVERS registry hive,Registry,Windows.old\Windows\System32\config\DRIVERS,lazy_ntfs, + 718,DRIVERS registry transaction files,Registry,Windows\System32\config\DRIVERS.LOG*,lazy_ntfs, + 719,DRIVERS registry transaction files,Registry,Windows.old\System32\config\DRIVERS.LOG*,lazy_ntfs, + 720,ELAM registry hive,Registry,Windows\System32\config\ELAM,lazy_ntfs, + 721,ELAM registry hive,Registry,Windows.old\Windows\System32\config\ELAM,lazy_ntfs, + 722,ELAM registry transaction files,Registry,Windows\System32\config\ELAM.LOG*,lazy_ntfs, + 723,ELAM registry transaction files,Registry,Windows.old\System32\config\ELAM.LOG*,lazy_ntfs, + 724,userdiff registry 
hive,Registry,Windows\System32\config\userdiff,lazy_ntfs, + 725,userdiff registry hive,Registry,Windows.old\Windows\System32\config\userdiff,lazy_ntfs, + 726,userdiff registry transaction files,Registry,Windows\System32\config\userdiff.LOG*,lazy_ntfs, + 727,userdiff registry transaction files,Registry,Windows.old\System32\config\userdiff.LOG*,lazy_ntfs, + 728,VSMIDK registry hive,Registry,Windows\System32\config\VSMIDK,lazy_ntfs, + 729,VSMIDK registry hive,Registry,Windows.old\Windows\System32\config\VSMIDK,lazy_ntfs, + 730,VSMIDK registry transaction files,Registry,Windows\System32\config\VSMIDK.LOG*,lazy_ntfs, + 731,VSMIDK registry transaction files,Registry,Windows.old\System32\config\VSMIDK.LOG*,lazy_ntfs, + 732,SAM registry transaction files,Registry,Windows\System32\config\SAM.LOG*,lazy_ntfs, + 733,SAM registry transaction files,Registry,Windows.old\Windows\System32\config\SAM.LOG*,lazy_ntfs, + 734,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs, + 735,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs, + 736,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, + 737,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, + 738,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, + 739,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, + 740,SAM registry hive,Registry,Windows\System32\config\SAM,lazy_ntfs, + 741,SAM registry hive,Registry,Windows.old\Windows\System32\config\SAM,lazy_ntfs, + 742,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs, + 743,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs, + 744,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs, + 745,SOFTWARE registry 
hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs, + 746,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs, + 747,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs, + 748,RegBack registry transaction files,Registry,Windows\System32\config\RegBack\*.LOG*,lazy_ntfs, + 749,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack\*.LOG*,lazy_ntfs, + 750,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SAM,lazy_ntfs, + 751,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SAM,lazy_ntfs, + 752,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs, + 753,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs, + 754,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, + 755,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, + 756,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, + 757,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, + 758,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, + 759,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, + 760,System Profile registry hive,Registry,Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs, + 761,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT,lazy_ntfs, + 762,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs, + 763,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*,lazy_ntfs, + 764,Local Service registry 
hive,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs, + 765,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT,lazy_ntfs, + 766,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs, + 767,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*,lazy_ntfs, + 768,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs, + 769,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT,lazy_ntfs, + 770,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs, + 771,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*,lazy_ntfs, + 772,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*,lazy_ntfs, + 773,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*\NTUSER.DAT,lazy_ntfs, + 774,NTUSER.DAT registry hive,Registry,Users\*\NTUSER.DAT,lazy_ntfs, + 775,NTUSER.DAT registry transaction files,Registry,Users\*\NTUSER.DAT.LOG*,lazy_ntfs, + 776,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config\DEFAULT,lazy_ntfs, + 777,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config\DEFAULT,lazy_ntfs, + 778,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config\DEFAULT.LOG*,lazy_ntfs, + 779,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config\DEFAULT.LOG*,lazy_ntfs, + 780,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat,lazy_ntfs, + 781,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*,lazy_ntfs, + 782,RemoteUtilities Connection Logs,Remote Access,Program 
Files*\Remote Utilities - Host\Logs\rut_log_*.html,lazy_ntfs,Includes connection log files + 783,RemoteUtilities Install Log,Remote Access,ProgramData\Remote Utilities\install.log,lazy_ntfs,Includes Install log file + 784,NTUSER.DAT registry hive,Registry,**10\NTUSER.DAT,lazy_ntfs, + 785,NTUSER.DAT registry transaction files,Registry,**10\NTUSER.DAT.LOG*,lazy_ntfs, + 786,NTUSER.DAT DEFAULT registry hive,Registry,**10\DEFAULT,lazy_ntfs, + 787,NTUSER.DAT DEFAULT transaction files,Registry,**10\DEFAULT.LOG*,lazy_ntfs, + 788,UsrClass.dat registry hive,Registry,**10\UsrClass.dat,lazy_ntfs, + 789,UsrClass.dat registry transaction files,Registry,**10\UsrClass.dat.LOG*,lazy_ntfs, + 790,LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs, + 791,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs, + 792,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel\*,lazy_ntfs, + 793,PowerPoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\PowerPoint\*,lazy_ntfs, + 794,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher\*,lazy_ntfs, + 795,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word\*,lazy_ntfs, + 796,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs, + 797,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*,lazy_ntfs, + 798,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, + 799,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs, + 800,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs, + 801,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\**10\Cookies*,lazy_ntfs, + 802,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User 
Data\*\Current Session,lazy_ntfs, + 803,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs, + 804,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, + 805,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs, + 806,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs, + 807,Chrome Download Metadata,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs, + 808,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs, + 809,Chrome Extension Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs, + 810,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, + 811,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs, + 812,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs, + 813,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs, + 814,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs, + 815,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs, + 816,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, + 817,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs, + 818,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs, + 819,Chrome Sessions Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*,lazy_ntfs, + 820,Chrome Login 
Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs, + 821,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs, + 822,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs, + 823,Chrome Media History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs, + 824,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs, + 825,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs, + 826,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs, + 827,Chrome Network Persistent State,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs, + 828,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs, + 829,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs, + 830,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs, + 831,Chrome Quota Manager,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs, + 832,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs, + 833,Chrome Reporting and NEL,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs, + 834,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, + 835,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs, + 836,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, 
+ 837,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs, + 838,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs, + 839,Chrome Trust Tokens,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs, + 840,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, + 841,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs, + 842,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, + 843,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs, + 844,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, + 845,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs, + 846,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption + 847,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*\**10,lazy_ntfs,Required for offline decryption + 848,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs, + 849,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**10,lazy_ntfs, + 850,Amcache,ApplicationCompatibility,**10\Amcache.hve,lazy_ntfs, + 851,Amcache transaction files,ApplicationCompatibility,**10\Amcache.hve.LOG*,lazy_ntfs, + 852,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs, + 853,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent\**10,lazy_ntfs, + 854,LNK Files from Microsoft Office 
Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs, + 855,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent\**10,lazy_ntfs, + 856,Desktop LNK Files,LNKFiles,**10\*.LNK,lazy_ntfs, + 857,Robo-FTP User Scripts,Apps,Program Files\Robo-FTP 3.12\UserData\*\Scripts\*.s,lazy_ntfs,Custom scripts created by each user + 858,Robo-FTP User Debug Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Debug\*.log,lazy_ntfs,"Debug logs generated for each user, if enabled" + 859,Robo-FTP User Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\UserData\*\Logs\*,lazy_ntfs,Script and Trace logs generated for each user + 860,Robo-FTP User XML Config,Apps,Program Files\Robo-FTP 3.12\UserData\*\config.xml,lazy_ntfs,Config.xml unique to each user. Contains list of custom scripts and ftp sites + 861,Robo-FTP User SSH Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\*,lazy_ntfs,Saved SSH keys for each user + 862,Robo-FTP User SSL Certificates,Apps,Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\*,lazy_ntfs,Saved SSL Certificates for each user + 863,Robo-FTP User PGP Keys,Apps,Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\*,lazy_ntfs,Saved PGP Keys for each user + 864,Robo-FTP SSH Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\*,lazy_ntfs,Shared SSH keys + 865,Robo-FTP SSL Certificates,Apps,Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\*,lazy_ntfs,Shared SSL Certificates + 866,Robo-FTP PGP Keys,Apps,Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\*,lazy_ntfs,Shared PGP Keys + 867,Robo-FTP Debug Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Debug\*,lazy_ntfs,Debug logs generated by Robo-FTP + 868,Robo-FTP Script/Trace Logs,Apps,Program Files\Robo-FTP 3.12\ProgramData\Logs\*,lazy_ntfs,Script and Trace logs generated by Robo-FTP + 869,Robo-FTP XML Config,Apps,Program Files\Robo-FTP 3.12\ProgramData\config.xml,lazy_ntfs,Config.xml. 
Contains list of custom scripts and ftp sites + 870,Robo-FTP Jobs,Apps,Program Files\Robo-FTP 3.12\ProgramData\SchedulerService.sqlite,lazy_ntfs,Contains details of scheduled jobs + 871,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs\AdliceReport_*.json,lazy_ntfs, + 872,RustDesk logs,Communications,Users\*\AppData\Roaming\RustDesk\*,lazy_ntfs,Collects all log files related to RustDesk + 873,RustDesk logs,Communications,Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server,lazy_ntfs,Collects all log files related to RustDesk + 874,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs\sabnzbd.log,lazy_ntfs,Locates SABnzbd download log + 875,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin\history1.db,lazy_ntfs,Locates SABnzbd history log + 876,SCCM Client Log Files,Logs,Windows\CCM\Logs,lazy_ntfs, + 877,SDB Files,Executables,Windows\apppatch\Custom\*.sdb,lazy_ntfs, + 878,SDB Files,Executables,Windows.old\Windows\apppatch\Custom\*.sdb,lazy_ntfs, + 879,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs, + 880,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64\*.sdb,lazy_ntfs, + 881,4K Video Downloader,SQLDatabases,Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite,lazy_ntfs,Grabs database(s) that stores user download history + 882,Microsoft OneNote - FullTextSearchIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's text content + 883,Microsoft OneNote - RecentNotebooks_SeenURLs,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs,lazy_ntfs,Grabs a file that appears to record recently seen OneNote notebooks + 884,Microsoft OneNote - 
AccessibilityCheckerIndex,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex,lazy_ntfs,Grabs database(s) comprising of each OneNote notebook's version sync error history + 885,Microsoft OneNote - User NoteTags,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db,lazy_ntfs,Grabs a database that stores the user specified tags within OneNote to be used application-wide + 886,Microsoft OneNote - RecentSearches,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db,lazy_ntfs,Grabs a database that stores the user's recent searches within OneNote + 887,Microsoft Sticky Notes - 1607 and later,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*,lazy_ntfs, + 888,Microsoft To Do - SQLite Database of To Do tasks,SQLDatabases,Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*,lazy_ntfs, + 889,Robo-FTP Jobs,Apps,Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite,lazy_ntfs, + 890,TeraCopy - History Databases,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\History\*.db,lazy_ntfs, + 891,TeraCopy - Main Database,SQLDatabases,Users\*\AppData\Roaming\TeraCopy\main.db,lazy_ntfs, + 892,Notion Local Storage,App,Users\*\AppData\Roaming\Notion\notion.db,lazy_ntfs, + 893,IDrive Backed Up Files,App,ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs,lazy_ntfs, + 894,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\filecache.db*,lazy_ntfs,Getting individual files because folder may contain very large extraneous files + 895,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\config.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files + 896,Dropbox 
Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\home.db,lazy_ntfs,SQlite database which appears to keep track of the user's recent Dropbox activity
+ 897,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\icon.db,lazy_ntfs,SQLite database which appears to keep track of icons in the user's Drobox sync history which can give an indication as to which files and folders are present
+ 898,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync_history.db,lazy_ntfs,SQLite database which appears to keep track of the user's Drobox sync history
+ 899,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*,lazy_ntfs,SQLite database which appears to contain a table for deleted files
+ 900,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.db,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
+ 901,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\host.dbx,lazy_ntfs,"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
+ 902,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\sync\aggregation.dbx,lazy_ntfs,SQLite database which appears to contain snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch
+ 903,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
+ 904,Dropbox Metadata,SQLDatabases,Users\*\AppData\Local\Dropbox\*\avatarcache.db,lazy_ntfs,SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed
+ 905,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db,lazy_ntfs,Windows_GoogleDrive_CloudGraphDB.smap
+ 906,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\TempData\*\change_buffer\**10,lazy_ntfs,DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive
+ 907,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\snapshot.db,lazy_ntfs,Windows_GoogleDrive_SnapshotDB.smap
+ 908,Google File Stream Metadata,SQLDatabases,Users\*\AppData\Local\Google\Drive\*\sync_config.db,lazy_ntfs,Windows_GoogleDrive_SyncConfigDB.smap
+ 909,FileZilla SQLite3 Log Files,SQLDatabases,Users\*\AppData\Roaming\FileZilla\*.sqlite3*,lazy_ntfs,
+ 910,Chrome bookmarks XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
+ 911,Chrome Cookies XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
+ 912,Chrome Current Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
+ 913,Chrome Current Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
+ 914,Chrome Favicons XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
+ 915,Chrome History XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*,lazy_ntfs,
+ 916,Chrome Last Session XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
+ 917,Chrome Last Tabs XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
+ 918,Chrome Login Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
+ 919,Chrome Preferences XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
+ 920,Chrome Shortcuts XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
+ 921,Chrome Top Sites XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
+ 922,Chrome Visited Links XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
+ 923,Chrome Web Data XP,SQLDatabases,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
+ 924,Chrome bookmarks,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*,lazy_ntfs,
+ 925,Chrome Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*,lazy_ntfs,
+ 926,Chrome Current Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session,lazy_ntfs,
+ 927,Chrome Current Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs,lazy_ntfs,
+ 928,Chrome Download Metadata,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata,lazy_ntfs,
+ 929,Chrome Extension Cookies,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies,lazy_ntfs,
+ 930,Chrome Favicons,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*,lazy_ntfs,
+ 931,Chrome History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\History*,lazy_ntfs,
+ 932,Chrome Last Session,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session,lazy_ntfs,
+ 933,Chrome Last Tabs,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs,lazy_ntfs,
+ 934,Chrome Login Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data,lazy_ntfs,
+ 935,Chrome Media History,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*,lazy_ntfs,
+ 936,Chrome Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor,lazy_ntfs,
+ 937,Chrome Network Persistent State,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State,lazy_ntfs,
+ 938,Chrome Preferences,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences,lazy_ntfs,
+ 939,Chrome Quota Manager,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager,lazy_ntfs,
+ 940,Chrome Reporting and NEL,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL,lazy_ntfs,
+ 941,Chrome Shortcuts,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*,lazy_ntfs,
+ 942,Chrome Top Sites,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*,lazy_ntfs,
+ 943,Chrome Trust Tokens,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*,lazy_ntfs,
+ 944,Chrome SyncData Database,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
+ 945,Chrome Visited Links,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links,lazy_ntfs,
+ 946,Chrome Web Data,SQLDatabases,Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*,lazy_ntfs,
+ 947,Edge bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
+ 948,Edge Collections,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite,lazy_ntfs,
+ 949,Edge Cookies,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cookies*,lazy_ntfs,
+ 950,Edge Current Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session,lazy_ntfs,
+ 951,Edge Current Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs,lazy_ntfs,
+ 952,Edge Favicons,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*,lazy_ntfs,
+ 953,Edge History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*,lazy_ntfs,
+ 954,Edge Last Session,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session,lazy_ntfs,
+ 955,Edge Last Tabs,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs,lazy_ntfs,
+ 956,Edge Login Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data,lazy_ntfs,
+ 957,Edge Media History,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*,lazy_ntfs,
+ 958,Edge Network Action Predictor,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor,lazy_ntfs,
+ 959,Edge Preferences,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences,lazy_ntfs,
+ 960,Edge Shortcuts,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*,lazy_ntfs,
+ 961,Edge Top Sites,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*,lazy_ntfs,
+ 962,Edge SyncData Database,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3,lazy_ntfs,
+ 963,Edge Bookmarks,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*,lazy_ntfs,
+ 964,Edge Visited Links,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links,lazy_ntfs,
+ 965,Edge Web Data,SQLDatabases,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*,lazy_ntfs,
+ 966,Addons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*,lazy_ntfs,
+ 967,Bookmarks,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*,lazy_ntfs,
+ 968,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*,lazy_ntfs,
+ 969,Cookies,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*,lazy_ntfs,
+ 970,Downloads,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*,lazy_ntfs,
+ 971,Favicons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*,lazy_ntfs,
+ 972,Form history,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*,lazy_ntfs,
+ 973,Permissions,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*,lazy_ntfs,
+ 974,Places,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*,lazy_ntfs,
+ 975,Protections,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*,lazy_ntfs,
+ 976,Search,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*,lazy_ntfs,
+ 977,Signons,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*,lazy_ntfs,
+ 978,Storage Sync,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*,lazy_ntfs,
+ 979,Webappstore,SQLDatabases,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*,lazy_ntfs,
+ 980,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs,
+ 981,Windows 10 Notification DB,SQLDatabases,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs,
+ 982,ActivitiesCache.db,SQLDatabases,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs,
+ 983,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs,
+ 984,Bitdefender SQLite DB Files,Antivirus,"Program Files*\Bitdefender*\**10\*.{db,db-wal,db-shm}",lazy_ntfs,Bitdefender SQLite databases
+ 985,EventTranscript.db,SystemEvents,ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
+ 986,EventTranscript.db,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*,lazy_ntfs,
+ 987,SRUM,Execution,Windows\System32\SRU\**10,lazy_ntfs,
+ 988,SRUM,Execution,Windows.old\Windows\System32\SRU\**10,lazy_ntfs,
+ 989,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs,
+ 990,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs,
+ 991,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
+ 992,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs,
+ 993,SUM Database (.mdb files),Logs,Windows\System32\LogFiles\SUM\*.mdb,lazy_ntfs,"Grabs Current.mdb, SystemIdentity.mdb, and [GUID].mdb"
+ 994,SUPERAntiSpyware Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\**10,lazy_ntfs,
+ 995,SUSE Linux Enterprise Server WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\os-release,lazy_ntfs,
+ 996,SUSE Linux Enterprise Server WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\fstab,lazy_ntfs,
+ 997,SUSE Linux Enterprise Server WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\passwd,lazy_ntfs,
+ 998,SUSE Linux Enterprise Server WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\group,lazy_ntfs,
+ 999,SUSE Linux Enterprise Server WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\shadow,lazy_ntfs,
+ 1000,SUSE Linux Enterprise Server WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\timezone,lazy_ntfs,
+ 1001,SUSE Linux Enterprise Server WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hostname,lazy_ntfs,
+ 1002,SUSE Linux Enterprise Server WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hosts,lazy_ntfs,
+ 1003,SUSE Linux Enterprise Server WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
+ 1004,SUSE Linux Enterprise Server WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\profile,lazy_ntfs,
+ 1005,SUSE Linux Enterprise Server WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
+ 1006,SUSE Linux Enterprise Server WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
+ 1007,SUSE Linux Enterprise Server WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**10\.profile,lazy_ntfs,
+ 1008,SUSE Linux Enterprise Server WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\ext4.vhdx,lazy_ntfs,
+ 1009,at .job,Persistence,Windows\Tasks\*.job,lazy_ntfs,
+ 1010,at .job,Persistence,Windows.old\Windows\Tasks\*.job,lazy_ntfs,
+ 1011,at SchedLgU.txt,Persistence,Windows\SchedLgU.txt,lazy_ntfs,
+ 1012,at SchedLgU.txt,Persistence,Windows.old\Windows\SchedLgU.txt,lazy_ntfs,
+ 1013,XML,Persistence,Windows\System32\Tasks\**10,lazy_ntfs,
+ 1014,XML,Persistence,Windows\syswow64\Tasks\**10,lazy_ntfs,
+ 1015,XML,Persistence,Windows.old\Windows\System32\Tasks\**10,lazy_ntfs,
+ 1016,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\Session.db,lazy_ntfs,SQLite database with session information
+ 1017,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data\User.xml,lazy_ntfs,Contains each user's last authenticated time
+ 1018,ScreenConnect User Config,ApplicationLogs,ProgramData\ScreenConnect Client*\user.config,lazy_ntfs,Contains server domain and IP info
+ 1019,SecureAge Antvirus Logs,Antivirus,ProgramData\SecureAge Technology\SecureAge\log\**10,lazy_ntfs,
+ 1020,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs\**10,lazy_ntfs,Logs are in Binary Format (.binlog)
+ 1021,ShareX,Apps,Users\*\Documents\ShareX\**10,lazy_ntfs,Locates and captures all files within the default ShareX folder path
+ 1022,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza\**10,lazy_ntfs,Locates Shareaza logs and copies them.
+ 1023,Siemens TIA Settings,ICS,Users\*\AppData\Roaming\Siemens\Automation\Portal*\Settings\**10,lazy_ntfs,
+ 1024,Signal Attachments cache,Communications,Users\*\AppData\Roaming\Signal\attachments.noindex\**10,lazy_ntfs,Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with
+ 1025,Signal Logs,Communications,Users\*\AppData\Roaming\Signal\logs\**10,lazy_ntfs,"Logs for Signal. Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc."
+ 1026,Signal config.json,Communications,Users\*\AppData\Roaming\Signal\config.json,lazy_ntfs,config.json holds the db.sqlite SQLCipher raw key
+ 1027,Signal Database,Communications,Users\*\AppData\Roaming\Signal\sql\db.sqlite,lazy_ntfs,"Stores attachment details, conversations, messages, and more"
+ 1028,SignatureCatalog,FileMetadata,Windows\System32\CatRoot\**10,lazy_ntfs,
+ 1029,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot\**10,lazy_ntfs,
+ 1030,main.db (App <v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db,lazy_ntfs,
+ 1031,skype.db (App +v12),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db,lazy_ntfs,
+ 1032,main.db XP,Communications,Documents and Settings\*\Application Data\Skype\*\main.db,lazy_ntfs,
+ 1033,main.db Win7+,Communications,Users\*\AppData\Roaming\Skype\*\main.db,lazy_ntfs,
+ 1034,s4l-[username].db (App +v8),Communications,Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db,lazy_ntfs,
+ 1035,leveldb (Skype for Desktop +v8),Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\**10,lazy_ntfs,
+ 1036,Skype for Destkop v8+ Chromium Cache,Communications,Users\*\AppData\Roaming\Microsoft\Skype for Desktop\Cache\**10,lazy_ntfs,Can be viewed with Nirsoft's ChromeCacheView
+ 1037,Slack - Chat Logs,Apps,Users\*\AppData\Roaming\Slack\IndexedDB\**10,lazy_ntfs,Locates Slack logs and copies them
+ 1038,Slack LevelDB Files,Apps,Users\*\AppData\Roaming\Slack\Local Storage\leveldb\**10,lazy_ntfs,
+ 1039,Slack Electron Logs,Apps,Users\*\AppData\Roaming\Slack\logs\**10,lazy_ntfs,Current Slack application is based on Electron and additional logging can be found here.
+ 1040,Slack Cache,Apps,Users\*\AppData\Roaming\Slack\Cache\**10,lazy_ntfs,Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView
+ 1041,Slack Storage,Apps,Users\*\AppData\Roaming\Slack\storage\**10,lazy_ntfs,User activity logs can be present including slack-downloads log
+ 1042,Snagit - Captures,Apps,Users\*\AppData\Local\TechSmith\Snagit\DataStore,lazy_ntfs,Locates all Snagit captures
+ 1043,Snip & Sketch,FileKnowledge,Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\*.png,lazy_ntfs,Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows
+ 1044,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
+ 1045,Sophos Logs,Antivirus,ProgramData\Sophos\Sophos *\Logs\**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
+ 1046,Soulseek Chat Logs,FileDownload,Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs\**10,lazy_ntfs,Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22.
+ 1047,Soulseek Search History/Shared Folders/Settings,FileDownload,Users\*\AppData\Local\SoulseekQt\1\*.dat,lazy_ntfs,"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item)."
+ 1048,SpeedCommander - .ini File,Apps,Users\*\AppData\Roaming\SpeedProject\SpeedCommander 19\*,lazy_ntfs,Locates folder where all configuration files reside
+ 1049,Splashtop Log Files,Software,Program Files*\Splashtop\Splashtop Remote\Server\log\**10,lazy_ntfs,Collects logs for Splashtop
+ 1050,Splashtop Log Files in ProgramData,Software,ProgramData\Splashtop\Temp\log\**10,lazy_ntfs,Collects logs for Splashtop
+ 1051,User startup folders,Persistence,Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,lazy_ntfs,
+ 1052,System-wide startup folder,Persistence,ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,lazy_ntfs,
+ 1053,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
+ 1054,StartupInfo XML Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo\*.xml,lazy_ntfs,
+ 1055,Steam Game Image files,Apps,Program Files\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
+ 1056,Steam Login Metadata file,Apps,Program Files\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
+ 1057,Steam Friend List and Username History file,Apps,Program Files\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
+ 1058,Steam User Avatar files,Apps,Program Files\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
+ 1059,Steam Game Tray Icon files,Apps,Program Files\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
+ 1060,Steam Startup Times Log file,Apps,Program Files\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
+ 1061,Steam Game Image files,Apps,Program Files (x86)\Steam\appcache\librarycache\**10,lazy_ntfs,Locates the directory containing image resources of installed/uninstalled games.
+ 1062,Steam Login Metadata file,Apps,Program Files (x86)\Steam\config\**10\loginusers.vdf,lazy_ntfs,Locates file containing Steam username and persona name.
+ 1063,Steam Friend List and Username History file,Apps,Program Files (x86)\Steam\userdata\*\config\**10\localconfig.vdf,lazy_ntfs,Locates file containing Steam Friend List and Username History.
+ 1064,Steam User Avatar files,Apps,Program Files (x86)\Steam\config\avatarcache\**10,lazy_ntfs,Locates the directory containing avatar cache.
+ 1065,Steam Game Tray Icon files,Apps,Program Files (x86)\Steam\steam\games\**10,lazy_ntfs,Locates the directory containing game icons appearing from tray menu.
+ 1066,Steam Startup Times Log file,Apps,Program Files (x86)\Steam\logs\**10\bootstrap_log.txt,lazy_ntfs,Locates the directory containing log for Steam startup times.
+ 1067,SublimeText 2/3 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Settings\Session.sublime_session,lazy_ntfs,Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file
+ 1068,SublimeText 4 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Local\*.sublime_session,lazy_ntfs,Sublime Text 4 stores unsaved (temporary) files and its content in its .sublime_session files
+ 1069,SugarSync Log File,Apps,Users\*\AppData\Local\SugarSync\sc1.log,lazy_ntfs,Locates a log file the gives a play-by-play of what the user synced when.
+ 1070,SugarSync - Shared Folders (Default Location),Apps,Users\*\Documents\SugarSync Shared Folders\**10,lazy_ntfs,
+ 1071,SugarSync - My SugarSync (Default Location),Apps,Users\*\Documents\My SugarSync\**10,lazy_ntfs,
+ 1072,SumatraPDF Settings - SessionData,FileKnowledge,Users\*\AppData\Local\SumatraPDF\SumatraPDF-settings.txt,lazy_ntfs,Settings file which contains information about previous user session
+ 1073,SumatraPDF Cache,FileKnowledge,Users\*\AppData\Local\SumatraPDF\sumatrapdfcache,lazy_ntfs,Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close
+ 1074,Supremo Connection Logs,Communications,ProgramData\SupremoRemoteDesktop\Log\*.log,lazy_ntfs,Includes Supremo.00.Client.log and Supremo.00.Incoming.log
+ 1075,Supremo File Transfer Inbox,Communications,ProgramData\SupremoRemoteDesktop\Inbox,lazy_ntfs,Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log
+ 1076,Symantec Endpoint Protection Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\**10,lazy_ntfs,
+ 1077,Symantec Endpoint Protection Logs,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\**10,lazy_ntfs,
+ 1078,Symantec Endpoint Protection User Logs,Antivirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\**10,lazy_ntfs,
+ 1079,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
+ 1080,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
+ 1081,Symantec Endpoint Protection Quarantine (XP),Antivirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**10,lazy_ntfs,
+ 1082,Symantec Endpoint Protection Quarantine,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**10,lazy_ntfs,
+ 1083,ccSubSDK Database,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**10,lazy_ntfs,
+ 1084,registrationInfo.xml,Antivirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml,lazy_ntfs,
+ 1085,Syscache,Program Execution,System Volume Information\Syscache.hve,lazy_ntfs,
+ 1086,Syscache transaction files,Program Execution,System Volume Information\Syscache.hve.LOG*,lazy_ntfs,
+ 1087,Tablacus Explorer - remember.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\remember.xml,lazy_ntfs,
+ 1088,Tablacus Explorer - window.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window.xml,lazy_ntfs,
+ 1089,Tablacus Explorer - window1.xml,Logs,Users\*\AppData\Local\Temp\*\config\**10\window1.xml,lazy_ntfs,
+ 1090,TeamViewer Connection Logs,Communications,Program Files*\TeamViewer\connections*.txt,lazy_ntfs,Includes connections_incoming.txt and connections.txt
+ 1091,TeamViewer Application Logs,ApplicationLogs,Program Files*\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log
+ 1092,TeamViewer Application User Logs,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\TeamViewer*_Logfile*,lazy_ntfs,Alternate location for TeamViewer<version>_Logfile.log
+ 1093,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\**10,lazy_ntfs,Includes miscellaneous config files
+ 1094,Telegram app folder,Apps,Users\*\AppData\Roaming\Telegram Desktop\**10,lazy_ntfs,Telegram app folder structure
+ 1095,Telegram downloaded files,Apps,Users\*\Downloads\Telegram Desktop\**10,lazy_ntfs,Chat Attachments
+ 1096,TeraCopy,TeraCopy,Users\*\AppData\Roaming\TeraCopy\**10,lazy_ntfs,
+ 1097,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db,lazy_ntfs,
+ 1098,Mozilla Thunderbird Install Date,Apps,Users\*\AppData\Roaming\Thunderbird\Crash Reports\InstallTime*,lazy_ntfs,Holds install time in Unix Seconds timestamp
+ 1099,Mozilla Thunderbird Profiles.ini,Apps,Users\*\AppData\Roaming\Thunderbird\profiles.ini,lazy_ntfs,Profiles list - can hold references to other profiles held elsewhere on the device
+ 1100,Mozilla Thunderbird prefs.js,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\prefs.js,lazy_ntfs,User Preferences for that profile
+ 1101,Mozilla Thunderbird Global Messages Database,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\global-messages-db.sqlite,lazy_ntfs,"Holds list of contacts, emails, and other potentially useful artifacts"
+ 1102,Mozilla Thunderbird logins.json,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\logins.json,lazy_ntfs,"Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more"
+ 1103,Mozilla Thunderbird places.sqlite,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\places.sqlite,lazy_ntfs,"Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too"
+ 1104,Mozilla Thunderbird ImapMail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
+ 1105,Mozilla Thunderbird Mail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail\**10\INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
+ 1106,Mozilla Thunderbird Calendar Data,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\local.sqlite,lazy_ntfs,Holds local calendar data
+ 1107,Mozilla Thunderbird Attachments,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*,lazy_ntfs,Holds attachments
+ 1108,Mozilla Thunderbird Address Book,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\abook.sqlite,lazy_ntfs,Holds local address book
+ 1109,Torrents,FileDownload,**10\*.torrent,lazy_ntfs,
+ 1110,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs\**10,lazy_ntfs,
+ 1111,TotalAV Logs,Antivirus,ProgramData\TotalAV\logs\**10,lazy_ntfs,
+ 1112,Total Commander - .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wincmd.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
+ 1113,Total Commander - Log File,Apps,**10\totalcmd.log,lazy_ntfs,Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified.
+ 1114,Total Commander - Temp Files Created During Folder Traversal,Apps,Users\*\AppData\Local\Temp\FTP*.tmp,lazy_ntfs,Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed.
+ 1115,Total Commander - FTP .ini File,Apps,Users\*\AppData\Roaming\GHISLER\wcx_ftp.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful FTP information.
+ 1116,Total Commander - File Tree,Apps,Users\*\AppData\Local\GHISLER\treeinfo*.wc,lazy_ntfs,Locates a file that contains an exhaustive file tree of a user's file system.
+ 1117,Total Commander - Frequent Directory Listing,Apps,Users\*\AppData\Local\GHISLER\tcDirFrq.txt,lazy_ntfs,Locates a file that contains a frequently accessed folder listing.
+ 1118,Total Commander - FTP Logs,Apps,Users\*\AppData\Local\Temp\tcftp.log,lazy_ntfs,Locates a file that contains the Total Commander FTP logs.
+ 1119,TreeSize - ScanHistory.XML,Apps,Users\*\AppData\Roaming\JAM Software\TreeSize\scanhistory.xml,lazy_ntfs,Locates XML file that provides a list of previously scanned directories by the user.
+ 1120,Trend Micro Logs,Antivirus,ProgramData\Trend Micro\**10,lazy_ntfs,
+ 1121,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report\*.log,lazy_ntfs,
+ 1122,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog\*.log,lazy_ntfs,
+ 1123,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects all logs for UEMS
+ 1124,Unified endpoint management and security solutions from ManageEngine,RMM Tool,Users\*\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\**10\*.log,lazy_ntfs,Collects User logs for UEMS
+ 1125,Setupapi.log XP,USBDevices,Windows\setupapi.log,lazy_ntfs,
+ 1126,Setupapi.log Win7+,USBDevices,Windows\inf\setupapi.*.log,lazy_ntfs,
+ 1127,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf\setupapi.*.log,lazy_ntfs,
+ 1128,Ubuntu WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\os-release,lazy_ntfs,
+ 1129,Ubuntu WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\fstab,lazy_ntfs,
+ 1130,Ubuntu WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\passwd,lazy_ntfs,
+ 1131,Ubuntu WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\group,lazy_ntfs,
+ 1132,Ubuntu WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\shadow,lazy_ntfs,
+ 1133,Ubuntu WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\timezone,lazy_ntfs,
+ 1134,Ubuntu WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hostname,lazy_ntfs,
+ 1135,Ubuntu WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hosts,lazy_ntfs,
+ 1136,Ubuntu WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\crontab,lazy_ntfs,
+ 1137,Ubuntu WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs,
+ 1138,Ubuntu WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\profile,lazy_ntfs,
+ 1139,Ubuntu WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bash_history,lazy_ntfs,
+ 1140,Ubuntu WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.bashrc,lazy_ntfs,
+ 1141,Ubuntu WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**10\.profile,lazy_ntfs,
+ 1142,Ubuntu WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs\**10,lazy_ntfs,
+ 1143,Ubuntu WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt\**10\*.log,lazy_ntfs,
+ 1144,Ubuntu WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\ext4.vhdx,lazy_ntfs,
+ 1145,UltraViewer User Logs,Remote Access,Users\*\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
+ 1146,UltraViewer System Logs,Remote Access,Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer\**10,lazy_ntfs,"Includes all files related to UltraViewer chat, connections, and recordings"
+ 1147,UltraViewer Service Log,Remote Access,Program Files*\UltraViewer\UltraViewerService_log.txt,lazy_ntfs,UltraViewer Service log file
+ 1148,UltraViewer Connection Log,Remote Access,Program Files*\UltraViewer\ConnectionLog.Log,lazy_ntfs,UltraViewer Service level connection log
+ 1149,Usenet (NZB) Files,FileDownload,**10\*.nzb,lazy_ntfs,
+ 1150,Users,Application,Users\*\**10,lazy_ntfs,
+ 1151,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs\**10,lazy_ntfs,
+ 1152,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business\**10,lazy_ntfs,
+ 1153,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\**10,lazy_ntfs,
+ 1154,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\**10,lazy_ntfs,
+ 1155,VLC Recently Opened Files,Apps,Users\*\AppData\Roaming\vlc\vlc-qt-interface.ini,lazy_ntfs,Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening
+ 1156,VLC Recorded Files,Apps,Users\*\Videos\vlc-*.avi,lazy_ntfs,"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC"
+ 1157,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk.
+ 1158,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
+ 1159,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
+ 1160,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
+ 1161,RealVNC Log,ApplicationLogs,Users\*\AppData\Local\RealVNC\vncserver.log,lazy_ntfs,https://www.realvnc.com/en/connect/docs/logging.html#logging
+ 1162,RealVNC Log,ApplicationLogs,ProgramData\RealVNC-Service\vncserver.log,lazy_ntfs,https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging-
+ 1163,TightVNC Application Logs,ApplicationLogs,ProgramData\TightVNC\Server\Logs,lazy_ntfs,https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf
+ 1164,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC\config.db,lazy_ntfs,Configuration file for Viber
+ 1165,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*\viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more"
+ 1166,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users
+ 1167,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds
+ 1168,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images
+ 1169,VirtualBox VM configs,Apps,**10\*.vbox,lazy_ntfs,Locates all .vbox VM configuration files on disk
+ 1170,VirtualBox VM backup configs,Apps,**10\*.vbox-prev,lazy_ntfs,Locates all backup .vbox VM configuration files on disk
+ 1171,VirtualBox Logs,Apps,**10\VBox.log,lazy_ntfs,Locates all VBox.log files on disk
+ 1172,VirtualBox Backup Logs,Apps,**10\VBox.log.*,lazy_ntfs,Locates all backup VBox.log files on disk - these can show historic VM usage
+ 1173,VirtualBox Hardening Logs,Apps,**10\VBoxHardening.log,lazy_ntfs,Locates all VBoxHardening.log files on disk
+ 1174,VirtualBox,Memory,**10\*.sav,lazy_ntfs,Captures all partial memory images from VirtualBox.
+ 1175,VHD,Disk Images,**10\*.VHD,lazy_ntfs, + 1176,VHDX,Disk Images,**10\*.VHDX,lazy_ntfs, + 1177,VDI,Disk Images,**10\*.VDI,lazy_ntfs, + 1178,VMDK,Disk Images,**10\*.VMDK,lazy_ntfs, + 1179,VSCode Opened Files,Apps,Users\*\AppData\Roaming\Code\User\History\*\**10,lazy_ntfs,Grabs the files in the VSCode history. These are files the user has opened with VSCode + 1180,VSCode Workspaces,Apps,Users\*\AppData\Roaming\Code\User\globalStorage\storage.json*,lazy_ntfs,Grabs the file containing information about the users workspaces + 1181,VSCode User extensions,Apps,Users\*\AppData\Roaming\Code\CachedExtensions\user*,lazy_ntfs,Grabs the files relating to the users installed extensions + 1182,VSCode User settings,Apps,Users\*\AppData\Roaming\Code\User\settings.json*,lazy_ntfs,Grabs the file containing the settings the user has set. + 1183,VSCode User Preferences,Apps,Users\*\AppData\Roaming\Code\preferences*,lazy_ntfs,Grabs the file containing the preferences the user has set. + 1184,VSCode Network Cookies,Apps,Users\*\AppData\Roaming\Code\Network\Cookies*,lazy_ntfs,Grabs the cookie files. Same format as Chromium Cookies + 1185,VSCode Network Persistent State,Apps,Users\*\AppData\Roaming\Code\Network\Network Persistent State*,lazy_ntfs,Grabs the Network Persistent State file. Same format as in Chromium + 1186,VSCode Logs,Apps,Users\*\AppData\Roaming\Code\logs\**10,lazy_ntfs,"Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital." 
+ 1187,Vivaldi Cookies,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Cookies*,lazy_ntfs, + 1188,Vivaldi Network Persistent State,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\**10\Network Persistent State,lazy_ntfs, + 1189,Vivaldi Favicons,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Favicons*,lazy_ntfs, + 1190,Vivaldi History,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\History*,lazy_ntfs, + 1191,Vivaldi Sessions Folder,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Sessions\*,lazy_ntfs, + 1192,Vivaldi Login Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Login Data,lazy_ntfs, + 1193,Vivaldi Network Action Predictor,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Network Action Predictor,lazy_ntfs, + 1194,Vivaldi Preferences,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Preferences,lazy_ntfs, + 1195,Vivaldi Top Sites,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Top Sites*,lazy_ntfs, + 1196,Vivaldi Bookmarks,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Bookmarks*,lazy_ntfs, + 1197,Vivaldi Visited Links,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Visited Links,lazy_ntfs, + 1198,Vivaldi Web Data,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Web Data*,lazy_ntfs, + 1199,Vivaldi User Tracking,Communications,Users\*\.vivaldi_reporting_data*,lazy_ntfs, + 1200,Vivaldi Calendar,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Calendar*,lazy_ntfs, + 1201,Vivaldi Contacts,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Contacts*,lazy_ntfs, + 1202,Vivaldi Notes,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\Notes*,lazy_ntfs, + 1203,Vivaldi Download Metadata,Communications,Users\*\AppData\Local\Vivaldi\User Data\*\DownloadMetadata*,lazy_ntfs, + 1204,WBEM,WBEM,Windows\System32\wbem\Repository\**10,lazy_ntfs, + 1205,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository\**10,lazy_ntfs, + 1206,WER 
Files,Executables,ProgramData\Microsoft\Windows\WER\**10,lazy_ntfs, + 1207,WER Files,Executables,Users\*\AppData\Local\Microsoft\Windows\WER\**10,lazy_ntfs, + 1208,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps\*.dmp,lazy_ntfs, + 1209,Crash Dumps,SQL Exploitation,Windows\*.dmp,lazy_ntfs, + 1210,Crash Dumps,SQL Exploitation,Windows.old\Windows\*.dmp,lazy_ntfs, + 1211,Webroot Program Data,Antivirus,ProgramData\WRData\WRLog.log,lazy_ntfs, + 1212,WhatsApp Cache,Apps,Users\*\AppData\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" + 1213,WhatsApp Local Storage,Apps,Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" + 1214,Microsoft Store WhatsApp Cache,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" + 1215,Microsoft Store WhatsApp Local Storage,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. 
Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" + 1216,Microsoft Store WhatsApp Desktop Profile Pictures,Apps,Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures,lazy_ntfs,"Copies the local store of contacts profile pictures, simply open with a photos software" + 1217,Microsoft Store WhatsApp Shared Media,Apps,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers\**10\*.{jpg,mp4,pdf,webp}",lazy_ntfs,"Copies the shared media, can get very large." + 1218,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs, + 1219,WinSCP (.ini file),Logs,**10\WinSCP.ini,lazy_ntfs, + 1220,Recall folder,FileKnowledge,Users\*\AppData\Local\CoreAIPlatform.00\UKP\**10,lazy_ntfs, + 1221,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support\**10,lazy_ntfs, + 1222,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, + 1223,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, + 1224,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support\**10,lazy_ntfs, + 1225,Windows Defender Logs,Antivirus,Windows\Temp\MpCmdRun.log,lazy_ntfs, + 1226,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp\MpCmdRun.log,lazy_ntfs, + 1227,DetectionHistory,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**10,lazy_ntfs, + 1228,Windows Defender Quarantine,Antivirus,ProgramData\Microsoft\Windows Defender\Quarantine\**10,lazy_ntfs, + 1229,Windows Defender Detections.log,Antivirus,ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log,lazy_ntfs, + 1230,Windows Firewall Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs, + 1231,Windows Firewall 
Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall\pfirewall.*,lazy_ntfs, + 1232,Cryptokeys,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\**10,lazy_ntfs, + 1233,Masterkey,Windows Hello,Windows\System32\Microsoft\Protect\S-1-5-18\User\**10,lazy_ntfs, + 1234,NGC,Windows Hello,Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\**10,lazy_ntfs, + 1235,SECURITY registry transaction files,Registry,Windows\System32\config\SECURITY.LOG*,lazy_ntfs, + 1236,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config\SECURITY.LOG*,lazy_ntfs, + 1237,SOFTWARE registry transaction files,Registry,Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, + 1238,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config\SOFTWARE.LOG*,lazy_ntfs, + 1239,SYSTEM registry transaction files,Registry,Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, + 1240,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config\SYSTEM.LOG*,lazy_ntfs, + 1241,SECURITY registry hive,Registry,Windows\System32\config\SECURITY,lazy_ntfs, + 1242,SECURITY registry hive,Registry,Windows.old\Windows\System32\config\SECURITY,lazy_ntfs, + 1243,SOFTWARE registry hive,Registry,Windows\System32\config\SOFTWARE,lazy_ntfs, + 1244,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config\SOFTWARE,lazy_ntfs, + 1245,SYSTEM registry hive,Registry,Windows\System32\config\SYSTEM,lazy_ntfs, + 1246,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config\SYSTEM,lazy_ntfs, + 1247,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack\SECURITY,lazy_ntfs, + 1248,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SECURITY,lazy_ntfs, + 1249,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, + 1250,SOFTWARE registry hive 
(RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SOFTWARE,lazy_ntfs, + 1251,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, + 1252,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM,lazy_ntfs, + 1253,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, + 1254,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack\SYSTEM1,lazy_ntfs, + 1255,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows\*,lazy_ntfs, + 1256,GatherLogs,FileKnowledge,programdata\microsoft\search\data\applications\windows\GatherLogs\**10,lazy_ntfs, + 1257,Network setting files,Misc,windows\system32\drivers\etc\**10,lazy_ntfs, + 1258,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db,lazy_ntfs, + 1259,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat,lazy_ntfs, + 1260,MigLog.xml,OS Upgrade,Windows\Panther\MigLog.xml,lazy_ntfs, + 1261,Setupact.log,OS Upgrade,Windows\Panther\Setupact.log,lazy_ntfs, + 1262,HumanReadable.xml,OS Upgrade,Windows\Panther\*HumanReadable.xml,lazy_ntfs, + 1263,FolderMoveLog.txt,OS Upgrade,Windows\Panther\Rollback\FolderMoveLog.txt,lazy_ntfs, + 1264,Update Store.db,OS Upgrade,ProgramData\USOPrivate\UpdateStore\store.db,lazy_ntfs, + 1265,Windows Power Diagnostics,Diagnostics,ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\**10,lazy_ntfs, + 1266,DNS Netlogon files,DNS,Windows\System32\config\**10\netlogon.*,lazy_ntfs, + 1267,DNS files,DNS,Windows\System32\dns\**10,lazy_ntfs, + 1268,DHCP files,DHCP,Windows\System32\dhcp\**10,lazy_ntfs, + 1269,Diagnostic Logs for WSA,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\diagnostics\logcat\*.log,lazy_ntfs,Filenames should be 
%timestamp%.log + 1270,App download artifacts (PNG),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.png,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded + 1271,App download artifacts (ICO),Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.ico,lazy_ntfs,Will provide examiners with indicators of which apps were downloaded WHEN since .ico files appear immediately when download of an application completes + 1272,Appcompatdb.json,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\appcompatdb.json,lazy_ntfs,"Grabs the appcompatdb.json, unknown exactly what this is but further relevance could be uncovered after more research is conducted" + 1273,userdata.vhdx,Windows Subsystem for Android,Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\userdata.vhdx,lazy_ntfs,Grabs the user's data which appears to be stored in a VHDX + 1274,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs, + 1275,Legacy .rbs files relating to Windows Telemetry and Diagnostics,SystemEvents,Windows.old\ProgramData\Microsoft\Diagnosis\events*.rbs,lazy_ntfs, + 1276,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*,lazy_ntfs, + 1277,Windows Update Session Orchestrator logs,EventLogs,ProgramData\USOShared\Logs\System\**10\*.etl,lazy_ntfs, + 1278,Windows Update logs,EventLogs,Windows\Logs\WindowsUpdate\**10\WindowsUpdate*.etl,lazy_ntfs, + 1279,Windows Component-Based Servicing logs,EventLogs,Windows\Logs\CBS\**10\CBS*.log,lazy_ntfs, + 1280,Windows Your Phone - All 
Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\**10,lazy_ntfs,Locates all Your Phone database files + 1281,System Volume Information,Folder capture,System Volume Information\**10,lazy_ntfs, + 1282,XYplorer - .ini file,Apps,Users\*\AppData\Roaming\XYplorer\XYplorer.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information. + 1283,XYplorer - .ini file for each respective pane,Apps,Users\*\AppData\Roaming\XYplorer\Panes\*\**10\pane.ini,lazy_ntfs,Locates the .ini file for the left and right pane. + 1284,XYplorer - AutoBackup folder,Apps,Users\*\AppData\Roaming\XYplorer\AutoBackup\**10,lazy_ntfs,Locates the AutoBackup folder and copies its contents. + 1285,XYplorer - .dat files,Apps,Users\*\AppData\Roaming\XYplorer\**10\*.dat,lazy_ntfs,"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit." + 1286,Xeox RMM Client Application logs,ApplicationLogs,Program Files\Xeox\*.log,lazy_ntfs,Contains Application Log entries such as service start and incomming connections. 
+ 1287,Yandex Cookies,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Cookies*,lazy_ntfs, + 1288,Yandex Network Persistent State,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**10\Network Persistent State,lazy_ntfs, + 1289,Yandex Favicons,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Favicons*,lazy_ntfs, + 1290,Yandex History,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\History*,lazy_ntfs, + 1291,Yandex Sessions Folder,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\*,lazy_ntfs, + 1292,Yandex Login Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Passman Data*,lazy_ntfs, + 1293,Yandex Network Action Predictor,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Network Action Predictor,lazy_ntfs, + 1294,Yandex Preferences,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Preferences,lazy_ntfs, + 1295,Yandex Top Sites,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Top Sites*,lazy_ntfs, + 1296,Yandex Bookmarks,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Bookmarks*,lazy_ntfs, + 1297,Yandex Visited Links,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Visited Links,lazy_ntfs, + 1298,Yandex Web Data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Web Data*,lazy_ntfs, + 1299,Yandex Autofill data,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Autofill Data*,lazy_ntfs, + 1300,Yandex Passman logs,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Passman Logs*,lazy_ntfs, + 1301,Yandex Shortcuts,Communications,Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Shortcuts*,lazy_ntfs, + 1302,Zoho Assist log files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in AppData ocal - 1280,Zoho Assist 
.conf files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Settings) - 1281,Zoho Assist log files in ProgramData,Apps,ProgramData\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in ProgramData - 1282,Zoho Assist .conf files,Apps,ProgramData\ZohoMeeting\**10\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Proxy/Settings) - 1283,Zoho Assist log files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs\**10,lazy_ntfs,Zoho Assist log files in Program Files* - 1284,Zoho Assist .conf files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Service/Settings) - 1285,Zoho Assist .txt files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.txt,lazy_ntfs,Grabs all .txt files present in this folder (Service/Settings) - 1286,Zoom client logs,Apps,Users\*\AppData\Roaming\Zoom\logs\**10\*,lazy_ntfs,Zoom client artifacts - 1287,Zoom client logs (Windows XP),Apps,Documents and Settings\*\Application Data\Zoom\**10\*,lazy_ntfs,Zoom client artifacts (Windows XP) - 1288,Zoom client recordings,Apps,Users\*\Documents\Zoom\**10\*,lazy_ntfs,Zoom recording artifacts - 1289,Zoom plugin (Outlook),Apps,Users\*\AppData\Roaming\Zoom Plugin\*.json,lazy_ntfs,Zoom plugin artifacts - 1290,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple\Mobilesync\Backup\**10,lazy_ntfs, - 1291,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup\**10,lazy_ntfs, - 1292,iTunes Backup Folder - iOS13,Communications,Users\*\Apple\Mobilesync\Backup\**10,lazy_ntfs, - 1293,mIRC Chat Logs (Vista+),Communications,Users\*\AppData\Roaming\mIRC\logs\**10,lazy_ntfs, - 1294,mIRC Chat Logs (2000/XP),Communications,Documents and Settings\*\Application Data\mIRC\logs\**10,lazy_ntfs, - 1295,mRemoteNG 
Logs,Communications,Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log,lazy_ntfs,Contains log entries for remote connections - 1296,mRemoteNG Connection Configuration and Backups,Communications,Users\*\AppData\Roaming\mRemoteNG\confCons.xml*,lazy_ntfs,"Contains connection config, often with obfuscated credentials" - 1297,mRemoteNG Program Settings,Communications,Users\*\AppData\*\mRemoteNG\**10\user.config,lazy_ntfs,Contains user-specific program settings - 1298,openSUSE WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\os-release,lazy_ntfs, - 1299,openSUSE WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\fstab,lazy_ntfs, - 1300,openSUSE WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\passwd,lazy_ntfs, - 1301,openSUSE WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\group,lazy_ntfs, - 1302,openSUSE WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\shadow,lazy_ntfs, - 1303,openSUSE WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\timezone,lazy_ntfs, - 1304,openSUSE WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hostname,lazy_ntfs, - 1305,openSUSE WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hosts,lazy_ntfs, - 1306,openSUSE WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, - 1307,openSUSE WSL /etc/profile,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\profile,lazy_ntfs, - 1308,openSUSE WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, - 1309,openSUSE WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, - 1310,openSUSE WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.profile,lazy_ntfs, - 1311,openSUSE WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\ext4.vhdx,lazy_ntfs, - 1312,pCloud Database,Apps,Users\*\AppData\Local\pCloud\*.db,lazy_ntfs,Database contains all files sync'd with pCloud account. - 1313,pCloud Database WAL File,Apps,Users\*\AppData\Local\pCloud\*.db-wal,lazy_ntfs,Write-Ahead Log for pCloud database file. - 1314,pCloud Database Shared Memory File,Apps,Users\*\AppData\Local\pCloud\*.db-shm,lazy_ntfs,Shared Memory for the pCloud database file. - 1315,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent\*.ini,lazy_ntfs, - 1316,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\*,lazy_ntfs, - 1317,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\GeoDB\*,lazy_ntfs,Locate .mmdb file for network peer connection analysis. - 1318,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\BT_backup\*,lazy_ntfs,Locate active (in-progress) torrent files. 
- 1319,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent\*.dat,lazy_ntfs, + 1303,Zoho Assist .conf files in AppData\Local,Apps,Users\*\AppData\Local\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Settings) + 1304,Zoho Assist log files in ProgramData,Apps,ProgramData\ZohoMeeting\log\**10,lazy_ntfs,Zoho Assist log files in ProgramData + 1305,Zoho Assist .conf files,Apps,ProgramData\ZohoMeeting\**10\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Connection/Proxy/Settings) + 1306,Zoho Assist log files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs\**10,lazy_ntfs,Zoho Assist log files in Program Files* + 1307,Zoho Assist .conf files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.conf,lazy_ntfs,Grabs all .conf files present in this folder (Service/Settings) + 1308,Zoho Assist .txt files in Program Files*,Apps,Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.txt,lazy_ntfs,Grabs all .txt files present in this folder (Service/Settings) + 1309,Zoom client logs,Apps,Users\*\AppData\Roaming\Zoom\logs\**10\*,lazy_ntfs,Zoom client artifacts + 1310,Zoom client logs (Windows XP),Apps,Documents and Settings\*\Application Data\Zoom\**10\*,lazy_ntfs,Zoom client artifacts (Windows XP) + 1311,Zoom client recordings,Apps,Users\*\Documents\Zoom\**10\*,lazy_ntfs,Zoom recording artifacts + 1312,Zoom plugin (Outlook),Apps,Users\*\AppData\Roaming\Zoom Plugin\*.json,lazy_ntfs,Zoom plugin artifacts + 1313,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple\Mobilesync\Backup\**10,lazy_ntfs, + 1314,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup\**10,lazy_ntfs, + 1315,iTunes Backup Folder - iOS13,Communications,Users\*\Apple\Mobilesync\Backup\**10,lazy_ntfs, + 1316,mIRC Chat Logs (Vista+),Communications,Users\*\AppData\Roaming\mIRC\logs\**10,lazy_ntfs, + 1317,mIRC Chat Logs 
(2000/XP),Communications,Documents and Settings\*\Application Data\mIRC\logs\**10,lazy_ntfs, + 1318,mRemoteNG Logs,Communications,Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log,lazy_ntfs,Contains log entries for remote connections + 1319,mRemoteNG Connection Configuration and Backups,Communications,Users\*\AppData\Roaming\mRemoteNG\confCons.xml*,lazy_ntfs,"Contains connection config, often with obfuscated credentials" + 1320,mRemoteNG Program Settings,Communications,Users\*\AppData\*\mRemoteNG\**10\user.config,lazy_ntfs,Contains user-specific program settings + 1321,openSUSE WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\os-release,lazy_ntfs, + 1322,openSUSE WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\fstab,lazy_ntfs, + 1323,openSUSE WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\passwd,lazy_ntfs, + 1324,openSUSE WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\group,lazy_ntfs, + 1325,openSUSE WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\shadow,lazy_ntfs, + 1326,openSUSE WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\timezone,lazy_ntfs, + 1327,openSUSE WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hostname,lazy_ntfs, + 1328,openSUSE WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hosts,lazy_ntfs, + 1329,openSUSE WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\bash.bashrc,lazy_ntfs, + 
1330,openSUSE WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\profile,lazy_ntfs, + 1331,openSUSE WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bash_history,lazy_ntfs, + 1332,openSUSE WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.bashrc,lazy_ntfs, + 1333,openSUSE WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**10\.profile,lazy_ntfs, + 1334,openSUSE WSL ext4.vhdx,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\ext4.vhdx,lazy_ntfs, + 1335,pCloud Database,Apps,Users\*\AppData\Local\pCloud\*.db,lazy_ntfs,Database contains all files sync'd with pCloud account. + 1336,pCloud Database WAL File,Apps,Users\*\AppData\Local\pCloud\*.db-wal,lazy_ntfs,Write-Ahead Log for pCloud database file. + 1337,pCloud Database Shared Memory File,Apps,Users\*\AppData\Local\pCloud\*.db-shm,lazy_ntfs,Shared Memory for the pCloud database file. + 1338,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent\*.ini,lazy_ntfs, + 1339,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\*,lazy_ntfs, + 1340,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\GeoDB\*,lazy_ntfs,Locate .mmdb file for network peer connection analysis. + 1341,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\BT_backup\*,lazy_ntfs,Locate active (in-progress) torrent files. + 1342,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent\*.dat,lazy_ntfs, - name: KapeTargets type: hidden description: | 
@@ -2339,9 +2392,9 @@ parameters: when the parameter is checked. default: | Group,RuleIds - _BasicCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 279, 280, 281, 490, 491, 492, 493, 494, 495, 496, 497, 638, 643, 644, 676, 677, 681, 682, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 969, 970, 971, 972, 973, 974, 991, 992, 993, 994, 995, 996, 997, 1067, 1068, 1079, 1105, 1106, 1107, 1232, 1233]" - _KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 167, 170, 171, 172, 173, 174, 175, 177, 223, 224, 225, 226, 227, 228, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 262, 279, 280, 281, 308, 309, 310, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 374, 375, 391, 392, 393, 404, 405, 406, 407, 408, 409, 410, 411, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 476, 477, 478, 479, 480, 481, 482, 483, 484, 490, 491, 492, 493, 494, 495, 496, 497, 498, 510, 511, 518, 519, 520, 521, 525, 526, 527, 528, 529, 530, 567, 568, 569, 570, 571, 572, 601, 602, 625, 626, 638, 643, 644, 647, 648, 649, 650, 651, 652, 653, 659, 660, 661, 662, 663, 664, 665, 666, 667, 
668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 681, 682, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 853, 854, 855, 969, 970, 971, 972, 973, 974, 975, 976, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1026, 1027, 1031, 1032, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1072, 1073, 1074, 1075, 1092, 1093, 1102, 1103, 1104, 1125, 1126, 1127, 1128, 1130, 1131, 1132, 1133, 1140, 1141, 1142, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1253, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1285, 1295, 1296, 1297]" - _SANS_Triage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 80, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 163, 167, 170, 171, 172, 173, 174, 175, 177, 213, 214, 223, 224, 225, 226, 227, 228, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 262, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 308, 309, 310, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 
342, 343, 344, 345, 346, 347, 348, 349, 350, 374, 375, 380, 381, 382, 383, 384, 385, 386, 387, 390, 391, 392, 393, 404, 405, 406, 407, 408, 409, 410, 411, 412, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 476, 477, 478, 479, 480, 481, 482, 483, 484, 490, 491, 492, 493, 494, 495, 496, 497, 498, 510, 511, 518, 519, 520, 521, 524, 525, 526, 527, 528, 529, 530, 547, 548, 549, 550, 551, 560, 561, 567, 568, 569, 570, 571, 572, 601, 602, 625, 626, 638, 643, 644, 647, 648, 649, 650, 651, 652, 653, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 681, 682, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 853, 854, 855, 969, 970, 971, 972, 973, 974, 975, 976, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1006, 1007, 1008, 1009, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, 1022, 1023, 1026, 1027, 1031, 1032, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1072, 1073, 1074, 1075, 1076, 1077, 1079, 1092, 1093, 1102, 1103, 1104, 1105, 1106, 1107, 1125, 1126, 1127, 1128, 1130, 1131, 1132, 1133, 1140, 1141, 1142, 1143, 1144, 1145, 1146, 1147, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1232, 1233, 1253, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1285, 1293, 1294, 1295, 1296, 1297]" + _BasicCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 497, 498, 499, 500, 501, 502, 503, 504, 648, 649, 650, 656, 657, 694, 695, 699, 700, 701, 
702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 987, 988, 989, 990, 991, 992, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1085, 1086, 1097, 1125, 1126, 1127, 1255, 1256]" + _KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 168, 171, 172, 173, 174, 175, 176, 178, 224, 225, 226, 227, 228, 229, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 393, 394, 395, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 483, 484, 485, 486, 487, 488, 489, 490, 491, 497, 498, 499, 500, 501, 502, 503, 504, 505, 517, 518, 525, 526, 527, 528, 532, 533, 534, 535, 536, 537, 546, 547, 554, 577, 578, 579, 580, 581, 582, 611, 612, 635, 636, 648, 649, 650, 656, 657, 660, 661, 662, 663, 664, 665, 666, 676, 677, 678, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 699, 700, 701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 
759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 871, 872, 873, 987, 988, 989, 990, 991, 992, 993, 994, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1044, 1045, 1049, 1050, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1090, 1091, 1092, 1093, 1110, 1111, 1120, 1121, 1122, 1123, 1124, 1145, 1146, 1147, 1148, 1151, 1152, 1153, 1154, 1161, 1162, 1163, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1209, 1210, 1211, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1276, 1286, 1287, 1288, 1289, 1290, 1291, 1292, 1293, 1294, 1295, 1296, 1297, 1298, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1318, 1319, 1320]" + _SANS_Triage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 80, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 164, 168, 171, 172, 173, 174, 175, 176, 178, 214, 215, 224, 225, 226, 227, 228, 229, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 382, 383, 384, 385, 386, 387, 388, 389, 392, 393, 394, 395, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 435, 
436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 483, 484, 485, 486, 487, 488, 489, 490, 491, 497, 498, 499, 500, 501, 502, 503, 504, 505, 517, 518, 525, 526, 527, 528, 531, 532, 533, 534, 535, 536, 537, 546, 547, 554, 557, 558, 559, 560, 561, 570, 571, 577, 578, 579, 580, 581, 582, 611, 612, 635, 636, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 660, 661, 662, 663, 664, 665, 666, 676, 677, 678, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 699, 700, 701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 871, 872, 873, 987, 988, 989, 990, 991, 992, 993, 994, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1024, 1025, 1026, 1027, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1044, 1045, 1049, 1050, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1090, 1091, 1092, 1093, 1094, 1095, 1097, 1110, 1111, 1120, 1121, 1122, 1123, 1124, 1125, 1126, 1127, 1145, 1146, 1147, 1148, 1151, 1152, 1153, 1154, 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1168, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1209, 1210, 1211, 1212, 1213, 1214, 1215, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230, 1231, 1255, 1256, 1276, 1286, 1287, 1288, 1289, 1290, 1291, 1292, 1293, 1294, 1295, 1296, 1297, 1298, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1316, 1317, 1318, 1319, 1320]" _Boot,[1] _J,"[2, 3, 4, 5]" _LogFile,[6] 
@@ -2360,7 +2413,7 @@ parameters: AgentRansack,"[32, 33, 34, 35]" Amcache,"[36, 37, 38, 39]" Ammyy,[40] - Antivirus,"[18, 19, 20, 21, 22, 23, 24, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 167, 170, 171, 172, 173, 174, 175, 231, 232, 233, 234, 235, 236, 262, 308, 309, 310, 391, 392, 393, 518, 519, 520, 521, 525, 526, 527, 528, 529, 530, 853, 976, 1001, 1002, 1026, 1027, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1092, 1093, 1102, 1103, 1104, 1130, 1131, 1132, 1133, 1190, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206]" + Antivirus,"[18, 19, 20, 21, 22, 23, 24, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 168, 171, 172, 173, 174, 175, 176, 232, 233, 234, 235, 236, 237, 263, 310, 311, 312, 393, 394, 395, 525, 526, 527, 528, 532, 533, 534, 535, 536, 537, 554, 871, 994, 1019, 1020, 1044, 1045, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1110, 1111, 1120, 1121, 1122, 1151, 1152, 1153, 1154, 1211, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229]" AnyDesk,"[41, 42, 43, 44, 45, 46, 47, 48, 49]" ApacheAccessLog,[50] AppCompatPCA,[51] 
@@ -2379,277 +2432,287 @@ parameters: BoxDrive_UserFiles,"[87, 88]" BraveBrowser,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108]" BrowserCache,"[109, 110, 111, 112, 113, 114, 115, 116]" - CertUtil,"[117, 118, 119]" - Chrome,"[120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159]" - ChromeExtensions,"[160, 161]" - ChromeFileSystem,[162] - CiscoJabber,[163] - ClipboardMaster,"[164, 165, 166]" - CloudStorage_All,"[85, 86, 87, 88, 223, 224, 225, 226, 227, 228, 229, 373, 374, 375, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 601, 602, 603, 675, 1051, 1052, 1053, 1312, 1313, 1314]" - CloudStorage_Metadata,"[85, 86, 223, 224, 225, 226, 227, 228, 374, 375, 601, 602, 675]" - CloudStorage_OneDriveExplorer,"[601, 602, 678, 679, 680, 681, 682, 755, 756, 757, 758, 759, 760, 761, 762, 763]" - CombinedLogs,"[279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 560, 561, 638, 1105, 1106, 1107, 1207, 1208]" - Combofix,[167] - ConfluenceLogs,"[168, 169]" - Cybereason,"[170, 171, 172]" - Cylance,"[173, 174, 175]" - DC__,[176] - DWAgent,[177] - Debian,"[178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195]" - DirectoryOpus,"[196, 197, 198, 199, 200, 201, 202, 203, 204]" - DirectoryTraversal_AudioFiles,[205] - DirectoryTraversal_ExcelDocuments,[206] - DirectoryTraversal_PDFDocuments,[207] - DirectoryTraversal_PictureFiles,[208] - DirectoryTraversal_SQLiteDatabases,[209] - DirectoryTraversal_VideoFiles,[210] - DirectoryTraversal_WildCardExample,[211] - DirectoryTraversal_WordDocuments,[212] - Discord,"[213, 214]" - DoubleCommander,"[215, 216, 217, 218, 219, 220, 221]" - Drivers,[222] - Dropbox_Metadata,"[223, 224, 225, 226, 227, 228]" - Dropbox_UserFiles,[229] - EFCommander,[230] - ESET,"[231, 232, 233, 234, 235, 236]" - 
Edge,[237] - EdgeChromium,"[238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260]" - EdgeChromiumExtensions,[261] - Emsisoft,[262] - EncapsulationLogging,"[263, 264, 265, 266]" - EventLogs_RDP,"[267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278]" - EventLogs,"[279, 280, 281]" - EventTraceLogs,"[282, 283, 284, 285, 286, 287, 288, 289, 290, 291]" - EventTranscriptDB,"[292, 293, 294]" - Evernote,"[295, 296, 297]" - Everything__VoidTools_,"[298, 299, 300, 301]" - EvidenceOfExecution,"[36, 37, 38, 39, 51, 643, 644, 676, 677, 1067, 1068]" - Exchange,"[302, 307]" - ExchangeClientAccess,[302] - ExchangeCve_2021_26855,"[303, 304, 305, 306]" - ExchangeTransport,[307] - FSecure,"[308, 309, 310]" - FTPClients,"[312, 313, 314, 315, 1198]" - Fences,[311] - FileExplorerReplacements,"[196, 197, 198, 199, 200, 201, 202, 203, 204, 215, 216, 217, 218, 219, 220, 221, 230, 351, 352, 353, 354, 355, 356, 357, 554, 555, 556, 557, 558, 559, 599, 600, 656, 657, 1030, 1069, 1070, 1071, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1259, 1260, 1261, 1262]" + CertUtil,"[117, 118, 119, 120]" + Chrome,"[121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160]" + ChromeExtensions,"[161, 162]" + ChromeFileSystem,[163] + CiscoJabber,[164] + ClipboardMaster,"[165, 166, 167]" + CloudStorage_All,"[85, 86, 87, 88, 224, 225, 226, 227, 228, 229, 230, 375, 376, 377, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 611, 612, 613, 693, 1069, 1070, 1071, 1335, 1336, 1337]" + CloudStorage_Metadata,"[85, 86, 224, 225, 226, 227, 228, 229, 376, 377, 611, 612, 693]" + CloudStorage_OneDriveExplorer,"[611, 612, 696, 697, 698, 699, 700, 773, 774, 775, 776, 777, 778, 779, 780, 781]" + CombinedLogs,"[280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 570, 571, 648, 649, 650, 
651, 652, 653, 654, 655, 1125, 1126, 1127, 1230, 1231]" + Combofix,[168] + ConfluenceLogs,"[169, 170]" + Cybereason,"[171, 172, 173]" + Cylance,"[174, 175, 176]" + DC__,[177] + DWAgent,[178] + Debian,"[179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196]" + DirectoryOpus,"[197, 198, 199, 200, 201, 202, 203, 204, 205]" + DirectoryTraversal_AudioFiles,[206] + DirectoryTraversal_ExcelDocuments,[207] + DirectoryTraversal_PDFDocuments,[208] + DirectoryTraversal_PictureFiles,[209] + DirectoryTraversal_SQLiteDatabases,[210] + DirectoryTraversal_VideoFiles,[211] + DirectoryTraversal_WildCardExample,[212] + DirectoryTraversal_WordDocuments,[213] + Discord,"[214, 215]" + DoubleCommander,"[216, 217, 218, 219, 220, 221, 222]" + Drivers,[223] + Dropbox_Metadata,"[224, 225, 226, 227, 228, 229]" + Dropbox_UserFiles,[230] + EFCommander,[231] + ESET,"[232, 233, 234, 235, 236, 237]" + Edge,[238] + EdgeChromium,"[239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261]" + EdgeChromiumExtensions,[262] + Emsisoft,[263] + EncapsulationLogging,"[264, 265, 266, 267]" + EventLogs_RDP,"[268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279]" + EventLogs,"[280, 281, 282]" + EventTraceLogs,"[283, 284, 285, 286, 287, 288, 289, 290, 291, 292]" + EventTranscriptDB,"[293, 294, 295]" + Evernote,"[296, 297, 298]" + Everything__VoidTools_,"[299, 300, 301, 302]" + EvidenceOfExecution,"[36, 37, 38, 39, 51, 656, 657, 694, 695, 1085, 1086]" + Exchange,"[303, 308, 309]" + ExchangeClientAccess,[303] + ExchangeCve_2021_26855,"[304, 305, 306, 307]" + ExchangeSetupLog,[308] + ExchangeTransport,[309] + FSecure,"[310, 311, 312]" + FTPClients,"[314, 315, 316, 317, 1219]" + Fences,[313] + FileExplorerReplacements,"[197, 198, 199, 200, 201, 202, 203, 204, 205, 216, 217, 218, 219, 220, 221, 222, 231, 353, 354, 355, 356, 357, 358, 359, 564, 565, 566, 567, 568, 569, 609, 610, 669, 670, 1048, 1087, 1088, 1089, 1112, 
1113, 1114, 1115, 1116, 1117, 1118, 1282, 1283, 1284, 1285]" FileSystem,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12]" - FileZillaClient,"[312, 313]" - FileZillaServer,"[314, 315]" - Firefox,"[316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350]" - FreeCommander,"[351, 352, 353, 354, 355, 356, 357]" - FreeDownloadManager,"[358, 359, 360]" - FreeFileSync,[361] - Freenet,"[362, 363, 364, 365, 366]" - FrostWire,"[367, 368, 369]" - Gigatribe,"[370, 371, 372]" - GoogleDriveBackupSync_UserFiles,[373] - GoogleDrive_Metadata,"[374, 375]" - GoogleEarth,"[376, 377, 378, 379]" - GroupPolicy,"[380, 381, 382, 383, 384, 385, 386, 387]" - HeidiSQL,"[388, 389]" - HexChat,[390] - HitmanPro,"[391, 392, 393]" - IISConfiguration,"[394, 395, 396, 397]" - IISLogFiles,"[398, 399, 400, 401, 402, 403]" - IRCClients,"[390, 412, 1293, 1294]" - ISLOnline,"[404, 405, 406, 407, 408, 409, 410, 411]" - IceChat,[412] - Idrive,"[413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426]" - ImgBurn,[427] - InternetExplorer,"[428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440]" - IrfanView,[441] - JDownloader2,"[442, 443, 444, 445, 446]" - JavaWebCache,"[447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457]" - Kali,"[458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475]" - KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 167, 170, 171, 172, 173, 174, 175, 177, 223, 224, 225, 226, 227, 
228, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 262, 279, 280, 281, 308, 309, 310, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 374, 375, 391, 392, 393, 404, 405, 406, 407, 408, 409, 410, 411, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 476, 477, 478, 479, 480, 481, 482, 483, 484, 490, 491, 492, 493, 494, 495, 496, 497, 498, 510, 511, 518, 519, 520, 521, 525, 526, 527, 528, 529, 530, 567, 568, 569, 570, 571, 572, 601, 602, 625, 626, 638, 643, 644, 647, 648, 649, 650, 651, 652, 653, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 681, 682, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 853, 854, 855, 969, 970, 971, 972, 973, 974, 975, 976, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1026, 1027, 1031, 1032, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1072, 1073, 1074, 1075, 1092, 1093, 1102, 1103, 1104, 1125, 1126, 1127, 1128, 1130, 1131, 1132, 1133, 1140, 1141, 1142, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1189, 1190, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1253, 1263, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278, 1279, 1280, 1281, 1282, 1283, 1284, 1285, 1295, 1296, 1297]" - Kaseya,"[476, 477, 478, 479, 480, 481, 482, 483, 484]" - Keepass,"[485, 486, 487]" - KeepassXC,"[488, 489]" - LNKFilesAndJumpLists,"[490, 491, 492, 493, 494, 495, 496, 
497]" - Level,[498] - LinuxOnWindowsProfileFiles,"[499, 500, 501, 502]" - LiveUserFiles,"[503, 504, 505, 506]" - LogFiles,"[507, 508, 509]" - LogMeIn,"[58, 59, 60, 61, 510, 511]" - MOF,[512] - MSSQLErrorLog,"[513, 514]" - MacriumReflect,"[515, 516, 517]" - Malwarebytes,"[518, 519, 520, 521]" - ManageEngineLogs,"[522, 523]" - Mattermost,[524] - McAfee,"[525, 526, 527, 528, 529]" - McAfee_ePO,[530] - MediaMonkey,"[531, 532]" - Megasync,[533] - MemoryFiles,"[534, 535, 536, 537, 538]" - MessagingClients,"[163, 213, 214, 390, 412, 524, 547, 548, 549, 550, 551, 1006, 1007, 1008, 1009, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, 1022, 1023, 1076, 1077, 1143, 1144, 1145, 1146, 1147, 1191, 1192, 1193, 1194, 1293, 1294]" - MicrosoftOfficeBackstage,[539] - MicrosoftOneNote,"[540, 541, 542, 543, 544]" - MicrosoftStickyNotes,"[545, 546]" - MicrosoftTeams,"[547, 548, 549, 550, 551]" - MicrosoftToDo,"[552, 553]" - MidnightCommander,[554] - MiniTimelineCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 279, 280, 281, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763]" - MultiCommander,"[555, 556, 557, 558, 559]" - NETCLRUsageLogs,"[560, 561]" - NGINXLogs,[562] - NZBGet,"[563, 564]" - Nessus,"[565, 566]" - NetMonitorforEmployeesProfessional,"[567, 568, 569, 570, 571, 572]" - NewsbinPro,[573] - Newsleecher,[574] - Nicotine__,"[575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585]" - Notepad__,"[586, 587, 588]" - Notepad,[589] - Notion,"[590, 591]" - OfficeAutosave,"[592, 593, 594, 595]" - OfficeDiagnostics,"[596, 597]" - OfficeDocumentCache,[598] - OneCommander,"[599, 600]" - OneDrive_Metadata,"[601, 602]" - OneDrive_UserFiles,[603] - OpenSSHClient,"[604, 605, 606, 607, 608, 609, 610, 611, 612]" - OpenSSHServer,"[613, 614, 615, 616, 617, 618, 619, 620, 621]" 
- OpenVPNClient,"[622, 623, 624]" - Opera,"[625, 626]" - OutlookPSTOST,"[627, 628, 629, 630, 631, 632, 633, 634]" - P2PClients,"[176, 367, 368, 369, 370, 371, 372, 1004, 1028, 1029]" - PeaZip,[635] - PerfLogs,[636] - PowerShell7Config,[637] - PowerShellConsole,[638] - PowerShellTranscripts,"[639, 640, 641, 642]" - Prefetch,"[643, 644]" - ProgramData,[645] - ProtonVPN,[646] - PuffinSecureBrowser,"[647, 648, 649, 650, 651, 652, 653]" - PushNotification,"[654, 655]" - Q_Dir,"[656, 657]" - QFinderPro__QNAP_,[658] - RDPCache,"[659, 660, 661]" - RDPLogs,"[662, 663, 664, 665, 666, 667, 668, 669]" - Radmin,"[670, 671, 672, 673, 674]" - RcloneConf,[675] - RecentFileCache,"[676, 677]" - RecycleBin,"[678, 679, 680, 681, 682]" - RecycleBin_DataFiles,"[678, 679, 680]" - RecycleBin_InfoFiles,"[681, 682]" - RegistryHives,"[683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763]" - RegistryHivesMSIXApps,"[683, 684, 685]" - RegistryHivesOther,"[686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713]" - RegistryHivesSystem,"[714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754]" - RegistryHivesUser,"[755, 756, 757, 758, 759, 760, 761, 762, 763]" - RemoteAdmin,"[29, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 58, 59, 60, 61, 177, 404, 405, 406, 407, 408, 409, 410, 411, 476, 477, 478, 479, 480, 481, 482, 483, 484, 498, 510, 511, 567, 568, 569, 570, 571, 572, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 764, 765, 854, 855, 998, 999, 1000, 1031, 1032, 1056, 1057, 1072, 1073, 1074, 1075, 1125, 1126, 1127, 1128, 1140, 
1141, 1142, 1263, 1279, 1280, 1281, 1282, 1283, 1284, 1285, 1295, 1296, 1297]" - RemoteUtilities_app,"[764, 765]" - RoamingProfile,"[766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 838]" - Robo_FTP,"[839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852]" - RogueKiller,[853] - RustDesk,"[854, 855]" - SABnbzd,"[856, 857]" - SCCMClientLogs,[858] - SDB,"[859, 860, 861, 862]" - SOFELK,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 279, 280, 281, 490, 491, 492, 493, 494, 495, 496, 497, 643, 644, 676, 677, 1067, 1068]" - SQLiteDatabases,"[863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968]" - SRUM,"[969, 970, 971, 972, 973, 974]" - SUM,[975] - SUPERAntiSpyware,[976] - SUSELinuxEnterpriseServer,"[977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990]" - ScheduledTasks,"[991, 992, 993, 994, 995, 996, 997]" - ScreenConnect,"[58, 59, 60, 61, 998, 999, 1000]" - SecureAge,[1001] - SentinelOne,[1002] - ServerTriage,"[50, 168, 169, 302, 307, 314, 315, 398, 399, 400, 401, 402, 403, 513, 514, 522, 523, 562, 613, 614, 615, 616, 617, 618, 619, 620, 621]" - ShareX,[1003] - Shareaza,[1004] - SiemensTIA,[1005] - Signal,"[1006, 1007, 1008, 1009]" - 
SignatureCatalog,"[1010, 1011]" - Skype,"[1012, 1013, 1014, 1015, 1016, 1017, 1018]" - Slack,"[1019, 1020, 1021, 1022, 1023]" - Snagit,[1024] - SnipAndSketch,[1025] - Sophos,"[58, 59, 60, 61, 1026, 1027]" - Soulseek,"[1028, 1029]" - SpeedCommander,[1030] - Splashtop,"[1031, 1032]" - StartupFolders,"[1033, 1034]" - StartupInfo,"[1035, 1036]" - Steam,"[1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048]" - SublimeText,"[1049, 1050]" - SugarSync,"[1051, 1052, 1053]" - SumatraPDF,"[1054, 1055]" - SupremoRemoteDesktop,"[1056, 1057]" - Symantec_AV_Logs,"[58, 59, 60, 61, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066]" - Syscache,"[1067, 1068]" - TablacusExplorer,"[1069, 1070, 1071]" - TeamViewerLogs,"[1072, 1073, 1074, 1075]" - Telegram,"[1076, 1077]" - TeraCopy,[1078] - ThumbCache,[1079] - Thunderbird,"[1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090]" - TorrentClients,"[81, 1315, 1316, 1317, 1318, 1319]" - Torrents,[1091] - TotalAV,"[1092, 1093]" - TotalCommander,"[1094, 1095, 1096, 1097, 1098, 1099, 1100]" - TreeSize,[1101] - TrendMicro,"[1102, 1103, 1104]" - USBDetective,"[36, 37, 38, 39, 279, 280, 281, 490, 491, 492, 493, 494, 495, 496, 497, 683, 684, 685, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 1105, 1106, 1107]" - USBDevicesLogs,"[1105, 1106, 1107]" - Ubuntu,"[1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1121, 1122, 1123, 1124]" - Ultraviewer,"[1125, 1126, 1127, 1128]" - Usenet,[1129] - UsenetClients,"[563, 564, 573, 574, 856, 857]" - VIPRE,"[1130, 1131, 1132, 1133]" - VLC_Media_Player,"[1134, 1135]" - VMware,"[1136, 1137, 1138, 1139, 1154, 1155, 1156, 1157]" - VMwareInventory,[1136] - VMwareMemory,"[1137, 1138, 1139]" - VNCLogs,"[58, 59, 60, 61, 1140, 1141, 1142]" - Viber,"[1143, 
1144, 1145, 1146, 1147]" - VirtualBox,"[1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157]" - VirtualBoxConfig,"[1148, 1149]" - VirtualBoxLogs,"[1150, 1151, 1152]" - VirtualBoxMemory,[1153] - VirtualDisks,"[1154, 1155, 1156, 1157]" - VisualStudioCode,"[1158, 1159, 1160, 1161, 1162, 1163, 1164, 1165]" - Vivaldi,"[1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182]" - WBEM,"[1183, 1184]" - WER,"[1185, 1186, 1187, 1188, 1189]" - WSL,"[178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990, 1108, 1109, 1110, 1111, 1112, 1113, 1114, 1115, 1116, 1117, 1118, 1119, 1120, 1121, 1122, 1123, 1124, 1298, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311]" - WebBrowsers,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 625, 626, 647, 648, 649, 650, 651, 652, 653, 1166, 1167, 1168, 1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178, 1179, 1180, 1181, 1182, 1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278]" - WebServers,"[50, 398, 399, 400, 401, 402, 403, 513, 514, 562]" - Webroot,[1190] - WhatsApp,"[1191, 1192, 1193, 1194]" - WhatsApp_Media,"[1195, 1196]" - 
WinDefendDetectionHist,[1197] - WinSCP,[1198] - WindowsDefender,"[1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206]" - WindowsFirewall,"[1207, 1208]" - WindowsHello,"[1209, 1210, 1211, 1212, 1213, 1214, 1215, 1216, 1217, 1218, 1219, 1220, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1230, 1231]" - WindowsIndexSearch,"[1232, 1233]" - WindowsNetwork,[1234] - WindowsNotificationsDB,"[1235, 1236]" - WindowsOSUpgradeArtifacts,"[1237, 1238, 1239, 1240, 1241]" - WindowsPowerDiagnostics,[1242] - WindowsServerDNSAndDHCP,"[1243, 1244, 1245]" - WindowsSubsystemforAndroid,"[1246, 1247, 1248, 1249, 1250]" - WindowsTelemetryDiagnosticsLegacy,"[1251, 1252]" - WindowsTimeline,[1253] - WindowsUpdate,"[1254, 1255, 1256]" - WindowsYourPhone,[1257] - XPRestorePoints,[1258] - XYplorer,"[1259, 1260, 1261, 1262]" - Xeox,[1263] - Yandex,"[1264, 1265, 1266, 1267, 1268, 1269, 1270, 1271, 1272, 1273, 1274, 1275, 1276, 1277, 1278]" - ZohoAssist,"[1279, 1280, 1281, 1282, 1283, 1284, 1285]" - Zoom,"[1286, 1287, 1288, 1289]" - iTunesBackup,"[1290, 1291, 1292]" - mIRC,"[1293, 1294]" - mRemoteNG,"[1295, 1296, 1297]" - openSUSE,"[1298, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311]" - pCloudDatabase,"[1312, 1313, 1314]" - qBittorrent,"[1315, 1316, 1317, 1318]" - uTorrent,[1319] + FileZillaClient,"[314, 315]" + FileZillaServer,"[316, 317]" + Firefox,"[318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352]" + FreeCommander,"[353, 354, 355, 356, 357, 358, 359]" + FreeDownloadManager,"[360, 361, 362]" + FreeFileSync,[363] + Freenet,"[364, 365, 366, 367, 368]" + FrostWire,"[369, 370, 371]" + Gigatribe,"[372, 373, 374]" + GoogleDriveBackupSync_UserFiles,[375] + GoogleDrive_Metadata,"[376, 377]" + GoogleEarth,"[378, 379, 380, 381]" + GroupPolicy,"[382, 383, 384, 385, 386, 387, 388, 389]" + HeidiSQL,"[390, 391]" + HexChat,[392] + HitmanPro,"[393, 394, 
395]" + IISConfiguration,"[396, 397, 398, 399]" + IISLogFiles,"[400, 401, 402, 403, 404, 405]" + IRCClients,"[392, 418, 1316, 1317]" + ISLOnline,"[406, 407, 408, 409, 410, 411, 412, 413]" + ITarian,"[414, 415, 416, 417]" + IceChat,[418] + IconCacheDB,[419] + Idrive,"[420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433]" + ImgBurn,[434] + InternetExplorer,"[435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447]" + IrfanView,[448] + JDownloader2,"[449, 450, 451, 452, 453]" + JavaWebCache,"[454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464]" + Kali,"[465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482]" + KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 18, 19, 20, 21, 22, 23, 24, 29, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 58, 59, 60, 61, 69, 70, 71, 72, 73, 74, 75, 76, 77, 82, 83, 84, 85, 86, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 168, 171, 172, 173, 174, 175, 176, 178, 224, 225, 226, 227, 228, 229, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 263, 280, 281, 282, 310, 311, 312, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 376, 377, 393, 394, 395, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 483, 484, 485, 486, 487, 488, 489, 490, 491, 497, 498, 499, 500, 501, 502, 503, 504, 505, 517, 518, 525, 526, 527, 528, 532, 533, 534, 535, 536, 537, 546, 547, 554, 577, 578, 579, 580, 581, 582, 611, 612, 635, 636, 648, 649, 650, 656, 657, 
660, 661, 662, 663, 664, 665, 666, 676, 677, 678, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 699, 700, 701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 871, 872, 873, 987, 988, 989, 990, 991, 992, 993, 994, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1044, 1045, 1049, 1050, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1090, 1091, 1092, 1093, 1110, 1111, 1120, 1121, 1122, 1123, 1124, 1145, 1146, 1147, 1148, 1151, 1152, 1153, 1154, 1161, 1162, 1163, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207, 1208, 1209, 1210, 1211, 1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229, 1276, 1286, 1287, 1288, 1289, 1290, 1291, 1292, 1293, 1294, 1295, 1296, 1297, 1298, 1299, 1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1318, 1319, 1320]" + Kaseya,"[483, 484, 485, 486, 487, 488, 489, 490, 491]" + Keepass,"[492, 493, 494]" + KeepassXC,"[495, 496]" + LNKFilesAndJumpLists,"[497, 498, 499, 500, 501, 502, 503, 504]" + Level,[505] + LinuxOnWindowsProfileFiles,"[506, 507, 508, 509]" + LiveUserFiles,"[510, 511, 512, 513]" + LogFiles,"[514, 515, 516]" + LogMeIn,"[58, 59, 60, 61, 517, 518]" + MOF,[519] + MSSQLErrorLog,"[520, 521]" + MacriumReflect,"[522, 523, 524]" + Malwarebytes,"[525, 526, 527, 528]" + ManageEngineLogs,"[529, 530]" + Mattermost,[531] + McAfee,"[532, 533, 534, 535, 536]" + McAfee_ePO,[537] + MediaMonkey,"[538, 539]" + Megasync,[540] + MemoryFiles,"[541, 542, 543, 544, 545]" + MeshAgent,"[546, 547]" + MessagingClients,"[164, 214, 215, 392, 418, 531, 557, 558, 559, 560, 561, 1024, 1025, 1026, 1027, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 
1094, 1095, 1164, 1165, 1166, 1167, 1168, 1212, 1213, 1214, 1215, 1316, 1317]" + MicrosoftOfficeBackstage,[548] + MicrosoftOneNote,"[549, 550, 551, 552, 553]" + MicrosoftSafetyScanner,[554] + MicrosoftStickyNotes,"[555, 556]" + MicrosoftTeams,"[557, 558, 559, 560, 561]" + MicrosoftToDo,"[562, 563]" + MidnightCommander,[564] + MiniTimelineCollection,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 280, 281, 282, 701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781]" + MultiCommander,"[565, 566, 567, 568, 569]" + NETCLRUsageLogs,"[570, 571]" + NGINXLogs,[572] + NZBGet,"[573, 574]" + Nessus,"[575, 576]" + NetMonitorforEmployeesProfessional,"[577, 578, 579, 580, 581, 582]" + NewsbinPro,[583] + Newsleecher,[584] + Nicotine__,"[585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595]" + Notepad__,"[596, 597, 598]" + Notepad,[599] + Notion,"[600, 601]" + OfficeAutosave,"[602, 603, 604, 605]" + OfficeDiagnostics,"[606, 607]" + OfficeDocumentCache,[608] + OneCommander,"[609, 610]" + OneDrive_Metadata,"[611, 612]" + OneDrive_UserFiles,[613] + OpenSSHClient,"[614, 615, 616, 617, 618, 619, 620, 621, 622]" + OpenSSHServer,"[623, 624, 625, 626, 627, 628, 629, 630, 631]" + OpenVPNClient,"[632, 633, 634]" + Opera,"[635, 636]" + OutlookPSTOST,"[637, 638, 639, 640, 641, 642, 643, 644]" + P2PClients,"[177, 369, 370, 371, 372, 373, 374, 1022, 1046, 1047]" + PeaZip,[645] + PerfLogs,[646] + PowerShell7Config,[647] + PowerShellConsole,"[648, 649, 650]" + PowerShellTranscripts,"[651, 652, 653, 654, 655]" + Prefetch,"[656, 657]" + ProgramData,[658] + ProtonVPN,[659] + PuffinSecureBrowser,"[660, 661, 662, 663, 664, 665, 666]" + PushNotification,"[667, 668]" + Q_Dir,"[669, 670]" + QFinderPro__QNAP_,[671] + QlikSense,"[672, 673, 674, 675]" + RDPCache,"[676, 677, 678]" + RDPJumplist,[679] + 
RDPLogs,"[680, 681, 682, 683, 684, 685, 686, 687]" + Radmin,"[688, 689, 690, 691, 692]" + RcloneConf,[693] + RecentFileCache,"[694, 695]" + RecycleBin,"[696, 697, 698, 699, 700]" + RecycleBin_DataFiles,"[696, 697, 698]" + RecycleBin_InfoFiles,"[699, 700]" + RegistryHives,"[701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781]" + RegistryHivesMSIXApps,"[701, 702, 703]" + RegistryHivesOther,"[704, 705, 706, 707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731]" + RegistryHivesSystem,"[732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772]" + RegistryHivesUser,"[773, 774, 775, 776, 777, 778, 779, 780, 781]" + RemoteAdmin,"[29, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 58, 59, 60, 61, 178, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 483, 484, 485, 486, 487, 488, 489, 490, 491, 505, 517, 518, 546, 547, 577, 578, 579, 580, 581, 582, 676, 677, 678, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 782, 783, 872, 873, 1016, 1017, 1018, 1049, 1050, 1074, 1075, 1090, 1091, 1092, 1093, 1123, 1124, 1145, 1146, 1147, 1148, 1161, 1162, 1163, 1286, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1318, 1319, 1320]" + RemoteUtilities_app,"[782, 783]" + RoamingProfile,"[784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852, 853, 854, 855, 856]" + 
Robo_FTP,"[857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870]" + RogueKiller,[871] + RustDesk,"[872, 873]" + SABnbzd,"[874, 875]" + SCCMClientLogs,[876] + SDB,"[877, 878, 879, 880]" + SOFELK,"[1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 36, 37, 38, 39, 51, 280, 281, 282, 497, 498, 499, 500, 501, 502, 503, 504, 656, 657, 694, 695, 1085, 1086]" + SQLiteDatabases,"[881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986]" + SRUM,"[987, 988, 989, 990, 991, 992]" + SUM,[993] + SUPERAntiSpyware,[994] + SUSELinuxEnterpriseServer,"[995, 996, 997, 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008]" + ScheduledTasks,"[1009, 1010, 1011, 1012, 1013, 1014, 1015]" + ScreenConnect,"[58, 59, 60, 61, 1016, 1017, 1018]" + SecureAge,[1019] + SentinelOne,[1020] + ServerTriage,"[50, 169, 170, 303, 308, 309, 316, 317, 400, 401, 402, 403, 404, 405, 520, 521, 529, 530, 572, 623, 624, 625, 626, 627, 628, 629, 630, 631]" + ShareX,[1021] + Shareaza,[1022] + SiemensTIA,[1023] + Signal,"[1024, 1025, 1026, 1027]" + SignatureCatalog,"[1028, 1029]" + Skype,"[1030, 1031, 1032, 1033, 1034, 1035, 1036]" + Slack,"[1037, 1038, 1039, 1040, 1041]" + Snagit,[1042] + SnipAndSketch,[1043] + Sophos,"[58, 59, 60, 61, 1044, 1045]" + Soulseek,"[1046, 1047]" + SpeedCommander,[1048] + Splashtop,"[1049, 1050]" + StartupFolders,"[1051, 1052]" + StartupInfo,"[1053, 1054]" + Steam,"[1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066]" + SublimeText,"[1067, 1068]" + SugarSync,"[1069, 1070, 1071]" + 
SumatraPDF,"[1072, 1073]" + SupremoRemoteDesktop,"[1074, 1075]" + Symantec_AV_Logs,"[58, 59, 60, 61, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084]" + Syscache,"[1085, 1086]" + TablacusExplorer,"[1087, 1088, 1089]" + TeamViewerLogs,"[1090, 1091, 1092, 1093]" + Telegram,"[1094, 1095]" + TeraCopy,[1096] + ThumbCache,[1097] + Thunderbird,"[1098, 1099, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108]" + TorrentClients,"[81, 1338, 1339, 1340, 1341, 1342]" + Torrents,[1109] + TotalAV,"[1110, 1111]" + TotalCommander,"[1112, 1113, 1114, 1115, 1116, 1117, 1118]" + TreeSize,[1119] + TrendMicro,"[1120, 1121, 1122]" + UEMS,"[1123, 1124]" + USBDetective,"[36, 37, 38, 39, 280, 281, 282, 497, 498, 499, 500, 501, 502, 503, 504, 701, 702, 703, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 1125, 1126, 1127]" + USBDevicesLogs,"[1125, 1126, 1127]" + Ubuntu,"[1128, 1129, 1130, 1131, 1132, 1133, 1134, 1135, 1136, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144]" + Ultraviewer,"[1145, 1146, 1147, 1148]" + Usenet,[1149] + UsenetClients,"[573, 574, 583, 584, 874, 875]" + UsersFolders,[1150] + VIPRE,"[1151, 1152, 1153, 1154]" + VLC_Media_Player,"[1155, 1156]" + VMware,"[1157, 1158, 1159, 1160, 1175, 1176, 1177, 1178]" + VMwareInventory,[1157] + VMwareMemory,"[1158, 1159, 1160]" + VNCLogs,"[58, 59, 60, 61, 1161, 1162, 1163]" + Viber,"[1164, 1165, 1166, 1167, 1168]" + VirtualBox,"[1169, 1170, 1171, 1172, 1173, 1174, 1175, 1176, 1177, 1178]" + VirtualBoxConfig,"[1169, 1170]" + VirtualBoxLogs,"[1171, 1172, 1173]" + VirtualBoxMemory,[1174] + VirtualDisks,"[1175, 1176, 1177, 1178]" + VisualStudioCode,"[1179, 1180, 1181, 1182, 1183, 1184, 1185, 1186]" + Vivaldi,"[1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203]" + WBEM,"[1204, 1205]" 
+ WER,"[1206, 1207, 1208, 1209, 1210]" + WSL,"[179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1128, 1129, 1130, 1131, 1132, 1133, 1134, 1135, 1136, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1329, 1330, 1331, 1332, 1333, 1334]" + WebBrowsers,"[89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 635, 636, 660, 661, 662, 663, 664, 665, 666, 1187, 1188, 1189, 1190, 1191, 1192, 1193, 1194, 1195, 1196, 1197, 1198, 1199, 1200, 1201, 1202, 1203, 1287, 1288, 1289, 1290, 1291, 1292, 1293, 1294, 1295, 1296, 1297, 1298, 1299, 1300, 1301]" + WebServers,"[50, 400, 401, 402, 403, 404, 405, 520, 521, 572]" + Webroot,[1211] + WhatsApp,"[1212, 1213, 1214, 1215]" + WhatsApp_Media,"[1216, 1217]" + WinDefendDetectionHist,[1218] + WinSCP,[1219] + WindowsCopilotRecall,[1220] + WindowsDefender,"[1221, 1222, 1223, 1224, 1225, 1226, 1227, 1228, 1229]" + WindowsFirewall,"[1230, 1231]" + WindowsHello,"[1232, 1233, 1234, 1235, 1236, 1237, 1238, 1239, 1240, 1241, 1242, 1243, 1244, 1245, 1246, 1247, 1248, 1249, 1250, 1251, 1252, 1253, 1254]" + WindowsIndexSearch,"[1255, 1256]" + WindowsNetwork,[1257] + WindowsNotificationsDB,"[1258, 1259]" + 
WindowsOSUpgradeArtifacts,"[1260, 1261, 1262, 1263, 1264]" + WindowsPowerDiagnostics,[1265] + WindowsServerDNSAndDHCP,"[1266, 1267, 1268]" + WindowsSubsystemforAndroid,"[1269, 1270, 1271, 1272, 1273]" + WindowsTelemetryDiagnosticsLegacy,"[1274, 1275]" + WindowsTimeline,[1276] + WindowsUpdate,"[1277, 1278, 1279]" + WindowsYourPhone,[1280] + XPRestorePoints,[1281] + XYplorer,"[1282, 1283, 1284, 1285]" + Xeox,[1286] + Yandex,"[1287, 1288, 1289, 1290, 1291, 1292, 1293, 1294, 1295, 1296, 1297, 1298, 1299, 1300, 1301]" + ZohoAssist,"[1302, 1303, 1304, 1305, 1306, 1307, 1308]" + Zoom,"[1309, 1310, 1311, 1312]" + iTunesBackup,"[1313, 1314, 1315]" + mIRC,"[1316, 1317]" + mRemoteNG,"[1318, 1319, 1320]" + openSUSE,"[1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1329, 1330, 1331, 1332, 1333, 1334]" + pCloudDatabase,"[1335, 1336, 1337]" + qBittorrent,"[1338, 1339, 1340, 1341]" + uTorrent,[1342] - name: NTFS_CACHE_TIME type: int @@ -2661,11 +2724,19 @@ sources: query: | LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge - -- Select all the rule Ids to be included depending on the group - -- selection. - LET targets <= SELECT * FROM parse_csv( - filename=KapeTargets, accessor="data") - WHERE get(member=Group) AND log(message="Selecting " + Group) + -- Filter the KapeTargets list by the groups that are enabled in + -- the scope. Only the rows which contain a Group name defined + -- as TRUE in the scope (parameter) will be included. We then + -- merge all the Ids into a single flattened list we can check + -- against. + LET targets <= SELECT * FROM foreach(row={ + SELECT * FROM parse_csv(accessor="data", filename=KapeTargets) + WHERE get(member=Group) AND log(message="Selecting " + Group) + }, query={ + SELECT _value AS Id FROM foreach(row=RuleIds) + }) + + LET EnabledIds <= targets.Id -- Filter only the rules in the rule table that have an Id we -- want. Targets with $ in their name probably refer to ntfs 
@@ -2674,12 +2745,12 @@ sources:
 -- necessary - they are designated with the lazy_ntfs accessor.
 LET rule_specs_ntfs <= SELECT Id, Glob FROM parse_csv(filename=KapeRules, accessor="data")
- WHERE Id in array(array=targets.RuleIds) AND Accessor='ntfs'
+ WHERE Id in EnabledIds AND Accessor='ntfs'
 AND log(message="ntfs: Selecting glob " + Glob)
 LET rule_specs_lazy_ntfs <= SELECT Id, Glob FROM parse_csv(filename=KapeRules, accessor="data")
- WHERE Id in array(array=targets.RuleIds) AND Accessor='lazy_ntfs'
+ WHERE Id in EnabledIds AND Accessor='lazy_ntfs'
 AND log(message="auto: Selecting glob " + Glob)
 -- Call the generic VSS file collector with the globs we want in
@@ -2728,60 +2799,46 @@ sources: query: | SELECT * FROM all_results WHERE _Source =~ "Uploads" -reports: - - type: CLIENT - template: | - {{ import "Reporting.Default" "Templates" }} - - <!-- Default report in case the artifact does not have one --> - ## {{ .Name }} - - {{ $name := .Name }} - - {{ template "hidden_paragraph_start" dict "description" "View Artifact Description" }} - - {{ Markdown .Description }} - - ### References</h3> - - {{ range .Reference }} - * [{{ . }}]({{.}}) - {{- end }} - - {{ template "hidden_paragraph_end" }} - - {{ $query := print "SELECT SourceFile, Size, Modified, LastAccessed, Created \ - FROM source(source='All File Metadata')" }} + notebook: + - type: vql_suggestion + name: Post process collection + template: | + /* - <!-- There could be a huge number of rows just to get the count, so we cap at 10000 --> - {{ $count := Get ( Query (print "LET X = " $query " LIMIT 10000 " \ - " SELECT 1 AS ALL, count() AS Count FROM X Group BY ALL") | Expand ) \ - "0.Count" 0 }} + # Post process this collection. - <!-- If this is a flow show the parameters. --> - {{ $flow := Query "LET X = SELECT Request.Parameters.env AS \ - Env FROM flows(client_id=ClientId, flow_id=FlowId)" \ - "SELECT * FROM foreach(row=X[0].Env, query={ \ - SELECT Key, Value FROM scope()})" | Expand }} + Uncomment the following and evaluate the cell to create new + collections based on the files collected from this artifact. - {{ if $flow }} + The below VQL will apply remapping so standard artifacts will + see the KapeFiles.Targets collection below as a virtual + Windows Client. The artifacts will be collected to a temporary + container and then re-imported as new collections into this + client. - ### Selected Targets + NOTE: This is only a stop gap in case the proper artifacts + were not collected in the first place. Parsing artifacts + through a remapped collection is not as accurate as parsing + directly on the endpoint. 
See + https://docs.velociraptor.app/training/playbooks/preservation/ + for more info. - {{- range $flow -}}{{- if eq (Get . "Value") "Y" }} - * {{ Get . "Key" }} - {{- end -}}{{- end }} - {{ end }} + */ + LET _ <= import(artifact="Windows.KapeFiles.Remapping") - ## Files collected + LET tmp <= tempfile() - {{ if gt $count 9999 }} - Collected more than {{ $count }} files. - {{ else }} - Collected a total of {{ $count }} files. - {{ end }} + LET Results = SELECT import_collection(filename=Container, client_id=ClientId) AS Import + FROM collect(artifacts=[ + "Windows.Forensics.Usn", + "Windows.NTFS.MFT", + ], + args=dict(`Windows.Forensics.Usn`=dict(), + `Windows.NTFS.MFT`=dict()), + output=tmp, + remapping=GetRemapping(FlowId=FlowId, ClientId=ClientId)) - {{ Query $query | Table }} + // SELECT * FROM Results diff --git a/content/artifact_references/pages/windows.memory.acquisition.md b/content/artifact_references/pages/windows.memory.acquisition.md index 5f4af8eac49..bf677b951f6 100644 --- a/content/artifact_references/pages/windows.memory.acquisition.md +++ b/content/artifact_references/pages/windows.memory.acquisition.md 
@@ -4,43 +4,78 @@ hidden: true
 tags: [Client Artifact]
 ---
-Acquires a full memory image. We download winpmem and use it to
-acquire a full memory image.
+Acquires a full memory image using the built in WinPmem driver.
 NOTE: This artifact usually transfers a lot of data. You should
 increase the default timeout to allow it to complete.
+Memory images are typically susceptible to a lot of smear. To
+minimize this we need to acquire memory as quickly as possible. This
+artifact offers a few compression methods for the output
+file. Reducing the size of the file will decrease time needed for IO
+but will increase CPU requirements so this is a
+tradeoff. Empirically we found that using S2 compression gives a
+reasonable compression and very high speed reducing acquisition time
+from the no compression options significantly.
+
+To decompress the image you can use the [Go Winpmem binary](https://github.com/Velocidex/WinPmem/releases/download/v4.0.rc1/go-winpmem_amd64_1.0-rc1.exe)
+
+```
+go-winpmem.exe expand image.compressed image.raw
+```
+

 name: Windows.Memory.Acquisition
 description: |
-  Acquires a full memory image. We download winpmem and use it to
-  acquire a full memory image.
+  Acquires a full memory image using the built in WinPmem driver.
 
   NOTE: This artifact usually transfers a lot of data. You should
   increase the default timeout to allow it to complete.
 
-tools:
-  - name: WinPmem64
-    github_project: Velocidex/WinPmem
-    github_asset_regex: winpmem_mini_x64.+exe
-    serve_locally: true
+  Memory images are typically susceptible to a lot of smear. To
+  minimize this we need to acquire memory as quickly as possible. This
+  artifact offers a few compression methods for the output
+  file. Reducing the size of the file will decrease time needed for IO
+  but will increase CPU requirements so this is a
+  tradeoff. Empirically we found that using S2 compression gives a
+  reasonable compression and very high speed reducing acquisition time
+  from the no compression options significantly.
+
+  To decompress the image you can use the [Go Winpmem binary](https://github.com/Velocidex/WinPmem/releases/download/v4.0.rc1/go-winpmem_amd64_1.0-rc1.exe)
 
-precondition: SELECT OS From info() where OS = 'windows' AND Architecture = "amd64"
+  ```
+  go-winpmem.exe expand image.compressed image.raw
+  ```
+
+precondition: |
+  SELECT OS FROM info()
+  WHERE OS = 'windows'
+    AND Architecture = "amd64"
+    AND version(function='winpmem') >= 0
+
+parameters:
+  - name: ServiceName
+    description: Override the name of the driver service to install.
+  - name: Compression
+    default: None
+    type: choices
+    description: Type of compression to use (Recommended None, S2 or Snappy).
+    choices:
+      - None
+      - S2
+      - Snappy
+      - Gzip
 
 sources:
   - query: |
-      SELECT * FROM foreach(
-          row={
-            SELECT OSPath, tempfile(extension=".raw", remove_last=TRUE) AS Tempfile
-            FROM Artifact.Generic.Utils.FetchBinary(ToolName="WinPmem64")
-          },
-          query={
-            SELECT Stdout, Stderr,
-                   if(condition=Complete,
-                      then=upload(file=Tempfile, name="PhysicalMemory.raw")) As Upload
-            FROM execve(argv=[OSPath, Tempfile], sep="\r\n")
-        })
+      LET Tempfile <= tempfile(extension=".pmem")
+
+      LET ImageInfo <= winpmem(image_path=Tempfile, compression=Compression)
+
+      SELECT ImageInfo, upload(file=Tempfile, name="PhysicalMemory.dd") AS Upload
+      FROM stat(filename=Tempfile)
+      WHERE log(message="Uploading %v bytes", args=Size)
 
 
diff --git a/content/artifact_references/pages/windows.sys.allusers.md b/content/artifact_references/pages/windows.sys.allusers.md
index fbc03743692..f42e5c6b695 100644
--- a/content/artifact_references/pages/windows.sys.allusers.md
+++ b/content/artifact_references/pages/windows.sys.allusers.md
@@ -44,6 +44,18 @@ parameters:
 - name: remoteRegKey
 default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*
+export: |
+ -- Cache function for lookupSID
+ LET LookupSIDCache(SID) = cache(name="SID", key=SID,
+ func=lookupSID(sid=SID) ||
+
+ -- resolve usernames via registry if lookupSID is not available
+ -- or yields no results
+
+ pathspec(parse=stat(accessor="registry",
+ filename="HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/ProfileList/" + + SID + "/ProfileImagePath").Data.value).Basename || "")
+
 sources:
 - precondition: SELECT OS From info() where OS = 'windows'
@@ -56,7 +68,7 @@ sources:
 SELECT split(string=Key.OSPath.Basename, sep="-")[-1] as Uid,
 "" AS Gid,
- lookupSID(sid=Key.OSPath.Basename) || "" AS Name,
+ LookupSIDCache(SID=Key.OSPath.Basename || "") AS Name,
 Key.OSPath as Description,
 ProfileImagePath as Directory,
 Key.OSPath.Basename as UUID,
diff --git a/content/artifact_references/pages/windows.sys.users.md b/content/artifact_references/pages/windows.sys.users.md
index fbb39afce4b..8172953a179 100644
--- a/content/artifact_references/pages/windows.sys.users.md
+++ b/content/artifact_references/pages/windows.sys.users.md
@@ -28,6 +28,9 @@ parameters:
 - name: remoteRegKey
 default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*
+imports:
+ - Windows.Sys.AllUsers
+
 sources:
 - precondition: SELECT OS From info() where OS = 'windows'
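Review bot: The registry fallback in the new `LookupSIDCache` export hardcodes `HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/ProfileList/` even though the artifact already carries that path in the `remoteRegKey` parameter shown in the same hunk, so overriding `remoteRegKey` changes which profiles are enumerated but not where names are resolved; that asymmetry deserves a comment in the export (the export is pulled into `Windows.Sys.Users` through the `imports:` hunk below, where the parameter is presumably not in scope — inferred, not visible here). The cache is registered under the fixed name `"SID"` and keyed only by SID, so any other query calling `cache(name="SID", ...)` within the same scope would share its entries; a note such as `-- NOTE: cache name "SID" is shared by every importer of this export` would make that explicit. When `lookupSID` is unavailable and the SID has no ProfileList entry, the `|| ""` fallbacks collapse "no profile" and "resolution failed" into the same empty `Name`, which is acceptable but worth stating on the `-- resolve usernames via registry` comment line so analysts do not read an empty name as a deleted account.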
@@ -39,7 +42,7 @@ sources:
 -- lookupSID() may not be available on deaddisk analysis
 SELECT split(string=Key.OSPath.Basename, sep="-")[-1] as Uid,
 "" AS Gid,
- lookupSID(sid=Key.OSPath.Basename) || "" AS Name,
+ LookupSIDCache(SID=Key.OSPath.Basename || "") AS Name,
 Key.OSPath as Description,
 ProfileImagePath as Directory,
 Key.OSPath.Basename as UUID,
diff --git a/content/docs/deployment/references/_reference.html b/content/docs/deployment/references/_reference.html
index a17c9e6ae1a..ce91976a9d3 100644
--- a/content/docs/deployment/references/_reference.html
+++ b/content/docs/deployment/references/_reference.html
@@ -1049,6 +1049,25 @@
10000000
+
When Velociraptor is running as a Windows service the system can +not capture any messages printed to stdout or stderr. This means +that if Velociraptor crashes we lose the panic backtrace the helps +debug why it crashed. Setting this to a path on the client, will +cause Velociraptor to redirect stdout and stderr to this file from +the Windows service.
+
  • + + + + + +
    +
  • +
    Velociraptor keeps a local buffer file to store query results while they are being shipped across the network. There are two types of buffers - an in memory buffer and a local file based @@ -1059,7 +1078,7 @@
  • @@ -1074,7 +1093,7 @@
  • @@ -1089,7 +1108,7 @@
  • @@ -1104,7 +1123,7 @@
  • @@ -1118,7 +1137,7 @@
  • @@ -1132,7 +1151,7 @@
  • @@ -1155,7 +1174,7 @@
  • @@ -1174,7 +1193,7 @@
  • @@ -1189,7 +1208,7 @@
  • @@ -1205,7 +1224,7 @@
  • @@ -1219,7 +1238,7 @@
  • @@ -1233,7 +1252,7 @@
  • @@ -1249,7 +1268,7 @@
  • @@ -1266,7 +1285,7 @@
  • @@ -1282,7 +1301,7 @@
  • @@ -1297,7 +1316,7 @@
  • @@ -1312,7 +1331,7 @@
  • @@ -1330,7 +1349,7 @@
  • @@ -1358,7 +1377,7 @@
  • @@ -1372,7 +1391,7 @@
  • @@ -1404,7 +1423,7 @@
  • @@ -1418,7 +1437,7 @@
  • @@ -1434,7 +1453,7 @@
  • @@ -1448,7 +1467,7 @@
  • @@ -1464,7 +1483,7 @@
  • @@ -1478,7 +1497,7 @@
  • @@ -1492,7 +1511,7 @@
  • @@ -1506,7 +1525,7 @@
  • @@ -1525,11 +1544,13 @@
    Bind the GUI to this port. By default: For self signed SSL the GUI will be bound to the localhost only! For Let's Encrypt deployments the GUI will be bound on 0.0.0.0 making it accessible -from anywhere.
    +from anywhere. NOTE: The **only** valid settings here are 0.0.0.0 +for external access and 127.0.0.1 for localhost - Do not specify +any other address unless you know what you are doing!
  • @@ -1545,7 +1566,7 @@
  • @@ -1560,7 +1581,7 @@
  • @@ -1581,7 +1602,7 @@
  • @@ -1603,7 +1624,7 @@
  • @@ -1622,7 +1643,7 @@
  • @@ -1637,7 +1658,7 @@
  • @@ -1652,7 +1673,7 @@
  • @@ -1676,7 +1697,7 @@
  • @@ -1694,7 +1715,7 @@
  • @@ -1710,7 +1731,7 @@
  • @@ -1724,7 +1745,7 @@
  • @@ -1744,7 +1765,7 @@
  • @@ -1762,7 +1783,7 @@
  • @@ -1776,7 +1797,7 @@
  • @@ -1792,7 +1813,7 @@
  • @@ -1814,7 +1835,7 @@
  • @@ -1828,7 +1849,7 @@
  • @@ -1842,7 +1863,7 @@
  • @@ -1862,7 +1883,7 @@
  • @@ -1882,7 +1903,7 @@
  • @@ -1896,7 +1917,7 @@
  • @@ -1910,7 +1931,7 @@
  • @@ -1924,7 +1945,7 @@
  • @@ -1953,7 +1974,7 @@
  • @@ -1970,7 +1991,7 @@
  • @@ -1984,7 +2005,7 @@
  • @@ -1998,7 +2019,7 @@
  • @@ -2012,7 +2033,7 @@
  • @@ -2026,7 +2047,7 @@
  • @@ -2041,7 +2062,7 @@
  • @@ -2059,7 +2080,7 @@
  • @@ -2081,7 +2102,7 @@
  • @@ -2097,7 +2118,7 @@
  • @@ -2115,7 +2136,7 @@
  • @@ -2143,7 +2164,7 @@
  • @@ -2157,7 +2178,7 @@
  • @@ -2181,7 +2202,7 @@
  • @@ -2194,7 +2215,7 @@
  • @@ -2211,7 +2232,7 @@
  • @@ -2235,7 +2256,7 @@
  • @@ -2252,7 +2273,7 @@
  • @@ -2267,7 +2288,7 @@
  • @@ -2280,7 +2301,7 @@
  • @@ -2294,7 +2315,7 @@
  • @@ -2308,7 +2329,7 @@
  • @@ -2321,7 +2342,7 @@
  • @@ -2338,7 +2359,7 @@
  • @@ -2352,7 +2373,7 @@
  • @@ -2371,7 +2392,7 @@
  • @@ -2385,7 +2406,7 @@
  • @@ -2400,7 +2421,7 @@
  • @@ -2414,7 +2435,7 @@
  • @@ -2433,7 +2454,7 @@
  • @@ -2453,7 +2474,7 @@
  • @@ -2479,7 +2500,7 @@
  • @@ -2493,7 +2514,7 @@
  • @@ -2509,7 +2530,7 @@
  • @@ -2522,7 +2543,7 @@
  • @@ -2536,7 +2557,7 @@
  • @@ -2550,7 +2571,7 @@
  • @@ -2564,7 +2585,7 @@
  • @@ -2578,7 +2599,7 @@
  • @@ -2592,7 +2613,7 @@
  • @@ -2606,7 +2627,7 @@
  • @@ -2621,7 +2642,7 @@
  • @@ -2636,7 +2657,7 @@
  • @@ -2650,7 +2671,7 @@
  • @@ -2664,7 +2685,7 @@
  • @@ -2684,7 +2705,7 @@
  • @@ -2699,7 +2720,7 @@
  • @@ -2722,7 +2743,7 @@
  • @@ -2750,7 +2771,7 @@
  • @@ -2766,7 +2787,7 @@
  • @@ -2789,7 +2810,7 @@
  • @@ -2803,7 +2824,7 @@
  • @@ -2817,7 +2838,7 @@
  • @@ -2835,7 +2856,7 @@
  • @@ -2851,7 +2872,7 @@
  • @@ -2864,7 +2885,7 @@
  • @@ -2880,7 +2901,7 @@
  • @@ -2895,7 +2916,7 @@
  • @@ -2915,7 +2936,7 @@
  • @@ -2931,7 +2952,7 @@
  • @@ -2947,7 +2968,7 @@
  • @@ -2964,7 +2985,7 @@
  • @@ -2982,7 +3003,7 @@
  • @@ -2996,7 +3017,7 @@
  • @@ -3012,7 +3033,7 @@
  • @@ -3028,7 +3049,7 @@
  • @@ -3045,7 +3066,7 @@
  • @@ -3060,7 +3081,7 @@
  • @@ -3074,7 +3095,7 @@
  • @@ -3092,7 +3113,7 @@
  • @@ -3107,7 +3128,7 @@
  • @@ -3129,7 +3150,7 @@
  • @@ -3143,7 +3164,7 @@
  • @@ -3157,7 +3178,7 @@
  • @@ -3174,7 +3195,7 @@
  • @@ -3188,7 +3209,7 @@
  • @@ -3205,7 +3226,7 @@
  • @@ -3219,7 +3240,7 @@
  • @@ -3235,7 +3256,7 @@
  • @@ -3252,7 +3273,7 @@
  • @@ -3266,7 +3287,7 @@
  • @@ -3281,7 +3302,7 @@
  • @@ -3298,7 +3319,7 @@
  • @@ -3315,7 +3336,7 @@
  • @@ -3336,7 +3357,7 @@
  • @@ -3350,7 +3371,7 @@
  • @@ -3366,7 +3387,7 @@
  • @@ -3381,7 +3402,7 @@
  • @@ -3395,7 +3416,7 @@
  • @@ -3412,7 +3433,7 @@
  • @@ -3425,7 +3446,7 @@
  • @@ -3441,7 +3462,7 @@
  • @@ -3456,7 +3477,7 @@
  • @@ -3470,7 +3491,7 @@
  • @@ -3485,7 +3506,7 @@
  • @@ -3508,7 +3529,7 @@
  • @@ -3521,7 +3542,7 @@
  • @@ -3535,7 +3556,7 @@
  • @@ -3549,7 +3570,7 @@
  • @@ -3566,7 +3587,7 @@
  • @@ -3579,7 +3600,7 @@
  • @@ -3593,7 +3614,7 @@
  • @@ -3607,7 +3628,7 @@
  • @@ -3624,7 +3645,7 @@
  • @@ -3637,7 +3658,7 @@
  • @@ -3651,7 +3672,7 @@
  • @@ -3665,7 +3686,7 @@
  • @@ -3687,7 +3708,7 @@
  • @@ -3700,7 +3721,7 @@
  • @@ -3714,7 +3735,7 @@
  • @@ -3723,6 +3744,21 @@
    8003
  • + +
    If set we use this in links etc, otherwise we take a guess +based on bind_address and bind_port above.
    +
  • + + + + + +
    http://localhost:8003/metrics
    +
  • @@ -3731,7 +3767,7 @@
  • @@ -3747,7 +3783,7 @@
  • @@ -3786,7 +3822,7 @@
  • @@ -3805,7 +3841,7 @@
  • @@ -3820,7 +3856,7 @@
  • @@ -3834,7 +3870,7 @@
  • @@ -3848,7 +3884,7 @@
  • @@ -3862,7 +3898,7 @@
  • @@ -3887,7 +3923,7 @@
  • @@ -3905,7 +3941,7 @@
  • @@ -3920,7 +3956,7 @@
  • @@ -3936,7 +3972,7 @@
  • @@ -3950,7 +3986,7 @@
  • @@ -3966,7 +4002,7 @@
  • @@ -3982,7 +4018,7 @@
  • @@ -4000,7 +4036,7 @@
  • @@ -4014,7 +4050,7 @@
  • @@ -4029,7 +4065,7 @@
  • @@ -4046,7 +4082,7 @@
  • @@ -4062,7 +4098,7 @@
  • @@ -4076,7 +4112,7 @@
  • @@ -4097,7 +4133,7 @@
  • @@ -4119,7 +4155,7 @@
  • @@ -4132,7 +4168,7 @@
  • @@ -4146,7 +4182,7 @@
  • @@ -4160,7 +4196,7 @@
  • @@ -4174,7 +4210,7 @@
  • @@ -4188,7 +4224,7 @@
  • @@ -4202,7 +4238,7 @@
  • @@ -4224,7 +4260,7 @@
  • @@ -4239,7 +4275,7 @@
  • @@ -4258,7 +4294,7 @@
  • @@ -4273,7 +4309,7 @@
  • @@ -4289,7 +4325,7 @@
  • @@ -4303,7 +4339,7 @@
  • @@ -4319,7 +4355,7 @@
  • @@ -4334,7 +4370,7 @@
  • @@ -4368,7 +4404,7 @@
  • @@ -4382,7 +4418,7 @@
  • @@ -4404,7 +4440,7 @@
  • @@ -4422,7 +4458,7 @@
  • @@ -4436,7 +4472,7 @@
  • @@ -4450,7 +4486,7 @@
  • @@ -4465,7 +4501,7 @@
  • @@ -4487,7 +4523,7 @@
  • @@ -4502,7 +4538,7 @@
  • @@ -4521,7 +4557,7 @@
  • @@ -4535,7 +4571,7 @@
  • @@ -4553,7 +4589,7 @@
  • @@ -4567,7 +4603,7 @@
  • @@ -4587,7 +4623,7 @@
  • @@ -4622,7 +4658,7 @@
  • @@ -4639,7 +4675,7 @@
  • @@ -4653,7 +4689,7 @@
  • @@ -4667,7 +4703,7 @@
  • @@ -4683,7 +4719,7 @@
  • @@ -4703,7 +4739,7 @@
  • @@ -4719,7 +4755,7 @@
  • @@ -4739,7 +4775,7 @@
  • @@ -4754,7 +4790,7 @@
  • @@ -4769,7 +4805,7 @@
  • @@ -4785,7 +4821,7 @@
  • @@ -4800,7 +4836,7 @@
  • @@ -4815,7 +4851,7 @@
  • @@ -4829,7 +4865,7 @@
  • @@ -4848,7 +4884,7 @@
  • @@ -4862,7 +4898,7 @@
  • @@ -4886,7 +4922,7 @@
  • @@ -4903,7 +4939,7 @@
  • @@ -4925,7 +4961,7 @@
  • @@ -4947,7 +4983,7 @@
  • @@ -4969,7 +5005,7 @@
  • @@ -4984,7 +5020,7 @@
  • @@ -4999,7 +5035,7 @@
  • @@ -5014,7 +5050,7 @@
  • @@ -5029,7 +5065,7 @@
  • @@ -5091,7 +5127,7 @@
  • @@ -5105,7 +5141,7 @@
  • @@ -5122,7 +5158,7 @@
  • @@ -5136,7 +5172,7 @@
  • @@ -5151,7 +5187,7 @@
  • @@ -5165,7 +5201,7 @@
  • @@ -5182,7 +5218,7 @@
  • @@ -5199,7 +5235,7 @@
  • @@ -5208,6 +5244,24 @@
    60
  • + +
    Disable unicode usernames. By default Velociraptor allows +usernames to consist of any Unicode character for i8n support, +however this opens the possibility for Homoglyph attacks. Setting +the following to true will restrict usernames to the set a-z and +0-9
    +
  • + + + + + +
    false
    +
  • @@ -5221,7 +5275,7 @@
  • @@ -5235,7 +5289,7 @@
  • @@ -5253,7 +5307,7 @@
  • @@ -5266,7 +5320,7 @@
  • @@ -5282,7 +5336,7 @@
diff --git a/content/knowledge_base/tips/collect_artifact_unknown.md b/content/knowledge_base/tips/collect_artifact_unknown.md
new file mode 100644
index 00000000000..5721e413517
--- /dev/null
+++ b/content/knowledge_base/tips/collect_artifact_unknown.md
@@ -0,0 +1,86 @@
+# Error "Parameter refers to an unknown artifact" when collecting a CLIENT artifact
+
+Before an artifact is collected from the client, the artifact is
+compiled into a VQL request by the artifact compiler. This actually
+transforms the vql and injects dependent artifacts into the request so
+the client can evaluate it. The client's VQL engine will **never** use
+built in artifacts and must always have artifacts injected in the request.
+
+The reason for that is that if an artifact is updated on the server
+(e.g. by upgrading the server or edit the custom artifact) the client
+must be given the latest version of the artifact.
+
+When the VQL compiler sees a statement like:
+
+```vql
+SELECT * FROM Artifact.Dependant.Artifact()
+```
+
+It will recognize the the the VQL is dependent on the artifact
+`Dependent.Artifact` and will inject it into the VQL request. You can
+see this in the `Request` tab - the `artifacts` section of the request
+will include dependent artifact definitions (in this case the artifact
+calls `Generic.Utils.FetchBinary`).
+
+```json
+[
+ {
+ "session_id": "F.CR3B2IIN3E8GK",
+ "request_id": "1",
+ "FlowRequest": {
+ "VQLClientActions": [
+ {
+ "query_id": "1",
+ "total_queries": "1",
+ ....
+ "artifacts": [
+ {
+ "name": "Generic.Utils.FetchBinary",
+ "parameters": [
+```
+
+This issue comes up commonly in two scenarios:
+
+### Using the VQL shell to collect a custom artifact
+
+In this case the GUI will collect the artifact `Generic.Client.VQL`
+which essentially evaluates the query provided as a string on the
+client.
+
+Because the query is given as an opaque string parameter, the artifact
+compiler does not see any dependencies and can not inject them into
+the request. Built in artifacts are allowed in this case but custom
+artifacts are not supported.
+
+If you need to collect a custom artifact from the endpoint, just
+collect it as normal - do not use the VQL shell for that.
+
+### Using the `collect()` plugin on the client to prepare a collection zip file.
+
+Another similar issue occurs when writing a custom artifact that uses
+the `collect()` plugin. Similarly because the artifacts to collect are
+given as strings, the compiler has no idea these are a dependency.
+
+For example this VQL code
+
+```vql
+SELECT * from collect(artifacts=['Generic.Collectors.File'],
+ args=dict(`Generic.Collectors.File`=dict(`collectionSpec`=collectionSpec,
+ `Root`=Root)),
+ password='infected',
+ output=tempzip)
+```
+
+To fix this artifact the `Generic.Collectors.File` artifact must be
+given as a dependency. Either include it in the artifact's `import`
+section or add the following VQL statement:
+
+```vql
+LET _ = SELECT * FROM Artifact.Generic.Collectors.File()
+```
+
+That statement will not actually run the artifact (it is a lazy LET
+statement) but the compiler's static analyzer will identify the
+artifact as a dependency and be able to inject it into the request.
+
+Tags: #vql
diff --git a/content/knowledge_base/tips/deleting_old_data.md b/content/knowledge_base/tips/deleting_old_data.md
index 1d5f06ec2ff..18076d03854 100644
--- a/content/knowledge_base/tips/deleting_old_data.md
+++ b/content/knowledge_base/tips/deleting_old_data.md
@@ -45,3 +45,5 @@ You can automatically delete old collections using the
 ](/artifact_references/pages/server.utils.deletemonitoringdata/)
 artifacts. These are server artifacts which can delete flows and
 monitoring data older than the specified time.
+
+Tags: #configuration #deployment
diff --git a/content/vql_reference/basic/_index.md b/content/vql_reference/basic/_index.md
index b9dac126927..ba1fd4b27a2 100644
--- a/content/vql_reference/basic/_index.md
+++ b/content/vql_reference/basic/_index.md
@@ -21,7 +21,7 @@ or in condition clauses (i.e. after the `WHERE` keyword).
 {{% /notice %}}
 |Plugin/Function|Type|Description|
 |-|-|-|
-|[array](array)|Function|Create an array with all the args|
+|[array](array)|Function|Create an array|
 |[atexit](atexit)|Function|Install a query to run when the query is unwound|
 |[atoi](atoi)|Function|Convert a string to an integer|
 |[base64decode](base64decode)|Function|Decodes a base64 encoded string|
diff --git a/content/vql_reference/basic/array/_index.md b/content/vql_reference/basic/array/_index.md
index 1dd3107cba3..72581ed8c4d 100644
--- a/content/vql_reference/basic/array/_index.md
+++ b/content/vql_reference/basic/array/_index.md
@@ -16,23 +16,51 @@ no_edit: true
 ### Description
-Create an array with all the args.
+Create an array.
-This function accepts arbitrary arguments and creates an array by
-flattening the arguments.
-
-### Examples
+This function is the array constructor. It can be used to build an
+array from a number of args (Note that since VQL always uses
+keyword args you need to give each arg a name but this name is
+actually ignored in this function):
 ```vql
 array(a=1, b=2) -> [1, 2]
 ```
-You can use this to flatten a subquery as well:
+The function does not flatten the arguments so providing lists as
+parameters will form a nested list:
+
+```vql
+array(a=[1,2]) -> [ [1, 2] ]
+```
+
+You can use the `_` argument to build the array from another
+object:
+
+```vql
+array(_=[1, 2]) -> [1, 2]
+```
+
+You can use a subquery to built the object from another
+query. This is called `materializing` the query because the query
+will be expanded into memory (be careful about materializing a
+very large query here!)
+
+Note that materializing a query will give a list of dicts() since
+each row in a query is a dict.
+
+```vql
+array(_={ SELECT User FROM Artifact.Windows.System.Users() }) -> [{"User": "Bob"}, {"User": "Fred"}]
+```
+
+To collapse to a simple list of users, simply reference the User
+field:
 ```vql
-SELECT array(a1={ SELECT User FROM Artifact.Windows.System.Users() }) as Users FROM scope()
+array(_={ SELECT User FROM Artifact.Windows.System.Users() }).User -> ["Bob", "Fred"]
 ```
-Will return a single row with Users being an array of names.
+This works because the `.` operator on a list, creates another
+list with the `.` operator applying on each member.
diff --git a/content/vql_reference/basic/atexit/_index.md b/content/vql_reference/basic/atexit/_index.md
index a5d46638bc6..a08649802a2 100644
--- a/content/vql_reference/basic/atexit/_index.md
+++ b/content/vql_reference/basic/atexit/_index.md
@@ -19,7 +19,8 @@ no_edit: true
 Arg | Description | Type
 ----|-------------|-----
-query|A VQL Query to parse and execute.|Any (required)
+query|A VQL Query to parse and execute.
+|Any (required)
 env|A dict of args to insert into the scope.|ordereddict.Dict
 timeout|How long to wait for destructors to run (default 60 seconds).|uint64
diff --git a/content/vql_reference/basic/timestamp/_index.md b/content/vql_reference/basic/timestamp/_index.md
index 33653c7e99e..a45a73d0f87 100644
--- a/content/vql_reference/basic/timestamp/_index.md
+++ b/content/vql_reference/basic/timestamp/_index.md
@@ -24,7 +24,6 @@ cocoatime||int64
 mactime|HFS+|int64
 winfiletime||int64
 string|Guess a timestamp from a string|string
-timezone|A default timezone (UTC)|string
 format|A format specifier as per the Golang time.Parse|string
 ### Description
@@ -83,6 +82,26 @@ SELECT timestamp(string="8/30/2021 6:01:28 PM",
 FROM scope()
 ```
+If the timestamp is ambiguous - i.e. does not specify a timezone
+you can provide a timezone hint using the `PARSE_TZ` VQL
+variable. This will only be used if the timestamp is ambiguous. If
+`PARSE_TZ` is `local` then we use the local timezone on the
+endpoint.
+
+For example:
+
+```vql
+LET PARSE_TZ <= "local"
+
+SELECT timestamp(string="Thu Aug 29 2024 21:03"),
+ timestamp(string="Thu Aug 29 2024 21:03 CEST")
+FROM scope()
+```
+
+The first timestamp will be parsed according to the local timezone
+because it is ambiguous. However, the second timestamp is not
+ambiguous and `PARSE_TZ` has no effect.
+
 Internally VQL uses Golang's
 [time.Time](https://golang.org/pkg/time/#Time) object to represent
 times and this is what is returned by the `timestamp()` VQL
diff --git a/content/vql_reference/event/watch_etw/_index.md b/content/vql_reference/event/watch_etw/_index.md
index 10afc670571..dad5dffa42e 100644
--- a/content/vql_reference/event/watch_etw/_index.md
+++ b/content/vql_reference/event/watch_etw/_index.md
@@ -26,6 +26,9 @@ all|All Keywords |uint64
 level|Log level (0-5)|int64
 stop|If provided we stop watching automatically when this lambda returns true|Lambda
 timeout|If provided we stop after this much time|uint64
+capture_state|If true, capture the state of the provider when the event is triggered|bool
+enable_map_info|Resolving MapInfo with TdhGetEventMapInformation is very expensive and causes events to be dropped so we disabled it by default. Enable with this flag.|bool
+description|Description for this GUID provider|string
 ### Description
diff --git a/content/vql_reference/misc/_index.md b/content/vql_reference/misc/_index.md
index 623d9667e16..acbc46403ab 100644
--- a/content/vql_reference/misc/_index.md
+++ b/content/vql_reference/misc/_index.md
@@ -17,6 +17,7 @@ Miscellaneous plugins not yet categorized.
 |[backup](backup)|Plugin|Generates a backup file|
 |[backup_restore](backup_restore)|Plugin|Restore state from a backup file|
 |[base85decode](base85decode)|Function|Decode a base85 encoded string|
+|[carve_usn](carve_usn)|Plugin|Carve for the USN journal entries from a device|
 |[client_create](client_create)|Function|Create a new client in the data store|
 |[create_notebook_download](create_notebook_download)|Function|Creates a notebook export zip file|
 |[delay](delay)|Plugin|Executes 'query' and delays relaying the rows by the specified number of seconds|
@@ -34,6 +35,7 @@ Miscellaneous plugins not yet categorized.
 |[hunt_update](hunt_update)|Function|Update a hunt|
 |[import](import)|Function|Imports an artifact into the current scope|
 |[leveldb](leveldb)|Plugin|Enumerate all items in a level db database|
+|[link_to](link_to)|Function|Create a url linking to a particular part in the Velociraptor GUI|
 |[logging](logging)|Plugin|Watch the logs emitted by the server|
 |[logscale_upload](logscale_upload)|Plugin|Upload rows to LogScale ingestion server|
 |[lru](lru)|Function|Creates an LRU object|
@@ -45,12 +47,14 @@ Miscellaneous plugins not yet categorized.
 |[notebook_create](notebook_create)|Function|Create a new notebook|
 |[notebook_export](notebook_export)|Function|Exports a notebook to a zip file or HTML|
 |[notebook_get](notebook_get)|Function|Get a notebook|
+|[notebook_update](notebook_update)|Function|Update a notebook metadata|
 |[notebook_update_cell](notebook_update_cell)|Function|Update a notebook cell|
 |[org](org)|Function|Return the details of the current org|
 |[org_create](org_create)|Function|Creates a new organization|
 |[org_delete](org_delete)|Function|Deletes an Org from the server|
 |[orgs](orgs)|Plugin|Retrieve the list of orgs on this server|
 |[panic](panic)|Plugin|Crash the program with a panic!|
+|[parse_journald](parse_journald)|Plugin|Parse a journald file|
 |[passwd](passwd)|Function|Updates the user's password|
 |[pe_dump](pe_dump)|Function|Dump a PE file from process memory|
 |[pk_decrypt](pk_decrypt)|Function|Decrypt files using pubkey encryption|
@@ -74,16 +78,26 @@ Miscellaneous plugins not yet categorized.
 |[server_frontend_cert](server_frontend_cert)|Function|Get Server Frontend Certificate|
 |[sigma](sigma)|Plugin|Evaluate sigma rules|
 |[sigma_log_sources](sigma_log_sources)|Function|Constructs a Log sources object to be used in sigma rules|
+|[similarity](similarity)|Function|Compare two Dicts for similarity|
 |[stat](stat)|Function|Get file information|
 |[sysinfo](sysinfo)|Function|Collect system information on Linux clients|
+|[threads](threads)|Plugin|Enumerate threads in a process|
+|[timeline_delete](timeline_delete)|Function|Delete a super timeline|
+|[timelines](timelines)|Plugin|List all timelines in a notebook|
+|[timestamp_format](timestamp_format)|Function|Format a timestamp into a string|
 |[tlsh_hash](tlsh_hash)|Function|Calculate the tlsh hash of a file|
 |[trace](trace)|Function|Upload a trace file|
 |[upload_azure](upload_azure)|Function|Upload files to Azure Blob Storage Service|
 |[upload_smb](upload_smb)|Function|Upload files using the SMB file share protocol|
 |[user](user)|Function|Retrieves information about the Velociraptor user|
 |[user_grant](user_grant)|Function|Grants the user the specified roles|
+|[user_options](user_options)|Function|Update and read the user GUI options|
 |[vfs_ls](vfs_ls)|Plugin|List directory and build a VFS object|
+|[watch_journald](watch_journald)|Plugin|Watch a journald file and stream events from it|
 |[watch_jsonl](watch_jsonl)|Plugin|Watch a jsonl file and stream events from it|
+|[winpmem](winpmem)|Function|Uses the `winpmem` driver to take a memory image|
 |[write_crypto_file](write_crypto_file)|Plugin|Write a query into an encrypted local storage file|
 |[write_jsonl](write_jsonl)|Plugin|Write a query into a JSONL file|
 |[xattr](xattr)|Function|Query a file for the specified extended attribute|
+|[yara](yara)|Plugin|Scan files using yara rules|
+|[yara_lint](yara_lint)|Function|Clean a set of yara rules|
diff --git a/content/vql_reference/misc/carve_usn/_index.md b/content/vql_reference/misc/carve_usn/_index.md
new file mode 100644
index 00000000000..29677ef8257
--- /dev/null
+++ b/content/vql_reference/misc/carve_usn/_index.md
@@ -0,0 +1,51 @@
+---
+title: carve_usn
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## carve_usn
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+device|The device file to open.|OSPath
+image_filename|A raw image to open. You can also provide the accessor if using a raw image file.|OSPath
+accessor|The accessor to use.|string
+mft_filename|A path to a raw $MFT file to use for path resolution.|OSPath
+usn_filename|A path to a raw USN file to carve. If not provided we carve the image file or the device.|OSPath
+
+Required Permissions:
+FILESYSTEM_READ
+
+### Description
+
+Carve for the USN journal entries from a device.
+
+In practice the USN journal is set to roll over fairly quickly
+(default size is usually 32Mb). On busy systems this will lead to
+loss of valuable information.
+
+This plugin carves the raw device for USN entries. Usual caveats
+apply for all carved data, however this will often recover entries
+from a long time before the roll over.
+
+This plugin can take a long time!
+
+Example:
+
+```vql
+SELECT * FROM carve_usn(device='''\\.\C:''')
+```
+
+
diff --git a/content/vql_reference/misc/link_to/_index.md b/content/vql_reference/misc/link_to/_index.md
new file mode 100644
index 00000000000..822c1aa99c4
--- /dev/null
+++ b/content/vql_reference/misc/link_to/_index.md
@@ -0,0 +1,34 @@
+---
+title: link_to
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## link_to
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+type|The type of link. Currently one of collection, hunt, artifact, event|string
+client_id||string
+flow_id||string
+tab|The tab to focus - can be overview, request, results, logs, notebook|string
+text|If specified we emit a markdown style URL with a text|string
+hunt_id|The hunt id to read.|string
+artifact|The artifact to retrieve|string
+org|If set the link accesses a different org. Otherwise we accesses the current org.|string
+
+### Description
+
+Create a url linking to a particular part in the Velociraptor GUI.
+
diff --git a/content/vql_reference/misc/notebook_get/_index.md b/content/vql_reference/misc/notebook_get/_index.md
index 40566d81e49..85109f11038 100644
--- a/content/vql_reference/misc/notebook_get/_index.md
+++ b/content/vql_reference/misc/notebook_get/_index.md
@@ -20,6 +20,7 @@ no_edit: true
 Arg | Description | Type
 ----|-------------|-----
 notebook_id|The id of the notebook to fetch|string (required)
+verbose|Include more information|bool
 Required Permissions:
 READ_RESULTS
diff --git a/content/vql_reference/misc/notebook_update/_index.md b/content/vql_reference/misc/notebook_update/_index.md
new file mode 100644
index 00000000000..d468a5de64a
--- /dev/null
+++ b/content/vql_reference/misc/notebook_update/_index.md
@@ -0,0 +1,35 @@
+---
+title: notebook_update
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## notebook_update
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+notebook_id|The id of the notebook to update|string (required)
+description|The description of the notebook|string
+collaborators|A list of users to share the notebook with.|list of string
+public|If set the notebook will be public.|bool
+attachment|Raw data of an attachment to be added to the notebook|string
+attachment_filename|The name of the attachment|string
+
+Required Permissions:
+COLLECT_SERVER
+
+### Description
+
+Update a notebook metadata.
+
diff --git a/content/vql_reference/misc/parse_journald/_index.md b/content/vql_reference/misc/parse_journald/_index.md
new file mode 100644
index 00000000000..a88dc181ed6
--- /dev/null
+++ b/content/vql_reference/misc/parse_journald/_index.md
@@ -0,0 +1,32 @@
+---
+title: parse_journald
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## parse_journald
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+filename|A list of journal log files to parse.|list of OSPath (required)
+accessor|The accessor to use.|string
+raw|Emit raw events (no parsed).|bool
+
+Required Permissions:
+FILESYSTEM_READ
+
+### Description
+
+Parse a journald file.
+
diff --git a/content/vql_reference/misc/profile_goroutines/_index.md b/content/vql_reference/misc/profile_goroutines/_index.md
index 77e19e5e2c6..6c2cf6b05c7 100644
--- a/content/vql_reference/misc/profile_goroutines/_index.md
+++ b/content/vql_reference/misc/profile_goroutines/_index.md
@@ -14,6 +14,13 @@ no_edit: true
 Plugin
+
+
+
+Arg | Description | Type
+----|-------------|-----
+verbose|Emit information in verbose form.|bool
+
 Required Permissions:
 MACHINE_STATE
diff --git a/content/vql_reference/misc/query/_index.md b/content/vql_reference/misc/query/_index.md
index 5ae3824eabe..6cf2cf4137b 100644
--- a/content/vql_reference/misc/query/_index.md
+++ b/content/vql_reference/misc/query/_index.md
@@ -21,6 +21,7 @@ Arg | Description | Type
 ----|-------------|-----
 query|A VQL Query to parse and execute.|Any (required)
 env|A dict of args to insert into the scope.|ordereddict.Dict
+copy_env|A list of variables in the current scope that will be copied into the new scope.|list of string
 cpu_limit|Average CPU usage in percent of a core.|float64
 iops_limit|Average IOPs to target.|float64
 timeout|Cancel the query after this many seconds|float64
@@ -39,4 +40,117 @@ Evaluate a VQL query.
 This plugin is useful for evaluating a query in a different
 environment or context, or turning a string into a query.
+The query provided by the `query` parameter can be a string, in
+which case it is parsed as a VQL expression, or a VQL expression.
+
+When we evaluate the query, it runs in an isolated scope. This
+means that usually variables defined outside the query plugin are
+not visible inside the query.
+
+You can use the `env` parameter to specify a dict of variables
+that will be visible inside the query. This allows to control how
+variables are shared between the new isolated scope and the
+existing scope outside the query.
+
+Below we describe a few quirks that users might encounter with
+this plugin.
+
+## Custom artifacts
+
+The isolated scope does not contain any artifacts by
+default. Usually artifacts are accessible from VQL using the
+`Artifact` plugin, for example the following accesses the
+`Custom.VQL` artifact:
+
+```sql
+SELECT * FROM Artifact.Custom.VQL()
+```
+
+This will not work in the query plugin because the scope is
+isolated. If you want to use the `Artifact` plugin in the new
+scope you need to pass it through the `env` variable:
+
+```sql
+SELECT * FROM query(query={
+ SELECT * FROM Artifact.Custom.VQL()
+}, env=dict(artifact=Artifact))
+```
+
+## Remapping rules
+
+When using the `remap()` function to install a new remapping
+configuration, the remapping applies on the current scope and
+affect all further VQL statements after the `remap()` function is
+evaluated. This means that it is impossible to revoke the
+remapping configuration and restore the scope.
+
+For this reason we recommend that remapping rules be applied
+inside an isolated `query()` scope. This way the remapping will
+only apply for the like of the `query()` plugin invocation.
+
+## Using LET statements inside the query
+
+The `query` parameter can specify a VQL statement or a string
+which will be parsed into a VQL statement. If you use a VQL
+statement it is no possible to use a LET expression (since LET is
+a separate statement). So this is not valid VQL syntax:
+
+```sql
+SELECT * FROM query(query={
+ LET Foo(X) = ....
+ SELECT * FROM Foo(X=1)
+})
+```
+
+You can define the LET statements outside the query block and pass them in:
+```sql
+LET Foo(X) = ....
+
+SELECT * FROM query(query={
+ SELECT * FROM Foo(X=1)
+}, env=dict(Foo=Foo))
+```
+
+Or declare the VQL block as a string;
+SELECT * FROM query(query='''
+ LET Foo(X) = ....
+ SELECT * FROM Foo(X=1)
+''')
+```
+
+## Running a query in a different org
+
+Normally a VQL query runs in the org context in which it was
+started. However sometimes it is useful to run in different
+context. The `query()` plugin allows you to execute the query in
+another scope context created within a different org.
+
+To do this your user account must be sufficient permissions in the
+target org (The query will use the user's ACL permissions token
+for the target org).
+
+For example the following query lists all the clients from all orgs:
+
+```vql
+SELECT *
+FROM foreach(row={
+ SELECT OrgId
+ FROM orgs()
+}, query={
+ SELECT *, OrgId
+ FROM query(query={ SELECT client_id FROM clients() }, org_id=OrgId)
+})
+```
+
+## Running as a different user
+
+You can specify a different user to run the VQL. This will load
+the other user's ACL token and username (basically this acts like
+the Linux `sudo` command).
+
+You need to have the IMPERSONATION ACL permission to be able to do
+this (Usually only admins have it). This permission is equivalent
+to administrator because a user with this permission can become
+any user they want including the administrator.
+
diff --git a/content/vql_reference/misc/similarity/_index.md b/content/vql_reference/misc/similarity/_index.md
new file mode 100644
index 00000000000..861cbb7118e
--- /dev/null
+++ b/content/vql_reference/misc/similarity/_index.md
@@ -0,0 +1,28 @@
+---
+title: similarity
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## similarity
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+set1|The first set to compare.|ordereddict.Dict (required)
+set2|The second set to compare.|ordereddict.Dict (required)
+
+### Description
+
+Compare two Dicts for similarity.
+
diff --git a/content/vql_reference/misc/threads/_index.md b/content/vql_reference/misc/threads/_index.md
new file mode 100644
index 00000000000..0d0efcbf917
--- /dev/null
+++ b/content/vql_reference/misc/threads/_index.md
@@ -0,0 +1,30 @@
+---
+title: threads
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## threads
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+pid|The PID to get the thread for.|int64 (required)
+
+Required Permissions:
+MACHINE_STATE
+
+### Description
+
+Enumerate threads in a process.
+
diff --git a/content/vql_reference/misc/timeline_delete/_index.md b/content/vql_reference/misc/timeline_delete/_index.md
new file mode 100644
index 00000000000..5317cc90251
--- /dev/null
+++ b/content/vql_reference/misc/timeline_delete/_index.md
@@ -0,0 +1,31 @@
+---
+title: timeline_delete
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## timeline_delete
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+timeline|Supertimeline to add to. If a super timeline does not exist, creates a new one.|string (required)
+notebook_id|The notebook ID the timeline is stored in.|string
+
+Required Permissions:
+NOTEBOOK_EDITOR
+
+### Description
+
+Delete a super timeline.
+
diff --git a/content/vql_reference/misc/timelines/_index.md b/content/vql_reference/misc/timelines/_index.md
new file mode 100644
index 00000000000..af2eabbef9d
--- /dev/null
+++ b/content/vql_reference/misc/timelines/_index.md
@@ -0,0 +1,30 @@
+---
+title: timelines
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## timelines
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+notebook_id|The notebook ID the timeline is stored in.|string
+
+Required Permissions:
+READ_RESULTS
+
+### Description
+
+List all timelines in a notebook
+
diff --git a/content/vql_reference/misc/timestamp_format/_index.md b/content/vql_reference/misc/timestamp_format/_index.md
new file mode 100644
index 00000000000..9632d940aa0
--- /dev/null
+++ b/content/vql_reference/misc/timestamp_format/_index.md
@@ -0,0 +1,47 @@
+---
+title: timestamp_format
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## timestamp_format
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+time|Time to format|Any (required)
+format|A format specifier as per the Golang time.Format. Additionally any constants specified in https://pkg.go.dev/time#pkg-constants can be used.|string
+
+### Description
+
+Format a timestamp into a string.
+
+This uses the same type of format string as described
+https://pkg.go.dev/time#Time.Format . You can also use any of the
+constants described in https://pkg.go.dev/time#pkg-constants as a
+shorthand to common time formatting directives.
+
+The output timezone is UTC by default but can be changed using the
+`TZ` VQL variable.
+
+Example:
+
+```vql
+LET TZ="Europe/Berlin"
+
+SELECT timestamp_format(time=now(), format="RFC3339") FROM scope()
+
+> "2024-08-29T02:05:23+02:00"
+```
+
+
diff --git a/content/vql_reference/misc/user_options/_index.md b/content/vql_reference/misc/user_options/_index.md
new file mode 100644
index 00000000000..6e68fe339e7
--- /dev/null
+++ b/content/vql_reference/misc/user_options/_index.md
@@ -0,0 +1,51 @@
+---
+title: user_options
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## user_options
+Function
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+user|The user to create or update.|string (required)
+theme|Set the user's theme.|string
+timezone|Set the user's timezone.|string
+lang|Set the user's language.|string
+org|Set the user's default org id.|string
+links|Set the user's default links. This should be a list of dicts with columns: type, text, url, icon_url, new_tab, encode, parameter, method, disabled.|StoredQuery
+default_password|Set the user's default password for Zip Exports.|string
+
+### Description
+
+Update and read the user GUI options
+
+Example: The following will set the user language to french, dark
+theme and add a sidebar link named Foobar. The default password
+for Zip exports will also be set to `foorbar`.
+
+```vql
+SELECT user_options(user=whoami(),
+ lang="fr",
+ theme="veloci-dark",
+ links=[dict(
+ text="Foobar",
+ url="https://www.google.com",
+ type="sidebar",
+ new_tab=TRUE), ],
+ default_password="foobar")
+FROM scope()
+```
+
+
diff --git a/content/vql_reference/misc/watch_journald/_index.md b/content/vql_reference/misc/watch_journald/_index.md
new file mode 100644
index 00000000000..76ed056fa24
--- /dev/null
+++ b/content/vql_reference/misc/watch_journald/_index.md
@@ -0,0 +1,32 @@
+---
+title: watch_journald
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## watch_journald
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+filename|A list of journal log files to parse.|list of OSPath (required)
+accessor|The accessor to use.|string
+raw|Emit raw events (no parsed).|bool
+
+Required Permissions:
+FILESYSTEM_READ
+
+### Description
+
+Watch a journald file and stream events from it.
+
diff --git a/content/vql_reference/misc/winpmem/_index.md b/content/vql_reference/misc/winpmem/_index.md
new file mode 100644
index 00000000000..b6574ac8e7b
--- /dev/null
+++ b/content/vql_reference/misc/winpmem/_index.md
@@ -0,0 +1,59 @@
+---
+title: winpmem
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
    + + +## winpmem +Function + + + +
    + +Arg | Description | Type +----|-------------|----- +service|The name of the driver service to install.|string +image_path|If specified we write a physical memory image on this path.|string +compression|When writing a memory image use this compression (default none) can be none, s2, snappy, gzip.|string + +Required Permissions: +MACHINE_STATE + +### Description + +Uses the `winpmem` driver to take a memory image. + +This plugin is also needed to facilitate the winpmem accessor. + +When the `image_path` parameter is not set this function will load +the `winpmem` driver until the scope is destroyed at the end of +the query (where the driver will be unloaded). + +If the `image_path` parameter is give, the path will be used to +create a raw memory image. The image can be compressed using a +number of algorithms such as: + +1. None - no compression (default) + +2. S2 or snappy - these are fast algorithms with poor compression + ratio but should result in some speed up over no compression. + +3. The Gzip method is used to produce a compatible gzip file. This + is very slow and so it is not suitable for large memory systems + as there will be too much smear. + + +# Example + +```vql +SELECT winpmem(image_path='c:/test.dd', compression='s2') FROM scope()" +``` + + diff --git a/content/vql_reference/misc/yara/_index.md b/content/vql_reference/misc/yara/_index.md new file mode 100644 index 00000000000..efe6f974442 --- /dev/null +++ b/content/vql_reference/misc/yara/_index.md @@ -0,0 +1,40 @@ +--- +title: yara +index: true +noTitle: true +no_edit: true +--- + + + +
    + + +## yara +Plugin + + + +
    + +Arg | Description | Type +----|-------------|----- +rules|Yara rules in the yara DSL or after being compiled by the yarac compiler.|string +files|The list of files to scan.|list of Any (required) +accessor|Accessor (e.g. ntfs,file)|string +context|How many bytes to include around each hit|int +start|The start offset to scan|uint64 +end|End scanning at this offset (100mb)|uint64 +number|Stop after this many hits (1).|int64 +blocksize|Blocksize for scanning (1mb).|uint64 +key|If set use this key to cache the yara rules.|string +namespace|The Yara namespece to use.|string +vars|The Yara variables to use.|ordereddict.Dict + +Required Permissions: +FILESYSTEM_READ + +### Description + +Scan files using yara rules. + diff --git a/content/vql_reference/misc/yara_lint/_index.md b/content/vql_reference/misc/yara_lint/_index.md new file mode 100644 index 00000000000..e7e241b0ada --- /dev/null +++ b/content/vql_reference/misc/yara_lint/_index.md @@ -0,0 +1,43 @@ +--- +title: yara_lint +index: true +noTitle: true +no_edit: true +--- + + + +
    + + +## yara_lint +Function + + + +
    + +Arg | Description | Type +----|-------------|----- +rules|A string containing Yara Rules.|string (required) +clean|Remove metadata to make rules smaller.|bool + +### Description + +Clean a set of yara rules. This removed invalid or unsupported rules. + +Velociraptor's yara implementation does not support all the +modules available in Yara - specifically we do not support modules +that require OpenSSL. Sometimes rules that include conditions that +call these unsupported modules are mixed in with many other +supported rules. + +This function lints the rules in a yara rule set and removes rules +which are not supported. The function also automatically adds yara +imports if they are used by any of the rules. + +Additionally, providing the clean parameter will also remove all +the metadata from rules to save space and execution memory for +large rule sets. + + diff --git a/content/vql_reference/parsers/_index.md b/content/vql_reference/parsers/_index.md index 5463c53f422..5234fe6219c 100644 --- a/content/vql_reference/parsers/_index.md +++ b/content/vql_reference/parsers/_index.md @@ -40,7 +40,7 @@ plugins so their results may be used in further queries. |[parse_records_with_regex](parse_records_with_regex)|Plugin|Parses a file with a set of regexp and yields matches as records| |[parse_recyclebin](parse_recyclebin)|Plugin|Parses a $I file found in the $Recycle| |[parse_string_with_regex](parse_string_with_regex)|Function|Parse a string with a set of regex and extract fields| -|[parse_usn](parse_usn)|Plugin|Parse the USN journal from a device| +|[parse_usn](parse_usn)|Plugin|Parse the USN journal from a device, image file or USN file| |[parse_x509](parse_x509)|Function|Parse a DER encoded x509 string into an object| |[parse_xml](parse_xml)|Function|Parse an XML document into a dict like object| |[parse_yaml](parse_yaml)|Function|Parse yaml into an object| 
diff --git a/content/vql_reference/parsers/parse_ntfs/_index.md b/content/vql_reference/parsers/parse_ntfs/_index.md index 60a062765e5..39a8f74b3c6 100644 --- a/content/vql_reference/parsers/parse_ntfs/_index.md +++ b/content/vql_reference/parsers/parse_ntfs/_index.md @@ -21,6 +21,7 @@ Arg | Description | Type ----|-------------|----- device|The device file to open. This may be a full path for example C:\Windows - we will figure out the device automatically.|string filename|A raw image to open. You can also provide the accessor if using a raw image file.|OSPath +mft_filename|A path to a raw $MFT file to parse.|OSPath accessor|The accessor to use.|string inode|The MFT entry to parse in inode notation (5-144-1).|string mft|The MFT entry to parse.|int64 @@ -34,7 +35,7 @@ This function retrieves more information about a specific MFT entry including listing all its attributes. It can either operate on an image file or the raw device (on -windows). +windows), or alternatively you can provide a raw $MFT file. ### Example: @@ -48,4 +49,20 @@ FROM scope() You can get the MFT entry number from `parse_mft()` or from the Data attribute of a `glob()` using the `ntfs` accessor. +### Example 2: Using a raw $MFT file + +If you have previously collected the $MFT file (e.g. using the +`Windows.KapeFiles.Targets` artifact, you can use `parse_ntfs()` +to get more information about each MFT entry: + +```vql +SELECT EntryNumber, OSPath, + parse_ntfs(mft_filename=MFTFile, mft=EntryNumber) AS Details +FROM parse_mft(filename=MFTFile) +``` + +Note that the raw $MFT file is sometimes not sufficient to +reconstruct all attributes (for example if attributes are not +stored in the $MFT but in external clusters). + diff --git a/content/vql_reference/parsers/parse_ntfs_i30/_index.md b/content/vql_reference/parsers/parse_ntfs_i30/_index.md index 9923d1aabe3..6ed894a0650 100644 --- a/content/vql_reference/parsers/parse_ntfs_i30/_index.md +++ b/content/vql_reference/parsers/parse_ntfs_i30/_index.md 
@@ -21,6 +21,7 @@ Arg | Description | Type ----|-------------|----- device|The device file to open. This may be a full path for example C:\Windows - we will figure out the device automatically.|string filename|A raw image to open. You can also provide the accessor if using a raw image file.|OSPath +mft_filename|A path to a raw $MFT file to parse.|OSPath accessor|The accessor to use.|string inode|The MFT entry to parse in inode notation (5-144-1).|string mft|The MFT entry to parse.|int64 @@ -33,4 +34,7 @@ Scan the $I30 stream from an NTFS MFT entry. This is similar in use to the parse_ntfs() function but parses the $I30 stream. +Note: You can also use a raw $MFT file to operate on - see +`parse_ntfs()` for a full description. + diff --git a/content/vql_reference/parsers/parse_ntfs_ranges/_index.md b/content/vql_reference/parsers/parse_ntfs_ranges/_index.md index a8d96a7ce2c..854990d93c5 100644 --- a/content/vql_reference/parsers/parse_ntfs_ranges/_index.md +++ b/content/vql_reference/parsers/parse_ntfs_ranges/_index.md @@ -21,6 +21,7 @@ Arg | Description | Type ----|-------------|----- device|The device file to open. This may be a full path for example C:\Windows - we will figure out the device automatically.|string filename|A raw image to open. You can also provide the accessor if using a raw image file.|OSPath +mft_filename|A path to a raw $MFT file to parse.|OSPath accessor|The accessor to use.|string inode|The MFT entry to parse in inode notation (5-144-1).|string mft|The MFT entry to parse.|int64 @@ -30,3 +31,7 @@ mft_offset|The offset to the MFT entry to parse.|int64 Show the run ranges for an NTFS stream. +Note: You can also use a raw $MFT file to operate on - see +`parse_ntfs()` for a full description. + + diff --git a/content/vql_reference/parsers/parse_usn/_index.md b/content/vql_reference/parsers/parse_usn/_index.md index c70b1e44b22..097d1d0d856 100644 --- a/content/vql_reference/parsers/parse_usn/_index.md 
+++ b/content/vql_reference/parsers/parse_usn/_index.md @@ -19,11 +19,30 @@ no_edit: true Arg | Description | Type ----|-------------|----- -device|The device file to open.|OSPath (required) +device|The device file to open.|OSPath +image_filename|A raw image to open. You can also provide the accessor if using a raw image file.|OSPath accessor|The accessor to use.|string +mft_filename|A path to a raw $MFT file to use for path resolution.|OSPath +usn_filename|A path to a raw USN file to parse. If not provided we extract it from the Device or Image file.|OSPath start_offset|The starting offset of the first USN record to parse.|int64 +fast_paths|If set we resolve full paths using faster but less accurate algorithm.|bool + +Required Permissions: +FILESYSTEM_READ ### Description -Parse the USN journal from a device. +Parse the USN journal from a device, image file or USN file. + +This plugin calculates the full path of a USN entry by tracing its +parent MFT entries through the MFT file. The MFT can be found in +the same device or image that the USN is read from, or provided +separately using a different file. + +The plugin also considers information from the USN itself in +resolving the full path. This technique is described here +https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/ in detail but it +can result in more accurate path resolution when the directories +have also been removed. + diff --git a/content/vql_reference/plugin/_index.md b/content/vql_reference/plugin/_index.md index 62e33bd971a..9fb5f500508 100644 --- a/content/vql_reference/plugin/_index.md +++ b/content/vql_reference/plugin/_index.md @@ -76,4 +76,3 @@ or in condition clauses (i.e. after the `WHERE` keyword). |[upload_s3](upload_s3)|Function|Upload files to S3| |[whoami](whoami)|Function|Returns the username that is running the query| |[write_csv](write_csv)|Plugin|Write a query into a CSV file| -|[yara](yara)|Plugin|Scan files using yara rules| 
diff --git a/content/vql_reference/plugin/collect/_index.md b/content/vql_reference/plugin/collect/_index.md index 8a18a0c8be0..b177edb6ee8 100644 --- a/content/vql_reference/plugin/collect/_index.md +++ b/content/vql_reference/plugin/collect/_index.md @@ -35,6 +35,7 @@ progress_timeout|If no progress is detected in this many seconds, we terminate t timeout|Total amount of time in seconds, this collection will take. Collection is cancelled when timeout is exceeded.|float64 metadata|Metadata to store in the zip archive. Outputs to metadata.json in top level of zip file.|StoredQuery concurrency|Number of concurrent collections.|int64 +remapping|A Valid remapping configuration in YAML or JSON format.|string Required Permissions: FILESYSTEM_WRITE diff --git a/content/vql_reference/server/clients/_index.md b/content/vql_reference/server/clients/_index.md index c5494376266..4dced51bacb 100644 --- a/content/vql_reference/server/clients/_index.md +++ b/content/vql_reference/server/clients/_index.md @@ -20,8 +20,6 @@ no_edit: true Arg | Description | Type ----|-------------|----- search|Client search string. Can have the following prefixes: 'label:', 'host:'|string -start|First client to fetch (0)'|uint64 -count|Maximum number of clients to fetch (1000)'|uint64 client_id||string Required Permissions: diff --git a/content/vql_reference/server/splunk_upload/_index.md b/content/vql_reference/server/splunk_upload/_index.md index d3ad55184ea..fc27fff47bc 100644 --- a/content/vql_reference/server/splunk_upload/_index.md +++ b/content/vql_reference/server/splunk_upload/_index.md 
@@ -23,9 +23,9 @@ query|Source for rows to upload.|StoredQuery (required) threads|How many threads to use.|int64 url|The Splunk Event Collector URL.|string (required) token|Splunk HEC Token.|string -index|The name of the index to upload to.|string (required) -source|The source field for splunk. If not specified this will be 'velociraptor'.|string -sourcetype|The sourcetype field for splunk. If not specified this will 'vql'|string +index|The name of the index to upload to. If not specified, ensure a column is named _splunk_index.|string (required) +source|The source field for splunk. If not specified ensure a column is named _splunk_source or this will be 'velociraptor'.|string +sourcetype|The sourcetype field for splunk. If not specified ensure a column is named _splunk_source_type or this will 'vql'|string chunk_size|The number of rows to send at the time.|int64 skip_verify|Skip SSL verification(default: False).|bool root_ca|As a better alternative to skip_verify, allows root ca certs to be added here.|string diff --git a/content/vql_reference/server/timeline/_index.md b/content/vql_reference/server/timeline/_index.md index d5fd494cca0..0bf46c2bbc9 100644 --- a/content/vql_reference/server/timeline/_index.md +++ b/content/vql_reference/server/timeline/_index.md @@ -20,6 +20,7 @@ no_edit: true Arg | Description | Type ----|-------------|----- timeline|Name of the timeline to read|string (required) +components|List of child components to include|list of string skip|List of child components to skip|list of string start|First timestamp to fetch|Any notebook_id|The notebook ID the timeline is stored in.|string diff --git a/content/vql_reference/server/timeline_add/_index.md b/content/vql_reference/server/timeline_add/_index.md index bb5018b21dd..d6985cab9c9 100644 --- a/content/vql_reference/server/timeline_add/_index.md +++ b/content/vql_reference/server/timeline_add/_index.md 
@@ -19,10 +19,12 @@ no_edit: true Arg | Description | Type ----|-------------|----- -timeline|Supertimeline to add to|string (required) -name|Name of child timeline|string (required) +timeline|Supertimeline to add to. If a super timeline does not exist, creates a new one.|string (required) +name|Name/Id of child timeline to add.|string (required) query|Run this query to generate the timeline.|StoredQuery (required) -key|The column representing the time.|string (required) +key|The column representing the time to key off.|string (required) +message_column|The column representing the message.|string +ts_desc_column|The column representing the timestamp description.|string notebook_id|The notebook ID the timeline is stored in.|string Required Permissions: diff --git a/static/artifact_reference/data.json b/static/artifact_reference/data.json index 38827eca91e..a98a1540ba2 100644 --- a/static/artifact_reference/data.json +++ b/static/artifact_reference/data.json @@ -433,7 +433,7 @@ }, { "title": "Linux.Debian.Packages", - "description": "Parse dpkg status file.", + "description": "List all packages installed on the system, both deb packages and \"snaps\".\nThe installed deb package information is fetched from the DPKG status file,\nwhile the snap package list is fetched from the snap daemon through a UNIX\nsocket HTTP call (since detailed snap package information is not easily\nin files).", "link": "/artifact_references/pages/linux.debian.packages", "type": "client", "tags": [ 
@@ -503,15 +503,6 @@ "Client Artifact" ] }, - { - "title": "Linux.KapeFiles.CollectFromDirectory", - "description": "\nKape is a popular bulk collector tool for triaging a system\nquickly. While KAPE itself is not an opensource tool, the logic it\nuses to decide which files to collect is encoded in YAML files\nhosted on the KapeFiles project\n(https://github.com/EricZimmerman/KapeFiles) and released under an\nMIT license.", - "link": "/artifact_references/pages/linux.kapefiles.collectfromdirectory", - "type": "client", - "tags": [ - "Client Artifact" - ] - }, { "title": "Linux.Mounts", "description": "List mounted filesystems by reading /proc/mounts", @@ -800,6 +791,15 @@ "Client Artifact" ] }, + { + "title": "Linux.Utils.InstallDeb", + "description": "Install a deb package and configure it with debconf answers. The package\nmay either be specified by name or be an uploaded file. If the package\nalready exists, it may be optionally reconfigured with debconf answers.\n", + "link": "/artifact_references/pages/linux.utils.installdeb", + "type": "client", + "tags": [ + "Client Artifact" + ] + }, { "title": "LogScale.Events.Clients", "description": "This server side event monitoring artifact will watch a selection of client\nmonitoring artifacts for new events and push those to a LogScale (formerly\nHumio) ingestion endpoint", @@ -998,6 +998,15 @@ "notebook" ] }, + { + "title": "Notebooks.Timelines", + "description": "The notebook creates a default Super-Timeline.", + "link": "/artifact_references/pages/notebooks.timelines", + "type": "notebook", + "tags": [ + "notebook" + ] + }, { "title": "Notebooks.VQLx2", "description": "A notebook initialized with 2 VQL cells\n", 
@@ -1189,7 +1198,7 @@ }, { "title": "Server.Import.ArtifactExchange", - "description": "This artifact will automatically import the latest\nartifact exchange bundle into the current server.\n", + "description": "This artifact will automatically import the latest artifact\nexchange bundle into the current server.", "link": "/artifact_references/pages/server.import.artifactexchange", "type": "server", "tags": [ @@ -1340,6 +1349,15 @@ "Internal Artifact" ] }, + { + "title": "Server.Internal.ClientScheduled", + "description": "This event will be fired when a client was sent flows to process.\n", + "link": "/artifact_references/pages/server.internal.clientscheduled", + "type": "internal", + "tags": [ + "Internal Artifact" + ] + }, { "title": "Server.Internal.ClientTasks", "description": "This event will be fired when a client has new tasks scheduled.\n", @@ -1466,6 +1484,15 @@ "Internal Artifact" ] }, + { + "title": "Server.Internal.TimelineAdd", + "description": "This artifact will fire whenever a timeline is added to a super\ntimeline. You can use this to monitor for users adding timelines and\nforward them to an external timeline system (e.g. TimeSketch)\n", + "link": "/artifact_references/pages/server.internal.timelineadd", + "type": "server_event", + "tags": [ + "Server Event Artifact" + ] + }, { "title": "Server.Internal.ToolDependencies", "description": "An internal artifact that defines some tool\ndepenencies. Velociraptor releases for offline collector", @@ -1556,6 +1583,15 @@ "Server Event Artifact" ] }, + { + "title": "Server.Monitoring.TimesketchUpload", + "description": "This artifact will automatically upload any Velociraptor timelines to Timesketch.\n", + "link": "/artifact_references/pages/server.monitoring.timesketchupload", + "type": "server_event", + "tags": [ + "Server Event Artifact" + ] + }, { "title": "Server.Orgs.ListOrgs", "description": "This server artifact will list all currently configured orgs on the\nserver.", 
@@ -1666,7 +1702,7 @@ }, { "title": "Server.Utils.CreateMSI", - "description": "Build an MSI ready for deployment in the current org.\n", + "description": "Build an MSI ready for deployment in the current org.", "link": "/artifact_references/pages/server.utils.createmsi", "type": "server", "tags": [ 
@@ -1772,6 +1808,15 @@ "Client Artifact" ] }, + { + "title": "Server.Utils.TimesketchUpload", + "description": "Timesketch is an interactive collaborative timeline analysis tool\nthat can be found at https://timesketch.org/", + "link": "/artifact_references/pages/server.utils.timesketchupload", + "type": "server", + "tags": [ + "Server Artifact" + ] + }, { "title": "Splunk.Flows.Upload", "description": "This server side event monitoring artifact waits for new artifacts\nto be collected from endpoints and automatically uploads those to a\nSplunk server.\nTo configure the event collector properly a couple steps need to be\ncompleted prior to setting up this event:\n 1. Configure an index to ingest the data.\n * Go to Settings > Index.\n * New Index.\n 2. Configure the collector.\n * Go to Settings > Data Inputs > HTTP Event Collector.\n * Add New.\n * Name does not matter, but ensure indexer acknowledgement is OFF.\n * Set `Selected Indexes` to the index configured in step 1.\n * Save API key for this event.\n 3. Set Global settings.\n * Go to Settings > Data Inputs > HTTP Event Collector > Global Settings\n * Ensure `All Tokens` is set to ENABLED\n * Copy the HTTP Port Number for this event\n 4. 
Configure your Splunk props.conf and tranforms.conf\n * Add the following to props.conf\n [vql]\n INDEXED_EXTRACTIONS = json\n DATETIME_CONFIG = CURRENT\n TZ = GMT\n category = Custom\n pulldown_type = 1\n TRANSFORMS-vql-sourcetype = vql-sourcetype,vql-timestamp\n TRUNCATE = 512000\n * Add the following to transforms.conf\n [vql-sourcetype]\n INGEST_EVAL = sourcetype=lower(src_artifact)\n [vql-timestamp]\n INGEST_EVAL = _time=case( \\\n src_artifact=\"artifact_Linux_Search_FileFinder\",strptime(CTime,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_System_VFS_ListDirectory\",strptime(ctime,\"%Y-%m-%dT%H:%M:%S.%NZ\"), \\\n src_artifact=\"artifact_Windows_Timeline_MFT\",strptime(event_time,\"%Y-%m-%dT%H:%M:%S.%NZ\"), \\\n src_artifact=\"artifact_Windows_NTFS_MFT\",strptime(Created0x10,\"%Y-%m-%dT%H:%M:%S.%NZ\"), \\\n src_artifact=\"artifact_Windows_EventLogs_Evtx\",strptime(TimeCreated,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Custom_Windows_EventLogs_System_7045\",strptime(TimeCreated,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_EventLogs_RDPAuth\",strptime(EventTime,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Analysis_EvidenceOfExecution_UserAssist\",strptime(LastExecution,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Analysis_EvidenceOfExecution_Amcache\",strptime(KeyMTime,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_System_Amcache_InventoryApplicationFile\",strptime(LastModified,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Search_FileFinder\",strptime(CTime,\"%Y-%m-%dT%H:%M:%S.%NZ\"), \\\n src_artifact=\"artifact_Windows_Applications_NirsoftBrowserViewer\",strptime(Visited,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Registry_RecentDocs\",strptime(LastWriteTime,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Forensics_UserAccessLogs_Clients\",strptime(InsertDate,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n 
src_artifact=\"artifact_Windows_Forensics_UserAccessLogs_DNS\",strptime(LastSeen,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Forensics_UserAccessLogs_SystemIdentity\",strptime(CreationTime,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Custom_Windows_Application_IIS_IISLogs\",strptime(event_time,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_MacOS_Applications_Chrome_History\",strptime(last_visit_time,\"%Y-%m-%dT%H:%M:%SZ\"), \\\n src_artifact=\"artifact_Windows_Registry_UserAssist\",strptime(LastExecution,\"%Y-%m-%dT%H:%M:%SZ\") \\\n )", @@ -2078,15 +2123,6 @@ "Client Artifact" ] }, - { - "title": "Windows.Carving.USNFiles", - "description": "The USN journal is an important source of information about when\nfiles were manipulated on a system.", - "link": "/artifact_references/pages/windows.carving.usnfiles", - "type": "client", - "tags": [ - "Client Artifact" - ] - }, { "title": "Windows.Detection.Amcache", "description": "This artifact collects AMCache entries with a SHA1 hash to enable threat\ndetection.", @@ -2674,7 +2710,7 @@ }, { "title": "Windows.Forensics.RDPCache", - "description": "This artifact views and enables simplified upload of RDP \ncache files. ", + "description": "This artifact parses, views and enables simplified upload of RDP \ncache files. ", "link": "/artifact_references/pages/windows.forensics.rdpcache", "type": "client", "tags": [ 
@@ -2780,6 +2816,15 @@ "Server Artifact" ] }, + { + "title": "Windows.KapeFiles.Remapping", + "description": "This artifact automates the rebuilding of remapping rules to be\nable to easily post process the results of the\nWindows.KapeFiles.Targets.", + "link": "/artifact_references/pages/windows.kapefiles.remapping", + "type": "client", + "tags": [ + "Client Artifact" + ] + }, { "title": "Windows.KapeFiles.Targets", "description": "\nKape is a popular bulk collector tool for triaging a system\nquickly. While KAPE itself is not an opensource tool, the logic it\nuses to decide which files to collect is encoded in YAML files\nhosted on the KapeFiles project\n(https://github.com/EricZimmerman/KapeFiles) and released under an\nMIT license.", @@ -2791,7 +2836,7 @@ }, { "title": "Windows.Memory.Acquisition", - "description": "Acquires a full memory image. We download winpmem and use it to\nacquire a full memory image.", + "description": "Acquires a full memory image using the built in WinPmem driver.", "link": "/artifact_references/pages/windows.memory.acquisition", "type": "client", "tags": [ diff --git a/static/kb/data.json b/static/kb/data.json index 2c3cc831aba..8b8baad960f 100644 --- a/static/kb/data.json +++ b/static/kb/data.json @@ -1,4 +1,16 @@ [ + { + "title": "How to manage storage space on the server", + "link": "/knowledge_base/tips/deleting_old_data", + "tags": [ + "configuration", + "deployment" + ], + "author": "scudette", + "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4", + "author_link": "https://github.com/scudette", + "date": "2024-07-19" + }, { "title": "How do I enable password protected VFS downloads?", "link": "/knowledge_base/tips/download_password", 
@@ -346,9 +358,11 @@
 "date": "2022-03-21"
 },
 {
- "title": "How to manage storage space on the server",
- "link": "/knowledge_base/tips/deleting_old_data",
- "tags": [],
+ "title": "Error \"Parameter refers to an unknown artifact\" when collecting a CLIENT artifact",
+ "link": "/knowledge_base/tips/collect_artifact_unknown",
+ "tags": [
+ "vql"
+ ],
 "author": "",
 "author_link": "",
 "author_avatar": "",
diff --git a/static/reference/data.json b/static/reference/data.json
index 2239e3cf76e..b4db236905b 100644
--- a/static/reference/data.json
+++ b/static/reference/data.json
@@ -24,7 +24,14 @@
 "category": "server",
 "metadata": {
 "permissions": "COLLECT_CLIENT"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "add_server_monitoring",
@@ -46,7 +53,14 @@
 "category": "server",
 "metadata": {
 "permissions": "COLLECT_SERVER"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "alert",
@@ -70,6 +84,13 @@
 "type": "Any",
 "description": "If specified we ignore the alert unless the condition is true"
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
@@ -94,6 +115,13 @@
 "description": "Optionally one or more regex can be provided for convenience",
 "repeated": true
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
@@ -108,7 +136,11 @@
 "required": true
 }
 ],
- "category": "windows"
+ "category": "windows",
+ "platforms": [
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "any",
@@ -132,19 +164,40 @@
 "description": "Optionally one or more regex can be provided for convenience",
 "repeated": true
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
 "name": "appcompatcache",
 "description": "Parses the appcompatcache.",
 "type": "Plugin",
- "category": "windows"
+ "category": "windows",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "array",
- "description": "Create an array with all the args.",
+ "description": "Create an array.",
 "type": "Function",
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "artifact_definitions",
@@ -171,7 +224,14 @@
 "category": "server",
 "metadata": {
 "permissions": "READ_RESULTS"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "artifact_delete",
@@ -187,7 +247,14 @@
 "category": "server",
 "metadata": {
 "permissions": "ARTIFACT_WRITER,SERVER_ARTIFACT_WRITER"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "artifact_set",
@@ -208,7 +275,14 @@
 "category": "server",
 "metadata": {
 "permissions": "ARTIFACT_WRITER,SERVER_ARTIFACT_WRITER"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "artifact_set_metadata",
@@ -234,7 +308,14 @@
 ],
 "metadata": {
 "permissions": "ARTIFACT_WRITER,SERVER_ARTIFACT_WRITER"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "atexit",
@@ -245,7 +326,7 @@
 {
 "name": "query",
 "type": "Any",
- "description": "A VQL Query to parse and execute.",
+ "description": "A VQL Query to parse and execute.\n",
 "required": true
 },
 {
@@ -259,7 +340,14 @@
 "description": "How long to wait for destructors to run (default 60 seconds)."
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "atoi",
@@ -273,7 +361,14 @@
 "required": true
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "audit",
@@ -282,7 +377,10 @@
 "category": "linux",
 "metadata": {
 "permissions": "MACHINE_STATE"
- }
+ },
+ "platforms": [
+ "linux_amd64_cgo"
+ ]
 },
 {
 "name": "authenticode",
@@ -309,7 +407,14 @@
 "category": "windows",
 "metadata": {
 "permissions": "MACHINE_STATE"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "backup",
@@ -322,6 +427,13 @@
 "description": "The name of the backup file.",
 "required": true
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
@@ -335,6 +447,13 @@
 "description": "The name of the backup file.",
 "required": true
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
@@ -349,7 +468,14 @@
 "required": true
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "base64encode",
@@ -363,7 +489,14 @@
 "required": true
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "base85decode",
@@ -376,6 +509,13 @@
 "description": "A string to decode",
 "required": true
 }
+ ],
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
 ]
 },
 {
@@ -400,7 +540,14 @@
 "description": "Type of path (e.g. windows, linux)"
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "batch",
@@ -424,7 +571,14 @@
 "required": true
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "cache",
@@ -454,7 +608,14 @@
 "description": "The latest age of the cache."
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "cancel_flow",
@@ -474,7 +635,53 @@
 "category": "server",
 "metadata": {
 "permissions": "COLLECT_SERVER,COLLECT_CLIENT"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
+ },
+ {
+ "name": "carve_usn",
+ "description": "Carve for the USN journal entries from a device.",
+ "type": "Plugin",
+ "version": 2,
+ "args": [
+ {
+ "name": "device",
+ "type": "OSPath",
+ "description": "The device file to open."
+ },
+ {
+ "name": "image_filename",
+ "type": "OSPath",
+ "description": "A raw image to open. You can also provide the accessor if using a raw image file."
+ },
+ {
+ "name": "accessor",
+ "type": "string",
+ "description": "The accessor to use."
+ },
+ {
+ "name": "mft_filename",
+ "type": "OSPath",
+ "description": "A path to a raw $MFT file to use for path resolution."
+ },
+ {
+ "name": "usn_filename",
+ "type": "OSPath",
+ "description": "A path to a raw USN file to carve. If not provided we carve the image file or the device."
+ }
+ ],
+ "metadata": {
+ "permissions": "FILESYSTEM_READ"
+ },
+ "platforms": [
+ "linux_amd64_cgo"
+ ]
 },
 {
 "name": "certificates",
@@ -483,7 +690,11 @@
 "category": "windows",
 "metadata": {
 "permissions": "MACHINE_STATE"
- }
+ },
+ "platforms": [
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "chain",
@@ -496,7 +707,14 @@
 "description": "If specified we run all queries asynchronously and combine the output."
 }
 ],
- "category": "plugin"
+ "category": "plugin",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "cidr_contains",
@@ -517,7 +735,14 @@
 "required": true
 }
 ],
- "category": "server"
+ "category": "server",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "client_create",
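Review bot: The new `carve_usn` entry is tagged `"platforms": ["linux_amd64_cgo"]` while every neighbouring entry in the same hunk carries all five build targets, and a plugin that carves NTFS USN journal entries is unlikely to be Linux-only. The same single-target list appears on the other entries this commit introduces, `link_to` (the hunk at L2031) and `notebook_update` (the hunk at L2035), which suggests the platforms list for new entries was only collected from one build rather than the platform matrix. Since this file looks generated, the fix is to regenerate from all targets rather than hand-edit; otherwise the rendered reference will tell users these plugins are unavailable on Windows and macOS.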
@@ -560,7 +785,14 @@ ], "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "client_delete", @@ -580,12 +812,20 @@ "category": "server", "metadata": { "permissions": "DELETE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "client_info", "description": "Returns client info (like the fqdn) from the datastore.", "type": "Function", + "version": 2, "args": [ { "name": "client_id", @@ -596,7 +836,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "client_metadata", @@ -612,7 +859,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS,SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "client_set_metadata", @@ -633,7 +887,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_CLIENT,SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "clients", @@ -645,16 +906,6 @@ "type": "string", "description": "Client search string. Can have the following prefixes: 'label:', 'host:'" }, - { - "name": "start", - "type": "uint64", - "description": "First client to fetch (0)'" - }, - { - "name": "count", - "type": "uint64", - "description": "Maximum number of clients to fetch (1000)'" - }, { "name": "client_id", "type": "string" 
@@ -663,7 +914,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "clock", @@ -686,7 +944,14 @@ "description": "Wait this many ms between events." } ], - "category": "event" + "category": "event", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "collect", @@ -774,12 +1039,24 @@ "name": "concurrency", "type": "int64", "description": "Number of concurrent collections." + }, + { + "name": "remapping", + "type": "string", + "description": "A Valid remapping configuration in YAML or JSON format." } ], "category": "plugin", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "collect_client", @@ -853,7 +1130,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_CLIENT,COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "column_filter", @@ -879,13 +1163,27 @@ "repeated": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "combine", "description": "Combine the output of several queries into the same result set.A convenience plugin acting like chain(async=TRUE).", "type": "Plugin", - "category": "event" + "category": "event", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "commandline_split", 
@@ -904,7 +1202,14 @@ "description": "Use bash rules (Uses Windows rules by default)." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "compress", @@ -926,7 +1231,14 @@ "category": "server", "metadata": { "permissions": "FILESYSTEM_WRITE,FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "connections", @@ -935,7 +1247,10 @@ "category": "plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "copy", @@ -978,7 +1293,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_WRITE,FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "count", @@ -991,7 +1313,14 @@ "description": "Not used anymore" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "create_flow_download", @@ -1049,7 +1378,14 @@ "category": "server", "metadata": { "permissions": "PREPARE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "create_hunt_download", @@ -1096,7 +1432,14 @@ "category": "server", "metadata": { "permissions": "PREPARE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "create_notebook_download", 
@@ -1117,7 +1460,14 @@ ], "metadata": { "permissions": "PREPARE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "crypto_rc4", @@ -1137,7 +1487,14 @@ "required": true } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "delay", @@ -1161,6 +1518,13 @@ "type": "int64", "description": "Maximum number of rows to buffer (default 1000)." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -1198,7 +1562,14 @@ ], "metadata": { "permissions": "DELETE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "delete_flow", @@ -1222,13 +1593,27 @@ ], "metadata": { "permissions": "DELETE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "dict", "description": "Construct a dict from arbitrary keyword args.", "type": "Function", - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "diff", @@ -1253,7 +1638,14 @@ "description": "Number of seconds between evaluation of the query." } ], - "category": "event" + "category": "event", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "dirname", 
@@ -1277,7 +1669,14 @@ "description": "Type of path (e.g. windows, linux)" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "dns", @@ -1308,7 +1707,14 @@ ], "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "elastic_upload", @@ -1411,7 +1817,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "encode", @@ -1429,7 +1842,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "entropy", @@ -1441,6 +1861,13 @@ "type": "string", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -1454,7 +1881,14 @@ "description": "The items to enumerate" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "enumerate_flow", @@ -1474,7 +1908,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "environ", @@ -1491,7 +1932,14 @@ "category": "basic", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "environ", 
@@ -1505,7 +1953,14 @@ "repeated": true } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "etw_sessions", @@ -1520,7 +1975,10 @@ ], "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_amd64_cgo" + ] }, { "name": "eval", @@ -1533,6 +1991,13 @@ "description": "Lambda function to evaluate e.g. x=>1+1 where x will be the current scope.", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -1571,7 +2036,14 @@ "category": "plugin", "metadata": { "permissions": "EXECVE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "expand", @@ -1588,7 +2060,14 @@ "category": "basic", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "favorites_delete", @@ -1608,7 +2087,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "favorites_save", @@ -1639,7 +2125,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "fifo", @@ -1668,7 +2161,14 @@ "description": "If specified we flush all rows from cache after the call." } ], - "category": "event" + "category": "event", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "file_store", 
@@ -1682,7 +2182,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "file_store_delete", @@ -1699,13 +2206,27 @@ "category": "server", "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "filesystems", "description": "Enumerates mounted filesystems.\n", "type": "Plugin", - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "filter", @@ -1730,7 +2251,14 @@ "description": "A VQL lambda to use to filter elements" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "flatten", @@ -1743,7 +2271,14 @@ "required": true } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "flow_logs", @@ -1765,7 +2300,14 @@ ], "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "flow_results", @@ -1798,7 +2340,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "flows", 
@@ -1818,7 +2367,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "for", @@ -1843,7 +2399,14 @@ "description": "Run this query over the item." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "foreach", @@ -1877,7 +2440,14 @@ "description": "If set we only extract the column from row." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "format", @@ -1896,7 +2466,14 @@ "description": "An array of elements to apply into the format string." } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "gcs_pubsub_publish", @@ -1934,7 +2511,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "generate", @@ -1968,7 +2552,14 @@ "description": "Wait for this many listeners to connect before starting the query" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "geoip", @@ -1989,7 +2580,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "get", 
@@ -2013,7 +2611,14 @@ "type": "Any" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "get_client_monitoring", @@ -2022,7 +2627,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "get_flow", @@ -2041,7 +2653,14 @@ ], "metadata": { "permissions": "COLLECT_CLIENT,COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "get_server_monitoring", @@ -2050,7 +2669,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "getpid", @@ -2059,7 +2685,14 @@ "category": "basic", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "glob", @@ -2103,7 +2736,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "grep", @@ -2164,7 +2804,14 @@ "description": "Extract all captures." } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "gui_users", 
@@ -2177,7 +2824,14 @@ "description": "If set we enumerate permission for all orgs, otherwise just for this org." } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "gunzip", @@ -2190,6 +2844,13 @@ "description": "Data to apply Gunzip", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -2212,7 +2873,10 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_amd64_cgo" + ] }, { "name": "hash", @@ -2241,7 +2905,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "host", @@ -2272,7 +2943,14 @@ ], "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "http_client", @@ -2361,7 +3039,14 @@ "category": "plugin", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "humanize", @@ -2389,7 +3074,14 @@ "description": "Format integer with comma (e.g. 1,230)" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt", @@ -2480,7 +3172,14 @@ "category": "server", "metadata": { "permissions": "START_HUNT,ORG_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt_add", 
@@ -2511,7 +3210,14 @@ "category": "server", "metadata": { "permissions": "START_HUNT" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt_delete", @@ -2530,7 +3236,14 @@ ], "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt_flows", @@ -2562,7 +3275,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt_results", @@ -2600,7 +3320,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunt_update", @@ -2636,7 +3363,14 @@ ], "metadata": { "permissions": "START_HUNT" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "hunts", @@ -2652,7 +3386,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "if", @@ -2673,7 +3414,14 @@ "type": "types.LazyAny" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "if", @@ -2695,7 +3443,14 @@ "type": "StoredQuery" } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "import", 
@@ -2708,6 +3463,13 @@ "description": "The Artifact to import", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -2745,7 +3507,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_SERVER,FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "info", @@ -2754,7 +3523,14 @@ "category": "plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "int", @@ -2767,7 +3543,14 @@ "description": "The integer to round" } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "interfaces", @@ -2776,13 +3559,27 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "inventory", "description": "Retrieve the tools inventory.", "type": "Plugin", - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "inventory_add", @@ -2829,7 +3626,14 @@ "category": "server", "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "inventory_get", 
@@ -2854,7 +3658,14 @@ "category": "server", "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "ip", @@ -2872,7 +3683,14 @@ "description": "A network order IPv4 address (as big endian)." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "items", @@ -2884,7 +3702,14 @@ "type": "Any" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "items", @@ -2897,7 +3722,14 @@ "description": "The item to enumerate." } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "join", @@ -2917,7 +3749,14 @@ "description": "The separator. Defaults to an empty string if not explicitly set" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "js", @@ -2936,7 +3775,14 @@ "description": "If set use this key to cache the JS VM." } ], - "category": "experimental" + "category": "experimental", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "js_call", @@ -2960,7 +3806,14 @@ "description": "If set use this key to cache the JS VM." } ], - "category": "experimental" + "category": "experimental", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "js_get", 
@@ -2979,7 +3832,14 @@ "description": "If set use this key to cache the JS VM." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "js_set", @@ -3004,7 +3864,14 @@ "description": "If set use this key to cache the JS VM." } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "killkillkill", @@ -3020,7 +3887,14 @@ "category": "basic", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "label", @@ -3049,7 +3923,14 @@ "category": "server", "metadata": { "permissions": "LABEL_CLIENT" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "len", @@ -3063,8 +3944,15 @@ "required": true } ], - "category": "basic" - }, + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, { "name": "leveldb", "description": "Enumerate all items in a level db database", 
@@ -3083,7 +3971,62 @@
 ],
 "metadata": {
 "permissions": "FILESYSTEM_READ"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
+ },
+ {
+ "name": "link_to",
+ "description": "Create a url linking to a particular part in the Velociraptor GUI.",
+ "type": "Function",
+ "args": [
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The type of link. Currently one of collection, hunt, artifact, event"
+ },
+ {
+ "name": "client_id",
+ "type": "string"
+ },
+ {
+ "name": "flow_id",
+ "type": "string"
+ },
+ {
+ "name": "tab",
+ "type": "string",
+ "description": "The tab to focus - can be overview, request, results, logs, notebook"
+ },
+ {
+ "name": "text",
+ "type": "string",
+ "description": "If specified we emit a markdown style URL with a text"
+ },
+ {
+ "name": "hunt_id",
+ "type": "string",
+ "description": "The hunt id to read."
+ },
+ {
+ "name": "artifact",
+ "type": "string",
+ "description": "The artifact to retrieve"
+ },
+ {
+ "name": "org",
+ "type": "string",
+ "description": "If set the link accesses a different org. Otherwise we accesses the current org."
+ }
+ ],
+ "platforms": [
+ "linux_amd64_cgo"
+ ]
 },
 {
 "name": "log",
@@ -3113,7 +4056,14 @@
 "description": "Level to log at (DEFAULT, WARN, ERROR, INFO, DEBUG)."
 }
 ],
- "category": "basic"
+ "category": "basic",
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "logging",
@@ -3127,7 +4077,14 @@
 ],
 "metadata": {
 "permissions": "READ_RESULTS"
- }
+ },
+ "platforms": [
+ "darwin_amd64_cgo",
+ "darwin_arm64_cgo",
+ "linux_amd64_cgo",
+ "windows_386_cgo",
+ "windows_amd64_cgo"
+ ]
 },
 {
 "name": "logscale_upload",
@@ -3203,6 +4160,13 @@ "type": "bool", "description": "Enable verbose logging." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -3217,7 +4181,12 @@ "required": true } ], - "category": "windows" + "category": "windows", + "platforms": [ + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "lowcase", @@ -3231,7 +4200,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "lru", @@ -3243,6 +4219,13 @@ "type": "int64", "description": "Size of the LRU (default 1000)" } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -3256,6 +4239,13 @@ "description": "The lzxpress stream (bytes)", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -3289,7 +4279,13 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mail", @@ -3363,7 +4359,14 @@ ], "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mail", @@ -3435,7 +4438,14 @@ "description": "As a better alternative to disable_ssl_security, allows root ca certs to be added here." } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "max", 
@@ -3448,7 +4458,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "memoize", @@ -3478,7 +4495,14 @@ "description": "The name of this cache." } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "min", @@ -3491,7 +4515,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mock", @@ -3520,7 +4551,14 @@ "required": true } ], - "category": "utils" + "category": "utils", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mock_check", @@ -3548,12 +4586,26 @@ "description": "This call will clear previous mocks for this plugin" } ], - "category": "utils" + "category": "utils", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mock_clear", "description": "Resets all mocks.", - "type": "Function" + "type": "Function", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "mock_replay", @@ -3580,6 +4632,13 @@ "type": "bool", "description": "This call will clear previous mocks for this plugin" } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -3597,7 +4656,11 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "monitoring", 
@@ -3645,7 +4708,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "monitoring_logs", @@ -3682,7 +4752,14 @@ ], "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "netcat", @@ -3724,7 +4801,14 @@ "category": "plugin", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "netstat", @@ -3733,7 +4817,13 @@ "category": "plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "notebook_create", @@ -3775,7 +4865,14 @@ ], "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "notebook_delete", @@ -3795,7 +4892,14 @@ "category": "server", "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "notebook_export", @@ -3821,7 +4925,14 @@ ], "metadata": { "permissions": "PREPARE_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "notebook_get", 
@@ -3833,11 +4944,68 @@ "type": "string", "description": "The id of the notebook to fetch", "required": true + }, + { + "name": "verbose", + "type": "bool", + "description": "Include more information" } ], "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "notebook_update", + "description": "Update a notebook metadata.", + "type": "Function", + "args": [ + { + "name": "notebook_id", + "type": "string", + "description": "The id of the notebook to update", + "required": true + }, + { + "name": "description", + "type": "string", + "description": "The description of the notebook" + }, + { + "name": "collaborators", + "type": "string", + "description": "A list of users to share the notebook with.", + "repeated": true + }, + { + "name": "public", + "type": "bool", + "description": "If set the notebook will be public." + }, + { + "name": "attachment", + "type": "string", + "description": "Raw data of an attachment to be added to the notebook" + }, + { + "name": "attachment_filename", + "type": "string", + "description": "The name of the attachment" + } + ], + "metadata": { + "permissions": "COLLECT_SERVER" + }, + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "notebook_update_cell", @@ -3874,7 +5042,14 @@ ], "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "now", @@ -3888,7 +5063,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "olevba", 
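Review bot: The new `notebook_update` entry lists `"platforms": ["linux_amd64_cgo"]` only, while `notebook_get` and `notebook_update_cell` in the same hunk list all five platforms; the same single-platform list appears on the new `similarity` entry (hunk `@@ -6049,12 +7950,48 @@`) and on `parse_auditd` (hunk `@@ -4078,7 +5309,10 @@`). Since this reference appears to be generated from per-platform builds, that more likely means these entries were only picked up from the Linux build than that they are genuinely Linux-only, and the rendered platform table would then understate their availability; worth regenerating from all builds or confirming the restriction upstream. Minor wording on the new entry: `"description": "Update a notebook's metadata."`.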
@@ -3916,12 +5098,26 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "org", "description": "Return the details of the current org.", - "type": "Function" + "type": "Function", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "org_create", @@ -3942,7 +5138,14 @@ ], "metadata": { "permissions": "ORG_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "org_delete", @@ -3963,12 +5166,26 @@ ], "metadata": { "permissions": "ORG_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "orgs", "description": "Retrieve the list of orgs on this server.", - "type": "Plugin" + "type": "Plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "panic", @@ -3976,7 +5193,14 @@ "type": "Plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parallelize", @@ -4053,7 +5277,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_auditd", @@ -4078,7 +5309,10 @@ "description": "Maximum size of line buffer." } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "parse_binary", 
@@ -4116,7 +5350,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_csv", @@ -4160,7 +5401,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_ese", @@ -4187,7 +5435,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_ese_catalog", @@ -4208,7 +5463,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_evtx", @@ -4241,7 +5503,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_float", 
@@ -4255,7 +5524,48 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "parse_journald", + "description": "Parse a journald file.", + "type": "Plugin", + "args": [ + { + "name": "filename", + "type": "OSPath", + "description": "A list of journal log files to parse.", + "repeated": true, + "required": true + }, + { + "name": "accessor", + "type": "string", + "description": "The accessor to use." + }, + { + "name": "raw", + "type": "bool", + "description": "Emit raw events (no parsed)." + } + ], + "metadata": { + "permissions": "FILESYSTEM_READ" + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_json", @@ -4269,7 +5579,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_json_array", @@ -4283,7 +5600,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_json_array", @@ -4297,7 +5621,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_jsonl", @@ -4319,7 +5650,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_lines", 
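Review bot: The new `parse_journald` entry has no `"category"` key, whereas the adjacent `parse_float` and `parse_json` entries in this hunk carry `"category": "parsers"`; if the docs site groups entries by category, this plugin would not appear on the parsers page. Proposed addition after the `"metadata"` block: `"category": "parsers",`. The `raw` argument text `"Emit raw events (no parsed)."` reads better as `"Emit raw events (not parsed)."`. If the file is regenerated from the Velociraptor source, both fixes belong in the plugin's Go docstring upstream.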
@@ -4347,7 +5685,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_mft", @@ -4380,7 +5725,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_ntfs", @@ -4397,6 +5749,11 @@ "type": "OSPath", "description": "A raw image to open. You can also provide the accessor if using a raw image file." }, + { + "name": "mft_filename", + "type": "OSPath", + "description": "A path to a raw $MFT file to parse." + }, { "name": "accessor", "type": "string", @@ -4418,7 +5775,14 @@ "description": "The offset to the MFT entry to parse." } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_ntfs_i30", @@ -4435,6 +5799,11 @@ "type": "OSPath", "description": "A raw image to open. You can also provide the accessor if using a raw image file." }, + { + "name": "mft_filename", + "type": "OSPath", + "description": "A path to a raw $MFT file to parse." + }, { "name": "accessor", "type": "string", @@ -4456,7 +5825,14 @@ "description": "The offset to the MFT entry to parse." } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_ntfs_ranges", @@ -4473,6 +5849,11 @@ "type": "OSPath", "description": "A raw image to open. You can also provide the accessor if using a raw image file." }, + { + "name": "mft_filename", + "type": "OSPath", + "description": "A path to a raw $MFT file to parse." + }, { "name": "accessor", "type": "string", 
@@ -4494,7 +5875,14 @@ "description": "The offset to the MFT entry to parse." } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_pe", @@ -4521,7 +5909,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_pkcs7", @@ -4535,7 +5930,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_records_with_regex", @@ -4570,7 +5972,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_recyclebin", @@ -4593,7 +6002,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_string_with_regex", 
@@ -4614,31 +6030,68 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_usn", - "description": "Parse the USN journal from a device.", + "description": "Parse the USN journal from a device, image file or USN file.", "type": "Plugin", + "version": 2, "args": [ { "name": "device", "type": "OSPath", - "description": "The device file to open.", - "required": true + "description": "The device file to open." + }, + { + "name": "image_filename", + "type": "OSPath", + "description": "A raw image to open. You can also provide the accessor if using a raw image file." }, { "name": "accessor", "type": "string", "description": "The accessor to use." }, + { + "name": "mft_filename", + "type": "OSPath", + "description": "A path to a raw $MFT file to use for path resolution." + }, + { + "name": "usn_filename", + "type": "OSPath", + "description": "A path to a raw USN file to parse. If not provided we extract it from the Device or Image file." + }, { "name": "start_offset", "type": "int64", "description": "The starting offset of the first USN record to parse." + }, + { + "name": "fast_paths", + "type": "bool", + "description": "If set we resolve full paths using faster but less accurate algorithm." } ], - "category": "parsers" + "category": "parsers", + "metadata": { + "permissions": "FILESYSTEM_READ" + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_x509", @@ -4652,7 +6105,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_xml", 
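Review bot: In the `parse_usn` hunk the `device` argument loses `"required": true` and the new `image_filename` and `usn_filename` arguments are optional as well, so the reference now marks no argument as required even though the plugin needs one of the three to have anything to parse. Suggest saying so in the description: `"description": "Parse the USN journal from a device, image file or USN file. One of device, image_filename or usn_filename must be provided."`. The `"version": 2` bump is appropriate given the relaxed contract, but any consumer of this JSON that validates calls from `required` will no longer reject a call with none of the three.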
@@ -4674,7 +6134,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "parse_yaml", @@ -4696,13 +6163,27 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "partitions", "description": "List all partitions", "type": "Plugin", - "category": "windows" + "category": "windows", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "passwd", @@ -4720,6 +6201,13 @@ "description": "The new password to set.", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -4744,7 +6232,14 @@ "description": "A merge-patch to apply" } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "path_join", @@ -4769,7 +6264,14 @@ "description": "Type of path (e.g. 'windows')" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "path_split", @@ -4788,7 +6290,14 @@ "description": "Type of path (e.g. 'windows')" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pathspec", 
@@ -4827,7 +6336,14 @@ "description": "The accessor to use to parse the path with" } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pe_dump", @@ -4854,7 +6370,14 @@ ], "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pipe", @@ -4877,7 +6400,14 @@ "description": "The separator that will be used to split each read (default: no separator will be used)" } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pk_decrypt", @@ -4905,6 +6435,13 @@ "type": "string", "description": "Encryption scheme to use. Defaults to RSA. Currently supported: PGP,RSA" } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -4936,7 +6473,14 @@ ], "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "plist", @@ -4958,7 +6502,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "plist", @@ -4981,7 +6532,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "prefetch", 
@@ -5004,7 +6562,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "proc_dump", @@ -5021,7 +6586,11 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "proc_yara", @@ -5069,7 +6638,13 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "process_tracker", @@ -5102,12 +6677,26 @@ "description": "One or more VQL lambda functions that can enrich the data for the process.", "repeated": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { "name": "process_tracker_all", "description": "Get all processes stored in the tracker.", - "type": "Function" + "type": "Function", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "process_tracker_callchain", @@ -5120,6 +6709,13 @@ "description": "Process ID.", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -5133,6 +6729,13 @@ "description": "Process ID.", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { 
@@ -5146,12 +6749,26 @@ "description": "Process ID.", "required": true } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { "name": "process_tracker_pslist", "description": "List all processes from the process tracker.", - "type": "Plugin" + "type": "Plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "process_tracker_tree", @@ -5168,12 +6785,26 @@ "type": "Lambda", "description": "A VQL Lambda function to that receives a ProcessEntry and returns the data node for each process." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { "name": "process_tracker_updates", "description": "Get the process tracker update events from the global process tracker.", - "type": "Plugin" + "type": "Plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "profile", @@ -5249,15 +6880,36 @@ "category": "plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "profile_goroutines", "description": "Enumerates all running goroutines.", "type": "Plugin", + "args": [ + { + "name": "verbose", + "type": "bool", + "description": "Emit information in verbose form." + } + ], "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "profile_memory", 
@@ -5265,7 +6917,14 @@ "type": "Plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pskill", @@ -5281,7 +6940,14 @@ ], "metadata": { "permissions": "EXECVE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "pslist", @@ -5297,7 +6963,14 @@ "category": "plugin", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "query", @@ -5328,6 +7001,12 @@ "type": "ordereddict.Dict", "description": "A dict of args to insert into the scope." }, + { + "name": "copy_env", + "type": "string", + "description": "A list of variables in the current scope that will be copied into the new scope.", + "repeated": true + }, { "name": "cpu_limit", "type": "float64", @@ -5366,7 +7045,14 @@ ], "metadata": { "permissions": "IMPERSONATION" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rand", @@ -5379,7 +7065,14 @@ "description": "Selects a random number up to this range." } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "range", @@ -5403,7 +7096,14 @@ "description": "Step (default 1)" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rate", 
@@ -5423,7 +7123,14 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "read_crypto_file", @@ -5444,7 +7151,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "read_file", @@ -5476,7 +7190,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "read_file", @@ -5509,7 +7230,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "read_reg_key", @@ -5533,7 +7261,14 @@ "description": "The root directory to glob from (default '/')." } ], - "category": "windows" + "category": "windows", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "reg_rm_key", @@ -5547,7 +7282,11 @@ "required": true } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "reg_rm_value", @@ -5561,7 +7300,11 @@ "required": true } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "reg_set_value", @@ -5592,7 +7335,11 @@ "description": "Set to create missing intermediate keys" } ], - "category": "plugin" + "category": "plugin", + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "regex_replace", 
@@ -5622,7 +7369,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "regex_transform", @@ -5647,7 +7401,14 @@ "description": "A key for caching" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rekey", @@ -5662,7 +7423,14 @@ ], "metadata": { "permissions": "EXECVE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "relpath", @@ -5687,7 +7455,14 @@ "description": "Separator to use (default native)" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "remap", @@ -5711,6 +7486,13 @@ "type": "bool", "description": "If set we clear all accessors from the device manager" } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { @@ -5759,7 +7541,14 @@ ], "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rm", @@ -5776,7 +7565,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rm_client_monitoring", 
@@ -5798,7 +7594,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_CLIENT" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rm_server_monitoring", @@ -5815,7 +7618,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "rot13", @@ -5827,7 +7637,14 @@ "type": "string" } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sample", @@ -5847,19 +7664,40 @@ "required": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "scope", "description": "return the scope.", "type": "Function", - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "scope", "description": "The scope plugin returns the current scope as a single row.", "type": "Plugin", - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "send_event", @@ -5882,7 +7720,14 @@ "category": "event", "metadata": { "permissions": "SERVER_ADMIN,PUBLISH" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sequence", 
@@ -5901,7 +7746,14 @@ "description": "Maximum number of seconds to hold rows in the sequence." } ], - "category": "experimental" + "category": "experimental", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "serialize", @@ -5920,7 +7772,14 @@ "description": "Encoding format (csv,json,yaml,hex,base64)" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "server_frontend_cert", @@ -5928,7 +7787,14 @@ "type": "Function", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "server_metadata", @@ -5937,7 +7803,14 @@ "category": "server", "metadata": { "permissions": "SERVER_ADMIN" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "server_set_metadata", @@ -5950,7 +7823,14 @@ "description": "A dict containing metadata. If not specified we use kwargs." } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "set", @@ -5975,7 +7855,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "set_client_monitoring", @@ -5992,7 +7879,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_CLIENT" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "set_server_monitoring", 
@@ -6009,7 +7903,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sigma", @@ -6049,12 +7950,48 @@ "type": "Lambda", "description": "If specified we use this callback to determine a details column if the sigma rule does not specify it." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { "name": "sigma_log_sources", "description": "Constructs a Log sources object to be used in sigma rules. Call with args being category/product/service and values being stored queries. You may use a * as a placeholder for any of these fields.", - "type": "Function" + "type": "Function", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "similarity", + "description": "Compare two Dicts for similarity.", + "type": "Function", + "args": [ + { + "name": "set1", + "type": "ordereddict.Dict", + "description": "The first set to compare.", + "required": true + }, + { + "name": "set2", + "type": "ordereddict.Dict", + "description": "The second set to compare.", + "required": true + } + ], + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "sleep", @@ -6072,7 +8009,14 @@ "description": "The number of ms to sleep" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "slice", @@ -6098,7 +8042,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "source", 
@@ -6180,7 +8131,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "split", @@ -6204,7 +8162,14 @@ "description": "The separator as string that will be used to split" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "split_records", @@ -6258,7 +8223,14 @@ "category": "parsers", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "splunk_upload", @@ -6290,18 +8262,18 @@ { "name": "index", "type": "string", - "description": "The name of the index to upload to.", + "description": "The name of the index to upload to. If not specified, ensure a column is named _splunk_index.", "required": true }, { "name": "source", "type": "string", - "description": "The source field for splunk. If not specified this will be 'velociraptor'." + "description": "The source field for splunk. If not specified ensure a column is named _splunk_source or this will be 'velociraptor'." }, { "name": "sourcetype", "type": "string", - "description": "The sourcetype field for splunk. If not specified this will 'vql'" + "description": "The sourcetype field for splunk. If not specified ensure a column is named _splunk_source_type or this will 'vql'" }, { "name": "chunk_size", @@ -6347,7 +8319,14 @@ "category": "server", "metadata": { "permissions": "COLLECT_SERVER" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sql", 
@@ -6388,7 +8367,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sqlite", @@ -6415,7 +8401,14 @@ "type": "Any" } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "srum_lookup_id", @@ -6438,7 +8431,14 @@ "required": true } ], - "category": "windows" + "category": "windows", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "starl", @@ -6462,7 +8462,14 @@ "description": "Dictionary of values to feed into Starlark environment" } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "stat", @@ -6483,7 +8490,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "stat", @@ -6506,7 +8520,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "str", @@ -6520,7 +8541,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "strip", 
@@ -6544,7 +8572,14 @@ "description": "The suffix to strip" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "substr", @@ -6568,7 +8603,14 @@ "description": "End index of substring" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sum", @@ -6581,13 +8623,27 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "switch", "description": "Conditional execution of multiple queries in order", "type": "Plugin", - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "sysinfo", @@ -6595,7 +8651,10 @@ "type": "Function", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "tempdir", @@ -6611,7 +8670,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "tempfile", 
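Review bot: The `platforms` list for sysinfo contains only `linux_amd64_cgo`, whereas every other cross-platform entry in this hunk (strip, substr, sum, switch, tempdir) lists all five targets; sysinfo is a MACHINE_STATE function with no Linux-specific argument, so this looks like the export for the other platform builds was taken from an older binary rather than a real platform restriction. The same single-platform pattern appears for similarity, timestamp_format, timeline_delete, timelines, user_options and yara_lint elsewhere in the patch. If the reference site renders `platforms` as an availability badge, users will be told these functions do not exist on Windows or macOS; it is worth regenerating from matching builds before publishing.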
@@ -6643,7 +8709,33 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "threads", + "description": "Enumerate threads in a process.", + "type": "Plugin", + "args": [ + { + "name": "pid", + "type": "int64", + "description": "The PID to get the thread for.", + "required": true + } + ], + "metadata": { + "permissions": "MACHINE_STATE" + }, + "platforms": [ + "windows_amd64_cgo" + ] }, { "name": "timeline", @@ -6656,6 +8748,12 @@ "description": "Name of the timeline to read", "required": true }, + { + "name": "components", + "type": "string", + "description": "List of child components to include", + "repeated": true + }, { "name": "skip", "type": "string", @@ -6676,7 +8774,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "timeline_add", @@ -6686,13 +8791,13 @@ { "name": "timeline", "type": "string", - "description": "Supertimeline to add to", + "description": "Supertimeline to add to. If a super timeline does not exist, creates a new one.", "required": true }, { "name": "name", "type": "string", - "description": "Name of child timeline", + "description": "Name/Id of child timeline to add.", "required": true }, { @@ -6704,9 +8809,19 @@ { "name": "key", "type": "string", - "description": "The column representing the time.", + "description": "The column representing the time to key off.", "required": true }, + { + "name": "message_column", + "type": "string", + "description": "The column representing the message." + }, + { + "name": "ts_desc_column", + "type": "string", + "description": "The column representing the timestamp description." + }, { "name": "notebook_id", "type": "string", 
@@ -6716,12 +8831,62 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "timeline_delete", + "description": "Delete a super timeline.", + "type": "Function", + "args": [ + { + "name": "timeline", + "type": "string", + "description": "Supertimeline to add to. If a super timeline does not exist, creates a new one.", + "required": true + }, + { + "name": "notebook_id", + "type": "string", + "description": "The notebook ID the timeline is stored in." + } + ], + "metadata": { + "permissions": "NOTEBOOK_EDITOR" + }, + "platforms": [ + "linux_amd64_cgo" + ] + }, + { + "name": "timelines", + "description": "List all timelines in a notebook", + "type": "Plugin", + "args": [ + { + "name": "notebook_id", + "type": "string", + "description": "The notebook ID the timeline is stored in." + } + ], + "metadata": { + "permissions": "READ_RESULTS" + }, + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "timestamp", "description": "Convert from different types to a time.Time.", "type": "Function", + "version": 2, "args": [ { "name": "epoch", 
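Review bot: The `timeline` argument of the new timeline_delete function carries the description copied from timeline_add, "Supertimeline to add to. If a super timeline does not exist, creates a new one.", which is wrong for a destructive operation and would mislead anyone reading the reference; it should read `"description": "Supertimeline to delete."`. It would also help to state in the function description whether the delete is scoped to the notebook given by `notebook_id` and what happens when that argument is omitted, since the plugin requires NOTEBOOK_EDITOR and a wrong default could remove a timeline from the wrong notebook. As the file is presumably generated, the correction belongs in the Go source's arg struct tags.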
@@ -6746,17 +8911,41 @@ "description": "Guess a timestamp from a string" }, { - "name": "timezone", + "name": "format", "type": "string", - "description": "A default timezone (UTC)" + "description": "A format specifier as per the Golang time.Parse" + } + ], + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "timestamp_format", + "description": "Format a timestamp into a string.", + "type": "Function", + "version": 1, + "args": [ + { + "name": "time", + "type": "Any", + "description": "Time to format", + "required": true }, { "name": "format", "type": "string", - "description": "A format specifier as per the Golang time.Parse" + "description": "A format specifier as per the Golang time.Format. Additionally any constants specified in https://pkg.go.dev/time#pkg-constants can be used." } ], - "category": "basic" + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "tlsh_hash", @@ -6777,7 +8966,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "to_dict", @@ -6789,7 +8985,14 @@ "type": "Any" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "token", @@ -6806,13 +9009,23 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_amd64_cgo" + ] }, { "name": "trace", "description": "Upload a trace file.", "type": "Function", - "version": 1 + "version": 1, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "unhex", 
@@ -6825,7 +9038,14 @@ "description": "Hex string to decode" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "unzip", @@ -6863,7 +9083,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_WRITE,FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upcase", @@ -6877,7 +9104,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload", @@ -6924,7 +9158,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload", @@ -6981,7 +9222,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_directory", @@ -7034,7 +9282,14 @@ "category": "server", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_gcs", @@ -7079,7 +9334,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_s3", 
@@ -7163,7 +9425,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_sftp", @@ -7218,7 +9487,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_smb", @@ -7260,7 +9536,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "upload_webdav", @@ -7318,7 +9601,14 @@ "category": "basic", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "uploads", @@ -7349,7 +9639,14 @@ "category": "server", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "url", @@ -7387,7 +9684,14 @@ "description": "A url to parse" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "user", @@ -7405,6 +9709,13 @@ "type": "string", "description": "The org under which we query the user's ACL." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" ] }, { 
@@ -7437,7 +9748,14 @@ "repeated": true } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "user_delete", @@ -7462,7 +9780,14 @@ "description": "If not specified, just show what user will be removed" } ], - "category": "server" + "category": "server", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "user_grant", 
@@ -7492,13 +9817,70 @@ "type": "ordereddict.Dict", "description": "A dict of permissions to set (e.g. as obtained from the gui_users() function)." } + ], + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "user_options", + "description": "Update and read the user GUI options", + "type": "Function", + "args": [ + { + "name": "user", + "type": "string", + "description": "The user to create or update.", + "required": true + }, + { + "name": "theme", + "type": "string", + "description": "Set the user's theme." + }, + { + "name": "timezone", + "type": "string", + "description": "Set the user's timezone." + }, + { + "name": "lang", + "type": "string", + "description": "Set the user's language." + }, + { + "name": "org", + "type": "string", + "description": "Set the user's default org id." + }, + { + "name": "links", + "type": "StoredQuery", + "description": "Set the user's default links. This should be a list of dicts with columns: type, text, url, icon_url, new_tab, encode, parameter, method, disabled." + }, + { + "name": "default_password", + "type": "string", + "description": "Set the user's default password for Zip Exports." + } + ], + "platforms": [ + "linux_amd64_cgo" ] }, { "name": "users", "description": "Display information about workstation local users. This is obtained through the NetUserEnum() API.", "type": "Plugin", - "category": "windows" + "category": "windows", + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "utf16", @@ -7512,7 +9894,14 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "utf16_encode", 
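Review bot: The `user` argument of the new user_options function is described as "The user to create or update.", which appears to be pasted from user_create; user_options neither creates users nor (per its own description) does anything but read and update GUI options, so it should say `"description": "The user whose GUI options are read or updated."`. The `default_password` option is a secret that ends up in the user's stored options, so the description should say whether it is stored and how it is used — something along the lines of `"Set the user's default password for Zip exports (stored with the user's GUI options)."` — and the function description should note which permission is required to change another user's options, as no `metadata.permissions` block is present here unlike user_grant and user_delete.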
@@ -7526,13 +9915,27 @@ "required": true } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "uuid", "description": "Generate a UUID.", "type": "Function", - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "vad", @@ -7546,7 +9949,12 @@ "required": true } ], - "category": "windows" + "category": "windows", + "platforms": [ + "darwin_arm64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "version", @@ -7562,7 +9970,14 @@ "type": "string" } ], - "category": "basic" + "category": "basic", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "vfs_ls", @@ -7594,7 +10009,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_auditd", @@ -7619,7 +10041,10 @@ "description": "Maximum size of line buffer." } ], - "category": "event" + "category": "event", + "platforms": [ + "linux_amd64_cgo" + ] }, { "name": "watch_csv", @@ -7663,7 +10088,14 @@ "category": "event", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_etw", 
@@ -7705,9 +10137,28 @@ "name": "timeout", "type": "uint64", "description": "If provided we stop after this much time" + }, + { + "name": "capture_state", + "type": "bool", + "description": "If true, capture the state of the provider when the event is triggered" + }, + { + "name": "enable_map_info", + "type": "bool", + "description": "Resolving MapInfo with TdhGetEventMapInformation is very expensive and causes events to be dropped so we disabled it by default. Enable with this flag." + }, + { + "name": "description", + "type": "string", + "description": "Description for this GUID provider" } ], - "category": "event" + "category": "event", + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_evtx", @@ -7740,7 +10191,48 @@ "category": "event", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "watch_journald", + "description": "Watch a journald file and stream events from it. ", + "type": "Plugin", + "args": [ + { + "name": "filename", + "type": "OSPath", + "description": "A list of journal log files to parse.", + "repeated": true, + "required": true + }, + { + "name": "accessor", + "type": "string", + "description": "The accessor to use." + }, + { + "name": "raw", + "type": "bool", + "description": "Emit raw events (no parsed)." + } + ], + "metadata": { + "permissions": "FILESYSTEM_READ" + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_jsonl", @@ -7767,7 +10259,14 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_monitoring", 
@@ -7784,7 +10283,14 @@ "category": "event", "metadata": { "permissions": "READ_RESULTS" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_syslog", @@ -7812,7 +10318,14 @@ "category": "event", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "watch_usn", @@ -7826,13 +10339,27 @@ "required": true } ], - "category": "event" + "category": "event", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "whoami", "description": "Returns the username that is running the query.", "type": "Function", - "category": "plugin" + "category": "plugin", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "winobj", @@ -7848,7 +10375,38 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_amd64_cgo" + ] + }, + { + "name": "winpmem", + "description": "Uses the `winpmem` driver to take a memory image.", + "type": "Function", + "args": [ + { + "name": "service", + "type": "string", + "description": "The name of the driver service to install." + }, + { + "name": "image_path", + "type": "string", + "description": "If specified we write a physical memory image on this path." + }, + { + "name": "compression", + "type": "string", + "description": "When writing a memory image use this compression (default none) can be none, s2, snappy, gzip." + } + ], + "metadata": { + "permissions": "MACHINE_STATE" + }, + "platforms": [ + "windows_amd64_cgo" + ] }, { "name": "wmi", 
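Review bot: The new winpmem entry declares only `"permissions": "MACHINE_STATE"` even though `image_path` makes it write a physical memory image to an arbitrary path on the endpoint, whereas every other writing function in this file (tempdir, tempfile, write_csv, write_jsonl, write_crypto_file) declares FILESYSTEM_WRITE; if the permissions list mirrors what the server enforces, this is a gap, and if it is documentation only, it still understates what the function does. Consider `"permissions": "MACHINE_STATE,FILESYSTEM_WRITE"`, matching the comma-separated form used by unzip. The `service` argument also installs a kernel driver service, so the description should say whether the service is removed after imaging or left installed, which is the kind of footprint detail an IR operator needs before running it on a host of interest.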
@@ -7870,7 +10428,11 @@ "category": "windows", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "wmi_events", @@ -7899,7 +10461,11 @@ "category": "event", "metadata": { "permissions": "MACHINE_STATE" - } + }, + "platforms": [ + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "write_crypto_file", @@ -7936,7 +10502,14 @@ ], "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "write_csv", @@ -7964,7 +10537,14 @@ "category": "plugin", "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "write_jsonl", @@ -7996,7 +10576,14 @@ ], "metadata": { "permissions": "FILESYSTEM_WRITE" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "xattr", @@ -8023,7 +10610,11 @@ ], "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo" + ] }, { "name": "xor", @@ -8043,7 +10634,14 @@ "required": true } ], - "category": "parsers" + "category": "parsers", + "platforms": [ + "darwin_amd64_cgo", + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] }, { "name": "yara", 
@@ -8108,9 +10706,36 @@ "description": "The Yara variables to use." } ], - "category": "plugin", "metadata": { "permissions": "FILESYSTEM_READ" - } + }, + "platforms": [ + "darwin_arm64_cgo", + "linux_amd64_cgo", + "windows_386_cgo", + "windows_amd64_cgo" + ] + }, + { + "name": "yara_lint", + "description": "Clean a set of yara rules. This removed invalid or unsupported rules.", + "type": "Function", + "args": [ + { + "name": "rules", + "type": "string", + "description": "A string containing Yara Rules.", + "required": true + }, + { + "name": "clean", + "type": "bool", + "description": "Remove metadata to make rules smaller." + } + ], + "platforms": [ + "darwin_arm64_cgo", + "linux_amd64_cgo" + ] } ] \ No newline at end of file
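Review bot: The yara_lint description has a tense slip, "This removed invalid or unsupported rules.", and should read `"Clean a set of yara rules. This removes invalid or unsupported rules."`. The `clean` argument description, "Remove metadata to make rules smaller.", would be clearer if it said that stripping metadata is lossy (rule metadata such as author or reference strings is discarded), since callers who later surface matches will lose that context. The `platforms` lists for both yara (missing darwin_amd64_cgo) and yara_lint (only darwin_arm64_cgo and linux_amd64_cgo) look like artefacts of generating from mismatched builds rather than real availability, and are worth rechecking before publishing.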