Windows Collections
Windows Evidence List
| # | Evidence | Category | Parsed | Sent to the Investigation Hub | Raw Files Collected |
|---|---|---|---|---|---|
| 1 | $Boot | DiskFilesystem | No | Yes | Yes |
| 2 | $Log File | DiskFilesystem | No | Yes | Yes |
| 3 | $Secure:$SDS | DiskFilesystem | No | Yes | Yes |
| 4 | $TxfLog $Tops:$T | DiskFilesystem | No | Yes | Yes |
| 5 | ARP Table | Network | Yes | Yes | No |
| 6 | AVG Logs | Applications | No | No | Yes |
| 7 | Action1 RMM Logs | Applications | No | No | Yes |
| 8 | Active Directory Logs | Applications | No | No | Yes |
| 9 | AmCache | System | Yes | Yes | Yes |
| 10 | AmmyAdmin Logs | Applications | No | No | Yes |
| 11 | Antivirus Information | System | Yes | Yes | No |
| 12 | AnyDesk Logs | Applications | No | No | Yes |
| 13 | Apache Logs | Applications | No | No | Yes |
| 14 | AppCompatCache | System | Yes | Yes | No |
| 15 | AppPaths | System | Yes | Yes | No |
| 16 | Avast Logs | Applications | No | No | Yes |
| 17 | Avira Logs | Applications | No | No | Yes |
| 18 | Bitdefender Logs | Applications | No | No | Yes |
| 19 | Brave Bookmarks | Applications | Yes | Yes | No |
| 20 | Brave Browsing History | Applications | Yes | Yes | No |
| 21 | Brave Cookies | Applications | Yes | Yes | No |
| 22 | Brave Downloads | Applications | Yes | Yes | No |
| 23 | Brave Extensions | Applications | Yes | Yes | No |
| 24 | Brave Favicons | Applications | Yes | Yes | No |
| 25 | Brave Form History | Applications | Yes | Yes | No |
| 26 | Brave Local Storage | Applications | Yes | Yes | No |
| 27 | Brave Login Data | Applications | Yes | Yes | No |
| 28 | Brave Sessions | Applications | Yes | Yes | No |
| 29 | Brave Thumbnails | Applications | Yes | Yes | No |
| 30 | Brave User Profiles | Applications | Yes | Yes | No |
| 31 | Brave Web Storage | Applications | Yes | Yes | No |
| 32 | CIDSizeMRU | System | Yes | Yes | No |
| 33 | CLR | System | No | Yes | Yes |
| 34 | Carbon Black Logs | Applications | No | No | Yes |
| 35 | Chrome Bookmarks | Applications | Yes | Yes | No |
| 36 | Chrome Browsing History | Applications | Yes | Yes | No |
| 37 | Chrome Cookies | Applications | Yes | Yes | No |
| 38 | Chrome Downloads | Applications | Yes | Yes | No |
| 39 | Chrome Extensions | Applications | Yes | Yes | No |
| 40 | Chrome Favicons | Applications | Yes | Yes | No |
| 41 | Chrome Form History | Applications | Yes | Yes | No |
| 42 | Chrome Local Storage | Applications | Yes | Yes | No |
| 43 | Chrome Login Data | Applications | Yes | Yes | No |
| 44 | Chrome Sessions | Applications | Yes | Yes | No |
| 45 | Chrome Thumbnails | Applications | Yes | Yes | No |
| 46 | Chrome User Profiles | Applications | Yes | Yes | No |
| 47 | Chrome Web Storage | Applications | Yes | Yes | No |
| 48 | Cisco AMP Logs | Applications | No | No | Yes |
| 49 | Collect LNK Files | System | Yes | Yes | Yes |
| 50 | Collect SRUM Database Files | System | No | No | Yes |
| 51 | ComboFix | Applications | No | No | Yes |
| 52 | Cortana History | Applications | No | No | Yes |
| 53 | Crash Dump Information | System | Yes | Yes | No |
| 54 | Cybereason Logs | Applications | No | No | Yes |
| 55 | Cylance Logs | Applications | No | No | Yes |
| 56 | DHCP Server Logs | Applications | No | No | Yes |
| 57 | DNS Cache | Network | Yes | Yes | No |
| 58 | DNS Server Logs | Applications | No | No | Yes |
| 59 | DNS Servers | Network | Yes | Yes | No |
| 60 | Deep Instinct Logs | Applications | No | No | Yes |
| 61 | Default Browser | Applications | Yes | Yes | No |
| 62 | Discord Desktop Cache | Applications | No | No | Yes |
| 63 | Docker Changes | Applications | Yes | Yes | No |
| 64 | Docker Container Logs | Applications | Yes | Yes | No |
| 65 | Docker Containers | Applications | Yes | Yes | No |
| 66 | Docker Image History | Applications | Yes | Yes | No |
| 67 | Docker Images | Applications | Yes | Yes | No |
| 68 | Docker Info | Applications | Yes | Yes | No |
| 69 | Docker Networks | Applications | Yes | Yes | No |
| 70 | Docker Processes | Applications | Yes | Yes | No |
| 71 | Docker Volumes | Applications | Yes | Yes | No |
| 72 | Downloaded Files Information | System | Yes | Yes | No |
| 73 | Driver Objects | System | Yes | Yes | No |
| 74 | Drivers List | System | Yes | Yes | No |
| 75 | Dropbox Cache | Applications | No | No | Yes |
| 76 | Dropbox Databases | Applications | No | No | Yes |
| 77 | Dropbox Logs | Applications | No | No | Yes |
| 78 | Dump Brave Indexed DB | Applications | Yes | Yes | No |
| 79 | Dump Chrome Indexed DB | Applications | Yes | Yes | No |
| 80 | Dump Edge Indexed DB | Applications | Yes | Yes | No |
| 81 | Dump Opera Indexed DB | Applications | Yes | Yes | No |
| 82 | Dump QQ Indexed DB | Applications | Yes | Yes | No |
| 83 | Dump Vivaldi Indexed DB | Applications | Yes | Yes | No |
| 84 | ETL | System | No | Yes | Yes |
| 85 | Edge Bookmarks | Applications | Yes | Yes | No |
| 86 | Edge Cookies | Applications | Yes | Yes | No |
| 87 | Edge Downloads | Applications | Yes | Yes | No |
| 88 | Edge Extensions | Applications | Yes | Yes | No |
| 89 | Edge Favicons | Applications | Yes | Yes | No |
| 90 | Edge Form History | Applications | Yes | Yes | No |
| 91 | Edge Local Storage | Applications | Yes | Yes | No |
| 92 | Edge Login Data | Applications | Yes | Yes | No |
| 93 | Edge Sessions | Applications | Yes | Yes | No |
| 94 | Edge Thumbnails | Applications | Yes | Yes | No |
| 95 | Edge User Profiles | Applications | Yes | Yes | No |
| 96 | Edge Web Storage | Applications | Yes | Yes | No |
| 97 | Elastic Logs | Applications | No | No | Yes |
| 98 | Environment Variables | System | Yes | Yes | No |
| 99 | Eset Logs | Applications | No | No | Yes |
| 100 | Event Log EVT Files | EventLogs | Yes | Yes | No |
| 101 | Event Log EVT Records | EventLogs | Yes | Yes | Yes |
| 102 | Event Log EVTX Files | EventLogs | Yes | Yes | No |
| 103 | EventTranscript DB | System | Yes | Yes | Yes |
| 104 | Evernote Databases | Applications | No | No | Yes |
| 105 | Evernote Drag and Drop Files | Applications | No | No | Yes |
| 106 | Evernote Logs | Applications | No | No | Yes |
| 107 | Everything History | Applications | No | No | Yes |
| 108 | F-Secure Logs | Applications | No | No | Yes |
| 109 | Facebook Cache | Applications | No | No | Yes |
| 110 | Facebook Databases | Applications | No | No | Yes |
| 111 | FileExts | System | Yes | Yes | No |
| 112 | FileZilla Sessions | Applications | No | No | Yes |
| 113 | FireEye Logs | Applications | No | No | Yes |
| 114 | Firefox Browsing History | Applications | Yes | Yes | No |
| 115 | Firefox Cookies | Applications | Yes | Yes | No |
| 116 | Firefox Downloads | Applications | Yes | Yes | No |
| 117 | Firefox Extensions | Applications | Yes | Yes | No |
| 118 | Firewall Rules | Network | Yes | Yes | No |
| 119 | FirstFolder | System | Yes | Yes | No |
| 120 | Github Desktop Cache | Applications | No | No | Yes |
| 121 | Github Desktop Databases | Applications | No | No | Yes |
| 122 | Github Desktop Logs | Applications | No | No | Yes |
| 123 | GoTo Logs | Applications | No | No | Yes |
| 124 | Google Drive Databases | Applications | No | No | Yes |
| 125 | Hibernation File | Memory | No | Yes | Yes |
| 126 | HitmanPro Logs | Applications | No | No | Yes |
| 127 | Hosts | Network | Yes | Yes | Yes |
| 128 | IE 10,11,Edge Browsing History | Applications | Yes | Yes | Yes |
| 129 | IE 7,8,9 Browsing History | Applications | Yes | Yes | Yes |
| 130 | IIS Logs | Applications | No | No | Yes |
| 131 | INF Setup | System | No | Yes | Yes |
| 132 | IPv4 Routes | Network | Yes | Yes | No |
| 133 | Iconcache | System | No | Yes | Yes |
| 134 | Installed Applications | System | Yes | Yes | No |
| 135 | JumpList Automatic Entries | System | Yes | Yes | No |
| 136 | JumpList Automatic Files | System | Yes | Yes | Yes |
| 137 | JumpList Custom Entries | System | Yes | Yes | No |
| 138 | JumpList Custom Files | System | Yes | Yes | Yes |
| 139 | Kaseya Logs | Applications | No | No | Yes |
| 140 | LastVisitedPidlMRU | System | Yes | Yes | No |
| 141 | Level Logs | Applications | No | No | Yes |
| 142 | LinkedIn Cache | Applications | No | No | Yes |
| 143 | LogMeIn Logs | Applications | No | No | Yes |
| 144 | MBR | DiskFilesystem | No | Yes | Yes |
| 145 | MFT | DiskFilesystem | No | Yes | Yes |
| 146 | MFT Mirror | DiskFilesystem | No | Yes | Yes |
| 147 | MFT as CSV | DiskFilesystem | Yes | No | No |
| 148 | MSSQL Logs | Applications | No | No | Yes |
| 149 | MalwareBytes Logs | Applications | No | No | Yes |
| 150 | Map Network Drive MRU | System | Yes | Yes | No |
| 151 | McAfee Logs | Applications | No | No | Yes |
| 152 | Microsoft Calendar | Applications | No | No | Yes |
| 153 | Microsoft Exchange Logs | Applications | No | No | Yes |
| 154 | Microsoft Mail | Applications | No | No | Yes |
| 155 | Microsoft Maps | Applications | No | No | Yes |
| 156 | Microsoft Outlook | Applications | No | No | Yes |
| 157 | Microsoft People | Applications | No | No | Yes |
| 158 | Microsoft Photos | Applications | No | No | Yes |
| 159 | Microsoft Sticky Notes | Applications | No | No | Yes |
| 160 | Microsoft Store Applications List | Applications | No | No | Yes |
| 161 | Microsoft Voice Record History | Applications | No | No | Yes |
| 162 | MongoDB Logs | Applications | No | No | Yes |
| 163 | Mozilla Thunderbird | Applications | No | No | Yes |
| 164 | NTDS.dit | System | No | Yes | Yes |
| 165 | Network Adapters | Network | Yes | Yes | No |
| 166 | Network Shares | Network | Yes | Yes | No |
| 167 | Notepad++ Sessions | Applications | No | No | Yes |
| 168 | Object Directory | System | Yes | Yes | No |
| 169 | OfficeMRU | System | Yes | Yes | No |
| 170 | Old Registry Hives | System | No | Yes | Yes |
| 171 | OneDrive Logs | Applications | No | No | Yes |
| 172 | OpenSavePidlMRU | System | Yes | Yes | No |
| 173 | OpenVPN Config | Applications | No | No | Yes |
| 174 | Opera Bookmarks | Applications | Yes | Yes | No |
| 175 | Opera Browsing History | Applications | Yes | Yes | No |
| 176 | Opera Cookies | Applications | Yes | Yes | No |
| 177 | Opera Downloads | Applications | Yes | Yes | No |
| 178 | Opera Extensions | Applications | Yes | Yes | No |
| 179 | Opera Favicons | Applications | Yes | Yes | No |
| 180 | Opera Form History | Applications | Yes | Yes | No |
| 181 | Opera Local Storage | Applications | Yes | Yes | No |
| 182 | Opera Login Data | Applications | Yes | Yes | No |
| 183 | Opera Sessions | Applications | Yes | Yes | No |
| 184 | Opera Thumbnails | Applications | Yes | Yes | No |
| 185 | Opera User Profiles | Applications | Yes | Yes | No |
| 186 | Opera Web Storage | Applications | Yes | Yes | No |
| 187 | PDB Information | System | Yes | Yes | No |
| 188 | Page File | Memory | No | Yes | Yes |
| 189 | Palo Alto Logs | Applications | No | No | Yes |
| 190 | Parse LNK Files | System | Yes | Yes | No |
| 191 | Parse SRUM Application Timeline | System | No | Yes | No |
| 192 | Parse SRUM Application Usage | System | No | Yes | No |
| 193 | Parse SRUM Energy Usage | System | No | Yes | No |
| 194 | Parse SRUM Network Connectivity | System | No | Yes | No |
| 195 | Parse SRUM Network Usage | System | No | Yes | No |
| 196 | Powershell ConsoleHost History | System | Yes | Yes | No |
| 197 | Powershell Logs | System | No | Yes | Yes |
| 198 | Prefetch Files | System | Yes | Yes | Yes |
| 199 | Proxy List | Network | Yes | Yes | No |
| 200 | QQ Bookmarks | Applications | Yes | Yes | No |
| 201 | QQ Browsing History | Applications | Yes | Yes | No |
| 202 | QQ Cookies | Applications | Yes | Yes | No |
| 203 | QQ Downloads | Applications | Yes | Yes | No |
| 204 | QQ Extensions | Applications | Yes | Yes | No |
| 205 | QQ Favicons | Applications | Yes | Yes | No |
| 206 | QQ Form History | Applications | Yes | Yes | No |
| 207 | QQ Local Storage | Applications | Yes | Yes | No |
| 208 | QQ Login Data | Applications | Yes | Yes | No |
| 209 | QQ Sessions | Applications | Yes | Yes | No |
| 210 | QQ Thumbnails | Applications | Yes | Yes | No |
| 211 | QQ User Profiles | Applications | Yes | Yes | No |
| 212 | QQ Web Storage | Applications | Yes | Yes | No |
| 213 | Quick Assist | System | Yes | Yes | No |
| 214 | RAM Image | Memory | No | Yes | Yes |
| 215 | RDP Cache | System | No | Yes | Yes |
| 216 | RealVNC Logs | Applications | No | No | Yes |
| 217 | Recent File Cache | System | No | Yes | Yes |
| 218 | RecentDocs | System | Yes | Yes | No |
| 219 | Recycle Bin Information | System | Yes | Yes | No |
| 220 | Registry Hives | System | No | Yes | Yes |
| 221 | Registry Items | System | Yes | Yes | Yes |
| 222 | RemComSvc Logs | Applications | No | No | Yes |
| 223 | Remote Utilities Logs | Applications | No | No | Yes |
| 224 | RogueKiller Reports | Applications | No | No | Yes |
| 225 | RunMRU | System | Yes | Yes | No |
| 226 | Running Processes and Modules | System | Yes | Yes | No |
| 227 | SAM Users and Groups | System | Yes | Yes | No |
| 228 | SDB | System | No | Yes | Yes |
| 229 | SRUM | System | Yes | Yes | Yes |
| 230 | SUPERAntiSpyware Logs | Applications | No | No | Yes |
| 231 | Scheduled Tasks | System | Yes | Yes | Yes |
| 232 | ScreenConnect (ConnectWise Control) Application Data | Applications | No | No | Yes |
| 233 | Search History | Applications | No | No | Yes |
| 234 | SentinelOne Logs | Applications | No | No | Yes |
| 235 | Service List | System | Yes | Yes | Yes |
| 236 | Shadow Copy as CSV | DiskFilesystem | Yes | Yes | No |
| 237 | ShellBags | System | Yes | Yes | No |
| 238 | ShellFolders | System | Yes | Yes | No |
| 239 | Skype Databases | Applications | No | No | Yes |
| 240 | Skype Media | Applications | No | No | Yes |
| 241 | Sophos Logs | Applications | No | No | Yes |
| 242 | Sourcefire FireAMP Logs | Applications | No | No | Yes |
| 243 | Splashtop Logs | Applications | No | No | Yes |
| 244 | Spotify Cache | Applications | No | No | Yes |
| 245 | Spotify Recently Played List | Applications | No | No | Yes |
| 246 | Startup Items | System | Yes | Yes | Yes |
| 247 | Sublime Text Sessions | Applications | No | No | Yes |
| 248 | Superfetch | System | No | Yes | Yes |
| 249 | Supremo Remote Desktop Logs | Applications | No | No | Yes |
| 250 | Swap File | Memory | No | Yes | Yes |
| 251 | Symantec Logs | Applications | No | No | Yes |
| 252 | System Restore Points Information | System | Yes | Yes | No |
| 253 | TCP Table | Network | Yes | Yes | No |
| 254 | Tanium Logs | Applications | No | No | Yes |
| 255 | Teamviewer Logs | Applications | No | No | Yes |
| 256 | Telegram Desktop Data | Applications | No | No | Yes |
| 257 | Telegram Desktop Download | Applications | No | No | Yes |
| 258 | Thumbcache | System | No | Yes | Yes |
| 259 | TightVNC Logs | Applications | No | No | Yes |
| 260 | Tortoise Git Logs | Applications | No | No | Yes |
| 261 | TotalAv Logs | Applications | No | No | Yes |
| 262 | Trend Micro Logs | Applications | No | No | Yes |
| 263 | Twitter Cache | Applications | No | No | Yes |
| 264 | Twitter Databases | Applications | No | No | Yes |
| 265 | TypedPaths | System | Yes | Yes | No |
| 266 | TypedURLs | System | Yes | Yes | No |
| 267 | UDP Table | Network | Yes | Yes | No |
| 268 | USB Storage History | DiskFilesystem | Yes | Yes | No |
| 269 | USN Journal | DiskFilesystem | No | Yes | Yes |
| 270 | USN Journal $Max | DiskFilesystem | No | Yes | Yes |
| 271 | USN Journal as CSV | DiskFilesystem | Yes | Yes | No |
| 272 | UltraVNC Logs | Applications | No | No | Yes |
| 273 | Ultraviewer Logs | Applications | No | No | Yes |
| 274 | User Access Logs (UAL) | System | Yes | Yes | Yes |
| 275 | User Folders | System | Yes | Yes | No |
| 276 | UserAssist | System | Yes | Yes | No |
| 277 | Users | System | Yes | Yes | No |
| 278 | VIPRE Logs | Applications | No | No | Yes |
| 279 | VMware Config | Applications | No | No | Yes |
| 280 | VMware Drag and Drop Files | Applications | No | No | Yes |
| 281 | VMware Logs | Applications | No | No | Yes |
| 282 | Visual Studio Team Explorer Config | Applications | No | No | Yes |
| 283 | Vivaldi Bookmarks | Applications | Yes | Yes | No |
| 284 | Vivaldi Browsing History | Applications | Yes | Yes | No |
| 285 | Vivaldi Cookies | Applications | Yes | Yes | No |
| 286 | Vivaldi Downloads | Applications | Yes | Yes | No |
| 287 | Vivaldi Extensions | Applications | Yes | Yes | No |
| 288 | Vivaldi Favicons | Applications | Yes | Yes | No |
| 289 | Vivaldi Form History | Applications | Yes | Yes | No |
| 290 | Vivaldi Local Storage | Applications | Yes | Yes | No |
| 291 | Vivaldi Login Data | Applications | Yes | Yes | No |
| 292 | Vivaldi Sessions | Applications | Yes | Yes | No |
| 293 | Vivaldi Thumbnails | Applications | Yes | Yes | No |
| 294 | Vivaldi User Profiles | Applications | Yes | Yes | No |
| 295 | Vivaldi Web Storage | Applications | Yes | Yes | No |
| 296 | Volumes Information | DiskFilesystem | Yes | Yes | No |
| 297 | WBEM | System | No | Yes | Yes |
| 298 | WMI Active Script | System | Yes | Yes | No |
| 299 | WMI Command Line | System | Yes | Yes | No |
| 300 | WSL | Applications | No | No | Yes |
| 301 | Webroot Logs | Applications | No | No | Yes |
| 302 | WhatsApp Desktop Cache | Applications | No | No | Yes |
| 303 | WhatsApp Desktop Cookie | Applications | No | No | Yes |
| 304 | WinRAR History | Applications | Yes | Yes | No |
| 305 | Windows Defender Logs | Applications | No | No | Yes |
| 306 | Windows Error Reporting Files | System | No | No | Yes |
| 307 | Windows Index Search | System | No | Yes | Yes |
| 308 | Windows Live Mail User Settings | Applications | No | No | Yes |
| 309 | Windows Notification History | Applications | No | No | Yes |
| 310 | Windows Timeline | System | Yes | Yes | Yes |
| 311 | Wireless Connection History | Network | Yes | Yes | No |
| 312 | WordWheelQuery | System | Yes | Yes | No |
| 313 | Xeox Logs | Applications | No | No | Yes |
| 314 | ZohoAssist Logs | Applications | No | No | Yes |
| 315 | Zoom Databases | Applications | No | No | Yes |
| 316 | Zoom Media | Applications | No | No | Yes |
| 317 | iTunes Backups | Applications | No | No | Yes |