CLR
Overview
Evidence: CLR
Description: Collect CLR Log
Category: System
Platform: windows
Short Name: clr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The .NET Common Language Runtime (CLR) generates diagnostic logs, crash dumps, and error reports for .NET applications. These logs are stored in user-specific directories and contain information about .NET application crashes, exceptions, and runtime errors.
CLR logs can provide evidence of .NET application failures, crashes, and error conditions that may be relevant to incident investigation or malware analysis.
Data Collected
This collector gathers structured data about the CLR log folder.
CLR Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | CLR Log |
| Type | Folder | Folder |
| SourcePath | Original folder path | C:\Users\user\AppData\Local\Microsoft\CLRv4.0 |
| Path | Relative path in evidence | Other/CLRv4.0 |
Collection Method
This collector collects CLR log directories:
Users\*\AppData\Local\Microsoft\CLR*
All directories matching the CLR* pattern are collected recursively.
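As an added example that is not part of this collector's own code, the Python below resolves the same Users\*\AppData\Local\Microsoft\CLR* pattern, copies each matching directory recursively into the evidence tree, and emits one manifest entry per folder using the field names from the table above. The Other/<folder name> evidence layout, the per-file SHA-256 verification, the collision check, and the directory tree it runs against are all assumptions constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, streamed so large crash dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_clr_dirs(users_root):
    """Resolve Users\\*\\AppData\\Local\\Microsoft\\CLR* to concrete directories.
    Files whose names happen to match CLR* are skipped; only folders are collected."""
    found = []
    for profile in sorted(Path(users_root).iterdir()):
        ms_dir = profile / "AppData" / "Local" / "Microsoft"
        if not ms_dir.is_dir():
            continue
        found.extend(d for d in sorted(ms_dir.glob("CLR*")) if d.is_dir())
    return found


def collect_clr_logs(users_root, evidence_root):
    """Copy every matching CLR* directory recursively into <evidence_root>/Other/<name>
    and return one manifest entry per folder (Name/Type/SourcePath/Path as in the
    table above, plus a per-file SHA-256 so the copy can be re-verified later)."""
    evidence_root = Path(evidence_root)
    manifest = []
    for src_dir in find_clr_dirs(users_root):
        dest_dir = evidence_root / "Other" / src_dir.name
        if dest_dir.exists():
            # Assumed policy: two profiles with the same CLR folder name must not be merged silently.
            raise FileExistsError(f"evidence path collision for {src_dir}")
        files = []
        # Sort on the POSIX relative path so ordering is identical on Windows and Linux.
        for src in sorted((p for p in src_dir.rglob("*") if p.is_file()),
                          key=lambda p: p.relative_to(src_dir).as_posix()):
            rel = src.relative_to(src_dir)
            dest = dest_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)  # copy2 keeps mtime, which matters for timelining
            digest = sha256_file(src)
            if sha256_file(dest) != digest:
                raise IOError(f"copy of {src} does not match source hash")
            files.append({"RelPath": rel.as_posix(), "SHA256": digest})
        manifest.append({
            "Name": "CLR Log",
            "Type": "Folder",
            "SourcePath": str(src_dir),
            "Path": f"Other/{src_dir.name}",
            "Files": files,
        })
    return manifest


def build_sample_tree(root):
    """Constructed fixture (not real CLR output): one profile with a CLRv4.0 folder
    holding a nested log and a top-level file, a stray CLR_readme.txt file that
    matches the glob but is not a folder, and a second profile with no CLR data."""
    root = Path(root)
    ms = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft"
    (ms / "CLRv4.0" / "UsageLogs").mkdir(parents=True)
    (ms / "CLRv4.0" / "UsageLogs" / "app.exe.log").write_text("constructed usage log\n")
    (ms / "CLRv4.0" / "crash.txt").write_text("constructed crash note\n")
    (ms / "CLR_readme.txt").write_text("matches CLR* but is a file, so it is skipped\n")
    other = root / "Users" / "bob" / "AppData" / "Local" / "Microsoft" / "Windows"
    other.mkdir(parents=True)
    (other / "notes.txt").write_text("not a CLR log\n")
    return root / "Users"


def run_demo():
    """Run the collector over the fixture in a temporary directory and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        users = build_sample_tree(Path(tmp) / "src")
        return collect_clr_logs(users, Path(tmp) / "evidence")


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["SourcePath"], "->", entry["Path"], f"({len(entry['Files'])} files)")
```

On the fixture this yields a single manifest entry for alice's CLRv4.0 folder with two files; bob's profile and the CLR_readme.txt file contribute nothing. The collision check is the caveat worth keeping in a real collector: with an Other/<folder name> layout, two profiles that both contain CLRv4.0 would otherwise be written on top of each other, so either raise as here or add the profile name to the evidence path.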
Forensic Value
CLR logs can reveal .NET application errors and crashes that may indicate malware behavior or application exploitation. Investigators use this data to analyze .NET application failures, detect malicious .NET assemblies, investigate application crashes, and identify .NET-based malware activity.