Windows.KapeFiles.Targets
This artifact is built automatically from the KapeFiles project.
You can download the artifact for manual import into Velociraptor.
The description below explains how to use this artifact in practice.
The artifact will generate a list of globs and prepend the device name to each glob. Velociraptor's glob() plugin implementation is very efficient and minimizes the number of passes it needs to make over the filesystem when using multiple glob expressions at the same time. Therefore the artifact first traverses all the rules to build a large list of glob expressions, which it uses to search for candidate files.
Parameters
Devices: This is the list of drives that should be considered. By default we only consider the C: drive, but if you have other drives in use, those can be considered as well. The drive name is prepended to each glob specified by the different rules to begin searching on that device.
DropVerySlowRules: Some targets specify globs which need to examine every file on the disk. For example, DirectoryTraversal_AudioFiles has a glob similar to C:\**\*.{3gp,aa,aac,act,aiff}. This type of search is very slow as it needs to examine every file on disk. By default we disable these rules because they are too slow to be useful. If you really want them enabled, switch this setting off, but collection time will increase significantly.
VSS_MAX_AGE_DAYS: By default we do not consider Volume Shadow Copies during file collection. However, if you set this value to a number larger than 0, we consider this many days' worth of VSS copies.
This setting causes Velociraptor to repeat the search on all VSS copies within the specified time limit, and check for changed files between VSS copies. If the file has changed (or has been deleted) between the different VSS copies, then Velociraptor will collect multiple copies of the same file. Note that some files naturally change between VSS copies (e.g. log files), so this can end up collecting a lot more data than anticipated.
NOTE: Setting this will result in a slowdown, as we need to switch to using the ntfs accessor for all files (i.e. parse the low level filesystem) and inspect each VSS copy for a change in the file.
MaxFileSize: Sometimes we encounter very large files in unexpected locations (e.g. browser cache). This setting ensures that very large files will not be collected. By default the setting is disabled (i.e. we collect any file size), but it is a good idea to limit it as very large files are not often useful.
UPLOAD_IS_RESUMABLE: This setting controls how uploads are sent from the Velociraptor client to the server. When enabled, the client will send upload information in advance so that if the collection times out or the client is restarted, the uploads may be resumed.
The setting only has an effect when collecting this artifact remotely from a client (i.e. it does nothing for offline collections).
Following these parameters, there are many checkboxes for each possible collection target.
The most useful meta-targets are the SANS_Triage, KapeTriage
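To make the effect of Devices and DropVerySlowRules concrete, the following added example (not part of the artifact or of the Velociraptor code base) models the glob-building step in Python, using the `^\*\*` pattern that the artifact assigns to SlowGlobRegex. The function names, the sample table and the `Audio_Files` rule name are assumptions made for illustration, and the Ref column is ignored.

```python
import csv
import io
import re

# Constructed sample in the artifact's Target,Rule,Glob,Ref layout. The two
# 360SecureBrowser rows are copied from the artifact's table; the
# DirectoryTraversal_AudioFiles row is constructed (hypothetical rule name)
# from the glob quoted in the DropVerySlowRules description.
SAMPLE_TABLE = r'''Target,Rule,Glob,Ref
360SecureBrowser,360_Secure_Browser_Cookies,"Users\*\AppData\Roaming\360se6\User Data\*\**\Cookies*",
360SecureBrowser,360_Secure_Browser_History,"Users\*\AppData\Roaming\360se6\User Data\*\360History*",
DirectoryTraversal_AudioFiles,Audio_Files,"**\*.{3gp,aa,aac,act,aiff}",
'''

# Pattern the artifact assigns to SlowGlobRegex when DropVerySlowRules is set:
# only a glob that *starts* with a recursive "**" counts as very slow.
SLOW_GLOB = re.compile(r"^\*\*")


def load_rules(table_text):
    """Parse the rule table into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(table_text)))


def build_globs(rules, selected, devices=("C:",), drop_very_slow=True):
    """Return (globs, dropped_rules) for the selected targets.

    Simplified model: the Ref column is not interpreted here.
    """
    globs, dropped = [], []
    for row in rules:
        if row["Target"] not in selected:
            continue
        if drop_very_slow and SLOW_GLOB.search(row["Glob"]):
            dropped.append(row["Rule"])
            continue
        # The device name is prepended to every surviving glob.
        for device in devices:
            globs.append(device.rstrip("\\") + "\\" + row["Glob"])
    return globs, dropped


def targets_left_empty(rules, selected, drop_very_slow=True):
    """Selected targets for which every rule was dropped as too slow."""
    empty = []
    for target in sorted(selected):
        own = [r for r in rules if r["Target"] == target]
        globs, _ = build_globs(own, {target}, drop_very_slow=drop_very_slow)
        if own and not globs:
            empty.append(target)
    return empty


if __name__ == "__main__":
    rules = load_rules(SAMPLE_TABLE)
    chosen = {"360SecureBrowser", "DirectoryTraversal_AudioFiles"}
    globs, dropped = build_globs(rules, chosen, devices=["C:", "D:"])
    for g in globs:
        print("search:", g)
    print("dropped as very slow:", dropped)
    print("targets that collect nothing:", targets_left_empty(rules, chosen))
```

In this model a `**` in the middle of a path (the Cookies rule) is kept, while a target whose only glob starts with `**` yields no globs at all unless DropVerySlowRules is switched off.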
Artifact
name: Windows.KapeFiles.Target
description: |
  Kape is a popular bulk collector tool for triaging a system
  quickly. While KAPE itself is not an opensource tool, the logic it
  uses to decide which files to collect is encoded in YAML files
  hosted on the KapeFiles project
  (https://github.com/EricZimmerman/KapeFiles) and released under an
  MIT license.
  This artifact is automatically generated from these YAML files,
  contributed and maintained by the community. This artifact only
  encapsulates the KAPE "Targets" - basically a bunch of glob
  expressions used for collecting files on the endpoint. We do not
  do any post processing of these files - we just collect them.
  We recommend that timeouts and upload limits be used
  conservatively with this artifact because we can upload really
  vast quantities of data very quickly.
  NOTE:
  This artifact was built from [The Velociraptor Triage
  Repository](https://triage.velocidex.com/docs/)
  Commit 27acaed on 2025-08-12T05:55:02Z
reference:
  - https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
  - https://github.com/EricZimmerman/KapeFiles
parameters:
  - name: Devices
    type: json_array
    description: |
      Name of the drive letter to search. You can add multiple drives
      separated with a comma.
    default: '["C:"]'
  - name: DropVerySlowRules
    type: bool
    default: Y
    description: |
      Some rules are very slow due to a recursive search at the higher
      levels (For example a glob such as `C:\**\*.ini` ). These rules
      cause the collection to be very slow as the entire filesystem
      must be searched.
      By default we drop these rules but you can enable them if you
      like. This will cause the collection to be a lot slower.
  - name: VSS_MAX_AGE_DAYS
    type: int
    default: 0
    description: |
      If larger than zero we analyze VSS within this many days
      ago. (e.g 7 will analyze all VSS within the last week). Note
      that when using VSS analysis we have to use the ntfs accessor
      for everything which will be much slower.
  - name: MaxFileSize
    type: int
    default: 18446744073709551615
    description: |
      The max size in bytes of the individual files to collect.
      Set to 0 to disable it.
  - name: UPLOAD_IS_RESUMABLE
    type: bool
    default: Y
    description: |
      If set the uploads can be resumed if the flow times out or
      errors.
  - name: _KapeTriage
    description: "Calls Kape Triage"
    type: bool
  - name: AppData
    description: "AppData"
    type: bool
  - name: DirectoryTraversal_AudioFiles
    description: "Find audio files covering a multitude of formats"
    type: bool
  - name: DirectoryTraversal_ExcelDocuments
    description: "Find Excel and Excel alternative documents"
    type: bool
  - name: DirectoryTraversal_PDFDocuments
    description: "Find PDF and PDF alternative documents"
    type: bool
  - name: DirectoryTraversal_PictureFiles
    description: "Find picture files covering a multitude of formats"
    type: bool
  - name: DirectoryTraversal_SQLiteDatabases
    description: "Find files with common SQLite file extensions"
    type: bool
  - name: DirectoryTraversal_VideoFiles
    description: "Find video files covering a multitude of formats"
    type: bool
  - name: DirectoryTraversal_WildCardExample
    description: "Find zip archives"
    type: bool
  - name: DirectoryTraversal_WordDocuments
    description: "Find Word and Word alternative documents"
    type: bool
  - name: LiveUserFiles
    description: "Live User Files"
    type: bool
  - name: AVG
    description: "AVG Antivirus Data"
    type: bool
  - name: Avast
    description: "Avast Antivirus Data"
    type: bool
  - name: AviraAVLogs
    description: "Avira Logs"
    type: bool
  - name: Bitdefender
    description: "Bitdefender Antivirus Data"
    type: bool
  - name: Combofix
    description: "ComboFix Antivirus Data"
    type: bool
  - name: CrowdStrikeFalcon
    description: "CrowdStrike Falcon"
    type: bool
  - name: Cybereason
    description: "Cybereason Sensor/Detection Logs"
    type: bool
  - name: Cylance
    description: "Cylance Antivirus Logs"
    type: bool
  - name: ESET
    description: "ESET Antivirus Data"
    type: bool
  - name: Emsisoft
    description: "Emsisoft Antivirus Logs"
    type: bool
  - name: FSecure
    description: "F-Secure Antivirus Data"
    type: bool
  - name: HitmanPro
    description: "HitmanPro Antivirus Data"
    type: bool
  - name: Malwarebytes
    description: "Malwarebytes Data"
    type: bool
  - name: McAfee
    description: "McAfee Log Files"
    type: bool
  - name: McAfee_ePO
    description: "McAfee ePO Log Files"
    type: bool
  - name: MicrosoftSafetyScanner
    description: "Microsoft Safety Scanner"
    type: bool
  - name: RogueKiller
    description: "RogueKiller Anti-Malware (by Adlice Software)"
    type: bool
  - name: SUPERAntiSpyware
    description: "SUPERAntiSpyware Data"
    type: bool
  - name: SecureAge
    description: "SecureAge Antivirus Logs"
    type: bool
  - name: SentinelOne
    description: "Sentinel One Logs"
    type: bool
  - name: Sophos
    description: "Sophos Data"
    type: bool
  - name: Symantec_AV_Logs
    description: "Symantec AV Logs"
    type: bool
  - name: TotalAV
    description: "TotalAV Antivirus Data"
    type: bool
  - name: TrendMicro
    description: "Trend Micro Data"
    type: bool
  - name: VIPRE
    description: "VIPRE Data"
    type: bool
  - name: Webroot
    description: "Webroot Antivirus"
    type: bool
  - name: WinDefendDetectionHist
    description: "Windows Defender Threat DetectionHistory files"
    type: bool
  - name: WindowsDefender
    description: "Windows Defender Data"
    type: bool
  - name: 1Password
    description: "1Password Password Manager"
    type: bool
  - name: 4KVideoDownloader
    description: "4K Video Downloader"
    type: bool
  - name: AceText
    description: "AceText"
    type: bool
  - name: AcronisTrueImage
    description: "Acronis True Image"
    type: bool
  - name: Action1
    description: "Action1 Application Logs"
    type: bool
  - name: AdvancedIPScanner
    description: "Advanced IP Scanner Artifacts"
    type: bool
  - name: AdvancedPortScanner
    description: "Advanced Port Scanner Artifacts"
    type: bool
  - name: AgentRansack
    description: "Agent Ransack - Free File Searching Utility"
    type: bool
  - name: Ammyy
    description: "Ammyy Data"
    type: bool
  - name: AnyDesk
    description: "AnyDesk"
    type: bool
  - name: AsperaConnect
    description: "Aspera Connect Log Files"
    type: bool
  - name: AteraAgent
    description: "AteraAgent"
    type: bool
  - name: BoxDrive_Metadata
    description: "Box Cloud Storage Metadata"
    type: bool
  - name: BoxDrive_UserFiles
    description: "Box Cloud Storage Files"
    type: bool
  - name: ChatGPT
    description: "A Target to collect files related to ChatGPT Desktop"
    type: bool
  - name: CiscoJabber
    description: "Jabber"
    type: bool
  - name: ClipboardMaster
    description: "ClipboardMaster"
    type: bool
  - name: ConfluenceLogs
    description: "Confluence Log Files"
    type: bool
  - name: DWAgent
    description: "DWAgent Log Files"
    type: bool
  - name: DirectoryOpus
    description: "Directory Opus"
    type: bool
  - name: Discord
    description: "Discord Cache and LevelDB Files"
    type: bool
  - name: DoubleCommander
    description: "Double Commander"
    type: bool
  - name: Dropbox_Metadata
    description: "Dropbox Cloud Storage Metadata"
    type: bool
  - name: Dropbox_UserFiles
    description: "Dropbox Cloud Storage Files"
    type: bool
  - name: EFCommander
    description: "EF Commander"
    type: bool
  - name: Evernote
    description: "Evernote"
    type: bool
  - name: Everything_VoidTools_
    description: "Everything (VoidTools)"
    type: bool
  - name: FastStoneImageViewer
    description: "FastStone Image Viewer"
    type: bool
  - name: Fences
    description: "Fences"
    type: bool
  - name: FileZillaClient
    description: "FileZilla XML and SQLite Log Files"
    type: bool
  - name: FileZillaServer
    description: "FileZilla Server Logs"
    type: bool
  - name: FreeCommander
    description: "FreeCommander XE"
    type: bool
  - name: FreeDownloadManager
    description: "Free Download Manager"
    type: bool
  - name: FreeFileSync
    description: "FreeFileSync"
    type: bool
  - name: GoogleDriveBackupSync_UserFiles
    description: "Google Backup and Sync Storage Files"
    type: bool
  - name: GoogleDrive_Metadata
    description: "Google Drive Metadata"
    type: bool
  - name: GoogleEarth
    description: "Google Earth"
    type: bool
  - name: HeidiSQL
    description: "HeidiSQL"
    type: bool
  - name: HexChat
    description: "HexChat"
    type: bool
  - name: IDrive
    description: "IDrive Backup Artifacts"
    type: bool
  - name: ISLOnline
    description: "ISLOnline Remote Access Tool"
    type: bool
  - name: ITarian
    description: "ITarian RMM"
    type: bool
  - name: IceChat
    description: "IceChat"
    type: bool
  - name: ImgBurn
    description: "ImgBurn"
    type: bool
  - name: IrfanView
    description: "IrfanView"
    type: bool
  - name: JDownloader2
    description: "JDownloader 2"
    type: bool
  - name: JavaWebCache
    description: "Java WebStart Cache - (IDX Files)"
    type: bool
  - name: Kaseya
    description: "Kaseya Data"
    type: bool
  - name: Keepass
    description: "Keepass"
    type: bool
  - name: KeepassXC
    description: "KeepassXC"
    type: bool
  - name: Level
    description: "Level.io Application Logs"
    type: bool
  - name: LogMeIn
    description: "LogMeIn Data"
    type: bool
  - name: MacriumReflect
    description: "Macrium Reflect"
    type: bool
  - name: Mattermost
    description: "Mattermost"
    type: bool
  - name: MediaMonkey
    description: "MediaMonkey"
    type: bool
  - name: Megasync
    description: "MegaSync Data Collection"
    type: bool
  - name: MeshAgent
    description: "MeshAgent log and configuration files"
    type: bool
  - name: MicrosoftAzureCopy
    description: "Microsoft Azure Copy"
    type: bool
  - name: MicrosoftOneNote
    description: "Microsoft OneNote"
    type: bool
  - name: MicrosoftStickyNotes
    description: "Microsoft Sticky Notes"
    type: bool
  - name: MicrosoftTeams
    description: "Microsoft Teams"
    type: bool
  - name: MicrosoftToDo
    description: "Microsoft To Do"
    type: bool
  - name: MidnightCommander
    description: "Midnight Commander"
    type: bool
  - name: MobaXTerm
    description: "MobaXTerm"
    type: bool
  - name: MouseWithoutBorders
    description: "Mouse Without Borders"
    type: bool
  - name: MstyDatabase
    description: "Msty is a UI to interact with large language models (LLMs)"
    type: bool
  - name: MultiCommander
    description: "Multi Commander"
    type: bool
  - name: Nessus
    description: "Nessus"
    type: bool
  - name: NetMonitorforEmployeesProfessional
    description: "Net Monitor for Employees Pro"
    type: bool
  - name: Notepad_
    description: "Notepad++ Backups, recently searched/replaced terms and recently opened documents"
    type: bool
  - name: Notion
    description: "Notion Note-Taking App"
    type: bool
  - name: OneCommander
    description: "One Commander"
    type: bool
  - name: OneDrive_Metadata
    description: "Microsoft OneDrive Storage Metadata"
    type: bool
  - name: OneDrive_UserFiles
    description: "Microsoft OneDrive Storage Files"
    type: bool
  - name: OpenSSHClient
    description: "OpenSSH Client config, known hosts and keys"
    type: bool
  - name: OpenSSHServer
    description: "OpenSSH Server Config and Logs"
    type: bool
  - name: OpenVPNClient
    description: "OpenVPN Client Config and Log"
    type: bool
  - name: OutlookPSTOST
    description: "Outlook PST and OST files"
    type: bool
  - name: PeaZip
    description: "PeaZip"
    type: bool
  - name: ProtonVPN
    description: "ProtonVPN"
    type: bool
  - name: Q_Dir
    description: "Q-Dir"
    type: bool
  - name: QFinderPro_QNAP_
    description: "QFinderPro (QNAP)"
    type: bool
  - name: QlikSense
    description: "Qlik Sense"
    type: bool
  - name: RDCMan
    description: "A Target to collect files that are related to RDCMan"
    type: bool
  - name: Radmin
    description: "Radmin Server/Viewer Logs and Chats"
    type: bool
  - name: RcloneConf
    description: "Rclone config file"
    type: bool
  - name: Remcos
    description: "Remcos RAT"
    type: bool
  - name: RemoteDesktopManager
    description: "A Target to collect files that are related to Remote Desktop Manager from Devolutions"
    type: bool
  - name: RemoteUtilities_app
    description: "Remote Utilities"
    type: bool
  - name: Robo_FTP
    description: "Robo-FTP"
    type: bool
  - name: RustDesk
    description: "RustDesk"
    type: bool
  - name: ScreenConnect
    description: "ScreenConnect Data (now known as ConnectWise Control)"
    type: bool
  - name: Session
    description: "Session Desktop"
    type: bool
  - name: ShareX
    description: "ShareX"
    type: bool
  - name: SiemensTIA
    description: "Copy Siemens TIA Settings"
    type: bool
  - name: Signal
    description: "Signal (Please view this tkape file for documentation on decryption!)"
    type: bool
  - name: SimpleHelp
    description: "SimpleHelp Remote Access Client"
    type: bool
  - name: Skype
    description: "Skype"
    type: bool
  - name: Slack
    description: "Slack"
    type: bool
  - name: Snagit
    description: "Snagit"
    type: bool
  - name: SoftPerfectNetscan
    description: "Soft Perfect Network Scanner Output"
    type: bool
  - name: SpeedCommander
    description: "SpeedCommander"
    type: bool
  - name: Splashtop
    description: "Splashtop"
    type: bool
  - name: Steam
    description: "Steam"
    type: bool
  - name: SublimeText
    description: "Sublime Text 2/3/4 Auto Save Session"
    type: bool
  - name: SugarSync
    description: "SugarSync"
    type: bool
  - name: SumatraPDF
    description: "SumatraPDF"
    type: bool
  - name: SupremoRemoteDesktop
    description: "Supremo Remote Desktop Control Logs"
    type: bool
  - name: Syncthing
    description: "Syncthing Configuration and Logs"
    type: bool
  - name: TablacusExplorer
    description: "Tablacus Explorer"
    type: bool
  - name: TeamViewerLogs
    description: "TeamViewer Logs"
    type: bool
  - name: Telegram
    description: "Telegram Desktop"
    type: bool
  - name: TeraCopy
    description: "TeraCopy log history"
    type: bool
  - name: Thunderbird
    description: "Mozilla Thunderbird Email Client"
    type: bool
  - name: TotalCommander
    description: "Total Commander"
    type: bool
  - name: TreeSize
    description: "TreeSize - Scan History"
    type: bool
  - name: UEMS
    description: "UEMS Manage Engine Agent"
    type: bool
  - name: Ultraviewer
    description: "UltraViewer"
    type: bool
  - name: VLC_Media_Player
    description: "VLC Media Player"
    type: bool
  - name: VMwareInventory
    description: "VMware - Virtual Machine Inventory"
    type: bool
  - name: VMwareMemory
    description: "VMware - Virtual Machine Memory"
    type: bool
  - name: VNCLogs
    description: "VNC Logs"
    type: bool
  - name: Viber
    description: "ViberPC Messaging App"
    type: bool
  - name: VirtualBoxConfig
    description: "Collects VirtualBox configuration files"
    type: bool
  - name: VirtualBoxLogs
    description: "Collects VirtualBox log files"
    type: bool
  - name: VirtualBoxMemory
    description: "VirtualBox - Memory"
    type: bool
  - name: VisualStudioCode
    description: "Visual Studio Code artifacts"
    type: bool
  - name: WhatsApp
    description: "WhatsApp Local Files"
    type: bool
  - name: WhatsApp_Media
    description: "WhatsApp Shared Media Files"
    type: bool
  - name: WinSCP
    description: "WinSCP"
    type: bool
  - name: WindowsYourPhone
    description: "Windows Your Phone"
    type: bool
  - name: XYplorer
    description: "XYplorer"
    type: bool
  - name: Xeox
    description: "Xeox Application Logs"
    type: bool
  - name: ZScaler
    description: "Zscaler Logs"
    type: bool
  - name: ZohoAssist
    description: "Zoho Assist artifacts"
    type: bool
  - name: Zoom
    description: "Zoom client artifacts"
    type: bool
  - name: iTunesBackup
    description: "iTunes Backups"
    type: bool
  - name: mIRC
    description: "mIRC"
    type: bool
  - name: mRemoteNG
    description: "mRemoteNG"
    type: bool
  - name: pCloudDatabase
    description: "pCloud Database"
    type: bool
  - name: 360SecureBrowser
    description: "360 Secure Browser"
    type: bool
  - name: Arc
    description: "Arc Browser"
    type: bool
  - name: BraveBrowser
    description: "Brave Browser"
    type: bool
  - name: BrowserCache
    description: "Browser Caches"
    type: bool
  - name: Chrome
    description: "Chrome"
    type: bool
  - name: ChromeExtensions
    description: "Chrome Extension Files"
    type: bool
  - name: ChromeFileSystem
    description: "Chrome HTML5 File System Contents"
    type: bool
  - name: CocCoc
    description: "CocCoc Browser"
    type: bool
  - name: Edge
    description: "Edge"
    type: bool
  - name: EdgeChromium
    description: "Microsoft Edge Chromium Artifacts"
    type: bool
  - name: EdgeChromiumExtensions
    description: "Edge Chromium Extension Files"
    type: bool
  - name: Firefox
    description: "Firefox"
    type: bool
  - name: InternetExplorer
    description: "Internet Explorer"
    type: bool
  - name: Opera
    description: "Opera"
    type: bool
  - name: PuffinSecureBrowser
    description: "Puffin Secure Browser"
    type: bool
  - name: QQBrowser
    description: "QQ Browser"
    type: bool
  - name: Supermium
    description: "Supermium"
    type: bool
  - name: UCBrowser
    description: "UCBrowser"
    type: bool
  - name: Vivaldi
    description: "Vivaldi Artifacts"
    type: bool
  - name: WaveBrowser
    description: "WaveBrowser"
    type: bool
  - name: Yandex
    description: "Yandex Artifacts"
    type: bool
  - name: _BasicCollection
    description: "Basic Collection"
    type: bool
  - name: _SANS_Triage
    description: "SANS Triage Collection"
    type: bool
  - name: Antivirus
    description: "Antivirus"
    type: bool
  - name: CloudStorage_All
    description: "Cloud Storage Contents and Metadata"
    type: bool
  - name: CloudStorage_Metadata
    description: "Cloud Storage Metadata"
    type: bool
  - name: CloudStorage_OneDriveExplorer
    description: "OneDrive and other files used with OneDriveExplorer"
    type: bool
  - name: CombinedLogs
    description: "Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs"
    type: bool
  - name: EvidenceOfExecution
    description: "Evidence of execution related files"
    type: bool
  - name: Exchange
    description: "Exchange Log Files"
    type: bool
  - name: FTPClients
    description: "FTP Clients"
    type: bool
  - name: FileExplorerReplacements
    description: "File Explorer Replacements"
    type: bool
  - name: FileSystem
    description: "File system metadata"
    type: bool
  - name: IRCClients
    description: "IRC Clients"
    type: bool
  - name: KapeTriage
    description: "KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, Notepad unsaved sessions (Win11), 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files."
    type: bool
  - name: MessagingClients
    description: "Messaging and communication apps"
    type: bool
  - name: MiniTimelineCollection
    description: "MFT, Registry and Event Logs to generate a mini timeline"
    type: bool
  - name: NetworkScanner
    description: "Network Scanner Tools"
    type: bool
  - name: P2PClients
    description: "P2P Clients"
    type: bool
  - name: ProgramExecution
    description: "Program Execution Triage Collection"
    type: bool
  - name: RecycleBin
    description: "Recycle Bin DataAndInfo"
    type: bool
  - name: RegistryHives
    description: "System and user related Registry hives"
    type: bool
  - name: RemoteAdmin
    description: "Composite target for files related to remote administration tools"
    type: bool
  - name: SOFELK
    description: "SOF-ELK related files of interest"
    type: bool
  - name: SQLiteDatabases
    description: "SQLDatabases Target for use with SQLECmd Module"
    type: bool
  - name: ServerTriage
    description: "A compound target for gathering artifacts common to servers."
    type: bool
  - name: TorrentClients
    description: "Torrent Clients"
    type: bool
  - name: USBDetective
    description: "Collects files that can be input into USB Detective for parsing"
    type: bool
  - name: UsenetClients
    description: "Usenet Clients"
    type: bool
  - name: VMware
    description: "Runs all VMware modules to collect VMware VM config files, logs and Virtual Hard Disks"
    type: bool
  - name: VirtualBox
    description: "Runs all VirtualBox modules to collect Virtualbox VM config files, logs and Virtual Hard Disks"
    type: bool
  - name: WSL
    description: "All Windows Subsystem for Linux targets"
    type: bool
  - name: WebBrowsers
    description: "Web browser history, bookmarks, etc."
    type: bool
  - name: WebServers
    description: "Logs from all known web server applications and supporting services"
    type: bool
  - name: ApacheAccessLog
    description: "Apache Access Log"
    type: bool
  - name: IISLogFiles
    description: "IIS Log Files"
    type: bool
  - name: MSSQLErrorLog
    description: "MS SQL ErrorLogs"
    type: bool
  - name: ManageEngineLogs
    description: "ManageEngine Log Files"
    type: bool
  - name: NGINXLogs
    description: "NGINX Log Files"
    type: bool
  - name: PowerShellConsole
    description: "PowerShell Console Log File"
    type: bool
  - name: BitTorrent
    description: "BitTorrent"
    type: bool
  - name: DC_
    description: "DC++"
    type: bool
  - name: Freenet
    description: "Freenet"
    type: bool
  - name: FrostWire
    description: "FrostWire"
    type: bool
  - name: Gigatribe
    description: "Gigatribe Files"
    type: bool
  - name: NZBGet
    description: "NZBGet"
    type: bool
  - name: NewsbinPro
    description: "Newsbin Pro"
    type: bool
  - name: Newsleecher
    description: "Newsleecher"
    type: bool
  - name: Nicotine_
    description: "Nicotine++"
    type: bool
  - name: SABnbzd
    description: "SABnbzd"
    type: bool
  - name: Shareaza
    description: "Shareaza"
    type: bool
  - name: Soulseek
    description: "Soulseek"
    type: bool
  - name: Torrents
    description: "Torrent Files"
    type: bool
  - name: Usenet
    description: "Usenet (NZB) Files"
    type: bool
  - name: eMule
    description: "eMule"
    type: bool
  - name: qBittorrent
    description: "qBittorrent"
    type: bool
  - name: uTorrent
    description: "uTorrent"
    type: bool
  - name: _Bitmap
    description: "$Bitmap"
    type: bool
  - name: _Boot
    description: "$Boot"
    type: bool
  - name: _J
    description: "$J"
    type: bool
  - name: _LogFile
    description: "$LogFile"
    type: bool
  - name: _MFT
    description: "$MFT"
    type: bool
  - name: _MFTMirr
    description: "$MFTMirr"
    type: bool
  - name: _SDS
    description: "$SDS"
    type: bool
  - name: _T
    description: "$T"
    type: bool
  - name: ActiveDirectoryNTDS
    description: "Active Directory NTDS"
    type: bool
  - name: ActiveDirectorySysvol
    description: "Active Directory Sysvol"
    type: bool
  - name: Amcache
    description: "Amcache.hve"
    type: bool
  - name: AppCompatPCA
    description: "AppCompat PCA Folder"
    type: bool
  - name: AppXPackages
    description: "AppXPackages"
    type: bool
  - name: ApplicationEvents
    description: "Windows Application Event Log"
    type: bool
  - name: BCD
    description: "Boot Configuration Files"
    type: bool
  - name: BITS
    description: "Microsoft BITS (Background Intelligent Transer Service) persistent files"
    type: bool
  - name: CapabilityAccessManager
    description: "Capability Access Manager database"
    type: bool
  - name: CertUtil
    description: "Certutil"
    type: bool
  - name: Drivers
    description: "Windows Drivers"
    type: bool
  - name: EncapsulationLogging
    description: "EncapsulationLogging"
    type: bool
  - name: EventLogs_RDP
    description: "Collect Win7+ RDP related Event logs"
    type: bool
  - name: EventLogs
    description: "Event logs"
    type: bool
  - name: EventTraceLogs
    description: "Event Trace Logs"
    type: bool
  - name: EventTranscriptDB
    description: "EventTranscript.db (and other files related to Telemetry and Diagnostic Data)"
    type: bool
  - name: ExchangeClientAccess
    description: "Exchange Client Access Log Files"
    type: bool
  - name: ExchangeCve_2021_26855
    description: "Exchange Server Vulnerability *.Compiled Files"
    type: bool
  - name: ExchangeSetupLog
    description: "Exchange Setup Log"
    type: bool
  - name: ExchangeTransport
    description: "Exchange Transport Log Files"
    type: bool
  - name: GroupPolicy
    description: "Current Group Policy Enforcement"
    type: bool
  - name: HostsFile
    description: "Hosts file"
    type: bool
  - name: IISConfiguration
    description: "IIS"
    type: bool
  - name: IconCacheDB
    description: "IconCache.db files"
    type: bool
  - name: JumpLists
    description: "Jump lists"
    type: bool
  - name: LNKFilesAndJumpLists
    description: "LNK Files and jump lists"
    type: bool
  - name: LinuxOnWindowsProfileFiles
    description: "Linux on Windows Profile Files"
    type: bool
  - name: LogFiles
    description: "LogFiles (includes SUM)"
    type: bool
  - name: MOF
    description: "MOF files (WMI)"
    type: bool
  - name: MemoryFiles
    description: "Memory Files"
    type: bool
  - name: MicrosoftOfficeBackstage
    description: "Microsoft Office Backstage"
    type: bool
  - name: NETCLRUsageLogs
    description: ".NET CLR UsageLogs"
    type: bool
  - name: Notepad
    description: "A Target to collect files that are currently open in Notepad (Windows 11+)"
    type: bool
  - name: OfficeAutosave
    description: "Office Autosave"
    type: bool
  - name: OfficeDiagnostics
    description: "Office Diagnostics"
    type: bool
  - name: OfficeDocumentCache
    description: "Office Document Cache"
    type: bool
  - name: PerfLogs
    description: "Perflogs Folder Copy"
    type: bool
  - name: PowerShell7Config
    description: "PowerShell 7 Runtime Config"
    type: bool
  - name: PowerShellTranscripts
    description: "PowerShell Transcripts"
    type: bool
  - name: Prefetch
    description: "Prefetch files"
    type: bool
  - name: ProgramData
    description: "ProgramData Folder Copy"
    type: bool
  - name: PushNotification
    description: "Windows Push Notification Service"
    type: bool
  - name: QuickAssist
    description: "Microsoft Quick Assist/Remote Help"
    type: bool
  - name: RDPCache
    description: "RDP Cache Files"
    type: bool
  - name: RDPJumplist
    description: "RDP Jumplist Files"
    type: bool
  - name: RDPLogs
    description: "RDP Logs"
    type: bool
  - name: RecentFileCache
    description: "RecentFileCache"
    type: bool
  - name: RecentFolders
    description: "Recent Folders LNK files"
    type: bool
  - name: RecycleBin_DataFiles
    description: "Recycle Bin Data Files"
    type: bool
  - name: RecycleBin_InfoFiles
    description: "Recycle Bin Info Files"
    type: bool
  - name: RegistryHivesMSIXApps
    description: "MSIX/APPX App Hives"
    type: bool
  - name: RegistryHivesOther
    description: "Other Registry Hives"
    type: bool
  - name: RegistryHivesSystem
    description: "System level/related Registry hives"
    type: bool
  - name: RegistryHivesUser
    description: "User Related Registry hives"
    type: bool
  - name: RoamingProfile
    description: "User Related Registry Hives, LNK files, etc"
    type: bool
  - name: SCCMClientLogs
    description: "SCCM Client Log Files"
    type: bool
  - name: SDB
    description: "Shim SDB FIles"
    type: bool
  - name: SRUM
    description: "System Resource Usage Monitor (SRUM) Data"
    type: bool
  - name: SUM
    description: "SUM Database"
    type: bool
  - name: ScheduledTasks
    description: "Scheduled tasks (*.job and XML)"
    type: bool
  - name: SignatureCatalog
    description: "Obtain detached signature catalog files"
    type: bool
  - name: SnipAndSketch
    description: "Snip & Sketch Cached Images"
    type: bool
  - name: SnippingTool
    description: "SnippingTools screenshots"
    type: bool
  - name: StartupFolders
    description: "Startup Folders"
    type: bool
  - name: StartupInfo
    description: "StartupInfo XML Files"
    type: bool
  - name: Syscache
    description: "syscache.hve"
    type: bool
  - name: ThumbCache
    description: "Thumbcache DB"
    type: bool
  - name: USBDevicesLogs
    description: "USB devices log files"
    type: bool
  - name: UsersFolders
    description: "Users folders Dump"
    type: bool
  - name: VirtualDisks
    description: "Virtual Disks"
    type: bool
  - name: WBEM
    description: "Web-Based Enterprise Management (WBEM)"
    type: bool
  - name: WER
    description: "Windows Error Reporting"
    type: bool
  - name: WindowsSubsystemforAndroid
    description: "Windows Subsystem for Android (WSA)"
    type: bool
  - name: Debian
    description: "Debian on Windows Subsystem for Linux"
    type: bool
  - name: Kali
    description: "Kali on Windows Subsystem for Linux"
    type: bool
  - name: SUSELinuxEnterpriseServer
    description: "SUSE Linux Enterprise Server on Windows Subsystem for Linux"
    type: bool
  - name: Ubuntu
    description: "Ubuntu on Windows Subsystem for Linux"
    type: bool
  - name: openSUSE
    description: "openSUSE on Windows Subsystem for Linux"
    type: bool
  - name: WindowsApp
    description: "WindowsApp Logs"
    type: bool
  - name: WindowsCopilotRecall
    description: "Windows Copilot+ Recall"
    type: bool
  - name: WindowsFirewall
    description: "Windows Firewall Logs"
    type: bool
  - name: WindowsHello
    description: "Windows Hello"
    type: bool
  - name: WindowsIndexSearch
    description: "Windows Index Search"
    type: bool
  - name: WindowsNetwork
    description: "Windows Networks settings"
    type: bool
  - name: WindowsNotificationsDB
    description: "Windows 10 Notification DB"
    type: bool
  - name: WindowsOSUpgradeArtifacts
    description: "Windows OS Upgrade Artifacts"
    type: bool
  - name: WindowsPowerDiagnostics
    description: "Windows Power Diagnostics"
    type: bool
  - name: WindowsServerDNSAndDHCP
    description: "Windows Server DNS and DHCP log files"
    type: bool
  - name: WindowsTelemetryDiagnosticsLegacy
    description: "Legacy Windows Telemetry and Diagnostics files (*.rbs)"
    type: bool
  - name: WindowsTimeline
    description: "ActivitiesCache.db collector"
    type: bool
  - name: WindowsUpdate
    description: "Windows Update Logs"
    type: bool
  - name: XPRestorePoints
    description: "XP Restore Points - System Volume Information directory"
    type: bool
export: |
  LET VQL_MATERIALIZE_ROW_LIMIT <= 10000
  LET NTFS_CACHE_TIME <= 100000
  LET NTFS_DISABLE_FULL_PATH_RESOLUTION <= TRUE
  LET SlowGlobRegex <= if(condition=DropVerySlowRules,
      then="^\\*\\*", else="RunSlowFileGlobs!!!")
  -- Group the targets for faster searching.
  LET TargetTable <= SELECT Target,
      enumerate(items=dict(Rule=Rule, Glob=Glob, Ref=Ref)) AS Rules
  FROM parse_csv(accessor="data",
      filename='''
  Target,Rule,Glob,Ref
  1Password,1Password_Backup_Databases,"Users\*\AppData\Local\1password\backups\1Password10.sqlite",
  1Password,1Password_Database,"Users\*\AppData\Local\1password\data\1Password10.sqlite",
  1Password,1Password_Logs,"Users\*\AppData\Local\1password\logs\*.log",
  360SecureBrowser,360_Secure_Browser_Bookmarks,"Users\*\AppData\Roaming\360se6\User Data\*\360Bookmarks*",
  360SecureBrowser,360_Secure_Browser_Cookies,"Users\*\AppData\Roaming\360se6\User Data\*\**\Cookies*",
  360SecureBrowser,360_Secure_Browser_Current_Session,"Users\*\AppData\Roaming\360se6\User Data\*\Current Session",
  360SecureBrowser,360_Secure_Browser_Current_Tabs,"Users\*\AppData\Roaming\360se6\User Data\*\Current Tabs",
  360SecureBrowser,360_Secure_Browser_Download_Metadata,"Users\*\AppData\Roaming\360se6\User Data\*\DownloadMetadata",
  360SecureBrowser,360_Secure_Browser_Extension_Cookies,"Users\*\AppData\Roaming\360se6\User Data\*\Extension Cookies",
  360SecureBrowser,360_Secure_Browser_Favicons,"Users\*\AppData\Roaming\360se6\User Data\*\Favicons*",
  360SecureBrowser,360_Secure_Browser_History,"Users\*\AppData\Roaming\360se6\User Data\*\360History*",
  360SecureBrowser,360_Secure_Browser_Last_Session,"Users\*\AppData\Roaming\360se6\User Data\*\Last Session",
  360SecureBrowser,360_Secure_Browser_Last_Tabs,"Users\*\AppData\Roaming\360se6\User Data\*\Last Tabs",
  360SecureBrowser,360_Secure_Browser_Login_Data,"Users\*\AppData\Roaming\360se6\User Data\*\Login Data*",
  360SecureBrowser,360_Secure_Browser_Media_History,"Users\*\AppData\Roaming\360se6\User Data\*\Media History*",
  360SecureBrowser,360_Secure_Browser_Network_Action_Predictor,"Users\*\AppData\Roaming\360se6\User Data\*\Network Action Predictor",
  360SecureBrowser,360_Secure_Browser_Network_Persistent_State,"Users\*\AppData\Roaming\360se6\User Data\*\**\Network Persistent State",
  360SecureBrowser,360_Secure_Browser_Preferences,"Users\*\AppData\Roaming\360se6\User Data\*\Preferences",
  360SecureBrowser,360_Secure_Browser_Quota_Manager,"Users\*\AppData\Roaming\360se6\User Data\*\QuotaManager",
  360SecureBrowser,360_Secure_Browser_Reporting_and_NEL,"Users\*\AppData\Roaming\360se6\User Data\*\**\Reporting and NEL",
  360SecureBrowser,360_Secure_Browser_Sessions_Folder,"Users\*\AppData\Roaming\360se6\User Data\*\Sessions\*",
  360SecureBrowser,360_Secure_Browser_Shortcuts,"Users\*\AppData\Roaming\360se6\User Data\*\Shortcuts*",
  360SecureBrowser,360_Secure_Browser_Snapshots_Folder,"Users\*\AppData\Roaming\360se6\User Data\Snapshots\*\**",
  360SecureBrowser,360_Secure_Browser_SyncData_Database,"Users\*\AppData\Roaming\360se6\User Data\*\Sync Data\**",
360SecureBrowser,360_Secure_Browser_Top_Sites,"Users\*\AppData\Roaming\360se6\User Data\*\Top Sites*",
360SecureBrowser,360_Secure_Browser_Trust_Tokens,"Users\*\AppData\Roaming\360se6\User Data\*\**\Trust Tokens*",
360SecureBrowser,360_Secure_Browser_Visited_Links,"Users\*\AppData\Roaming\360se6\User Data\*\Visited Links",
360SecureBrowser,360_Secure_Browser_Web_Data,"Users\*\AppData\Roaming\360se6\User Data\*\Web Data*",
360SecureBrowser,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
4KVideoDownloader,4K_Video_Downloader,"Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite",
4KVideoDownloader,4K_Video_Downloader_,"Users\*\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+\*.sqlite",
AVG,AVG_AV_Logs,"ProgramData\AVG\Antivirus\log\**",
AVG,AVG_AV_Logs_XP_,"Documents and Settings\All Users\Application Data\AVG\Antivirus\log\**",
AVG,AVG_AV_Report_Logs_XP_,"Documents and Settings\All Users\Application Data\AVG\Antivirus\report\**",
AVG,AVG_FileInfo_DB,"ProgramData\AVG\Antivirus\**\FileInfo2.db",
AVG,AVG_Persistent_Logs,"ProgramData\AVG\Persistent Data\Antivirus\Logs\**",
AVG,AVG_Report_Logs,"ProgramData\AVG\Antivirus\report\**",
AVG,AVG_lsdbj2_JSON,"ProgramData\AVG\Antivirus\lsdb2.json",
AceText,AceText_Clipboard_History,"Users\*\Documents\*.atc",
AcronisTrueImage,Acronis_True_Image_Database_Files,"ProgramData\Acronis\TrueImageHome\Database\archives.db*",
AcronisTrueImage,Acronis_True_Image_Logs,"ProgramData\Acronis\TrueImageHome\Logs\ti_demon\*",
AcronisTrueImage,Acronis_True_Image_Scripts_Folder,"ProgramData\Acronis\TrueImageHome\Scripts\*",
Action1,Action1_Client_Application_logs,"Windows\Action1\logs\*.log",
ActiveDirectoryNTDS,NTDS,"Windows\NTDS\**",
ActiveDirectorySysvol,SYSVOL,"Windows\SYSVOL\**",
AdvancedIPScanner,Advanced_IP_Scanner_Aliases,"**\advanced_ip_scanner_Aliases.bin",
AdvancedIPScanner,Advanced_IP_Scanner_Comments,"**\advanced_ip_scanner_Comments.bin",
AdvancedIPScanner,Advanced_IP_Scanner_MAC,"**\advanced_ip_scanner_MAC.bin",
AdvancedPortScanner,Advanced_Port_Scanner_Aliases,"**\advanced_port_scanner_Aliases.bin",
AdvancedPortScanner,Advanced_Port_Scanner_Comments,"**\advanced_port_scanner_Comments.bin",
AdvancedPortScanner,Advanced_Port_Scanner_MAC,"**\advanced_port_scanner_MAC.bin",
AgentRansack,Agent_Ransack_Config_Logs,"Users\*\AppData\Roaming\Mythicsoft\AgentRansack\config\**",
AgentRansack,Agent_Ransack_CrashReports_Logs,"Users\*\AppData\Roaming\Mythicsoft\AgentRansack\CrashReports\**",
AgentRansack,Agent_Ransack_IndexLog_Logs,"Users\*\AppData\Roaming\Mythicsoft\AgentRansack\IndexLog\**",
AgentRansack,Agent_Ransack_Logs,"Users\*\AppData\Roaming\Mythicsoft\AgentRansack\logs\**",
Amcache,Amcache,"Windows.old\Windows\AppCompat\Programs\Amcache.hve",
Amcache,Amcache,"Windows\AppCompat\Programs\Amcache.hve",
Amcache,Amcache_transaction_files,"Windows.old\Windows\AppCompat\Programs\Amcache.hve.LOG*",
Amcache,Amcache_transaction_files,"Windows\AppCompat\Programs\Amcache.hve.LOG*",
Ammyy,Ammyy_Program_Data,"ProgramData\Ammyy\**",
Antivirus,AVG,"",AVG
Antivirus,Avast,"",Avast
Antivirus,Avira,"",AviraAVLogs
Antivirus,Bitdefender,"",Bitdefender
Antivirus,ComboFix,"",ComboFix
Antivirus,CrowdStrikeFalcon,"",CrowdStrikeFalcon
Antivirus,Cybereason,"",Cybereason
Antivirus,Cylance,"",Cylance
Antivirus,ESET,"",ESET
Antivirus,Emsisoft,"",Emsisoft
Antivirus,FSecure,"",FSecure
Antivirus,HitmanPro,"",HitmanPro
Antivirus,Malwarebytes,"",Malwarebytes
Antivirus,McAfee,"",McAfee
Antivirus,McAfee_ePO,"",McAfee_ePO
Antivirus,Microsoft_Safety_Scanner,"",MicrosoftSafetyScanner
Antivirus,RogueKiller,"",RogueKiller
Antivirus,SUPERAntiSpyware,"",SUPERAntiSpyware
Antivirus,SecureAge,"",SecureAge
Antivirus,SentinelOne,"",SentinelOne
Antivirus,Sophos,"",Sophos
Antivirus,Symantec,"",Symantec_AV_Logs
Antivirus,TotalAV,"",TotalAV
Antivirus,TrendMicro,"",TrendMicro
Antivirus,VIPRE,"",VIPRE
Antivirus,Webroot,"",Webroot
Antivirus,Windows_Defender,"",WindowsDefender
AnyDesk,AnyDesk_Chat_Logs_User_Profile,"Users\*\AppData\Roaming\AnyDesk\chat\*.txt",
AnyDesk,AnyDesk_File_Transfer_Logs_Installed_as_a_Service,"ProgramData\AnyDesk\file_transfer_trace.txt",
AnyDesk,AnyDesk_File_Transfer_Logs_Running_in_portable_mode,"Users\*\AppData\Roaming\AnyDesk\file_transfer_trace.txt",
AnyDesk,AnyDesk_Logs_ProgramData_conf,"ProgramData\AnyDesk\*.conf",
AnyDesk,AnyDesk_Logs_ProgramData_connection_trace_txt,"ProgramData\AnyDesk\connection_trace.txt",
AnyDesk,AnyDesk_Logs_ProgramData_trace,"ProgramData\AnyDesk\*.trace",
AnyDesk,AnyDesk_Logs_System_User_Account,"Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*",
AnyDesk,AnyDesk_Logs_User_Profile_conf,"Users\*\AppData\Roaming\AnyDesk\*.conf",
AnyDesk,AnyDesk_Logs_User_Profile_connection_trace_txt,"Users\*\AppData\Roaming\AnyDesk\connection_trace.txt",
AnyDesk,AnyDesk_Logs_User_Profile_trace,"Users\*\AppData\Roaming\AnyDesk\*.trace",
AnyDesk,AnyDesk_Videos,"Users\*\Videos\AnyDesk\*.anydesk",
ApacheAccessLog,Apache_Access_Log,"**\access.log",
AppCompatPCA,AppCompat_PCA_Folder,"Windows\appcompat\pca\*",
AppData,AppData,"Users\*\AppData\**",
AppXPackages,AppRepository_for_AppX,"ProgramData\Microsoft\Windows\AppRepository\Packages\**\StateRepository-*.srd",
AppXPackages,ProgramData_Packages_for_AppX,"ProgramData\Packages\**",
AppXPackages,SystemApps_for_AppX,"Windows\SystemApps\**",
AppXPackages,UserSpecificPackages_for_AppX,"Users\*\AppData\Local\Packages\**",
AppXPackages,WindowsApps_for_AppX,"Program Files\WindowsApps\Deleted*\**",
ApplicationEvents,Application_Event_Log_Win7_,"Windows\System32\winevt\logs\application.evtx",
ApplicationEvents,Application_Event_Log_Win7_,"Windows.old\Windows\System32\winevt\logs\application.evtx",
ApplicationEvents,Application_Event_Log_XP,"Windows\System32\config\AppEvent.evt",
ApplicationEvents,Application_Event_Log_XP,"Windows.old\Windows\System32\config\AppEvent.evt",
Arc,Arc_Bookmarks,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Bookmarks*",
Arc,Arc_Cookies,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network\Cookies*",
Arc,Arc_Favicons,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Favicons*",
Arc,Arc_History,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\History*",
Arc,Arc_JSON_Files,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\Storable*.json",
Arc,Arc_Login_Data,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Login Data*",
Arc,Arc_Network_Action_Predictor,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network Action Predictor",
Arc,Arc_PLIST_Files,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\com*.plist",
Arc,Arc_Preferences,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Preferences",
Arc,Arc_Sessions_Folder,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sessions\*",
Arc,Arc_Shortcuts,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Shortcuts*",
Arc,Arc_SyncData_Database,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sync Data\**",
Arc,Arc_Top_Sites,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Top Sites*",
Arc,Arc_Visited_Links,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Visited Links",
Arc,Arc_Web_Data,"Users\*\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Web Data*",
AsperaConnect,Aspera_Client_Logs,"Users\*\AppData\Local\Aspera\Aspera Connect\var\log\**\*.log",
AsperaConnect,Aspera_Server_Logs,"Users\*\.aspera\connect\var\log\**\*.log",
AteraAgent,AteraAgent_Logs,"Program Files\ATERA Networks\AteraAgent\**\*.txt",
AteraAgent,AteraAgent_Logs,"Program Files\ATERA Networks\AteraAgent\**\*.db",
AteraAgent,AteraAgent_Logs,"Program Files\ATERA Networks\AteraAgent\**\*.config",
AteraAgent,AteraAgent_Logs,"Program Files\ATERA Networks\AteraAgent\**\*.cfg",
AteraAgent,AteraAgent_ini_files,"Program Files\ATERA Networks\AteraAgent\**\*.ini",
Avast,Avast_AV_Index,"ProgramData\Avast Software\Avast\Chest\index.xml",
Avast,Avast_AV_Logs,"ProgramData\Avast Software\Avast\Log\**",
Avast,Avast_AV_Logs_XP_,"Documents And Settings\All Users\Application Data\Avast Software\Avast\Log\**",
Avast,Avast_AV_User_Logs,"Users\*\Avast Software\Avast\Log\**",
Avast,Avast_Icarus_Logs,"ProgramData\Avast Software\Icarus\Logs\**",
Avast,Avast_Persistent_Data_Logs,"ProgramData\Avast Software\Persistent Data\Avast\Logs\**",
AviraAVLogs,Avira_Activity_Logs,"ProgramData\Avira\Antivirus\LOGFILES\**",
AviraAVLogs,Avira_Security_Logs,"ProgramData\Avira\Security\Logs\**",
AviraAVLogs,Avira_VPN_Logs,"ProgramData\Avira\VPN\**",
BCD,BCD,"Boot\BCD",
BCD,BCD_Logs,"Boot\BCD.LOG*",
BITS,BITS_files,"ProgramData\Microsoft\Network\Downloader\**",
BitTorrent,TorrentClients_BitTorrent,"Users\*\AppData\Roaming\BitTorrent\*.dat",
Bitdefender,Bitdefender_Endpoint_Security_Logs,"ProgramData\Bitdefender\Endpoint Security\Logs\**",
Bitdefender,Bitdefender_Internet_Security_Logs,"ProgramData\Bitdefender\Desktop\Profiles\Logs\**",
Bitdefender,Bitdefender_SQLite_DB_Files,"Program Files*\Bitdefender*\**\*.{db,db-wal,db-shm}",
BoxDrive_Metadata,Box_Drive_Application_Metadata,"Users\*\AppData\Local\Box\Box\**",
BoxDrive_Metadata,Box_Sync_Application_Metadata,"Users\*\AppData\Local\Box Sync\**",
BoxDrive_UserFiles,Box_Drive_User_Files,"Users\*\Box\**",
BoxDrive_UserFiles,Box_Sync_User_Files,"Users\*\Box Sync\**",
BraveBrowser,Bookmarks,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Bookmarks*",
BraveBrowser,Cookies,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Cookies*",
BraveBrowser,Current_Session,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Session",
BraveBrowser,Current_Tabs,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Tabs",
BraveBrowser,Download_Metadata,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\DownloadMetadata",
BraveBrowser,Favicons,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Favicons*",
BraveBrowser,History,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\History*",
BraveBrowser,Login_Data,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Login Data",
BraveBrowser,Network_Action_Predictor,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Action Predictor",
BraveBrowser,Network_Persistent_State,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Persistent State",
BraveBrowser,Preferences,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Preferences",
BraveBrowser,Publisher_Info_DB_Brave_Rewards,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\publisher_info_db*",
BraveBrowser,Quota_Manager,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\QuotaManager",
BraveBrowser,Reporting_and_NEL,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Reporting and NEL",
BraveBrowser,Secure_Preferences,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Secure Preferences*",
BraveBrowser,Sessions_Folder,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\*",
BraveBrowser,Shortcuts,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Shortcuts*",
BraveBrowser,Top_Sites,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Top Sites*",
BraveBrowser,Visited_Links,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Visited Links*",
BraveBrowser,Web_Data,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Web Data*",
BrowserCache,Brave_Cache_Folder,"Users\*\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data\**",
BrowserCache,Chrome_Cache_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\*\Cache\**",
BrowserCache,Chromium_Edge_Cache_Folder,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cache\**",
BrowserCache,Edge_WebcacheV01_dat,"Users\*\AppData\Local\Microsoft\Windows\WebCache\*",
BrowserCache,Firefox_Cache_Folder,"Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\**",
BrowserCache,IE_11_Cache,"Users\*\AppData\Local\Microsoft\Windows\INetCache\**",
BrowserCache,IE_9_10_Cache,"Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\**",
BrowserCache,IE_Index_dat_temp_internet_files,"Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat",
CapabilityAccessManager,Capability_Access_Manager_database,"ProgramData\Microsoft\Windows\CapabilityAccessManager\CapabilityAccessManager.db",
CertUtil,INetCache,"Users\*\AppData\Local\Microsoft\Windows\INetCache\IE\**",
CertUtil,System_CryptnetUrlCache,"Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**",
CertUtil,System_WOW64_CryptnetUrlCache,"Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\**",
CertUtil,User_CryptnetUrlCache,"Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\**",
ChatGPT,ChatGPT_Settings_File,"Users\*\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\Settings\settings.dat",
ChatGPT,ChromeCache,"Users\*\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\LocalCache\Roaming\ChatGPT\Cache\**",
ChatGPT,Helium_Registry_Hives,"Users\*\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\SystemAppData\Helium\*.dat",
ChatGPT,IndexedDB,"Users\*\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\LocalCache\Roaming\ChatGPT\IndexedDB\https_chatgpt.com_0.indexeddb.leveldb\*",
ChatGPT,LevelDB,"Users\*\AppData\Local\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\LocalCache\Roaming\ChatGPT\Local Storage\leveldb\*",
Chrome,Chrome_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\**\Cookies*",
Chrome,Chrome_Cookies_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*",
Chrome,Chrome_Current_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session",
Chrome,Chrome_Current_Session_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session",
Chrome,Chrome_Current_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs",
Chrome,Chrome_Current_Tabs_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs",
Chrome,Chrome_Download_Metadata,"Users\*\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata",
Chrome,Chrome_Extension_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies",
Chrome,Chrome_Favicons,"Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*",
Chrome,Chrome_Favicons_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*",
Chrome,Chrome_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\History*",
Chrome,Chrome_History_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*",
Chrome,Chrome_Last_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session",
Chrome,Chrome_Last_Session_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session",
Chrome,Chrome_Last_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs",
Chrome,Chrome_Last_Tabs_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs",
Chrome,Chrome_Login_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data",
Chrome,Chrome_Login_Data_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data",
Chrome,Chrome_Media_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*",
Chrome,Chrome_Network_Action_Predictor,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor",
Chrome,Chrome_Network_Persistent_State,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State",
Chrome,Chrome_Preferences,"Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences",
Chrome,Chrome_Preferences_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences",
Chrome,Chrome_Quota_Manager,"Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager",
Chrome,Chrome_Reporting_and_NEL,"Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL",
Chrome,Chrome_Sessions_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*",
Chrome,Chrome_Shortcuts,"Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*",
Chrome,Chrome_Shortcuts_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*",
Chrome,Chrome_Snapshots_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\Snapshots\*\**",
Chrome,Chrome_SyncData_Database,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3",
Chrome,Chrome_Top_Sites,"Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*",
Chrome,Chrome_Top_Sites_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*",
Chrome,Chrome_Trust_Tokens,"Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*",
Chrome,Chrome_Visited_Links,"Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links",
Chrome,Chrome_Visited_Links_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links",
Chrome,Chrome_Web_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*",
Chrome,Chrome_Web_Data_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*",
Chrome,Chrome_bookmarks,"Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*",
Chrome,Chrome_bookmarks_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*",
ChromeExtensions,Chrome_Extension_Files,"Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\**",
ChromeExtensions,Chrome_Extension_Files_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\**",
ChromeFileSystem,Chrome_HTML5_File_System_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\*\File System\**",
Chrome,SYSTEM_Chrome_History,"Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*\History*",
Chrome,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
CiscoJabber,Cisco_Jabber_Database,"Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db",
ClipboardMaster,ClipboardMaster_Clipboard_History_Backups,"Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4.ba*",
ClipboardMaster,ClipboardMaster_Clipboard_History_Images,"Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\**",
ClipboardMaster,ClipboardMaster_Clipboard_History_Text,"Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\Clipboard.clm4",
CloudStorage_All,Box_User_Files,"",BoxDrive_UserFiles
CloudStorage_All,CloudStorage_Metadata,"",CloudStorage_Metadata
CloudStorage_All,Dropbox_User_Files,"",Dropbox_UserFiles
CloudStorage_All,Google_Drive_Backup_and_Sync_User_Files,"",GoogleDriveBackupSync_UserFiles
CloudStorage_All,Idrive_Backup,"",Idrive
CloudStorage_All,OneDrive_User_Files,"",OneDrive_UserFiles
CloudStorage_All,SugarSync,"",SugarSync
CloudStorage_All,pCloudDatabase,"",pCloudDatabase
CloudStorage_Metadata,Box_Metadata,"",BoxDrive_Metadata
CloudStorage_Metadata,Dropbox_Metadata,"",Dropbox_Metadata
CloudStorage_Metadata,FreeFileSync,"",FreeFileSync
CloudStorage_Metadata,Google_Drive_Metadata,"",GoogleDrive_Metadata
CloudStorage_Metadata,MegaSync_Data_Collection,"",Megasync
CloudStorage_Metadata,OneDrive_Metadata,"",OneDrive_Metadata
CloudStorage_Metadata,Rclone_Conf_File,"",RcloneConf
CloudStorage_OneDriveExplorer,OneDrive_Metadata,"",OneDrive_Metadata
CloudStorage_OneDriveExplorer,Recycle_Bin_DataAndInfo,"",RecycleBin
CloudStorage_OneDriveExplorer,User_Related_Registry_hives,"",RegistryHivesUser
CocCoc,CocCoc_Bookmarks,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Bookmarks*",
CocCoc,CocCoc_Cookies,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\**\Cookies*",
CocCoc,CocCoc_Current_Session,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Current Session",
CocCoc,CocCoc_Current_Tabs,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Current Tabs",
CocCoc,CocCoc_Download_Metadata,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\DownloadMetadata",
CocCoc,CocCoc_Extension_Cookies,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Extension Cookies",
CocCoc,CocCoc_Favicons,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Favicons*",
CocCoc,CocCoc_History,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\History*",
CocCoc,CocCoc_Last_Session,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Last Session",
CocCoc,CocCoc_Last_Tabs,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Last Tabs",
CocCoc,CocCoc_Login_Data,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Login Data*",
CocCoc,CocCoc_Media_History,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Media History*",
CocCoc,CocCoc_Network_Action_Predictor,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Network Action Predictor",
CocCoc,CocCoc_Network_Persistent_State,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Network Persistent State",
CocCoc,CocCoc_Preferences,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Preferences",
CocCoc,CocCoc_Quota_Manager,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\QuotaManager",
CocCoc,CocCoc_Reporting_and_NEL,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Reporting and NEL",
CocCoc,CocCoc_Sessions_Folder,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Sessions\*",
CocCoc,CocCoc_Shortcuts,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Shortcuts*",
CocCoc,CocCoc_Snapshots_Folder,"Users\*\AppData\Local\CocCoc\Browser\User Data\Snapshots\*\**",
CocCoc,CocCoc_SyncData_Database,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Sync Data\**",
CocCoc,CocCoc_Top_Sites,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Top Sites*",
CocCoc,CocCoc_Trust_Tokens,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Trust Tokens*",
CocCoc,CocCoc_Visited_Links,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Visited Links",
CocCoc,CocCoc_Web_Data,"Users\*\AppData\Local\CocCoc\Browser\User Data\*\Web Data*",
CocCoc,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
CombinedLogs,Event_Trace_Logs,"",EventTraceLogs
CombinedLogs,PowerShell_Console_Log,"",PowerShellConsole
CombinedLogs,PowerShell_Transcripts,"",PowerShellTranscripts
CombinedLogs,USBDevicesLogs,"",USBDevicesLogs
CombinedLogs,Windows_Event_Logs,"",EventLogs
CombinedLogs,Windows_Firewall_Log,"",WindowsFirewall
CombinedLogs,_NET_CLR_UsageLogs,"",NETCLRUsageLogs
Combofix,ComboFix,"ComboFix.txt",
ConfluenceLogs,Confluence_Wiki_Log_Files,"Program Files\Atlassian\Confluence\logs\*.log",
ConfluenceLogs,Confluence_Wiki_Log_Files,"Atlassian\Application Data\Confluence\logs\*.log*",
CrowdStrikeFalcon,CrowdStrike_Falcon_Quarantined_File,"Windows\System32\Drivers\CrowdStrike\Quarantine\**",
Cybereason,Cybereason_Anti_Ransomware_Logs,"ProgramData\crs1\Logs\**",
Cybereason,Cybereason_Application_Control_and_NGAV_Logs,"ProgramData\crb1\Logs\**",
Cybereason,Cybereason_Sensor_Communications_and_Anti_Malware_Logs,"ProgramData\apv2\Logs\**",
Cylance,Cylance_Optics_Logs,"ProgramData\Cylance\Optics\Log\**",
Cylance,Cylance_ProgramData_Logs,"ProgramData\Cylance\Desktop\**",
Cylance,Cylance_Program_Files_Logs,"Program Files\Cylance\Desktop\log\**",
DC_,DC_Chat_Logs,"Users\*\AppData\Local\DC++\Logs\**",
DWAgent,DWAgent_Log_Files,"ProgramData\DWAgent*\*.log*",
Debian,Debian_WSL_Apt_Logs,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt\**\*.log",
Debian,Debian_WSL_User_Crontabs,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs\**",
Debian,Debian_WSL_bash_history,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**\.bash_history",
Debian,Debian_WSL_bashrc,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**\.bashrc",
Debian,Debian_WSL_etc_bash_bashrc,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\bash.bashrc",
Debian,Debian_WSL_etc_crontab,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\crontab",
Debian,Debian_WSL_etc_debian_version,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\debian_version",
Debian,Debian_WSL_etc_fstab,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\fstab",
Debian,Debian_WSL_etc_group,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\group",
Debian,Debian_WSL_etc_hostname,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hostname",
Debian,Debian_WSL_etc_hosts,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\hosts",
Debian,Debian_WSL_etc_os_release,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\os-release",
Debian,Debian_WSL_etc_passwd,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\passwd",
Debian,Debian_WSL_etc_profile,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\profile",
Debian,Debian_WSL_etc_shadow,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\shadow",
Debian,Debian_WSL_etc_timezone,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc\timezone",
Debian,Debian_WSL_ext4_vhdx,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\ext4.vhdx",
Debian,Debian_WSL_profile,"Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\**\.profile",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Roaming\GPSoftware\Directory Opus\Logs\*",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd",
DirectoryOpus,Directory_Opus,"Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd",
DirectoryTraversal_AudioFiles,Audio_files,"**\*.{3gp,aa,aac,act,aiff,alac,amr,ape,au,awb,dss,dvf,flac,gsm,iklax,ivs,m4a,m4b,m4p,mmf,mp3,mpc,msv,nmf,ogg,oga,mogg,opus,ra,rm,raw,rf64,sln,tta,voc,vox,wav,wma,wv,webm}",
DirectoryTraversal_ExcelDocuments,Excel_and_Excel_like_Documents,"**\*.{xls,xlsx,csv,tsv,xlt,xlm,xlsm,xltx,xltm,xlsb,xla,xlam,xll,xlw,ods,fodp,qpw}",
DirectoryTraversal_PDFDocuments,PDF_and_PDF_like_Documents,"**\*.{pdf,xps,oxps}",
DirectoryTraversal_PictureFiles,Picture_files,"**\*.{ai,bmp,bpg,cdr,cpc,eps,exr,flif,gif,heif,ilbm,ima,jp2,j2k,jpf,jpm,jpg2,j2c,jpc,jpx,mj2jpeg,jpg,jxl,kra,ora,pcx,pgf,pgm,png,pnm,ppm,psb,psd,psp,svg,tga,tiff,webp,xaml,xcf}",
DirectoryTraversal_SQLiteDatabases,SQLite_Files_db_and_sqlite_,"**\*.{db,sqlite}*)",
DirectoryTraversal_VideoFiles,Video_files,"**\*.{3g2,3gp,amv,asf,avi,drc,flv,f4v,f4p,f4a,f4b,gif,gifv,m4v,mkv,mov,qt,mp4,m4p,mpg,mpeg,m2v,mp2,mpe,mpv,mts,m2ts,ts,mxf,nsv,ogv,ogg,rm,rmvb,roq,svi,viv,vob,webm,wmv,yuv}",
DirectoryTraversal_WildCardExample,Zips,"**\*.zip",
DirectoryTraversal_WordDocuments,Word_and_Word_like_Documents,"**\*.{doc,docx,docm,dotx,dotm,docb,dot,wbk,odt,fodt,rtf,wp*,tmd}",
Discord,Discord_Cache_Files,"Users\*\AppData\Roaming\discord\cache\**",
Discord,Discord_Local_Storage_LevelDB_Files,"Users\*\AppData\Roaming\discord\local storage\leveldb\**",
DoubleCommander,Double_Commander_FTP_Log,"Users\*\AppData\Roaming\doublecmd\doublecmd*.log",
DoubleCommander,Double_Commander_doublecmd_xml,"Users\*\AppData\Roaming\doublecmd\doublecmd.xml",
DoubleCommander,Double_Commander_history_xml,"Users\*\AppData\Roaming\doublecmd\history.xml",
DoubleCommander,Double_Commander_multiarc_ini,"Users\*\AppData\Roaming\doublecmd\multiarc.ini",
DoubleCommander,Double_Commander_pixmaps_txt,"Users\*\AppData\Roaming\doublecmd\pixmaps.txt",
DoubleCommander,Double_Commander_session_ini,"Users\*\AppData\Roaming\doublecmd\session.ini",
DoubleCommander,Double_Commander_shortcuts_scf,"Users\*\AppData\Roaming\doublecmd\shortcuts.scf",
Drivers,Drivers,"Windows\system32\drivers\**\*.sys",
Dropbox_Metadata,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\machine_storage\tray-thumbnails.db",
Dropbox_Metadata,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\instance*\**",
Dropbox_Metadata,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\host.db",
Dropbox_Metadata,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\info.json",
Dropbox_Metadata,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\host.dbx",
Dropbox_Metadata,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
Dropbox_UserFiles,Dropbox_User_Files,"Users\*\Dropbox*\**",
EFCommander,EF_Commander_ini_File,"Users\*\AppData\Roaming\EFSoftware\*",
ESET,ESET_NOD32_AV_Logs,"ProgramData\ESET\ESET Security\Logs\**",
ESET,ESET_NOD32_AV_Logs,"ProgramData\ESET\ESET NOD32 Antivirus\Logs\**",
ESET,ESET_NOD32_AV_Logs_XP_,"Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\**",
ESET,ESET_Remote_Administrator_Logs,"ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\*",
ESET,Local_User_Quarantine,"Users\*\AppData\Local\ESET\ESET Security\Quarantine\**",
ESET,SYSTEM_user_quarantine,"Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\**",
EdgeChromium,Edge_Bookmarks,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*",
EdgeChromium,Edge_Collections,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite",
EdgeChromium,Edge_Cookies,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network\Cookies*",
EdgeChromium,Edge_Current_Session,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session",
EdgeChromium,Edge_Current_Tabs,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs",
EdgeChromium,Edge_Favicons,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*",
EdgeChromium,Edge_History,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*",
EdgeChromium,Edge_Last_Session,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session",
EdgeChromium,Edge_Last_Tabs,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs",
EdgeChromium,Edge_Login_Data,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data",
EdgeChromium,Edge_Media_History,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*",
EdgeChromium,Edge_Network_Action_Predictor,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor",
EdgeChromium,Edge_Preferences,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences",
EdgeChromium,Edge_Sessions_Folder,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sessions\*",
EdgeChromium,Edge_Shortcuts,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*",
EdgeChromium,Edge_Snapshots_Folder,"Users\*\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\**",
EdgeChromium,Edge_SyncData_Database,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3",
EdgeChromium,Edge_Top_Sites,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*",
EdgeChromium,Edge_Visited_Links,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links",
EdgeChromium,Edge_WebAssistDatabase,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\WebAssistDatabase*",
EdgeChromium,Edge_Web_Data,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*",
EdgeChromiumExtensions,Edge_Chromium_Extension_Files,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\**",
EdgeChromium,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
Edge,Edge_folder,"Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**",
Emsisoft,Emsisoft_Scan_Logs,"ProgramData\Emsisoft\Reports\scan*.txt",
EncapsulationLogging,EncapsulationLogging,"Windows\Appcompat\Programs\EncapsulationLogging.hve",
EncapsulationLogging,EncapsulationLogging,"Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve",
EncapsulationLogging,EncapsulationLogging_Logs,"Windows.old\Windows\Appcompat\Programs\EncapsulationLogging.hve.log*",
EncapsulationLogging,EncapsulationLogging_Logs,"Windows\Appcompat\Programs\EncapsulationLogging.hve.log*",
EventLogs,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\logs\*.evtx",
EventLogs,Event_logs_Win7_,"Windows\System32\winevt\logs\*.evtx",
EventLogs,Event_logs_XP,"Windows\System32\config\*.evt",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\Logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\logs\Security.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\logs\Security.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\logs\System.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\logs\System.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx",
EventLogs_RDP,Event_logs_Win7_,"Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx",
EventTraceLogs,Delivery_Optimization_Trace_Logs,"Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\*.etl*",
EventTraceLogs,Energy_NTKL_Trace_Logs,"ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl",
EventTraceLogs,SleepStudy_Trace_Logs,"Windows\System32\SleepStudy\**",
EventTraceLogs,SleepStudy_Trace_Logs,"Windows.old\Windows\System32\SleepStudy\**",
EventTraceLogs,WDI_Trace_Logs_1,"Windows\System32\WDI\LogFiles\*.etl*",
EventTraceLogs,WDI_Trace_Logs_1,"Windows.old\Windows\System32\WDI\LogFiles\*.etl*",
EventTraceLogs,WDI_Trace_Logs_2,"Windows\System32\WDI\{*\**",
EventTraceLogs,WDI_Trace_Logs_2,"Windows.old\Windows\System32\WDI\{*\**",
EventTraceLogs,WMI_Trace_Logs,"Windows.old\Windows\System32\LogFiles\WMI\**",
EventTraceLogs,WMI_Trace_Logs,"Windows\System32\LogFiles\WMI\**",
EventTranscriptDB,EventTranscript_db,"Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*",
EventTranscriptDB,EventTranscript_db,"ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*",
EventTranscriptDB,Microsoft_Office_Diagnostic_Logs,"Users\*\AppData\Local\Temp\Diagnostics\**",
Evernote,Evernote_Accounts,"Users\*\AppData\Local\Evernote\Evernote\Databases\**\.accounts",
Evernote,Evernote_Notebook_Snippets,"Users\*\AppData\Local\Evernote\Evernote\Databases\**\*.exb.snippets",
Evernote,Evernote_Notebooks,"Users\*\AppData\Local\Evernote\Evernote\Databases\**\*.exb",
Everything_VoidTools_,Everything_VoidTools_,"Users\*\AppData\Local\Everything\Everything.db",
Everything_VoidTools_,Everything_VoidTools_Run_History,"Users\*\AppData\Roaming\Everything\Run History.csv",
Everything_VoidTools_,Everything_VoidTools_Search_History,"Users\*\AppData\Roaming\Everything\Search History.csv",
Everything_VoidTools_,Everything_VoidTools_ini_file,"Users\*\AppData\Roaming\Everything\Everything.ini",
EvidenceOfExecution,Amcache,"",Amcache
EvidenceOfExecution,AppCompatPCA,"",AppCompatPCA
EvidenceOfExecution,Prefetch,"",Prefetch
EvidenceOfExecution,RecentFileCache,"",RecentFileCache
EvidenceOfExecution,Syscache,"",Syscache
ExchangeClientAccess,Exchange_client_access_log_files,"Program Files\Microsoft\Exchange Server\*\Logging\**\*.log",
ExchangeCve_2021_26855,Exchange_Server_Modified_Compiled_Files,"Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\**\*.compiled",
ExchangeCve_2021_26855,Exchange_Server_Modified_Compiled_Files,"inetpub\wwwroot\aspnet_client\system_web\**\*.compiled",
ExchangeCve_2021_26855,Exchange_Server_Modified_Compiled_Files,"Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\**\*.compiled",
ExchangeCve_2021_26855,Exchange_Server_Modified_Compiled_Files,"inetpub\wwwroot\aspnet_client\**\*.compiled",
Exchange,Exchange_Setup_log_file,"",ExchangeSetupLog
Exchange,Exchange_TransportRoles_log_files,"",ExchangeTransport
Exchange,Exchange_client_access_log_files,"",ExchangeClientAccess
ExchangeSetupLog,Exchange_Setup_Log_file,"ExchangeSetupLogs\ExchangeSetup.log",
ExchangeTransport,Exchange_TransportRoles_log_files,"Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\**\*.log",
FSecure,F_Secure_Logs,"ProgramData\F-Secure\Log\**",
FSecure,F_Secure_Scheduled_Scan_Reports,"ProgramData\F-Secure\Antivirus\ScheduledScanReports\**",
FSecure,F_Secure_User_Logs,"Users\*\AppData\Local\F-Secure\Log\**",
FTPClients,FileZilla_Client,"",FileZillaClient
FTPClients,FileZilla_Server,"",FileZillaServer
FTPClients,Robo_FTP,"",Robo_FTP
FTPClients,WinSCP,"",WinSCP
FastStoneImageViewer,FastStone_Image_Viewer_FSIV_,"Users\*\AppData\Local\FastStone\FSIV\FSIV.db",
Fences,Fences_Desktop_Screenshots,"Users\*\AppData\Roaming\Stardock\Fences\Backups\*",
FileExplorerReplacements,Directory_Opus,"",DirectoryOpus
FileExplorerReplacements,Double_Commander,"",DoubleCommander
FileExplorerReplacements,EF_Commander,"",EFCommander
FileExplorerReplacements,FreeCommander_XE,"",FreeCommander
FileExplorerReplacements,Midnight_Commander,"",MidnightCommander
FileExplorerReplacements,Multi_Commander,"",MultiCommander
FileExplorerReplacements,One_Commander,"",OneCommander
FileExplorerReplacements,Q_Dir,"",Q_Dir
FileExplorerReplacements,SpeedCommander,"",SpeedCommander
FileExplorerReplacements,Tablacus_Explorer,"",TablacusExplorer
FileExplorerReplacements,Total_Commander,"",TotalCommander
FileExplorerReplacements,XYplorer,"",XYplorer
FileSystem,_Boot,"",_Boot
FileSystem,_J,"",_J
FileSystem,_LogFile,"",_LogFile
FileSystem,_MFT,"",_MFT
FileSystem,_SDS,"",_SDS
FileSystem,_T,"",_T
FileZillaClient,FileZilla_SQLite3_Log_Files,"Users\*\AppData\Roaming\FileZilla\*.sqlite3*",
FileZillaClient,FileZilla_XML_Log_Files,"Users\*\AppData\Roaming\FileZilla\*.xml*",
FileZillaServer,FileZilla_Log_Files,"Program Files (x86)\FileZilla Server\Logs\*.log*",
FileZillaServer,FileZilla_Server_XML_Log_Files,"Users\*\AppData\Roaming\FileZilla Server\*.xml*",
Firefox,Addons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*",
Firefox,Addons_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*",
Firefox,Bookmarks,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\**",
Firefox,Bookmarks,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*",
Firefox,Cookies,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*",
Firefox,Cookies,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*",
Firefox,Cookies_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*",
Firefox,Downloads,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*",
Firefox,Downloads_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*",
Firefox,Extensions,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json",
Firefox,Favicons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*",
Firefox,Favicons_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*",
Firefox,Form_history,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*",
Firefox,Form_history_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*",
Firefox,Password,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signon*.*",
Firefox,Password,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json",
Firefox,Password,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db",
Firefox,Password_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db",
Firefox,Password_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signon*.*",
Firefox,Password_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\logins.json",
Firefox,Permissions,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*",
Firefox,Places,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*",
Firefox,Places_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*",
Firefox,Preferences,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js",
Firefox,Protections,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*",
Firefox,Search,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*",
Firefox,Search_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*",
Firefox,Sessionstore,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore*",
Firefox,Sessionstore_Folder,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\**",
Firefox,Sessionstore_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore*",
Firefox,Signons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*",
Firefox,Signons_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*",
Firefox,Storage_Sync,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*",
Firefox,Webappstore,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*",
Firefox,Webappstore_XP,"Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*",
FreeCommander,Free_Commander_Backup_Settings,"Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\**",
FreeCommander,Free_Commander_FTP_Log,"Users\*\AppData\Local\Temp\fc*.log",
FreeCommander,Free_Commander_FTP_Related_Information,"Users\*\AppData\Local\Temp\FreeCommander*\**",
FreeCommander,Free_Commander_FreeCommander_fav_xml,"Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml",
FreeCommander,Free_Commander_FreeCommander_ftp_ini,"Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini",
FreeCommander,Free_Commander_FreeCommander_hist_ini,"Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini",
FreeCommander,Free_Commander_FreeCommander_ini,"Users\*\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini",
FreeDownloadManager,FDM_Backup_Info,"Users\*\AppData\Local\Free Download Manager\backup\backup.info",
FreeDownloadManager,FDM_Database,"Users\*\AppData\Local\Free Download Manager\**\fdm.sqlite",
FreeDownloadManager,FDM_Database_userdata_zip_,"Users\*\AppData\Local\Free Download Manager\backup\userdata.zip",
FreeFileSync,FreeFileSync,"Users\*\AppData\Roaming\FreeFileSync\Logs\*",
Freenet,Freenet,"Users\*\AppData\Local\Freenet\*.bak",
Freenet,Freenet,"Users\*\AppData\Local\Freenet\node*",
Freenet,Freenet,"Users\*\AppData\Local\Freenet\*completed.list.downloads",
Freenet,Freenet,"Users\*\AppData\Local\Freenet\*completed.list.uploads",
Freenet,Freenet,"Users\*\AppData\Local\Freenet\downloads\**",
FrostWire,FrostWire_AppData,"Users\*\.frostwire5\frostwire.props",
FrostWire,FrostWire_AppData,"Users\*\.frostwire5\itunes.props",
FrostWire,FrostWire_Downloads,"Users\*\Documents\FrostWire\Torrent Data\**",
Gigatribe,Gigatribe_Files_Windows_Vista_7_8_10,"Users\*\AppData\Local\Shalsoft\**",
Gigatribe,Gigatribe_Files_Windows_XP,"Documents and Settings\*\*\Application Data\Gigatribe\**",
Gigatribe,Gigatribe_Files_Windows_XP,"Documents and Settings\*\*\Application Data\Shalsoft\**",
GoogleDriveBackupSync_UserFiles,Google_Drive_Backup_and_Sync_User_Files,"Users\*\Google Drive*\**",
GoogleDrive_Metadata,Google_Drive_Backup_and_Sync_Metadata,"Users\*\AppData\Local\Google\Drive\**",
GoogleDrive_Metadata,Google_Drive_for_Desktop_Metadata,"Users\*\AppData\Local\Google\DriveFS\**",
GoogleEarth,Google_Earth_My_Places_Backup_file,"Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.backup.kml",
GoogleEarth,Google_Earth_My_Places_Backup_file_XP_,"Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.backup.kml",
GoogleEarth,Google_Earth_My_Places_file,"Users\*\AppData\LocalLow\Google\GoogleEarth\myplaces.kml",
GoogleEarth,Google_Earth_My_Places_file_XP_,"Documents and Settings\*\Application Data\Google\GoogleEarth\myplaces.kml",
GroupPolicy,Computer_Group_Policy_files,"ProgramData\Microsoft\Group Policy\History\**",
GroupPolicy,Group_Policy_Files,"Windows\System32\grouppolicy\**",
GroupPolicy,Local_Group_Policy_Files_Registry_Policy_Files,"Windows.old\Windows\System32\grouppolicy\*.pol",
GroupPolicy,Local_Group_Policy_Files_Registry_Policy_Files,"Windows\System32\grouppolicy\*.pol",
GroupPolicy,Local_Group_Policy_Files_Startup_Shutdown_Scripts,"Windows.old\Windows\System32\grouppolicy\*\Scripts\**",
GroupPolicy,Local_Group_Policy_Files_Startup_Shutdown_Scripts,"Windows\System32\grouppolicy\*\Scripts\**",
GroupPolicy,Local_Group_Policy_INI_Files,"Windows.old\Windows\System32\grouppolicy\*.ini",
GroupPolicy,User_Group_Policy_files,"Users\*\AppData\Local\Microsoft\Group Policy\History\**",
HeidiSQL,HeidiSQL_Backup_files_sql_,"Users\*\AppData\Roaming\HeidiSQL\Backups\*",
HeidiSQL,HeidiSQL_tabs_ini_,"Users\*\AppData\Roaming\HeidiSQL\tabs.ini",
HexChat,HexChat_Chat_Logs,"Users\*\AppData\Roaming\HexChat\logs\**",
HitmanPro,HitmanPro_Alert_Logs,"ProgramData\HitmanPro.Alert\Logs\**",
HitmanPro,HitmanPro_Database,"ProgramData\HitmanPro.Alert\excalibur.db",
HitmanPro,HitmanPro_Logs,"ProgramData\HitmanPro\Logs\**",
HitmanPro,HitmanPro_Quarantine,"ProgramData\HitmanPro\Quarantine\**",
HostsFile,HostsFile,"Windows\System32\drivers\etc\Hosts",
IDrive,IDrive_Backup_Operations,"ProgramData\IDrive\IBCOMMON\*\Session\Backup\**",
IDrive,IDrive_Backup_Schedule,"ProgramData\IDrive\IBCOMMON\schedule.xml",
IDrive,IDrive_Backup_Summary,"ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\*xml",
IDrive,IDrive_Cleanup_Operations,"ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\**",
IDrive,IDrive_Configuration,"ProgramData\IDrive\IBCOMMON\idrive.ini",
IDrive,IDrive_Delete_Operations,"ProgramData\IDrive\IBCOMMON\*\Session\Delete\**",
IDrive,IDrive_Exclusion_Configurations,"ProgramData\IDrive\IBCOMMON\Exclude*",
IDrive,IDrive_Local_Drives,"ProgramData\IDrive\IBCOMMON\get_Alldrives.txt",
IDrive,IDrive_Mapped_Drives,"ProgramData\IDrive\IBCOMMON\IDMappedDrives.txt",
IDrive,IDrive_Restore_Operations,"ProgramData\IDrive\IBCOMMON\*\Session\Restore\*",
IDrive,IDrive_SQL_Databse,"ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds",
IDrive,IDrive_Schedule_History,"ProgramData\IDrive\IBCOMMON\Sch_Trace.txt",
IDrive,IDrive_Tracefile,"ProgramData\IDrive\IBCOMMON\*\Tracefile.txt",
IDrive,IDrive_User_Details,"ProgramData\IDrive\IBCOMMON\AutoComp.ini",
IISConfiguration,IIS_administration_config,"Windows\System32\inetsrv\config\administration.config",
IISConfiguration,IIS_applicationHost_config,"Windows\System32\inetsrv\config\applicationHost.config",
IISConfiguration,IIS_redirection_config,"Windows\System32\inetsrv\config\redirection.config",
IISConfiguration,web_config,"inetpub\wwwroot\**\web.config",
IISLogFiles,IIS_log_files,"Windows.old\Windows\System32\LogFiles\W3SVC*\*.log",
IISLogFiles,IIS_log_files,"inetpub\logs\LogFiles\*.log",
IISLogFiles,IIS_log_files,"inetpub\logs\LogFiles\W3SVC*\*.log",
IISLogFiles,IIS_log_files,"Resources\Directory\*\LogFiles\Web\W3SVC*\*.log",
IISLogFiles,IIS_log_files,"Windows\system32\LogFiles\HTTPERR\*.log",
IISLogFiles,IIS_log_files,"Windows\System32\LogFiles\W3SVC*\*.log",
IRCClients,HexChat,"",HexChat
IRCClients,IceChat,"",IceChat
IRCClients,mIRC,"",mIRC
ISLOnline,ISLOnline_Logs_Session_Configurations,"Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\*",
ISLOnline,ISLOnline_Logs_Sessions_out,"Users\*\AppData\Local\ISL Online Cache\ISL Light Client\*\ISLClient.out",
ISLOnline,ISL_AlwaysOn_App_Logs,"Program Files (x86)\ISL Online\ISL AlwaysOn\*.out",
ISLOnline,ISL_AlwaysOn_Configuration,"Program Files (x86)\ISL Online\ISL AlwaysOn\StaticConfiguration.ini",
ISLOnline,ISL_AlwaysOn_Email_Configuration,"Program Files (x86)\ISL Online\ISL AlwaysOn\status\tray",
ISLOnline,ISL_AlwaysOn_Logs_Sessions,"Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\trace.out",
ISLOnline,ISL_AlwaysOn_Logs_Sessions_List,"Program Files (x86)\ISL Online\ISL AlwaysOn\session.xml",
ISLOnline,ISL_Light_Logs_Sessions,"Users\*\AppData\Local\ISL Online Cache\ISL Light\*\trace.out",
ITarian,Comodo,"Program Files\Comodo\Endpoint Manager\rmmlogs\*",
ITarian,ITarian,"Program Files (x86)\Comodo\Endpoint Manager\rmmlogs\*",
ITarian,ITarian,"Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\*",
ITarian,ITarian,"Program Files\ITarian\Endpoint Manager\rmmlogs\*",
IceChat,IceChat_Chat_Logs,"Users\*\AppData\Local\IceChat Networks\IceChat\Logs\**",
IconCacheDB,Windows_IconCache_DB,"Users\*\AppData\Local\IconCache.db",
ImgBurn,ImgBurn_Application_Log_File,"Users\*\AppData\Roaming\ImgBurn\Log Files\ImgBurn.log",
InternetExplorer,IE_11_Cookies,"Users\*\AppData\Local\Microsoft\Windows\INetCookies\**",
InternetExplorer,IE_11_Metadata,"Users\*\AppData\Local\Microsoft\Windows\WebCache\*",
InternetExplorer,IE_9_10_Cookies,"Users\*\AppData\Local\Microsoft\Windows\Cookies\**",
InternetExplorer,IE_9_10_Download_History,"Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\**",
InternetExplorer,IE_9_10_History,"Users\*\AppData\Local\Microsoft\Windows\History\**",
InternetExplorer,Index_dat_History,"Documents and Settings\*\Local Settings\History\History.IE5\index.dat",
InternetExplorer,Index_dat_History_subdirectory,"Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat",
InternetExplorer,Index_dat_Office,"Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat",
InternetExplorer,Index_dat_Office_XP,"Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat",
InternetExplorer,Index_dat_UserData,"Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat",
InternetExplorer,Index_dat_cookies,"Documents and Settings\*\Cookies\index.dat",
InternetExplorer,Local_Internet_Explorer_folder,"Users\*\AppData\Local\Microsoft\Internet Explorer\**",
InternetExplorer,Roaming_Internet_Explorer_folder,"Users\*\AppData\Roaming\Microsoft\Internet Explorer\**",
IrfanView,IrfanView_Configuration_File,"Users\*\AppData\Roaming\IrfanView\i_view32.ini",
JDownloader2,JDownloader_2_0_Download_Lists,"Users\*\AppData\Local\JDownloader 2.0\cfg\**\downloadList*.zip",
JDownloader2,JDownloader_2_0_General_Settings,"Users\*\AppData\Local\JDownloader 2.0\cfg\**\org.jdownloader.settings.GeneralSettings.json",
JDownloader2,JDownloader_2_0_Link_Collector,"Users\*\AppData\Local\JDownloader 2.0\cfg\**\linkcollector*.zip",
JDownloader2,JDownloader_2_0_Link_Grabber_Settings,"Users\*\AppData\Local\JDownloader 2.0\cfg\**\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json",
JDownloader2,JDownloader_2_0_Proxy_Settings,"Users\*\AppData\Local\JDownloader 2.0\cfg\**\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json",
JavaWebCache,Java_WebStart_Cache_System_level,"Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level,"Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_IE_Protected_Mode,"Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_IE_Protected_Mode,"Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_SysWow64_,"Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_SysWow64_,"Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_SysWow64_IE_Protected_Mode,"Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_System_level_SysWow64_IE_Protected_Mode,"Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_User_Level_Default,"Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_User_Level_IE_Protected_Mode,"Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx",
JavaWebCache,Java_WebStart_Cache_User_Level_XP,"Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx",
JumpLists,JumpLists_from_CustomDestinations,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\**",
JumpLists,JumpLists_from_CustomDestinations,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**",
Kali,Kali_WSL_Apt_Logs,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt\**\*.log",
Kali,Kali_WSL_User_Crontabs,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs\**",
Kali,Kali_WSL_bash_history,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**\.bash_history",
Kali,Kali_WSL_bashrc,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**\.bashrc",
Kali,Kali_WSL_etc_bash_bashrc,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\bash.bashrc",
Kali,Kali_WSL_etc_crontab,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\crontab",
Kali,Kali_WSL_etc_debian_version,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\debian_version",
Kali,Kali_WSL_etc_fstab,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\fstab",
Kali,Kali_WSL_etc_group,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\group",
Kali,Kali_WSL_etc_hostname,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hostname",
Kali,Kali_WSL_etc_hosts,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\hosts",
Kali,Kali_WSL_etc_os_release,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\os-release",
Kali,Kali_WSL_etc_passwd,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\passwd",
Kali,Kali_WSL_etc_profile,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\profile",
Kali,Kali_WSL_etc_shadow,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\shadow",
Kali,Kali_WSL_etc_timezone,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc\timezone",
Kali,Kali_WSL_ext4_vhdx,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\ext4.vhdx",
Kali,Kali_WSL_profile,"Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\**\.profile",
KapeTriage,Antivirus,"",Antivirus
KapeTriage,CloudStorage_Metadata,"",CloudStorage_Metadata
KapeTriage,EventLogs,"",EventLogs
KapeTriage,EvidenceOfExecution,"",EvidenceOfExecution
KapeTriage,FileSystem,"",FileSystem
KapeTriage,LNKFilesAndJumpLists,"",LNKFilesAndJumpLists
KapeTriage,Notepad,"",Notepad
KapeTriage,PowerShellConsole,"",PowerShellConsole
KapeTriage,RecycleBin_InfoFiles,"",RecycleBin_InfoFiles
KapeTriage,RegistryHives,"",RegistryHives
KapeTriage,RemoteAccess,"",RemoteAdmin
KapeTriage,SRUM,"",SRUM
KapeTriage,SUM,"",SUM
KapeTriage,ScheduledTasks,"",ScheduledTasks
KapeTriage,WBEM,"",WBEM
KapeTriage,WER,"",WER
KapeTriage,WebBrowsers,"",WebBrowsers
KapeTriage,WindowsTimeline,"",WindowsTimeline
Kaseya,Kaseya_Agent_Edge_Service_Logs,"ProgramData\Kaseya\Log\KaseyaEdgeServices\**",
Kaseya,Kaseya_Agent_Endpoint_Service_Logs,"ProgramData\Kaseya\Log\Endpoint\**",
Kaseya,Kaseya_Agent_Endpoint_Service_Logs_XP_,"Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint\**",
Kaseya,Kaseya_Agent_Service_Log,"Program Files*\Kaseya\*\agentmon.log*",
Kaseya,Kaseya_Live_Connect_Logs,"Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect\**",
Kaseya,Kaseya_Live_Connect_Logs_XP_,"Documents and Settings\*\Application Data\Kaseya\Log\**",
Kaseya,Kaseya_Setup_Log,"Windows.old\Windows\Temp\KASetup.log",
Kaseya,Kaseya_Setup_Log,"Windows\Temp\KASetup.log",
Kaseya,Kaseya_Setup_Log,"Users\*\AppData\Local\Temp\KASetup.log",
Keepass,Keepass_Application_Details,"Program Files\KeePass Password Safe*\*.config",
Keepass,Keepass_Config_Xml,"Program Files\KeePass Password Safe*\*.xml",
Keepass,Keepass_User_Config,"Users\*\AppData\Roaming\KeePass\*.xml",
KeepassXC,Keepass_Local_Ini,"Users\*\AppData\Local\KeePassXC\*.ini",
KeepassXC,Keepass_Roaming_Ini,"Users\*\AppData\Roaming\KeePassXC\*.ini",
LNKFilesAndJumpLists,Desktop_LNK_Files,"Users\*\Desktop\*.LNK",
LNKFilesAndJumpLists,Desktop_LNK_Files_XP,"Documents and Settings\*\Desktop\*.LNK",
LNKFilesAndJumpLists,LNK_Files_from_C_ProgramData,"ProgramData\Microsoft\Windows\Start Menu\Programs\*.LNK",
LNKFilesAndJumpLists,LNK_Files_from_Microsoft_Office_Recent,"Users\*\AppData\Roaming\Microsoft\Office\Recent\**",
LNKFilesAndJumpLists,LNK_Files_from_Recent,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\**",
LNKFilesAndJumpLists,LNK_Files_from_Recent_XP_,"Documents and Settings\*\Recent\**",
LNKFilesAndJumpLists,Restore_point_LNK_Files_XP,"System Volume Information\_restore*\RP*\*.LNK",
LNKFilesAndJumpLists,Start_Menu_LNK_Files,"Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.LNK",
Level,Level_RMM_Client_Application_logs,"Program Files\Level\*.log",
LinuxOnWindowsProfileFiles,_bash_history,"Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history",
LinuxOnWindowsProfileFiles,_bash_logout,"Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout",
LinuxOnWindowsProfileFiles,_bashrc,"Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc",
LinuxOnWindowsProfileFiles,_profile,"Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile",
LiveUserFiles,User_Files_Desktop,"Users\*\Desktop\**",
LiveUserFiles,User_Files_Documents,"Users\*\Documents\**",
LiveUserFiles,User_Files_Downloads,"Users\*\Downloads\**",
LiveUserFiles,User_Files_Dropbox,"Users\*\Dropbox*\**",
LogFiles,Error_logging,"windows\PFRO.log",
LogFiles,LogFiles,"Windows.old\Windows\System32\LogFiles\**",
LogFiles,LogFiles,"Windows\System32\LogFiles\**",
LogMeIn,LogMeIn_Application_Events,"",ApplicationEvents
LogMeIn,LogMeIn_Application_Logs,"Users\*\AppData\Local\temp\LogMeInLogs\**",
LogMeIn,LogMeIn_ProgramData_Logs,"ProgramData\LogMeIn\Logs\**",
MOF,MOF_files,"**\*.MOF",
MSSQLErrorLog,MS_SQL_Errorlog,"Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG",
MSSQLErrorLog,MS_SQL_Errorlogs,"Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*",
MacriumReflect,Macrium_Reflect,"ProgramData\Macrium\Macrium Service\*",
MacriumReflect,Macrium_Reflect,"ProgramData\Macrium\Reflect\*",
MacriumReflect,Macrium_Reflect,"ProgramData\Macrium\Reflect Launcher\*",
Malwarebytes,MalwareBytes_Anti_Malware_Logs,"ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml",
Malwarebytes,MalwareBytes_Anti_Malware_Scan_Logs,"Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\**",
Malwarebytes,MalwareBytes_Anti_Malware_Scan_Results_Logs,"ProgramData\Malwarebytes\MBAMService\ScanResults\**",
Malwarebytes,MalwareBytes_Anti_Malware_Service_Logs,"ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log*",
ManageEngineLogs,ManageEngine_ADSelfService_Plus_Log_Files,"ManageEngine\ADSelfService Plus\logs\**",
ManageEngineLogs,ManageEngine_Desktop_Central_Log_Files,"ManageEngine\DesktopCentral_Server\logs\**",
Mattermost,Mattermost_Chat_Logs,"Users\*\AppData\Roaming\Mattermost\IndexedDB\**",
McAfee,McAfee_Agent_Events,"ProgramData\Mcafee\Agent\AgentEvents\**",
McAfee,McAfee_Agent_Events_XP,"Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\**",
McAfee,McAfee_Agent_Logs,"ProgramData\Mcafee\Agent\logs\**",
McAfee,McAfee_Data_Reputation_Logs,"ProgramData\Mcafee\datareputation\Logs\**",
McAfee,McAfee_Data_Reputation_Logs_XP,"Documents and Settings\All Users\Application Data\McAfee\datreputation\Logs\**",
McAfee,McAfee_Desktop_Protection_Logs,"ProgramData\McAfee\DesktopProtection\**",
McAfee,McAfee_Desktop_Protection_Logs_XP,"Users\All Users\Application Data\McAfee\DesktopProtection\**",
McAfee,McAfee_Endpoint_Security_Logs,"ProgramData\McAfee\Endpoint Security\Logs_Old\**",
McAfee,McAfee_Endpoint_Security_Logs,"ProgramData\McAfee\Endpoint Security\Logs\**",
McAfee,McAfee_MC_Logs_XP,"Documents and Settings\All Users\Application Data\McAfee\MCLOGS\SAE\**",
McAfee,McAfee_MSC_Logs,"ProgramData\Mcafee\MSC\Logs\**",
McAfee,McAfee_Managed_VirusScan,"ProgramData\Mcafee\Managed\VirusScan\Logs\**",
McAfee,McAfee_Managed_VirusScan_Logs_XP,"Documents and Settings\All Users\Application Data\McAfee\Managed\VirusScan\Logs\**",
McAfee,McAfee_VirusScan_Logs,"ProgramData\Mcafee\VirusScan\**",
McAfee,McAfee_WCF_Service_Logs,"Program Files (x86)\McAfee\DLP\WCF Service\Log\**",
McAfee_ePO,McAfee_ePO_Apache_Logs,"Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\Logs\**",
McAfee_ePO,McAfee_ePO_DB_Debug_Events,"Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\Debug\**",
McAfee_ePO,McAfee_ePO_DB_Events,"Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\**",
McAfee_ePO,McAfee_ePO_Logs,"ProgramData\McAfee\Endpoint Security\Logs\**",
McAfee_ePO,McAfee_ePO_Server_Logs,"Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs\**",
MediaMonkey,MediaMonkey_MediaMonkey_ini,"Users\*\AppData\Roaming\MediaMonkey\MediaMonkey.ini",
MediaMonkey,MediaMonkey_Media_SQLite_Database,"Users\*\AppData\Roaming\MediaMonkey\MM.DB",
Megasync,MegaSync_Folder,"Users\*\AppData\Local\Mega Limited\MEGAsync\**",
MemoryFiles,Small_Memory_Dump_directory,"Windows.old\Windows\Minidump\*.dmp",
MemoryFiles,Small_Memory_Dump_directory,"Windows\Minidump\*.dmp",
MemoryFiles,hiberfil_sys,"hiberfil.sys",
MemoryFiles,pagefile_sys,"pagefile.sys",
MemoryFiles,swapfile_sys,"swapfile.sys",
MeshAgent,MeshAgent_log_file,"Program Files\Mesh Agent\**\*.log",
MeshAgent,MeshAgent_msh_configuration_file,"Program Files\Mesh Agent\**\*.msh",
MessagingClients,Cisco_Jabber,"",CiscoJabber
MessagingClients,Discord,"",Discord
MessagingClients,IRC_Clients,"",IRCClients
MessagingClients,Mattermost,"",Mattermost
MessagingClients,Microsoft_Teams,"",MicrosoftTeams
MessagingClients,Signal,"",Signal
MessagingClients,Skype,"",Skype
MessagingClients,Slack,"",Slack
MessagingClients,Telegram,"",Telegram
MessagingClients,Viber,"",Viber
MessagingClients,WhatsApp,"",WhatsApp
MicrosoftAzureCopy,Azure_Copy_Plans_ste_,"Users\*\.azcopy\plans\*.ste*",
MicrosoftAzureCopy,Azure_Copy_User_Profile_log,"Users\*\.azcopy\*.log",
MicrosoftOfficeBackstage,Microsoft_Office_Backstage,"Users\*\AppData\Local\Microsoft\Office\*\BackstageinAppNavCache\**",
MicrosoftOneNote,Microsoft_OneNote_AccessibilityCheckerIndex,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex\*",
MicrosoftOneNote,Microsoft_OneNote_FullTextSearchIndex,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex\*",
MicrosoftOneNote,Microsoft_OneNote_RecentNotebooks_SeenURLs,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs",
MicrosoftOneNote,Microsoft_OneNote_RecentSearches,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db",
MicrosoftOneNote,Microsoft_OneNote_User_NoteTags,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db",
MicrosoftSafetyScanner,Windows_Safety_Scanner_Logs,"Windows\Debug\msert.log",
MicrosoftStickyNotes,Microsoft_Sticky_Notes_1607_and_later,"Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*",
MicrosoftStickyNotes,Microsoft_Sticky_Notes_Windows_7_8_and_10_version_1511_and_earlier,"Users\*\AppData\Roaming\Microsoft\StickyNotes\StickyNotes.snt",
MicrosoftTeams,Microsoft_Teams_Cache,"Users\*\AppData\Roaming\Microsoft\Teams\Cache\**",
MicrosoftTeams,Microsoft_Teams_Config,"Users\*\AppData\Roaming\Microsoft\Teams\desktop-config.json",
MicrosoftTeams,Microsoft_Teams_IndexedDB_Cache,"Users\*\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\**",
MicrosoftTeams,Microsoft_Teams_Local_Storage_Cache,"Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\**",
MicrosoftTeams,Microsoft_Teams_Logs_Windows_11_,"Users\*\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\*",
MicrosoftToDo,Microsoft_To_Do_SQLite_Database_of_To_Do_tasks,"Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*",
MicrosoftToDo,Microsoft_To_Do_User_Avatar,"Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\UserAvatar.jpg",
MidnightCommander,Midnight_Commander_All_Configuation_Files,"Users\*\Midnight Commander\*",
MiniTimelineCollection,Event_Logs,"",EventLogs
MiniTimelineCollection,File_System,"",FileSystem
MiniTimelineCollection,RegistryHives,"",RegistryHives
MobaXTerm,MobaXTerm_Logs,"Users\*\AppData\Roaming\MobaXterm\**",
MouseWithoutBorders,Mouse_Without_Borders_Logs_folder,"Users\*\AppData\Local\Microsoft\PowerToys\MouseWithoutBorders\Logs\**",
MouseWithoutBorders,Mouse_Without_Borders_msi_log_MagicMouse_log,"Program Files (x86)\Microsoft Garage\Mouse without Borders\MagicMouse.log",
MouseWithoutBorders,Mouse_Without_Borders_runtime_activity_logs,"Users\*\AppData\Local\Microsoft\PowerToys\MouseWithoutBorders\LogsModuleInterface\*",
MouseWithoutBorders,Mouse_Without_Borders_settings_settings_json,"Users\*\AppData\Local\Microsoft\PowerToys\MouseWithoutBorders\settings.json",
MstyDatabase,Msty_Artificial_Intelligence,"Users\*\AppData\Roaming\Msty\*.db",
MultiCommander,Multi_Commander_Application_Folder,"Users\*\AppData\Local\MultiCommander*\**",
MultiCommander,Multi_Commander_Config_Folder,"Users\*\AppData\Roaming\MultiCommander*\Config\**",
MultiCommander,Multi_Commander_Log_File,"Users\*\AppData\Roaming\MultiCommander*\**\*MultiCommander.log",
MultiCommander,Multi_Commander_Log_Folder,"Users\*\AppData\Roaming\MultiCommander*\Logs\**",
MultiCommander,Multi_Commander_UserData_Folder,"Users\*\AppData\Roaming\MultiCommander*\UserData\**",
NETCLRUsageLogs,_NET_CLR_UsageLogs_system_scoped_,"Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\**\*.log",
NETCLRUsageLogs,_NET_CLR_UsageLogs_user_scoped_,"Users\*\AppData\Local\Microsoft\CLR_*\**\*.log",
NGINXLogs,NGINX_Log_Files,"nginx\logs\*.log",
NZBGet,Usenet_Clients_NZBGet_Log_File,"ProgramData\NZBGet\nzbget.log",
NZBGet,Usenet_Clients_NZBGet_NZBs,"ProgramData\NZBGet\nzb\*",
Nessus,Nessus_Logs,"ProgramData\Tenable\Nessus\nessus\logs\**",
Nessus,Nessus_Logs,"ProgramData\Tenable\Nessus\conf\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Client_Config,"Program Files*\Net Monitor for Employees Pro\config\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Client_Logs,"Program Files*\Net Monitor for Employees Pro\log\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Server_Config,"ProgramData\Net Monitor for Employees Pro\config\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Server_Data,"ProgramData\Net Monitor for Employees Pro\data\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Server_Logs,"ProgramData\Net Monitor for Employees Pro\log\*\**",
NetMonitorforEmployeesProfessional,Net_Monitor_Server_Temp_Folder,"ProgramData\Net Monitor for Employees Pro\tmp\**",
NetworkScanner,Advanced_IP_Scanner,"",AdvancedIPScanner
NetworkScanner,Advanced_Port_Scanner,"",AdvancedPortScanner
NetworkScanner,Soft_Perfect_Network_Scanner,"",SoftPerfectNetscan
NewsbinPro,Usenet_Clients_Newsbin_Pro,"Users\*\AppData\Local\Newsbin\Downloaded.db3",
Newsleecher,Usenet_Clients_Newsleecher,"Users\*\AppData\Roaming\NewsLeecher\downloaded.dat",
Nicotine_,Nicotine_Buddyfileindex_db,"Users\*\AppData\Roaming\nicotine\**\buddyfileindex.db",
Nicotine_,Nicotine_Buddyfiles_db,"Users\*\AppData\Roaming\nicotine\**\buddyfiles.db",
Nicotine_,Nicotine_Buddymtimes_db,"Users\*\AppData\Roaming\nicotine\**\buddymtimes.db",
Nicotine_,Nicotine_Buddystreams_db,"Users\*\AppData\Roaming\nicotine\**\buddystreams.db",
Nicotine_,Nicotine_Buddywordindex_db,"Users\*\AppData\Roaming\nicotine\**\buddywordindex.db",
Nicotine_,Nicotine_Config_Files,"Users\*\AppData\Roaming\nicotine\config\**",
Nicotine_,Nicotine_Downloads_json,"Users\*\AppData\Roaming\nicotine\downloads.json*",
Nicotine_,Nicotine_Incomplete_Downloads,"Users\*\AppData\Roaming\nicotine\incomplete\**",
Nicotine_,Nicotine_Logs,"Users\*\AppData\Roaming\nicotine\logs\**",
Nicotine_,Nicotine_Uploads_json,"Users\*\AppData\Roaming\nicotine\uploads.json*",
Nicotine_,Nicotine_User_Shares,"Users\*\AppData\Roaming\nicotine\usershares\**",
Notepad,Notepad_Registry_Hives,"Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\*.dat",
Notepad,Notepad_Session_Files,"Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\*.bin",
Notepad,Notepad_Settings_File,"Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\Settings\settings.dat",
Notepad,Notepad_Window_State_Files,"Users\*\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\WindowState\*.bin",
Notepad_,Notepad_Config,"Users\*\AppData\Roaming\Notepad++\config.xml",
Notepad_,Notepad_Session,"Users\*\AppData\Roaming\Notepad++\session.xml",
Notepad_,Notepad_Unsaved_Edits,"Users\*\AppData\Roaming\Notepad++\backup\**",
Notion,Notion_Custom_Dictionary,"Users\*\AppData\Roaming\Notion\Partitions\notion\Custom Dictionary.txt",
Notion,Notion_Local_Storage,"Users\*\AppData\Roaming\Notion\notion.db",
OfficeAutosave,Excel_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Excel\**",
OfficeAutosave,Powerpoint_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Powerpoint\**",
OfficeAutosave,Publisher_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Publisher\**",
OfficeAutosave,Word_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Word\**",
OfficeDiagnostics,Office_Diagnostics,"Users\*\AppData\Local\Diagnostics\PCW.debugreport.xml",
OfficeDiagnostics,Office_Elevated_Diagnostics,"Users\*\AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml",
OfficeDocumentCache,Office_Document_Cache,"Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\**",
OneCommander,One_Commander_All_Configuration_Files,"Users\*\OneCommander\*",
OneCommander,One_Commander_Other_Configuration_Files,"Users\*\AppData\Local\Apps\2.0\*\*\onec*\**",
OneDrive_Metadata,OneDrive_Metadata_Logs,"Users\*\AppData\Local\Microsoft\OneDrive\logs\**",
OneDrive_Metadata,OneDrive_Metadata_Settings,"Users\*\AppData\Local\Microsoft\OneDrive\settings\**",
OneDrive_UserFiles,OneDrive_User_Files,"Users\*\OneDrive*\**",
OpenSSHClient,OpenSSH_Config_File,"Users\*\.ssh\config",
OpenSSHClient,OpenSSH_Default_DSA_Private_Key,"Users\*\.ssh\id_dsa",
OpenSSHClient,OpenSSH_Default_ECDSA_Private_Key,"Users\*\.ssh\id_ecdsa",
OpenSSHClient,OpenSSH_Default_ECDSA_SK_Private_Key,"Users\*\.ssh\id_ecdsa_sk",
OpenSSHClient,OpenSSH_Default_ED25519_Private_Key,"Users\*\.ssh\id_ed25519",
OpenSSHClient,OpenSSH_Default_ED25519_SK_Private_Key,"Users\*\.ssh\id_ed25519_sk",
OpenSSHClient,OpenSSH_Default_RSA_Private_Key,"Users\*\.ssh\id_rsa",
OpenSSHClient,OpenSSH_Known_Hosts,"Users\*\.ssh\known_hosts",
OpenSSHClient,OpenSSH_Public_Keys,"Users\*\.ssh\*.pub",
OpenSSHServer,OpenSSH_Authorized_Administrator_Keys,"ProgramData\ssh\administrators_authorized_keys",
OpenSSHServer,OpenSSH_Host_DSA_Key,"ProgramData\ssh\ssh_host_dsa_key",
OpenSSHServer,OpenSSH_Host_ECDSA_Key,"ProgramData\ssh\ssh_host_ecdsa_key",
OpenSSHServer,OpenSSH_Host_ED25519_Key,"ProgramData\ssh\ssh_host_ed25519_key",
OpenSSHServer,OpenSSH_Host_RSA_Key,"ProgramData\ssh\ssh_host_rsa_key",
OpenSSHServer,OpenSSH_Server_Config_File,"ProgramData\ssh\sshd_config",
OpenSSHServer,OpenSSH_Server_Logs,"ProgramData\ssh\logs\*",
OpenSSHServer,OpenSSH_User_Authorized_Keys,"Users\*\.ssh\authorized_keys",
OpenSSHServer,OpenSSH_User_Authorized_Keys_2,"Users\*\.ssh\authorized_keys2",
OpenVPNClient,OpenVPN_Client_Config,"Users\*\OpenVPN\config\**",
OpenVPNClient,OpenVPN_Client_Config,"Program Files*\OpenVPN\config\**",
OpenVPNClient,OpenVPN_Client_Config,"Users\*\OpenVPN\log\*.log",
Opera,Opera_Local_Folder,"Users\*\AppData\Local\Opera Software\Opera Stable\**",
Opera,Opera_Roaming_Folder,"Users\*\AppData\Roaming\Opera Software\Opera Stable\**",
OutlookPSTOST,NST,"Users\*\AppData\Local\Microsoft\Outlook\*.nst",
OutlookPSTOST,OST,"Users\*\AppData\Local\Microsoft\Outlook\*.ost",
OutlookPSTOST,OST_2013_or_2016_,"Users\*\Documents\Outlook Files\*.ost",
OutlookPSTOST,OST_XP,"Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost",
OutlookPSTOST,Outlook_Attachment_Temporary_Storage,"Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\**",
OutlookPSTOST,PST,"Users\*\AppData\Local\Microsoft\Outlook\*.pst",
OutlookPSTOST,PST_2013_or_2016_,"Users\*\Documents\Outlook Files\*.pst",
OutlookPSTOST,PST_XP,"Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst",
P2PClients,DC_,"",DC_
P2PClients,FrostWire,"",FrostWire
P2PClients,Gigatribe,"",Gigatribe
P2PClients,Shareaza,"",Shareaza
P2PClients,Soulseek,"",Soulseek
P2PClients,eMule,"",eMule
PeaZip,PeaZip_Configuration_Files,"Users\*\AppData\Roaming\PeaZip\**",
PerfLogs,Perflogs,"PerfLogs\**",
PowerShell7Config,PowerShell_7_Config_JSON,"Program Files\PowerShell\7\powershell.config.json",
PowerShellConsole,PowerShell_Console_Log,"Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*_history.txt",
PowerShellConsole,PowerShell_Console_Log_Systemprofile,"Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt",
PowerShellConsole,PowerShell_Console_Log_WOW64_Systemprofile,"Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt",
PowerShellConsole,PowerShell_ISE_AutoSave_Files,"Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles\*.ps1",
PowerShellConsole,PowerShell_ISE_User_Config,"Users\*\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\*.config",
PowerShellTranscripts,PowerShell_Transcripts_Default_Location,"Users\*\Documents\PowerShell_transcript.*.txt",
PowerShellTranscripts,PowerShell_Transcripts_Observed_Location,"Windows\System32\*\PowerShell_transcript.*.txt",
PowerShellTranscripts,PowerShell_Transcripts_Observed_Location,"Windows\SysWOW64\*\PowerShell_transcript.*.txt",
PowerShellTranscripts,PowerShell_Transcripts_Observed_Location,"Users\*\Documents\20*\PowerShell_transcript.*.txt",
PowerShellTranscripts,PowerShell_Transcripts_Observed_Location,"PSTranscript\20*\PowerShell_transcript.*.txt",
PowerShellTranscripts,PowerShell_Transcripts_Observed_Location,"Program Files\Amazon\Ec2ConfigService\Scripts\*\PowerShell_transcript.*.txt",
Prefetch,Prefetch,"Windows\prefetch\*.pf",
Prefetch,Prefetch,"Windows.old\Windows\prefetch\*.pf",
ProgramData,ProgramData,"ProgramData\**",
ProgramExecution,Amcache,"",Amcache
ProgramExecution,AppCompatPCA,"",AppCompatPCA
ProgramExecution,JumpLists,"",JumpLists
ProgramExecution,PowerShellConsole,"",PowerShellConsole
ProgramExecution,PowerShellTranscripts,"",PowerShellTranscripts
ProgramExecution,Prefetch,"",Prefetch
ProgramExecution,RecentFileCache,"",RecentFileCache
ProgramExecution,Syscache,"",Syscache
ProgramExecution,WBEM,"",WBEM
ProgramExecution,WER,"",WER
ProgramExecution,WindowsTimeline,"",WindowsTimeline
ProgramExecution,_NET_CLR_UsageLogs,"",NETCLRUsageLogs
ProtonVPN,ProtonVPN_Connection_Logs,"Users\*\AppData\Local\ProtonVPN\Logs\*",
PuffinSecureBrowser,Puffin_Autocomplete_Data,"Users\*\AppData\Local\PuffinSecureBrowser\autocompletes.dat",
PuffinSecureBrowser,Puffin_Cookies,"Users\*\AppData\Local\PuffinSecureBrowser\cookies.dat",
PuffinSecureBrowser,Puffin_Image_Cache,"Users\*\AppData\Local\PuffinSecureBrowser\image_cache\**",
PuffinSecureBrowser,Puffin_Password_Encrypted_,"Users\*\AppData\Local\PuffinSecureBrowser\credential.dat",
PuffinSecureBrowser,Puffin_Password_Forms_Data,"Users\*\AppData\Local\PuffinSecureBrowser\passwordForms.dat",
PuffinSecureBrowser,Puffin_Subscription_Data,"Users\*\AppData\Local\PuffinSecureBrowser\subscription",
PuffinSecureBrowser,Puffin_data_db,"Users\*\AppData\Local\PuffinSecureBrowser\data.db",
PushNotification,WNS,"Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db",
PushNotification,WNS,"Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat",
QFinderPro_QNAP_,QFinderPro,"Users\*\AppData\Local\QNAP\QfinderPro\*",
QQBrowser,QQ_Browser_Bookmarks,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Bookmarks*",
QQBrowser,QQ_Browser_Cookies,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**\Cookies*",
QQBrowser,QQ_Browser_Current_Session,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Current Session",
QQBrowser,QQ_Browser_Current_Tabs,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Current Tabs",
QQBrowser,QQ_Browser_Download_Metadata,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\DownloadMetadata",
QQBrowser,QQ_Browser_Extension_Cookies,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Extension Cookies",
QQBrowser,QQ_Browser_Favicons,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Favicons*",
QQBrowser,QQ_Browser_History,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\History*",
QQBrowser,QQ_Browser_Last_Session,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Last Session",
QQBrowser,QQ_Browser_Last_Tabs,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Last Tabs",
QQBrowser,QQ_Browser_Login_Data,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Login Data*",
QQBrowser,QQ_Browser_Media_History,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Media History*",
QQBrowser,QQ_Browser_Network_Action_Predictor,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Network Action Predictor",
QQBrowser,QQ_Browser_Network_Persistent_State,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**\Network Persistent State",
QQBrowser,QQ_Browser_Preferences,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Preferences",
QQBrowser,QQ_Browser_Quota_Manager,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\QuotaManager",
QQBrowser,QQ_Browser_Reporting_and_NEL,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**\Reporting and NEL",
QQBrowser,QQ_Browser_Sessions_Folder,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Sessions\*",
QQBrowser,QQ_Browser_Shortcuts,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Shortcuts*",
QQBrowser,QQ_Browser_Snapshots_Folder,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\Snapshots\*\**",
QQBrowser,QQ_Browser_SyncData_Database,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Sync Data\**",
QQBrowser,QQ_Browser_Top_Sites,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Top Sites*",
QQBrowser,QQ_Browser_Trust_Tokens,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\**\Trust Tokens*",
QQBrowser,QQ_Browser_Visited_Links,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Visited Links",
QQBrowser,QQ_Browser_Web_Data,"Users\*\AppData\Local\Tencent\QQBrowser\User Data\*\Web Data*",
QQBrowser,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
Q_Dir,Q_Dir_ini_File,"Users\*\AppData\Roaming\Q-Dir\Q-Dir.ini",
Q_Dir,Q_Dir_qdr_file,"Users\*\AppData\Roaming\Q-Dir\start.qdr",
QlikSense,Qlik_Sense_Logs,"ProgramData\Qlik\Sense\Log\Proxy\**\*.txt",
QlikSense,Qlik_Sense_Logs,"ProgramData\Qlik\Sense\Log\Proxy\**\*.log",
QlikSense,Qlik_Sense_Logs,"ProgramData\Qlik\Sense\Log\Scheduler\**\*.txt",
QlikSense,Qlik_Sense_Logs,"ProgramData\Qlik\Sense\Log\Scheduler\**\*.log",
QuickAssist,Microsoft_Quick_Assist,"Users\*\AppData\Local\Temp\QuickAssist\**",
QuickAssist,Microsoft_Remote_Help,"Users\*\AppData\Local\Temp\RemoteHelp\**",
RDCMan,Old_RDG_Files,"**\*.rdg.old",
RDCMan,RDCMan_Personal_Certificate,"Users*\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*",
RDCMan,RDCMan_Settings_File,"Users\*\AppData\Local\Microsoft\Remote Desktop Connection Manager\**\*.settings",
RDCMan,RDG_Files,"**\*.rdg",
RDPCache,RDP_Cache_Files,"Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*",
RDPCache,RDP_Cache_Files,"Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*",
RDPCache,Windows_old_RDP_Cache_Files,"Windows.old\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*",
RDPJumplist,RDP_Jumplist_Files,"Users\*\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\**",
RDPLogs,LocalSessionManager_Event_Logs,"Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*",
RDPLogs,LocalSessionManager_Event_Logs,"Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*",
RDPLogs,RDPClient_Event_Logs,"Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*",
RDPLogs,RDPClient_Event_Logs,"Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*",
RDPLogs,RDPCoreTS_Event_Logs,"Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*",
RDPLogs,RDPCoreTS_Event_Logs,"Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*",
RDPLogs,RemoteConnectionManager_Event_Logs,"Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*",
RDPLogs,RemoteConnectionManager_Event_Logs,"Windows.old\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*",
Radmin,Radmin_Server_32bit_Chats,"Windows\SysWOW64\rserver30\CHATLOGS\*\*.htm",
Radmin,Radmin_Server_32bit_Log,"Windows\SysWOW64\rserver30\Radm_log.htm",
Radmin,Radmin_Server_64bit_Chats,"Windows\System32\rserver30\CHATLOGS\*\*.htm",
Radmin,Radmin_Server_64bit_Log,"Windows\System32\rserver30\Radm_log.htm",
Radmin,Radmin_Viewer_Chats,"Users\*\Documents\ChatLogs\*\*.htm",
RcloneConf,Rclone_Config,"**\rclone.conf",
RecentFileCache,RecentFileCache,"Windows.old\Windows\AppCompat\Programs\RecentFileCache.bcf",
RecentFileCache,RecentFileCache,"Windows\AppCompat\Programs\RecentFileCache.bcf",
RecentFolders,LNK_Files_from_Microsoft_Office_Recent,"Users\*\AppData\Roaming\Microsoft\Office\Recent\**",
RecentFolders,LNK_Files_from_Recent,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\**",
RecycleBin,RecycleBin_DataFiles,"",RecycleBin_DataFiles
RecycleBin,RecycleBin_InfoFiles,"",RecycleBin_InfoFiles
RecycleBin_DataFiles,RECYCLER_WinXP,"RECYCLE*\**\D*",
RecycleBin_DataFiles,Recycle_Bin_Windows_Vista_,"$Recycle.Bin\*\$R*\**",
RecycleBin_DataFiles,Recycle_Bin_Windows_Vista_,"$Recycle.Bin\**\$R*",
RecycleBin_InfoFiles,RECYCLER_WinXP,"RECYCLE*\**\INFO2",
RecycleBin_InfoFiles,Recycle_Bin_Windows_Vista_,"$Recycle.Bin\**\$I*",
RegistryHivesMSIXApps,Registry_dat_MSIX_Hive,"Users\*\AppData\Local\Packages\*\SystemAppData\Helium\Registry.dat*",
RegistryHivesMSIXApps,Registry_dat_MSIX_Hive,"Program Files\WindowsApps\*\Registry.dat*",
RegistryHivesMSIXApps,Registry_dat_MSIX_Hive,"Windows\SystemApps\*\Registry.dat*",
RegistryHivesMSIXApps,UserClasses_dat_MSIX_Hive,"Users\*\AppData\Local\Packages\*\SystemAppData\Helium\UserClasses.dat*",
RegistryHivesMSIXApps,User_dat_MSIX_Hive,"Users\*\AppData\Local\Packages\*\SystemAppData\Helium\User.dat*",
RegistryHivesMSIXApps,settings_dat_MSIX_Hive,"Users\*\AppData\Local\Packages\*\Settings\settings.dat*",
RegistryHives,MSIX_Application_Registry_Files,"",RegistryHivesMSIXApps
RegistryHivesOther,BBI_registry_hive,"Windows\System32\config\BBI",
RegistryHivesOther,BBI_registry_hive,"Windows.old\Windows\System32\config\BBI",
RegistryHivesOther,BBI_registry_transaction_files,"Windows\System32\config\BBI.LOG*",
RegistryHivesOther,BBI_registry_transaction_files,"Windows.old\System32\config\BBI.LOG*",
RegistryHivesOther,BCD_Template_registry_hive,"Windows\System32\config\BCD-Template",
RegistryHivesOther,BCD_Template_registry_hive,"Windows.old\Windows\System32\config\BCD-Template",
RegistryHivesOther,BCD_Template_registry_transaction_files,"Windows\System32\config\BCD-Template.LOG*",
RegistryHivesOther,BCD_Template_registry_transaction_files,"Windows.old\System32\config\BCD-Template.LOG*",
RegistryHivesOther,COMPONENTS_registry_hive,"Windows\System32\config\COMPONENTS",
RegistryHivesOther,COMPONENTS_registry_hive,"Windows.old\Windows\System32\config\COMPONENTS",
RegistryHivesOther,COMPONENTS_registry_transaction_files,"Windows\System32\config\COMPONENTS.LOG*",
RegistryHivesOther,COMPONENTS_registry_transaction_files,"Windows.old\System32\config\COMPONENTS.LOG*",
RegistryHivesOther,DRIVERS_registry_hive,"Windows\System32\config\DRIVERS",
RegistryHivesOther,DRIVERS_registry_hive,"Windows.old\Windows\System32\config\DRIVERS",
RegistryHivesOther,DRIVERS_registry_transaction_files,"Windows\System32\config\DRIVERS.LOG*",
RegistryHivesOther,DRIVERS_registry_transaction_files,"Windows.old\System32\config\DRIVERS.LOG*",
RegistryHivesOther,ELAM_registry_hive,"Windows.old\Windows\System32\config\ELAM",
RegistryHivesOther,ELAM_registry_hive,"Windows\System32\config\ELAM",
RegistryHivesOther,ELAM_registry_transaction_files,"Windows\System32\config\ELAM.LOG*",
RegistryHivesOther,ELAM_registry_transaction_files,"Windows.old\System32\config\ELAM.LOG*",
RegistryHivesOther,VSMIDK_registry_hive,"Windows\System32\config\VSMIDK",
RegistryHivesOther,VSMIDK_registry_hive,"Windows.old\Windows\System32\config\VSMIDK",
RegistryHivesOther,VSMIDK_registry_transaction_files,"Windows\System32\config\VSMIDK.LOG*",
RegistryHivesOther,VSMIDK_registry_transaction_files,"Windows.old\System32\config\VSMIDK.LOG*",
RegistryHivesOther,userdiff_registry_hive,"Windows\System32\config\userdiff",
RegistryHivesOther,userdiff_registry_hive,"Windows.old\Windows\System32\config\userdiff",
RegistryHivesOther,userdiff_registry_transaction_files,"Windows\System32\config\userdiff.LOG*",
RegistryHivesOther,userdiff_registry_transaction_files,"Windows.old\System32\config\userdiff.LOG*",
RegistryHivesSystem,Local_Service_registry_hive,"Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT",
RegistryHivesSystem,Local_Service_registry_hive,"Windows\ServiceProfiles\LocalService\NTUSER.DAT",
RegistryHivesSystem,Local_Service_registry_transaction_files,"Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*",
RegistryHivesSystem,Local_Service_registry_transaction_files,"Windows.old\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG*",
RegistryHivesSystem,Network_Service_registry_hive,"Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT",
RegistryHivesSystem,Network_Service_registry_hive,"Windows\ServiceProfiles\NetworkService\NTUSER.DAT",
RegistryHivesSystem,Network_Service_registry_transaction_files,"Windows.old\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*",
RegistryHivesSystem,Network_Service_registry_transaction_files,"Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG*",
RegistryHivesSystem,RegBack_registry_transaction_files,"Windows\System32\config\RegBack\*.LOG*",
RegistryHivesSystem,RegBack_registry_transaction_files,"Windows.old\Windows\System32\config\RegBack\*.LOG*",
RegistryHivesSystem,SAM_registry_hive,"Windows\System32\config\SAM",
RegistryHivesSystem,SAM_registry_hive,"Windows.old\Windows\System32\config\SAM",
RegistryHivesSystem,SAM_registry_hive_RegBack_,"Windows\System32\config\RegBack\SAM",
RegistryHivesSystem,SAM_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SAM",
RegistryHivesSystem,SAM_registry_transaction_files,"Windows\System32\config\SAM.LOG*",
RegistryHivesSystem,SAM_registry_transaction_files,"Windows.old\Windows\System32\config\SAM.LOG*",
RegistryHivesSystem,SECURITY_registry_hive,"Windows.old\Windows\System32\config\SECURITY",
RegistryHivesSystem,SECURITY_registry_hive,"Windows\System32\config\SECURITY",
RegistryHivesSystem,SECURITY_registry_hive_RegBack_,"Windows\System32\config\RegBack\SECURITY",
RegistryHivesSystem,SECURITY_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SECURITY",
RegistryHivesSystem,SECURITY_registry_transaction_files,"Windows.old\Windows\System32\config\SECURITY.LOG*",
RegistryHivesSystem,SECURITY_registry_transaction_files,"Windows\System32\config\SECURITY.LOG*",
RegistryHivesSystem,SOFTWARE_registry_hive,"Windows.old\Windows\System32\config\SOFTWARE",
RegistryHivesSystem,SOFTWARE_registry_hive,"Windows\System32\config\SOFTWARE",
RegistryHivesSystem,SOFTWARE_registry_hive_RegBack_,"Windows\System32\config\RegBack\SOFTWARE",
RegistryHivesSystem,SOFTWARE_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SOFTWARE",
RegistryHivesSystem,SOFTWARE_registry_transaction_files,"Windows\System32\config\SOFTWARE.LOG*",
RegistryHivesSystem,SOFTWARE_registry_transaction_files,"Windows.old\Windows\System32\config\SOFTWARE.LOG*",
RegistryHivesSystem,SYSTEM_registry_hive,"Windows.old\Windows\System32\config\SYSTEM",
RegistryHivesSystem,SYSTEM_registry_hive,"Windows\System32\config\SYSTEM",
RegistryHivesSystem,SYSTEM_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SYSTEM",
RegistryHivesSystem,SYSTEM_registry_hive_RegBack_,"Windows\System32\config\RegBack\SYSTEM1",
RegistryHivesSystem,SYSTEM_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SYSTEM1",
RegistryHivesSystem,SYSTEM_registry_hive_RegBack_,"Windows\System32\config\RegBack\SYSTEM",
RegistryHivesSystem,SYSTEM_registry_transaction_files,"Windows\System32\config\SYSTEM.LOG*",
RegistryHivesSystem,SYSTEM_registry_transaction_files,"Windows.old\Windows\System32\config\SYSTEM.LOG*",
RegistryHivesSystem,System_Profile_registry_hive,"Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT",
RegistryHivesSystem,System_Profile_registry_hive,"Windows\System32\config\systemprofile\NTUSER.DAT",
RegistryHivesSystem,System_Profile_registry_transaction_files,"Windows.old\Windows\System32\config\systemprofile\NTUSER.DAT.LOG*",
RegistryHivesSystem,System_Profile_registry_transaction_files,"Windows\System32\config\systemprofile\NTUSER.DAT.LOG*",
RegistryHivesSystem,System_Restore_Points_Registry_Hives_XP_,"System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*",
RegistryHives,System_Registry_Files,"",RegistryHivesSystem
RegistryHivesUser,NTUSER_DAT_DEFAULT_registry_hive,"Windows\System32\config\DEFAULT",
RegistryHivesUser,NTUSER_DAT_DEFAULT_registry_hive,"Windows.old\Windows\System32\config\DEFAULT",
RegistryHivesUser,NTUSER_DAT_DEFAULT_transaction_files,"Windows.old\Windows\System32\config\DEFAULT.LOG*",
RegistryHivesUser,NTUSER_DAT_DEFAULT_transaction_files,"Windows\System32\config\DEFAULT.LOG*",
RegistryHivesUser,NTUSER_DAT_registry_hive,"Users\*\NTUSER.DAT*",
RegistryHivesUser,NTUSER_DAT_registry_hive_XP,"Documents and Settings\*\NTUSER.DAT*",
RegistryHivesUser,NTUSER_DAT_registry_transaction_files,"Users\*\NTUSER.DAT.LOG*",
RegistryHivesUser,UsrClass_dat_registry_hive,"Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat*",
RegistryHivesUser,UsrClass_dat_registry_transaction_files,"Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*",
RegistryHives,User_Level_Registry_Files,"",RegistryHivesUser
Remcos,Remco_RAT_Default_path,"Users\*\AppData\Roaming\remcos\logs*.dat*",
Remcos,Remco_RAT_custom_path,"ProgramData\remcos\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_hpsupport,"Users\*\AppData\Roaming\hpsupport\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_hpsupport,"ProgramData\hpsupport\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_micrecords,"ProgramData\micrecords\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_micrecords_folder,"Users\*\AppData\Roaming\micrecords\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_notess,"ProgramData\notess\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_notess_folder,"Users\*\AppData\Roaming\notess\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_screenshots,"ProgramData\screenshots\logs*.dat*",
Remcos,Remco_RAT_custom_path_AppData_screenshots_folder,"Users\*\AppData\Roaming\screenshots\logs*.dat*",
RemoteAdmin,Action1,"",Action1
RemoteAdmin,Ammyy,"",Ammyy
RemoteAdmin,AnyDesk,"",AnyDesk
RemoteAdmin,Chrome_Remote_Desktop,"",ApplicationEvents
RemoteAdmin,DWAgent,"",DWAgent
RemoteAdmin,ISLOnline,"",ISLOnline
RemoteAdmin,ITarian,"",ITarian
RemoteAdmin,Kaseya,"",Kaseya
RemoteAdmin,Level,"",Level
RemoteAdmin,LogMeIn,"",LogMeIn
RemoteAdmin,MeshAgent,"",MeshAgent
RemoteAdmin,NetMonitor,"",NetMonitorforEmployeesProfessional
RemoteAdmin,QuickAssist,"",QuickAssist
RemoteAdmin,RDP_Cache,"",RDPCache
RemoteAdmin,RDP_Logs,"",RDPLogs
RemoteAdmin,Radmin,"",Radmin
RemoteAdmin,Remcos_RAT,"",Remcos
RemoteAdmin,Remote_Utilities,"",RemoteUtilities_app
RemoteAdmin,RustDesk,"",RustDesk
RemoteAdmin,ScreenConnect_ConnectWise_Control_,"",ScreenConnect
RemoteAdmin,Splashtop,"",Splashtop
RemoteAdmin,Supremo_Remote_Desktop_Control,"",SupremoRemoteDesktop
RemoteAdmin,TeamViewer,"",TeamViewerLogs
RemoteAdmin,UEMS,"",UEMS
RemoteAdmin,UltraViewer,"",UltraViewer
RemoteAdmin,VNC,"",VNCLogs
RemoteAdmin,Xeox,"",Xeox
RemoteAdmin,ZohoAssist,"",ZohoAssist
RemoteAdmin,mRemoteNG,"",mRemoteNG
RemoteDesktopManager,Connections_log,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\Connections.log",
RemoteDesktopManager,Favorites_XML,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\*\Favorites.xml",
RemoteDesktopManager,Most_Recently_Used_XML,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\*\Mru.xml",
RemoteDesktopManager,RemoteDesktopManager_cfg,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.cfg",
RemoteDesktopManager,SQLite_Data_Sources,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\*.db",
RemoteDesktopManager,XML_Data_Sources,"Users\*\AppData\Local\Devolutions\RemoteDesktopManager\*.xml",
RemoteUtilities_app,RemoteUtilities_Connection_Logs,"Program Files*\Remote Utilities - Host\Logs\rut_log_*.html",
RemoteUtilities_app,RemoteUtilities_Install_Log,"ProgramData\Remote Utilities\install.log",
RoamingProfile,Amcache,"**\Amcache.hve",
RoamingProfile,Amcache_transaction_files,"**\Amcache.hve.LOG*",
RoamingProfile,Chrome_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\**\Cookies*",
RoamingProfile,Chrome_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\**\Cookies*",
RoamingProfile,Chrome_Current_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session",
RoamingProfile,Chrome_Current_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session",
RoamingProfile,Chrome_Current_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs",
RoamingProfile,Chrome_Current_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs",
RoamingProfile,Chrome_Download_Metadata,"Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata",
RoamingProfile,Chrome_Download_Metadata,"Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata",
RoamingProfile,Chrome_Extension_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies",
RoamingProfile,Chrome_Extension_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies",
RoamingProfile,Chrome_Favicons,"Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*",
RoamingProfile,Chrome_Favicons,"Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*",
RoamingProfile,Chrome_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\History*",
RoamingProfile,Chrome_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\History*",
RoamingProfile,Chrome_Last_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session",
RoamingProfile,Chrome_Last_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session",
RoamingProfile,Chrome_Last_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs",
RoamingProfile,Chrome_Last_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs",
RoamingProfile,Chrome_Login_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data",
RoamingProfile,Chrome_Login_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data",
RoamingProfile,Chrome_Media_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*",
RoamingProfile,Chrome_Media_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*",
RoamingProfile,Chrome_Network_Action_Predictor,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor",
RoamingProfile,Chrome_Network_Action_Predictor,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor",
RoamingProfile,Chrome_Network_Persistent_State,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State",
RoamingProfile,Chrome_Network_Persistent_State,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State",
RoamingProfile,Chrome_Preferences,"Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences",
RoamingProfile,Chrome_Preferences,"Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences",
RoamingProfile,Chrome_Quota_Manager,"Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager",
RoamingProfile,Chrome_Quota_Manager,"Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager",
RoamingProfile,Chrome_Reporting_and_NEL,"Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL",
RoamingProfile,Chrome_Reporting_and_NEL,"Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL",
RoamingProfile,Chrome_Sessions_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*",
RoamingProfile,Chrome_Sessions_Folder,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sessions\*",
RoamingProfile,Chrome_Shortcuts,"Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*",
RoamingProfile,Chrome_Shortcuts,"Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*",
RoamingProfile,Chrome_SyncData_Database,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3",
RoamingProfile,Chrome_SyncData_Database,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3",
RoamingProfile,Chrome_Top_Sites,"Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*",
RoamingProfile,Chrome_Top_Sites,"Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*",
RoamingProfile,Chrome_Trust_Tokens,"Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*",
RoamingProfile,Chrome_Trust_Tokens,"Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*",
RoamingProfile,Chrome_Visited_Links,"Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links",
RoamingProfile,Chrome_Visited_Links,"Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links",
RoamingProfile,Chrome_Web_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*",
RoamingProfile,Chrome_Web_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*",
RoamingProfile,Chrome_bookmarks,"Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*",
RoamingProfile,Chrome_bookmarks,"Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*",
RoamingProfile,Desktop_LNK_Files,"**\*.LNK",
RoamingProfile,Edge_folder,"Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**",
RoamingProfile,Edge_folder,"Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\**",
RoamingProfile,Excel_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Excel\*",
RoamingProfile,LNK_Files,"**\*.LNK",
RoamingProfile,LNK_Files_from_Microsoft_Office_Recent,"Users\*\AppData\Roaming\Microsoft\Office\Recent\**",
RoamingProfile,LNK_Files_from_Microsoft_Office_Recent,"Users\*\AppData\Roaming\Microsoft\Office\Recent\**",
RoamingProfile,LNK_Files_from_Recent,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\**",
RoamingProfile,LNK_Files_from_Recent,"Users\*\AppData\Roaming\Microsoft\Windows\Recent\**",
RoamingProfile,NTUSER_DAT_DEFAULT_registry_hive,"**\DEFAULT",
RoamingProfile,NTUSER_DAT_DEFAULT_transaction_files,"**\DEFAULT.LOG*",
RoamingProfile,NTUSER_DAT_registry_hive,"**\NTUSER.DAT",
RoamingProfile,NTUSER_DAT_registry_transaction_files,"**\NTUSER.DAT.LOG*",
RoamingProfile,Office_Document_Cache,"Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*",
RoamingProfile,Office_Document_Cache,"Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache\*",
RoamingProfile,PowerPoint_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\PowerPoint\*",
RoamingProfile,Publisher_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Word\*",
RoamingProfile,Publisher_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Publisher\*",
RoamingProfile,UsrClass_dat_registry_hive,"**\UsrClass.dat",
RoamingProfile,UsrClass_dat_registry_transaction_files,"**\UsrClass.dat.LOG*",
RoamingProfile,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
RoamingProfile,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
RoamingProfile,Word_Autosave_Location,"Users\*\AppData\Roaming\Microsoft\Word\*",
Robo_FTP,Robo_FTP_Debug_Logs,"Program Files\Robo-FTP 3.12\ProgramData\Debug\*",
Robo_FTP,Robo_FTP_Jobs,"Program Files\Robo-FTP 3.12\ProgramData\SchedulerService.sqlite",
Robo_FTP,Robo_FTP_PGP_Keys,"Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\*",
Robo_FTP,Robo_FTP_SSH_Keys,"Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\*",
Robo_FTP,Robo_FTP_SSL_Certificates,"Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\*",
Robo_FTP,Robo_FTP_Script_Trace_Logs,"Program Files\Robo-FTP 3.12\ProgramData\Logs\*",
Robo_FTP,Robo_FTP_User_Debug_Logs,"Program Files\Robo-FTP 3.12\UserData\*\Debug\*.log",
Robo_FTP,Robo_FTP_User_PGP_Keys,"Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\*",
Robo_FTP,Robo_FTP_User_SSH_Keys,"Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\*",
Robo_FTP,Robo_FTP_User_SSL_Certificates,"Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\*",
Robo_FTP,Robo_FTP_User_Script_Trace_Logs,"Program Files\Robo-FTP 3.12\UserData\*\Logs\*",
Robo_FTP,Robo_FTP_User_Scripts,"Program Files\Robo-FTP 3.12\UserData\*\Scripts\*.s",
Robo_FTP,Robo_FTP_User_XML_Config,"Program Files\Robo-FTP 3.12\UserData\*\config.xml",
Robo_FTP,Robo_FTP_XML_Config,"Program Files\Robo-FTP 3.12\ProgramData\config.xml",
RogueKiller,RogueKiller_Reports,"ProgramData\RogueKiller\logs\AdliceReport_*.json",
RustDesk,RustDesk_logs,"Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server\*",
RustDesk,RustDesk_logs,"Users\*\AppData\Roaming\RustDesk\*",
SABnbzd,Usenet_Clients_SABnzbd_Download_Logs,"Users\*\AppData\Local\sabnzbd\logs\sabnzbd.log",
SABnbzd,Usenet_Clients_SABnzbd_History_db,"Users\*\AppData\Local\sabnzbd\admin\history1.db",
SCCMClientLogs,SCCM_Client_Log_Files,"Windows\CCM\Logs\*",
SDB,SDB_Files,"Windows\apppatch\Custom\*.sdb",
SDB,SDB_Files,"Windows.old\Windows\apppatch\Custom\*.sdb",
SDB,SDB_Files_x64,"Windows\apppatch\Custom\Custom64\*.sdb",
SDB,SDB_Files_x64,"Windows.old\Windows\apppatch\Custom\Custom64\*.sdb",
SOFELK,EventLogs,"",EventLogs
SOFELK,EvidenceOfExecution,"",EvidenceOfExecution
SOFELK,FileSystem,"",FileSystem
SOFELK,LNKFilesAndJumpLists,"",LNKFilesAndJumpLists
SOFELK,Prefetch,"",Prefetch
SQLiteDatabases,4K_Video_Downloader,"Users\*\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite",
SQLiteDatabases,ActivitiesCache_db,"Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*",
SQLiteDatabases,Addons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*",
SQLiteDatabases,Bitdefender_SQLite_DB_Files,"Program Files*\Bitdefender*\**\*.{db,db-wal,db-shm}",
SQLiteDatabases,Bookmarks,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*",
SQLiteDatabases,Chrome_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*",
SQLiteDatabases,Chrome_Cookies_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*",
SQLiteDatabases,Chrome_Current_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session",
SQLiteDatabases,Chrome_Current_Session_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session",
SQLiteDatabases,Chrome_Current_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs",
SQLiteDatabases,Chrome_Current_Tabs_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs",
SQLiteDatabases,Chrome_Download_Metadata,"Users\*\AppData\Local\Google\Chrome\User Data\*\Download Metadata",
SQLiteDatabases,Chrome_Extension_Cookies,"Users\*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies",
SQLiteDatabases,Chrome_Favicons,"Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*",
SQLiteDatabases,Chrome_Favicons_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*",
SQLiteDatabases,Chrome_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\History*",
SQLiteDatabases,Chrome_History_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*",
SQLiteDatabases,Chrome_Last_Session,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session",
SQLiteDatabases,Chrome_Last_Session_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session",
SQLiteDatabases,Chrome_Last_Tabs,"Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs",
SQLiteDatabases,Chrome_Last_Tabs_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs",
SQLiteDatabases,Chrome_Login_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data",
SQLiteDatabases,Chrome_Login_Data_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data",
SQLiteDatabases,Chrome_Media_History,"Users\*\AppData\Local\Google\Chrome\User Data\*\Media History*",
SQLiteDatabases,Chrome_Network_Action_Predictor,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor",
SQLiteDatabases,Chrome_Network_Persistent_State,"Users\*\AppData\Local\Google\Chrome\User Data\*\Network Persistent State",
SQLiteDatabases,Chrome_Preferences,"Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences",
SQLiteDatabases,Chrome_Preferences_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences",
SQLiteDatabases,Chrome_Quota_Manager,"Users\*\AppData\Local\Google\Chrome\User Data\*\QuotaManager",
SQLiteDatabases,Chrome_Reporting_and_NEL,"Users\*\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL",
SQLiteDatabases,Chrome_Shortcuts,"Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*",
SQLiteDatabases,Chrome_Shortcuts_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*",
SQLiteDatabases,Chrome_SyncData_Database,"Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3",
SQLiteDatabases,Chrome_Top_Sites,"Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*",
SQLiteDatabases,Chrome_Top_Sites_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*",
SQLiteDatabases,Chrome_Trust_Tokens,"Users\*\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*",
SQLiteDatabases,Chrome_Visited_Links,"Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links",
SQLiteDatabases,Chrome_Visited_Links_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links",
SQLiteDatabases,Chrome_Web_Data,"Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*",
SQLiteDatabases,Chrome_Web_Data_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*",
SQLiteDatabases,Chrome_bookmarks,"Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*",
SQLiteDatabases,Chrome_bookmarks_XP,"Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*",
SQLiteDatabases,Cookies,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*",
SQLiteDatabases,Cookies,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*",
SQLiteDatabases,Downloads,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\host.db",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\host.dbx",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\avatarcache.db",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\sync_history.db",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\home.db",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\config.dbx",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\filecache.db*",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\avatarcache.db",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\sync\aggregation.dbx",
SQLiteDatabases,Dropbox_Metadata,"Users\*\AppData\Local\Dropbox\*\icon.db",
SQLiteDatabases,Edge_Bookmarks,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*",
SQLiteDatabases,Edge_Collections,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite",
SQLiteDatabases,Edge_Cookies,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Cookies*",
SQLiteDatabases,Edge_Current_Session,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Session",
SQLiteDatabases,Edge_Current_Tabs,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs",
SQLiteDatabases,Edge_Favicons,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Favicons*",
SQLiteDatabases,Edge_History,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\History*",
SQLiteDatabases,Edge_Last_Session,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Session",
SQLiteDatabases,Edge_Last_Tabs,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs",
SQLiteDatabases,Edge_Login_Data,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data",
SQLiteDatabases,Edge_Media_History,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Media History*",
SQLiteDatabases,Edge_Network_Action_Predictor,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor",
SQLiteDatabases,Edge_Preferences,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Preferences",
SQLiteDatabases,Edge_Shortcuts,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*",
SQLiteDatabases,Edge_SyncData_Database,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3",
SQLiteDatabases,Edge_Top_Sites,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*",
SQLiteDatabases,Edge_Visited_Links,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Visited Links",
SQLiteDatabases,Edge_Web_Data,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Web Data*",
SQLiteDatabases,Edge_bookmarks,"Users\*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*",
SQLiteDatabases,EventTranscript_db,"ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*",
SQLiteDatabases,EventTranscript_db,"Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*",
SQLiteDatabases,Favicons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*",
SQLiteDatabases,FileZilla_SQLite3_Log_Files,"Users\*\AppData\Roaming\FileZilla\*.sqlite3*",
SQLiteDatabases,Form_history,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*",
SQLiteDatabases,Google_File_Stream_Metadata,"Users\*\AppData\Local\Google\Drive\*\TempData\*\change_buffer\**",
SQLiteDatabases,Google_File_Stream_Metadata,"Users\*\AppData\Local\Google\Drive\*\sync_config.db",
SQLiteDatabases,Google_File_Stream_Metadata,"Users\*\AppData\Local\Google\Drive\*\snapshot.db",
SQLiteDatabases,Google_File_Stream_Metadata,"Users\*\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db",
SQLiteDatabases,IDrive_Backed_Up_Files,"ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs",
SQLiteDatabases,Microsoft_OneNote_AccessibilityCheckerIndex,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex\*",
SQLiteDatabases,Microsoft_OneNote_FullTextSearchIndex,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex\*",
SQLiteDatabases,Microsoft_OneNote_RecentNotebooks_SeenURLs,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs",
SQLiteDatabases,Microsoft_OneNote_RecentSearches,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db",
SQLiteDatabases,Microsoft_OneNote_User_NoteTags,"Users\*\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db",
SQLiteDatabases,Microsoft_Sticky_Notes_1607_and_later,"Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*",
SQLiteDatabases,Microsoft_To_Do_SQLite_Database_of_To_Do_tasks,"Users\*\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*",
SQLiteDatabases,Notion_Local_Storage,"Users\*\AppData\Roaming\Notion\notion.db",
SQLiteDatabases,Permissions,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*",
SQLiteDatabases,Places,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*",
SQLiteDatabases,Protections,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*",
SQLiteDatabases,Robo_FTP_Jobs,"Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite",
SQLiteDatabases,Search,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*",
SQLiteDatabases,Signons,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*",
SQLiteDatabases,Storage_Sync,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*",
SQLiteDatabases,TeraCopy_History_Databases,"Users\*\AppData\Roaming\TeraCopy\History\*.db",
SQLiteDatabases,TeraCopy_Main_Database,"Users\*\AppData\Roaming\TeraCopy\main.db",
SQLiteDatabases,Update_Store_db,"ProgramData\USOPrivate\UpdateStore\store.db",
SQLiteDatabases,Webappstore,"Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*",
SQLiteDatabases,Windows_10_Notification_DB,"Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db",
SQLiteDatabases,Windows_10_Notification_DB,"Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat",
SRUM,SOFTWARE_registry_hive,"Windows.old\Windows\System32\config\SOFTWARE",
SRUM,SOFTWARE_registry_hive,"Windows\System32\config\SOFTWARE",
SRUM,SOFTWARE_registry_transaction_files,"Windows.old\Windows\System32\config\SOFTWARE.LOG*",
SRUM,SOFTWARE_registry_transaction_files,"Windows\System32\config\SOFTWARE.LOG*",
SRUM,SRUM,"Windows\System32\SRU\**",
SRUM,SRUM,"Windows.old\Windows\System32\SRU\**",
SUM,SUM_Database_mdb_files_,"Windows\System32\LogFiles\SUM\**",
SUPERAntiSpyware,SUPERAntiSpyware_Logs,"Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\**",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_bash_history,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**\.bash_history",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_bashrc,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**\.bashrc",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_bash_bashrc,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\bash.bashrc",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_fstab,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\fstab",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_group,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\group",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_hostname,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hostname",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_hosts,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\hosts",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_os_release,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\os-release",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_passwd,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\passwd",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_profile,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\profile",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_shadow,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\shadow",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_etc_timezone,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc\timezone",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_ext4_vhdx,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\ext4.vhdx",
SUSELinuxEnterpriseServer,SUSE_Linux_Enterprise_Server_WSL_profile,"Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\**\.profile",
ScheduledTasks,PowerShell_Scheduled_Jobs,"Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**",
ScheduledTasks,PowerShell_Scheduled_Jobs_Output,"Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**",
ScheduledTasks,PowerShell_Scheduled_Jobs_Output_Systemprofile,"Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**",
ScheduledTasks,PowerShell_Scheduled_Jobs_Output_WOW64_Systemprofile,"Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\**",
ScheduledTasks,PowerShell_Scheduled_Jobs_Systemprofile,"Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**",
ScheduledTasks,PowerShell_Scheduled_Jobs_WOW64_Systemprofile,"Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\**",
ScheduledTasks,XML,"Windows\syswow64\Tasks\**",
ScheduledTasks,XML,"Windows.old\Windows\System32\Tasks\**",
ScheduledTasks,XML,"Windows\System32\Tasks\**",
ScheduledTasks,at_SchedLgU_txt,"Windows\SchedLgU.txt",
ScheduledTasks,at_SchedLgU_txt,"Windows.old\Windows\SchedLgU.txt",
ScheduledTasks,at_job,"Windows.old\Windows\Tasks\*.job",
ScheduledTasks,at_job,"Windows\Tasks\*.job",
ScreenConnect,ScreenConnect_Application_Events,"",ApplicationEvents
ScreenConnect,ScreenConnect_Session_Database,"Program Files*\ScreenConnect\App_Data\Session.db",
ScreenConnect,ScreenConnect_Session_Database,"Program Files*\ScreenConnect\App_Data\User.xml",
ScreenConnect,ScreenConnect_User_Config,"ProgramData\ScreenConnect Client*\user.config",
SecureAge,SecureAge_Antvirus_Logs,"ProgramData\SecureAge Technology\SecureAge\log\**",
SentinelOne,SentinelOne_EDR_Log,"programdata\sentinel\logs\**",
ServerTriage,Confluence,"",ConfluenceLogs
ServerTriage,Exchange,"",Exchange
ServerTriage,FileZilla_Server,"",FileZillaServer
ServerTriage,ManageEngine,"",ManageEngineLogs
ServerTriage,OpenSSH_Server,"",OpenSSHServer
ServerTriage,WebServers,"",WebServers
Session,Session_App_Folder,"Users\*\AppData\Roaming\Session\**",
ShareX,ShareX,"Users\*\Documents\ShareX\**",
Shareaza,Shareaza_Logs,"Users\*\AppData\Roaming\Shareaza\**",
SiemensTIA,Siemens_TIA_Settings,"Users\*\AppData\Roaming\Siemens\Automation\Portal*\Settings\**",
Signal,Signal_Attachments_cache,"Users\*\AppData\Roaming\Signal\attachments.noindex\**",
Signal,Signal_Database,"Users\*\AppData\Roaming\Signal\sql\db.sqlite",
Signal,Signal_Logs,"Users\*\AppData\Roaming\Signal\logs\**",
Signal,Signal_config_json,"Users\*\AppData\Roaming\Signal\config.json",
SignatureCatalog,SignatureCatalog,"Windows\System32\CatRoot\**",
SignatureCatalog,SignatureCatalog,"Windows.old\Windows\System32\CatRoot\**",
SimpleHelp,SimpleHelp_ProgramData_JWrapper_Logs,"ProgramData\JWrapper-Remote Access\logs\*",
SimpleHelp,SimpleHelp_ProgramData_SimpleHelp_Logs,"ProgramData\SimpleHelp\logs\*",
SimpleHelp,SimpleHelp_User_AppData_Technician_Console_Logs,"Users\*\AppData\Roaming\JWrapper-SimpleHelp Technician\logs\*",
Skype,Skype_for_Destkop_v8_Chromium_Cache,"Users\*\AppData\Roaming\Microsoft\Skype for Desktop\Cache\**",
Skype,leveldb_Skype_for_Desktop_v8_,"Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\**",
Skype,main_db_App_v12_,"Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db",
Skype,main_db_Win7_,"Users\*\AppData\Roaming\Skype\*\main.db",
Skype,main_db_XP,"Documents and Settings\*\Application Data\Skype\*\main.db",
Skype,s4l_username_db_App_v8_,"Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db",
Skype,skype_db_App_v12_,"Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db",
Slack,Slack_Cache,"Users\*\AppData\Roaming\Slack\Cache\**",
Slack,Slack_Chat_Logs,"Users\*\AppData\Roaming\Slack\IndexedDB\**",
Slack,Slack_Electron_Logs,"Users\*\AppData\Roaming\Slack\logs\**",
Slack,Slack_LevelDB_Files,"Users\*\AppData\Roaming\Slack\Local Storage\leveldb\**",
Slack,Slack_Storage,"Users\*\AppData\Roaming\Slack\storage\**",
Snagit,Snagit_Captures,"Users\*\AppData\Local\TechSmith\Snagit\DataStore\*",
SnipAndSketch,Snip_Sketch,"Users\*\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\ScreenClip\*.json",
SnipAndSketch,Snip_Sketch,"Users\*\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\*.png",
SnipAndSketch,Snip_Sketch,"Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\*.png",
SnippingTool,SnippingTools_screenshots_cached,"Users\*\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips\*.png",
SnippingTool,SnippingTools_screenshots_in_Pictures,"Users\*\Pictures\Screenshots\*.png",
SoftPerfectNetscan,Netscan_XML_default_output,"**\netscan.xml",
Sophos,Sophos_Application_Events,"",ApplicationEvents
Sophos,Sophos_Logs,"ProgramData\Sophos\Logs\**",
Sophos,Sophos_Logs,"ProgramData\Sophos\*\Logs\**",
Sophos,Sophos_Logs_XP_,"Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\**",
Soulseek,Soulseek_Chat_Logs,"Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs\**",
Soulseek,Soulseek_Search_History_Shared_Folders_Settings,"Users\*\AppData\Local\SoulseekQt\1\*.dat",
SpeedCommander,SpeedCommander_ini_File,"Users\*\AppData\Roaming\SpeedProject\SpeedCommander 19\*",
Splashtop,Splashtop_Log_Files,"Program Files*\Splashtop\Splashtop Remote\Server\log\**",
Splashtop,Splashtop_Log_Files_in_ProgramData,"ProgramData\Splashtop\Temp\log\**",
StartupFolders,System_wide_startup_folder,"ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*",
StartupFolders,User_startup_folders,"Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*",
StartupInfo,StartupInfo_XML_Files,"Windows\System32\WDI\LogFiles\StartupInfo\*.xml",
StartupInfo,StartupInfo_XML_Files,"Windows.old\Windows\System32\WDI\LogFiles\StartupInfo\*.xml",
Steam,Steam_Friend_List_and_Username_History_file,"Program Files\Steam\userdata\*\config\**\localconfig.vdf",
Steam,Steam_Friend_List_and_Username_History_file,"Program Files (x86)\Steam\userdata\*\config\**\localconfig.vdf",
Steam,Steam_Game_Image_files,"Program Files\Steam\appcache\librarycache\**",
Steam,Steam_Game_Image_files,"Program Files (x86)\Steam\appcache\librarycache\**",
Steam,Steam_Game_Tray_Icon_files,"Program Files\Steam\steam\games\**",
Steam,Steam_Game_Tray_Icon_files,"Program Files (x86)\Steam\steam\games\**",
Steam,Steam_Login_Metadata_file,"Program Files\Steam\config\**\loginusers.vdf",
Steam,Steam_Login_Metadata_file,"Program Files (x86)\Steam\config\**\loginusers.vdf",
Steam,Steam_Startup_Times_Log_file,"Program Files\Steam\logs\**\bootstrap_log.txt",
Steam,Steam_Startup_Times_Log_file,"Program Files (x86)\Steam\logs\**\bootstrap_log.txt",
Steam,Steam_User_Avatar_files,"Program Files\Steam\config\avatarcache\**",
Steam,Steam_User_Avatar_files,"Program Files (x86)\Steam\config\avatarcache\**",
SublimeText,SublimeText_2_3_Auto_Save_Session,"Users\*\AppData\Roaming\Sublime Text*\Settings\Session.sublime_session",
SublimeText,SublimeText_4_Auto_Save_Session,"Users\*\AppData\Roaming\Sublime Text*\Local\*.sublime_session",
SugarSync,SugarSync_Log_File,"Users\*\AppData\Local\SugarSync\sc1.log",
SugarSync,SugarSync_My_SugarSync_Default_Location_,"Users\*\Documents\My SugarSync\**",
SugarSync,SugarSync_Shared_Folders_Default_Location_,"Users\*\Documents\SugarSync Shared Folders\**",
SumatraPDF,SumatraPDF_Cache,"Users\*\AppData\Local\SumatraPDF\sumatrapdfcache\*",
SumatraPDF,SumatraPDF_Settings_SessionData,"Users\*\AppData\Local\SumatraPDF\SumatraPDF-settings.txt",
Supermium,SYSTEM_Supermium_History,"Windows\system32\config\systemprofile\AppData\Local\Supermium\User Data\*\History*",
Supermium,Supermium_Bookmarks,"Users\*\AppData\Local\Supermium\User Data\*\Bookmarks*",
Supermium,Supermium_Bookmarks_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Bookmarks*",
Supermium,Supermium_Cookies,"Users\*\AppData\Local\Supermium\User Data\*\**\Cookies*",
Supermium,Supermium_Cookies_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\**\Cookies*",
Supermium,Supermium_Current_Session,"Users\*\AppData\Local\Supermium\User Data\*\Current Session",
Supermium,Supermium_Current_Session_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Current Session",
Supermium,Supermium_Current_Tabs,"Users\*\AppData\Local\Supermium\User Data\*\Current Tabs",
Supermium,Supermium_Current_Tabs_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Current Tabs",
Supermium,Supermium_Download_Metadata,"Users\*\AppData\Local\Supermium\User Data\*\DownloadMetadata",
Supermium,Supermium_Extension_Cookies,"Users\*\AppData\Local\Supermium\User Data\*\Extension Cookies",
Supermium,Supermium_Favicons,"Users\*\AppData\Local\Supermium\User Data\*\Favicons*",
Supermium,Supermium_Favicons_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Favicons*",
Supermium,Supermium_History,"Users\*\AppData\Local\Supermium\User Data\*\History*",
Supermium,Supermium_History_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\History*",
Supermium,Supermium_Last_Session,"Users\*\AppData\Local\Supermium\User Data\*\Last Session",
Supermium,Supermium_Last_Session_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Last Session",
Supermium,Supermium_Last_Tabs,"Users\*\AppData\Local\Supermium\User Data\*\Last Tabs",
Supermium,Supermium_Last_Tabs_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Last Tabs",
Supermium,Supermium_Login_Data,"Users\*\AppData\Local\Supermium\User Data\*\Login Data*",
Supermium,Supermium_Login_Data_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Login Data*",
Supermium,Supermium_Media_History,"Users\*\AppData\Local\Supermium\User Data\*\Media History*",
Supermium,Supermium_Network_Action_Predictor,"Users\*\AppData\Local\Supermium\User Data\*\Network Action Predictor",
Supermium,Supermium_Network_Action_Predictor_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Network Action Predictor",
Supermium,Supermium_Network_Persistent_State,"Users\*\AppData\Local\Supermium\User Data\*\**\Network Persistent State",
Supermium,Supermium_Network_Persistent_State_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\**\Network Persistent State",
Supermium,Supermium_Preferences,"Users\*\AppData\Local\Supermium\User Data\*\Preferences",
Supermium,Supermium_Preferences_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Preferences",
Supermium,Supermium_Quota_Manager,"Users\*\AppData\Local\Supermium\User Data\*\QuotaManager",
Supermium,Supermium_Reporting_and_NEL,"Users\*\AppData\Local\Supermium\User Data\*\**\Reporting and NEL",
Supermium,Supermium_Reporting_and_NEL_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\**\Reporting and NEL",
Supermium,Supermium_Sessions_Folder,"Users\*\AppData\Local\Supermium\User Data\*\Sessions\*",
Supermium,Supermium_Sessions_Folder_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Sessions\*",
Supermium,Supermium_Shortcuts,"Users\*\AppData\Local\Supermium\User Data\*\Shortcuts*",
Supermium,Supermium_Shortcuts_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Shortcuts*",
Supermium,Supermium_Snapshots_Folder,"Users\*\AppData\Local\Supermium\User Data\Snapshots\*\**",
Supermium,Supermium_SyncData_Database,"Users\*\AppData\Local\Supermium\User Data\*\Sync Data\**",
Supermium,Supermium_SyncData_Database_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Sync Data\**",
Supermium,Supermium_Top_Sites,"Users\*\AppData\Local\Supermium\User Data\*\Top Sites*",
Supermium,Supermium_Top_Sites_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Top Sites*",
Supermium,Supermium_Trust_Tokens,"Users\*\AppData\Local\Supermium\User Data\*\**\Trust Tokens*",
Supermium,Supermium_Trust_Tokens_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\**\Trust Tokens*",
Supermium,Supermium_Visited_Links,"Users\*\AppData\Local\Supermium\User Data\*\Visited Links",
Supermium,Supermium_Visited_Links_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Visited Links",
Supermium,Supermium_Web_Data,"Users\*\AppData\Local\Supermium\User Data\*\Web Data*",
Supermium,Supermium_Web_Data_XP,"Documents and Settings\*\Application Data\Supermium\User Data\*\Web Data*",
Supermium,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
SupremoRemoteDesktop,Supremo_Connection_Logs,"ProgramData\SupremoRemoteDesktop\Log\*.log",
SupremoRemoteDesktop,Supremo_File_Transfer_Inbox,"ProgramData\SupremoRemoteDesktop\Inbox\*",
Symantec_AV_Logs,Symantec_Endpoint_Protection_Logs,"ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\**",
Symantec_AV_Logs,Symantec_Endpoint_Protection_Logs_XP_,"Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\**",
Symantec_AV_Logs,Symantec_Endpoint_Protection_Manager_SEPM_Application_Events,"",ApplicationEvents
Symantec_AV_Logs,Symantec_Endpoint_Protection_Quarantine,"ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**",
Symantec_AV_Logs,Symantec_Endpoint_Protection_Quarantine_XP_,"Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**",
Symantec_AV_Logs,Symantec_Endpoint_Protection_User_Logs,"Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\**",
Symantec_AV_Logs,Symantec_Event_Log_Win7_,"Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx",
Symantec_AV_Logs,Symantec_Event_Log_Win7_,"Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx",
Symantec_AV_Logs,ccSubSDK_Database,"ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**",
Symantec_AV_Logs,registrationInfo_xml,"ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml",
Syncthing,Syncthing_Cache_and_Storage,"Users\*\AppData\Local\SyncTrazor\*",
Syncthing,Syncthing_Configuration_and_Certificates,"Users\*\AppData\Local\Syncthing\*",
Syncthing,Syncthing_Logs,"Users\*\AppData\Roaming\SyncTrazor\*",
Syscache,Syscache,"System Volume Information\Syscache.hve",
Syscache,Syscache_transaction_files,"System Volume Information\Syscache.hve.LOG*",
TablacusExplorer,Tablacus_Explorer_remember_xml,"Users\*\AppData\Local\Temp\*\config\**\remember.xml",
TablacusExplorer,Tablacus_Explorer_window1_xml,"Users\*\AppData\Local\Temp\*\config\**\window1.xml",
TablacusExplorer,Tablacus_Explorer_window_xml,"Users\*\AppData\Local\Temp\*\config\**\window.xml",
TeamViewerLogs,TeamViewer_Application_Logs,"Program Files*\TeamViewer\TeamViewer*_Logfile*",
TeamViewerLogs,TeamViewer_Application_User_Logs,"Users\*\AppData\Roaming\TeamViewer\TeamViewer*_Logfile*",
TeamViewerLogs,TeamViewer_Configuration_Files,"Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\**",
TeamViewerLogs,TeamViewer_Connection_Logs,"Program Files*\TeamViewer\connections*.txt",
Telegram,Telegram_app_folder,"Users\*\AppData\Roaming\Telegram Desktop\**",
Telegram,Telegram_downloaded_files,"Users\*\Downloads\Telegram Desktop\**",
TeraCopy,TeraCopy,"Users\*\AppData\Roaming\TeraCopy\**",
ThumbCache,Thumbcache_DB,"Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db",
Thunderbird,Mozilla_Thunderbird_Address_Book,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\abook.sqlite",
Thunderbird,Mozilla_Thunderbird_Attachments,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*",
Thunderbird,Mozilla_Thunderbird_Calendar_Data,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\local.sqlite",
Thunderbird,Mozilla_Thunderbird_Global_Messages_Database,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\global-messages-db.sqlite",
Thunderbird,Mozilla_Thunderbird_ImapMail_INBOX,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\**\INBOX",
Thunderbird,Mozilla_Thunderbird_Install_Date,"Users\*\AppData\Roaming\Thunderbird\Crash Reports\InstallTime*",
Thunderbird,Mozilla_Thunderbird_Mail_INBOX,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail\**\INBOX",
Thunderbird,Mozilla_Thunderbird_Profiles_ini,"Users\*\AppData\Roaming\Thunderbird\profiles.ini",
Thunderbird,Mozilla_Thunderbird_logins_json,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\logins.json",
Thunderbird,Mozilla_Thunderbird_places_sqlite,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\places.sqlite",
Thunderbird,Mozilla_Thunderbird_prefs_js,"Users\*\AppData\Roaming\Thunderbird\Profiles\*\prefs.js",
TorrentClients,BitTorrent,"",BitTorrent
TorrentClients,qBittorrent,"",qBittorrent
TorrentClients,uTorrent,"",uTorrent
Torrents,Torrents,"**\*.torrent",
TotalAV,TotalAV_Logs,"ProgramData\TotalAV\logs\**",
TotalAV,TotalAV_Logs,"Program Files*\TotalAV\logs\**",
TotalCommander,Total_Commander_FTP_Logs,"Users\*\AppData\Local\Temp\tcftp.log",
TotalCommander,Total_Commander_FTP_ini_File,"Users\*\AppData\Roaming\GHISLER\wcx_ftp.ini",
TotalCommander,Total_Commander_File_Tree,"Users\*\AppData\Local\GHISLER\treeinfo*.wc",
TotalCommander,Total_Commander_Frequent_Directory_Listing,"Users\*\AppData\Local\GHISLER\tcDirFrq.txt",
TotalCommander,Total_Commander_Log_File,"**\totalcmd.log",
TotalCommander,Total_Commander_Temp_Files_Created_During_Folder_Traversal,"Users\*\AppData\Local\Temp\FTP*.tmp",
TotalCommander,Total_Commander_ini_File,"Users\*\AppData\Roaming\GHISLER\wincmd.ini",
TreeSize,TreeSize_ScanHistory_XML,"Users\*\AppData\Roaming\JAM Software\TreeSize\scanhistory.xml",
TrendMicro,Trend_Micro_Logs,"ProgramData\Trend Micro\**",
TrendMicro,Trend_Micro_Security_Agent_Connection_Logs,"Program Files*\Trend Micro\Security Agent\ConnLog\*.log",
TrendMicro,Trend_Micro_Security_Agent_Report_Logs,"Program Files*\Trend Micro\Security Agent\Report\*.log",
UCBrowser,UCBrowser_Bookmarks,"Users\*\AppData\Local\UCBrowser\User Data*\*\Bookmarks*",
UCBrowser,UCBrowser_Cookies,"Users\*\AppData\Local\UCBrowser\User Data*\*\**\Cookies*",
UCBrowser,UCBrowser_Current_Session,"Users\*\AppData\Local\UCBrowser\User Data*\*\Current Session",
UCBrowser,UCBrowser_Current_Tabs,"Users\*\AppData\Local\UCBrowser\User Data*\*\Current Tabs",
UCBrowser,UCBrowser_Download_Metadata,"Users\*\AppData\Local\UCBrowser\User Data*\*\DownloadMetadata",
UCBrowser,UCBrowser_Extension_Cookies,"Users\*\AppData\Local\UCBrowser\User Data*\*\Extension Cookies",
UCBrowser,UCBrowser_Favicons,"Users\*\AppData\Local\UCBrowser\User Data*\*\Favicons*",
UCBrowser,UCBrowser_History,"Users\*\AppData\Local\UCBrowser\User Data*\*\History*",
UCBrowser,UCBrowser_Last_Session,"Users\*\AppData\Local\UCBrowser\User Data*\*\Last Session",
UCBrowser,UCBrowser_Last_Tabs,"Users\*\AppData\Local\UCBrowser\User Data*\*\Last Tabs",
UCBrowser,UCBrowser_Login_Data,"Users\*\AppData\Local\UCBrowser\User Data*\*\Login Data*",
UCBrowser,UCBrowser_Media_History,"Users\*\AppData\Local\UCBrowser\User Data*\*\Media History*",
UCBrowser,UCBrowser_Network_Action_Predictor,"Users\*\AppData\Local\UCBrowser\User Data*\*\Network Action Predictor",
UCBrowser,UCBrowser_Network_Persistent_State,"Users\*\AppData\Local\UCBrowser\User Data*\*\Network Persistent State",
UCBrowser,UCBrowser_Preferences,"Users\*\AppData\Local\UCBrowser\User Data*\*\Preferences",
UCBrowser,UCBrowser_Quota_Manager,"Users\*\AppData\Local\UCBrowser\User Data*\*\QuotaManager",
UCBrowser,UCBrowser_Reporting_and_NEL,"Users\*\AppData\Local\UCBrowser\User Data*\*\Reporting and NEL",
UCBrowser,UCBrowser_Sessions_Folder,"Users\*\AppData\Local\UCBrowser\User Data*\*\Sessions\*",
UCBrowser,UCBrowser_Shortcuts,"Users\*\AppData\Local\UCBrowser\User Data*\*\Shortcuts*",
UCBrowser,UCBrowser_Snapshots_Folder,"Users\*\AppData\Local\UCBrowser\User Data*\Snapshots\*\**",
UCBrowser,UCBrowser_SyncData_Database,"Users\*\AppData\Local\UCBrowser\User Data*\*\Sync Data\**",
UCBrowser,UCBrowser_Top_Sites,"Users\*\AppData\Local\UCBrowser\User Data*\*\Top Sites*",
UCBrowser,UCBrowser_Trust_Tokens,"Users\*\AppData\Local\UCBrowser\User Data*\*\Trust Tokens*",
UCBrowser,UCBrowser_Visited_Links,"Users\*\AppData\Local\UCBrowser\User Data*\*\Visited Links",
UCBrowser,UCBrowser_Web_Data,"Users\*\AppData\Local\UCBrowser\User Data*\*\Web Data*",
UCBrowser,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
UEMS,Unified_endpoint_management_and_security_solutions_from_ManageEngine,"Program Files (x86)\ManageEngine\UEMS_Agent\logs\**\*.log",
UEMS,Unified_endpoint_management_and_security_solutions_from_ManageEngine,"Users\*\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\**\*.log",
USBDetective,Amcache,"",Amcache
USBDetective,Event_Logs,"",EventLogs
USBDetective,LNKFilesAndJumplists,"",LNKFilesAndJumplists
USBDetective,RegistryHives,"",RegistryHives
USBDetective,USBDevicesLogs,"",USBDevicesLogs
USBDevicesLogs,Setupapi_log_Win7_,"Windows.old\Windows\inf\setupapi.*.log",
USBDevicesLogs,Setupapi_log_Win7_,"Windows\inf\setupapi.*.log",
USBDevicesLogs,Setupapi_log_XP,"Windows\setupapi.log",
Ubuntu,Ubuntu_WSL_Apt_Logs,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt\**\*.log",
Ubuntu,Ubuntu_WSL_User_Crontabs,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs\**",
Ubuntu,Ubuntu_WSL_bash_history,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**\.bash_history",
Ubuntu,Ubuntu_WSL_bashrc,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**\.bashrc",
Ubuntu,Ubuntu_WSL_etc_bash_bashrc,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\bash.bashrc",
Ubuntu,Ubuntu_WSL_etc_crontab,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\crontab",
Ubuntu,Ubuntu_WSL_etc_fstab,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\fstab",
Ubuntu,Ubuntu_WSL_etc_group,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\group",
Ubuntu,Ubuntu_WSL_etc_hostname,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hostname",
Ubuntu,Ubuntu_WSL_etc_hosts,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\hosts",
Ubuntu,Ubuntu_WSL_etc_os_release,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\os-release",
Ubuntu,Ubuntu_WSL_etc_passwd,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\passwd",
Ubuntu,Ubuntu_WSL_etc_profile,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\profile",
Ubuntu,Ubuntu_WSL_etc_shadow,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\shadow",
Ubuntu,Ubuntu_WSL_etc_timezone,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc\timezone",
Ubuntu,Ubuntu_WSL_ext4_vhdx,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\ext4.vhdx",
Ubuntu,Ubuntu_WSL_profile,"Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\**\.profile",
Ultraviewer,UltraViewer_Connection_Log,"Program Files*\UltraViewer\ConnectionLog.Log",
Ultraviewer,UltraViewer_Service_Log,"Program Files*\UltraViewer\UltraViewerService_log.txt",
Ultraviewer,UltraViewer_System_Logs,"Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer\**",
Ultraviewer,UltraViewer_User_Logs,"Users\*\AppData\Roaming\UltraViewer\**",
UsenetClients,NZBGet,"",NZBGet
UsenetClients,NewsbinPro,"",NewsbinPro
UsenetClients,Newsleecher,"",Newsleecher
UsenetClients,SABnbzd,"",SABnbzd
Usenet,Usenet_NZB_Files,"**\*.nzb",
UsersFolders,Users,"Users\*\**",
VIPRE,VIPRE_Business_Agent_Logs,"ProgramData\VIPRE Business Agent\Logs\**",
VIPRE,VIPRE_Business_User_Logs_up_to_v4_,"Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\**",
VIPRE,VIPRE_Business_User_Logs_v5_v6_,"Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\**",
VIPRE,VIPRE_Business_User_Logs_v7_,"Users\*\AppData\Roaming\VIPRE Business\**",
VLC_Media_Player,VLC_Recently_Opened_Files,"Users\*\AppData\Roaming\vlc\vlc-qt-interface.ini",
VLC_Media_Player,VLC_Recorded_Files,"Users\*\Videos\vlc-*.avi",
VMwareInventory,VMware_Virtual_Machine_Inventory,"Users\*\AppData\Roaming\VMware\*",
VMwareMemory,VMware_Fusion_Workstation_Server_Player_,"**\*.vmem",
VMwareMemory,VMware_Fusion_Workstation_Server_Player_,"**\*.vmsn",
VMwareMemory,VMware_Fusion_Workstation_Server_Player_,"**\*.vmss",
VMware,VMware_Inventory,"",VMwareInventory
VMware,VMware_Memory,"",VMwareMemory
VMware,Virtual_Hard_Drives,"",VirtualDisks
VNCLogs,RealVNC_Application_Logs,"",ApplicationEvents
VNCLogs,RealVNC_Log,"Users\*\AppData\Local\RealVNC\vncserver.log",
VNCLogs,RealVNC_Log,"ProgramData\RealVNC-Service\vncserver.log",
VNCLogs,TightVNC_Application_Logs,"ProgramData\TightVNC\Server\Logs\*",
Viber,Viber_Config_Database,"Users\*\AppData\Roaming\ViberPC\config.db",
Viber,Viber_Users_Avatars_Cache,"Users\*\AppData\Roaming\ViberPC\*\Avatars\*",
Viber,Viber_Users_Backgrounds_Cache,"Users\*\AppData\Roaming\ViberPC\*\Backgrounds\*",
Viber,Viber_Users_Data_Database,"Users\*\AppData\Roaming\ViberPC\*\viber.db",
Viber,Viber_Users_Thumbnails_Cache,"Users\*\AppData\Roaming\ViberPC\*\Thumbnails\*",
VirtualBoxConfig,VirtualBox_VM_backup_configs,"**\*.vbox-prev",
VirtualBoxConfig,VirtualBox_VM_configs,"**\*.vbox",
VirtualBoxLogs,VirtualBox_Backup_Logs,"**\VBox.log.*",
VirtualBoxLogs,VirtualBox_Hardening_Logs,"**\VBoxHardening.log",
VirtualBoxLogs,VirtualBox_Logs,"**\VBox.log",
VirtualBoxMemory,VirtualBox,"**\*.sav",
VirtualBox,VirtualBox_Configs,"",VirtualBoxConfig
VirtualBox,VirtualBox_Logs,"",VirtualBoxLogs
VirtualBox,VirtualBox_Memory,"",VirtualBoxMemory
VirtualBox,Virtual_Hard_Drives,"",VirtualDisks
VirtualDisks,VDI,"**\*.VDI",
VirtualDisks,VHD,"**\*.VHD",
VirtualDisks,VHDX,"**\*.VHDX",
VirtualDisks,VMDK,"**\*.VMDK",
VisualStudioCode,VSCode_File_Backups,"Users\*\AppData\Roaming\Code\Backups\*\**",
VisualStudioCode,VSCode_Logs,"Users\*\AppData\Roaming\Code\logs\**",
VisualStudioCode,VSCode_Network_Cookies,"Users\*\AppData\Roaming\Code\Network\Cookies*",
VisualStudioCode,VSCode_Network_Persistent_State,"Users\*\AppData\Roaming\Code\Network\Network Persistent State*",
VisualStudioCode,VSCode_Opened_Files,"Users\*\AppData\Roaming\Code\User\History\*\**",
VisualStudioCode,VSCode_User_Preferences,"Users\*\AppData\Roaming\Code\preferences*",
VisualStudioCode,VSCode_User_extensions,"Users\*\AppData\Roaming\Code\CachedExtensions\user*",
VisualStudioCode,VSCode_User_settings,"Users\*\AppData\Roaming\Code\User\settings.json*",
VisualStudioCode,VSCode_Workspaces,"Users\*\AppData\Roaming\Code\User\globalStorage\storage.json*",
Vivaldi,Vivaldi_Bookmarks,"Users\*\AppData\Local\Vivaldi\User Data\*\Bookmarks*",
Vivaldi,Vivaldi_Calendar,"Users\*\AppData\Local\Vivaldi\User Data\*\Calendar*",
Vivaldi,Vivaldi_Contacts,"Users\*\AppData\Local\Vivaldi\User Data\*\Contacts*",
Vivaldi,Vivaldi_Cookies,"Users\*\AppData\Local\Vivaldi\User Data\*\**\Cookies*",
Vivaldi,Vivaldi_Download_Metadata,"Users\*\AppData\Local\Vivaldi\User Data\*\DownloadMetadata*",
Vivaldi,Vivaldi_Favicons,"Users\*\AppData\Local\Vivaldi\User Data\*\Favicons*",
Vivaldi,Vivaldi_History,"Users\*\AppData\Local\Vivaldi\User Data\*\History*",
Vivaldi,Vivaldi_Login_Data,"Users\*\AppData\Local\Vivaldi\User Data\*\Login Data",
Vivaldi,Vivaldi_Network_Action_Predictor,"Users\*\AppData\Local\Vivaldi\User Data\*\Network Action Predictor",
Vivaldi,Vivaldi_Network_Persistent_State,"Users\*\AppData\Local\Vivaldi\User Data\*\**\Network Persistent State",
Vivaldi,Vivaldi_Notes,"Users\*\AppData\Local\Vivaldi\User Data\*\Notes*",
Vivaldi,Vivaldi_Preferences,"Users\*\AppData\Local\Vivaldi\User Data\*\Preferences",
Vivaldi,Vivaldi_Sessions_Folder,"Users\*\AppData\Local\Vivaldi\User Data\*\Sessions\*",
Vivaldi,Vivaldi_Top_Sites,"Users\*\AppData\Local\Vivaldi\User Data\*\Top Sites*",
Vivaldi,Vivaldi_User_Tracking,"Users\*\.vivaldi_reporting_data*",
Vivaldi,Vivaldi_Visited_Links,"Users\*\AppData\Local\Vivaldi\User Data\*\Visited Links",
Vivaldi,Vivaldi_Web_Data,"Users\*\AppData\Local\Vivaldi\User Data\*\Web Data*",
WBEM,WBEM,"Windows\System32\wbem\Repository\**",
WBEM,WBEM,"Windows.old\Windows\System32\wbem\Repository\**",
WER,Crash_Dumps,"Windows\*.dmp",
WER,Crash_Dumps,"Users\*\AppData\Local\CrashDumps\*.dmp",
WER,Crash_Dumps,"Windows.old\Windows\*.dmp",
WER,WER_Files,"Users\*\AppData\Local\Microsoft\Windows\WER\**",
WER,WER_Files,"ProgramData\Microsoft\Windows\WER\**",
WSL,Debian,"",Debian
WSL,Kali,"",Kali
WSL,SUSE_Linux_Enterprise_Server,"",SUSELinuxEnterpriseServer
WSL,Ubuntu,"",Ubuntu
WSL,openSUSE,"",openSUSE
WaveBrowser,SYSTEM_WaveBrowser_History,"Windows\system32\config\systemprofile\AppData\Local\WaveBrowser\User Data\*\History*",
WaveBrowser,WaveBrowser_Cookies,"Users\*\AppData\Local\WaveBrowser\User Data\*\**\Cookies*",
WaveBrowser,WaveBrowser_Current_Session,"Users\*\AppData\Local\WaveBrowser\User Data\*\Current Session",
WaveBrowser,WaveBrowser_Current_Tabs,"Users\*\AppData\Local\WaveBrowser\User Data\*\Current Tabs",
WaveBrowser,WaveBrowser_Download_Metadata,"Users\*\AppData\Local\WaveBrowser\User Data\*\DownloadMetadata",
WaveBrowser,WaveBrowser_Extension_Cookies,"Users\*\AppData\Local\WaveBrowser\User Data\*\Extension Cookies",
WaveBrowser,WaveBrowser_Favicons,"Users\*\AppData\Local\WaveBrowser\User Data\*\Favicons*",
WaveBrowser,WaveBrowser_History,"Users\*\AppData\Local\WaveBrowser\User Data\*\History*",
WaveBrowser,WaveBrowser_Last_Session,"Users\*\AppData\Local\WaveBrowser\User Data\*\Last Session",
WaveBrowser,WaveBrowser_Last_Tabs,"Users\*\AppData\Local\WaveBrowser\User Data\*\Last Tabs",
WaveBrowser,WaveBrowser_Login_Data,"Users\*\AppData\Local\WaveBrowser\User Data\*\Login Data",
WaveBrowser,WaveBrowser_Media_History,"Users\*\AppData\Local\WaveBrowser\User Data\*\Media History*",
WaveBrowser,WaveBrowser_Network_Action_Predictor,"Users\*\AppData\Local\WaveBrowser\User Data\*\Network Action Predictor",
WaveBrowser,WaveBrowser_Network_Persistent_State,"Users\*\AppData\Local\WaveBrowser\User Data\*\Network Persistent State",
WaveBrowser,WaveBrowser_Preferences,"Users\*\AppData\Local\WaveBrowser\User Data\*\Preferences",
WaveBrowser,WaveBrowser_Quota_Manager,"Users\*\AppData\Local\WaveBrowser\User Data\*\QuotaManager",
WaveBrowser,WaveBrowser_Reporting_and_NEL,"Users\*\AppData\Local\WaveBrowser\User Data\*\Reporting and NEL",
WaveBrowser,WaveBrowser_Sessions_Folder,"Users\*\AppData\Local\WaveBrowser\User Data\*\Sessions\*",
WaveBrowser,WaveBrowser_Shortcuts,"Users\*\AppData\Local\WaveBrowser\User Data\*\Shortcuts*",
WaveBrowser,WaveBrowser_Snapshots_Folder,"Users\*\AppData\Local\WaveBrowser\User Data\Snapshots\*\**",
WaveBrowser,WaveBrowser_SyncData_Database,"Users\*\AppData\Local\WaveBrowser\User Data\*\Sync Data\SyncData.sqlite3",
WaveBrowser,WaveBrowser_Top_Sites,"Users\*\AppData\Local\WaveBrowser\User Data\*\Top Sites*",
WaveBrowser,WaveBrowser_Trust_Tokens,"Users\*\AppData\Local\WaveBrowser\User Data\*\Trust Tokens*",
WaveBrowser,WaveBrowser_Visited_Links,"Users\*\AppData\Local\WaveBrowser\User Data\*\Visited Links",
WaveBrowser,WaveBrowser_Web_Data,"Users\*\AppData\Local\WaveBrowser\User Data\*\Web Data*",
WaveBrowser,WaveBrowser_bookmarks,"Users\*\AppData\Local\WaveBrowser\User Data\*\Bookmarks*",
WaveBrowser,Windows_Protect_Folder,"Users\*\AppData\Roaming\Microsoft\Protect\*\**",
WebBrowsers,360_Secure_Browser,"",360SecureBrowser
WebBrowsers,Arc_Browser,"",Arc
WebBrowsers,Brave_Browser,"",BraveBrowser
WebBrowsers,Chrome,"",Chrome
WebBrowsers,CocCoc_Browser,"",CocCoc
WebBrowsers,Edge,"",Edge
WebBrowsers,Edge_Chromium,"",EdgeChromium
WebBrowsers,Firefox,"",Firefox
WebBrowsers,Internet_Explorer,"",InternetExplorer
WebBrowsers,Opera,"",Opera
WebBrowsers,Puffin_Secure_Browser,"",PuffinSecureBrowser
WebBrowsers,QQ_Browser,"",QQBrowser
WebBrowsers,Supermium,"",Supermium
WebBrowsers,UCBrowser,"",UCBrowser
WebBrowsers,Vivaldi_Browser,"",Vivaldi
WebBrowsers,WaveBrowser,"",WaveBrowser
WebBrowsers,Yandex_Browser,"",Yandex
WebServers,Apache_Access_Logs,"",ApacheAccessLog
WebServers,IIS_Logs,"",IISLogFiles
WebServers,MSSQL_Error_Logs,"",MSSQLErrorLog
WebServers,NGINX_Logs,"",NGINXLogs
Webroot,Webroot_Program_Data,"ProgramData\WRData\WRLog.log",
WhatsApp,Microsoft_Store_WhatsApp_Cache,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache\*",
WhatsApp,Microsoft_Store_WhatsApp_Local_Storage,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb\*",
WhatsApp,WhatsApp_Cache,"Users\*\AppData\Roaming\WhatsApp\Cache\*",
WhatsApp,WhatsApp_Local_Storage,"Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb\*",
WhatsApp_Media,Microsoft_Store_WhatsApp_Desktop_Profile_Pictures,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures\*",
WhatsApp_Media,Microsoft_Store_WhatsApp_Shared_Media,"Users\*\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers\**\*.{jpg,mp4,pdf,webp}",
WinDefendDetectionHist,DetectionHistory,"ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**",
WinSCP,WinSCP_ini_file_,"**\WinSCP.ini",
WindowsApp,WindowsApp,"Users\*\AppData\Local\Temp\DiagOutputDir\Windows365\**",
WindowsCopilotRecall,Recall_folder,"Users\*\AppData\Local\CoreAIPlatform.00\UKP\**",
WindowsDefender,DetectionHistory,"ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\**",
WindowsDefender,Windows_Defender_Detections_log,"ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log",
WindowsDefender,Windows_Defender_Event_Logs,"Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx",
WindowsDefender,Windows_Defender_Event_Logs,"Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx",
WindowsDefender,Windows_Defender_Logs,"ProgramData\Microsoft\Microsoft AntiMalware\Support\**",
WindowsDefender,Windows_Defender_Logs,"ProgramData\Microsoft\Windows Defender\Support\**",
WindowsDefender,Windows_Defender_Logs,"Windows\Temp\MpCmdRun.log",
WindowsDefender,Windows_Defender_Logs,"Windows.old\Windows\Temp\MpCmdRun.log",
WindowsDefender,Windows_Defender_Quarantine,"ProgramData\Microsoft\Windows Defender\Quarantine\**",
WindowsFirewall,Windows_Firewall_Logs,"Windows.old\Windows\System32\LogFiles\Firewall\pfirewall.*",
WindowsFirewall,Windows_Firewall_Logs,"Windows\System32\LogFiles\Firewall\pfirewall.*",
WindowsHello,Cryptokeys,"Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\**",
WindowsHello,Masterkey,"Windows\System32\Microsoft\Protect\S-1-5-18\User\**",
WindowsHello,NGC,"Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\**",
WindowsHello,SECURITY_registry_hive,"Windows\System32\config\SECURITY",
WindowsHello,SECURITY_registry_hive,"Windows.old\Windows\System32\config\SECURITY",
WindowsHello,SECURITY_registry_hive_RegBack_,"Windows\System32\config\RegBack\SECURITY",
WindowsHello,SECURITY_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SECURITY",
WindowsHello,SECURITY_registry_transaction_files,"Windows\System32\config\SECURITY.LOG*",
WindowsHello,SECURITY_registry_transaction_files,"Windows.old\Windows\System32\config\SECURITY.LOG*",
WindowsHello,SOFTWARE_registry_hive,"Windows.old\Windows\System32\config\SOFTWARE",
WindowsHello,SOFTWARE_registry_hive,"Windows\System32\config\SOFTWARE",
WindowsHello,SOFTWARE_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SOFTWARE",
WindowsHello,SOFTWARE_registry_hive_RegBack_,"Windows\System32\config\RegBack\SOFTWARE",
WindowsHello,SOFTWARE_registry_transaction_files,"Windows.old\Windows\System32\config\SOFTWARE.LOG*",
WindowsHello,SOFTWARE_registry_transaction_files,"Windows\System32\config\SOFTWARE.LOG*",
WindowsHello,SYSTEM_registry_hive,"Windows.old\Windows\System32\config\SYSTEM",
WindowsHello,SYSTEM_registry_hive,"Windows\System32\config\SYSTEM",
WindowsHello,SYSTEM_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SYSTEM",
WindowsHello,SYSTEM_registry_hive_RegBack_,"Windows.old\Windows\System32\config\RegBack\SYSTEM1",
WindowsHello,SYSTEM_registry_hive_RegBack_,"Windows\System32\config\RegBack\SYSTEM",
WindowsHello,SYSTEM_registry_hive_RegBack_,"Windows\System32\config\RegBack\SYSTEM1",
WindowsHello,SYSTEM_registry_transaction_files,"Windows.old\Windows\System32\config\SYSTEM.LOG*",
WindowsHello,SYSTEM_registry_transaction_files,"Windows\System32\config\SYSTEM.LOG*",
WindowsIndexSearch,GatherLogs,"programdata\microsoft\search\data\applications\windows\GatherLogs\**",
WindowsIndexSearch,GatherLogs_User,"Users\*\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs\**",
WindowsIndexSearch,WindowsIndexSearch,"programdata\microsoft\search\data\applications\windows\*",
WindowsIndexSearch,WindowsIndexSearch_User,"Users\*\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\*",
WindowsNetwork,Network_setting_files,"windows\system32\drivers\etc\**",
WindowsNotificationsDB,Windows_10_Notification_DB,"Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat",
WindowsNotificationsDB,Windows_10_Notification_DB,"Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db",
WindowsOSUpgradeArtifacts,FolderMoveLog_txt,"Windows\Panther\Rollback\FolderMoveLog.txt",
WindowsOSUpgradeArtifacts,HumanReadable_xml,"Windows\Panther\*HumanReadable.xml",
WindowsOSUpgradeArtifacts,MigLog_xml,"Windows\Panther\MigLog.xml",
WindowsOSUpgradeArtifacts,Setupact_log,"Windows\Panther\Setupact.log",
WindowsOSUpgradeArtifacts,Update_Store_db,"ProgramData\USOPrivate\UpdateStore\store.db",
WindowsPowerDiagnostics,Windows_Power_Diagnostics,"ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\**",
WindowsServerDNSAndDHCP,DHCP_files,"Windows\System32\dhcp\**",
WindowsServerDNSAndDHCP,DNS_Netlogon_files,"Windows\System32\config\**\netlogon.*",
WindowsServerDNSAndDHCP,DNS_files,"Windows\System32\dns\**",
WindowsSubsystemforAndroid,App_download_artifacts_ICO_,"Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.ico",
WindowsSubsystemforAndroid,App_download_artifacts_PNG_,"Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\*.png",
WindowsSubsystemforAndroid,Appcompatdb_json,"Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\appcompatdb.json",
WindowsSubsystemforAndroid,Diagnostic_Logs_for_WSA,"Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalState\diagnostics\logcat\*.log",
WindowsSubsystemforAndroid,userdata_vhdx,"Users\*\AppData\Local\Packages\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\LocalCache\userdata.vhdx",
WindowsTelemetryDiagnosticsLegacy,Legacy_rbs_files_relating_to_Windows_Telemetry_and_Diagnostics,"ProgramData\Microsoft\Diagnosis\events*.rbs",
WindowsTelemetryDiagnosticsLegacy,Legacy_rbs_files_relating_to_Windows_Telemetry_and_Diagnostics,"Windows.old\ProgramData\Microsoft\Diagnosis\events*.rbs",
WindowsTimeline,ActivitiesCache_db,"Users\*\AppData\Local\ConnectedDevicesPlatform\**\ActivitiesCache.db*",
WindowsUpdate,Windows_Component_Based_Servicing_logs,"Windows\Logs\CBS\**\CBS*.log",
WindowsUpdate,Windows_Update_History,"Windows\SoftwareDistribution\DataStore\**",
WindowsUpdate,Windows_Update_Session_Orchestrator_logs,"ProgramData\USOShared\Logs\System\**\*.etl",
WindowsUpdate,Windows_Update_logs,"Windows\Logs\WindowsUpdate\**\WindowsUpdate*.etl",
WindowsYourPhone,Windows_Your_Phone_All_Databases,"Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\**",
XPRestorePoints,System_Volume_Information,"System Volume Information\**",
XYplorer,XYplorer_AutoBackup_folder,"Users\*\AppData\Roaming\XYplorer\AutoBackup\**",
XYplorer,XYplorer_dat_files,"Users\*\AppData\Roaming\XYplorer\**\*.dat",
XYplorer,XYplorer_ini_file,"Users\*\AppData\Roaming\XYplorer\XYplorer.ini",
XYplorer,XYplorer_ini_file_for_each_respective_pane,"Users\*\AppData\Roaming\XYplorer\Panes\*\**\pane.ini",
Xeox,Xeox_RMM_Client_Application_logs,"Program Files\Xeox\*.log",
Yandex,Yandex_Autofill_data,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Autofill Data*",
Yandex,Yandex_Bookmarks,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Bookmarks*",
Yandex,Yandex_Cookies,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**\Cookies*",
Yandex,Yandex_Favicons,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Favicons*",
Yandex,Yandex_History,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\History*",
Yandex,Yandex_Login_Data,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Ya Passman Data*",
Yandex,Yandex_Network_Action_Predictor,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Network Action Predictor",
Yandex,Yandex_Network_Persistent_State,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\**\Network Persistent State",
Yandex,Yandex_Passman_logs,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Passman Logs*",
Yandex,Yandex_Preferences,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Preferences",
Yandex,Yandex_Sessions_Folder,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\*",
Yandex,Yandex_Shortcuts,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Shortcuts*",
Yandex,Yandex_Top_Sites,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Top Sites*",
Yandex,Yandex_Visited_Links,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Visited Links",
Yandex,Yandex_Web_Data,"Users\*\AppData\Local\Yandex\YandexBrowser\User Data\*\Web Data*",
ZScaler,Zscaler_Logs,"Users\*\AppData\Local\Zscaler\*",
ZohoAssist,Zoho_Assist_conf_files,"ProgramData\ZohoMeeting\**\*.conf",
ZohoAssist,Zoho_Assist_conf_files_in_AppData_Local,"Users\*\AppData\Local\ZohoMeeting\*.conf",
ZohoAssist,Zoho_Assist_conf_files_in_Program_Files_,"Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.conf",
ZohoAssist,Zoho_Assist_log_files_in_AppData_Local,"Users\*\AppData\Local\ZohoMeeting\log\**",
ZohoAssist,Zoho_Assist_log_files_in_ProgramData,"ProgramData\ZohoMeeting\log\**",
ZohoAssist,Zoho_Assist_log_files_in_Program_Files_,"Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs\**",
ZohoAssist,Zoho_Assist_txt_files_in_Program_Files_,"Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\*.txt",
Zoom,Zoom_client_logs,"Users\*\AppData\Roaming\Zoom\logs\**",
Zoom,Zoom_client_logs_Windows_XP_,"Documents and Settings\*\Application Data\Zoom\**",
Zoom,Zoom_client_recordings,"Users\*\Documents\Zoom\**",
Zoom,Zoom_plugin_Outlook_,"Users\*\AppData\Roaming\Zoom Plugin\*.json",
_BasicCollection,Event_Logs,"",EventLogs
_BasicCollection,Evidence_of_Execution,"",EvidenceOfExecution
_BasicCollection,File_System,"",FileSystem
_BasicCollection,LNKFilesAndJumpLists,"",LNKFilesAndJumpLists
_BasicCollection,PowerShellConsole,"",PowerShellConsole
_BasicCollection,RecycleBin_InfoFiles,"",RecycleBin_InfoFiles
_BasicCollection,RegistryHives,"",RegistryHives
_BasicCollection,SRUM,"",SRUM
_BasicCollection,ScheduledTasks,"",ScheduledTasks
_BasicCollection,ThumbCache,"",Thumbcache
_BasicCollection,USBDevicesLogs,"",USBDevicesLogs
_BasicCollection,WindowsIndexSearch,"",WindowsIndexSearch
_Bitmap,_Bitmap,"$Bitmap",
_Boot,_Boot,"$Boot",
_J,_J,"$Extend\$UsnJrnl:$J",
_J,_J,"$Extend\$J",
_J,_Max,"$Extend\$Max",
_J,_Max,"$Extend\$UsnJrnl:$Max",
_KapeTriage,KapeTriage,"",KapeTriage
_LogFile,_LogFile,"$LogFile",
_MFTMirr,_MFTMirr,"$MFTMirr",
_MFT,_MFT,"$MFT",
_SANS_Triage,Antivirus,"",Antivirus
_SANS_Triage,BITS,"",BITS
_SANS_Triage,CloudStorage_Metadata,"",CloudStorage_Metadata
_SANS_Triage,CombinedLogs,"",CombinedLogs
_SANS_Triage,EvidenceOfExecution,"",EvidenceOfExecution
_SANS_Triage,FTPClients,"",FTPClients
_SANS_Triage,FileSystem,"",FileSystem
_SANS_Triage,GroupPolicy,"",GroupPolicy
_SANS_Triage,LNKFilesAndJumpLists,"",LNKFilesAndJumpLists
_SANS_Triage,MessagingClients,"",MessagingClients
_SANS_Triage,NetworkScanner,"",NetworkScanner
_SANS_Triage,RecycleBin_InfoFiles,"",RecycleBin_InfoFiles
_SANS_Triage,RegistryHives,"",RegistryHives
_SANS_Triage,RemoteAccess,"",RemoteAdmin
_SANS_Triage,SRUM,"",SRUM
_SANS_Triage,SUM,"",SUM
_SANS_Triage,ScheduledTasks,"",ScheduledTasks
_SANS_Triage,ThumbCache,"",Thumbcache
_SANS_Triage,WBEM,"",WBEM
_SANS_Triage,WER,"",WER
_SANS_Triage,WebBrowsers,"",WebBrowsers
_SANS_Triage,WindowsIndexSearch,"",WindowsIndexSearch
_SANS_Triage,WindowsTimeline,"",WindowsTimeline
_SDS,_SDS,"$Secure:$SDS",
_SDS,_SDS,"$Secure_$SDS",
_T,_T,"$Extend\$RmMetadata\$TxfLog\$Tops:$T",
_T,_T,"$Extend\$RmMetadata\$TxfLog\$T",
eMule,eMule_Logs_and_Configuration_Files,"Users\*\AppData\Local\eMule\**",
eMule,eMule_part_met_files,"**\*.part.met",
iTunesBackup,iTunes_Backup_Folder,"Users\*\AppData\Roaming\Apple\Mobilesync\Backup\**",
iTunesBackup,iTunes_Backup_Folder,"Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup\**",
iTunesBackup,iTunes_Backup_Folder_iOS13,"Users\*\Apple\Mobilesync\Backup\**",
mIRC,mIRC_Chat_Logs_2000_XP_,"Documents and Settings\*\Application Data\mIRC\logs\**",
mIRC,mIRC_Chat_Logs_Vista_,"Users\*\AppData\Roaming\mIRC\logs\**",
mRemoteNG,mRemoteNG_Connection_Configuration_and_Backups,"Users\*\AppData\Roaming\mRemoteNG\confCons.xml*",
mRemoteNG,mRemoteNG_Logs,"Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log",
mRemoteNG,mRemoteNG_Program_Settings,"Users\*\AppData\*\mRemoteNG\**\user.config",
openSUSE,openSUSE_WSL_bash_history,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**\.bash_history",
openSUSE,openSUSE_WSL_bashrc,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**\.bashrc",
openSUSE,openSUSE_WSL_etc_bash_bashrc,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\bash.bashrc",
openSUSE,openSUSE_WSL_etc_fstab,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\fstab",
openSUSE,openSUSE_WSL_etc_group,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\group",
openSUSE,openSUSE_WSL_etc_hostname,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hostname",
openSUSE,openSUSE_WSL_etc_hosts,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\hosts",
openSUSE,openSUSE_WSL_etc_os_release,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\os-release",
openSUSE,openSUSE_WSL_etc_passwd,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\passwd",
openSUSE,openSUSE_WSL_etc_profile,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\profile",
openSUSE,openSUSE_WSL_etc_shadow,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\shadow",
openSUSE,openSUSE_WSL_etc_timezone,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc\timezone",
openSUSE,openSUSE_WSL_ext4_vhdx,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\ext4.vhdx",
openSUSE,openSUSE_WSL_profile,"Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\**\.profile",
pCloudDatabase,pCloud_Database,"Users\*\AppData\Local\pCloud\*.db",
pCloudDatabase,pCloud_Database_Shared_Memory_File,"Users\*\AppData\Local\pCloud\*.db-shm",
pCloudDatabase,pCloud_Database_WAL_File,"Users\*\AppData\Local\pCloud\*.db-wal",
qBittorrent,TorrentClients_qBittorrent,"Users\*\AppData\Local\qBittorrent\BT_backup\*",
qBittorrent,TorrentClients_qBittorrent,"Users\*\AppData\Local\qBittorrent\GeoDB\*",
qBittorrent,TorrentClients_qBittorrent,"Users\*\AppData\Roaming\qBittorrent\*.ini",
qBittorrent,TorrentClients_qBittorrent,"Users\*\AppData\Local\qBittorrent\logs\*",
uTorrent,TorrentClients_uTorrent,"Users\*\AppData\Roaming\uTorrent\*.dat",
''')
GROUP BY Target
// Build a lookup cache on target.
LET Lookup <= memoize(query={
    SELECT * FROM TargetTable
}, key="Target")

-- Extract all rules within the required target. Uses the memoized
-- structure above.
LET FilterTable(Required) =
    SELECT Required AS Target, *
    FROM flatten(query={
        SELECT * FROM foreach(row=get(item=Lookup, field=Required).Rules)
    })
    WHERE if(condition=Glob =~ SlowGlobRegex,
             then=log(message="Dropping rule %v/%v because it is too slow: %v",
                      dedup=-1, args=[Target, Rule, Glob]) AND FALSE,
             else=TRUE)

LET Expand(FilteredTable) = SELECT * FROM foreach(
    row=FilteredTable,
    query={
        -- If there is a reference, resolve it from the table recursively.
        SELECT *
        FROM if(condition=Ref AND log(message="%v/%v: Resolving Ref %v", dedup=-1, args=[Target, Rule, Ref]),
                then={
                    SELECT * FROM Expand(
                        FilteredTable={
                            SELECT * FROM FilterTable(Required=Ref)
                        })
                }, else={
                    SELECT Target, Rule, Glob FROM scope()
                })
    })

sources:
  - name: SearchGlobs
    query: |
      -- Collect all the top level targets that the user selected.
      LET Collections <= SELECT Target + "/" + Rule AS Rule, Glob
        FROM Expand(FilteredTable={
          SELECT Target,
                 Rules.Rule AS Rule,
                 Rules.Glob AS Glob,
                 Rules.Ref AS Ref
          FROM flatten(query={
            SELECT * FROM TargetTable
            WHERE get(field=Target)
              AND log(message="Collecting target %v: %v", args=[Target, Rule], dedup=-1)
          })
        })
        GROUP BY Rule

      SELECT * FROM Collections

  - name: All Matches Metadata
    query: |
      LET GlobLookup <= memoize(query=Collections, key="Glob")

      LET NTFSGlobs = SELECT * FROM Collections
        WHERE Glob =~ "[:$]" AND NOT Glob =~ "\\$Recycle.Bin"

      LET AutoGlobs = SELECT * FROM Collections
        WHERE Glob =~ "\\$Recycle.Bin" OR NOT Glob =~ "[:$]"

      LET _ <= if(condition=MaxFileSize > 0,
                  then=log(message="Limiting file acquisition to MaxFileSize %v bytes (%v)",
                           args=[MaxFileSize, humanize(bytes=MaxFileSize)]))

      LET PreferredAccessor <= if(
          condition=VSS_MAX_AGE_DAYS > 0,
          then="ntfs_vss", else="auto")

      LET AllResults <= SELECT OSPath AS SourceFile,
               Size,
               Btime AS Created,
               Ctime AS Changed,
               Mtime AS Modified,
               Atime AS LastAccessed,
               Accessor
        FROM foreach(row={
          SELECT _value AS Device FROM foreach(row=Devices)
        }, query={
          SELECT * FROM chain(async=TRUE,
            a={
              SELECT *,
                     get(item=GlobLookup, field=Globs[0]).Rule AS Rule,
                     "ntfs" AS Accessor
              FROM glob(globs=NTFSGlobs.Glob, accessor="ntfs", root=Device)
            }, b={
              SELECT *,
                     get(item=GlobLookup, field=Globs[0]).Rule AS Rule,
                     PreferredAccessor AS Accessor
              FROM glob(globs=AutoGlobs.Glob,
                        accessor=PreferredAccessor,
                        root=Device)
            })
        })
        WHERE NOT IsDir
          AND log(message="Found %v for rule %v", args=[SourceFile, Rule], dedup=10)
          AND if(condition=Size <= MaxFileSize,
                 then=TRUE,
                 else=log(message="Skipping file %v (Size %v) Due to MaxFileSize",
                          dedup=-1, args=[SourceFile, humanize(bytes=Size)]) AND FALSE)

      SELECT * FROM AllResults

  - name: Uploads
    query: |
      -- Upload the files. Split into workers so the files are uploaded in parallel.
      LET uploaded_files = SELECT *
        FROM foreach(row={
          SELECT * FROM AllResults
        },
        workers=30,
        query={
          SELECT now() AS CopiedOnTimestamp,
                 Created,
                 Changed,
                 LastAccessed,
                 Modified,
                 SourceFile,
                 Size,
                 upload(file=SourceFile, accessor=Accessor, mtime=Modified) AS Upload
          FROM scope()
        })

      -- Separate the hashes into their own column.
      SELECT CopiedOnTimestamp,
             SourceFile,
             Upload.Path AS DestinationFile,
             Size AS FileSize,
             Upload.sha256 AS SourceFileSha256,
             Created,
             Changed,
             Modified,
             LastAccessed
      FROM uploaded_files
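
The Ref resolution and accessor routing performed by the VQL above, as an added Python example (not part of the artifact or the Velociraptor project). The `DemoTriage` target and its `$Recycle.Bin` row are constructed, the cycle guard is an addition, and the slow-glob test (a glob starting with `**`) is an assumption because `SlowGlobRegex` is defined outside this listing.

```python
import csv, io, re

# Constructed table. The _MFT, _J and eMule rows are copied from the artifact's
# CSV; "DemoTriage" and its $Recycle.Bin row are hypothetical.
TABLE = r'''Target,Rule,Glob,Ref
DemoTriage,FileSystem,"",_MFT
DemoTriage,Journal,"",_J
DemoTriage,P2P,"",eMule
DemoTriage,RecycleBin,"$Recycle.Bin\*\$I*",
_MFT,_MFT,"$MFT",
_J,_J,"$Extend\$UsnJrnl:$J",
_J,_Max,"$Extend\$Max",
eMule,eMule_Logs_and_Configuration_Files,"Users\*\AppData\Local\eMule\**",
eMule,eMule_part_met_files,"**\*.part.met",
'''
SLOW = re.compile(r"^\*\*")  # assumption: a "slow" glob starts with **


def rules_for(target, table):
    return [r for r in table if r["Target"] == target]


def expand(rows, table, drop_slow=True, seen=()):
    """Resolve Ref rows recursively, mirroring Expand() and FilterTable()."""
    out = []
    for row in rows:
        if not row["Ref"]:
            out.append((row["Target"] + "/" + row["Rule"], row["Glob"]))
        elif row["Ref"] not in seen:  # cycle guard: added here, not in the VQL
            kept = [r for r in rules_for(row["Ref"], table)
                    if not (drop_slow and SLOW.search(r["Glob"]))]
            out += expand(kept, table, drop_slow, seen + (row["Ref"],))
    return out


def route(collections):
    """Split globs by accessor with the two regexes from All Matches Metadata."""
    ntfs, auto = [], []
    for _rule, glob in collections:
        special = re.search(r"[:$]", glob)
        recycle = re.search(r"\$Recycle.Bin", glob, re.I)
        (ntfs if special and not recycle else auto).append(glob)
    return ntfs, auto


def plan(selected, drop_slow=True):
    table = list(csv.DictReader(io.StringIO(TABLE)))
    return route(expand(rules_for(selected, table), table, drop_slow))
```

The `ntfs` list is always searched with the raw NTFS accessor; the `auto` list goes to `ntfs_vss` instead when `VSS_MAX_AGE_DAYS` is above 0, as the `PreferredAccessor` line shows.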