Triage Artifacts

Triage artifacts simply collect various files as quickly as possible. In recent versions of Velociraptor, many of the triage artifacts have been merged into the Windows.KapeFiles.Targets artifact.

Windows.Triage.ProcessMemory

Dump process memory and upload it to the server.

| Arg | Default | Description |
|---|---|---|
| `processRegex` | `notepad` | |

Windows.KapeFiles.Targets

KAPE is a popular bulk collector tool for triaging a system quickly. While KAPE itself is not an open-source tool, the logic it uses to decide which files to collect is encoded in YAML files hosted on the KapeFiles project (https://github.com/EricZimmerman/KapeFiles) and released under an MIT license.

This artifact is automatically generated from these YAML files, which are contributed and maintained by the community. It only encapsulates the KAPE “Targets”: essentially a set of glob expressions used for collecting files on the endpoint. We do not do any post-processing of these files; we just collect them.

We recommend that timeouts and upload limits be used conservatively with this artifact, because it can upload very large quantities of data very quickly.

| Arg | Default | Description |
|---|---|---|
| `_BasicCollection` | | Basic Collection (by Phill Moore): Thumbcache DB, at .job, at SchedLgU.txt, XML, Amcache, Amcache transaction files, $SDS, WindowsIndexSearch, $LogFile, $Boot, ntuser.dat registry hive XP, ntuser.dat … |
| `_Boot` | | $Boot (by Eric Zimmerman): $Boot |
| `_J` | | $J (by Eric Zimmerman): $J, $Max |
| `_LogFile` | | $LogFile (by Eric Zimmerman): $LogFile |
| `_MFT` | | $MFT (by Eric Zimmerman): $MFT |
| `_SDS` | | $SDS (by Eric Zimmerman): $SDS |
| `_T` | | $T (by Eric Zimmerman): $T |
| `Amcache` | | Amcache.hve (by Eric Zimmerman): Amcache, Amcache transaction files |
| `Ammyy` | | Ammyy Data (by Drew Ervin): Ammyy Program Data |
| `ApacheAccessLog` | | Apache Access Log (by Hadar Yudovich): Apache Access Log |
| `AppData` | | AppData (by Phill Moore): AppData |
| `ApplicationEvents` | | Windows Application Event Log (by Drew Ervin): Application Event Log XP, Application Event Log Win7+ |
| `Avast` | | Avast Antivirus Data (by Drew Ervin): Avast AV User Logs, Avast AV Index, Avast AV Logs (XP), Avast AV Logs |
| `AviraAVLogs` | | Avira Logs (by Fabian Murer): Avira Activity Logs |
| `BCD` | | Boot Configuration Files (by Troy Larson): BCD, BCD Logs |
| `Bitdefender` | | Bitdefender Antivirus Data (by Drew Ervin): Bitdefender Endpoint Security Logs |
| `BoxDrive` | | Box Cloud Storage Files and Metadata (by Chad Tilbury): Box User Files, Box Drive Application Metadata, Box Sync Application Metadata |
| `Chrome` | | Chrome (by Eric Zimmerman): Chrome Preferences, Chrome Shortcuts, Chrome Top Sites, Chrome bookmarks, Chrome Visited Links, Chrome Web Data, Chrome bookmarks XP, Chrome Cookies XP, Chrome Current Sess … |
| `ChromeExtensions` | | Chrome Extension Files (by piesecurity): Chrome Extension Files, Chrome Extension Files XP |
| `CiscoJabber` | | Jabber (by Andrew Bannon): Cisco Jabber Database |
| `CloudStorage` | | Cloud Storage Contents and Metadata (by Chad Tilbury): Google File Stream Metadata, OneDrive User Files, OneDrive Metadata Logs, OneDrive Metadata Settings, Box User Files, Box Drive Application Metad … |
| `CombinedLogs` | | Collect Event logs, Trace logs, Windows Firewall and PowerShell console (by Mike Cary): Windows Firewall Logs, WDI Trace Logs 1, WDI Trace Logs 2, WMI Trace Logs, SleepStudy Trace Logs, Energy-NTKL Tr … |
| `ComboFix` | | ComboFix Antivirus Data (by Drew Ervin): ComboFix |
| `ConfluenceLogs` | | Confluence Log Files (by Eric Capuano): Confluence Wiki Log Files, Confluence Wiki Log Files |
| `DirectoryTraversalWildCardExample` | | Find zip archives (by Eric Zimmerman): Zips |
| `Dropbox` | | Dropbox Cloud Storage Files and Metadata (by Chad Tilbury): Dropbox User Files, Dropbox Metadata, Dropbox Metadata, Dropbox Metadata, Windows Protect Folder |
| `ESET` | | ESET Antivirus Data (by Drew Ervin): ESET NOD32 AV Logs (XP), ESET NOD32 AV Logs |
| `Edge` | | Edge (by Phill Moore): Edge folder, WebcacheV01.dat |
| `EncapsulationLogging` | | EncapsulationLogging (by Troy Larson): EncapsulationLogging Logs, EncapsulationLogging |
| `EventLogs_RDP` | | Collect Win7+ RDP related Event logs (by Mark Hallman): Event logs Win7+, Event logs Win7+, Event logs Win7+, Event logs Win7+ |
| `EventLogs` | | Event logs (by Eric Zimmerman): Event logs XP, Event logs Win7+ |
| `EventTraceLogs` | | Event Trace Logs (by Mark Hallman): WDI Trace Logs 1, WDI Trace Logs 2, WMI Trace Logs, SleepStudy Trace Logs, Energy-NTKL Trace Logs |
| `EvidenceOfExecution` | | Evidence of execution related files (by Eric Zimmerman): RecentFileCache, Prefetch, Amcache transaction files, Syscache transaction files, Amcache, Syscache |
| `Exchange` | | Exchange Log Files (by Keith Twombley): Exchange TransportRoles log files, Exchange client access log files |
| `ExchangeClientAccess` | | Exchange Client Access Log Files (by Keith Twombley): Exchange client access log files |
| `ExchangeTransport` | | Exchange Transport Log Files (by Keith Twombley): Exchange TransportRoles log files |
| `FSecure` | | F-Secure Antivirus Data (by Drew Ervin): F-Secure Logs, F-Secure User Logs, F-Secure Scheduled Scan Reports |
| `FileSystem` | | File system metadata (by Eric Zimmerman): $LogFile, $MFT, $Boot, $J, $Max, $T, $SDS |
| `Firefox` | | Firefox (by Eric Zimmerman): Places, Downloads, Form history, Cookies, Signons, Webappstore, Favicons, Addons, Search, Places, Downloads, Form history, Cookies, Signons, Webappstore, Favicons, Addons, … |
| `Gigatribe` | | Gigatribe Files (by Linus Nissi): Gigatribe Files Windows XP, Gigatribe Files Windows XP, Gigatribe Files Windows Vista/7/8/10 |
| `GoogleDrive` | | Google Drive Storage Files and Metadata (by Chad Tilbury): Google File Stream Metadata, Google Drive User Files, Google Drive Metadata |
| `GroupPolicy` | | Current Group Policy Enforcement (by piesecurity): Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts |
| `HitmanPro` | | HitmanPro Antivirus Data (by Drew Ervin): HitmanPro Logs, HitmanPro Alert Logs, HitmanPro Database |
| `IISLogFiles` | | IIS Log Files (by Troy Larson): IIS log files, IIS log files, IIS log files, IIS log files |
| `InternetExplorer` | | Internet Explorer (by Eric Zimmerman): Roaming Internet Explorer folder, IE 9/10 History, IE 9/10 Cache, IE 9/10 Cookies, IE 9/10 Download History, IE 11 Metadata, IE 11 Cache, IE 11 Cookies, Index.da … |
| `JavaWebCache` | | Java WebStart Cache - (IDX Files) (by piesecurity): Java WebStart Cache User Level - Default, Java WebStart Cache User Level - IE Protected Mode, Java WebStart Cache System level, Java WebStart Cache … |
| `KapeTriage` | | Kape Triage collections that will collect most of the files needed for a DFIR Investigation. This module pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence o … |
| `Kaseya` | | Kaseya Data (by Drew Ervin): Kaseya Live Connect Logs (XP), Kaseya Live Connect Logs, Kaseya Agent Endpoint Service Logs (XP), Kaseya Agent Endpoint Service Logs, Kaseya Agent Service Log, Kaseya Setu … |
| `LinuxOnWindowsProfileFiles` | | Linux on Windows Profile Files (by Troy Larson): .bash_history, .bash_logout, .bashrc, .profile |
| `LiveUserFiles` | | Live User Files (by Mark Hallman): User Files - Desktop, User Files - Documents, User Files - Downloads, User Files - Dropbox |
| `LnkFilesAndJumpLists` | | Lnk files and jump lists (by Eric Zimmerman): Lnk files from Recent, Lnk files from Microsoft Office Recent, Lnk files from Recent (XP), Desktop lnk files XP, Desktop lnk files, Restore point lnk file … |
| `LogFiles` | | LogFiles (by Fabian Murer): LogFiles |
| `LogMeIn` | | LogMeIn Data (by Drew Ervin): LogMeIn Application Logs, Application Event Log XP, Application Event Log Win7+, LogMeIn ProgramData Logs |
| `MOF` | | MOF files (WMI) (by Eric Zimmerman): MOF files |
| `MSSQLErrorLog` | | MS SQL ErrorLogs (by Troy Larson): MS SQL Errorlog, MS SQL Errorlogs |
| `Malwarebytes` | | Malwarebytes Data (by Drew Ervin): MalwareBytes Anti-Malware Scan Logs, MalwareBytes Anti-Malware Logs, MalwareBytes Anti-Malware Service Logs |
| `McAfee` | | McAfee Log Files (by Sam Smoker): McAfee Desktop Protection Logs XP, McAfee Desktop Protection Logs, McAfee Endpoint Security Logs, McAfee Endpoint Security Logs, McAfee VirusScan Logs |
| `McAfee_ePO` | | McAfee ePO Log Files (by Doug Metz): McAfee ePO Logs |
| `MiniTimelineCollection` | | MFT, Registry and Event Logs to generate a mini timeline (by Mari DeGrazia): $SDS, $LogFile, $Boot, ntuser.dat registry hive XP, ntuser.dat registry hive, ntuser.dat registry transaction files, ntuser … |
| `NGINXLogs` | | NGINX Log Files (by Eric Capuano): NGINX Log Files |
| `Notepad__` | | Notepad++ backup (by Banaanhangwagen): Notepad++ backup |
| `OneDrive` | | Microsoft OneDrive Storage Files and Metadata (by Chad Tilbury): OneDrive User Files, OneDrive Metadata Logs, OneDrive Metadata Settings |
| `OutlookPSTOST` | | Outlook PST and OST files (by Eric Zimmerman): PST XP, OST XP, PST, OST |
| `PowerShellConsole` | | PowerShell Console Log File (by Mike Cary): PowerShell Console Log |
| `Prefetch` | | Prefetch files (by Eric Zimmerman): Prefetch |
| `RDPCache` | | RDP Cache Files (by Hadar Yudovich): RDP Cache Files, RDP Cache Files |
| `RDPLogs` | | RDP Logs (by Drew Ervin): LocalSessionManager Event Logs, RDPClient Event Logs, RDPCoreTS Event Logs, RemoteConnectionManager Event Logs |
| `RecentFileCache` | | Amcache.hve (by Eric Zimmerman): RecentFileCache |
| `Recycle` | | Recycle Bin (by Mark Hallman): $Recycle.Bin, RECYCLER WinXP |
| `RegistryHives` | | System and user related Registry hives (by Eric Zimmerman): ntuser.dat registry hive XP, ntuser.dat registry hive, ntuser.dat registry transaction files, ntuser.dat DEFAULT registry hive, ntuser.dat D … |
| `RegistryHivesSystem` | | System level/related Registry hives (by Eric Zimmerman / Mark Hallman): SAM registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transa … |
| `RegistryHivesUser` | | User Related Registry hives (by Eric Zimmerman / Mark Hallman): ntuser.dat registry hive XP, ntuser.dat registry hive, ntuser.dat registry transaction files, ntuser.dat DEFAULT registry hive, ntuser.d … |
| `RemoteAdmin` | | Composite target for files related to remote administration tools (by Drew Ervin): ScreenConnect Session Database, ScreenConnect Session Database, Application Event Log XP, Application Event Log Win7+ … |
| `RogueKiller` | | RogueKiller Anti-Malware (by Adlice Software) (by Drew Ervin): RogueKiller Reports |
| `SDB` | | Shim SDB FIles (by Troy Larson): SDB Files, SDB Files x64 |
| `SRUM` | | System Resource Usage Monitor (SRUM) Data (by Mark Hallman): SRUM |
| `SUPERAntiSpyware` | | SUPERAntiSpyware Data (by Drew Ervin): SUPERAntiSpyware Logs |
| `ScheduledTasks` | | Scheduled tasks (*.job and XML) (by Eric Zimmerman): at .job, at SchedLgU.txt, XML |
| `ScreenConnect` | | ScreenConnect Data (now known as ConnectWise Control) (by Drew Ervin): Application Event Log XP, Application Event Log Win7+, ScreenConnect Session Database, ScreenConnect Session Database |
| `SignatureCatalog` | | Obtain detached signature catalog files (by Mike Pilkington): SignatureCatalog |
| `Skype` | | Skype (by Eric Zimmerman): leveldb (Skype for Desktop +v8), main.db (App <v12), skype.db (App +v12), main.db XP, main.db Win7+, s4l-[username].db (App +v8) |
| `Sophos` | | Sophos Data (by Drew Ervin): Application Event Log XP, Sophos Logs (XP), Sophos Logs, Application Event Log Win7+ |
| `StartupInfo` | | StartupInfo XML Files (by Hadar Yudovich): StartupInfo XML Files |
| `Symantec_AV_Logs` | | Symantec AV Logs (by Brian Maloney): Symantec Endpoint Protection Logs (XP), Symantec Endpoint Protection Logs, Symantec Endpoint Protection User Logs, Symantec Event Log Win7+, Application Event Log … |
| `Syscache` | | syscache.hve (by Phill Moore): Syscache transaction files, Syscache |
| `TeamViewerLogs` | | Team Viewer Logs (by Hadar Yudovich): TeamViewer Connection Logs, TeamViewer Application Logs, TeamViewer Configuration Files |
| `TeraCopy` | | TeraCopy log history (by Kevin Pagano): TeraCopy |
| `ThumbCache` | | Thumbcache DB (by Eric Zimmerman): Thumbcache DB |
| `TorrentClients` | | Torrent Clients (by Banaanhangwagen): TorrentClients - qBittorrent, TorrentClients - qBittorrent, TorrentClients - uTorrent, TorrentClients - BitTorrent |
| `Torrents` | | Torrent Files (by Tony Knutson): Torrents |
| `TrendMicro` | | Trend Micro Data (by Drew Ervin): Trend Micro Logs, Trend Micro Security Agent Report Logs, Trend Micro Security Agent Connection Logs |
| `USBDevicesLogs` | | USB devices log files (by Eric Zimmerman): Setupapi.log XP, Setupapi.log Win7+ |
| `VIPRE` | | VIPRE Data (by Drew Ervin): VIPRE Business User Logs (v5-v6), VIPRE Business User Logs (up to v4), VIPRE Business Agent Logs, VIPRE Business User Logs (v7+) |
| `VNCLogs` | | VNC Logs (by Phill Moore): Application Event Log XP, Application Event Log Win7+, RealVNC Log |
| `VirtualDisks` | | Virtual Disks (by Phill Moore): VHD, VHDX, VDI, VMDK |
| `WBEM` | | Web-Based Enterprise Management (WBEM) (by Mark Hallman): WBEM |
| `WER` | | Windows Error Reporting (by Troy Larson): WER Files, Crash Dumps, Crash Dumps |
| `WebBrowsers` | | Web browser history, bookmarks, etc. (by Eric Zimmerman): Chrome Preferences, Chrome Shortcuts, Chrome Top Sites, Chrome bookmarks, Chrome Visited Links, Chrome Web Data, Places, Downloads, Form histo … |
| `WindowsDefender` | | Windows Defender Data (by Drew Ervin): Windows Defender Logs, Windows Defender Event Logs |
| `WindowsFirewall` | | Windows Firewall Logs (by Mike Cary): Windows Firewall Logs |
| `WindowsIndexSearch` | | Windows Index Search (by Mark Hallman): WindowsIndexSearch |
| `WindowsNotifcationsDB` | | Windows 10 Notification DB (by Hadar Yudovich): Windows 10 Notification DB, Windows 10 Notification DB |
| `WindowsTimeline` | | ActivitiesCache.db collector (by Lee Whitfield): ActivitiesCache.db-shm, ActivitiesCache.db-wal, ActivitiesCache.db |
| `XPRestorePoints` | | XP Restore Points - System Volume Information directory (by Phill Moore): System Volume Information |
| `iTunesBackup` | | iTunes Backups (by Tony Knutson): iTunes Backup Folder, iTunes Backup Folder |
| `Device` | `C:` | |
| `VSSAnalysis` | `None` | If set we run the collection across all VSS and collect only unique changes. |

Triage.Collection.Upload

A generic uploader used by triage artifacts.

| Arg | Default | Description |
|---|---|---|
| `path` | | This is the glob of the files we use. |
| `type` | | The type of files these are. |
| `accessor` | `file` | |

Triage.Collection.UploadTable

A generic uploader used by triage artifacts. This is similar to Triage.Collection.Upload but uses a CSV table to drive it.

| Arg | Default | Description |
|---|---|---|
| `triageTable` | `Type,Accessor,Glob\n` | A CSV table controlling upload. Must have the headers: Type, Accessor, Glob. |

Windows.Forensics.Bam

The Background Activity Moderator (BAM) is a Windows service that controls the activity of background applications. This service exists only in Windows 10 from the Fall Creators Update (version 1709) onward.

It provides the full path of each executable that was run on the system and its last execution date/time.

| Arg | Default | Description |
|---|---|---|
| `bamKeys` | `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser …` | |
| `userRegex` | `.` | |

Windows.Forensics.FilenameSearch

Did a specific file exist on this machine in the past or does it still exist on this machine?

This question comes up frequently in cases of IP theft, discovery and other matters. One way to answer it is to search the $MFT file for any references to the specific filename. If the filename is fairly unique, then a positive hit on that name generally means the file was present.

Simply determining that a filename existed on an endpoint in the past is significant for some investigations.

This artifact applies a YARA search for a set of filenames of interest to the $MFT file. For any hit, the artifact then identifies the MFT entry where the hit was found and attempts to resolve it to an actual filename.

| Arg | Default | Description |
|---|---|---|
| `yaraRule` | `wide nocase:my secret file.txt` | |
| `Device` | `\\.\c:` | |
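
The search described above, as an added example (not the artifact's own VQL): a `wide nocase` rule is the filename encoded as UTF-16LE and matched case-insensitively, and a hit offset divided by the MFT record size gives the entry number, whose FILE header then tells whether the entry is still allocated. It assumes the standard 1 KiB record size and uses a constructed four-record $MFT with minimal FILE headers; resolving the entry to a full path is left to Velociraptor's NTFS parser.

```python
import re
import struct
from typing import Dict, List, Optional

# FILE record size on typical NTFS volumes; a hit offset divided by this gives
# the MFT entry number (assumption: standard 1 KiB records, contiguous $MFT image).
MFT_RECORD_SIZE = 1024

def wide_nocase_pattern(name: str):
    """Equivalent of YARA's `wide nocase` modifiers: the string encoded as
    UTF-16LE (each ASCII byte followed by NUL), matched case-insensitively."""
    return re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE)

def parse_record_header(record: bytes) -> Dict:
    """Read the FILE record header fields that triage a hit: sequence number
    (offset 0x10) and flags (offset 0x16: bit 0 = in use, bit 1 = directory)."""
    if record[:4] != b"FILE":
        return {"valid": False}
    seq = struct.unpack_from("<H", record, 0x10)[0]
    flags = struct.unpack_from("<H", record, 0x16)[0]
    return {"valid": True, "sequence": seq, "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}

def search_mft(mft: bytes, names: List[str]) -> List[Dict]:
    """Scan a $MFT image for each name and map every hit back to its MFT entry."""
    hits = []
    for name in names:
        for m in wide_nocase_pattern(name).finditer(mft):
            entry = m.start() // MFT_RECORD_SIZE
            record = mft[entry * MFT_RECORD_SIZE:(entry + 1) * MFT_RECORD_SIZE]
            hits.append({"name": name, "matched": m.group().decode("utf-16-le"),
                         "offset": m.start(), "mft_entry": entry, **parse_record_header(record)})
    return hits

def make_record(filename: Optional[str], in_use: bool, seq: int = 1) -> bytes:
    """Constructed minimal FILE record for the sample: real header fields, with the
    name placed where a $FILE_NAME attribute would sit. Not a complete NTFS record."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x10, seq)
    struct.pack_into("<H", rec, 0x16, 1 if in_use else 0)
    if filename:
        data = filename.encode("utf-16-le")
        rec[0x100:0x100 + len(data)] = data
    return bytes(rec)

# Constructed four-entry $MFT: entry 2 is a deleted (unallocated) record whose name
# differs only in case from the search term; entry 3 is a live file with that name.
SAMPLE_MFT = b"".join([
    make_record("$MFT", in_use=True),
    make_record("notes.txt", in_use=True),
    make_record("MY SECRET FILE.TXT", in_use=False, seq=3),
    make_record("My Secret File.txt", in_use=True),
])

if __name__ == "__main__":
    for hit in search_mft(SAMPLE_MFT, ["my secret file.txt"]):
        print(hit)
```

A hit in an unallocated entry (in_use false) is exactly the "did this file exist in the past" signal the artifact is after; a hit in a live entry answers the "does it still exist" half.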

Windows.Forensics.Prefetch

Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. By parsing this information we are able to determine when binaries were run in the past. On Windows 10 we can see the last 8 execution times and the creation time (9 potential executions).

Several parameters are available for this artifact.

  • dateAfter restricts the search to prefetch evidence after this date.
  • dateBefore restricts the search to prefetch evidence before this date.
  • binaryRegex filters on the binary name, e.g. evil.exe.
  • hashRegex filters on the prefetch hash.

| Arg | Default | Description |
|---|---|---|
| `prefetchGlobs` | `C:\Windows\Prefetch\*.pf` | |
| `dateAfter` | | Search for events after this date. YYYY-MM-DDTmm:hh:ssZ |
| `dateBefore` | | Search for events before this date. YYYY-MM-DDTmm:hh:ssZ |
| `binaryRegex` | | Regex of executable name. |
| `hashRegex` | | Regex of prefetch hash. |

Windows.Forensics.RecentApps

Execution of GUI programs on a Windows 10 system is tracked in the RecentApps registry key.

| Arg | Default | Description |
|---|---|---|
| `UserFilter` | | If specified we filter by this user ID. |
| `ExecutionTimeAfter` | | If specified only show executions after this time. |
| `RecentAppsKey` | `Software\Microsoft\Windows\CurrentVersion\Sear …` | |
| `UserHomes` | `C:\Users\*\NTUSER.DAT` | |

Windows.Forensics.SRUM

Process the SRUM database.

| Arg | Default | Description |
|---|---|---|
| `SRUMLocation` | `c:\windows\system32\sru\srudb.dat` | |
| `accessor` | `ntfs` | |
| `ExecutableRegex` | `.` | |

Windows.Forensics.Timeline

Win10 records recently used applications and files in a “timeline” accessible via the “WIN+TAB” key. The data is recorded in a SQLite database.

| Arg | Default | Description |
|---|---|---|
| `UserFilter` | | If specified we filter by this user ID. |
| `ExecutionTimeAfter` | | If specified only show executions after this time. |
| `Win10TimelineGlob` | `C:\Users\*\AppData\Local\ConnectedDevicesPlat …` | |

Windows.Collectors.File

Collects files using a set of globs. All globs must be on the same device. The globs are searched in one pass, so you can provide many globs at the same time.

| Arg | Default | Description |
|---|---|---|
| `collectionSpec` | `Glob\nUsers\*\NTUser.dat\n` | A CSV file with a Glob column with all the globs to collect. NOTE: Globs must not have a leading device since the device will depend on the VSS. |
| `RootDevice` | `C:` | The device to apply all the globs on. |
| `Accessor` | `lazy_ntfs` | |

Windows.Collectors.VSS

Collects files with VSS deduplication.

Volume Shadow Copy (VSS) is a Windows feature that lets file system snapshots be taken at various times. When collecting files it is useful to go back through the shadow copies to see older versions of critical files.

At the same time we don't want to collect multiple copies of the same data.

This artifact runs the provided globs over all the VSS and collects the unique modified time + path combinations.

If a file was modified in a previous VSS copy, this artifact will retrieve it from multiple shadow copies.

| Arg | Default | Description |
|---|---|---|
| `collectionSpec` | `Glob\nUsers\*\NTUser.dat\n` | A CSV file with a Glob column with all the globs to collect. NOTE: Globs must not have a leading device since the device will depend on the VSS. |
| `RootDevice` | `C:` | The device to apply all the globs on. |
| `Accessor` | `lazy_ntfs` | |
| `VSSDateRegex` | `.` | |
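
The deduplication rule described above, as an added example rather than the artifact's own VQL: rows from the live volume and every shadow copy are keyed on (path, modified time) so that each distinct version of a file is collected once, while an unchanged file is collected only once. The device names, snapshot times and file rows are constructed samples, and the tie-break (live volume first, then the newest snapshot) is an assumption; the artifact itself only promises uniqueness.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the live RootDevice plus two shadow copy devices with their
# snapshot times (real shadow copy devices are enumerated at collection time).
LIVE = "C:"
VSS2 = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2"
VSS1 = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
VSS_CREATED: Dict[str, Optional[str]] = {
    LIVE: None, VSS2: "2024-03-09T00:00:00Z", VSS1: "2024-03-05T00:00:00Z"}

# Constructed rows, as globs like Users\*\NTUser.dat (no leading device, per the
# collectionSpec note) would return when run over the live volume and each VSS.
SAMPLE_ROWS: List[Dict] = [
    {"device": VSS1, "path": r"Users\alice\NTUSER.DAT", "mtime": "2024-03-01T09:00:00Z"},
    {"device": VSS2, "path": r"Users\alice\NTUSER.DAT", "mtime": "2024-03-07T12:00:00Z"},
    {"device": LIVE, "path": r"Users\alice\NTUSER.DAT", "mtime": "2024-03-10T08:00:00Z"},
    {"device": VSS1, "path": r"Users\alice\Desktop\report.docx", "mtime": "2024-02-20T10:00:00Z"},
    {"device": VSS2, "path": r"Users\alice\Desktop\REPORT.docx", "mtime": "2024-02-20T10:00:00Z"},
    {"device": LIVE, "path": r"Users\alice\Desktop\report.docx", "mtime": "2024-02-20T10:00:00Z"},
    {"device": VSS1, "path": r"Users\alice\Desktop\draft.txt", "mtime": "2024-03-04T15:00:00Z"},
    {"device": VSS2, "path": r"Users\alice\Desktop\draft.txt", "mtime": "2024-03-08T15:00:00Z"},
]

def full_path(row: Dict) -> str:
    """Prepend the device at collection time; the glob itself never carries one."""
    return row["device"] + "\\" + row["path"]

def _prefer(candidate: Dict, current: Dict) -> bool:
    """Tie-break for two copies with the same (path, mtime): the live volume wins,
    otherwise the newer snapshot. Assumed ordering, not something the artifact states."""
    if candidate["device"] == LIVE:
        return True
    if current["device"] == LIVE:
        return False
    return VSS_CREATED[candidate["device"]] > VSS_CREATED[current["device"]]

def dedupe_across_vss(rows: List[Dict]) -> List[Dict]:
    """Keep one row per unique (path, modified time) across the live volume and all
    VSS, so every distinct version of a file is collected exactly once."""
    best: Dict[Tuple[str, str], Dict] = {}
    for row in rows:
        key = (row["path"].lower(), row["mtime"])  # NTFS paths are case-insensitive
        if key not in best or _prefer(row, best[key]):
            best[key] = row
    return sorted(best.values(), key=lambda r: (r["path"].lower(), r["mtime"]))

if __name__ == "__main__":
    for row in dedupe_across_vss(SAMPLE_ROWS):
        print(row["mtime"], full_path(row))
```

Note that draft.txt no longer exists on the live volume, yet both of its historical versions are still collected from the shadow copies.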

Windows.NTFS.I30

Carve the $I30 index stream for a directory.

This can reveal previously deleted files. Optionally upload the I30 stream to the server as well.

| Arg | Default | Description |
|---|---|---|
| `DirectoryGlobs` | `C:\Users\` | |

Windows.NTFS.MFT

This artifact scans the $MFT file on the host, showing all files within the MFT. This is useful when trying to recover deleted files: take the MFT ID of a file of interest and provide it to the Windows.NTFS.Recover artifact.

| Arg | Default | Description |
|---|---|---|
| `MFTFilename` | `C:/$MFT` | |
| `Accessor` | `ntfs` | |
| `FilenameRegex` | `.` | |

Windows.NTFS.Recover

Attempt to recover deleted files.

This artifact uploads all streams from an MFT ID. If the MFT entry is not allocated, there is a chance that the clusters containing the actual data of the file are still intact on the disk. Therefore this artifact can be used to attempt to recover a deleted file.

A common use is to recover deleted directory entries using the Windows.NTFS.I30 artifact and identify MFT entries of interest. This artifact can then be used to attempt to recover some of their data.

| Arg | Default | Description |
|---|---|---|
| `MFTId` | `81978` | |
| `Drive` | `\\.\C:` | |