Find DFIR artifacts fast
Search 340 Windows forensic artifacts, paths, and collection targets
// INVESTIGATE BY SCENARIO
Lateral Movement
Track attacker movement across network
Browser Forensics
Analyze web activity and downloads
Persistence
Find malware survival mechanisms
Program Execution
Evidence of program execution
User Activity
Reconstruct user behavior timeline
Data Recovery
Recover deleted and hidden data
// POPULAR ARTIFACTS
Prefetch
Prefetch files
Amcache
Amcache.hve
EventLogs
Event logs
RegistryHivesUser
User Related Registry hives
Chrome
Chrome
SRUM
System Resource Usage Monitor (SRUM) Data
Firefox
Firefox
Edge
Edge
ScheduledTasks
Scheduled tasks (*.job and XML)
$MFT
$MFT
JumpLists
Jump lists
RecycleBin
Recycle Bin DataAndInfo
BITS
Microsoft BITS (Background Intelligent Transfer Service) persistent files
RDPCache
RDP Cache Files
WindowsTimeline
ActivitiesCache.db collector
ThumbCache
Thumbcache DB
AnyDesk
AnyDesk