All Artifacts

AVG Antivirus Data

Avast Antivirus Data

Avira Logs

Bitdefender Antivirus Data

ComboFix Antivirus Data

CrowdStrike Falcon

Cybereason Sensor/Detection Logs

Cylance Antivirus Logs

ESET Antivirus Data

Emsisoft Antivirus Logs

F-Secure Antivirus Data

HitmanPro Antivirus Data

Malwarebytes Data

McAfee Log Files

McAfee ePO Log Files

Microsoft Safety Scanner

RogueKiller Anti-Malware (by Adlice Software)

SUPERAntiSpyware Data

SecureAge Antivirus Logs

Sentinel One Logs

Sophos Data

Symantec AV Logs

TotalAV Antivirus Data

Trend Micro Data

VIPRE Data

Webroot Antivirus

Windows Defender Threat DetectionHistory files

Windows Defender Data

1Password Password Manager

4K Video Downloader

AceText

Acronis True Image

Action1 Application Logs

Advanced IP Scanner Artifacts

Advanced Port Scanner Artifacts

Agent Ransack - Free File Searching Utility

Ammyy Data

AnyDesk

Aspera Connect Log Files

AteraAgent

Box Cloud Storage Metadata

Box Cloud Storage Files

A Target to collect files related to ChatGPT Desktop

Jabber

ClipboardMaster

Confluence Log Files

DWAgent Log Files

Directory Opus

Discord Cache and LevelDB Files

Double Commander

Dropbox Cloud Storage Metadata

Dropbox Cloud Storage Files

EF Commander

Evernote

Everything (VoidTools)

FastStone Image Viewer

Fences

FileZilla XML and SQLite Log Files

FileZilla Server Logs

Forti Client VPN

FreeCommander XE

Free Download Manager

FreeFileSync

Google Backup and Sync Storage Files

Google Drive Metadata

Google Earth

HeidiSQL

HexChat

IDrive Backup Artifacts

ISLOnline Remote Access Tool

ITarian RMM

IceChat

ImgBurn

IrfanView

JDownloader 2

Java WebStart Cache - (IDX Files)

Kaseya Data

Keepass

KeepassXC

Level.io Application Logs

LogMeIn Data

Macrium Reflect

Mattermost

MediaMonkey

MegaSync Data Collection

MeshAgent log and configuration files

Microsoft Azure Copy

Microsoft OneNote

Microsoft Sticky Notes

Microsoft Teams

Microsoft To Do

Midnight Commander

MobaXTerm

Mouse Without Borders

Msty is a UI to interact with large language models (LLMs)

Multi Commander

Nessus

Net Monitor for Employees Pro

Notepad++ Backups, recently searched/replaced terms and recently opened documents

Notion Note-Taking App

One Commander

Microsoft OneDrive Storage Metadata

Microsoft OneDrive Storage Files

OpenSSH Client config, known hosts and keys

OpenSSH Server Config and Logs

OpenVPN Client Config and Log

Outlook PST and OST files

PDQ Deploy database

Palo Alto Networks GlobalProtect VPN logs

PeaZip

ProtonVPN

Pulse Secure

Q-Dir

QFinderPro (QNAP)

Qlik Sense

A Target to collect files that are related to RDCMan

Radmin Server/Viewer Logs and Chats

Rclone config file

Remcos RAT

A Target to collect files that are related to Remote Desktop Manager from Devolutions

Remote Utilities

Robo-FTP

RustDesk

ScreenConnect Data (now known as ConnectWise Control)

Session Desktop

ShareX

Copy Siemens TIA Settings

Signal (Please view this tkape file for documentation on decryption!)

SimpleHelp Remote Access Client

Skype

Slack

Snagit

Soft Perfect Network Scanner Output

SpeedCommander

Splashtop

Steam

Sublime Text 2/3/4 Auto Save Session

SugarSync

SumatraPDF

Supremo Remote Desktop Control Logs

Syncthing Configuration and Logs

Tablacus Explorer

TeamViewer Logs

Telegram Desktop

TeraCopy log history

Mozilla Thunderbird Email Client

Total Commander

TreeSize - Scan History

UEMS Manage Engine Agent

UltraViewer

VLC Media Player

VMware - Virtual Machine Inventory

VMware - Virtual Machine Memory

VNC Logs

ViberPC Messaging App

Collects VirtualBox configuration files

Collects VirtualBox log files

VirtualBox - Memory

Visual Studio Code artifacts

WhatsApp Local Files

WhatsApp Shared Media Files

WinSCP

Windows Your Phone

XYplorer

Xeox Application Logs

Zscaler Logs

Zoho Assist artifacts

Zoom client artifacts

iTunes Backups

mIRC

mRemoteNG

pCloud Database

360 Secure Browser

Arc Browser

Brave Browser

Browser Caches

Chrome

Chrome Browser Extension Metadata

Chrome Extension Files

Chrome HTML5 File System Contents

CocCoc Browser

Edge

Microsoft Edge Chromium Artifacts

Edge Chromium Extension Files

Firefox

Internet Explorer

Opera

Prisma Access Browser

Puffin Secure Browser

QQ Browser

Supermium

UCBrowser

Vivaldi Artifacts

WaveBrowser

Yandex Artifacts

Basic Collection

SANS Triage Collection

Antivirus

Cloud Storage Contents and Metadata

Cloud Storage Metadata

OneDrive and other files used with OneDriveExplorer

Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs

Evidence of execution related files

Exchange Log Files

FTP Clients

File Explorer Replacements

File system metadata

IRC Clients

KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, Notepad unsaved sessions (Win11), 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files.

Messaging and communication apps

MFT, Registry and Event Logs to generate a mini timeline

Network Scanner Tools

P2P Clients

Program Execution Triage Collection

Recycle Bin DataAndInfo

System and user related Registry hives

Composite target for files related to remote administration tools

SOF-ELK related files of interest

SQLDatabases Target for use with SQLECmd Module

A compound target for gathering artifacts common to servers.

Torrent Clients

Collects files that can be input into USB Detective for parsing

Usenet Clients

Runs all VMware modules to collect VMware VM config files, logs and Virtual Hard Disks

VPN Clients

Runs all VirtualBox modules to collect Virtualbox VM config files, logs and Virtual Hard Disks

All Windows Subsystem for Linux targets

Web browser history, bookmarks, etc.

Logs from all known web server applications and supporting services

BitTorrent

DC++

Freenet

FrostWire

Gigatribe Files

NZBGet

Newsbin Pro

Newsleecher

Nicotine++

SABnbzd

Shareaza

Soulseek

Torrent Files

Usenet (NZB) Files

eMule

qBittorrent

uTorrent

$Bitmap

$Boot

$J

$LogFile

$MFT

$MFTMirr

$SDS

$T

Active Directory NTDS

Active Directory Sysvol

Amcache.hve

AppCompat PCA Folder

AppXPackages

Windows Application Event Log

Boot Configuration Files

Microsoft BITS (Background Intelligent Transer Service) persistent files

Capability Access Manager database

Certutil

Windows Drivers

EncapsulationLogging

Collect Win7+ RDP related Event logs

Event logs

Event Trace Logs

EventTranscript.db (and other files related to Telemetry and Diagnostic Data)

Exchange Client Access Log Files

Exchange Server Vulnerability *.Compiled Files

Exchange Setup Log

Exchange Transport Log Files

Current Group Policy Enforcement

Hosts file

IIS

IconCache.db files

Jump lists

LNK Files and jump lists

Linux on Windows Profile Files

LogFiles (includes SUM)

MOF files (WMI)

Memory Files

Microsoft Office Backstage

.NET CLR UsageLogs

A Target to collect files that are currently open in Notepad (Windows 11+)

Office Autosave

Office Diagnostics

Office Document Cache

Perflogs Folder Copy

PowerShell 7 Runtime Config

PowerShell Transcripts

Prefetch files

ProgramData Folder Copy

Windows Push Notification Service

Microsoft Quick Assist/Remote Help

RDP Cache Files

RDP Jumplist Files

RDP Logs

RecentFileCache

Recent Folders LNK files

Recycle Bin Data Files

Recycle Bin Info Files

MSIX/APPX App Hives

Other Registry Hives

System level/related Registry hives

User Related Registry hives

User Related Registry Hives, LNK files, etc

SCCM Client Log Files

Shim SDB FIles

System Resource Usage Monitor (SRUM) Data

SUM Database

Scheduled tasks (*.job and XML)

Obtain detached signature catalog files

Snip & Sketch Cached Images

SnippingTools screenshots

Startup Folders

StartupInfo XML Files

syscache.hve

Thumbcache DB

USB devices log files

Users folders Dump

Virtual Disks

Web-Based Enterprise Management (WBEM)

Windows Error Reporting

WindowsApp Logs

Windows Copilot+ Recall

Windows Firewall Logs

Windows Hello

Windows Index Search

Windows Networks settings

Windows 10 Notification DB

Windows OS Upgrade Artifacts

Windows Power Diagnostics

Windows Server DNS and DHCP log files

Legacy Windows Telemetry and Diagnostics files (*.rbs)

ActivitiesCache.db collector

Windows Update Logs

XP Restore Points - System Volume Information directory