Triage Collections

Composite target for files related to remote administration tools

Antivirus

SANS Triage Collection

KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, Notepad unsaved sessions (Win11), 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files.

Web browser history, bookmarks, etc.

Basic Collection

File Explorer Replacements

Program Execution Triage Collection

Messaging and communication apps

Cloud Storage Contents and Metadata

Cloud Storage Metadata

Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs

File system metadata

P2P Clients

A compound target for gathering artifacts common to servers.

Evidence of execution related files

SOF-ELK related files of interest

Collects files that can be input into USB Detective for parsing

VPN Clients

All Windows Subsystem for Linux targets

FTP Clients

Usenet Clients

Runs all VirtualBox modules to collect Virtualbox VM config files, logs and Virtual Hard Disks

Logs from all known web server applications and supporting services

OneDrive and other files used with OneDriveExplorer

Exchange Log Files

IRC Clients

MFT, Registry and Event Logs to generate a mini timeline

Network Scanner Tools

System and user related Registry hives

Torrent Clients

Runs all VMware modules to collect VMware VM config files, logs and Virtual Hard Disks

Recycle Bin DataAndInfo

Sophos Data

Symantec AV Logs

LogMeIn Data

ScreenConnect Data (now known as ConnectWise Control)

VNC Logs