// AUTO-GENERATED by forensicnomicon ingest pipeline.
// Source: kape
// Entries: 2422
// Do not edit manually — re-run `cargo run -p ingest` to regenerate.
#![allow(clippy::too_many_lines)]
use super::super::super::types::{
ArtifactDescriptor, ArtifactType, DataScope, Decoder, OsScope, TriagePriority,
};
/// Descriptor for the KAPE `!KapeTriage` compound target.
///
/// `file_path` is the bare target file name rather than an on-disk path, so
/// this entry identifies the KAPE target itself, not a collectable artifact;
/// consumers that treat every `ArtifactType::File` as a filesystem path should
/// special-case it (NOTE(review): confirm how the matcher handles a relative
/// name with no drive root).
pub(crate) static KAPE_FILE_KAPETRIAGE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_kapetriage_tkape",
name: "KapeTriage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("KapeTriage.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "KapeTriage — collected by KAPE !KapeTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `AppData` directory tree, as collected by the KAPE `AppData` target.
///
/// `%user%` is the KAPE per-profile placeholder and is not expanded here;
/// the trailing backslash marks a directory collection. This tree is large and
/// contains credential stores and browser data, so it is `DataScope::Mixed`.
pub(crate) static KAPE_FILE_USER_APPDATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_appdata",
name: "AppData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AppData — collected by KAPE AppData target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppData.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide audio-file sweep (KAPE `DirectoryTraversal_AudioFiles` target).
///
/// The `regex:` prefix is KAPE's own path-spec syntax, not a Rust regex; the
/// pattern must be interpreted by whatever matcher understands KAPE targets
/// (NOTE(review): confirm the consumer does not hand the raw string to a
/// regex engine). The static's identifier is truncated to the first few
/// extensions by the ingest pipeline; the full list lives in `file_path`.
pub(crate) static KAPE_FILE_REGEX_3GP_AA_AAC_ACT_AIFF_ALAC_AMR_APE_AU_AWB_DSS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_3gp_aa_aac_act_aiff_alac_amr_ape_au_awb_dss",
name: "Audio files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(3gp|aa|aac|act|aiff|alac|amr|ape|au|awb|dss|dvf|flac|gsm|iklax|ivs|m4a|m4b|m4p|mmf|mp3|mpc|msv|nmf|ogg|oga|mogg|opus|ra|rm|raw|rf64|sln|tta|voc|vox|wav|wma|wv|webm)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers most (if not all) audio file formats",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_AudioFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide spreadsheet sweep (KAPE `DirectoryTraversal_ExcelDocuments`).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). Note the list
/// includes `xlam`, `xll`, `xlm` and `xlsm`, i.e. macro-enabled and add-in
/// formats that are common malicious-document carriers, so hits here are
/// worth correlating with execution artifacts even though the generated
/// priority is `Low`.
pub(crate) static KAPE_FILE_REGEX_XLS_XLSX_CSV_TSV_XLT_XLM_XLSM_XLTX_XLTM_XLSB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_xls_xlsx_csv_tsv_xlt_xlm_xlsm_xltx_xltm_xlsb",
name: "Excel and Excel-like Documents",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(xls|xlsx|csv|tsv|xlt|xlm|xlsm|xltx|xltm|xlsb|xla|xlam|xll|xlw|ods|fodp|qpw)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers all document file formats for Excel, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_ExcelDocuments.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide PDF/XPS sweep (KAPE `DirectoryTraversal_PDFDocuments` target).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). PDFs are a
/// frequent phishing payload; the `Low` priority comes from the ingest
/// default rather than an analyst judgement.
pub(crate) static KAPE_FILE_REGEX_PDF_XPS_OXPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_pdf_xps_oxps",
name: "PDF and PDF-like Documents",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(pdf|xps|oxps)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers all PDF and PDF-like document formats",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_PDFDocuments.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide image-file sweep (KAPE `DirectoryTraversal_PictureFiles`).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). The extension
/// list is copied verbatim from upstream, including the apparently fused
/// `mj2jpeg` alternative (NOTE(review): upstream likely intended `mj2|jpeg`;
/// fix belongs in the KapeFiles source, not here).
pub(crate) static KAPE_FILE_REGEX_AI_BMP_BPG_CDR_CPC_EPS_EXR_FLIF_GIF_HEIF_ILB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_ai_bmp_bpg_cdr_cpc_eps_exr_flif_gif_heif_ilb",
name: "Picture files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(ai|bmp|bpg|cdr|cpc|eps|exr|flif|gif|heif|ilbm|ima|jp2|j2k|jpf|jpm|jpg2|j2c|jpc|jpx|mj2jpeg|jpg|jxl|kra|ora|pcx|pgf|pgm|png|pnm|ppm|psb|psd|psp|svg|tga|tiff|webp|xaml|xcf)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers most (if not all) picture file formats",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_PictureFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide SQLite database sweep (KAPE `DirectoryTraversal_SQLiteDatabases`).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). The alternation
/// `(db*|sqlite*|)` ends in an empty branch, so the group can match nothing;
/// unless the consuming matcher anchors the pattern at end-of-name this may
/// select far more than SQLite files (NOTE(review): verify against the
/// upstream target and how the matcher anchors).
pub(crate) static KAPE_FILE_REGEX_DB_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_db_sqlite",
name: "SQLite Files (.db* and .sqlite*)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(db*|sqlite*|)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers all common file extensions for SQLite databases",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide video-file sweep (KAPE `DirectoryTraversal_VideoFiles` target).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). Several
/// extensions (`gif`, `ogg`, `rm`, `webm`) also appear in the audio and
/// picture sweeps, so a collector enabling more than one of these targets
/// should expect duplicate hits.
pub(crate) static KAPE_FILE_REGEX_3G2_3GP_AMV_ASF_AVI_DRC_FLV_F4V_F4P_F4A_F4B: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_3g2_3gp_amv_asf_avi_drc_flv_f4v_f4p_f4a_f4b",
name: "Video files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(3g2|3gp|amv|asf|avi|drc|flv|f4v|f4p|f4a|f4b|gif|gifv|m4v|mkv|mov|qt|mp4|m4p|mpg|mpeg|m2v|mp2|mpe|mpv|mts|m2ts|ts|mxf|nsv|ogv|ogg|rm|rmvb|roq|svi|viv|vob|webm|wmv|yuv)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers most (if not all) video file formats",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_VideoFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Upstream's wildcard *example* target (`DirectoryTraversal_WildCardExample`).
///
/// The `meaning` text from upstream says this is a demonstration and should
/// not be used as-is; a collector must not enable it by default, as it walks
/// the whole drive for `*.zip`. The single quotes are part of the upstream
/// path mask and are preserved verbatim.
pub(crate) static KAPE_FILE_C_ZIP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_zip",
name: "Zips",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.zip'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "This is an example of how to walk a drive for a file mask. Probably do not want to use this one as is",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_WildCardExample.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Drive-wide word-processor document sweep (KAPE `DirectoryTraversal_WordDocuments`).
///
/// Uses the KAPE `regex:` path-spec prefix (not a Rust regex). Includes the
/// macro-enabled `docm`/`dotm` formats and `wp*`, which in the upstream
/// syntax is a wildcard over WordPerfect extensions rather than a regex
/// quantifier (NOTE(review): confirm how the consumer treats `*` inside a
/// `regex:` spec).
pub(crate) static KAPE_FILE_REGEX_DOC_DOCX_DOCM_DOTX_DOTM_DOCB_DOT_WBK_ODT_FOD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_doc_docx_docm_dotx_dotm_docb_dot_wbk_odt_fod",
name: "Word and Word-like Documents",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\regex:*.+\\.(doc|docx|docm|dotx|dotm|docb|dot|wbk|odt|fodt|rtf|wp*|tmd)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Covers all document file formats for Word, OpenOffice, LibreOffice, Apache OpenOffice, WPS Office, SoftMaker Office, and more",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryTraversal_WordDocuments.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Desktop` folder (KAPE `LiveUserFiles` target).
///
/// `%user%` is the KAPE per-profile placeholder; trailing backslash denotes a
/// directory collection. Shares its source with the Documents, Downloads and
/// Dropbox entries below.
pub(crate) static KAPE_FILE_USER_DESKTOP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_desktop",
name: "User Files - Desktop",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Desktop\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Files - Desktop — collected by KAPE LiveUserFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LiveUserFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Documents` folder (KAPE `LiveUserFiles` target).
///
/// `%user%` is the KAPE per-profile placeholder; trailing backslash denotes a
/// directory collection.
pub(crate) static KAPE_FILE_USER_DOCUMENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_documents",
name: "User Files - Documents",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Files - Documents — collected by KAPE LiveUserFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LiveUserFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Downloads` folder (KAPE `LiveUserFiles` target).
///
/// The only `LiveUserFiles` entry with `TriagePriority::Medium`: downloaded
/// payloads are the usual initial-access carrier, so this folder is the
/// first of the user-file collections worth reviewing. `%user%` is the KAPE
/// per-profile placeholder.
pub(crate) static KAPE_FILE_USER_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_downloads",
name: "User Files - Downloads",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Downloads\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Files - Downloads — collected by KAPE LiveUserFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LiveUserFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Dropbox sync folder(s) (KAPE `LiveUserFiles` target).
///
/// `Dropbox*` is a KAPE glob so that `Dropbox`, `Dropbox (Personal)` and
/// similar variants are all caught. Cloud-sync folders matter for
/// exfiltration and staging timelines; `%user%` is the KAPE per-profile
/// placeholder.
pub(crate) static KAPE_FILE_USER_DROPBOX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_dropbox",
name: "User Files - Dropbox",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Dropbox*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Files - Dropbox — collected by KAPE LiveUserFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LiveUserFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG Antivirus log directory on the XP-era profile layout (KAPE `AVG` target).
///
/// The path is under `Documents and Settings`, i.e. Windows XP/2003, yet
/// `os_scope` is `OsScope::Win7Plus` (NOTE(review): the ingest appears to
/// default every target to Win7Plus — confirm whether `OsScope` has a
/// pre-Vista variant to use here). The identifier is derived from the
/// trailing path components (`Antivirus\log`) rather than the vendor, so
/// uniqueness across the 2422 generated entries depends on the ingest
/// de-duplicating ids.
pub(crate) static KAPE_FILE_ANTIVIRUS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_log",
name: "AVG AV Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\AVG\\Antivirus\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG AV Logs (XP) — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG Antivirus report directory on the XP-era profile layout (KAPE `AVG` target).
///
/// Same `os_scope` caveat as `KAPE_FILE_ANTIVIRUS_LOG`: the path only exists
/// on Windows XP/2003 but the descriptor is tagged `Win7Plus`.
pub(crate) static KAPE_FILE_ANTIVIRUS_REPORT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_report",
name: "AVG AV Report Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\All Users\\Application Data\\AVG\\Antivirus\\report",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG AV Report Logs (XP) — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG Antivirus log directory under `ProgramData` (KAPE `AVG` target).
///
/// Vista+ counterpart of `KAPE_FILE_ANTIVIRUS_LOG`. AV logs are a primary
/// source for detection/quarantine timelines and for spotting tampering with
/// the security product itself.
pub(crate) static KAPE_FILE_AVG_AV_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avg_av_logs",
name: "AVG AV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\AVG\\Antivirus\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG AV Logs — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG Antivirus report directory under `ProgramData` (KAPE `AVG` target).
///
/// Vista+ counterpart of `KAPE_FILE_ANTIVIRUS_REPORT`.
pub(crate) static KAPE_FILE_AVG_REPORT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avg_report_logs",
name: "AVG Report Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\AVG\\Antivirus\\report"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG Report Logs — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG "Persistent Data" log directory (KAPE `AVG` target).
///
/// The identifier `kape_file_antivirus_logs` differs from
/// `kape_file_antivirus_log` only by a trailing `s`; both are derived from
/// path components and neither carries the vendor name, which makes them
/// easy to confuse when referenced from `related_artifacts` elsewhere.
pub(crate) static KAPE_FILE_ANTIVIRUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_logs",
name: "AVG Persistent Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\AVG\\Persistent Data\\Antivirus\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG Persistent Logs — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG `AntivirusFileInfo2.db` file-information database (KAPE `AVG` target).
///
/// A single file rather than a directory. `decoder` is `Identity`, so the
/// raw file is collected and not parsed here.
pub(crate) static KAPE_FILE_AVG_ANTIVIRUSFILEINFO2_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avg_antivirusfileinfo2_db",
name: "AVG FileInfo DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\AVG\\AntivirusFileInfo2.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG FileInfo DB — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AVG `Antiviruslsdb2.json` (KAPE `AVG` target).
///
/// The display name says `lsdbj2` while the file is `lsdb2.json`; both are
/// copied from upstream as-is. Collected raw (`Decoder::Identity`).
pub(crate) static KAPE_FILE_AVG_ANTIVIRUSLSDB2_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avg_antiviruslsdb2_json",
name: "AVG lsdbj2 JSON",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\AVG\\Antiviruslsdb2.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG lsdbj2 JSON — collected by KAPE AVG target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AVG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast log directory on the XP-era profile layout (KAPE `Avast` target).
///
/// Path is under `Documents And Settings` (XP/2003) but `os_scope` is
/// `Win7Plus` — same ingest-default caveat as the AVG XP entries. Note the
/// capitalised `And`, preserved from upstream; NTFS is case-insensitive so it
/// matches on a live system, but a case-sensitive matcher would miss it.
pub(crate) static KAPE_FILE_AVAST_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avast_log",
name: "Avast AV Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents And Settings\\All Users\\Application Data\\Avast Software\\Avast\\Log\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast AV Logs (XP) — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast system-wide log directory under `ProgramData` (KAPE `Avast` target).
///
/// Vista+ counterpart of `KAPE_FILE_AVAST_LOG`; trailing backslash denotes a
/// directory collection.
pub(crate) static KAPE_FILE_AVAST_AV_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avast_av_logs",
name: "Avast AV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avast Software\\Avast\\Log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast AV Logs — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast per-user log directory (KAPE `Avast` target).
///
/// `%user%` is the KAPE per-profile placeholder. Upstream places the folder
/// directly under the profile root rather than under `AppData`; preserved
/// verbatim.
pub(crate) static KAPE_FILE_AVAST_AV_USER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avast_av_user_logs",
name: "Avast AV User Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Avast Software\\Avast\\Log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast AV User Logs — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast virus-chest (quarantine) index, `Chest\index.xml` (KAPE `Avast` target).
///
/// Only the index is collected, not the quarantined payloads; it records
/// what was detected and when, which is the useful timeline data. The id is
/// path-derived (`chest_index_xml`) and carries no vendor name.
pub(crate) static KAPE_FILE_CHEST_INDEX_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chest_index_xml",
name: "Avast AV Index",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avast Software\\Avast\\Chest\\index.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast AV Index — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast "Persistent Data" log directory (KAPE `Avast` target).
pub(crate) static KAPE_FILE_AVAST_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avast_logs",
name: "Avast Persistent Data Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast Persistent Data Logs — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Avast Icarus (installer/updater component) log directory (KAPE `Avast` target).
///
/// Path-derived id (`icarus_logs`) with no vendor prefix.
pub(crate) static KAPE_FILE_ICARUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_icarus_logs",
name: "Avast Icarus Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avast Software\\Icarus\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast Icarus Logs — collected by KAPE Avast target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Avast.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
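/// Avira Antivirus scan-log directory (KAPE `AviraAVLogs` target).
///
/// `meaning` is the upstream target's `Comment` field. The ingest pipeline
/// copied the YAML string delimiters into the value (the literal text was
/// `"\"Collects the scan logs of Avira Antivirus\""`); they are stripped here
/// so the text renders without stray quotes. The same defect affects the
/// Avira VPN, Bitdefender SQLite and ESET NOD32 entries in this file, and the
/// proper fix is in the ingest's YAML handling — this edit will be reverted
/// by a regeneration until that is done.
pub(crate) static KAPE_FILE_ANTIVIRUS_LOGFILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_logfiles",
name: "Avira Activity Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avira\\Antivirus\\LOGFILES\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Quotes stripped from the ingested Comment field; see doc comment above.
meaning: "Collects the scan logs of Avira Antivirus",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AviraAVLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};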
/// Avira Security log directory (KAPE `AviraAVLogs` target).
///
/// The id `kape_file_security_logs` is derived from the generic trailing
/// path components `Security\Logs` and does not mention Avira (NOTE(review):
/// an obvious collision candidate with other vendors' `Security\Logs` trees —
/// check the ingest enforces unique ids across the whole table).
pub(crate) static KAPE_FILE_SECURITY_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_security_logs",
name: "Avira Security Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avira\\Security\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avira Security Logs — collected by KAPE AviraAVLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AviraAVLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
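/// Avira VPN log directory (KAPE `AviraAVLogs` target).
///
/// `meaning` is the upstream target's `Comment` field; the YAML string
/// delimiters that the ingest pipeline leaked into the value (the literal
/// text was `"\"Collects the VPN logs\""`) are stripped here. The root cause
/// is in the ingest's YAML handling and this edit is lost on regeneration
/// until that is fixed. VPN client logs can establish when a host was on a
/// tunnel, which matters when correlating with network evidence.
pub(crate) static KAPE_FILE_AVIRA_VPN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avira_vpn",
name: "Avira VPN Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Avira\\VPN"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Quotes stripped from the ingested Comment field; see doc comment above.
meaning: "Collects the VPN logs",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AviraAVLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};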
/// Bitdefender Endpoint Security (business agent) log directory (KAPE `Bitdefender` target).
///
/// Trailing backslash denotes a directory collection. Path-derived id with
/// no vendor prefix.
pub(crate) static KAPE_FILE_ENDPOINT_SECURITY_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_endpoint_security_logs",
name: "Bitdefender Endpoint Security Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Bitdefender\\Endpoint Security\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bitdefender Endpoint Security Logs — collected by KAPE Bitdefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Bitdefender.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Bitdefender consumer (Internet Security) profile log directory (KAPE `Bitdefender` target).
///
/// The id `kape_file_profiles_logs` comes from the generic `Profiles\Logs`
/// suffix and does not identify Bitdefender; see the uniqueness caveat on
/// `KAPE_FILE_SECURITY_LOGS`.
pub(crate) static KAPE_FILE_PROFILES_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_profiles_logs",
name: "Bitdefender Internet Security Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Bitdefender\\Desktop\\Profiles\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bitdefender Internet Security Logs — collected by KAPE Bitdefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Bitdefender.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
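/// Bitdefender SQLite databases under `Program Files*\Bitdefender*` (KAPE `Bitdefender` target).
///
/// Mixes two KAPE path-spec features: `*` globs on the directory components
/// and a `regex:` segment for the file name; neither is a Rust regex and the
/// string must be interpreted by a KAPE-aware matcher. Collecting `db-wal`
/// and `db-shm` alongside `db` matters because un-checkpointed WAL content
/// is lost if only the main file is copied.
///
/// `meaning` is the upstream `Comment` field with the YAML string delimiters
/// that the ingest leaked into the value (literal text was
/// `"\"Bitdefender SQLite databases\""`) stripped; the root cause is in the
/// ingest and this edit is lost on regeneration until it is fixed there.
pub(crate) static KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_db_db_wal_db_shm",
name: "Bitdefender SQLite DB Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Bitdefender*\\regex:*.+\\.(db|db-wal|db-shm)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Quotes stripped from the ingested Comment field; see doc comment above.
meaning: "Bitdefender SQLite databases",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Bitdefender.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};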
/// ComboFix cleanup report written to the drive root (KAPE `Combofix` target).
///
/// Presence of this file indicates the removal tool was run on the host, which
/// is itself a timeline event worth recording (someone attempted remediation).
pub(crate) static KAPE_FILE_C_COMBOFIX_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_combofix_txt",
name: "ComboFix",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ComboFix.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ComboFix — collected by KAPE Combofix target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Combofix.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CrowdStrike Falcon quarantine directory (KAPE `CrowdStrikeFalcon` target).
///
/// This directory holds files the sensor has quarantined, i.e. suspected
/// malware. Collection tooling should treat the output as hostile content
/// (no auto-extraction or preview, store with the rest of the malware
/// evidence). Despite that, the generated `triage_priority` is `Low` and
/// `mitre_techniques` is empty — both are ingest defaults, not an analyst
/// rating (NOTE(review): candidate for a higher priority once a curation
/// pass exists).
pub(crate) static KAPE_FILE_CROWDSTRIKE_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crowdstrike_quarantine",
name: "CrowdStrike Falcon Quarantined File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\Drivers\\CrowdStrike\\Quarantine\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CrowdStrike Falcon Quarantined File — collected by KAPE CrowdStrikeFalcon target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CrowdStrikeFalcon.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cybereason anti-ransomware component (`crs1`) log directory (KAPE `Cybereason` target).
///
/// The opaque directory names `crs1`, `apv2` and `crb1` are Cybereason's own;
/// the `name` field is the only human-readable hint to which component each
/// one belongs.
pub(crate) static KAPE_FILE_CRS1_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crs1_logs",
name: "Cybereason Anti-Ransomware Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\crs1\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cybereason Anti-Ransomware Logs — collected by KAPE Cybereason target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cybereason.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cybereason sensor-communications / anti-malware component (`apv2`) log directory (KAPE `Cybereason` target).
///
/// Sensor-to-server communication logs are useful for establishing when the
/// endpoint last reported in, e.g. to detect sensor tampering or isolation.
pub(crate) static KAPE_FILE_APV2_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apv2_logs",
name: "Cybereason Sensor Communications and Anti-Malware Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\apv2\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cybereason Sensor Communications and Anti-Malware Logs — collected by KAPE Cybereason target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cybereason.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cybereason application-control / NGAV component (`crb1`) log directory (KAPE `Cybereason` target).
pub(crate) static KAPE_FILE_CRB1_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crb1_logs",
name: "Cybereason Application Control and NGAV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\crb1\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cybereason Application Control and NGAV Logs — collected by KAPE Cybereason target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cybereason.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cylance PROTECT data directory under `ProgramData` (KAPE `Cylance` target).
///
/// The whole `Cylance\Desktop` tree is collected, not just a log file;
/// expect it to contain the agent's local state alongside logs.
pub(crate) static KAPE_FILE_CYLANCE_DESKTOP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cylance_desktop",
name: "Cylance ProgramData Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Cylance\\Desktop"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cylance ProgramData Logs — collected by KAPE Cylance target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cylance.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cylance OPTICS (EDR module) log directory (KAPE `Cylance` target).
///
/// Path-derived id (`optics_log`) with no vendor prefix.
pub(crate) static KAPE_FILE_OPTICS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_optics_log",
name: "Cylance Optics Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Cylance\\Optics\\Log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cylance Optics Logs — collected by KAPE Cylance target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cylance.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Cylance PROTECT log directory under `Program Files` (KAPE `Cylance` target).
///
/// The id `kape_file_desktop_log` is derived from the generic `Desktop\log`
/// suffix and says nothing about Cylance; see the uniqueness caveat on
/// `KAPE_FILE_SECURITY_LOGS`. Upstream uses a literal `Program Files` here,
/// so a 32-bit agent under `Program Files (x86)` would not be matched.
pub(crate) static KAPE_FILE_DESKTOP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_desktop_log",
name: "Cylance Program Files Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Cylance\\Desktop\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cylance Program Files Logs — collected by KAPE Cylance target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Cylance.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: ESET NOD32 log directory at the Windows XP "All Users" profile path
/// (`Documents and Settings\All Users\Application Data`). Raw collection, Low priority.
// NOTE(review): the path is the pre-Vista profile layout yet os_scope is Win7Plus — confirm
// whether the ingest mapping has an OsScope variant for legacy hosts or folds them in on purpose.
pub(crate) static KAPE_FILE_ESET_NOD32_ANTIVIRUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eset_nod32_antivirus_logs",
name: "ESET NOD32 AV Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ESET NOD32 AV Logs (XP) — collected by KAPE ESET target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: ESET NOD32 Antivirus log directory under ProgramData.
/// Unlike most entries, `meaning` carries the tkape Comment (a pointer to a third-party log
/// parser) rather than the generated "<name> — collected by KAPE ..." text; the logs
/// themselves are still raw-copied (`Decoder::Identity`).
// NOTE(review): the literal escaped quotes wrapping `meaning` look like YAML quoting leaked
// through the ingest pipeline — the fix belongs in the generator, not this file.
pub(crate) static KAPE_FILE_ESET_NOD32_AV_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eset_nod32_av_logs",
name: "ESET NOD32 AV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Parser available at https://github.com/laciKE/EsetLogParser\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: "ESET Security" product-line log directory under ProgramData.
/// The display `name` repeats the NOD32 entry's name; the two are distinct by `id` and path.
pub(crate) static KAPE_FILE_ESET_SECURITY_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eset_security_logs",
name: "ESET NOD32 AV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ESET\\ESET Security\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ESET NOD32 AV Logs — collected by KAPE ESET target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: ESET Remote Administrator agent logs. Per the tkape Comment carried
/// in `meaning`, these record tasks the management server executed on this host, which is
/// why they are of interest when reconstructing what an administrator (or someone holding
/// admin credentials) pushed to the endpoint.
// NOTE(review): literal escaped quotes in `meaning` — YAML quoting leaked from ingest; verify.
pub(crate) static KAPE_FILE_ERAAGENTAPPLICATIONDATA_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eraagentapplicationdata_logs",
name: "ESET Remote Administrator Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\ESET\\RemoteAdministrator\\Agent\\EraAgentApplicationData\\Logs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Remote Administrator logs include information on tasks executed on the target.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: per-user ESET Security quarantine directory under local AppData
/// (`%user%` is a KAPE path placeholder). Quarantined items are raw-copied; no decoder or
/// field schema is recorded for the quarantine container format.
pub(crate) static KAPE_FILE_ESET_SECURITY_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eset_security_quarantine",
name: "Local User Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\ESET\\ESET Security\\Quarantine\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local User Quarantine — collected by KAPE ESET target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ESET` target: ESET Security quarantine inside the SYSTEM account's profile
/// (`System32\config\systemprofile`), i.e. items quarantined while the engine ran in the
/// service context rather than for an interactive user. Raw collection, Low priority.
// NOTE(review): `id` appears truncated ("quaranti") — presumably a length cap in the generator.
pub(crate) static KAPE_FILE_SYSTEM_USER_QUARANTI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_user_quaranti",
name: "SYSTEM user quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\ESET\\ESET Security\\Quarantine\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM user quarantine — collected by KAPE ESET target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ESET.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ElasticDefend` target: Elastic Endpoint (Defend) agent `*.log` files under the
/// Endpoint state directory. Raw collection, Low priority.
// NOTE(review): the trailing `'*.log'` keeps its single quotes — this looks like the tkape
// FileMask's YAML quoting leaked into the joined path; a glob that matches literally would
// look for apostrophes in the file name and miss every log. Confirm and fix in the ingest pipeline.
pub(crate) static KAPE_FILE_LOG_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_log",
name: "Elastic Defend Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Elastic\\Endpoint\\state\\log\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Elastic Defend Logs — collected by KAPE ElasticDefend target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ElasticDefend.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ElasticDefend` target: Elastic Defend quarantine directory at the volume root
/// (`C:\.equarantine`). Raw collection of whatever the agent isolated there.
// NOTE(review): `'*'` retains its single quotes — same leaked-FileMask-quoting issue as the
// Elastic Defend log entry; verify in the ingest pipeline.
pub(crate) static KAPE_FILE_EQUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_equarantine",
name: "Elastic Defend Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\.equarantine\\'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Elastic Defend Quarantine — collected by KAPE ElasticDefend target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ElasticDefend.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ElasticDefend` target: Elastic Defend quarantine under the Endpoint state directory.
/// Shares its display name with the volume-root quarantine entry; distinct by `id` and path.
// NOTE(review): `id` appears truncated ("quara"), and `'*'` retains its single quotes
// (leaked FileMask quoting) — both look like generator issues to verify in ingest.
pub(crate) static KAPE_FILE_ELASTIC_DEFEND_QUARA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_elastic_defend_quara",
name: "Elastic Defend Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Elastic\\Endpoint\\state\\.equarantine\\'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Elastic Defend Quarantine — collected by KAPE ElasticDefend target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ElasticDefend.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Emsisoft` target: Emsisoft scan report text files (`scan*.txt`). `meaning` carries
/// the tkape Comment, which says the reports can hold detection and quarantine details.
// NOTE(review): literal escaped quotes in `meaning` — leaked YAML quoting; verify in ingest.
pub(crate) static KAPE_FILE_REPORTS_SCAN_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reports_scan_txt",
name: "Emsisoft Scan Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Emsisoft\\Reports\\scan*.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Can contain file detection and quarantine info\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Emsisoft.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `FSecure` target: F-Secure product log directory under ProgramData.
/// Raw collection, Low priority; evidence and volatility fields left unset by the generator.
pub(crate) static KAPE_FILE_F_SECURE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_f_secure_log",
name: "F-Secure Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\F-Secure\\Log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "F-Secure Logs — collected by KAPE FSecure target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FSecure.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `FSecure` target: per-user F-Secure log directory under the user's local AppData
/// (`%user%` is a KAPE path placeholder). Raw collection, Low priority.
pub(crate) static KAPE_FILE_F_SECURE_USER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_f_secure_user_logs",
name: "F-Secure User Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\F-Secure\\Log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "F-Secure User Logs — collected by KAPE FSecure target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FSecure.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `FSecure` target: F-Secure scheduled-scan report directory under ProgramData.
/// Raw collection, Low priority; no field schema or evidence rating recorded.
pub(crate) static KAPE_FILE_ANTIVIRUS_SCHEDULEDSCANREPORTS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_antivirus_scheduledscanreports",
name: "F-Secure Scheduled Scan Reports",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\F-Secure\\Antivirus\\ScheduledScanReports\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "F-Secure Scheduled Scan Reports — collected by KAPE FSecure target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FSecure.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `HitmanPro` target: HitmanPro scanner log directory under ProgramData.
/// Raw collection, Low priority; evidence and volatility fields unset.
pub(crate) static KAPE_FILE_HITMANPRO_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hitmanpro_logs",
name: "HitmanPro Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\HitmanPro\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HitmanPro Logs — collected by KAPE HitmanPro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HitmanPro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `HitmanPro` target: HitmanPro.Alert (the exploit-mitigation component) log directory
/// under ProgramData. Raw collection, Low priority.
pub(crate) static KAPE_FILE_HITMANPRO_ALERT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hitmanpro_alert_logs",
name: "HitmanPro Alert Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\HitmanPro.Alert\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HitmanPro Alert Logs — collected by KAPE HitmanPro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HitmanPro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `HitmanPro` target: the HitmanPro.Alert `excalibur.db` file. The tkape Comment in
/// `meaning` identifies it as a SQLite database, but `decoder` is still `Identity`, so the
/// file is copied verbatim and not parsed by this descriptor.
// NOTE(review): literal escaped quotes in `meaning` — leaked YAML quoting; verify in ingest.
pub(crate) static KAPE_FILE_HITMANPRO_ALERT_EXCALIBUR_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hitmanpro_alert_excalibur_db",
name: "HitmanPro Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\HitmanPro.Alert\\excalibur.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite DB\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HitmanPro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `HitmanPro` target: HitmanPro quarantine directory under ProgramData.
/// Raw collection of isolated items; no decoder or field schema recorded.
pub(crate) static KAPE_FILE_HITMANPRO_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hitmanpro_quarantine",
name: "HitmanPro Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\HitmanPro\\Quarantine"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HitmanPro Quarantine — collected by KAPE HitmanPro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HitmanPro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Malwarebytes` target: legacy Malwarebytes Anti-Malware XML scan logs
/// (`mbam-log-*.xml`) under ProgramData. Raw collection, Low priority.
// NOTE(review): `'mbam-log-*.xml'` keeps its single quotes — looks like the tkape FileMask's
// YAML quoting leaked into the joined path; confirm and fix in the ingest pipeline.
pub(crate) static KAPE_FILE_LOGS_MBAM_LOG_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_mbam_log_xml",
name: "MalwareBytes Anti-Malware Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Malwarebytes\\Malwarebytes Anti-Malware\\Logs\\'mbam-log-*.xml'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MalwareBytes Anti-Malware Logs — collected by KAPE Malwarebytes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Malwarebytes.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Malwarebytes` target: MBAMService log files, including rotated generations
/// (`mbamservice.log*`), under ProgramData. Raw collection, Low priority.
pub(crate) static KAPE_FILE_LOGS_MBAMSERVICE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_mbamservice_log",
name: "MalwareBytes Anti-Malware Service Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Malwarebytes\\MBAMService\\logs\\mbamservice.log*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MalwareBytes Anti-Malware Service Logs — collected by KAPE Malwarebytes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Malwarebytes.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Malwarebytes` target: per-user Malwarebytes Anti-Malware scan logs under roaming
/// AppData (`%user%` is a KAPE path placeholder). Raw collection, Low priority.
pub(crate) static KAPE_FILE_MALWAREBYTES_ANTI_MALWARE_LOGS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_malwarebytes_anti_malware_logs",
name: "MalwareBytes Anti-Malware Scan Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Malwarebytes\\Malwarebytes Anti-Malware\\Logs\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MalwareBytes Anti-Malware Scan Logs — collected by KAPE Malwarebytes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Malwarebytes.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Malwarebytes` target: MBAMService scan-result files under ProgramData.
/// Raw collection, Low priority; no field schema or evidence rating recorded.
pub(crate) static KAPE_FILE_MBAMSERVICE_SCANRESULTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mbamservice_scanresults",
name: "MalwareBytes Anti-Malware Scan Results Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Malwarebytes\\MBAMService\\ScanResults"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MalwareBytes Anti-Malware Scan Results Logs — collected by KAPE Malwarebytes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Malwarebytes.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Desktop Protection logs at the legacy
/// `C:\Users\All Users\Application Data` location (the name marks it as the XP entry).
// NOTE(review): labelled XP yet os_scope is Win7Plus — confirm how the ingest mapping treats
// legacy-layout paths.
pub(crate) static KAPE_FILE_MCAFEE_DESKTOPPROTECTION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_desktopprotection",
name: "McAfee Desktop Protection Logs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\All Users\\Application Data\\McAfee\\DesktopProtection\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Desktop Protection Logs XP — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Desktop Protection log directory under ProgramData
/// (the Vista+ counterpart of the XP entry). Raw collection, Low priority.
// NOTE(review): `id` appears truncated ("prote") — presumably a length cap in the generator.
pub(crate) static KAPE_FILE_MCAFEE_DESKTOP_PROTE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_desktop_prote",
name: "McAfee Desktop Protection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\McAfee\\DesktopProtection\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Desktop Protection Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Endpoint Security (ENS) log directory under ProgramData.
/// The identical path is emitted again for the `McAfee_ePO` target under a separate `id`,
/// so consumers de-duplicating by path should expect two descriptors for this directory.
pub(crate) static KAPE_FILE_ENDPOINT_SECURITY_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_endpoint_security_logs_2",
name: "McAfee Endpoint Security Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\McAfee\\Endpoint Security\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Endpoint Security Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Endpoint Security `Logs_Old` directory — presumably rotated
/// or archived logs kept alongside the live `Logs` directory. The display name duplicates
/// the current-logs entry; the two are distinct by `id` and path.
pub(crate) static KAPE_FILE_ENDPOINT_SECURITY_LOGS_OLD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_endpoint_security_logs_old",
name: "McAfee Endpoint Security Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\McAfee\\Endpoint Security\\Logs_Old\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Endpoint Security Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee VirusScan log directory under ProgramData.
/// Raw collection, Low priority; evidence and volatility fields unset.
pub(crate) static KAPE_FILE_MCAFEE_VIRUSSCAN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_virusscan",
name: "McAfee VirusScan Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\VirusScan\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee VirusScan Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee MSC log directory under ProgramData.
/// Raw collection, Low priority; no field schema recorded.
pub(crate) static KAPE_FILE_MSC_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_msc_logs",
name: "McAfee MSC Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\MSC\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee MSC Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Agent `AgentEvents` directory under ProgramData.
/// Raw collection, Low priority; a legacy "All Users" counterpart exists as a separate entry.
pub(crate) static KAPE_FILE_AGENT_AGENTEVENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_agent_agentevents",
name: "McAfee Agent Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\Agent\\AgentEvents"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Agent Events — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Agent log directory under ProgramData.
/// Raw collection, Low priority; evidence and volatility fields unset.
pub(crate) static KAPE_FILE_AGENT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_agent_logs",
name: "McAfee Agent Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\Agent\\logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Agent Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee data reputation logs under ProgramData (`datareputation`).
/// The legacy "All Users" counterpart entry spells the directory `datreputation`; the
/// difference is presumably carried over from the upstream tkape rather than introduced here.
pub(crate) static KAPE_FILE_DATAREPUTATION_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_datareputation_logs",
name: "McAfee Data Reputation Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\datareputation\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Data Reputation Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Managed VirusScan log directory under ProgramData.
/// Raw collection, Low priority; no field schema or evidence rating recorded.
pub(crate) static KAPE_FILE_VIRUSSCAN_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virusscan_logs",
name: "McAfee Managed VirusScan",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Mcafee\\Managed\\VirusScan\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Managed VirusScan — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Common Framework `AgentEvents` at the Windows XP
/// "All Users" profile path. Raw collection, Low priority.
// NOTE(review): pre-Vista path with os_scope Win7Plus — confirm how the ingest mapping treats
// legacy-layout paths (the same question applies to the other XP-labelled McAfee entries).
pub(crate) static KAPE_FILE_COMMON_FRAMEWORK_AGENTEVENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_common_framework_agentevents",
name: "McAfee Agent Events XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\Common Framework\\AgentEvents"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Agent Events XP — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee `MCLOGS\SAE` directory at the Windows XP "All Users"
/// profile path. Raw collection, Low priority.
// NOTE(review): pre-Vista path with os_scope Win7Plus — confirm the OsScope mapping.
pub(crate) static KAPE_FILE_MCLOGS_SAE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mclogs_sae",
name: "McAfee MC Logs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\MCLOGS\\SAE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee MC Logs XP — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee data reputation logs at the Windows XP "All Users" profile
/// path. Spelled `datreputation` here versus `datareputation` in the ProgramData entry —
/// presumably as written in the upstream tkape; do not "correct" it without checking.
// NOTE(review): pre-Vista path with os_scope Win7Plus — confirm the OsScope mapping.
pub(crate) static KAPE_FILE_DATREPUTATION_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_datreputation_logs",
name: "McAfee Data Reputation Logs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\datreputation\\Logs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Data Reputation Logs XP — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee Managed VirusScan logs at the Windows XP "All Users"
/// profile path. Raw collection, Low priority.
// NOTE(review): `id` appears truncated ("managed_virus"), and the pre-Vista path carries
// os_scope Win7Plus — both look like generator behaviour to confirm in ingest.
pub(crate) static KAPE_FILE_MCAFEE_MANAGED_VIRUS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_managed_virus",
name: "McAfee Managed VirusScan Logs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\Managed\\VirusScan\\Logs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee Managed VirusScan Logs XP — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee` target: McAfee DLP "WCF Service" log directory under Program Files (x86).
/// Raw collection, Low priority; no field schema recorded.
pub(crate) static KAPE_FILE_WCF_SERVICE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wcf_service_log",
name: "McAfee WCF Service Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\McAfee\\DLP\\WCF Service\\Log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee WCF Service Logs — collected by KAPE McAfee target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee_ePO` target: despite the "ePO Logs" display name, the path is the Endpoint
/// Security agent log directory under ProgramData — the same directory the `McAfee` target
/// emits under its own `id`. Raw collection, Low priority.
pub(crate) static KAPE_FILE_ENDPOINT_SECURITY_LOGS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_endpoint_security_logs_3",
name: "McAfee ePO Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\McAfee\\Endpoint Security\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO Logs — collected by KAPE McAfee_ePO target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee_ePO.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee_ePO` target: Apache log directory of an ePolicy Orchestrator server
/// installation (only present on hosts running the ePO management server, not on agents).
pub(crate) static KAPE_FILE_APACHE2_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apache2_logs",
name: "McAfee ePO Apache Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\McAfee\\ePolicy Orchestrator\\Apache2\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO Apache Logs — collected by KAPE McAfee_ePO target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee_ePO.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee_ePO` target: the ePO server's `DB\Events` directory.
/// Raw collection, Low priority; no field schema recorded.
pub(crate) static KAPE_FILE_DB_EVENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_db_events",
name: "McAfee ePO DB Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\McAfee\\ePolicy Orchestrator\\DB\\Events"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO DB Events — collected by KAPE McAfee_ePO target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee_ePO.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee_ePO` target: the ePO server's `DB\Events\Debug` subdirectory.
/// Raw collection, Low priority; no field schema recorded.
pub(crate) static KAPE_FILE_EVENTS_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_events_debug",
name: "McAfee ePO DB Debug Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\McAfee\\ePolicy Orchestrator\\DB\\Events\\Debug"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO DB Debug Events — collected by KAPE McAfee_ePO target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee_ePO.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `McAfee_ePO` target: the ePO server's `Server\Logs` directory.
/// Raw collection, Low priority; evidence and volatility fields unset.
pub(crate) static KAPE_FILE_SERVER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_server_logs",
name: "McAfee ePO Server Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\McAfee\\ePolicy Orchestrator\\Server\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO Server Logs — collected by KAPE McAfee_ePO target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/McAfee_ePO.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MicrosoftSafetyScanner` target: `msert.log` under `C:\Windows\Debug`, written by
/// Microsoft Safety Scanner (an on-demand scanner, so the file exists only if someone ran it).
/// Raw collection, Low priority.
pub(crate) static KAPE_FILE_DEBUG_MSERT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_debug_msert_log",
name: "Windows Safety Scanner Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Debug\\msert.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Safety Scanner Logs — collected by KAPE MicrosoftSafetyScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftSafetyScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RogueKiller` target: RogueKiller (Adlice) JSON scan reports.
///
/// Wildcarded file mask `C:\ProgramData\RogueKiller\logs\AdliceReport_*.json`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_LOGS_ADLICEREPORT_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_adlicereport_json",
name: "RogueKiller Reports",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\RogueKiller\\logs\\AdliceReport_*.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RogueKiller Reports — collected by KAPE RogueKiller target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RogueKiller.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUPERAntiSpyware` target: per-user SUPERAntiSpyware log directory.
///
/// Roaming profile path `C:\Users\%user%\AppData\Roaming\SUPERAntiSpyware\Logs\`
/// (see `file_path`); `%user%` is the KAPE per-user placeholder, so one record
/// covers every profile. Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_SUPERANTISPYWARE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_superantispyware_logs",
name: "SUPERAntiSpyware Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\SUPERAntiSpyware\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUPERAntiSpyware Logs — collected by KAPE SUPERAntiSpyware target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUPERAntiSpyware.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SecureAge` target: SecureAge antivirus log directory.
///
/// Directory `C:\ProgramData\SecureAge Technology\SecureAge\log\` (see `file_path`).
/// Triage priority `Low`; no decoder or evidence metadata.
///
/// NOTE(review): "Antvirus" in `name` and `meaning` is a misspelling carried over
/// from the upstream target description; it is left untouched here because this
/// file is regenerated from source — normalize it in the ingest step if desired.
pub(crate) static KAPE_FILE_SECUREAGE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_secureage_log",
name: "SecureAge Antvirus Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\SecureAge Technology\\SecureAge\\log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SecureAge Antvirus Logs — collected by KAPE SecureAge target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SecureAge.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SentinelOne` target: SentinelOne agent log directory.
///
/// Directory `C:\programdata\sentinel\logs\` (see `file_path`). The upstream comment
/// in `meaning` states the logs are binary `.binlog` files; `decoder` is `Identity`,
/// so presumably no parsing is applied to them — confirm against `Decoder`.
///
/// NOTE(review): the literal `\"…\"` quotes inside `meaning` look like the source
/// Comment field's quoting carried through the ingest; same pattern on several
/// entries below.
pub(crate) static KAPE_FILE_SENTINEL_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sentinel_logs",
name: "SentinelOne EDR Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\programdata\\sentinel\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Logs are in Binary Format (.binlog)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SentinelOne.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Sophos` target: Sophos component logs on the XP-era profile layout.
///
/// Wildcarded path `C:\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_SOPHOS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sophos_logs",
name: "Sophos Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\Sophos\\Sophos *\\Logs\\"),
scope: DataScope::Mixed,
// NOTE(review): the path is the XP-era "Documents and Settings" layout, yet the
// scope says Win7Plus — the generator appears to emit Win7Plus uniformly; check
// whether OsScope has a variant that fits this entry.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Sophos.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Sophos` target: Sophos component logs under `ProgramData`.
///
/// Wildcarded path `C:\ProgramData\Sophos\*\Logs\` (see `file_path`). Triage
/// priority `Low`; no decoder or evidence metadata.
///
/// NOTE(review): the identifier (`kape_file_logs`) appears to be derived from the
/// path tail and carries no vendor hint; the `_2` suffix on the next entry suggests
/// the generator disambiguates by order, so ids like this may shift on regeneration.
pub(crate) static KAPE_FILE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs",
name: "Sophos Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Sophos\\*\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Sophos.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Sophos` target: top-level Sophos log directory (unified support log).
///
/// Directory `C:\ProgramData\Sophos\Logs\` (see `file_path`); the upstream comment
/// names `SophosUnifiedSupport.log` as its content. Triage priority `Low`.
pub(crate) static KAPE_FILE_SOPHOS_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sophos_logs_2",
name: "Sophos Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Sophos\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains SophosUnifiedSupport.log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Sophos.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Sophos` target: Sophos Anti-Virus entries in the Application event log.
///
/// NOTE(review): `file_path` here is the name of another KAPE target file
/// (`ApplicationEvents.tkape`), not a path on the examined host — the Sophos
/// target appears to pull it in by reference and the ingest recorded that
/// reference as a file artifact. Consumers matching on `file_path` will never
/// hit it; the same pattern appears in the Symantec `_2` entry below.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape",
name: "Sophos Application Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Event source: Sophos Anti-Virus\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Sophos.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP antivirus logs on the XP-era profile layout.
///
/// Directory `C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_LOGS_AV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_av",
name: "Symantec Endpoint Protection Logs (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\Logs\\AV\\"),
scope: DataScope::Mixed,
// NOTE(review): XP-layout path with a Win7Plus scope — same inconsistency as the
// other "(XP)" entries in this file; confirm the intended OsScope.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Symantec Endpoint Protection Logs (XP) — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP client logs under `ProgramData`.
///
/// Wildcarded path `C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\`
/// (see `file_path`); the `*` stands for the versioned install directory. Triage
/// priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_DATA_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_data_logs",
name: "Symantec Endpoint Protection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\Data\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Symantec Endpoint Protection Logs — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: per-user SEP log directory.
///
/// Local profile path `C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\`
/// (see `file_path`); `%user%` is the KAPE per-user placeholder. Triage priority
/// `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_LOGS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_symantec_endpoint_protection_logs",
name: "Symantec Endpoint Protection User Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Symantec\\Symantec Endpoint Protection\\Logs\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Symantec Endpoint Protection User Logs — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: the SEP client's dedicated Windows event log.
///
/// File `C:\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx`
/// (see `file_path`). This is one of the few entries in this section rated
/// `TriagePriority::High`; no decoder or evidence metadata is attached.
pub(crate) static KAPE_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_EVTX: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_logs_symantec_endpoint_protection_client_evtx",
name: "Symantec Event Log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\System32\\winevt\\logs\\Symantec Endpoint Protection Client.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Symantec specific Windows event log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: the SEP client event log preserved in `Windows.old`.
///
/// File `C:\Windows.old\Windows\System32\winevt\logs\Symantec Endpoint Protection Client.evtx`
/// (see `file_path`) — the pre-upgrade copy of the entry directly above, rated
/// `TriagePriority::High` like its live counterpart.
pub(crate) static KAPE_FILE_SYMANTEC_EVENT_LOG_W: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_symantec_event_log_w",
name: "Symantec Event Log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Symantec Endpoint Protection Client.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Symantec specific Windows event log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP Manager (SEPM) entries in the Application event log.
///
/// NOTE(review): as with the Sophos `ApplicationEvents.tkape` entry above,
/// `file_path` names another KAPE target file rather than a host path, so it
/// cannot match anything on disk. The upstream comment in `meaning` links to a
/// `support.symantec.com` article; that hostname is reproduced verbatim from the
/// source and has not been checked for reachability.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape_2",
name: "Symantec Endpoint Protection Manager (SEPM) Application Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains SEPM entries, documented here: https://support.symantec.com/us/en/article.tech196455.html\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP quarantine store on the XP-era profile layout.
///
/// Directory `C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_symantec_endpoint_protection_quarantine",
name: "Symantec Endpoint Protection Quarantine (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\Quarantine\\"),
scope: DataScope::Mixed,
// NOTE(review): XP-layout path with a Win7Plus scope — confirm the intended OsScope.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Symantec Endpoint Protection Quarantine (XP) — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP quarantine store under `ProgramData`.
///
/// Wildcarded path `C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_DATA_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_data_quarantine",
name: "Symantec Endpoint Protection Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\Data\\Quarantine\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Symantec Endpoint Protection Quarantine — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP `ccSubSDK` database directory.
///
/// Wildcarded path `C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_CMNCLNT_CCSUBSDK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cmnclnt_ccsubsdk",
name: "ccSubSDK Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\Data\\CmnClnt\\ccSubSDK\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ccSubSDK Database — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Symantec_AV_Logs` target: SEP client `registrationInfo.xml`.
///
/// Wildcarded path `C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\registrationInfo.xml`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_DATA_REGISTRATIONINFO_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_data_registrationinfo_xml",
name: "registrationInfo.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\Data\\registrationInfo.xml",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "registrationInfo.xml — collected by KAPE Symantec_AV_Logs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Symantec_AV_Logs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `TotalAV` target: TotalAV logs under the program directory.
///
/// Wildcarded path `C:\Program Files*\TotalAV\logs` (see `file_path`); the `*`
/// covers both `Program Files` and `Program Files (x86)`. Triage priority `Low`.
pub(crate) static KAPE_FILE_TOTALAV_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_totalav_logs",
name: "TotalAV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\TotalAV\\logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TotalAV Logs — collected by KAPE TotalAV target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalAV.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `TotalAV` target: TotalAV logs under `ProgramData`.
///
/// Directory `C:\ProgramData\TotalAV\logs` (see `file_path`); companion to the
/// program-directory entry above. Triage priority `Low`.
pub(crate) static KAPE_FILE_TOTALAV_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_totalav_logs_2",
name: "TotalAV Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\TotalAV\\logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TotalAV Logs — collected by KAPE TotalAV target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalAV.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `TrendMicro` target: the whole Trend Micro `ProgramData` tree.
///
/// Directory `C:\ProgramData\Trend Micro\` (see `file_path`). Triage priority
/// `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_PROGRAMDATA_TREND_MICRO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_trend_micro",
name: "Trend Micro Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Trend Micro\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Trend Micro Logs — collected by KAPE TrendMicro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TrendMicro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
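/// KAPE `TrendMicro` target: Trend Micro Security Agent report logs.
///
/// Wildcarded mask `C:\Program Files*\Trend Micro\Security Agent\Report\*.log`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
///
/// NOTE(review): the generated value carried literal single quotes around the
/// file mask (`Report\'*.log'`), which no on-disk path contains and which would
/// defeat any matcher using this string; the quotes are stripped here. They look
/// like the source `FileMask` quoting leaking through the ingest, so the durable
/// fix belongs in the ingest step or regeneration will reintroduce them. The same
/// artifact affects the ConnLog and Quarantine entries that follow.
pub(crate) static KAPE_FILE_REPORT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_report_log",
name: "Trend Micro Security Agent Report Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Trend Micro\\Security Agent\\Report\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Trend Micro Security Agent Report Logs — collected by KAPE TrendMicro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TrendMicro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};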
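/// KAPE `TrendMicro` target: Trend Micro Security Agent connection logs.
///
/// Wildcarded mask `C:\Program Files*\Trend Micro\Security Agent\ConnLog\*.log`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
///
/// NOTE(review): literal single quotes around the file mask (`ConnLog\'*.log'`)
/// in the generated value are stripped here — no real path contains them and a
/// matcher on the quoted form would never hit. The quoting appears to leak from
/// the source `FileMask`; fix it in the ingest so regeneration does not undo this.
pub(crate) static KAPE_FILE_CONNLOG_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_connlog_log",
name: "Trend Micro Security Agent Connection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Trend Micro\\Security Agent\\ConnLog\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Trend Micro Security Agent Connection Logs — collected by KAPE TrendMicro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TrendMicro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};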
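/// KAPE `TrendMicro` target: Trend Micro quarantine directories.
///
/// Wildcarded path `C:\Program Files*\Trend Micro\*\Quarantine\*` (see `file_path`).
/// Triage priority `Low`; no decoder or evidence metadata.
///
/// NOTE(review): the generated value ended in `Quarantine\'*'` — a quoted
/// wildcard that cannot match a real entry; the quotes are stripped here, leaving
/// the bare `*`. As with the Report/ConnLog entries above, the quoting appears to
/// come from the source `FileMask` and should be fixed in the ingest step.
/// The identifier `kape_file_quarantine` is generic (derived from the path tail)
/// and may collide or shift if other quarantine entries are added upstream.
pub(crate) static KAPE_FILE_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quarantine",
name: "Trend Micro Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Trend Micro\\*\\Quarantine\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Trend Micro Quarantine — collected by KAPE TrendMicro target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TrendMicro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};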
/// KAPE `VIPRE` target: VIPRE Business Agent machine-wide logs.
///
/// Directory `C:\ProgramData\VIPRE Business Agent\Logs\` (see `file_path`).
/// Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_VIPRE_BUSINESS_AGENT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vipre_business_agent_logs",
name: "VIPRE Business Agent Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\VIPRE Business Agent\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VIPRE Business Agent Logs — collected by KAPE VIPRE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VIPRE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VIPRE` target: per-user VIPRE Business data for v7 and later.
///
/// Roaming profile path `C:\Users\%user%\AppData\Roaming\VIPRE Business\` (see
/// `file_path`); `%user%` is the KAPE per-user placeholder. One of three
/// version-specific VIPRE user-log entries (v7+, v5–v6, up to v4).
pub(crate) static KAPE_FILE_ROAMING_VIPRE_BUSINESS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_vipre_business",
name: "VIPRE Business User Logs (v7+)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\VIPRE Business\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VIPRE Business User Logs (v7+) — collected by KAPE VIPRE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VIPRE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VIPRE` target: per-user VIPRE Business logs for v5–v6 (GFI Software era).
///
/// Roaming profile path `C:\Users\%user%\AppData\Roaming\GFI Software\AntiMalware\Logs\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_ANTIMALWARE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antimalware_logs",
name: "VIPRE Business User Logs (v5-v6)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\GFI Software\\AntiMalware\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VIPRE Business User Logs (v5-v6) — collected by KAPE VIPRE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VIPRE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VIPRE` target: per-user VIPRE Business logs up to v4 (Sunbelt Software era).
///
/// Roaming profile path `C:\Users\%user%\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_VIPRE_BUSINESS_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vipre_business_user",
name: "VIPRE Business User Logs (up to v4)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Sunbelt Software\\AntiMalware\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VIPRE Business User Logs (up to v4) — collected by KAPE VIPRE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VIPRE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Webroot` target: the Webroot agent log file.
///
/// Single file `C:\ProgramData\WRData\WRLog.log` (see `file_path`). Triage
/// priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_WRDATA_WRLOG_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wrdata_wrlog_log",
name: "Webroot Program Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\WRData\\WRLog.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Webroot Program Data — collected by KAPE Webroot target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Webroot.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WinDefendDetectionHist` target: Windows Defender per-detection history records.
///
/// Wildcarded path `C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\`
/// (see `file_path`). Rated `TriagePriority::Medium`. The same path is recorded
/// again further down under the broader `WindowsDefender` target.
pub(crate) static KAPE_FILE_DETECTIONHISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_detectionhistory",
name: "DetectionHistory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\DetectionHistory\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DetectionHistory — collected by KAPE WinDefendDetectionHist target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WinDefendDetectionHist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: legacy Microsoft AntiMalware support logs.
///
/// Directory `C:\ProgramData\Microsoft\Microsoft AntiMalware\Support\` (see
/// `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_MICROSOFT_ANTIMALWARE_SUPPORT: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_microsoft_antimalware_support",
name: "Windows Defender Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Microsoft AntiMalware\\Support\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: the Windows Defender operational event logs.
///
/// Wildcarded mask `C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx`
/// (see `file_path`). Rated `TriagePriority::High`; no decoder or evidence
/// metadata is attached.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_WINDOWS_DEFENDER_EVTX: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_windows_defender_evtx",
name: "Windows Defender Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Windows Defender*.evtx",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Event Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: Defender event logs preserved in `Windows.old`.
///
/// Wildcarded mask `C:\Windows.old\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender*.evtx`
/// (see `file_path`) — the pre-upgrade copy of the entry directly above, rated
/// `TriagePriority::High` like its live counterpart. The identifier's `_EVE`
/// suffix is a truncation produced by the generator, not a meaningful token.
pub(crate) static KAPE_FILE_WINDOWS_DEFENDER_EVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_defender_eve",
name: "Windows Defender Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Windows Defender*.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Event Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: Windows Defender support log directory.
///
/// Directory `C:\ProgramData\Microsoft\Windows Defender\Support\` (see `file_path`).
/// Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_WINDOWS_DEFENDER_SUPPORT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_defender_support",
name: "Windows Defender Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: the `MpCmdRun.exe` command-line log.
///
/// Single file `C:\Windows\Temp\MpCmdRun.log` (see `file_path`). Triage priority
/// `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_TEMP_MPCMDRUN_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_mpcmdrun_log",
name: "Windows Defender Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Temp\\MpCmdRun.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: `MpCmdRun.log` preserved in `Windows.old`.
///
/// Single file `C:\Windows.old\Windows\Temp\MpCmdRun.log` (see `file_path`) —
/// the pre-upgrade copy of the entry directly above. Triage priority `Low`.
pub(crate) static KAPE_FILE_WINDOWS_DEFENDER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_defender_log",
name: "Windows Defender Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\Temp\\MpCmdRun.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Logs — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: Windows Defender per-detection history records.
///
/// Same wildcarded path as `KAPE_FILE_DETECTIONHISTORY` earlier in this file
/// (`C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\`),
/// recorded a second time because the broader `WindowsDefender` target also
/// lists it; only `meaning` and `sources` differ. Rated `TriagePriority::Medium`.
pub(crate) static KAPE_FILE_DETECTIONHISTORY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_detectionhistory_2",
name: "DetectionHistory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\DetectionHistory\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DetectionHistory — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: the Windows Defender quarantine store.
///
/// Directory `C:\ProgramData\Microsoft\Windows Defender\Quarantine\` (see
/// `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_WINDOWS_DEFENDER_QUARANTINE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_defender_quarantine",
name: "Windows Defender Quarantine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Quarantine — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsDefender` target: the Windows Defender `Detections.log`.
///
/// Single file `C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log`
/// (see `file_path`). Triage priority `Low`; no decoder or evidence metadata.
pub(crate) static KAPE_FILE_SERVICE_DETECTIONS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_service_detections_log",
name: "Windows Defender Detections.log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Detections.log",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender Detections.log — collected by KAPE WindowsDefender target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsDefender.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
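/// KAPE `1Password` target: the local 1Password SQLite database.
///
/// File `C:\Users\%user%\AppData\Local\1password\data\1Password10.sqlite` (see
/// `file_path`); `%user%` is the KAPE per-user placeholder. Rated
/// `TriagePriority::Critical` with `EvidenceStrength::Definitive` and
/// `VolatilityClass::Persistent` enrichment attached.
///
/// NOTE(review): the generated path read `...\1password\data'1Password10.sqlite'`
/// — the directory and file name were joined with no separator and the file name
/// kept literal single quotes, so the string could never match on disk. It is
/// repaired here to `data\1Password10.sqlite`; the quoting/joining defect appears
/// to originate in how the ingest combines the source path and `FileMask`, and
/// should be fixed there so regeneration keeps the corrected value. The backups
/// entry that follows has the same defect.
pub(crate) static KAPE_FILE_1PASSWORD_DATA_1PASSWORD10_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_1password_data_1password10_sqlite",
name: "1Password Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\1password\\data\\1Password10.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Database which holds information about 1Password installation, such as accounts, categories, settings and more\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/1Password.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
// NOTE(review): this caveat and the volatility rationale below talk about
// "browser passwords" and "browser profile deletion", which does not describe a
// 1Password database — the text looks like a browser-credential template applied
// to the wrong record. Left as-is pending a correct caveat from the enrichment
// source rather than inventing one here.
evidence_caveats: &["Encrypted browser passwords; key in OS credential store; timestamp shows last use"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};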
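/// Backup copies of the 1Password local database under `1password\backups`.
///
/// Same ingest defects as the primary database entry: the file mask was
/// joined to the folder with a stray quote instead of a separator, and the
/// caveat / volatility text was a browser-password template. Backups are
/// worth collecting separately because they may preserve state that the live
/// database no longer has — hedged, since the backup cadence is not described
/// here.
pub(crate) static KAPE_FILE_1PASSWORD_BACKUPS_1PASSWORD10_SQLITE: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_1password_backups_1password10_sqlite",
        name: "1Password Backup Databases",
        // Path + FileMask from the .tkape, joined with a real separator.
        file_path: Some("C:\\Users\\%user%\\AppData\\Local\\1password\\backups\\1Password10.sqlite"),
        artifact_type: ArtifactType::File,
        // Registry-locator fields; not applicable to a file artifact.
        hive: None,
        key_path: "",
        value_name: None,
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Critical,
        meaning: "\"Backups of 1Password Database\"",
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/1Password.tkape"],
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
        evidence_caveats: &[
            "Encrypted backup copies of the 1Password local database; same unlock constraints as the primary database; may retain state no longer present in the live database",
        ],
        volatility: Some(crate::volatility::VolatilityClass::Persistent),
        volatility_rationale: "Persists in the user's AppData profile until 1Password is uninstalled or the profile is removed",
    };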
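/// 1Password application logs (`*.log`) in the user's AppData.
///
/// Ingest defects fixed: the `*.log` mask was glued to the `logs` folder with
/// a stray quote, and the caveat / volatility text described a browser
/// credential store rather than an activity log. Per the meaning string these
/// logs are useful for bracketing periods of user activity; they carry no
/// credential material.
pub(crate) static KAPE_FILE_1PASSWORD_LOGS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_1password_logs_log",
    name: "1Password Logs",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\1password\\logs\\*.log"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Critical,
    meaning:
        "\"Log of usage of 1Password - can be useful for identifying periods of user activity\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/1Password.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Application usage log, not credential material; timestamps indicate periods of 1Password activity",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Persists in the user's AppData profile; individual log files may be rotated or pruned by the application",
};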
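/// 4K Video Downloader SQLite database(s) holding the user's download history.
///
/// Fixes the ingest defect where the `*.sqlite` mask was appended to the
/// folder inside literal double quotes (`Downloader"*.sqlite"`) instead of
/// being joined with a separator; the old pattern could not match any path.
pub(crate) static KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_4k_video_downloader_4k_video_downloader_sqlite",
    name: "4K Video Downloader",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\4kdownload.com\\4K Video Downloader\\4K Video Downloader\\*.sqlite"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    meaning: "\"Grabs database(s) that stores user download history\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/4KVideoDownloader.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};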
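/// 4K Video Downloader+ SQLite database(s) holding the user's download history.
///
/// Same ingest defect as the non-"+" entry: the `*.sqlite` mask was appended
/// inside literal double quotes instead of being joined with a separator.
pub(crate) static KAPE_FILE_4K_VIDEO_DOWNLOADER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_4k_video_downloader",
    name: "4K Video Downloader+",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\4kdownload.com\\4K Video Downloader+\\4K Video Downloader+\\*.sqlite"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    meaning: "\"Grabs database(s) that stores user download history\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/4KVideoDownloader.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};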
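/// AceText clipboard-history files (`*.atc`) in the user's Documents folder.
///
/// Fixes the ingest defect where the mask was glued to `Documents` with a
/// stray quote (`Documents'*.atc'`). Clipboard history is a classic place for
/// pasted secrets to linger, so handle collected copies as sensitive.
pub(crate) static KAPE_FILE_USER_DOCUMENTS_ATC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_user_documents_atc",
    name: "AceText - Clipboard History",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\Documents\\*.atc"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    meaning: "\"Locates the Clipboard history for AceText\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AceText.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};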
/// Acronis True Image daemon log folder under `ProgramData`.
///
/// Backup-agent logs matter in ransomware cases: they can show backup jobs
/// being stopped, reconfigured or deleted shortly before encryption. The log
/// format is not described here — TODO confirm before parsing.
pub(crate) static KAPE_FILE_LOGS_TI_DEMON: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logs_ti_demon",
    name: "Acronis True Image - Logs",
    file_path: Some("C:\\ProgramData\\Acronis\\TrueImageHome\\Logs\\ti_demon\\"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "\"Copies out all log files\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AcronisTrueImage.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Acronis True Image database files under `TrueImageHome`.
///
/// NOTE(review): the pattern `Databasearchives.db*` looks like a dropped path
/// separator between a `Database` folder and an `archives.db*` file mask —
/// the sibling `Logs\ti_demon\` and `Scripts\` entries keep their folder
/// separators, and the meaning string speaks of a "Database folder". Verify
/// against the upstream .tkape before relying on this value for matching.
pub(crate) static KAPE_FILE_TRUEIMAGEHOME_DATABASEARCHIVES_DB: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_trueimagehome_databasearchives_db",
        name: "Acronis True Image - Database Files",
        file_path: Some("C:\\ProgramData\\Acronis\\TrueImageHome\\Databasearchives.db*"),
        artifact_type: ArtifactType::File,
        // Registry-locator fields; not applicable to a file artifact.
        hive: None,
        key_path: "",
        value_name: None,
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        meaning: "\"Copies out the Database folder which appears to have important information\"",
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AcronisTrueImage.tkape"],
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Acronis True Image scripts folder under `TrueImageHome`.
///
/// Presumably holds the configured backup job definitions (destinations,
/// schedules); in a ransomware investigation these show which backups an
/// intruder could reach or tamper with — TODO confirm the script format.
pub(crate) static KAPE_FILE_TRUEIMAGEHOME_SCRIPTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trueimagehome_scripts",
    name: "Acronis True Image - Scripts Folder",
    file_path: Some("C:\\ProgramData\\Acronis\\TrueImageHome\\Scripts\\"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "\"Copies out all scripts files\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AcronisTrueImage.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
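/// Action1 RMM client application logs (`*.log`) under `C:\Windows\Action1`.
///
/// Fixes the ingest defect where the `*.log` mask was glued to the `logs`
/// folder with a stray quote. Per the meaning string the log records service
/// start, inbound connections and deployed scripts/jobs, which makes it direct
/// evidence of remote-management tooling being used for execution on the host;
/// consider tagging T1219 (Remote Access Software) — TODO confirm against the
/// project's taxonomy. The upstream typo "incomming" is kept verbatim.
pub(crate) static KAPE_FILE_ACTION1_LOGS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_action1_logs_log",
    name: "Action1 Client Application logs",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\Action1\\logs\\*.log"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "\"Contains Application Log entries such as service start and incomming connections, and deployed scripts/jobs.\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Action1.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};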
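/// Advanced IP Scanner alias store in the interactive user's profile root.
///
/// Fixes the ingest defect where the file mask was glued to `%user%` with a
/// stray quote instead of a separator. Advanced IP Scanner is routinely staged
/// by intrusion operators for internal network discovery, so its artifacts on
/// a host with no administrative remit deserve more than `Low` priority;
/// consider tagging T1046 / T1018 — TODO confirm against the taxonomy.
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_ALIASES_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_users_user_advanced_ip_scanner_aliases_bin",
    name: "Advanced IP Scanner Aliases - User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};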
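/// Advanced IP Scanner alias store under the user's `Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A copy under `Temp` is consistent with the portable build
/// being run without installation, which is the usual way an intruder uses
/// this tool; see the user-folder entry for the triage / ATT&CK note.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_ALI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_ali",
    name: "Advanced IP Scanner Aliases - User Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - User Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};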
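/// Advanced IP Scanner alias store under `C:\Windows\Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. The system-wide `Windows\Temp` location (rather than a user's
/// Temp) suggests the tool ran under an elevated or service context — worth
/// correlating with process-creation telemetry for the same window.
pub(crate) static KAPE_FILE_ADVANCED_IP_SCANNER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_advanced_ip_scanner",
    name: "Advanced IP Scanner Aliases - Windows Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - Windows Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};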
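/// Advanced IP Scanner alias store under the SysWOW64 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A scanner profile under `config\systemprofile` means the tool
/// ran as SYSTEM in a non-interactive context (typically via a remote
/// execution tool), which is rarely legitimate use — treat as a strong lead
/// and consider a higher triage priority than `Low`.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_aliases_b",
    name: "Advanced IP Scanner Aliases - SYSTEM SysWOW64 User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};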
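/// Advanced IP Scanner alias store under the System32 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. As with the SysWOW64 variant, a profile here means the tool
/// ran as SYSTEM non-interactively — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_aliases_b_2",
    name: "Advanced IP Scanner Aliases - SYSTEM User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - SYSTEM User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};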
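/// Advanced IP Scanner alias store under the LocalService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A scanner profile under a service account means the tool ran
/// in a service context rather than by an interactive user — rarely
/// legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_A: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_localservice_advanced_ip_scanner_a",
    name: "Advanced IP Scanner Aliases - LocalService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - LocalService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};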
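/// Advanced IP Scanner alias store under the NetworkService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. Same reasoning as the LocalService entry: a service-account
/// profile for an interactive scanner tool is rarely legitimate.
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_networkservice_advanced_ip_scanner",
    name: "Advanced IP Scanner Aliases - NetworkService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_ip_scanner_Aliases.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Aliases - NetworkService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};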
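/// Advanced IP Scanner comments store in the interactive user's profile root.
///
/// Fixes the ingest defect where the file mask was glued to `%user%` with a
/// stray quote. Comments are operator-entered annotations on scanned hosts,
/// so they can reveal which systems the user (or intruder) took an interest
/// in; see the aliases user-folder entry for the triage / ATT&CK note.
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_COMMENTS_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_users_user_advanced_ip_scanner_comments_bin",
    name: "Advanced IP Scanner Comments - User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};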
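/// Advanced IP Scanner comments store under the user's `Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A copy under `Temp` is consistent with the portable build
/// being run without installation.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_com",
    name: "Advanced IP Scanner Comments - User Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - User Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};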
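/// Advanced IP Scanner comments store under `C:\Windows\Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. The system-wide `Windows\Temp` location suggests an elevated
/// or service context; correlate with process-creation telemetry.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_com_2",
    name: "Advanced IP Scanner Comments - Windows Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - Windows Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};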
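/// Advanced IP Scanner comments store under the SysWOW64 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_comments",
    name: "Advanced IP Scanner Comments - SYSTEM SysWOW64 User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};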
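/// Advanced IP Scanner comments store under the System32 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_comments_2",
    name: "Advanced IP Scanner Comments - SYSTEM User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - SYSTEM User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};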
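/// Advanced IP Scanner comments store under the LocalService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A service-account profile for an interactive scanner tool is
/// rarely legitimate — treat as a strong lead.
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_C: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_localservice_advanced_ip_scanner_c",
    name: "Advanced IP Scanner Comments - LocalService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - LocalService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};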
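/// Advanced IP Scanner comments store under the NetworkService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A service-account profile for an interactive scanner tool is
/// rarely legitimate — treat as a strong lead.
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_networkservice_advanced_ip_scanner_2",
    name: "Advanced IP Scanner Comments - NetworkService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_ip_scanner_Comments.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Comments - NetworkService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};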
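/// Advanced IP Scanner MAC-address cache in the interactive user's profile root.
///
/// Fixes the ingest defect where the file mask was glued to `%user%` with a
/// stray quote. The MAC cache records hosts the scanner actually reached, so
/// it is a direct scope indicator for the discovery activity; see the aliases
/// user-folder entry for the triage / ATT&CK note.
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_MAC_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_users_user_advanced_ip_scanner_mac_bin",
    name: "Advanced IP Scanner MAC - User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};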
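/// Advanced IP Scanner MAC-address cache under the user's `Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A copy under `Temp` is consistent with the portable build
/// being run without installation.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_mac",
    name: "Advanced IP Scanner MAC - User Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - User Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};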
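/// Advanced IP Scanner MAC-address cache under `C:\Windows\Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. The system-wide `Windows\Temp` location suggests an elevated
/// or service context; correlate with process-creation telemetry.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC_2:
    ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_mac_2",
    name: "Advanced IP Scanner MAC - Windows Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning:
        "Advanced IP Scanner MAC - Windows Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};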
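/// Advanced IP Scanner MAC-address cache under the SysWOW64 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_mac_bin",
    name: "Advanced IP Scanner MAC - SYSTEM SysWOW64 User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};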
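/// Advanced IP Scanner MAC-address cache under the System32 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_mac_bin_2",
    name: "Advanced IP Scanner MAC - SYSTEM User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - SYSTEM User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};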
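/// Advanced IP Scanner MAC-address cache under the LocalService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A service-account profile for an interactive scanner tool is
/// rarely legitimate — treat as a strong lead.
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_M: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_localservice_advanced_ip_scanner_m",
    name: "Advanced IP Scanner MAC - LocalService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - LocalService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};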
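/// Advanced IP Scanner MAC-address cache under the NetworkService profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A service-account profile for an interactive scanner tool is
/// rarely legitimate — treat as a strong lead.
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_serviceprofiles_networkservice_advanced_ip_scanner_3",
    name: "Advanced IP Scanner MAC - NetworkService User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_ip_scanner_MAC.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner MAC - NetworkService User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};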
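/// Advanced IP Scanner favorites list in the interactive user's profile root.
///
/// Fixes the ingest defect where the file mask was glued to `%user%` with a
/// stray quote. Favorites are hosts the operator deliberately bookmarked, so
/// they point at systems of particular interest to the user (or intruder);
/// see the aliases user-folder entry for the triage / ATT&CK note.
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_FAVORITES_BIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_users_user_advanced_ip_scanner_favorites_bin",
    name: "Advanced IP Scanner Favorites - User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\advanced_ip_scanner_Favorites.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Favorites - User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};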
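/// Advanced IP Scanner favorites list under the user's `Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A copy under `Temp` is consistent with the portable build
/// being run without installation.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_fav",
    name: "Advanced IP Scanner Favorites - User Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Favorites.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Favorites - User Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};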
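/// Advanced IP Scanner favorites list under `C:\Windows\Temp\Advanced IP Scanner 2`.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. The system-wide `Windows\Temp` location suggests an elevated
/// or service context; correlate with process-creation telemetry.
pub(crate) static KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_advanced_ip_scanner_2_advanced_ip_scanner_fav_2",
    name: "Advanced IP Scanner Favorites - Windows Temp Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\Temp\\Advanced IP Scanner 2\\advanced_ip_scanner_Favorites.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Favorites - Windows Temp Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};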
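/// Advanced IP Scanner favorites list under the SysWOW64 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_favorites",
    name: "Advanced IP Scanner Favorites - SYSTEM SysWOW64 User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_ip_scanner_Favorites.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Favorites - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};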
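/// Advanced IP Scanner favorites list under the System32 SYSTEM profile.
///
/// Fixes the ingest defect where the file mask was glued to the folder with a
/// stray quote. A profile here means the tool ran as SYSTEM non-interactively
/// — rarely legitimate, treat as a strong lead.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_systemprofile_advanced_ip_scanner_favorites_2",
    name: "Advanced IP Scanner Favorites - SYSTEM User Folder",
    // Path + FileMask from the .tkape, joined with a real separator.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_ip_scanner_Favorites.bin"),
    artifact_type: ArtifactType::File,
    // Registry-locator fields; not applicable to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    meaning: "Advanced IP Scanner Favorites - SYSTEM User Folder — collected by KAPE AdvancedIPScanner target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};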
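/// KAPE `AdvancedIPScanner` target entry: the Advanced IP Scanner Favorites
/// file under the LocalService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_F: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_localservice_advanced_ip_scanner_f",
name: "Advanced IP Scanner Favorites - LocalService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_ip_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced IP Scanner Favorites - LocalService User Folder — collected by KAPE AdvancedIPScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};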
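/// KAPE `AdvancedIPScanner` target entry: the Advanced IP Scanner Favorites
/// file under the NetworkService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_networkservice_advanced_ip_scanner_4",
name: "Advanced IP Scanner Favorites - NetworkService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_ip_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced IP Scanner Favorites - NetworkService User Folder — collected by KAPE AdvancedIPScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};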
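/// KAPE `AdvancedIPScanner` target entry: the Advanced IP Scanner Favorites
/// file searched from the volume root (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_C_ADVANCED_IP_SCANNER_FAVORITES_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_advanced_ip_scanner_favorites_bin",
name: "Advanced IP Scanner Favorites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes (`'…'`), which
// are not part of the on-disk name. Stripped by hand; fix the ingest join before
// regenerating this file.
file_path: Some("C:\\advanced_ip_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced IP Scanner Favorites — collected by KAPE AdvancedIPScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedIPScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};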
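/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file in each user's profile folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_ALIASES_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_advanced_port_scanner_aliases_bin",
name: "Advanced Port Scanner Aliases - User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};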
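/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file in each user's local Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner",
name: "Advanced Port Scanner Aliases - User Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - User Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};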
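/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file in the Windows Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_ADVANCED_PORT_SCANNE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_advanced_port_scanne",
name: "Advanced Port Scanner Aliases - Windows Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - Windows Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};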
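/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file under the SYSTEM SysWOW64 profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_aliases",
name: "Advanced Port Scanner Aliases - SYSTEM SysWOW64 User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};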
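/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file under the SYSTEM (System32) profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_aliases_2",
name: "Advanced Port Scanner Aliases - SYSTEM User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - SYSTEM User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};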
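/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file under the LocalService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_localservice_advanced_port_scanner",
name: "Advanced Port Scanner Aliases - LocalService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - LocalService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};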
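/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Aliases
/// file under the NetworkService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_networkservice_advanced_port_scann",
name: "Advanced Port Scanner Aliases - NetworkService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_port_scanner_Aliases.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Aliases - NetworkService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};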
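/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file in each user's profile folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_COMMENTS_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_advanced_port_scanner_comments_bin",
name: "Advanced Port Scanner Comments - User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};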
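/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file in each user's local Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_2",
name: "Advanced Port Scanner Comments - User Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - User Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};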
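/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file in the Windows Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_3",
name: "Advanced Port Scanner Comments - Windows Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - Windows Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};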
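/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file under the SYSTEM SysWOW64 profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_comment",
name: "Advanced Port Scanner Comments - SYSTEM SysWOW64 User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};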
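/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file under the SYSTEM (System32) profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_comment_2",
name: "Advanced Port Scanner Comments - SYSTEM User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - SYSTEM User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};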
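/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file under the LocalService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_localservice_advanced_port_scanner_2",
name: "Advanced Port Scanner Comments - LocalService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - LocalService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};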
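/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Comments
/// file under the NetworkService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_networkservice_advanced_port_scann_2",
name: "Advanced Port Scanner Comments - NetworkService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_port_scanner_Comments.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Comments - NetworkService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};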
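/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file in each user's profile folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_MAC_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_advanced_port_scanner_mac_bin",
name: "Advanced Port Scanner MAC - User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};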
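/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file in each user's local Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_4",
name: "Advanced Port Scanner MAC - User Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - User Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};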
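/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file in the Windows Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_5",
name: "Advanced Port Scanner MAC - Windows Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - Windows Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};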
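/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file under the SYSTEM SysWOW64 profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_mac_bin",
name: "Advanced Port Scanner MAC - SYSTEM SysWOW64 User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};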
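/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file under the SYSTEM (System32) profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_mac_bin_2",
name: "Advanced Port Scanner MAC - SYSTEM User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - SYSTEM User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};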
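/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file under the LocalService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_localservice_advanced_port_scanner_3",
name: "Advanced Port Scanner MAC - LocalService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - LocalService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};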
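/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner MAC
/// file under the NetworkService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_networkservice_advanced_port_scann_3",
name: "Advanced Port Scanner MAC - NetworkService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_port_scanner_MAC.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner MAC - NetworkService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};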
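/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file in each user's profile folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_FAVORITES_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_advanced_port_scanner_favorites_bin",
name: "Advanced Port Scanner Favorites - User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};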
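/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file in each user's local Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_6",
name: "Advanced Port Scanner Favorites - User Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - User Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};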
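/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file in the Windows Temp folder (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_advanced_port_scanner_2_advanced_port_scanner_7",
name: "Advanced Port Scanner Favorites - Windows Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the directory and the file name, so it could never match on disk.
// Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\Temp\\Advanced Port Scanner 2\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - Windows Temp Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};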
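/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file under the SYSTEM SysWOW64 profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_favorit",
name: "Advanced Port Scanner Favorites - SYSTEM SysWOW64 User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - SYSTEM SysWOW64 User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};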
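/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file under the SYSTEM (System32) profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_systemprofile_advanced_port_scanner_favorit_2",
name: "Advanced Port Scanner Favorites - SYSTEM User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - SYSTEM User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};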
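/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file under the LocalService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_localservice_advanced_port_scanner_4",
name: "Advanced Port Scanner Favorites - LocalService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - LocalService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};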
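/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file under the NetworkService profile (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_serviceprofiles_networkservice_advanced_port_scann_4",
name: "Advanced Port Scanner Favorites - NetworkService User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes and had no `\`
// between the profile directory and the file name, so it could never match on
// disk. Corrected by hand; fix the ingest join before regenerating this file.
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites - NetworkService User Folder — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};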
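/// KAPE `AdvancedPortScanner` target entry: the Advanced Port Scanner Favorites
/// file searched from the volume root (file artifact, Win7+, no decoder).
pub(crate) static KAPE_FILE_C_ADVANCED_PORT_SCANNER_FAVORITES_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_advanced_port_scanner_favorites_bin",
name: "Advanced Port Scanner Favorites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value carried the tkape FileMask's literal quotes (`'…'`), which
// are not part of the on-disk name. Stripped by hand; fix the ingest join before
// regenerating this file.
file_path: Some("C:\\advanced_port_scanner_Favorites.bin"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner Favorites — collected by KAPE AdvancedPortScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AdvancedPortScanner.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};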
/// KAPE `AgentRansack` target entry: the Agent Ransack `config` directory in
/// each user's Roaming AppData (file artifact, Win7+, identity decoder).
pub(crate) static KAPE_FILE_AGENTRANSACK_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_agentransack_config",
name: "Agent Ransack Config Logs",
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mythicsoft\\AgentRansack\\config"),
meaning: "Agent Ransack Config Logs — collected by KAPE AgentRansack target",
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AgentRansack.tkape"],
// Classification of the artifact: a file-system item, not a registry key.
artifact_type: ArtifactType::File,
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
triage_priority: TriagePriority::Low,
// Registry-only fields are unused for a file artifact.
hive: None,
key_path: "",
value_name: None,
// Enrichment the ingest does not populate for this target.
mitre_techniques: &[],
fields: &[],
related_artifacts: &[],
retention: None,
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `AgentRansack` target entry: the Agent Ransack `CrashReports` directory
/// in each user's Roaming AppData (file artifact, Win7+, identity decoder).
pub(crate) static KAPE_FILE_AGENTRANSACK_CRASHREPORTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_agentransack_crashreports",
name: "Agent Ransack CrashReports Logs",
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mythicsoft\\AgentRansack\\CrashReports"),
meaning: "Agent Ransack CrashReports Logs — collected by KAPE AgentRansack target",
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AgentRansack.tkape"],
// Classification of the artifact: a file-system item, not a registry key.
artifact_type: ArtifactType::File,
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
triage_priority: TriagePriority::Low,
// Registry-only fields are unused for a file artifact.
hive: None,
key_path: "",
value_name: None,
// Enrichment the ingest does not populate for this target.
mitre_techniques: &[],
fields: &[],
related_artifacts: &[],
retention: None,
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `AgentRansack` target entry: the Agent Ransack `IndexLog` directory in
/// each user's Roaming AppData (file artifact, Win7+, identity decoder).
pub(crate) static KAPE_FILE_AGENTRANSACK_INDEXLOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_agentransack_indexlog",
name: "Agent Ransack IndexLog Logs",
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mythicsoft\\AgentRansack\\IndexLog"),
meaning: "Agent Ransack IndexLog Logs — collected by KAPE AgentRansack target",
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AgentRansack.tkape"],
// Classification of the artifact: a file-system item, not a registry key.
artifact_type: ArtifactType::File,
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
triage_priority: TriagePriority::Low,
// Registry-only fields are unused for a file artifact.
hive: None,
key_path: "",
value_name: None,
// Enrichment the ingest does not populate for this target.
mitre_techniques: &[],
fields: &[],
related_artifacts: &[],
retention: None,
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Agent Ransack `logs` directory in the user's roaming profile (KAPE AgentRansack target).
///
/// NOTE(review): `meaning` is the ingest's generic fallback text (no upstream `Comment`
/// appears to have been captured). This is the entry to check first when Agent Ransack
/// presence is suspected to be an attacker's file-discovery step; pair it with the
/// `config`, `IndexLog` and `CrashReports` siblings from the same target.
pub(crate) static KAPE_FILE_AGENTRANSACK_LOGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_agentransack_logs",
    name: "Agent Ransack Logs",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mythicsoft\\AgentRansack\\logs"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Agent Ransack Logs — collected by KAPE AgentRansack target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AgentRansack.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
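/// Ammyy Admin program-data directory (`C:\ProgramData\Ammyy\`), from the KAPE Ammyy target.
///
/// Fix: the upstream KAPE `Comment` was ingested together with its YAML quote delimiters, so
/// `meaning` rendered as `"May not contain …"` with literal quotes; stripped here. The same
/// fix belongs in the ingest step or a regeneration reintroduces it.
///
/// NOTE(review): as with the other remote-access tools in this file, ATT&CK T1219 (Remote
/// Access Software) is the natural technique mapping; `mitre_techniques` is left empty until
/// the ingest populates it uniformly.
pub(crate) static KAPE_FILE_PROGRAMDATA_AMMYY: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_ammyy",
    name: "Ammyy Program Data",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\ProgramData\\Ammyy\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // Upstream Comment verbatim, minus the leaked YAML quotes.
    meaning: "May not contain traditional log files, but presence of this folder may indicate historical usage",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ammyy.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};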
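/// AnyDesk `*.trace` logs under the user's roaming profile (KAPE AnyDesk target).
///
/// Fix: the KAPE `Comment` and `FileMask` YAML scalars were ingested with their quote
/// delimiters, so `meaning` carried literal `"…"` and `file_path` ended in `'*.trace'`, which
/// is not a valid mask. Both are stripped here; apply the same fix in the ingest step.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping for AnyDesk
/// artifacts; `mitre_techniques` is left empty until the ingest populates it uniformly.
pub(crate) static KAPE_FILE_ANYDESK_TRACE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_trace",
    name: "AnyDesk Logs - User Profile - *.trace",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory + mask, as KAPE expands it.
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\AnyDesk\\*.trace"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the trace logs for AnyDesk from a user profile",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};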
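/// AnyDesk `*.trace` logs under `C:\ProgramData\AnyDesk\` (KAPE AnyDesk target) — the
/// location used when AnyDesk runs as an installed service rather than per user.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'*.trace'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping; left empty
/// until the ingest populates `mitre_techniques` uniformly.
pub(crate) static KAPE_FILE_ANYDESK_LOGS_PROGRAM: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_logs_program",
    name: "AnyDesk Logs - ProgramData - *.trace",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\ProgramData\\AnyDesk\\*.trace"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the trace logs for AnyDesk from ProgramData",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};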
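/// AnyDesk `*.conf` files under the user's roaming profile (KAPE AnyDesk target).
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'*.conf'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): the upstream name calls these "logs", but `.conf` files are configuration —
/// the security-relevant content is the configured identity/access settings, not events.
/// ATT&CK T1219 (Remote Access Software) is the natural mapping.
pub(crate) static KAPE_FILE_ANYDESK_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_conf",
    name: "AnyDesk Logs - User Profile - *.conf",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\AnyDesk\\*.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the conf logs for AnyDesk from a user profile",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};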
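/// AnyDesk `*.conf` files under `C:\ProgramData\AnyDesk\` (KAPE AnyDesk target), the
/// service-installation counterpart of `KAPE_FILE_ANYDESK_CONF`.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'*.conf'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping; left empty
/// until the ingest populates `mitre_techniques` uniformly.
pub(crate) static KAPE_FILE_ANYDESK_CONF_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_conf_2",
    name: "AnyDesk Logs - ProgramData - *.conf",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\ProgramData\\AnyDesk\\*.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the conf logs for AnyDesk from ProgramData",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};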
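/// AnyDesk session recordings (`*.anydesk`) in the user's `Videos\AnyDesk\` folder (KAPE
/// AnyDesk target).
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'*.anydesk'` mask
/// in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): recordings exist only if the user (or the operator) enabled session
/// recording, so absence is not evidence that no session occurred — pair with the
/// `connection_trace.txt` entries from the same target. ATT&CK T1219 is the natural mapping.
pub(crate) static KAPE_FILE_ANYDESK_ANYDESK: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_anydesk",
    name: "AnyDesk Videos",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\Videos\\AnyDesk\\*.anydesk"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects any session recordings made by the user while using AnyDesk",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};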
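/// AnyDesk `connection_trace.txt` under the user's roaming profile (KAPE AnyDesk target) —
/// the per-user record of incoming connection attempts.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the
/// `'connection_trace.txt'` mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): this is the AnyDesk artifact most directly tied to remote access by a third
/// party; ATT&CK T1219 (Remote Access Software) is the natural mapping once the ingest
/// populates `mitre_techniques`.
pub(crate) static KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_connection_trace_txt",
    name: "AnyDesk Logs - User Profile - connection_trace.txt",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\AnyDesk\\connection_trace.txt"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the connection trace log from user profile",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};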
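/// AnyDesk `connection_trace.txt` under `C:\ProgramData\AnyDesk\` (KAPE AnyDesk target) —
/// the service-installation counterpart of `KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT`.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the
/// `'connection_trace.txt'` mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping; left empty
/// until the ingest populates `mitre_techniques` uniformly.
pub(crate) static KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT_2: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_anydesk_connection_trace_txt_2",
        name: "AnyDesk Logs - ProgramData - connection_trace.txt",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\ProgramData\\AnyDesk\\connection_trace.txt"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects the connection trace log from ProgramData",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };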
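/// AnyDesk data written under the SYSTEM account's roaming profile
/// (`C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\`), KAPE AnyDesk target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning`; the same fix belongs in the
/// ingest step.
///
/// NOTE(review): only the WOW64 system profile is listed; a 64-bit service would write under
/// `System32\config\systemprofile` instead — confirm against the upstream target before
/// assuming this path alone covers service installs. ATT&CK T1219 is the natural mapping.
pub(crate) static KAPE_FILE_ROAMING_ANYDESK: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_anydesk",
    name: "AnyDesk Logs - System User Account",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects the logs associated with the System user account",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};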
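/// AnyDesk chat transcripts (`*.txt`) under the user's roaming `AnyDesk\chat\` folder (KAPE
/// AnyDesk target).
///
/// Fix: the ingest concatenated the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AnyDesk\chat'*.txt'`, which matches nothing. Every sibling entry in this
/// target has a `\` between directory and mask, so it is restored here and the quotes are
/// dropped (same for the leaked quotes in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): chat logs are the one AnyDesk artifact that can show operator intent in
/// plain text (social-engineering scripts, instructions to the victim). ATT&CK T1219 applies.
pub(crate) static KAPE_FILE_ANYDESK_CHAT_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_anydesk_chat_txt",
    name: "AnyDesk Chat Logs - User Profile",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\AnyDesk\\chat\\*.txt"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects chat logs associated with the user profile",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};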
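/// AnyDesk `file_transfer_trace.txt` under the user's roaming profile (KAPE AnyDesk target),
/// written when AnyDesk runs in portable mode.
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\Roaming\AnyDesk'file_transfer_trace.txt'`; the separator is restored and the
/// quotes dropped (also in `meaning`), matching the sibling ProgramData entry. Fix the ingest
/// step as well.
///
/// NOTE(review): this log is the primary evidence for data staged or exfiltrated through an
/// AnyDesk session; treat it as high-value during a remote-access intrusion even though the
/// upstream priority is Low. ATT&CK T1219 is the natural mapping.
pub(crate) static KAPE_FILE_ROAMING_ANYDESK_FILE_TRANSFER_TRACE_TXT: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_roaming_anydesk_file_transfer_trace_txt",
        name: "AnyDesk File Transfer Logs - Running in portable mode",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\AnyDesk\\file_transfer_trace.txt"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects file transfer logs that occur when running in portable mode",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };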
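/// AnyDesk `file_transfer_trace.txt` under `C:\ProgramData\AnyDesk\` (KAPE AnyDesk target),
/// written when AnyDesk is installed as a service.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the
/// `'file_transfer_trace.txt'` mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): primary evidence for files moved through an AnyDesk session — worth
/// reviewing ahead of the trace logs during a remote-access intrusion. ATT&CK T1219 applies.
pub(crate) static KAPE_FILE_ANYDESK_FILE_TRANSFER_TRACE_TXT: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_anydesk_file_transfer_trace_txt",
        name: "AnyDesk File Transfer Logs - Installed as a Service",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\ProgramData\\AnyDesk\\file_transfer_trace.txt"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects file transfer logs that occur when running as an installed service",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AnyDesk.tkape"],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };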
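/// Aspera Connect client logs (`*.log`) under the user's local AppData (KAPE AsperaConnect
/// target).
///
/// Fix: the `'*.log'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): the generated identifier (`KAPE_FILE_LOG_LOG_2` / `kape_file_log_log_2`)
/// is derived from the path tail and is not descriptive; it is kept because it is the
/// public name and may be referenced by id elsewhere. `meaning` is the ingest's generic
/// fallback text.
pub(crate) static KAPE_FILE_LOG_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_log_log_2",
    name: "Aspera Client Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Aspera\\Aspera Connect\\var\\log\\*.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Aspera Client Logs — collected by KAPE AsperaConnect target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AsperaConnect.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};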
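/// Aspera Connect logs (`*.log`) under the user's `.aspera\connect\var\log\` folder (KAPE
/// AsperaConnect target).
///
/// Fix: the `'*.log'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): the upstream name says "Server Logs", but the path is inside a user profile;
/// treat the name as inherited from the tkape rather than a statement about a server role.
/// `meaning` is the ingest's generic fallback text.
pub(crate) static KAPE_FILE_ASPERA_SERVER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_aspera_server_logs",
    name: "Aspera Server Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\.aspera\\connect\\var\\log\\*.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Aspera Server Logs — collected by KAPE AsperaConnect target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AsperaConnect.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};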
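/// AteraAgent `*.ini` files under `C:\Program Files\ATERA Networks\AteraAgent\` (KAPE
/// AteraAgent target).
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AteraAgent'*.ini'`; the separator is restored and the quotes dropped (also
/// in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): Atera is an RMM agent; ATT&CK T1219 (Remote Access Software) is the natural
/// mapping once the ingest populates `mitre_techniques`. The `.ini` files are configuration,
/// not logs, despite the shared upstream comment.
pub(crate) static KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_INI: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_atera_networks_ateraagent_ini",
        name: "AteraAgent .ini files",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\Program Files\\ATERA Networks\\AteraAgent\\*.ini"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects logs for AteraAgent",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AteraAgent.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };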
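/// AteraAgent `*.txt` logs under `C:\Program Files\ATERA Networks\AteraAgent\` (KAPE
/// AteraAgent target).
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AteraAgent'*.txt'`; the separator is restored and the quotes dropped (also
/// in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping for an RMM
/// agent; left empty until the ingest populates `mitre_techniques` uniformly.
pub(crate) static KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_TXT: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_atera_networks_ateraagent_txt",
        name: "AteraAgent Logs",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\Program Files\\ATERA Networks\\AteraAgent\\*.txt"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects logs for AteraAgent",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AteraAgent.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };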
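/// AteraAgent `*.db` files under `C:\Program Files\ATERA Networks\AteraAgent\` (KAPE
/// AteraAgent target).
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AteraAgent'*.db'`; the separator is restored and the quotes dropped (also in
/// `meaning`). Fix the ingest step as well.
///
/// NOTE(review): the upstream `name`/`meaning` say "Logs" for every AteraAgent mask; the
/// `.db` files are local agent state rather than log text. ATT&CK T1219 is the natural
/// mapping for the RMM agent.
pub(crate) static KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_atera_networks_ateraagent_db",
    name: "AteraAgent Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Program Files\\ATERA Networks\\AteraAgent\\*.db"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects logs for AteraAgent",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AteraAgent.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};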
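/// AteraAgent `*.config` files under `C:\Program Files\ATERA Networks\AteraAgent\` (KAPE
/// AteraAgent target).
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AteraAgent'*.config'`; the separator is restored and the quotes dropped
/// (also in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): configuration rather than logs — the security-relevant content is which
/// tenant/account the agent reports to. ATT&CK T1219 is the natural mapping.
pub(crate) static KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CONFIG: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_atera_networks_ateraagent_config",
        name: "AteraAgent Logs",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\Program Files\\ATERA Networks\\AteraAgent\\*.config"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects logs for AteraAgent",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AteraAgent.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };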
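/// AteraAgent `*.cfg` files under `C:\Program Files\ATERA Networks\AteraAgent\` (KAPE
/// AteraAgent target).
///
/// Fix: the ingest joined the KAPE `Path` and quoted `FileMask` without a separator,
/// producing `…\AteraAgent'*.cfg'`; the separator is restored and the quotes dropped (also
/// in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): configuration rather than logs; ATT&CK T1219 (Remote Access Software) is
/// the natural mapping for the RMM agent.
pub(crate) static KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CFG: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_atera_networks_ateraagent_cfg",
        name: "AteraAgent Logs",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some("C:\\Program Files\\ATERA Networks\\AteraAgent\\*.cfg"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Collects logs for AteraAgent",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AteraAgent.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };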
/// Box Drive application metadata under the user's local AppData (`Local\Box\Box\`), from
/// the KAPE BoxDrive_Metadata target.
///
/// NOTE(review): `meaning` is the ingest's generic fallback text. This entry collects the
/// client's own databases/logs, not synced user content — the content lives in the separate
/// BoxDrive_UserFiles entries, which carry a scope-of-authority caution.
pub(crate) static KAPE_FILE_BOX_BOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_box_box",
    name: "Box Drive Application Metadata",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Box\\Box\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Box Drive Application Metadata — collected by KAPE BoxDrive_Metadata target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BoxDrive_Metadata.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Box Sync application metadata under the user's local AppData (`Local\Box Sync\`), from
/// the KAPE BoxDrive_Metadata target.
///
/// NOTE(review): `meaning` is the ingest's generic fallback text. Client metadata only; the
/// synced content itself is the separate "Box Sync User Files" entry.
pub(crate) static KAPE_FILE_LOCAL_BOX_SYNC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_box_sync",
    name: "Box Sync Application Metadata",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Box Sync\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Box Sync Application Metadata — collected by KAPE BoxDrive_Metadata target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BoxDrive_Metadata.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
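/// Box Drive user content folder (`C:\Users\%user%\Box\`), from the KAPE BoxDrive_UserFiles
/// target.
///
/// Fix: the upstream caution was ingested with its YAML quote delimiters, so `meaning`
/// rendered with literal `"…"`; stripped here (fix the ingest step as well). The caution
/// itself is the security-relevant point of this entry: Box Drive exposes on-demand cloud
/// files through this folder, so walking it can trigger downloads over the network and pull
/// data outside the host — check authority for cloud collection, or isolate the host, before
/// running the target.
pub(crate) static KAPE_FILE_USER_BOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_user_box",
    name: "Box Drive User Files",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\Box\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BoxDrive_UserFiles.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "Collection can hydrate on-demand cloud files over the network; confirm authority for cloud collection or isolate the host first",
    ],
    volatility: None,
    volatility_rationale: "",
};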
/// Box Sync user content folder (`C:\Users\%user%\Box Sync\`), from the KAPE
/// BoxDrive_UserFiles target.
///
/// NOTE(review): `meaning` is the ingest's generic fallback text. The sibling Box Drive entry
/// in the same target carries a caution about on-demand cloud files; whether that also
/// applies to the Box Sync folder is not stated upstream — confirm before collecting.
pub(crate) static KAPE_FILE_USER_BOX_SYNC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_user_box_sync",
    name: "Box Sync User Files",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\Box Sync\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Box Sync User Files — collected by KAPE BoxDrive_UserFiles target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BoxDrive_UserFiles.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
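/// ChatGPT desktop app (MSIX package `OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0`) Local Storage
/// LevelDB files, from the KAPE ChatGPT target.
///
/// Fix: the ingest joined the KAPE `Path` and double-quoted `FileMask` without a separator,
/// producing `…\leveldb"*"`, which is not a valid path; the separator is restored and the
/// quotes dropped (also in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): LevelDB `.ldb`/`.log` files are only consistent when the app is closed;
/// a live copy may be mid-compaction. Parse with a LevelDB-aware tool rather than grep.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_storage_leveldb",
    name: "LevelDB",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\\LocalCache\\Roaming\\ChatGPT\\Local Storage\\leveldb\\*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "LevelDB Database",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChatGPT.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};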
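/// ChatGPT desktop app IndexedDB store for the `https_chatgpt.com_0` origin (LevelDB-backed),
/// from the KAPE ChatGPT target.
///
/// Fix: the ingest joined the KAPE `Path` and double-quoted `FileMask` without a separator,
/// producing `…\https_chatgpt.com_0.indexeddb.leveldb"*"`; the separator is restored and the
/// quotes dropped (also in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): IndexedDB is where a web-view app keeps structured per-origin state, so this
/// is the most likely place for cached conversation data; consistency caveat as for any
/// LevelDB copied from a live system.
pub(crate) static KAPE_FILE_INDEXEDDB_HTTPS_CHATGPT_COM_0_INDEXEDDB_LEVELDB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_indexeddb_https_chatgpt_com_0_indexeddb_leveldb",
    name: "IndexedDB",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\\LocalCache\\Roaming\\ChatGPT\\IndexedDB\\https_chatgpt.com_0.indexeddb.leveldb\\*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "IndexedDB Database",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChatGPT.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};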
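/// ChatGPT desktop app Chromium-style HTTP cache directory, from the KAPE ChatGPT target.
///
/// Fix: the ingest joined the KAPE `Path` and double-quoted `FileMask` without a separator,
/// producing `…\Cache"*"`; the separator is restored and the quotes dropped (also in
/// `meaning`). Fix the ingest step as well.
///
/// NOTE(review): the upstream `name`/`meaning` call this "Chrome Cache" — it is the
/// Chromium cache format used by the app's web view, not the Chrome browser's cache.
pub(crate) static KAPE_FILE_CHATGPT_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chatgpt_cache",
    name: "ChromeCache",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\\LocalCache\\Roaming\\ChatGPT\\Cache\\*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome Cache",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChatGPT.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};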
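/// ChatGPT desktop app packaged-application registry hives (`User.dat`, `UserClasses.dat`)
/// under `SystemAppData\Helium\`, from the KAPE ChatGPT target.
///
/// Fix: the ingest joined the KAPE `Path` and double-quoted `FileMask` without a separator,
/// producing `…\Helium"*.dat"`; the separator is restored and the quotes dropped (also in
/// `meaning`). Fix the ingest step as well.
///
/// NOTE(review): these are genuine registry-hive-format files (per the upstream comment) even
/// though `artifact_type` is `File` and `hive` is `None`; parse them with a hive parser, and
/// expect transaction logs alongside them on a live system.
pub(crate) static KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_systemappdata_helium_dat",
    name: "Helium Registry Hives",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\\SystemAppData\\Helium\\*.dat"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Retrieves User.dat and UserClasses.dat which are Application Registries",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChatGPT.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};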
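/// ChatGPT desktop app `Settings\settings.dat` (packaged-app registry hive), from the KAPE
/// ChatGPT target.
///
/// Fix: the ingest joined the KAPE `Path` and double-quoted `FileMask` without a separator,
/// producing `…\Settings"settings.dat"`; the separator is restored and the quotes dropped
/// (also in `meaning`). Fix the ingest step as well.
///
/// NOTE(review): the generated identifier is truncated (`…_SETTINGS_SETT`); kept because it
/// is the public name. Registry-hive format per the upstream comment — parse as a hive.
pub(crate) static KAPE_FILE_OPENAI_CHATGPT_DESKTOP_2P2NQSD0C76G0_SETTINGS_SETT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_openai_chatgpt_desktop_2p2nqsd0c76g0_settings_sett",
    name: "ChatGPT Settings File",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\\Settings\\settings.dat"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Retrieves settings.dat which is an Application Registry",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChatGPT.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};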
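/// Chocolatey package-manager logs (`C:\ProgramData\chocolatey\logs\*.log`), from the KAPE
/// Chocolatey target.
///
/// Fix: the `'*.log'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): the generated identifier (`KAPE_FILE_LOGS_LOG`) is derived from the path
/// tail and is not descriptive; kept as the public name. Package-manager logs record what
/// was installed and when — a useful source for tooling an attacker pulled onto the host.
pub(crate) static KAPE_FILE_LOGS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logs_log",
    name: "Chocolatey logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\ProgramData\\chocolatey\\logs\\*.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chocolatey logs — collected by KAPE Chocolatey target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chocolatey.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};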
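/// Cisco Jabber chat-history databases (`*.db`) under the user's local AppData, from the
/// KAPE CiscoJabber target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'*.db'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): the upstream comment says the Jabber process must be killed first; that
/// alters the live system and should be recorded in collection notes. A raw-disk copy (which
/// KAPE can do) avoids the kill but may capture an inconsistent database. The generated
/// identifier (`KAPE_FILE_HISTORY_DB`) is not descriptive; kept as the public name.
pub(crate) static KAPE_FILE_HISTORY_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_db",
    name: "Cisco Jabber Database",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Cisco\\Unified Communications\\Jabber\\CSF\\History\\*.db"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "The Cisco Jabber process needs to be killed before database can be copied.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CiscoJabber.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "Database is locked while Jabber runs; the upstream target expects the process to be stopped, which changes live state",
    ],
    volatility: None,
    volatility_rationale: "",
};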
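/// ClipboardMaster text clipboard history (`Clipboard.clm4`) under the user's roaming
/// profile, from the KAPE ClipboardMaster target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'Clipboard.clm4'`
/// mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): clipboard managers retain anything the user copied, which routinely includes
/// passwords and tokens — handle the collected file as credential material, and pair it with
/// the `.ba*` backup entry from the same target for older history.
pub(crate) static KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_clipboardmaster_clipboard_clm4",
        name: "ClipboardMaster - Clipboard History - Text",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        file_path: Some(
            "C:\\Users\\%user%\\AppData\\Roaming\\Jumping Bytes\\ClipboardMaster\\Clipboard.clm4",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Locates the user’s clipboard history (text) for ClipboardMaster",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Medium,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ClipboardMaster.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[
            "Clipboard history commonly contains copied secrets; treat the collected file as sensitive",
        ],
        volatility: None,
        volatility_rationale: "",
    };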
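/// ClipboardMaster image clipboard history (`pics\` directory) under the user's roaming
/// profile, from the KAPE ClipboardMaster target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning`; the same fix belongs in the
/// ingest step.
///
/// NOTE(review): copied screenshots can reveal on-screen secrets (MFA codes, consoles); treat
/// the collected directory as sensitive.
pub(crate) static KAPE_FILE_CLIPBOARDMASTER_PICS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_clipboardmaster_pics",
    name: "ClipboardMaster - Clipboard History - Images",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Jumping Bytes\\ClipboardMaster\\pics\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Locates the user’s clipboard history (images) for ClipboardMaster",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ClipboardMaster.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};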
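/// ClipboardMaster clipboard-history backups (`Clipboard.clm4.ba*`) under the user's roaming
/// profile, from the KAPE ClipboardMaster target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the
/// `'Clipboard.clm4.ba*'` mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): backups extend the history beyond the live `Clipboard.clm4` and may survive
/// a user clearing the current history; same sensitivity caveat as the primary file.
pub(crate) static KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4_BA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_clipboardmaster_clipboard_clm4_ba",
    name: "ClipboardMaster - Clipboard History - Backups",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Jumping Bytes\\ClipboardMaster\\Clipboard.clm4.ba*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Locates the user’s clipboard history (backups) for ClipboardMaster",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ClipboardMaster.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};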
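/// Confluence server logs under `C:\Atlassian\Application Data\Confluence\logs\` (the
/// Confluence home directory), from the KAPE ConfluenceLogs target. The `*.log*` mask also
/// picks up rotated files.
///
/// Fix: the `'*.log*'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): the generated identifier (`KAPE_FILE_LOGS_LOG_2`) is not descriptive and
/// collides in spirit with the Chocolatey entry; kept as the public name. Confluence access
/// and security logs are the first stop when a Confluence CVE is suspected as initial access.
pub(crate) static KAPE_FILE_LOGS_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logs_log_2",
    name: "Confluence Wiki Log Files",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Atlassian\\Application Data\\Confluence\\logs\\*.log*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Confluence Wiki Log Files — collected by KAPE ConfluenceLogs target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ConfluenceLogs.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};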
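/// Confluence logs under the install directory
/// (`C:\Program Files\Atlassian\Confluence\logs\*.log`), from the KAPE ConfluenceLogs target.
///
/// Fix: the `'*.log'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): this mask does not match rotated `*.log.N` files, unlike the sibling
/// home-directory entry's `*.log*`; whether that asymmetry is intentional upstream is not
/// stated — confirm before relying on it for historical coverage.
pub(crate) static KAPE_FILE_CONFLUENCE_WIKI_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_confluence_wiki_log",
    name: "Confluence Wiki Log Files",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Program Files\\Atlassian\\Confluence\\logs\\*.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Confluence Wiki Log Files — collected by KAPE ConfluenceLogs target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ConfluenceLogs.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};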
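/// DWAgent (DWService remote-access agent) logs under `C:\ProgramData\DWAgent*\`, from the
/// KAPE DWAgent target. The directory wildcard covers versioned install folders; `*.log*`
/// also picks up rotated files.
///
/// Fix: the `'*.log*'` mask in `file_path` kept its YAML quote delimiters; stripped here.
/// Apply the same fix in the ingest step.
///
/// NOTE(review): ATT&CK T1219 (Remote Access Software) is the natural mapping; left empty
/// until the ingest populates `mitre_techniques` uniformly. `meaning` is the ingest's
/// generic fallback text.
pub(crate) static KAPE_FILE_DWAGENT_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_dwagent_log",
    name: "DWAgent Log Files",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\ProgramData\\DWAgent*\\*.log*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "DWAgent Log Files — collected by KAPE DWAgent target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DWAgent.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};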
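/// AWS CLI shared credentials file (`C:\Users\%user%\.aws\credentials`), from the KAPE
/// DeveloperCloudCredentials target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'credentials'`
/// mask in `file_path`; the same fix belongs in the ingest step.
///
/// NOTE(review): the file is INI-style with one `[profile]` section per stored identity, so
/// a single file can expose several accounts; `aws_session_token` entries are short-lived
/// and their presence dates recent STS use. Handle the collected file as live credential
/// material and rotate on confirmed compromise.
pub(crate) static KAPE_FILE_AWS_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_aws_credentials",
    name: "AWS CLI Credentials",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\.aws\\credentials"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects AWS CLI credential file",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Critical,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "AWS access key ID and secret; timestamp indicates when last modified",
        "May hold several named profiles, including temporary aws_session_token entries",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential file persists until key rotation",
};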
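/// AWS CLI config file (`C:\Users\%user%\.aws\config`) — profiles, regions, `role_arn` /
/// `source_profile` chains and SSO settings — from the KAPE DeveloperCloudCredentials target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'config'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// Review: the upstream target groups this file with credential material, but the ingest
/// left it at Low while the sibling `credentials` file is Critical. The AWS CLI accepts
/// `aws_access_key_id` / `aws_secret_access_key` in `config` as well, and even without keys
/// the profile and role entries enumerate the accounts a compromised host can reach, so the
/// priority is raised to Medium and the point recorded as a caveat.
pub(crate) static KAPE_FILE_AWS_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_aws_config",
    name: "AWS CLI Config",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\.aws\\config"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects AWS CLI config file",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "May hold static access keys alongside profile/role/SSO settings; review together with the sibling credentials file",
        "Profile names, role ARNs and SSO start URLs identify reachable accounts even when no key is stored",
    ],
    volatility: None,
    volatility_rationale: "",
};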
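/// Kubernetes client config (`C:\Users\%user%\.kube\config`) — cluster endpoints, contexts
/// and the `users` section — from the KAPE DeveloperCloudCredentials target.
///
/// Fix: leaked YAML quote delimiters removed from `meaning` and from the `'config'` mask in
/// `file_path`; the same fix belongs in the ingest step.
///
/// Review: the upstream target treats this as credential material, but the ingest left it at
/// Low. A kubeconfig's `users` entries normally embed a bearer `token` or
/// `client-certificate-data` / `client-key-data`, i.e. directly usable cluster credentials,
/// so it is raised to High. Caveat: when an entry uses an `exec` or auth-provider plugin the
/// secret is held elsewhere (for example a cloud CLI token cache) and the file alone only
/// names the cluster.
pub(crate) static KAPE_FILE_KUBE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_kube_config",
    name: "Kubernetes Config",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\.kube\\config"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects Kubernetes client config",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::High,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "users[] entries commonly embed a bearer token or client-certificate-data/client-key-data; treat the file as live credentials",
        "Entries using exec/auth-provider plugins keep the secret elsewhere; the file then only identifies cluster endpoints",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Config file persists until the client rewrites it or the user rotates credentials",
};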
/// KAPE file target "Docker Config" (DeveloperCloudCredentials.tkape): the per-user
/// `.docker\config.json` client configuration.
///
/// NOTE(review): the Docker client config commonly stores registry login entries, so the
/// `Low` rating here is inconsistent with the other credential-bearing entries from the same
/// tkape that are rated `Critical` — confirm the intended classification.
pub(crate) static KAPE_FILE_DOCKER_CONFIG_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_docker_config_json",
name: "Docker Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\.docker\\'config.json'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects Docker client configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Git Credentials" (DeveloperCloudCredentials.tkape): the per-user
/// `.git-credentials` store. Rated `Critical` / `Definitive`; the caveat directs the analyst
/// to check which VCS hosts the stored tokens belong to (non-corporate hosts are the
/// exfiltration-relevant finding).
pub(crate) static KAPE_FILE_USER_GIT_CREDENTIALS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_git_credentials",
name: "Git Credentials",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\'.git-credentials'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects Git stored credentials\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Repository tokens; check for non-corporate VCS hosts"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Git credential helper store persists until credential deletion",
};
/// KAPE file target "Git Config" (DeveloperCloudCredentials.tkape): the per-user
/// `.gitconfig`. Rated `Low`; useful mainly to attribute the identity and remotes used
/// by the `.git-credentials` entry above.
pub(crate) static KAPE_FILE_USER_GITCONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_gitconfig",
name: "Git Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\'.gitconfig'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects Git user configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "SSH Config" (DeveloperCloudCredentials.tkape): the per-user
/// `.ssh\config`. Only the client config file is described by this entry; private keys in
/// the same directory are not covered here.
pub(crate) static KAPE_FILE_SSH_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_config",
name: "SSH Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\.ssh\\'config'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects SSH client configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "SSH Known Hosts" (DeveloperCloudCredentials.tkape): the per-user
/// `.ssh\known_hosts`. Rated `Low`; in an investigation it is a record of which hosts the
/// user's SSH client has connected to, not a credential.
pub(crate) static KAPE_FILE_SSH_KNOWN_HOSTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_known_hosts",
name: "SSH Known Hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\.ssh\\'known_hosts'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects SSH known_hosts file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "npm User Config" (DeveloperCloudCredentials.tkape): the per-user
/// `.npmrc`.
///
/// NOTE(review): a user-level `.npmrc` commonly holds registry auth tokens, which is
/// presumably why it sits in the "cloud credentials" tkape; `Low` here diverges from the
/// `Critical` rating of the sibling credential entries — confirm.
pub(crate) static KAPE_FILE_USER_NPMRC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_npmrc",
name: "npm User Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\'.npmrc'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects npm user configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DeveloperCloudCredentials.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus MRU `rename_folders.osd`
/// state file, which per the upstream comment records folder names the user renamed
/// manually. Same display name ("Directory Opus") as the other DirectoryOpus entries; the
/// `id` is the distinguishing key.
pub(crate) static KAPE_FILE_MRU_RENAME_FOLDERS_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_rename_folders_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\MRU\\'rename_folders.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains names of folders that have been renamed manually by the user.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus MRU `rename_files.osd`
/// state file (file names renamed manually by the user, per the upstream comment).
pub(crate) static KAPE_FILE_MRU_RENAME_FILES_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_rename_files_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\MRU\\'rename_files.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains names of files that have been renamed manually by the user.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus MRU `find_contains.osd`
/// state file (content-search queries entered by the user, per the upstream comment).
pub(crate) static KAPE_FILE_MRU_FIND_CONTAINS_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_find_contains_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\MRU\\'find_contains.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus MRU `find_name.osd`
/// state file (filename-search queries entered by the user, per the upstream comment).
pub(crate) static KAPE_FILE_MRU_FIND_NAME_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_find_name_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\MRU\\'find_name.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus MRU `find_path.osd` state
/// file. The upstream comment itself states the generation mechanism is not understood, so
/// treat its contents as corroborating rather than primary evidence.
pub(crate) static KAPE_FILE_MRU_FIND_PATH_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_find_path_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\MRU\\'find_path.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus `recent.osd` state file.
/// Rated `High` — the upstream comment describes it as the Shellbags-equivalent for this
/// file manager (roughly the last 10 folders visited in the Lister), i.e. folder-access
/// history that Windows Shellbags would miss.
pub(crate) static KAPE_FILE_STATE_DATA_RECENT_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_state_data_recent_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\'recent.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus `backupconfig.osd` state
/// file (paths of the application's settings backups, per the upstream comment).
pub(crate) static KAPE_FILE_STATE_DATA_BACKUPCONFIG_OSD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_state_data_backupconfig_osd",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\State Data\\'backupconfig.osd'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus `Thumbnail Cache`
/// directory (a directory target, so `file_path` ends in a separator).
///
/// NOTE(review): the `meaning` text is a verbatim copy of the `backupconfig.osd` entry's
/// comment and does not describe a thumbnail cache; this looks like an upstream copy-paste
/// in the tkape that the ingest pipeline carried over. The correct description is not
/// available on this page, so it is left as ingested — fix upstream and regenerate.
pub(crate) static KAPE_FILE_DIRECTORY_OPUS_THUMBNAIL_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_directory_opus_thumbnail_cache",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\GPSoftware\\Directory Opus\\Thumbnail Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target from DirectoryOpus.tkape: the Directory Opus `Logs` directory under
/// Roaming AppData. Per the upstream comment the `.txt` logs are named after the FTP server
/// address connected to, with `All-activity.txt` aggregating them — a useful data-transfer
/// trail when the file manager's built-in FTP client was used.
pub(crate) static KAPE_FILE_DIRECTORY_OPUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_directory_opus_logs",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\GPSoftware\\Directory Opus\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DirectoryOpus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Discord Cache Files" (Discord.tkape): the Discord desktop app's
/// `cache` directory under Roaming AppData (directory target).
pub(crate) static KAPE_FILE_DISCORD_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_discord_cache",
name: "Discord Cache Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\discord\\cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Gets cached data from Discord app\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Discord.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Discord Local Storage LevelDB Files" (Discord.tkape): the app's
/// `local storage\leveldb` directory. The `_2` suffix on the identifier is the ingest
/// pipeline's disambiguation for a repeated base name, not part of the upstream target.
///
/// NOTE(review): the LevelDB store is the app's session/local-storage database; if it
/// carries session tokens the collected copy is sensitive — confirm before sharing output.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_2",
name: "Discord Local Storage LevelDB Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\discord\\local storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Gets LevelDB database from Discord app\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Discord.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - history.xml" (DoubleCommander.tkape). Rated `High`:
/// the upstream comment describes it as Shellbags-equivalent folder history, ordered
/// bottom-to-top (note the opposite ordering documented for `doublecmd.xml`).
pub(crate) static KAPE_FILE_DOUBLECMD_HISTORY_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_history_xml",
name: "Double Commander - history.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'history.xml'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - doublecmd.xml" (DoubleCommander.tkape). Rated
/// `High`: Shellbags-equivalent folder history per the upstream comment, ordered
/// top-to-bottom (the reverse of `history.xml`).
pub(crate) static KAPE_FILE_DOUBLECMD_DOUBLECMD_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_doublecmd_xml",
name: "Double Commander - doublecmd.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'doublecmd.xml'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - FTP Log" (DoubleCommander.tkape). The FileMask is
/// a wildcard (`doublecmd*.log`) because, per the upstream comment, the log files are
/// date-stamped (e.g. `doublecmd_2021-04-03.log`).
pub(crate) static KAPE_FILE_DOUBLECMD_DOUBLECMD_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_doublecmd_log",
name: "Double Commander - FTP Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'doublecmd*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - multiarc.ini" (DoubleCommander.tkape). The
/// upstream target has no comment for this file, so `meaning` is the ingest pipeline's
/// generic "collected by KAPE … target" fallback rather than a description of contents.
pub(crate) static KAPE_FILE_DOUBLECMD_MULTIARC_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_multiarc_ini",
name: "Double Commander - multiarc.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'multiarc.ini'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Double Commander - multiarc.ini — collected by KAPE DoubleCommander target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - session.ini" (DoubleCommander.tkape). `meaning` is
/// the ingest fallback text (no upstream comment), not a content description.
pub(crate) static KAPE_FILE_DOUBLECMD_SESSION_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_session_ini",
name: "Double Commander - session.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'session.ini'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Double Commander - session.ini — collected by KAPE DoubleCommander target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - pixmaps.txt" (DoubleCommander.tkape). `meaning` is
/// the ingest fallback text (no upstream comment), not a content description.
pub(crate) static KAPE_FILE_DOUBLECMD_PIXMAPS_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_pixmaps_txt",
name: "Double Commander - pixmaps.txt",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'pixmaps.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Double Commander - pixmaps.txt — collected by KAPE DoubleCommander target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Double Commander - shortcuts.scf" (DoubleCommander.tkape). `meaning`
/// is the ingest fallback text (no upstream comment), not a content description.
pub(crate) static KAPE_FILE_DOUBLECMD_SHORTCUTS_SCF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecmd_shortcuts_scf",
name: "Double Commander - shortcuts.scf",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\doublecmd\\'shortcuts.scf'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Double Commander - shortcuts.scf — collected by KAPE DoubleCommander target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DoubleCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox Metadata" (Dropbox_Metadata.tkape): `info.json`, which per the
/// upstream comment records the user's Dropbox folder location. Read this first when the
/// sync folder is not at the default path targeted by the "Dropbox User Files" entry.
pub(crate) static KAPE_FILE_DROPBOX_INFO_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_info_json",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\info.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Getting individual files because folder may contain very large extraneous files. Info.json contains user's Dropbox folder location\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox Metadata" (Dropbox_Metadata.tkape): `host.db`. Per the upstream
/// comment it holds the local Dropbox folder path as a base64-encoded value; the decoder
/// here is `Identity`, so any base64 decoding is left to the consumer.
pub(crate) static KAPE_FILE_DROPBOX_HOST_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_host_db",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\host.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox Metadata" (Dropbox_Metadata.tkape):
/// `machine_storagetray-thumbnails.db`, described upstream as a SQLite database referencing
/// image files that were present in the user's Dropbox at some point — useful for
/// establishing prior existence of files that have since been removed.
pub(crate) static KAPE_FILE_DROPBOX_MACHINE_STORAGETRAY_THUMBNAILS_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_machine_storagetray_thumbnails_db",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\machine_storagetray-thumbnails.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite database containing references to image files at one time present in a user’s Dropbox instance.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox Metadata" (Dropbox_Metadata.tkape): `host.dbx`. The upstream
/// comment gives the same base64-encoded folder path description as `host.db`, with the
/// added instruction to decode line by line. Decoder is `Identity`, so that is the
/// consumer's job.
pub(crate) static KAPE_FILE_DROPBOX_HOST_DBX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_host_dbx",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\host.dbx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Windows Protect Folder", ingested from Dropbox_Metadata.tkape where it
/// is collected only as a prerequisite for offline decryption of the Dropbox databases
/// (per the upstream comment). Directory target with a per-SID wildcard segment.
///
/// NOTE(review): `%AppData%\Microsoft\Protect` is presumably the per-user DPAPI key store,
/// which makes the collected copy key material rather than application config; `Low`
/// triage priority is fine for its evidentiary role, but output handling should treat it
/// as sensitive — confirm with the evidence-handling policy.
pub(crate) static KAPE_FILE_PROTECT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption of Dropbox databases\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox Metadata" (Dropbox_Metadata.tkape): the `instance*` directories
/// holding the SQLite databases of Dropbox activity and contents, per the upstream comment.
/// The decryption prerequisite is the "Windows Protect Folder" entry from the same tkape.
pub(crate) static KAPE_FILE_DROPBOX_INSTANCE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_instance",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\instance*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"instance folder holds multiple SQLite databases related to Dropbox activity and contents\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Dropbox User Files" (Dropbox_UserFiles.tkape): the default
/// `Dropbox*` sync folder(s) in the user profile. The upstream comment warns the location
/// is user-configurable and points to `info.json` for the real path. The `_2` suffix on the
/// identifier is the ingest pipeline's disambiguation for a repeated base name.
pub(crate) static KAPE_FILE_USER_DROPBOX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_dropbox_2",
name: "Dropbox User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Dropbox*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Dropbox_UserFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "EF Commander - .ini File" (EFCommander.tkape). Despite the display
/// name, the target is the whole `EFSoftware` Roaming AppData directory where the
/// configuration files live (per the upstream comment), not a single `.ini`.
pub(crate) static KAPE_FILE_ROAMING_EFSOFTWARE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_efsoftware",
name: "EF Commander - .ini File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\EFSoftware\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates folder where all configuration files reside\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EFCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Evernote Accounts" (Evernote.tkape): the `.accounts` file in the
/// Evernote Databases directory, described upstream as holding account usernames and
/// e-mail addresses.
///
/// NOTE(review): this tkape's FileMask uses double quotes, so `file_path` ends in a literal
/// `".accounts"` — a different quoting variant from the single-quoted masks elsewhere in
/// this file. Consumers must strip both styles before using the path.
pub(crate) static KAPE_FILE_DATABASES_ACCOUNTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_databases_accounts",
name: "Evernote Accounts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Evernote\\Evernote\\Databases\\\".accounts\"",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Holds username and email of accounts\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Evernote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Evernote Notebooks" (Evernote.tkape): the `*.exb` SQLite note databases.
/// `file_path` carries the upstream double-quoted FileMask (`"*.exb"`) verbatim.
pub(crate) static KAPE_FILE_DATABASES_EXB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_databases_exb",
name: "Evernote Notebooks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Evernote\\Evernote\\Databases\\\"*.exb\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite Database of the notes\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Evernote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Evernote Notebook Snippets" (Evernote.tkape): the `*.exb.snippets`
/// companion files to the notebook databases. `file_path` carries the upstream
/// double-quoted FileMask verbatim.
pub(crate) static KAPE_FILE_DATABASES_EXB_SNIPPETS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_databases_exb_snippets",
name: "Evernote Notebook Snippets",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Evernote\\Evernote\\Databases\\\"*.exb.snippets\"",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Note 'Snippets'\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Evernote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Everything (VoidTools)" (Everything (VoidTools).tkape): the search
/// tool's `Everything.db` index. Note the source URL contains unescaped spaces and
/// parentheses exactly as ingested; percent-encode before fetching programmatically.
pub(crate) static KAPE_FILE_EVERYTHING_EVERYTHING_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_everything_everything_db",
name: "Everything (VoidTools)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Everything\\Everything.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies out Everything.db\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Everything (VoidTools).tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Everything (VoidTools) - Run History": `Run History.csv`, which per the
/// upstream comment lists items launched from the search results window. Rated `Medium`
/// as an execution-history source; treat it as an ordinary CSV with no decoder applied.
pub(crate) static KAPE_FILE_EVERYTHING_RUN_HISTORY_CSV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_everything_run_history_csv",
name: "Everything (VoidTools) - Run History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Everything\\Run History.csv"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies out a CSV containing the history of items ran from Everything's search results window\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Everything (VoidTools).tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Everything (VoidTools) - Search History": `Search History.csv`, a
/// timestamped log of the user's search terms per the upstream comment. Rated `Medium`;
/// pairs with the Run History entry to show what was looked for and then launched.
pub(crate) static KAPE_FILE_EVERYTHING_SEARCH_HISTORY_CSV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_everything_search_history_csv",
name: "Everything (VoidTools) - Search History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Everything\\Search History.csv"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies out a CSV containing the history of items searched for within Everything with timestamps\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Everything (VoidTools).tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE file target "Everything (VoidTools) - .ini file": the tool's `Everything.ini`
/// settings file. Rated `Low`; mainly context for interpreting the history CSVs.
pub(crate) static KAPE_FILE_EVERYTHING_EVERYTHING_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_everything_everything_ini",
name: "Everything (VoidTools) - .ini file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Everything\\Everything.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies out the .ini file for Everything\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Everything (VoidTools).tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
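/// FastStone Image Viewer database (`FSIV.db`) in the per-user LocalAppData.
/// The `meaning` text is the tkape description of the application, not of
/// the artifact; what the database actually records is not established here
/// — TODO confirm before relying on the `Medium` priority.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the path (was `...\FSIV\'FSIV.db'`). The
// quotes are YAML syntax, not part of the filename, and would break any
// literal path/glob match; stripped here — fix the `ingest` crate so
// regeneration does not reintroduce them.
pub(crate) static KAPE_FILE_FSIV_FSIV_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_fsiv_fsiv_db",
name: "FastStone Image Viewer (FSIV)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FastStone\\FSIV\\FSIV.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Image browser, converter, and editor that supports all major graphic formats.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FastStoneImageViewer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};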
/// Stardock Fences `Backups` directory: desktop screenshots the application
/// takes automatically (per the tkape comment). Useful as a visual record of
/// what was on the desktop at backup time. Ingested from `Fences.tkape`.
pub(crate) static KAPE_FILE_FENCES_BACKUPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_fences_backups",
name: "Fences - Desktop Screenshots",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory, not a single file: the whole folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Stardock\\Fences\\Backups"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all screenshots taken automatically by the Fences application\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Fences.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
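/// FileZilla client XML files (`*.xml*`) in the per-user Roaming profile.
/// Ingested from `FileZillaClient.tkape`; `meaning` is generator boilerplate.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the glob (was `...\FileZilla\'*.xml*'`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): a `*.xml*` mask over the FileZilla profile directory would
// also capture site-manager / recent-server configuration if present, which
// may hold saved connection credentials — confirm, and consider an
// `evidence_caveats` entry so handlers treat the collection as sensitive.
pub(crate) static KAPE_FILE_FILEZILLA_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezilla_xml",
name: "FileZilla XML Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\FileZilla\\*.xml*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla XML Log Files — collected by KAPE FileZillaClient target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileZillaClient.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};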
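/// FileZilla client SQLite3 files (`*.sqlite3*`) in the per-user Roaming
/// profile. Ingested from `FileZillaClient.tkape`; `meaning` is generator
/// boilerplate — what these databases record is not established here.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the glob (was `'*.sqlite3*'`); stripped
// here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_FILEZILLA_SQLITE3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezilla_sqlite3",
name: "FileZilla SQLite3 Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\FileZilla\\*.sqlite3*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla SQLite3 Log Files — collected by KAPE FileZillaClient target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileZillaClient.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};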
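/// FileZilla Server XML files (`*.xml*`) in the per-user Roaming profile.
/// Ingested from `FileZillaServer.tkape`; `meaning` is generator boilerplate.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the glob (was `'*.xml*'`); stripped here
// — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): server-side XML configuration may include user/account
// definitions — confirm and consider an `evidence_caveats` entry.
pub(crate) static KAPE_FILE_FILEZILLA_SERVER_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezilla_server_xml",
name: "FileZilla Server XML Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\FileZilla Server\\*.xml*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla Server XML Log Files — collected by KAPE FileZillaServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileZillaServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};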
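/// FileZilla Server log files (`*.log*`) in the server's install directory.
/// Ingested from `FileZillaServer.tkape`; `meaning` is generator boilerplate.
/// The generated identifier (`kape_file_logs_log_3`) is derived from the path
/// tail rather than the product, so it is not self-describing.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the glob (was `'*.log*'`); stripped here
// — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): only the `Program Files (x86)` install location is covered;
// if the product also installs under `Program Files`, a second entry (or a
// broader path) is needed — confirm against the tkape.
pub(crate) static KAPE_FILE_LOGS_LOG_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_log_3",
name: "FileZilla Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\FileZilla Server\\Logs\\*.log*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla Log Files — collected by KAPE FileZillaServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileZillaServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};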
/// FortiClient VPN trace logs in each user's LocalAppData.
/// Uses a bare `*` profile wildcard rather than the `%user%` placeholder the
/// neighbouring entries use — faithful to the tkape, but a consumer that only
/// expands `%user%` would not enumerate profiles for this path.
// NOTE(review): `trace'*'` carries YAML quote residue from the tkape
// `FileMask` scalar, concatenated onto the `Path` without a separator.
// Whether `trace` is a directory (intended `...\logs\trace\*`) or a filename
// prefix (`...\logs\trace*`) cannot be determined from this file — confirm
// against FortiClientVPN.tkape and fix in the `ingest` crate.
pub(crate) static KAPE_FILE_LOGS_TRACE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_trace",
name: "FortiClient trace logs in AppData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\FortiClient\\logs\\trace'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Trace Logs for Forti Client VPN\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FortiClientVPN.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// FortiClient VPN trace logs under the machine-wide install directory
/// (`Program Files`). Machine scope, unlike the per-user sibling entry.
/// The generated identifier is truncated (`_TRACE_LO`) — a generator
/// name-length limit, presumably; it still has to stay stable for callers.
// NOTE(review): `trace'*'` carries YAML quote residue from the tkape
// `FileMask` scalar, concatenated onto the `Path` without a separator.
// Whether `trace` is a directory (`...\logs\trace\*`) or a filename prefix
// (`...\logs\trace*`) cannot be determined from this file — confirm against
// FortiClientVPN.tkape and fix in the `ingest` crate.
pub(crate) static KAPE_FILE_FORTICLIENT_TRACE_LO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_forticlient_trace_lo",
name: "FortiClient trace logs in Program Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Fortinet\\FortiClient\\logs\\trace'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Trace Logs for Forti Client VPN\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FortiClientVPN.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
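/// FreeCommander XE `FreeCommander.ini`: per the tkape comment it holds
/// Shellbags-equivalent folder-traversal artifacts, hence `High` priority.
/// Ingested from `FreeCommander.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the path (was `'FreeCommander.ini'`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_SETTINGS_FREECOMMANDER_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_freecommander_ini",
name: "Free Commander - FreeCommander.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FreeCommanderXE\\Settings\\FreeCommander.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .ini file that contains Shellbags-equivalent artifacts.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};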
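/// FreeCommander XE `FreeCommander.ftp.ini`: per the tkape comment it records
/// the file path of the FTP log (see the `fc*.log` Temp entry from the same
/// target). Ingested from `FreeCommander.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the path (was `'FreeCommander.ftp.ini'`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): an FTP settings file may also hold saved server/credential
// entries — confirm and consider an `evidence_caveats` entry.
pub(crate) static KAPE_FILE_SETTINGS_FREECOMMANDER_FTP_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_freecommander_ftp_ini",
name: "Free Commander - FreeCommander.ftp.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FreeCommanderXE\\Settings\\FreeCommander.ftp.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .ini file that contains the file path to the FTP log for Free Commander.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};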
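/// FreeCommander XE `FreeCommander.hist.ini`: per the tkape comment,
/// Shellbags-equivalent folder history kept in temporal order (top to
/// bottom) for both the left and right panes — a timeline of directory
/// browsing, hence `High` priority. Ingested from `FreeCommander.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the path (was `'FreeCommander.hist.ini'`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_SETTINGS_FREECOMMANDER_HIST_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_freecommander_hist_ini",
name: "Free Commander - FreeCommander.hist.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FreeCommanderXE\\Settings\\FreeCommander.hist.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};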
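/// FreeCommander XE `FreeCommander.fav.xml`: user-favourited files/folders
/// (per the tkape comment). Ingested from `FreeCommander.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the path (was `'FreeCommander.fav.xml'`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_SETTINGS_FREECOMMANDER_FAV_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_freecommander_fav_xml",
name: "Free Commander - FreeCommander.fav.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FreeCommanderXE\\Settings\\FreeCommander.fav.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an .xml file that contains favorited files/folder by the user.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};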
/// FreeCommander XE timestamped settings backups (`Bkp_Settings-YYYY-MM-DD
/// HH-MM-SS\`). Per the tkape comment these are exact copies of the
/// `FreeCommander*.ini`/`.xml` settings files collected by the sibling
/// entries from the same target, so they can provide earlier snapshots of
/// the Shellbags-equivalent history even after the live files were
/// overwritten. The "above files" in `meaning` refers to those siblings.
pub(crate) static KAPE_FILE_SETTINGS_BKP_SETTINGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_bkp_settings",
name: "Free Commander - Backup Settings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory glob: every backup folder under Settings\.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\FreeCommanderXE\\Settings\\Bkp_Settings*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
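/// FreeCommander FTP log(s) in the per-user Temp directory. Per the tkape
/// comment the default name is `fc_ftplog_YYYYMMDD` but the user can change
/// it — so a missing match here does not mean no FTP activity; the
/// `FreeCommander.ftp.ini` entry from the same target records the actual
/// log path. Ingested from `FreeCommander.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML quote characters in the glob (was `Temp\'fc*.log'`); stripped
// here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_TEMP_FC_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_fc_log",
name: "Free Commander - FTP Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\fc*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};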
/// FreeCommander per-session temp folder(s) (`Temp\FreeCommander*\`).
/// Per the tkape comment: randomly named, holds FTP-related data and `.tmp`
/// files created while traversing folders during an active FTP session, and
/// is deleted when the program exits — so it only exists for a live or
/// crashed session.
// NOTE(review): the "deleted upon program exit" statement argues for a
// non-persistent volatility classification rather than `None`; left unset
// because only `VolatilityClass::Persistent` is visible in this file —
// TODO pick the matching variant once the enum is checked.
pub(crate) static KAPE_FILE_TEMP_FREECOMMANDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_freecommander",
name: "Free Commander - FTP Related Information",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\FreeCommander*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
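/// Free Download Manager `fdm.sqlite`: per the tkape comment it holds
/// torrents, downloads, folder history and auth credentials — hence
/// `Critical` priority, `Strong` evidence and the credentials caveat.
/// Ingested from `FreeDownloadManager.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"fdm.sqlite\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): the tkape comment says the target also pulls
// `db_backup/fdm.sqlite`, but this descriptor's path covers only the
// top-level file — confirm whether a second descriptor is needed.
pub(crate) static KAPE_FILE_FREE_DOWNLOAD_MANAGER_FDM_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_free_download_manager_fdm_sqlite",
name: "FDM Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Free Download Manager\\fdm.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. Will also pull fdm.sqlite in db_backup/\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeDownloadManager.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
// Stored credentials: handle the collected copy as sensitive material.
evidence_caveats: &["May contain saved FTP/HTTP credentials; check for non-standard download sources"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Download manager credential database persists until uninstall",
};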
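/// Free Download Manager `backup\backup.info`: per the tkape comment the
/// backup archive's name can be changed from the default `userdata.zip`,
/// and this file indicates the name actually in use — read it before
/// concluding the `userdata.zip` sibling entry is absent. Ingested from
/// `FreeDownloadManager.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"backup.info\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_BACKUP_BACKUP_INFO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backup_backup_info",
name: "FDM Backup Info",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Free Download Manager\\backup\\backup.info"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Backup info file - can change backup name from userdata.zip, so could give indication of file name\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeDownloadManager.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};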
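/// Free Download Manager `backup\userdata.zip`: per the tkape comment a
/// compressed copy of `fdm.sqlite`. The archive name is configurable (see
/// the `backup.info` sibling entry), so absence here is not conclusive.
/// Ingested from `FreeDownloadManager.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"userdata.zip\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
// NOTE(review): consistency fix — the live `fdm.sqlite` descriptor from the
// same target is `Critical` and carries a saved-credentials caveat; a backup
// of that same database was marked with no caveat at all. The caveat is
// added so handlers treat the archive as sensitive; the priority is left at
// `Low` pending a decision on whether backups should match the live copy.
pub(crate) static KAPE_FILE_BACKUP_USERDATA_ZIP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backup_userdata_zip",
name: "FDM Database (userdata.zip)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Free Download Manager\\backup\\userdata.zip"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeDownloadManager.tkape"],
evidence_strength: None,
evidence_caveats: &["Archive may contain a copy of fdm.sqlite, which can hold saved FTP/HTTP credentials; handle as sensitive and check for non-standard download sources"],
volatility: None,
volatility_rationale: "",
};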
/// FreeFileSync per-user `Logs` directory (all log files, per the tkape
/// comment). Sync logs are a potential record of what was copied where —
/// relevant to data-movement/exfiltration questions, though the log content
/// is not established here. Ingested from `FreeFileSync.tkape`.
pub(crate) static KAPE_FILE_FREEFILESYNC_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freefilesync_logs",
name: "FreeFileSync",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory: the whole Logs folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\FreeFileSync\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies out all log files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FreeFileSync.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Drive "Backup and Sync" synced user content (`Google Drive*\` in
/// the profile root). Per the tkape comment this applies to the older
/// Backup and Sync client only. Unlike the metadata entries from the related
/// targets, this collects the user's files themselves — potentially large,
/// and subject to whatever data-handling/scope constraints the case imposes.
pub(crate) static KAPE_FILE_USER_GOOGLE_DRIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_google_drive",
name: "Google Drive Backup and Sync User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory glob: matches every "Google Drive*" folder in the profile root.
file_path: Some("C:\\Users\\%user%\\Google Drive*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Older Google Drive Backup and Sync application only\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleDriveBackupSync_UserFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Drive (older Backup and Sync client) metadata directory in
/// LocalAppData. Per the tkape comment this is the older client's layout;
/// the newer Drive for Desktop / File Stream layout is the `DriveFS` sibling
/// entry. What the metadata records is not established here.
pub(crate) static KAPE_FILE_GOOGLE_DRIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_drive",
name: "Google Drive Backup and Sync Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory: the whole folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Drive\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Older version of Google Drive\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleDrive_Metadata.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Drive for Desktop / Google File Stream metadata directory
/// (`DriveFS`) in LocalAppData. Per the tkape comment the same folder is
/// used by both the newer Drive for Desktop and the older File Stream
/// client. What the metadata records is not established here.
pub(crate) static KAPE_FILE_GOOGLE_DRIVEFS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_drivefs",
name: "Google Drive for Desktop Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory: the whole folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\DriveFS\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleDrive_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
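/// Google Earth `myplaces.kml` (favourited locations, per the tkape comment)
/// in the per-user LocalLow profile. Ingested from `GoogleEarth.tkape`.
// NOTE(review): the ingest step concatenated the tkape `Path` and `FileMask`
// without a separator and kept the YAML quote characters, producing
// `...\GoogleEarth'myplaces.kml'` — a path that can never match. Corrected
// to `...\GoogleEarth\myplaces.kml`; fix the `ingest` crate so regeneration
// does not reintroduce it.
pub(crate) static KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_KML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_googleearth_myplaces_kml",
name: "Google Earth My Places file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\LocalLow\\Google\\GoogleEarth\\myplaces.kml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"File which holds favorited locations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleEarth.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};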
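/// Google Earth `myplaces.backup.kml`: backup of the favourited-locations
/// file (per the tkape comment) in the per-user LocalLow profile — may
/// preserve entries since removed from the live `myplaces.kml`. Ingested
/// from `GoogleEarth.tkape`.
// NOTE(review): the ingest step concatenated the tkape `Path` and `FileMask`
// without a separator and kept the YAML quote characters, producing
// `...\GoogleEarth'myplaces.backup.kml'` — a path that can never match.
// Corrected to `...\GoogleEarth\myplaces.backup.kml`; fix the `ingest`
// crate so regeneration does not reintroduce it.
pub(crate) static KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_googleearth_myplaces_backup_kml",
name: "Google Earth My Places Backup file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\LocalLow\\Google\\GoogleEarth\\myplaces.backup.kml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Backup file which holds favorited locations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleEarth.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};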
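/// Google Earth `myplaces.kml` on the Windows XP profile layout
/// (`Documents and Settings\...\Application Data`). Ingested from
/// `GoogleEarth.tkape`. The generated identifier is truncated
/// (`_MY_PLAC`) — a generator name-length limit, presumably.
// NOTE(review): the ingest step concatenated the tkape `Path` and `FileMask`
// without a separator and kept the YAML quote characters, producing
// `...\GoogleEarth'myplaces.kml'` — a path that can never match. Corrected
// to `...\GoogleEarth\myplaces.kml`; fix the `ingest` crate.
// NOTE(review): `os_scope` is `Win7Plus` although the path only exists on
// the XP profile layout — the generator appears to default every entry.
// Left unchanged because only the `Win7Plus` variant of `OsScope` is
// visible here; switch to a legacy/XP variant if the enum has one.
pub(crate) static KAPE_FILE_GOOGLE_EARTH_MY_PLAC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_earth_my_plac",
name: "Google Earth My Places file (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Google\\GoogleEarth\\myplaces.kml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"File which holds favorited locations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleEarth.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};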
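/// Google Earth `myplaces.backup.kml` on the Windows XP profile layout
/// (`Documents and Settings\...\Application Data`). Ingested from
/// `GoogleEarth.tkape`.
// NOTE(review): the ingest step concatenated the tkape `Path` and `FileMask`
// without a separator and kept the YAML quote characters, producing
// `...\GoogleEarth'myplaces.backup.kml'` — a path that can never match.
// Corrected to `...\GoogleEarth\myplaces.backup.kml`; fix the `ingest` crate.
// NOTE(review): `os_scope` is `Win7Plus` although the path only exists on
// the XP profile layout — the generator appears to default every entry.
// Left unchanged because only the `Win7Plus` variant of `OsScope` is
// visible here; switch to a legacy/XP variant if the enum has one.
pub(crate) static KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_google_googleearth_myplaces_backup_kml_2",
name: "Google Earth My Places Backup file (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Google\\GoogleEarth\\myplaces.backup.kml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Backup file which holds favorited locations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GoogleEarth.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};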
/// HeidiSQL per-user `Backups` directory (`*.sql` files, per the name).
/// Ingested from `HeidiSQL.tkape`; `meaning` is generator boilerplate.
// NOTE(review): SQL backup/export files may contain full database content
// from whatever servers the user connected to — presumably sensitive; confirm
// and consider an `evidence_caveats` entry so the collection is handled
// accordingly.
pub(crate) static KAPE_FILE_HEIDISQL_BACKUPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_heidisql_backups",
name: "HeidiSQL Backup files (*.sql)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory: the whole Backups folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\HeidiSQL\\Backups\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HeidiSQL Backup files (*.sql) — collected by KAPE HeidiSQL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HeidiSQL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// HeidiSQL per-user `tabs.ini`. Ingested from `HeidiSQL.tkape`; `meaning`
/// is generator boilerplate — what the file records (open query tabs,
/// presumably, given the name) is not established here; TODO confirm.
pub(crate) static KAPE_FILE_HEIDISQL_TABS_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_heidisql_tabs_ini",
name: "HeidiSQL (tabs.ini)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\HeidiSQL\\tabs.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HeidiSQL (tabs.ini) — collected by KAPE HeidiSQL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HeidiSQL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// HexChat (IRC client) per-user chat log directory. Ingested from
/// `HexChat.tkape`; `meaning` is generator boilerplate. Chat logs are
/// communication content — relevant to C2/coordination questions and to
/// whatever privacy handling the case requires.
pub(crate) static KAPE_FILE_HEXCHAT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hexchat_logs",
name: "HexChat Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory: the whole logs folder is the artifact.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\HexChat\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HexChat Chat Logs — collected by KAPE HexChat target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HexChat.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
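/// IDrive per-session "Archive Cleanup" logs under the machine-wide
/// `ProgramData` tree (one log per cleanup operation, per the tkape comment).
/// The `*` segment after `IBCOMMON` is a per-account/per-user directory,
/// presumably — TODO confirm. Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the glob (was `...\"*\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_ARCHIVE_CLEANUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_archive_cleanup",
name: "IDrive Cleanup Operations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Session\\Archive Cleanup\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains individual log files for each archive cleanup operation\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};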
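/// IDrive per-session "Backup" logs under the machine-wide `ProgramData`
/// tree (one log per backup operation, per the tkape comment) — a record of
/// what was uploaded to the cloud service, which is exfiltration-relevant.
/// Ingested from `IDrive.tkape`. The generated identifier (`kape_file_backup`)
/// is derived from the path tail and is not product-specific.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the glob (was `...\"*\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_BACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backup",
name: "IDrive Backup Operations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Session\\Backup\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains individual log files for each backup operation\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};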
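/// IDrive per-session "Delete" logs under the machine-wide `ProgramData`
/// tree (one log per delete operation, per the tkape comment) — useful when
/// cloud-side deletion of backed-up data is in question. Ingested from
/// `IDrive.tkape`. The generated identifier (`kape_file_delete`) is derived
/// from the path tail and is not product-specific.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the glob (was `...\"*\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_DELETE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_delete",
name: "IDrive Delete Operations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Session\\Delete\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains individual log files for each delete operation\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};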
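/// IDrive per-session "Restore" logs under the machine-wide `ProgramData`
/// tree (one log per restore operation, per the tkape comment) — a record of
/// data pulled back from the cloud onto this host. Ingested from
/// `IDrive.tkape`. The generated identifier (`kape_file_restore`) is derived
/// from the path tail and is not product-specific.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the glob (was `...\"*\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_RESTORE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_restore",
name: "IDrive Restore Operations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Session\\Restore\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains individual log files for each restore operation\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};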
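/// IDrive per-session backup summaries (`Session\LOGXML\*xml`, one per
/// backup session per the tkape comment). Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the glob (was `\"*xml\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
// The mask is `*xml`, not `*.xml`, as in the tkape — kept as-is.
pub(crate) static KAPE_FILE_LOGXML_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logxml_xml",
name: "IDrive Backup Summary",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Session\\LOGXML\\*xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains summary of each backup session\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};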
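/// IDrive application `Tracefile.txt` (per-account directory under
/// `IBCOMMON\*`). Per the tkape comment it is the application log and
/// includes error entries for failed uploads — so it can show attempted
/// transfers that never completed. Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"Tracefile.txt\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_TRACEFILE_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_tracefile_txt",
name: "IDrive Tracefile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\Tracefile.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Application log which includes error logs for failed uploads\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};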
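/// IDrive `IDMappedDrives.txt`: list of mapped (network) drives configured
/// for backup (per the tkape comment) — indicates which shares the host
/// could reach and push to the cloud. Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was
// `\"IDMappedDrives.txt\"`); stripped here — fix the `ingest` crate so
// regeneration keeps it clean.
pub(crate) static KAPE_FILE_IBCOMMON_IDMAPPEDDRIVES_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ibcommon_idmappeddrives_txt",
name: "IDrive Mapped Drives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\IDMappedDrives.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"List of mapped drives for backup\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};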
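/// IDrive `schedule.xml`: current backup schedule configuration (per the
/// tkape comment). Ingested from `IDrive.tkape`. The `Sch_Trace.txt`
/// sibling entry holds the history of schedule changes.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"schedule.xml\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_IBCOMMON_SCHEDULE_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ibcommon_schedule_xml",
name: "IDrive Backup Schedule",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\schedule.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Backup schedule configurations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};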
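/// IDrive `Sch_Trace.txt`: history of schedule configuration changes (per
/// the tkape comment) — useful for dating when an automated upload job was
/// created or altered, hence `Medium` priority rather than the `Low` of the
/// live `schedule.xml`. Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"Sch_Trace.txt\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_IBCOMMON_SCH_TRACE_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ibcommon_sch_trace_txt",
name: "IDrive Schedule History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\Sch_Trace.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"History of schedule configurations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};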
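/// IDrive `idrive.ini`: application configuration options (per the tkape
/// comment). Ingested from `IDrive.tkape`.
// NOTE(review): the ingest step copied the tkape `FileMask` scalar verbatim,
// leaving YAML double-quote characters in the path (was `\"idrive.ini\"`);
// stripped here — fix the `ingest` crate so regeneration keeps it clean.
pub(crate) static KAPE_FILE_IBCOMMON_IDRIVE_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ibcommon_idrive_ini",
name: "IDrive Configuration",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\idrive.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"List of IDrive configuration options\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};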
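/// KAPE `IDrive` target: `get_Alldrives.txt`, IDrive's enumeration of local drives.
///
/// Fix: stripped the `.tkape` quote characters that the ingest step leaked into
/// `file_path` and `meaning`; `"` is not a legal Windows filename character.
/// The ingest pipeline needs the same fix or regeneration will undo this.
pub(crate) static KAPE_FILE_IBCOMMON_GET_ALLDRIVES_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ibcommon_get_alldrives_txt",
    name: "IDrive Local Drives",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `IBCOMMON\"get_Alldrives.txt"`.
    file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\get_Alldrives.txt"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "List of all local drives",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};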
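/// KAPE `IDrive` target: `Exclude*` files, the IDrive backup exclusion configuration.
///
/// Fix: stripped the quote characters the ingest step leaked from the `.tkape`
/// `FileMask`/`Comment` into `file_path` and `meaning`; a mask of `"Exclude*"` (with the
/// quotes) can never match. Fix the ingest pipeline too before regenerating.
///
/// NOTE(review): exclusion rules are worth a look when backups are suspected of having
/// been quietly narrowed before a destructive event — a practitioner's hint, not a
/// property of this descriptor.
pub(crate) static KAPE_FILE_IBCOMMON_EXCLUDE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ibcommon_exclude",
    name: "IDrive Exclusion Configurations",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `IBCOMMON\"Exclude*"`.
    file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\Exclude*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Files pertaining to exclusion configurations",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};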
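/// KAPE `IDrive` target: `AutoComp.ini`, which holds IDrive account identifiers.
///
/// Fix: stripped the quote characters the ingest step leaked from the `.tkape`
/// `FileMask`/`Comment` into `file_path` and `meaning`. Fix the ingest pipeline as well.
///
/// NOTE(review): per `meaning` this file holds the IDrive username, notification e-mail
/// addresses and the local username — treat the collected copy as personal data.
/// `evidence_caveats` is left empty because the element type is not visible here.
pub(crate) static KAPE_FILE_IBCOMMON_AUTOCOMP_INI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ibcommon_autocomp_ini",
    name: "IDrive User Details",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `IBCOMMON\"AutoComp.ini"`.
    file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\AutoComp.ini"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "IDrive username, Scheduler notification emails, local username",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};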
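/// KAPE `IDrive` target: `*.ibds` databases under `IBCOMMON\*\LDBNEW\*`, which the
/// upstream comment describes as the SQL database of locally backed-up files.
///
/// Fix: stripped the quote characters the ingest step leaked from the `.tkape`
/// `FileMask`/`Comment` into `file_path` and `meaning` (a mask of `"*.ibds"` with the
/// quotes can never match), and corrected the "Databse" typo in the display name.
/// The ingest pipeline needs the same quote handling before regeneration.
pub(crate) static KAPE_FILE_IBDS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ibds",
    name: "IDrive SQL Database",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `LDBNEW\*\"*.ibds"`.
    file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\LDBNEW\\*\\*.ibds"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Identity: the database is collected as-is; no decoder is declared for .ibds.
    decoder: Decoder::Identity,
    meaning: "Sql database of local files that are backed up",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IDrive.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};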
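/// KAPE `ISLOnline` target: per-session `ISLClient.out` logs of the ISL Light Client.
///
/// Fix: the upstream `.tkape` single-quotes its `FileMask` (`'ISLClient.out'`) and the
/// ingest step copied the quotes into the path, and the `Comment` quotes into `meaning`.
/// `'` is a legal filename character, so the old mask silently matched nothing rather
/// than erroring. Fix the ingest pipeline too before regenerating.
///
/// NOTE(review): ISL Online is remote-access software; its session logs are a primary
/// artifact when legitimate remote tooling is abused for access. Whether `Low` is the
/// right triage priority is a judgment call and is left as generated.
pub(crate) static KAPE_FILE_ISLCLIENT_OUT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_islclient_out",
    name: "ISLOnline Logs - Sessions - *.out",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `...\*\'ISLClient.out'`.
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\ISL Online Cache\\ISL Light Client\\*\\ISLClient.out",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects client session logs for one or more sessions",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};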
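/// KAPE `ISLOnline` target: everything under a session's `conf\` directory for the
/// ISL Light Client.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// (`'*'`) into the path, and the double quotes from `Comment` into `meaning`. The old
/// mask `'*'` only matched names that begin and end with an apostrophe. Fix the ingest
/// pipeline too before regenerating.
pub(crate) static KAPE_FILE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_conf",
    name: "ISLOnline Logs - Session Configurations",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `...\conf\'*'`.
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\ISL Online Cache\\ISL Light Client\\*\\conf\\*",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Configurations for ISL Light sessions",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};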
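/// KAPE `ISLOnline` target: `session.xml`, the ISL AlwaysOn (unattended access) list of
/// sessions.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path, and the double quotes from `Comment` into `meaning`. Fix the ingest
/// pipeline too before regenerating.
///
/// NOTE(review): a list of unattended-access sessions is high-value in an intrusion
/// review of remote-access tooling; the `Low` priority is left as generated.
pub(crate) static KAPE_FILE_ISL_ALWAYSON_SESSION_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_isl_alwayson_session_xml",
    name: "ISL AlwaysOn Logs - Sessions List",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `ISL AlwaysOn\'session.xml'`.
    file_path: Some("C:\\Program Files (x86)\\ISL Online\\ISL AlwaysOn\\session.xml"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};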
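/// KAPE `ISLOnline` target: per-session `trace.out` logs of ISL AlwaysOn (unattended
/// access).
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path, and the double quotes from `Comment` into `meaning`. Fix the ingest
/// pipeline too before regenerating.
pub(crate) static KAPE_FILE_TRACE_OUT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trace_out",
    name: "ISL AlwaysOn Logs - Sessions",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `sessions\*\'trace.out'`.
    file_path: Some("C:\\Program Files (x86)\\ISL Online\\ISL AlwaysOn\\sessions\\*\\trace.out"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Detailed log for each session for ISL AlwaysOn (Unattended Access)",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};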
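/// KAPE `ISLOnline` target: `*.out` application logs in the ISL AlwaysOn install
/// directory.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// (`'*.out'`) into the path and the double quotes from `Comment` into `meaning`; also
/// corrected the "containg" typo in the upstream comment. Fix the ingest pipeline too.
pub(crate) static KAPE_FILE_ISL_ALWAYSON_OUT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_isl_alwayson_out",
    name: "ISL AlwaysOn - App Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `ISL AlwaysOn\'*.out'`.
    file_path: Some("C:\\Program Files (x86)\\ISL Online\\ISL AlwaysOn\\*.out"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Application logs containing various artifacts.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};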
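/// KAPE `ISLOnline` target: per-session `trace.out` logs of ISL Light (the attended
/// client) under the user's `ISL Online Cache`.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path, and the double quotes from `Comment` into `meaning`. Fix the ingest
/// pipeline too before regenerating.
pub(crate) static KAPE_FILE_ISL_LIGHT_LOGS_SESSI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_isl_light_logs_sessi",
    name: "ISL Light Logs - Sessions",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `ISL Light\*\'trace.out'`.
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\ISL Online Cache\\ISL Light\\*\\trace.out",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects client session logs for one or more sessions",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};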
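/// KAPE `ISLOnline` target: the `status\tray` file of ISL AlwaysOn, which per the upstream
/// comment records the e-mail of the logged-in user.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// (`'tray'`) into the path, and the double quotes from `Comment` into `meaning`. Fix the
/// ingest pipeline too before regenerating.
///
/// NOTE(review): the value is an account identifier — useful for attributing an
/// unattended-access install to a person, and personal data once collected.
pub(crate) static KAPE_FILE_STATUS_TRAY: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_status_tray",
    name: "ISL AlwaysOn - Email Configuration",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `status\'tray'`.
    file_path: Some("C:\\Program Files (x86)\\ISL Online\\ISL AlwaysOn\\status\\tray"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};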
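/// KAPE `ISLOnline` target: `StaticConfiguration.ini` of ISL AlwaysOn (unattended
/// access), which per the upstream comment holds port and http/https settings.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path and the double quotes from `Comment` into `meaning`; corrected the
/// "htpps" typo in that comment. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_ISL_ALWAYSON_STATICCONFIGURATION_INI: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_isl_alwayson_staticconfiguration_ini",
        name: "ISL AlwaysOn - Configuration",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        // Was `ISL AlwaysOn\'StaticConfiguration.ini'`.
        file_path: Some(
            "C:\\Program Files (x86)\\ISL Online\\ISL AlwaysOn\\StaticConfiguration.ini",
        ),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "Configuration information (port, http/https) for ISL AlwaysOn (Unattended Access)",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ISLOnline.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };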
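/// KAPE `ITarian` target: the `rmmlogs` directory of the 64-bit ITarian Endpoint Manager
/// (RMM agent) install.
///
/// Fix: the upstream `.tkape` entry has an empty `Comment`, which the ingest step turned
/// into the literal two-character string `""`. Replaced with the pipeline's own fallback
/// wording (`<name> — collected by KAPE <target> target`, as used elsewhere in this
/// file) so the field is never a pair of quote characters.
///
/// NOTE(review): RMM agent logs are a primary artifact when an RMM platform is used for
/// initial access or lateral movement; the `Low` priority is left as generated.
pub(crate) static KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_endpoint_manager_rmmlogs",
    name: "ITarian",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory, not a file mask: KAPE collects its contents.
    file_path: Some("C:\\Program Files\\ITarian\\Endpoint Manager\\rmmlogs"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "ITarian Endpoint Manager rmmlogs — collected by KAPE ITarian target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ITarian.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};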
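/// KAPE `ITarian` target: the `rmmlogs` directory of the 32-bit (`Program Files (x86)`)
/// ITarian Endpoint Manager install.
///
/// Fix: the upstream entry has an empty `Comment`, which the ingest step emitted as the
/// literal string `""`. Replaced with the pipeline's fallback wording used elsewhere in
/// this file so `meaning` is never a bare pair of quote characters.
pub(crate) static KAPE_FILE_ITARIAN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_itarian",
    name: "ITarian",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory, not a file mask: KAPE collects its contents.
    file_path: Some("C:\\Program Files (x86)\\ITarian\\Endpoint Manager\\rmmlogs"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "ITarian Endpoint Manager rmmlogs (x86) — collected by KAPE ITarian target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ITarian.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};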
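/// KAPE `ITarian` target: the `rmmlogs` directory of the 64-bit Comodo Endpoint Manager
/// install (Comodo is the earlier branding of the same RMM product, per the shared
/// `ITarian.tkape` source).
///
/// Fix: the upstream entry has an empty `Comment`, which the ingest step emitted as the
/// literal string `""`. Replaced with the pipeline's fallback wording used elsewhere in
/// this file.
pub(crate) static KAPE_FILE_COMODO: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_comodo",
    name: "Comodo",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory, not a file mask: KAPE collects its contents.
    file_path: Some("C:\\Program Files\\Comodo\\Endpoint Manager\\rmmlogs"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Comodo Endpoint Manager rmmlogs — collected by KAPE ITarian target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ITarian.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};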
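/// KAPE `ITarian` target: the `rmmlogs` directory of the 32-bit (`Program Files (x86)`)
/// Comodo Endpoint Manager install.
///
/// Fix: `meaning` was the literal string `""` (empty upstream `Comment`); replaced with
/// the pipeline's fallback wording. The display name was "ITarian" although the path is
/// the Comodo install; it now matches the sibling 64-bit Comodo entry. The descriptor
/// `id` is unchanged so existing references keep resolving.
pub(crate) static KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_endpoint_manager_rmmlogs_2",
    name: "Comodo",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory, not a file mask: KAPE collects its contents.
    file_path: Some("C:\\Program Files (x86)\\Comodo\\Endpoint Manager\\rmmlogs"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Comodo Endpoint Manager rmmlogs (x86) — collected by KAPE ITarian target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ITarian.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};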
/// KAPE `IceChat` target: the IceChat IRC client's `Logs\` directory under the user's
/// local AppData.
///
/// The upstream entry carries no `Comment`, so `meaning` is the ingest pipeline's
/// fallback wording. The path ends in a separator: it names a directory whose contents
/// KAPE collects, not a single file mask.
pub(crate) static KAPE_FILE_ICECHAT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_icechat_logs",
name: "IceChat Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory (trailing separator), expanded per user profile via %user%.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\IceChat Networks\\IceChat\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IceChat Chat Logs — collected by KAPE IceChat target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IceChat.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
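/// KAPE `ImgBurn` target: `ImgBurn.log`, the application log of the ImgBurn disc-burning
/// tool.
///
/// Fix: stripped the double quotes the ingest step copied from the `.tkape` `Comment`
/// into `meaning`. (This entry's `FileMask` was unquoted upstream, so the path was
/// already clean.) Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_LOG_FILES_IMGBURN_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_log_files_imgburn_log",
    name: "ImgBurn - Application Log File",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ImgBurn\\Log Files\\ImgBurn.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Contains the ImgBurn application log file.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ImgBurn.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};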
/// KAPE `IrfanView` target: `i_view32.ini`, the IrfanView image viewer's per-user
/// configuration file under roaming AppData.
///
/// The upstream entry carries no `Comment`, so `meaning` is the ingest pipeline's
/// fallback wording.
pub(crate) static KAPE_FILE_IRFANVIEW_I_VIEW32_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_irfanview_i_view32_ini",
name: "IrfanView Configuration File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Expanded per user profile via %user%.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\IrfanView\\i_view32.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IrfanView Configuration File — collected by KAPE IrfanView target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IrfanView.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
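/// KAPE `JDownloader2` target: `downloadList*.zip` archives in the JDownloader 2.0 `cfg`
/// directory, which per the upstream comment record download folder, creation time,
/// name, origin URL and referrer for each download.
///
/// Fix: two ingest defects in `file_path`. The upstream `Path` has no trailing separator
/// and the pipeline concatenated `FileMask` straight onto it (`cfg"downloadList*.zip"`),
/// so a `\` separator was missing; and the double quotes around the mask were copied
/// into the path. `meaning` had the same leaked quotes. Fix the ingest pipeline too.
pub(crate) static KAPE_FILE_JDOWNLOADER_2_0_CFG_DOWNLOADLIST_ZIP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jdownloader_2_0_cfg_downloadlist_zip",
    name: "JDownloader 2.0 Download Lists",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cfg"downloadList*.zip"` — missing separator and leaked quotes.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\JDownloader 2.0\\cfg\\downloadList*.zip"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Identity: the zip is collected as-is; no archive decoder is declared here.
    decoder: Decoder::Identity,
    meaning: "Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JDownloader2.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};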
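/// KAPE `JDownloader2` target: `linkcollector*.zip` archives in the JDownloader 2.0 `cfg`
/// directory (crawled sites, referrer URLs and timestamps per the upstream comment).
///
/// Fix: the ingest step concatenated the quoted `FileMask` straight onto a `Path` with no
/// trailing separator (`cfg"linkcollector*.zip"`), so the path lacked a `\` and carried
/// the quote characters; `meaning` had the same leaked quotes. Fix the ingest pipeline
/// too before regenerating.
pub(crate) static KAPE_FILE_JDOWNLOADER_2_0_CFG_LINKCOLLECTOR_ZIP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jdownloader_2_0_cfg_linkcollector_zip",
    name: "JDownloader 2.0 Link Collector",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cfg"linkcollector*.zip"` — missing separator and leaked quotes.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\JDownloader 2.0\\cfg\\linkcollector*.zip"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JDownloader2.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};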
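/// KAPE `JDownloader2` target: `org.jdownloader.settings.GeneralSettings.json`, the
/// general user configuration (holds the default download folder per the upstream
/// comment).
///
/// Fix: the ingest step concatenated the quoted `FileMask` straight onto a `Path` with no
/// trailing separator, so the path lacked a `\` and carried the quote characters;
/// `meaning` had the same leaked quotes. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_GENER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jdownloader_2_0_cfg_org_jdownloader_settings_gener",
    name: "JDownloader 2.0 General Settings",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cfg"org.jdownloader.settings.GeneralSettings.json"`.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\JDownloader 2.0\\cfg\\org.jdownloader.settings.GeneralSettings.json"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "General user config for JDownloader 2.0. Holds default download folder.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JDownloader2.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};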
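/// KAPE `JDownloader2` target: the Linkgrabber settings JSON, which per the upstream
/// comment records the most recent download destination folder.
///
/// Fix: the ingest step concatenated the quoted `FileMask` straight onto a `Path` with no
/// trailing separator, so the path lacked a `\` and carried the quote characters;
/// `meaning` had the same leaked quotes. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_GUI_VIEWS_LINK: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jdownloader_2_0_cfg_org_jdownloader_gui_views_link",
    name: "JDownloader 2.0 Link Grabber Settings",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cfg"org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json"`.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\JDownloader 2.0\\cfg\\org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JDownloader2.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};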
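/// KAPE `JDownloader2` target: the custom proxy list JSON of JDownloader 2.0.
///
/// Fix: the ingest step concatenated the quoted `FileMask` straight onto a `Path` with no
/// trailing separator, so the path lacked a `\` and carried the quote characters;
/// `meaning` had the same leaked quotes. Fix the ingest pipeline too before regenerating.
///
/// NOTE(review): a configured proxy is a useful pivot when the question is where
/// downloads were actually routed; the file may also hold proxy credentials — a
/// practitioner's hint, not something this descriptor asserts.
pub(crate) static KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_INTER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jdownloader_2_0_cfg_org_jdownloader_settings_inter",
    name: "JDownloader 2.0 Proxy Settings",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cfg"org.jdownloader.settings.InternetConnectionSettings.customproxylist.json"`.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\JDownloader 2.0\\cfg\\org.jdownloader.settings.InternetConnectionSettings.customproxylist.json"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Proxy configuration for JDownloader 2.0",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Medium,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JDownloader2.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};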
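/// KAPE `JavaWebCache` target: `*.idx` index files of the per-user Java Web Start /
/// deployment cache (default, non-Protected-Mode location).
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// (`'*.idx'`) into the path. `'` is a legal filename character, so the old mask
/// silently matched nothing. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_IDX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx",
    name: "Java WebStart Cache User Level - Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Identity: the .idx records are collected raw; no IDX decoder is declared here.
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache User Level - Default — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};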
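/// KAPE `JavaWebCache` target: `*.idx` files of the per-user Java deployment cache in
/// `LocalLow`, the location used when Java ran under IE Protected Mode.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path; the quoted mask could only match names wrapped in apostrophes. Fix the
/// ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_JAVA_WEBSTART_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_java_webstart_cache",
    name: "Java WebStart Cache User Level - IE Protected Mode",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "Java WebStart Cache User Level - IE Protected Mode — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};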
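/// KAPE `JavaWebCache` target: `*.idx` files of the Java deployment cache under the
/// system profile (`System32\config\systemprofile`), i.e. Java run as SYSTEM.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_IDX_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_2",
    name: "Java WebStart Cache System level",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};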
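/// KAPE `JavaWebCache` target: the system-profile Java deployment cache `*.idx` files
/// preserved under `C:\Windows.old` from a previous Windows installation.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating. The display name is
/// identical to the live-system entry upstream; the `Windows.old` prefix is the only
/// distinction, so rely on `id`/`file_path` rather than `name` when telling them apart.
pub(crate) static KAPE_FILE_IDX_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_3",
    name: "Java WebStart Cache System level",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};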
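/// KAPE `JavaWebCache` target: `*.idx` files of the system-profile Java deployment cache
/// in `LocalLow` (the IE Protected Mode location).
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_IDX_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_4",
    name: "Java WebStart Cache System level - IE Protected Mode",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level - IE Protected Mode — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};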
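/// KAPE `JavaWebCache` target: the system-profile `LocalLow` (IE Protected Mode) Java
/// deployment cache `*.idx` files preserved under `C:\Windows.old`.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating. Same display name as
/// the live-system entry upstream; distinguish by `id`/`file_path`.
pub(crate) static KAPE_FILE_IDX_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_5",
    name: "Java WebStart Cache System level - IE Protected Mode",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level - IE Protected Mode — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};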
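/// KAPE `JavaWebCache` target: `*.idx` files of the Java deployment cache under the
/// 32-bit (`SysWOW64`) system profile.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_IDX_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_6",
    name: "Java WebStart Cache System level (SysWow64)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level (SysWow64) — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};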
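/// KAPE `JavaWebCache` target: the `SysWOW64` system-profile Java deployment cache
/// `*.idx` files preserved under `C:\Windows.old`.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating. Same display name as
/// the live-system entry upstream; distinguish by `id`/`file_path`.
pub(crate) static KAPE_FILE_IDX_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_7",
    name: "Java WebStart Cache System level (SysWow64)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows.old\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level (SysWow64) — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};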
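/// KAPE `JavaWebCache` target: `*.idx` files of the `SysWOW64` system-profile Java
/// deployment cache in `LocalLow` (the IE Protected Mode location).
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating.
pub(crate) static KAPE_FILE_IDX_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_8",
    name: "Java WebStart Cache System level (SysWow64) - IE Protected Mode",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level (SysWow64) - IE Protected Mode — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};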
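/// KAPE `JavaWebCache` target: the `SysWOW64` system-profile `LocalLow` (IE Protected
/// Mode) Java deployment cache `*.idx` files preserved under `C:\Windows.old`.
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating. Same display name as
/// the live-system entry upstream; distinguish by `id`/`file_path`.
pub(crate) static KAPE_FILE_IDX_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_9",
    name: "Java WebStart Cache System level (SysWow64) - IE Protected Mode",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Windows.old\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache System level (SysWow64) - IE Protected Mode — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};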
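/// KAPE `JavaWebCache` target: `*.idx` files of the per-user Java deployment cache at its
/// Windows XP location (`Documents and Settings\<user>\Application Data`).
///
/// Fix: stripped the single quotes the ingest step copied from the `.tkape` `FileMask`
/// into the path. Fix the ingest pipeline too before regenerating.
///
/// NOTE(review): the path is XP-era but `os_scope` is `Win7Plus`, which looks like the
/// pipeline default rather than a deliberate choice. Left unchanged because the other
/// `OsScope` variants are not visible here — confirm against `types` and correct there.
pub(crate) static KAPE_FILE_IDX_10: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_idx_10",
    name: "Java WebStart Cache User Level - XP",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Was `cache\*\*\'*.idx'`.
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Sun\\Java\\Deployment\\cache\\*\\*\\*.idx"),
    scope: DataScope::Mixed,
    // See the NOTE above: probably wrong for an XP path.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Java WebStart Cache User Level - XP — collected by KAPE JavaWebCache target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JavaWebCache.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};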
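/// KAPE `Kaseya` target: the Kaseya Live Connect log directory at its Windows XP
/// location.
///
/// Fix: the upstream `Comment` is just a vendor URL, which the ingest step emitted as a
/// quoted URL in `meaning`. `meaning` now uses the pipeline's fallback wording and the
/// URL is kept as a second entry in `sources`, where a reference belongs.
///
/// NOTE(review): the path is XP-era but `os_scope` is `Win7Plus` — likely the pipeline
/// default; other `OsScope` variants are not visible here, so it is left for `types` to
/// settle. Kaseya is remote-management software; its logs are central when an RMM
/// platform is abused for access — the `Low` priority is left as generated.
pub(crate) static KAPE_FILE_KASEYA_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_kaseya_log",
    name: "Kaseya Live Connect Logs (XP)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory (trailing separator); XP profile layout.
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Kaseya\\Log\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Kaseya Live Connect Logs (XP) — collected by KAPE Kaseya target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
        "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};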
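/// KAPE `Kaseya` target: the per-user `Log\KaseyaLiveConnect\` directory of Kaseya Live
/// Connect.
///
/// Fix: the upstream `Comment` is just a vendor URL, which the ingest step emitted as a
/// quoted URL in `meaning`. `meaning` now uses the pipeline's fallback wording and the
/// URL is kept as a second entry in `sources`.
///
/// NOTE(review): Live Connect is the Kaseya remote-session component; these logs are a
/// primary artifact when RMM access is in question. `Low` priority left as generated.
pub(crate) static KAPE_FILE_LOG_KASEYALIVECONNECT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_log_kaseyaliveconnect",
    name: "Kaseya Live Connect Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory (trailing separator), expanded per user profile via %user%.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Kaseya\\Log\\KaseyaLiveConnect\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Kaseya Live Connect Logs — collected by KAPE Kaseya target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
        "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};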
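/// KAPE `Kaseya` target: the Kaseya Agent Endpoint service log directory at its Windows
/// XP location (`All Users\Application Data`).
///
/// Fix: the upstream `Comment` is just a vendor URL, which the ingest step emitted as a
/// quoted URL in `meaning`. `meaning` now uses the pipeline's fallback wording and the
/// URL is kept as a second entry in `sources`.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — likely the pipeline default;
/// the other `OsScope` variants are not visible here, so it is left for `types` to settle.
pub(crate) static KAPE_FILE_LOG_ENDPOINT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_log_endpoint",
    name: "Kaseya Agent Endpoint Service Logs (XP)",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory (trailing separator); XP all-users profile layout.
    file_path: Some("C:\\Documents and Settings\\All Users\\Application Data\\Kaseya\\Log\\Endpoint\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Kaseya Agent Endpoint Service Logs (XP) — collected by KAPE Kaseya target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
        "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};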
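/// KAPE `Kaseya` target: the Kaseya Agent Endpoint service log directory under
/// `ProgramData`.
///
/// Fix: the upstream `Comment` is just a vendor URL, which the ingest step emitted as a
/// quoted URL in `meaning`. `meaning` now uses the pipeline's fallback wording and the
/// URL is kept as a second entry in `sources`.
pub(crate) static KAPE_FILE_KASEYA_AGENT_ENDPOIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_kaseya_agent_endpoin",
    name: "Kaseya Agent Endpoint Service Logs",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Directory (trailing separator); machine-wide, not per user.
    file_path: Some("C:\\ProgramData\\Kaseya\\Log\\Endpoint\\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Kaseya Agent Endpoint Service Logs — collected by KAPE Kaseya target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
        "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};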
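/// KAPE `Kaseya` target: `agentmon.log*` files (current log plus rotated copies) of the
/// Kaseya agent service, under either `Program Files` directory.
///
/// Fix: the upstream `Comment` is just a vendor URL, which the ingest step emitted as a
/// quoted URL in `meaning`. `meaning` now uses the pipeline's fallback wording and the
/// URL is kept as a second entry in `sources`.
pub(crate) static KAPE_FILE_AGENTMON_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_agentmon_log",
    name: "Kaseya Agent Service Log",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // `Program Files*` covers both the 64-bit and the `(x86)` directory; the trailing
    // `*` on the mask picks up rotated logs as well as the live one.
    file_path: Some("C:\\Program Files*\\Kaseya\\*\\agentmon.log*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Kaseya Agent Service Log — collected by KAPE Kaseya target",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
        "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
    ],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};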
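/// KAPE `Kaseya` target: the Kaseya installer log written to a user's local `Temp`
/// directory. Sibling entries cover the same file name under `C:\Windows\Temp` and
/// `C:\Windows.old\Windows\Temp`.
pub(crate) static KAPE_FILE_TEMP_KASETUP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_kasetup_log",
name: "Kaseya Setup Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\KASetup.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: the target's quoted comment URL had been copied into `meaning`.
// A description belongs here; the URL is kept as an additional entry in `sources`.
meaning: "Kaseya Setup Log — collected by KAPE Kaseya target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
"https://helpdesk.kaseya.com/hc/en-gb/articles/229011448",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};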
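/// KAPE `Kaseya` target: the Kaseya installer log under `C:\Windows\Temp`.
/// Sibling entries cover the same file name in the user `Temp` directory and under
/// `C:\Windows.old`.
pub(crate) static KAPE_FILE_KASEYA_SETUP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_kaseya_setup_log",
name: "Kaseya Setup Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Temp\\KASetup.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: the target's quoted comment URL had been copied into `meaning`.
// A description belongs here; the URL is kept as an additional entry in `sources`.
meaning: "Kaseya Setup Log — collected by KAPE Kaseya target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
"https://helpdesk.kaseya.com/hc/en-gb/articles/229011448",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};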
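/// KAPE `Kaseya` target: the Kaseya installer log preserved in the `Windows.old`
/// tree left behind by an in-place Windows upgrade.
pub(crate) static KAPE_FILE_TEMP_KASETUP_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_kasetup_log_2",
name: "Kaseya Setup Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\Temp\\KASetup.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: the target's quoted comment URL had been copied into `meaning`.
// A description belongs here; the URL is kept as an additional entry in `sources`.
meaning: "Kaseya Setup Log — collected by KAPE Kaseya target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
"https://helpdesk.kaseya.com/hc/en-gb/articles/229011448",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};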
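/// KAPE `Kaseya` target: Kaseya Agent Edge Service log directory under
/// `C:\ProgramData`.
pub(crate) static KAPE_FILE_LOG_KASEYAEDGESERVICES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_kaseyaedgeservices",
name: "Kaseya Agent Edge Service Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: the target's quoted comment URL had been copied into `meaning`.
// A description belongs here; the URL is kept as an additional entry in `sources`.
meaning: "Kaseya Agent Edge Service Logs — collected by KAPE Kaseya target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kaseya.tkape",
"https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};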
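/// KAPE `Keepass` target: per-user KeePass configuration XML files under the
/// roaming profile.
pub(crate) static KAPE_FILE_KEEPASS_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_keepass_xml",
name: "Keepass User Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.xml\"`), which no glob matcher would match; the mask is now a plain `*.xml`.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\KeePass\\*.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Collecting Keepass User Configuration File",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Keepass.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};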
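/// KAPE `Keepass` target: XML configuration files in the KeePass Password Safe
/// install directory; the trailing `*` on the directory covers versioned install
/// directory names.
pub(crate) static KAPE_FILE_KEEPASS_PASSWORD_SAFE_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_keepass_password_safe_xml",
name: "Keepass Config Xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.xml\"`), which no glob matcher would match; the mask is now a plain `*.xml`.
file_path: Some("C:\\Program Files\\KeePass Password Safe*\\*.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Collecting Keepass Configuration File",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Keepass.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};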
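/// KAPE `Keepass` target: `.config` files in the KeePass Password Safe install
/// directory; the trailing `*` on the directory covers versioned install directory
/// names.
pub(crate) static KAPE_FILE_KEEPASS_PASSWORD_SAFE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_keepass_password_safe_config",
name: "Keepass Application Details",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.config\"`), which no glob matcher would match; the mask is now a plain `*.config`.
file_path: Some("C:\\Program Files\\KeePass Password Safe*\\*.config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Collecting Keepass Application Details",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Keepass.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};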
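/// KAPE `KeepassXC` target: KeePassXC `.ini` settings under the user's local
/// `AppData`. The roaming counterpart is `KAPE_FILE_KEEPASS_ROAMING_INI`.
pub(crate) static KAPE_FILE_KEEPASSXC_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_keepassxc_ini",
name: "Keepass Local Ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.ini\"`), which no glob matcher would match; the mask is now a plain `*.ini`.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\KeePassXC\\*.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Keepass Local Ini — collected by KAPE KeepassXC target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KeepassXC.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};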
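/// KAPE `KeepassXC` target: KeePassXC `.ini` settings under the user's roaming
/// `AppData`. The local counterpart is `KAPE_FILE_KEEPASSXC_INI`.
pub(crate) static KAPE_FILE_KEEPASS_ROAMING_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_keepass_roaming_ini",
name: "Keepass Roaming Ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.ini\"`), which no glob matcher would match; the mask is now a plain `*.ini`.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\KeePassXC\\*.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Keepass Roaming Ini — collected by KAPE KeepassXC target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KeepassXC.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};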
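/// KAPE `Level` target: application logs of the Level RMM client under
/// `C:\Program Files\Level`.
pub(crate) static KAPE_FILE_PROGRAM_FILES_LEVEL_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_program_files_level_log",
name: "Level RMM Client Application logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream directory and file mask were concatenated without a
// path separator and the mask kept its YAML quotes (`Level'*.log'`). Restored as
// directory + `\` + mask; verify the directory against the upstream target.
file_path: Some("C:\\Program Files\\Level\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Contains Application Log entries such as service start and incoming connections.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Level.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};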
/// KAPE `LogMeIn` target: the LogMeIn log directory under `C:\ProgramData`.
/// Collected as-is (`Decoder::Identity`); the ingest populated no fields, MITRE
/// mappings or caveats for this entry.
pub(crate) static KAPE_FILE_LOGMEIN_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logmein_logs",
name: "LogMeIn ProgramData Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\LogMeIn\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LogMeIn ProgramData Logs — collected by KAPE LogMeIn target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogMeIn.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
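/// KAPE `LogMeIn` target: Application event log entries whose event source is
/// `LogMeIn`.
///
/// NOTE(review): `file_path` names another KAPE target (`ApplicationEvents.tkape`),
/// not a filesystem path — the ingest did not expand this compound-target reference.
/// Consumers that glob on `file_path` will match nothing here; the reference is left
/// unchanged because the underlying path is not visible in this file.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape_3",
name: "LogMeIn Application Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Contains LogMeIn entries, event source: LogMeIn",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogMeIn.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};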
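/// KAPE `LogMeIn` target: per-user LogMeIn application logs (RemoteAssist,
/// GoToMeeting and other GoTo products) in the user's local `temp` directory.
pub(crate) static KAPE_FILE_TEMP_LOGMEINLOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_logmeinlogs",
name: "LogMeIn Application Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\temp\\LogMeInLogs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogMeIn.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};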
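/// KAPE `MacriumReflect` target: the Macrium Service log directory under
/// `C:\ProgramData\Macrium`.
pub(crate) static KAPE_FILE_MACRIUM_MACRIUM_SERVICE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_macrium_macrium_service",
name: "Macrium Reflect",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Macrium\\Macrium Service\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Copies out all log files",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MacriumReflect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};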
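/// KAPE `MacriumReflect` target: the `Reflect` data directory under
/// `C:\ProgramData\Macrium`.
pub(crate) static KAPE_FILE_MACRIUM_REFLECT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_macrium_reflect",
name: "Macrium Reflect",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Macrium\\Reflect\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Copies out the Reflect folder which contains many important logs",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MacriumReflect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};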
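/// KAPE `MacriumReflect` target: the `Reflect Launcher` directory under
/// `C:\ProgramData\Macrium`.
///
/// NOTE(review): `meaning` is the upstream comment of the sibling `Reflect` entry
/// repeated verbatim; it is kept as-is because no launcher-specific description is
/// visible in this file.
pub(crate) static KAPE_FILE_MACRIUM_REFLECT_LAUNCHER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_macrium_reflect_launcher",
name: "Macrium Reflect",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Macrium\\Reflect Launcher"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Copies out the Reflect folder which contains many important logs",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MacriumReflect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};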
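/// KAPE `Mattermost` target: the Mattermost desktop client's IndexedDB store under
/// the user's roaming `AppData`.
pub(crate) static KAPE_FILE_MATTERMOST_INDEXEDDB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mattermost_indexeddb",
name: "Mattermost - Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mattermost\\IndexedDB\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Locates Mattermost logs and copies them",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Mattermost.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};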
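/// KAPE `MediaMonkey` target: the MediaMonkey media library SQLite database
/// (`MM.DB`) under the user's roaming `AppData`.
pub(crate) static KAPE_FILE_ROAMING_MEDIAMONKEY_MM_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_mediamonkey_mm_db",
name: "MediaMonkey - Media SQLite Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream directory and file mask were concatenated without a
// path separator and the mask kept its YAML quotes (`MediaMonkey'MM.DB'`). Restored
// as directory + `\` + mask.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MediaMonkey\\MM.DB"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MediaMonkey.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};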
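/// KAPE `MediaMonkey` target: the `MediaMonkey.ini` application settings file
/// under the user's roaming `AppData`.
pub(crate) static KAPE_FILE_ROAMING_MEDIAMONKEY_MEDIAMONKEY_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_mediamonkey_mediamonkey_ini",
name: "MediaMonkey - MediaMonkey.ini",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream directory and file mask were concatenated without a
// path separator and the mask kept its YAML quotes (`MediaMonkey'MediaMonkey.ini'`).
// Restored as directory + `\` + mask.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MediaMonkey\\MediaMonkey.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Locates .ini file which contains information about the user's MediaMonkey application instance",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MediaMonkey.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};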
/// KAPE `Megasync` target: the MEGAsync client data directory under the user's
/// local `AppData`. Collected as-is (`Decoder::Identity`); the ingest populated no
/// fields, MITRE mappings or caveats for this entry.
pub(crate) static KAPE_FILE_MEGA_LIMITED_MEGASYNC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mega_limited_megasync",
name: "MegaSync Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Mega Limited\\MEGAsync\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MegaSync Folder — collected by KAPE Megasync target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Megasync.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
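/// KAPE `MeshAgent` target: MeshAgent `.msh` configuration files in the agent's
/// install directory. The matching log entry is `KAPE_FILE_MESH_AGENT_LOG`.
pub(crate) static KAPE_FILE_MESH_AGENT_MSH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mesh_agent_msh",
name: "MeshAgent .msh (configuration) file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.msh\"`), which no glob matcher would match; the mask is now a plain `*.msh`.
file_path: Some("C:\\Program Files\\Mesh Agent\\*.msh"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs all .msh (config) files present in this folder",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MeshAgent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};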
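/// KAPE `MeshAgent` target: MeshAgent `.log` files in the agent's install
/// directory. The matching configuration entry is `KAPE_FILE_MESH_AGENT_MSH`.
pub(crate) static KAPE_FILE_MESH_AGENT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mesh_agent_log",
name: "MeshAgent log file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"*.log\"`), which no glob matcher would match; the mask is now a plain `*.log`.
file_path: Some("C:\\Program Files\\Mesh Agent\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs all .log files present in this folder",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MeshAgent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};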
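/// KAPE `MicrosoftAzureCopy` target: AzCopy session and transfer logs in the
/// `.azcopy` directory of a user profile. The matching job-plan entry is
/// `KAPE_FILE_PLANS_STE`.
pub(crate) static KAPE_FILE_AZCOPY_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_azcopy_log",
name: "Azure Copy - User Profile - *.log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`'*.log'`), which no glob matcher would match; the mask is now a plain `*.log`.
file_path: Some("C:\\Users\\%user%\\.azcopy\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Collects session and transfer logs for Microsoft Azure Copy from a user profile",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftAzureCopy.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};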
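/// KAPE `MicrosoftAzureCopy` target: AzCopy job-plan files (`*.ste*`) in the
/// `.azcopy\plans` directory of a user profile. The matching log entry is
/// `KAPE_FILE_AZCOPY_LOG`.
pub(crate) static KAPE_FILE_PLANS_STE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_plans_ste",
name: "Azure Copy - Plans - *.ste*",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`'*.ste*'`), which no glob matcher would match; the mask is now a plain `*.ste*`.
file_path: Some("C:\\Users\\%user%\\.azcopy\\plans\\*.ste*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Collects the plans for Microsoft Azure Copy from a user profile",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftAzureCopy.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};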
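/// KAPE `MicrosoftOneNote` target: the OneNote (Store app) `FullTextSearchIndex`
/// database(s) under the app package's `LocalState`; the `*` segment covers the
/// per-notebook/version subdirectory.
pub(crate) static KAPE_FILE_FULLTEXTSEARCHINDEX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_fulltextsearchindex",
name: "Microsoft OneNote - FullTextSearchIndex",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\*\\FullTextSearchIndex"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs database(s) comprising of each OneNote notebook's text content",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOneNote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};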
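/// KAPE `MicrosoftOneNote` target: the `NotificationsRecentNotebooks_SeenURLs`
/// file of the OneNote Store app, which the upstream comment describes as a record
/// of recently seen notebooks.
pub(crate) static KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onenote_notificationsrecentnotebooks_seenurls",
name: "Microsoft OneNote - RecentNotebooks_SeenURLs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\NotificationsRecentNotebooks_SeenURLs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs a file that appears to record recently seen OneNote notebooks",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOneNote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};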
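/// KAPE `MicrosoftOneNote` target: the `AccessibilityCheckerIndex` database under
/// the OneNote Store app's `16.0` directory.
///
/// NOTE(review): the upstream comment reproduced in `meaning` talks about "version
/// sync error history", which does not obviously match the file name; it is kept
/// verbatim because no better description is visible in this file.
pub(crate) static KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_accessibilitycheckerindex",
name: "Microsoft OneNote - AccessibilityCheckerIndex",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\AccessibilityCheckerIndex"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs database(s) comprising of each OneNote notebook's version sync error history",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOneNote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};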
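/// KAPE `MicrosoftOneNote` target: per-account `*LiveId.db` databases in the
/// OneNote Store app's `16.0\NoteTags` directory, holding the user-defined tags.
pub(crate) static KAPE_FILE_16_0_NOTETAGS_LIVEID_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_notetags_liveid_db",
name: "Microsoft OneNote - User NoteTags",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream directory and file mask were concatenated without a
// path separator and the mask kept its YAML quotes (`NoteTags\"*LiveId.db\"`).
// Restored as directory + `\` + mask.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\NoteTags\\*LiveId.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs a database that stores the user specified tags within OneNote to be used application-wide",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOneNote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};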
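/// KAPE `MicrosoftOneNote` target: the `RecentSearches.db` database of the OneNote
/// Store app, holding the user's recent in-app searches.
pub(crate) static KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_recentsearchesrecentsearches_db",
name: "Microsoft OneNote - RecentSearches",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream directory and file mask were concatenated without a
// path separator (`RecentSearchesRecentSearches.db`), the same pattern as the
// MediaMonkey and NoteTags entries. Restored as a `RecentSearches` directory plus a
// `RecentSearches.db` mask — presumably the upstream split; verify against the target.
// The `id` is deliberately left unchanged so existing references keep resolving.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\RecentSearches\\RecentSearches.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Grabs a database that stores the user's recent searches within OneNote",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOneNote.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};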
/// KAPE `MicrosoftStickyNotes` target: the legacy `StickyNotes.snt` store used by
/// Sticky Notes on Windows 7, 8 and Windows 10 builds up to 1511. Later builds are
/// covered by `KAPE_FILE_LOCALSTATE_PLUM_SQLITE`.
pub(crate) static KAPE_FILE_STICKYNOTES_STICKYNOTES_SNT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_stickynotes_stickynotes_snt",
name: "Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\StickyNotes\\StickyNotes.snt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier — collected by KAPE MicrosoftStickyNotes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftStickyNotes.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MicrosoftStickyNotes` target: the `plum.sqlite*` store of the Store-app
/// Sticky Notes (Windows 10 1607 and later); the trailing `*` also picks up SQLite
/// sidecar files. The legacy format is covered by
/// `KAPE_FILE_STICKYNOTES_STICKYNOTES_SNT`.
pub(crate) static KAPE_FILE_LOCALSTATE_PLUM_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_plum_sqlite",
name: "Microsoft Sticky Notes - 1607 and later",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes*\\LocalState\\plum.sqlite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Sticky Notes - 1607 and later — collected by KAPE MicrosoftStickyNotes target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftStickyNotes.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
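/// KAPE `MicrosoftTeams` target: the classic Teams desktop client's IndexedDB
/// LevelDB directory for the `teams.microsoft.com` origin. Rated `Medium` because
/// the upstream comment notes it can hold chat messages and call history.
pub(crate) static KAPE_FILE_INDEXEDDB_HTTPS_TEAMS_MICROSOFT_COM_0_INDEXEDDB_LE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_https_teams_microsoft_com_0_indexeddb_le",
name: "Microsoft Teams IndexedDB Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Teams\\IndexedDB\\https_teams.microsoft.com_0.indexeddb.leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "LevelDB database which can contain inbound/outbound chat messages, call history and more",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftTeams.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};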
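/// KAPE `MicrosoftTeams` target: the classic Teams desktop client's Local Storage
/// LevelDB directory. Rated `Medium` because the upstream comment notes it can hold
/// meeting history and file-transfer logs.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_3",
name: "Microsoft Teams Local Storage Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "LevelDB database which can contain meeting history, file transfer logs and more",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftTeams.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};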
/// KAPE `MicrosoftTeams` target: the classic Teams desktop client's Chromium
/// disk cache directory. Collected as-is (`Decoder::Identity`); the ingest populated
/// no fields, MITRE mappings or caveats for this entry.
pub(crate) static KAPE_FILE_TEAMS_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_teams_cache",
name: "Microsoft Teams Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Teams\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium cache which can be viewed with Nirsoft's ChromeCacheView",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftTeams.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
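/// KAPE `MicrosoftTeams` target: the classic Teams desktop client's
/// `desktop-config.json` settings file.
pub(crate) static KAPE_FILE_TEAMS_DESKTOP_CONFIG_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_teams_desktop_config_json",
name: "Microsoft Teams Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest artifact: the upstream file mask was carried over with its YAML quotes
// (`\"desktop-config.json\"`), so the literal path contained quote characters that
// no file name carries; the quotes are dropped.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Teams\\desktop-config.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "JSON config file for Teams",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftTeams.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};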
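/// KAPE `MicrosoftTeams` target: log directory of the new (Store-packaged) Teams
/// client under the `MicrosoftTeams_8wekyb3d8bbwe` package's `LocalCache`.
pub(crate) static KAPE_FILE_MSTEAMS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_msteams_logs",
name: "Microsoft Teams Logs (Windows 11)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The upstream target spelled the placeholder `%User%`; it is normalized to the
// lowercase `%user%` used by every other entry in this file so a case-sensitive
// placeholder substitution does not skip this path.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftTeams_8wekyb3d8bbwe\\LocalCache\\Microsoft\\MSTeams\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Lots of log files for MS Teams",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftTeams.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};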
/// KAPE `MicrosoftToDo` target: the Microsoft To Do task database (`todosqlite.db*`)
/// under each account root of the Store app's `LocalState`; the `*` segment matches
/// any account root and the trailing `*` picks up SQLite sidecar files.
pub(crate) static KAPE_FILE_TODOSQLITE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_todosqlite_db",
name: "Microsoft To Do - SQLite Database of To Do tasks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Todos_8wekyb3d8bbwe\\LocalState\\AccountsRoot\\*\\todosqlite.db*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft To Do - SQLite Database of To Do tasks — collected by KAPE MicrosoftToDo target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftToDo.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
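/// KAPE `MicrosoftToDo` target: the signed-in account's avatar image stored by the
/// Microsoft To Do Store app under its per-account root.
pub(crate) static KAPE_FILE_AVATARS_USERAVATAR_JPG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avatars_useravatar_jpg",
name: "Microsoft To Do - User Avatar",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The upstream target hard-coded one specific account-root directory name, which
// only matches the machine it was authored on. The sibling todosqlite entry uses `*`
// for the account root; the same wildcard is used here so every account is covered.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Todos_8wekyb3d8bbwe\\LocalState\\AccountsRoot\\*\\avatars\\UserAvatar.jpg"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft To Do - User Avatar — collected by KAPE MicrosoftToDo target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftToDo.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};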
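/// KAPE `MidnightCommander` target: the Midnight Commander configuration directory
/// in the user profile root.
pub(crate) static KAPE_FILE_USER_MIDNIGHT_COMMANDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_midnight_commander",
// Display-name typo ("Configuation") carried over from upstream; corrected here.
name: "Midnight Commander -- All Configuration Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Midnight Commander\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Ingest artifact: surrounding quotes leaked from the upstream comment field.
meaning: "Locates folder where all configuration files reside",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MidnightCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};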
/// KAPE `MobaXTerm` target: the roaming `MobaXterm` folder, which the upstream target
/// describes as a Linux-style filesystem created when the tool is used.
pub(crate) static KAPE_FILE_ROAMING_MOBAXTERM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_mobaxterm",
name: "MobaXTerm Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MobaXterm"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains what appears to be a Linux Filesystem that's set up upon use of MobaXTerm",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MobaXTerm.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MstyDatabase` target: Msty's `*.db` files under the roaming profile.
/// Per the upstream comment these hold API keys alongside chat data, so a collected
/// copy should be handled as credential material, not only as user content.
pub(crate) static KAPE_FILE_MSTY_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_msty_db",
name: "Msty Artificial Intelligence",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `*.db` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this mask never matches.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Msty\\'*.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Msty database includes API keys, chat messages, chat sessions, knowledge stack, etc.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MstyDatabase.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MultiCommander` target: the application folder under the local profile
/// (`MultiCommander*` — the wildcard covers versioned folder names).
pub(crate) static KAPE_FILE_LOCAL_MULTICOMMANDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_multicommander",
name: "Multi Commander - Application Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\MultiCommander*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the contents of the Application folder.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MultiCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MultiCommander` target: the `Config` folder under the roaming profile.
pub(crate) static KAPE_FILE_MULTICOMMANDER_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_multicommander_config",
name: "Multi Commander - Config Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MultiCommander*\\Config\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the contents of the Config folder.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MultiCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MultiCommander` target: the `Logs` folder under the roaming profile, which the
/// upstream target ties to user activity inside the file manager.
pub(crate) static KAPE_FILE_MULTICOMMANDER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_multicommander_logs",
name: "Multi Commander - Log Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MultiCommander*\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates log file(s) related to user activity within Multi Commander.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MultiCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MultiCommander` target: the `UserData` folder under the roaming profile.
pub(crate) static KAPE_FILE_MULTICOMMANDER_USERDATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_multicommander_userdata",
name: "Multi Commander - UserData Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MultiCommander*\\UserData\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the contents of the UserData folder.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MultiCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `MultiCommander` target: dated `*MultiCommander.log` files directly under the
/// roaming application folder (the upstream comment gives the `YYYY-MM-DD ...` naming).
pub(crate) static KAPE_FILE_MULTICOMMANDER_MULTICOMMANDER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_multicommander_multicommander_log",
name: "Multi Commander - Log File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around the mask look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\MultiCommander*\\'*MultiCommander.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MultiCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
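/// KAPE `Nessus` target: the scanner's `conf` directory under `ProgramData\Tenable\Nessus`.
///
/// The upstream target has no comment for this entry, and ingest emitted that as a
/// literal pair of quote characters (`""`). The `meaning` now uses the
/// `<name> — collected by KAPE <Target> target` fallback that other comment-less
/// entries in this file use. This file is regenerated by `cargo run -p ingest`, so
/// the fallback belongs in the ingest pipeline as well.
pub(crate) static KAPE_FILE_NESSUS_CONF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nessus_conf",
// Upstream names both the conf and logs entries "Nessus Logs"; kept as ingested.
name: "Nessus Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Tenable\\Nessus\\conf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Nessus Logs — collected by KAPE Nessus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nessus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};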
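/// KAPE `Nessus` target: the scanner's `nessus\logs` directory under
/// `ProgramData\Tenable\Nessus`.
///
/// The upstream target has no comment for this entry, and ingest emitted that as a
/// literal pair of quote characters (`""`). The `meaning` now uses the
/// `<name> — collected by KAPE <Target> target` fallback that other comment-less
/// entries in this file use. This file is regenerated by `cargo run -p ingest`, so
/// the fallback belongs in the ingest pipeline as well.
pub(crate) static KAPE_FILE_NESSUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nessus_logs",
name: "Nessus Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Tenable\\Nessus\\nessus\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Nessus Logs — collected by KAPE Nessus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nessus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};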
/// KAPE `NetMonitorforEmployeesProfessional` target: per-user server-side log folders of
/// the Net Monitor for Employees Pro monitoring product (`ProgramData\...\log\%user%`).
pub(crate) static KAPE_FILE_LOG_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_user",
name: "Net Monitor Server Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Net Monitor for Employees Pro\\log\\%user%\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Net Monitor server logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `NetMonitorforEmployeesProfessional` target: the server-side `data` folder. The
/// upstream comment frames it as showing what the operator of the monitoring server saw.
pub(crate) static KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_monitor_for_employees_pro_data",
name: "Net Monitor Server Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Net Monitor for Employees Pro\\data\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Net Monitor server data - Indicates what have been seen as the attacker\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `NetMonitorforEmployeesProfessional` target: the server-side `config` folder.
pub(crate) static KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_monitor_for_employees_pro_config",
name: "Net Monitor Server Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Net Monitor for Employees Pro\\config\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Net Monitor server config\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `NetMonitorforEmployeesProfessional` target: the server-side `tmp` folder. The
/// upstream target carries no comment, so `meaning` is the ingest fallback text.
pub(crate) static KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_TMP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_monitor_for_employees_pro_tmp",
name: "Net Monitor Server Temp Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Net Monitor for Employees Pro\\tmp\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Net Monitor Server Temp Folder — collected by KAPE NetMonitorforEmployeesProfessional target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `NetMonitorforEmployeesProfessional` target: the client-side (agent) `log` folder
/// under `Program Files*` — the monitored endpoint, as opposed to the server entries.
pub(crate) static KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_monitor_for_employees_pro_log",
name: "Net Monitor Client Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Net Monitor for Employees Pro\\log\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Net Monitor client logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `NetMonitorforEmployeesProfessional` target: the client-side (agent) `config`
/// folder under `Program Files*`.
pub(crate) static KAPE_FILE_NET_MONITOR_CLIENT_C: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_monitor_client_c",
name: "Net Monitor Client Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Net Monitor for Employees Pro\\config\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Net Monitor client config\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetMonitorforEmployeesProfessional.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Notepad++` target: the `backup` folder holding unsaved editor buffers. These are
/// content the user typed but never wrote to disk, so they can preserve text that no
/// other file artifact records.
pub(crate) static KAPE_FILE_NOTEPAD_BACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notepad_backup",
name: "Notepad++ Unsaved Edits",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notepad++\\backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates non-saved Notepad++ files and copies them.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Notepad++` target: `config.xml`, which per the upstream comment records recent
/// search/replace terms and recently opened documents.
pub(crate) static KAPE_FILE_NOTEPAD_CONFIG_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notepad_config_xml",
name: "Notepad++ Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the double quotes around `config.xml` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notepad++\\\"config.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Notepad++` target: `session.xml`, the editor's saved session state.
pub(crate) static KAPE_FILE_NOTEPAD_SESSION_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notepad_session_xml",
name: "Notepad++ Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the double quotes around `session.xml` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notepad++\\\"session.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves session.xml which contains session date\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
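/// KAPE `Notion` target: the desktop app's local storage database `notion.db` under the
/// roaming profile, which per the upstream comment holds pages, databases and users.
///
/// Ingest joined the target's directory and file mask without a path separator and
/// kept the mask's YAML quotes, producing `Roaming\Notion'notion.db'` — a path that can
/// never match on disk. Rewritten as `Roaming\Notion\notion.db`, in the unquoted form the
/// rest of this file uses. This file is regenerated by `cargo run -p ingest`, so the
/// join fix belongs in the ingest pipeline as well.
pub(crate) static KAPE_FILE_ROAMING_NOTION_NOTION_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_notion_notion_db",
name: "Notion Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notion\\notion.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Local storage file containing all pages, databases, users, etc.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notion.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};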
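/// KAPE `Notion` target: the spell-check custom dictionary under the app's
/// `Partitions\notion` directory. The upstream target carries no comment, so `meaning`
/// is the ingest fallback text.
///
/// Ingest joined the target's directory and file mask without a path separator and
/// kept the mask's YAML quotes, producing `Partitions\notion'Custom Dictionary.txt'` — a
/// path that can never match on disk. Rewritten as
/// `Partitions\notion\Custom Dictionary.txt`, in the unquoted form the rest of this file
/// uses. This file is regenerated by `cargo run -p ingest`, so the join fix belongs in
/// the ingest pipeline as well.
pub(crate) static KAPE_FILE_PARTITIONS_NOTION_CUSTOM_DICTIONARY_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_partitions_notion_custom_dictionary_txt",
name: "Notion Custom Dictionary",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notion\\Partitions\\notion\\Custom Dictionary.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Notion Custom Dictionary — collected by KAPE Notion target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notion.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};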
/// KAPE `OneCommander` target: the per-user `OneCommander` folder, which the upstream
/// target describes as the location of all of the tool's configuration files.
pub(crate) static KAPE_FILE_USER_ONECOMMANDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_onecommander",
name: "One Commander - All Configuration Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\OneCommander\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates folder where all configuration files reside\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OneCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OneCommander` target: `onec*` folders under `AppData\Local\Apps\2.0\*\*`.
/// `Apps\2.0` is the location ClickOnce-deployed applications use; the two wildcard
/// levels cover the randomised directory names there (presumed from the path shape —
/// not stated by the upstream target).
pub(crate) static KAPE_FILE_ONEC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onec",
name: "One Commander - Other Configuration Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Apps\\2.0\\*\\*\\onec*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates folder where all configuration files reside\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OneCommander.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OneDrive_Metadata` target: the OneDrive client's profile folder under the local
/// AppData (client metadata, not the synced user files — see the `OneDrive_UserFiles`
/// descriptor for those). The upstream target carries no comment, so `meaning` is the
/// ingest fallback text.
pub(crate) static KAPE_FILE_MICROSOFT_ONEDRIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_onedrive",
name: "OneDrive User Profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\OneDrive\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OneDrive User Profile — collected by KAPE OneDrive_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OneDrive_Metadata.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OneDrive_UserFiles` target: the user's `OneDrive*` folder(s) in the profile.
///
/// The upstream caution in `meaning` matters for collection scope: reading
/// files-on-demand placeholders pulls content from the cloud, so the legal authority
/// must cover cloud data or the host must be isolated from the network before this
/// descriptor is used. `evidence_caveats` is empty; that caution is the natural
/// candidate for it.
pub(crate) static KAPE_FILE_USER_ONEDRIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_onedrive",
name: "OneDrive User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\OneDrive*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OneDrive_UserFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the user's `~/.ssh/config`. Per the upstream comment it
/// can name remote hosts, users, ports and key file locations — useful for scoping which
/// systems an account was set up to reach.
pub(crate) static KAPE_FILE_SSH_CONFIG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_config_2",
name: "OpenSSH Config File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `config` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'config'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the user's `~/.ssh/known_hosts`. Each entry is a host the
/// client has connected to, so the file is a record of outbound SSH destinations; note
/// that OpenSSH can store hashed host names, in which case the destinations are not
/// readable directly.
pub(crate) static KAPE_FILE_SSH_KNOWN_HOSTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_known_hosts_2",
name: "OpenSSH Known Hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `known_hosts` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'known_hosts'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: `*.pub` public keys in the user's `.ssh` folder. Public
/// keys are not secrets, but their trailing comment (often `user@host`) and their base
/// name point at the matching private keys, which the separate `id_*` descriptors cover.
pub(crate) static KAPE_FILE_SSH_PUB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_pub",
name: "OpenSSH Public Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `*.pub` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'*.pub'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_rsa` private key in the user's `.ssh`
/// folder. A private key is a credential (MITRE T1552.004, Unsecured Credentials:
/// Private Keys), so a collected copy needs the same handling as a password dump;
/// `mitre_techniques` and `evidence_caveats` are left empty here.
pub(crate) static KAPE_FILE_SSH_ID_RSA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_rsa",
name: "OpenSSH Default RSA Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_rsa` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_rsa'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH RSA private key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_ecdsa` private key in the user's `.ssh`
/// folder. Credential material (MITRE T1552.004); handle a collected copy accordingly.
pub(crate) static KAPE_FILE_SSH_ID_ECDSA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_ecdsa",
name: "OpenSSH Default ECDSA Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_ecdsa` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_ecdsa'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH ECDSA private key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_ecdsa_sk` key handle. For `-sk` keys the
/// secret lives on the hardware security key; this file is a handle that is only usable
/// together with that device, so its evidentiary weight differs from a plain `id_*` key.
pub(crate) static KAPE_FILE_SSH_ID_ECDSA_SK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_ecdsa_sk",
name: "OpenSSH Default ECDSA-SK Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_ecdsa_sk` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_ecdsa_sk'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH ECDSA private key using a Security Key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_ed25519` private key in the user's `.ssh`
/// folder. Credential material (MITRE T1552.004); handle a collected copy accordingly.
pub(crate) static KAPE_FILE_SSH_ID_ED25519: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_ed25519",
name: "OpenSSH Default ED25519 Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_ed25519` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_ed25519'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH ED25519 private key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_ed25519_sk` key handle. As with
/// `id_ecdsa_sk`, the secret lives on the hardware security key and this file is only a
/// handle that works together with that device.
pub(crate) static KAPE_FILE_SSH_ID_ED25519_SK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_ed25519_sk",
name: "OpenSSH Default ED25519-SK Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_ed25519_sk` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_ed25519_sk'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH ED25519 private key using a Security Key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHClient` target: the default `id_dsa` private key in the user's `.ssh`
/// folder. DSA keys are disabled by default in current OpenSSH releases, so one present
/// on a host usually points at an old installation or a deliberately re-enabled
/// algorithm. Credential material (MITRE T1552.004) either way.
pub(crate) static KAPE_FILE_SSH_ID_DSA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_id_dsa",
name: "OpenSSH Default DSA Private Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `id_dsa` look like YAML scalar quoting carried
// over by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'id_dsa'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Default name for an auto-generated SSH DSA private key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the Windows OpenSSH server's `sshd_config` under
/// `ProgramData\ssh`. Beyond the allow/deny user lists the upstream comment mentions, the
/// file fixes which authentication methods the server accepts, so it is the reference
/// point when reviewing the `authorized_keys` descriptors from the same target.
pub(crate) static KAPE_FILE_SSH_SSHD_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_sshd_config",
name: "OpenSSH Server Config File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `sshd_config` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\ProgramData\\ssh\\'sshd_config'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Config file can hold information on allowed/denied users\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: everything under `ProgramData\ssh\logs`, the log
/// directory of the Windows OpenSSH server.
pub(crate) static KAPE_FILE_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_2",
name: "OpenSSH Server Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `*` look like YAML scalar quoting carried over
// by ingest — confirm the path matcher strips them, otherwise this never matches.
file_path: Some("C:\\ProgramData\\ssh\\logs\\'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"OpenSSH server logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the server's ECDSA host private key. Host keys identify
/// the server to clients; a copied host key lets a third party impersonate this server
/// to anyone who has trusted it, so treat the collected file as secret material.
pub(crate) static KAPE_FILE_SSH_SSH_HOST_ECDSA_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_ssh_host_ecdsa_key",
name: "OpenSSH Host ECDSA Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around the file name look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\ProgramData\\ssh\\'ssh_host_ecdsa_key'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the host ECDSA key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the server's ED25519 host private key. Same handling as
/// the other host key descriptors: secret material that identifies this server.
pub(crate) static KAPE_FILE_SSH_SSH_HOST_ED25519_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_ssh_host_ed25519_key",
name: "OpenSSH Host ED25519 Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around the file name look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\ProgramData\\ssh\\'ssh_host_ed25519_key'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the host ED25519 key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the server's DSA host private key. Current OpenSSH
/// releases no longer generate or accept DSA host keys by default, so finding one is
/// itself a configuration signal worth recording.
pub(crate) static KAPE_FILE_SSH_SSH_HOST_DSA_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_ssh_host_dsa_key",
name: "OpenSSH Host DSA Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around the file name look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\ProgramData\\ssh\\'ssh_host_dsa_key'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the host DSA key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the server's RSA host private key. Same handling as the
/// other host key descriptors: secret material that identifies this server.
pub(crate) static KAPE_FILE_SSH_SSH_HOST_RSA_KEY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_ssh_host_rsa_key",
name: "OpenSSH Host RSA Key",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around the file name look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\ProgramData\\ssh\\'ssh_host_rsa_key'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the host RSA key\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the per-user `authorized_keys` file. Any key listed here
/// grants password-less login as that user, so an unexpected entry is a persistence
/// indicator (MITRE T1098.004, Account Manipulation: SSH Authorized Keys); compare the
/// file's timestamps against the incident timeline. `mitre_techniques` is left empty.
pub(crate) static KAPE_FILE_SSH_AUTHORIZED_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_authorized_keys",
name: "OpenSSH User Authorized Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `authorized_keys` look like YAML scalar quoting
// carried over by ingest — confirm the path matcher strips them, else this never matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'authorized_keys'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the user's authorised public keys\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: the legacy secondary `authorized_keys2` file. It is read
/// only where the server configuration lists it, so check `sshd_config` from the same
/// target to know whether entries here were actually honoured; the persistence reading
/// (MITRE T1098.004) is otherwise the same as for `authorized_keys`.
pub(crate) static KAPE_FILE_SSH_AUTHORIZED_KEYS2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_authorized_keys2",
name: "OpenSSH User Authorized Keys 2",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the single quotes around `authorized_keys2` look like YAML scalar
// quoting carried over by ingest — confirm the path matcher strips them, else this never
// matches.
file_path: Some("C:\\Users\\%user%\\.ssh\\'authorized_keys2'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the user's authorised public keys from the second file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenSSHServer` target: machine-wide `administrators_authorized_keys`.
// NOTE(review): on Windows OpenSSH this file, not the per-user one, governs key-based
// logins for Administrators-group members, so an unexpected key here is an
// admin-level access finding; consider a higher triage priority than the per-user
// entries and T1098.004 for `mitre_techniques`. Quoted path segment: same ingest
// issue as the other OpenSSH entries.
pub(crate) static KAPE_FILE_SSH_ADMINISTRATORS_AUTHORIZED_KEYS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_ssh_administrators_authorized_keys",
name: "OpenSSH Authorized Administrator Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ssh\\'administrators_authorized_keys'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves the administrator group's authorised public keys\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenSSHServer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenVPNClient` target: per-user OpenVPN profile directory.
// NOTE(review): OpenVPN profiles can embed certificates, private keys and
// `auth-user-pass` credential files; treat collected copies as sensitive.
pub(crate) static KAPE_FILE_OPENVPN_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_openvpn_config",
name: "OpenVPN Client Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\OpenVPN\\config\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains OpenVPN Configs (Profiles)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenVPNClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenVPNClient` target: machine-wide OpenVPN profile directory under Program Files.
// NOTE(review): the id `kape_file_openvpn_client_confi` looks truncated by the ingest
// id generator (presumably from "Config"); the `name` is identical to the per-user
// entry above, so only the id/path distinguish them.
pub(crate) static KAPE_FILE_OPENVPN_CLIENT_CONFI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_openvpn_client_confi",
name: "OpenVPN Client Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\OpenVPN\\config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains OpenVPN Configs(Profiles)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenVPNClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OpenVPNClient` target: per-user OpenVPN `*.log` files (one per profile).
// NOTE(review): `name` says "OpenVPN Client Config" but the path and `meaning` describe
// log files — the ingest appears to have reused the target-level name; the id
// `kape_file_log_log_3` is likewise a generic collision-suffixed name. Both should be
// corrected upstream in the ingest pipeline.
pub(crate) static KAPE_FILE_LOG_LOG_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_log_3",
name: "OpenVPN Client Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\OpenVPN\\log\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains OpenVPN Logs for each Config(Profile)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OpenVPNClient.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: Outlook `.pst` files in the Windows XP profile layout.
// NOTE(review): the path uses the XP-era `Documents and Settings` layout, yet
// `os_scope` is `Win7Plus` — the ingest appears to assign one default scope to every
// entry. Mailbox stores are also collection targets (T1114.001, Local Email
// Collection) and hold personal data; handle accordingly.
pub(crate) static KAPE_FILE_OUTLOOK_PST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_outlook_pst",
name: "PST XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Microsoft\\Outlook\\'*.pst'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PST XP — collected by KAPE OutlookPSTOST target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: Outlook `.ost` files in the Windows XP profile layout.
// NOTE(review): same XP-path vs `Win7Plus` scope mismatch as the PST XP entry.
pub(crate) static KAPE_FILE_OUTLOOK_OST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_outlook_ost",
name: "OST XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Microsoft\\Outlook\\'*.ost'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OST XP — collected by KAPE OutlookPSTOST target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: `.pst` files in `Documents\Outlook Files` (Outlook 2013/2016 default).
pub(crate) static KAPE_FILE_OUTLOOK_FILES_PST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_outlook_files_pst",
name: "PST (2013 or 2016)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\Outlook Files\\'*.pst'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PST (2013 or 2016) — collected by KAPE OutlookPSTOST target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: `.ost` files in `Documents\Outlook Files` (Outlook 2013/2016 default).
pub(crate) static KAPE_FILE_OUTLOOK_FILES_OST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_outlook_files_ost",
name: "OST (2013 or 2016)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\Outlook Files\\'*.ost'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OST (2013 or 2016) — collected by KAPE OutlookPSTOST target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: `.pst` data files under `AppData\Local\Microsoft\Outlook`.
// NOTE(review): the generic id `kape_file_pst` gives no hint of the Outlook location;
// the sibling entries use `kape_file_outlook_*` — consider normalising in ingest.
pub(crate) static KAPE_FILE_PST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pst",
name: "PST",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Outlook\\'*.pst'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Outlook Data File: POP accounts, archives, older installations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: offline `.ost` data files under `AppData\Local\Microsoft\Outlook`.
pub(crate) static KAPE_FILE_OST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ost",
name: "OST",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Outlook\\'*.ost'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Offline Outlook Data File: M365, Exchange, IMAP\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: Outlook Groups `.nst` storage files.
pub(crate) static KAPE_FILE_OUTLOOK_NST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_outlook_nst",
name: "NST",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Outlook\\'*.nst'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Outlook Group Storage File: Group conversations and calendar\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `OutlookPSTOST` target: `Content.Outlook` temporary attachment folder.
// NOTE(review): attachments opened (not saved) from Outlook are written here, so this
// folder is a useful place to recover the original of a phishing attachment after the
// message itself is gone; worth a higher priority than `Low` for phishing cases.
pub(crate) static KAPE_FILE_INETCACHE_CONTENT_OUTLOOK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_inetcache_content_outlook",
name: "Outlook Attachment Temporary Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Outlook temporary storage folder for user attachments\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OutlookPSTOST.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PDQDeploy` target: PDQ Deploy `*.db` databases under ProgramData.
// NOTE(review): PDQ Deploy is a software-deployment tool; its database records which
// packages were pushed to which hosts, which matters when a deployment tool has been
// abused for lateral movement. Quoted `'*.db'` mask: same ingest quoting issue as
// the other entries.
pub(crate) static KAPE_FILE_PDQ_DEPLOY_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pdq_deploy_db",
name: "PDQ Deploy database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Admin Arsenal\\PDQ Deploy\\'*.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PDQ Deploy database — collected by KAPE PDQDeploy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PDQDeploy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PaloAlto` target: per-user GlobalProtect client logs (`PanGP*.log*`).
// NOTE(review): `GlobalProtect'PanGP*.log*'` has no path separator between the
// directory and the file mask (compare the `\\'...'` form used by the OpenSSH
// entries) — the ingest concatenation appears to drop the separator when the tkape
// `Path` lacks a trailing backslash; the path is unusable as written. Fix in ingest.
pub(crate) static KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_PANGP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_palo_alto_networks_globalprotect_pangp_log",
name: "Palo Alto GlobalProtect VPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Palo Alto Networks\\GlobalProtect'PanGP*.log*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Authentication, portal/gateway connection, and user-side events (login/logout attempts)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PaloAlto.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PaloAlto` target: GlobalProtect service-side logs under Program Files.
// NOTE(review): missing separator before `'*.log*'` — same ingest issue as the
// per-user GlobalProtect entry. `PanGPS.log` (named in `meaning`) records VPN
// authentication and gateway connection events, useful for scoping remote access.
pub(crate) static KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_palo_alto_networks_globalprotect_log",
name: "Palo Alto GlobalProtect VPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Palo Alto Networks\\GlobalProtect'*.log*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Multiple logs like PanGPS.log that stores authentication, portal/gateway connection, and user-side events (login/logout attempts)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PaloAlto.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PeaZip` target: PeaZip archiver configuration under `AppData\Roaming`.
// NOTE(review): archiver configuration/history can show what was packaged before
// exfiltration (T1560.001, Archive via Utility) — a candidate for `mitre_techniques`.
pub(crate) static KAPE_FILE_ROAMING_PEAZIP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_peazip",
name: "PeaZip Configuration Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\PeaZip\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PeaZip Configuration Files — collected by KAPE PeaZip target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PeaZip.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ProtonVPN` target: connection logs of the older `AppData\Local\ProtonVPN` client layout.
// NOTE(review): same `name` as the `Proton\Proton VPN\Logs` entry that follows; the
// two differ only by install-layout path (older vs newer client).
pub(crate) static KAPE_FILE_PROTONVPN_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protonvpn_logs",
name: "ProtonVPN - Connection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\ProtonVPN\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates ProtonVPN connection logs.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProtonVPN.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ProtonVPN` target: client logs of the newer `Proton\Proton VPN` layout.
pub(crate) static KAPE_FILE_PROTON_VPN_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_proton_vpn_logs",
name: "ProtonVPN - Connection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Proton\\Proton VPN\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates ProtonVPN client logs.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProtonVPN.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ProtonVPN` target: Proton VPN service logs under `Program Files\Proton\VPN\v*`.
// NOTE(review): id `kape_file_servicedata_logs` lost the product name during ingest
// (it was derived from the last path components only); `kape_file_proton_vpn_service_logs`
// would be less ambiguous. Fix in the ingest id generator.
pub(crate) static KAPE_FILE_SERVICEDATA_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_servicedata_logs",
name: "ProtonVPN - Service Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Proton\\VPN\\v*\\ServiceData\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates ProtonVPN service logs.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProtonVPN.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ProtonVPN` target: Proton VPN client configuration/state (`Storage`).
// NOTE(review): per `meaning`, this holds the recently connected server list and
// server IPs — useful for correlating egress traffic with VPN use on the host.
pub(crate) static KAPE_FILE_PROTON_VPN_STORAGE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_proton_vpn_storage",
name: "ProtonVPN - Configuration",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Proton\\Proton VPN\\Storage"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Proton VPN configs including settings, recently connected server list and Proton VPN server IPs.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProtonVPN.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PulseSecure` target: Pulse Secure client logs under `Program Files (x86)`.
// NOTE(review): missing separator before the `'*'` mask (same ingest issue as the
// GlobalProtect entries). The `name` ("Programmes Files") and `meaning` ("Pule
// Secure") carry upstream typos; they are runtime strings and are left as-is here —
// correct them at the source or in ingest, not in this generated file.
pub(crate) static KAPE_FILE_PULSE_SECURE_LOGGING: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pulse_secure_logging",
name: "Pulse Secure logs in Programmes Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Pulse Secure\\Logging'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Logs for Pule Secure\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PulseSecure.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PulseSecure` target: Pulse Secure client logs under ProgramData.
// NOTE(review): id `kape_file_pulse_secure_logs_in` is truncated mid-phrase by the
// ingest id generator; missing separator before `'*'` as in the sibling entry.
pub(crate) static KAPE_FILE_PULSE_SECURE_LOGS_IN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pulse_secure_logs_in",
name: "Pulse Secure logs in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Pulse Secure\\Logging'*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Logs for Pule Secure\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PulseSecure.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PulseSecure` target: per-user Pulse Secure Setup Client `*.log` files.
// NOTE(review): missing separator before `'*.log'` — same ingest concatenation issue.
pub(crate) static KAPE_FILE_PULSE_SECURE_SETUP_CLIENT_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_pulse_secure_setup_client_log",
name: "Pulse Secure setup logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Roaming\\Pulse Secure\\Setup Client'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Setup logs for Pule Secure\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PulseSecure.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `PulseSecure` target: per-user `PulseClient.log` (PSAL logs).
// NOTE(review): missing separator before `'PulseClient.log'` — same ingest issue.
pub(crate) static KAPE_FILE_PULSE_SECURE_LOGGING_PULSECLIENT_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_pulse_secure_logging_pulseclient_log",
name: "Pulse Secure PSAL logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Pulse Secure\\Logging'PulseClient.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"PSAL logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PulseSecure.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Q-Dir` target: the Q-Dir file manager's `Q-Dir.ini` settings file.
pub(crate) static KAPE_FILE_Q_DIR_Q_DIR_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_q_dir_q_dir_ini",
name: "Q-Dir - .ini File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Q-Dir\\'Q-Dir.ini'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Locates .ini file associated with Q-Dir which stores useful user activity information.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Q-Dir.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Q-Dir` target: `start.qdr`, which records recently opened folders.
// NOTE(review): `meaning` says the folder list is encoded; `decoder` is `Identity`,
// so the consumer sees the raw encoded bytes — a dedicated decoder would be needed
// to surface the folder paths.
pub(crate) static KAPE_FILE_Q_DIR_START_QDR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_q_dir_start_qdr",
name: "Q-Dir - .qdr file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Q-Dir\\'start.qdr'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately).\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Q-Dir.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QFinderPro (QNAP)` target: QfinderPro data directory listing discovered QNAP devices.
// NOTE(review): the source URL contains an unencoded space (`QFinderPro (QNAP).tkape`);
// if these URLs are ever fetched or rendered as links, the ingest should percent-encode
// the file name (`%20`).
pub(crate) static KAPE_FILE_QNAP_QFINDERPRO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qnap_qfinderpro",
name: "QFinderPro",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\QNAP\\QfinderPro"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a JSON file that provides network location information for any QNAP connected devices.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QFinderPro (QNAP).tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QlikSense` target: Qlik Sense proxy service logs (`*.txt`).
// NOTE(review): missing separator before `'*.txt'` — same ingest concatenation
// issue; id `kape_file_log_proxy_txt` also lost the product name. Proxy logs are the
// authentication-facing component of Qlik Sense, so they are the first place to look
// for access to the service.
pub(crate) static KAPE_FILE_LOG_PROXY_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_proxy_txt",
name: "Qlik Sense Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Qlik\\Sense\\Log\\Proxy'*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects the proxy logs for Qlik Sense\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QlikSense.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QlikSense` target: Qlik Sense proxy service logs (`*.log`).
// NOTE(review): missing separator before `'*.log'`; generic id — see the `*.txt` entry.
pub(crate) static KAPE_FILE_LOG_PROXY_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_proxy_log",
name: "Qlik Sense Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Qlik\\Sense\\Log\\Proxy'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects the proxy logs for Qlik Sense\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QlikSense.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QlikSense` target: Qlik Sense scheduler service logs (`*.txt`).
// NOTE(review): missing separator before `'*.txt'`; generic id — see the proxy entries.
pub(crate) static KAPE_FILE_LOG_SCHEDULER_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_scheduler_txt",
name: "Qlik Sense Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Qlik\\Sense\\Log\\Scheduler'*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects the scheduler logs for Qlik Sense\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QlikSense.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QlikSense` target: Qlik Sense scheduler service logs (`*.log`).
// NOTE(review): missing separator before `'*.log'`; generic id — see the proxy entries.
pub(crate) static KAPE_FILE_LOG_SCHEDULER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_scheduler_log",
name: "Qlik Sense Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Qlik\\Sense\\Log\\Scheduler'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects the scheduler logs for Qlik Sense\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QlikSense.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RDCMan` target: Remote Desktop Connection Manager `.rdg` group files.
// NOTE(review): the path reduces to the drive root plus a double-quoted mask
// (`C:\"*.rdg"`), which only makes sense if the tkape entry is a recursive search; the
// ingest appears to drop the `Recursive` flag and keep the YAML quotes — confirm
// against the source. `.rdg` files can carry saved RDP credentials (encrypted with the
// certificate collected by the `RDCMan Personal Certificate` entry in this file), so
// they deserve a caveat on sensitive content; T1021.001 (Remote Desktop Protocol)
// fits the empty `mitre_techniques` slot.
pub(crate) static KAPE_FILE_C_RDG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_rdg",
name: "RDG Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\\"*.rdg\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"These files store the information about Remote Desktop Groups.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDCMan.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RDCMan` target: `.rdg.old` backups written on RDCMan upgrade.
// NOTE(review): same root-plus-quoted-mask path issue as the `.rdg` entry; the backup
// can preserve connection groups (and saved credentials) that were since removed from
// the live file, which is useful for scoping historical RDP targets.
pub(crate) static KAPE_FILE_C_RDG_OLD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_rdg_old",
name: "Old RDG Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\\"*.rdg.old\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"These files store the information about Remote Desktop Groups. They are backups created when upgrading to a newer version of RDCMan.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDCMan.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RDCMan` target: per-user RDCMan `*.settings` files.
// NOTE(review): double-quoted mask carried over from YAML — same ingest quoting issue.
pub(crate) static KAPE_FILE_REMOTE_DESKTOP_CONNECTION_MANAGER_SETTINGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remote_desktop_connection_manager_settings",
name: "RDCMan Settings File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\\"*.settings\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Stores settings information for RDCMan.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDCMan.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RDCMan` target: the user's `My` certificate store, used by RDCMan to encrypt saved passwords.
// NOTE(review): `C:\Users%user%\AppData...` is missing the backslash between `Users`
// and `%user%`, so the path cannot match a real profile — an ingest concatenation
// defect; fix in the pipeline (a hand edit here is overwritten on regeneration).
// NOTE(review): this is the one entry in this group carrying a `Critical` priority,
// `Definitive` strength and a private-key handling caveat — a sensible template for
// the other key-material entries (OpenSSH host key, `.rdg` with saved credentials).
// The `MY\Certificates` directory holds certificates; the matching private keys live
// in the separate `Crypto\RSA` key container — verify the caveat text against what
// is actually collected.
pub(crate) static KAPE_FILE_MY_CERTIFICATES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_my_certificates",
name: "RDCMan Personal Certificate",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users%user%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Encryption Certificate for stored passwords\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDCMan.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Personal certificates including private keys; check for self-signed or unexpected issuers",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Certificate store persists until certificate deletion",
};
/// KAPE `Radmin` target: Radmin Server application log (32-bit install under `SysWOW64`).
// NOTE(review): per `meaning`, this log records service starts and incoming
// connections, i.e. who connected to the host over Radmin — relevant to T1219 (Remote
// Access Software) for the empty `mitre_techniques` slot. "incomming" is an upstream
// typo in a runtime string; leave it for the source/ingest to correct.
pub(crate) static KAPE_FILE_RSERVER30_RADM_LOG_HTM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rserver30_radm_log_htm",
name: "Radmin Server 32bit Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Contains Application Log entries such as service start and incomming connections.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Radmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Radmin` target: Radmin Server application log (64-bit install under `System32`).
// NOTE(review): same content and T1219 relevance as the 32-bit entry; ids differ in
// style (`kape_file_rserver30_radm_log_htm` vs `kape_file_radmin_server_64bit`) because
// the ingest generator falls back to the display name on collision — worth normalising.
pub(crate) static KAPE_FILE_RADMIN_SERVER_64BIT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_radmin_server_64bit",
name: "Radmin Server 64bit Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\rserver30\\Radm_log.htm"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Contains Application Log entries such as service start and incomming connections.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Radmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Radmin` target: Radmin Server chat logs (32-bit install under `SysWOW64`).
// NOTE(review): id `kape_file_htm` is derived from the file extension alone and says
// nothing about Radmin; the sibling is `kape_file_htm_2`. Both should be regenerated
// with the product name (e.g. a `radmin_server_32bit_chats` stem) by the ingest.
pub(crate) static KAPE_FILE_HTM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_htm",
name: "Radmin Server 32bit Chats",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\rserver30\\CHATLOGS\\*\\'*.htm'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Previous chat logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Radmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Radmin` target: Radmin Server chat logs (64-bit install under `System32`).
// NOTE(review): collision-suffixed generic id `kape_file_htm_2` — see the 32-bit entry.
pub(crate) static KAPE_FILE_HTM_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_htm_2",
name: "Radmin Server 64bit Chats",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\'*.htm'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Previous chat logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Radmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Radmin` target: Radmin Viewer (client-side) chat logs under the user's Documents.
pub(crate) static KAPE_FILE_RADMIN_VIEWER_CHATS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_radmin_viewer_chats",
name: "Radmin Viewer Chats",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\ChatLogs\\*\\'*.htm'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Previous chat logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Radmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RcloneConf` target: `.rclone.conf` in a user's profile root.
// NOTE(review): `%user%'.rclone.conf'` has no separator between the profile directory
// and the file name — same ingest concatenation defect as the GlobalProtect/Pulse
// entries. An rclone config on an endpoint is a strong exfiltration indicator (remote
// definitions plus access tokens for cloud storage); T1567.002 (Exfiltration to Cloud
// Storage) fits `mitre_techniques`, and the tokens inside warrant a sensitive-content
// caveat. A `Low` priority undersells this artifact for intrusion triage.
pub(crate) static KAPE_FILE_USERS_USER_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_rclone_conf",
name: "Rclone config - User Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%'.rclone.conf'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects .rclone.conf from a user profile - v0.96\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
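/// KAPE target `Rclone config - SYSTEM SysWOW64 User Folder` (RcloneConf.tkape): legacy
/// `.rclone.conf` in the 32-bit SYSTEM profile.
pub(crate) static KAPE_FILE_CONFIG_SYSTEMPROFILE_RCLONE_CONF: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_config_systemprofile_rclone_conf",
        name: "Rclone config - SYSTEM SysWOW64 User Folder",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        // Path and FileMask joined with `\`; the generated value had no separator and kept
        // the YAML quotes around the mask, so the glob could never match the intended file.
        file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\.rclone.conf"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "\"Collects .rclone.conf from SYSTEM SysWOW64 user profile - v0.96\"",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };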
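/// KAPE target `Rclone config - SYSTEM User Folder` (RcloneConf.tkape): legacy
/// `.rclone.conf` in the SYSTEM profile.
pub(crate) static KAPE_FILE_RCLONE_CONFIG_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_rclone_config_system",
    name: "Rclone config - SYSTEM User Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\.rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects .rclone.conf from SYSTEM user profile - v0.96\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};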
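/// KAPE target `Rclone config - LocalService User Folder` (RcloneConf.tkape): legacy
/// `.rclone.conf` in the LocalService profile.
pub(crate) static KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_RCLONE_CONF: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_serviceprofiles_localservice_rclone_conf",
        name: "Rclone config - LocalService User Folder",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        // Path and FileMask joined with `\`; the generated value had no separator and kept
        // the YAML quotes around the mask, so the glob could never match the intended file.
        file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\.rclone.conf"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "\"Collects .rclone.conf from LocalService user profile - v0.96\"",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };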
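/// KAPE target `Rclone config - NetworkService User Folder` (RcloneConf.tkape): legacy
/// `.rclone.conf` in the NetworkService profile.
pub(crate) static KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_RCLONE_CONF: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_serviceprofiles_networkservice_rclone_conf",
        name: "Rclone config - NetworkService User Folder",
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        // Path and FileMask joined with `\`; the generated value had no separator and kept
        // the YAML quotes around the mask, so the glob could never match the intended file.
        file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\.rclone.conf"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        meaning: "\"Collects .rclone.conf from NetworkService user profile - v0.96\"",
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        triage_priority: TriagePriority::Low,
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape",
        ],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };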
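/// KAPE target `Rclone config - User .config Folder` (RcloneConf.tkape): `rclone.conf`
/// under `.config\rclone` in a user profile.
pub(crate) static KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_rclone_rclone_conf",
    name: "Rclone config - User .config Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Users\\%user%\\.config\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the .config folder in a user profile - v1.55.1\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};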
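/// KAPE target `Rclone config - SYSTEM SysWOW64 User .config Folder` (RcloneConf.tkape):
/// `rclone.conf` under `.config\rclone` in the 32-bit SYSTEM profile.
pub(crate) static KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_rclone_rclone_conf_2",
    name: "Rclone config - SYSTEM SysWOW64 User .config Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\.config\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the .config folder in SYSTEM SysWOW64 user profile - v1.55.1\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};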
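/// KAPE target `Rclone config - SYSTEM User .config Folder` (RcloneConf.tkape):
/// `rclone.conf` under `.config\rclone` in the SYSTEM profile.
pub(crate) static KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_rclone_rclone_conf_3",
    name: "Rclone config - SYSTEM User .config Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\.config\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the .config folder in SYSTEM user profile - v1.55.1\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};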
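/// KAPE target `Rclone config - LocalService User .config Folder` (RcloneConf.tkape):
/// `rclone.conf` under `.config\rclone` in the LocalService profile.
pub(crate) static KAPE_FILE_RCLONE_CONFIG_LOCALS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_rclone_config_locals",
    name: "Rclone config - LocalService User .config Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\.config\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the .config folder in LocalService user profile - v1.55.1\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};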
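/// KAPE target `Rclone config - NetworkService User .config Folder` (RcloneConf.tkape):
/// `rclone.conf` under `.config\rclone` in the NetworkService profile.
pub(crate) static KAPE_FILE_RCLONE_CONFIG_NETWOR: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_rclone_config_networ",
    name: "Rclone config - NetworkService User .config Folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\.config\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the .config folder in NetworkService user profile - v1.55.1\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};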
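/// KAPE target `Rclone config - User config Folder - XDG_CONFIG_HOME Default`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Local\rclone` in a user profile.
pub(crate) static KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_rclone_rclone_conf",
    name: "Rclone config - User config Folder - XDG_CONFIG_HOME Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in a user profile - v1.55.1. Default for XDG_CONFIG_HOME indicates LOCALAPPDATA\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};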
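/// KAPE target `Rclone config - SYSTEM SysWOW64 User config Folder - XDG_CONFIG_HOME Default`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Local\rclone` in the 32-bit SYSTEM profile.
pub(crate) static KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_rclone_rclone_conf_2",
    name: "Rclone config - SYSTEM SysWOW64 User config Folder - XDG_CONFIG_HOME Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in SYSTEM SysWOW64 user profile - v1.55.1. Default for XDG_CONFIG_HOME indicates LOCALAPPDATA\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};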
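/// KAPE target `Rclone config - SYSTEM User config Folder - XDG_CONFIG_HOME Default`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Local\rclone` in the SYSTEM profile.
pub(crate) static KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_rclone_rclone_conf_3",
    name: "Rclone config - SYSTEM User config Folder - XDG_CONFIG_HOME Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in SYSTEM user profile - v1.55.1. Default for XDG_CONFIG_HOME indicates LOCALAPPDATA\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};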
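/// KAPE target `Rclone config - LocalService User config Folder - XDG_CONFIG_HOME Default`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Local\rclone` in the LocalService profile.
pub(crate) static KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_rclone_rclone_conf_4",
    name: "Rclone config - LocalService User config Folder - XDG_CONFIG_HOME Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in LocalService user profile - v1.55.1. Default for XDG_CONFIG_HOME indicates LOCALAPPDATA\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};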
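/// KAPE target `Rclone config - NetworkService User config Folder - XDG_CONFIG_HOME Default`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Local\rclone` in the NetworkService profile.
pub(crate) static KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_rclone_rclone_conf_5",
    name: "Rclone config - NetworkService User config Folder - XDG_CONFIG_HOME Default",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in NetworkService user profile - v1.55.1. Default for XDG_CONFIG_HOME indicates LOCALAPPDATA\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};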
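/// KAPE target `Rclone config - User config Folder - Roaming` (RcloneConf.tkape):
/// `rclone.conf` under `AppData\Roaming\rclone` in a user profile.
pub(crate) static KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_rclone_rclone_conf",
    name: "Rclone config - User config Folder - Roaming",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\rclone\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in a user profile - v1.56+\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};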
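/// KAPE target `Rclone config - SYSTEM SysWOW64 User config Folder - Roaming`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Roaming\rclone` in the 32-bit SYSTEM profile.
pub(crate) static KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_rclone_rclone_conf_2",
    name: "Rclone config - SYSTEM SysWOW64 User config Folder - Roaming",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some(
        "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\rclone\\rclone.conf",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the config folder in SYSTEM SysWOW64 user profile - v1.56+\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};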
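/// KAPE target `Rclone config - SYSTEM User config Folder - Roaming` (RcloneConf.tkape):
/// `rclone.conf` under `AppData\Roaming\rclone` in the SYSTEM profile.
pub(crate) static KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_rclone_rclone_conf_3",
    name: "Rclone config - SYSTEM User config Folder - Roaming",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some(
        "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\rclone\\rclone.conf",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the config folder in SYSTEM user profile - v1.56+\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};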
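/// KAPE target `Rclone config - LocalService User config Folder - Roaming`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Roaming\rclone` in the LocalService profile.
pub(crate) static KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_rclone_rclone_conf_4",
    name: "Rclone config - LocalService User config Folder - Roaming",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some(
        "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\rclone\\rclone.conf",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the config folder in LocalService user profile - v1.56+\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};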
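/// KAPE target `Rclone config - NetworkService User config Folder - Roaming`
/// (RcloneConf.tkape): `rclone.conf` under `AppData\Roaming\rclone` in the NetworkService profile.
pub(crate) static KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_rclone_rclone_conf_5",
    name: "Rclone config - NetworkService User config Folder - Roaming",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some(
        "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\rclone\\rclone.conf",
    ),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "\"Collects rclone.conf from the config folder in NetworkService user profile - v1.56+\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};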
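/// KAPE target `Rclone config - SysWOW64 Sideloaded Config` (RcloneConf.tkape):
/// `rclone.conf` dropped directly in the SysWOW64 folder.
pub(crate) static KAPE_FILE_WINDOWS_SYSWOW64_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_syswow64_rclone_conf",
    name: "Rclone config - SysWOW64 Sideloaded Config",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\SysWOW64\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the SysWOW64 Folder\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};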
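/// KAPE target `Rclone config - System32 Sideloaded Config` (RcloneConf.tkape):
/// `rclone.conf` dropped directly in the System32 folder.
pub(crate) static KAPE_FILE_WINDOWS_SYSTEM32_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_system32_rclone_conf",
    name: "Rclone config - System32 Sideloaded Config",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\System32\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the System32 Folder\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};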
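/// KAPE target `Rclone config - Windows Sideloaded Config` (RcloneConf.tkape):
/// `rclone.conf` dropped directly in the Windows folder.
pub(crate) static KAPE_FILE_C_WINDOWS_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_windows_rclone_conf",
    name: "Rclone config - Windows Sideloaded Config",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\Windows\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf from the Windows Folder\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};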
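/// KAPE target `Rclone config - Recursive` (RcloneConf.tkape): `rclone.conf` anywhere on
/// the system drive.
///
/// The source target is recursive (see `meaning`), but the descriptor has no field for
/// that flag, so a consumer that matches `file_path` literally only checks the drive root.
pub(crate) static KAPE_FILE_C_RCLONE_CONF: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_rclone_conf",
    name: "Rclone config - Recursive",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects rclone.conf recursively. Needed if rclone.conf is sideloaded beside binary - portable mode or specifying custom path\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};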
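/// KAPE target `Rclone config fallback - Recursive` (RcloneConf.tkape): legacy
/// `.rclone.conf` anywhere on the system drive.
///
/// The source target is recursive (see `meaning`), but the descriptor has no field for
/// that flag, so a consumer that matches `file_path` literally only checks the drive root.
pub(crate) static KAPE_FILE_RCLONE_CONFIG_FALLBA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_rclone_config_fallba",
    name: "Rclone config fallback - Recursive",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended file.
    file_path: Some("C:\\.rclone.conf"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Collects .rclone.conf recursively. This is a fallback in the Rclone code for writing config to current working directory if all other methods fail\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RcloneConf.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};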
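/// KAPE target `Remco RAT Default path` (Remcos.tkape): `logs*.dat*` in the default
/// `remcos` folder under Roaming AppData.
///
/// NOTE(review): `meaning` says this is keylogging-module output, yet `triage_priority`
/// and the empty `mitre_techniques` look like generator defaults; worth revisiting when
/// the mapping is curated.
pub(crate) static KAPE_FILE_ROAMING_REMCOS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_remcos_logs_dat",
    name: "Remco RAT Default path",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\Users\\*\\AppData\\Roaming\\remcos\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat default file - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};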
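/// KAPE target `Remco RAT custom path - AppData screenshots folder` (Remcos.tkape):
/// `logs*.dat*` in a `screenshots` folder under Roaming AppData.
pub(crate) static KAPE_FILE_ROAMING_SCREENSHOTS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_screenshots_logs_dat",
    name: "Remco RAT custom path - AppData screenshots folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\Users\\*\\AppData\\Roaming\\screenshots\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};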
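/// KAPE target `Remco RAT custom path - AppData notess folder` (Remcos.tkape):
/// `logs*.dat*` in a `notess` folder under Roaming AppData.
pub(crate) static KAPE_FILE_ROAMING_NOTESS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_notess_logs_dat",
    name: "Remco RAT custom path - AppData notess folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\Users\\*\\AppData\\Roaming\\notess\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};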
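/// KAPE target `Remco RAT custom path - AppData micrecords folder` (Remcos.tkape):
/// `logs*.dat*` in a `micrecords` folder under Roaming AppData.
pub(crate) static KAPE_FILE_ROAMING_MICRECORDS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_micrecords_logs_dat",
    name: "Remco RAT custom path - AppData micrecords folder",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\Users\\*\\AppData\\Roaming\\micrecords\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};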
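/// KAPE target `Remco RAT custom path - AppData hpsupport` (Remcos.tkape):
/// `logs*.dat*` in an `hpsupport` folder under Roaming AppData.
pub(crate) static KAPE_FILE_ROAMING_HPSUPPORT_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_hpsupport_logs_dat",
    name: "Remco RAT custom path - AppData hpsupport",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\Users\\*\\AppData\\Roaming\\hpsupport\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};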
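/// KAPE target `Remco RAT custom path` (Remcos.tkape): `logs*.dat*` in a `remcos` folder
/// under ProgramData.
pub(crate) static KAPE_FILE_PROGRAMDATA_REMCOS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_remcos_logs_dat",
    name: "Remco RAT custom path",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\ProgramData\\remcos\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};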
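/// KAPE target `Remco RAT custom path - AppData notess` (Remcos.tkape): `logs*.dat*` in a
/// `notess` folder under ProgramData (the source target's name says AppData; the path does not).
pub(crate) static KAPE_FILE_PROGRAMDATA_NOTESS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_notess_logs_dat",
    name: "Remco RAT custom path - AppData notess",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\ProgramData\\notess\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};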
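/// KAPE target `Remco RAT custom path - AppData screenshots` (Remcos.tkape): `logs*.dat*`
/// in a `screenshots` folder under ProgramData (the source target's name says AppData; the
/// path does not).
pub(crate) static KAPE_FILE_PROGRAMDATA_SCREENSHOTS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_screenshots_logs_dat",
    name: "Remco RAT custom path - AppData screenshots",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\ProgramData\\screenshots\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};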
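/// KAPE target `Remco RAT custom path - AppData micrecords` (Remcos.tkape): `logs*.dat*`
/// in a `micrecords` folder under ProgramData (the source target's name says AppData; the
/// path does not).
pub(crate) static KAPE_FILE_PROGRAMDATA_MICRECORDS_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_micrecords_logs_dat",
    name: "Remco RAT custom path - AppData micrecords",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\ProgramData\\micrecords\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};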
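/// KAPE target `Remco RAT custom path - AppData hpsupport` (Remcos.tkape): `logs*.dat*`
/// in an `hpsupport` folder under ProgramData (the source target's name says AppData; the
/// path does not).
pub(crate) static KAPE_FILE_PROGRAMDATA_HPSUPPORT_LOGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_programdata_hpsupport_logs_dat",
    name: "Remco RAT custom path - AppData hpsupport",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML quotes around the mask, so the glob could never match the intended files.
    file_path: Some("C:\\ProgramData\\hpsupport\\logs*.dat*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Remco RAT logs.dat custom path - contains debug data and logs relative to the keylogging module\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Remcos.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};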
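/// KAPE target `SQLite Data Sources` (RemoteDesktopManager.tkape): `*.db` files in the
/// Devolutions Remote Desktop Manager local AppData folder.
pub(crate) static KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_devolutions_remotedesktopmanager_db",
    name: "SQLite Data Sources",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML double quotes around the mask (`"` is not even legal in a Windows file name).
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\*.db"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"SQLite database of connections and settings. Connections.db is the default. There can be others in different locations. This will only pick up db files in the default location.\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};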
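/// KAPE target `XML Data Sources` (RemoteDesktopManager.tkape): `*.xml` files in the
/// Devolutions Remote Desktop Manager local AppData folder.
pub(crate) static KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_devolutions_remotedesktopmanager_xml",
    name: "XML Data Sources",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML double quotes around the mask (`"` is not even legal in a Windows file name).
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\*.xml"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // The generated text had a dangling closing quote with no opening one; restored the
    // surrounding pair so it reads like the sibling entries from the same target.
    meaning: "\"XML of connections and settings. Connections.xml is the default. There can be others in different locations. This will only pick up XML files in the default location.\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};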
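/// KAPE target `Connections.log` (RemoteDesktopManager.tkape): the connection log in the
/// Devolutions Remote Desktop Manager local AppData folder.
pub(crate) static KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_CONNECTIONS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_devolutions_remotedesktopmanager_connections_log",
    name: "Connections.log",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML double quotes around the mask (`"` is not even legal in a Windows file name).
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\Connections.log"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Log file for connections.\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};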
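/// KAPE target `RemoteDesktopManager.cfg` (RemoteDesktopManager.tkape): the configuration
/// file in the Devolutions Remote Desktop Manager local AppData folder.
pub(crate) static KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_REMOTEDESKTOPMANA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_devolutions_remotedesktopmanager_remotedesktopmana",
    name: "RemoteDesktopManager.cfg",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Path and FileMask joined with `\`; the generated value had no separator and kept the
    // YAML double quotes around the mask (`"` is not even legal in a Windows file name).
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\RemoteDesktopManager.cfg"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "\"Configuration settings.\"",
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};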
pub(crate) static KAPE_FILE_MRU_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mru_xml",
name: "Most Recently Used XML",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\*\\\"Mru.xml\"",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"XML file of most recently used connections.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_FAVORITES_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favorites_xml",
name: "Favorites XML",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Devolutions\\RemoteDesktopManager\\*\\\"Favorites.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"XML file of Favorited connections.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteDesktopManager.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
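// NOTE(review): all three Remote Manipulator System paths were emitted without the
// `\` between the KAPE `Path` and `FileMask` fields (e.g. `Logs"rms_log_*.html"`);
// restored by hand here, but the generator must be fixed before regeneration.

/// Remote Manipulator System host connection logs (`rms_log_*.html`) under the
/// Program Files install; from the KAPE `RemoteManipulatorSystem.tkape` target.
pub(crate) static KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_HOST_LOGS_RMS_LOG_HTML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remote_manipulator_system_host_logs_rms_log_html",
name: "Remote Manipulator System Connection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the `Logs` directory and the file mask.
file_path: Some("C:\\Program Files*\\Remote Manipulator System - Host\\Logs\\\"rms_log_*.html\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes connection log files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteManipulatorSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Remote Manipulator System connection logs (`rms_log_*.html`) under
/// ProgramData; from the KAPE `RemoteManipulatorSystem.tkape` target.
pub(crate) static KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_LOGS_RMS_LOG_HTML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remote_manipulator_system_logs_rms_log_html",
name: "Remote Manipulator System Connection Logs in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the `Logs` directory and the file mask.
file_path: Some("C:\\ProgramData\\Remote Manipulator System\\Logs\\\"rms_log_*.html\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes connection log files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteManipulatorSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Remote Manipulator System `install.log` under ProgramData; from the KAPE
/// `RemoteManipulatorSystem.tkape` target.
pub(crate) static KAPE_FILE_PROGRAMDATA_REMOTE_MANIPULATOR_SYSTEM_INSTALL_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_remote_manipulator_system_install_log",
name: "Remote Manipulator System Install Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the directory and the file name.
file_path: Some("C:\\ProgramData\\Remote Manipulator System\\\"install.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes Install log file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteManipulatorSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};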
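// NOTE(review): all three Remote Utilities paths were emitted without the `\`
// between the KAPE `Path` and `FileMask` fields (e.g. `Logs"rut_log_*.html"`);
// restored by hand here, but the generator must be fixed before regeneration.

/// Remote Utilities host connection logs (`rut_log_*.html`) under the Program
/// Files install; from the KAPE `RemoteUtilities_app.tkape` target.
pub(crate) static KAPE_FILE_REMOTE_UTILITIES_HOST_LOGS_RUT_LOG_HTML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remote_utilities_host_logs_rut_log_html",
name: "RemoteUtilities Connection Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the `Logs` directory and the file mask.
file_path: Some("C:\\Program Files*\\Remote Utilities - Host\\Logs\\\"rut_log_*.html\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes connection log files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteUtilities_app.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Remote Utilities connection logs (`rut_log_*.html`) under ProgramData; from
/// the KAPE `RemoteUtilities_app.tkape` target.
pub(crate) static KAPE_FILE_REMOTE_UTILITIES_LOGS_RUT_LOG_HTML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remote_utilities_logs_rut_log_html",
name: "RemoteUtilities Connection Logs in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the `Logs` directory and the file mask.
file_path: Some("C:\\ProgramData\\Remote Utilities\\Logs\\\"rut_log_*.html\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes connection log files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteUtilities_app.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Remote Utilities `install.log` under ProgramData; from the KAPE
/// `RemoteUtilities_app.tkape` target.
pub(crate) static KAPE_FILE_PROGRAMDATA_REMOTE_UTILITIES_INSTALL_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_remote_utilities_install_log",
name: "RemoteUtilities Install Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the directory and the file name.
file_path: Some("C:\\ProgramData\\Remote Utilities\\\"install.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes Install log file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteUtilities_app.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};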
// Robo-FTP descriptors, all from the KAPE `Robo-FTP.tkape` target. Every path
// below is pinned to the `Robo-FTP 3.12` install directory exactly as the
// upstream target states it; other installed versions are not matched.
// The literal quotes around each file mask look like YAML quoting leaked from
// the tkape `FileMask` value — verify that the path matcher strips them.

/// Per-user Robo-FTP script files (`*.s`) under `UserData\<user>\Scripts`.
pub(crate) static KAPE_FILE_SCRIPTS_S: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scripts_s",
name: "Robo-FTP User Scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\Scripts\\\"*.s\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Custom scripts created by each user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP debug logs (`*.log`) under `UserData\<user>\Debug`; the
/// upstream comment notes they exist only if debug logging is enabled.
pub(crate) static KAPE_FILE_DEBUG_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_debug_log",
name: "Robo-FTP User Debug Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\Debug\\\"*.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Debug logs generated for each user, if enabled\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP script/trace logs (everything under `UserData\<user>\Logs`).
pub(crate) static KAPE_FILE_LOGS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_3",
name: "Robo-FTP User Script/Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\Logs\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Script and Trace logs generated for each user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP `config.xml` (custom script and FTP site list).
pub(crate) static KAPE_FILE_CONFIG_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_xml",
name: "Robo-FTP User XML Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\\"config.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Config.xml unique to each user. Contains list of custom scripts and ftp sites\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP saved SSH keys (everything under `UserData\<user>\SSH Keys`).
/// Key material: handle the collected files as sensitive evidence.
pub(crate) static KAPE_FILE_SSH_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssh_keys",
name: "Robo-FTP User SSH Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\SSH Keys\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Saved SSH keys for each user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP saved SSL certificates (everything under
/// `UserData\<user>\SSL Certificates`).
pub(crate) static KAPE_FILE_SSL_CERTIFICATES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ssl_certificates",
name: "Robo-FTP User SSL Certificates",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\SSL Certificates\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Saved SSL Certificates for each user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Robo-FTP saved PGP keys (everything under `UserData\<user>\PGP Keys`).
/// Key material: handle the collected files as sensitive evidence.
pub(crate) static KAPE_FILE_PGP_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pgp_keys",
name: "Robo-FTP User PGP Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\UserData\\*\\PGP Keys\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Saved PGP Keys for each user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Shared (non-per-user) Robo-FTP SSH keys under `ProgramData\SSH Keys`.
/// Key material: handle the collected files as sensitive evidence.
pub(crate) static KAPE_FILE_ROBO_FTP_SSH_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_robo_ftp_ssh_keys",
name: "Robo-FTP SSH Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\SSH Keys\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Shared SSH keys\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Shared Robo-FTP SSL certificates under `ProgramData\SSL Certificates`.
pub(crate) static KAPE_FILE_ROBO_FTP_SSL_CERTIFI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_robo_ftp_ssl_certifi",
name: "Robo-FTP SSL Certificates",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\SSL Certificates\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Shared SSL Certificates\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Shared Robo-FTP PGP keys under `ProgramData\PGP Keys`.
/// Key material: handle the collected files as sensitive evidence.
pub(crate) static KAPE_FILE_ROBO_FTP_PGP_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_robo_ftp_pgp_keys",
name: "Robo-FTP PGP Keys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\PGP Keys\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Shared PGP Keys\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Application-wide Robo-FTP debug logs under `ProgramData\Debug`.
pub(crate) static KAPE_FILE_DEBUG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_debug",
name: "Robo-FTP Debug Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\Debug\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Debug logs generated by Robo-FTP\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Application-wide Robo-FTP script/trace logs under `ProgramData\Logs`.
pub(crate) static KAPE_FILE_ROBO_FTP_SCRIPT_TRAC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_robo_ftp_script_trac",
name: "Robo-FTP Script/Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\Logs\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Script and Trace logs generated by Robo-FTP\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Application-wide Robo-FTP `config.xml` under `ProgramData` (custom script and
/// FTP site list).
pub(crate) static KAPE_FILE_PROGRAMDATA_CONFIG_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_config_xml",
name: "Robo-FTP XML Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\\"config.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Config.xml. Contains list of custom scripts and ftp sites\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Robo-FTP scheduler database (`SchedulerService.sqlite`) under `ProgramData`,
/// described upstream as holding scheduled job details.
pub(crate) static KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_programdata_schedulerservice_sqlite",
name: "Robo-FTP Jobs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Program Files\\Robo-FTP 3.12\\ProgramData\\\"SchedulerService.sqlite\"",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains details of scheduled jobs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Robo-FTP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// RustDesk descriptors, both from the KAPE `RustDesk.tkape` target. Both carry
// the same display name ("RustDesk logs"); they are distinguished by `id` and by
// the profile the path lives in (interactive user vs. LocalService).

/// Per-user RustDesk roaming data directory (the whole directory is collected).
pub(crate) static KAPE_FILE_ROAMING_RUSTDESK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_rustdesk",
name: "RustDesk logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\RustDesk\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects all log files related to RustDesk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RustDesk.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RustDesk service-side logs under the LocalService profile (`log\server`),
/// i.e. the unattended/service installation rather than a user session.
pub(crate) static KAPE_FILE_LOG_SERVER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_server",
name: "RustDesk logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\RustDesk\\log\\server",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects all log files related to RustDesk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RustDesk.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
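// SSH-tunnel / pivoting command artifacts, all from the KAPE
// `SSHTunnelCommandArtifacts.tkape` target.
//
// NOTE(review): the generator dropped the `\` between the KAPE `Path` and
// `FileMask` fields for every entry in this group (e.g. `%user%.bash_history`,
// `.sshknown_hosts`, `PSReadLineConsoleHost_history.txt`), so none of the
// original paths could ever match on disk. They are corrected by hand below;
// the generator must be fixed before this file is regenerated or the fix is lost.

/// PSReadLine console history (`PSReadLine\ConsoleHost_history.txt`) for each
/// user profile; upstream flags it for ssh/plink/pivot-tool command lines.
pub(crate) static KAPE_FILE_POWERSHELL_PSREADLINECONSOLEHOST_HISTORY_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_psreadlineconsolehost_history_txt",
name: "PowerShell ConsoleHost history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `PSReadLine` is a directory; separator restored before `ConsoleHost_history.txt`.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell command history may contain ssh, plink, and pivot tool commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.bash_history` at the root of each user profile.
pub(crate) static KAPE_FILE_USERS_USER_BASH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_bash_history",
name: "Bash history in user profiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the dotfile.
file_path: Some("C:\\Users\\%user%\\.bash_history"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bash history may contain ssh tunneling and pivot commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.zsh_history` at the root of each user profile.
pub(crate) static KAPE_FILE_USERS_USER_ZSH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_zsh_history",
name: "Zsh history in user profiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the dotfile.
file_path: Some("C:\\Users\\%user%\\.zsh_history"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Zsh history may contain ssh tunneling and pivot commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.ps1` scripts in each user profile.
pub(crate) static KAPE_FILE_USERS_USER_PS1: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_ps1",
name: "User PowerShell scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the file mask.
file_path: Some("C:\\Users\\%user%\\\"*.ps1\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User-created PowerShell scripts may contain pivoting commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.bat` scripts in each user profile.
pub(crate) static KAPE_FILE_USERS_USER_BAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_bat",
name: "User batch scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the file mask.
file_path: Some("C:\\Users\\%user%\\\"*.bat\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Batch scripts may contain ssh, plink, or netsh portproxy commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.cmd` scripts in each user profile.
pub(crate) static KAPE_FILE_USERS_USER_CMD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_cmd",
name: "User command scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the file mask.
file_path: Some("C:\\Users\\%user%\\\"*.cmd\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CMD scripts may contain ssh, plink, or netsh portproxy commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.sh` scripts in each user profile.
pub(crate) static KAPE_FILE_USERS_USER_SH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user_sh",
name: "User shell scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the profile directory and the file mask.
file_path: Some("C:\\Users\\%user%\\\"*.sh\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Shell scripts may contain ssh tunneling and proxy commands",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.ssh\known_hosts` in each user profile (servers previously connected to).
pub(crate) static KAPE_FILE_USER_SSHKNOWN_HOSTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_sshknown_hosts",
name: "SSH known_hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `.ssh` is a directory; separator restored before `known_hosts`.
file_path: Some("C:\\Users\\%user%\\.ssh\\known_hosts"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "known_hosts records SSH servers previously connected to",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.ssh\config` in each user profile (may carry port-forwarding settings).
pub(crate) static KAPE_FILE_USER_SSHCONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_sshconfig",
name: "SSH config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `.ssh` is a directory; separator restored before `config`.
file_path: Some("C:\\Users\\%user%\\.ssh\\config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SSH config may contain port forwarding or tunneling settings",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Everything under `.ssh` in each user profile. This can include private keys;
/// handle the collected files as sensitive evidence.
pub(crate) static KAPE_FILE_USER_SSH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_ssh",
name: "SSH directory artifacts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Separator restored between the `.ssh` directory and the `*` mask.
file_path: Some("C:\\Users\\%user%\\.ssh\\\"*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SSH directory may contain keys, configs, and other connection artifacts",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SSHTunnelCommandArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};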
// ScreenConnect descriptors, all from the KAPE `ScreenConnect.tkape` target.

/// ScreenConnect server `App_Data\Session.db` (SQLite session information)
/// under the Program Files install.
pub(crate) static KAPE_FILE_APP_DATA_SESSION_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_app_data_session_db",
name: "ScreenConnect Session Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"SQLite database with session information\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScreenConnect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// ScreenConnect server `App_Data\User.xml` (per-user last-authenticated time).
// NOTE(review): `name` repeats "ScreenConnect Session Database" from the
// Session.db entry above although this is User.xml — presumably copied from the
// upstream target; confirm against the tkape before relying on `name` for display.
pub(crate) static KAPE_FILE_APP_DATA_USER_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_app_data_user_xml",
name: "ScreenConnect Session Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains each user's last authenticated time\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScreenConnect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// ScreenConnect entries in the Application event log.
// NOTE(review): `file_path` holds the name of another KAPE target
// (`ApplicationEvents.tkape`) rather than an on-disk path — this is how compound
// target references are emitted. Consumers that treat `file_path` as a filesystem
// glob must special-case the `.tkape` suffix.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape_4",
name: "ScreenConnect Application Events",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains ScreenConnect entries, source: ScreenConnect Client\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScreenConnect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// ScreenConnect client `user.config` under ProgramData (server domain/IP info);
/// the `*` in the directory name covers the per-instance suffix of the client folder.
pub(crate) static KAPE_FILE_SCREENCONNECT_CLIENT_USER_CONFIG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_screenconnect_client_user_config",
name: "ScreenConnect User Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ScreenConnect Client*\\user.config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains server domain and IP info\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScreenConnect.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_ROAMING_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_session",
name: "Session App Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Session\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Session App Folder\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Session.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_DOCUMENTS_SHAREX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_documents_sharex",
name: "ShareX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\ShareX"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates and captures all files within the default ShareX folder path\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ShareX.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SiemensTIA.tkape` target: Siemens TIA Portal per-user settings.
///
/// The `Portal*` wildcard covers the versioned `Portal Vxx` directory names, so
/// one descriptor matches every installed TIA Portal version. `meaning` is the
/// generator's fallback text (no upstream description was available).
pub(crate) static KAPE_FILE_PORTAL_SETTINGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_portal_settings",
name: "Siemens TIA Settings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Siemens\\Automation\\Portal*\\Settings\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Siemens TIA Settings — collected by KAPE SiemensTIA target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SiemensTIA.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Signal.tkape` target: Signal Desktop's `attachments.noindex\` cache.
///
/// Per the upstream description this holds contact profile pictures and possibly
/// attachments. Sibling descriptors from the same target cover the logs,
/// `config.json` and `sql\db.sqlite`.
pub(crate) static KAPE_FILE_SIGNAL_ATTACHMENTS_NOINDEX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signal_attachments_noindex",
name: "Signal Attachments cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Signal\\attachments.noindex\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Signal.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Signal.tkape` target: Signal Desktop's `logs\` directory.
///
/// Upstream notes the rotation scheme: the current file is `.log`, older ones
/// `.log.0`, `.log.1`, ... — the whole directory is collected so rotated files are kept.
pub(crate) static KAPE_FILE_SIGNAL_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signal_logs",
name: "Signal Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Signal\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Logs for Signal. Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Signal.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
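/// KAPE `Signal.tkape` target: Signal Desktop's `config.json`.
///
/// Per the upstream description this file holds the SQLCipher raw key for
/// `sql\db.sqlite` (see `KAPE_FILE_SQL_DB_SQLITE`), i.e. the collected copy is
/// key material, not just configuration. The generator emits it with
/// `TriagePriority::Low` and no `evidence_caveats`; review whether that reflects
/// how the collected evidence should be stored and accessed.
///
/// The generated `file_path` carried the tkape FileMask's YAML quotes into the
/// path (`...\Signal\"config.json"`), which can never match a real file name.
// NOTE(review): quotes stripped by hand; fix the ingest's FileMask quote handling,
// otherwise `cargo run -p ingest` reintroduces them on regeneration.
pub(crate) static KAPE_FILE_SIGNAL_CONFIG_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signal_config_json",
name: "Signal config.json",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Signal\\config.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "config.json holds the db.sqlite SQLCipher raw key",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Signal.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};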
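/// KAPE `Signal.tkape` target: Signal Desktop's message database `sql\db.sqlite`.
///
/// Upstream describes it as holding attachment details, conversations and
/// messages. Its SQLCipher key lives in `config.json`
/// (`KAPE_FILE_SIGNAL_CONFIG_JSON`), so the two are only useful together.
///
/// The generated `file_path` carried the tkape FileMask's YAML quotes into the
/// path (`...\sql\"db.sqlite"`), which can never match a real file name.
// NOTE(review): quotes stripped by hand; fix the ingest's FileMask quote handling,
// otherwise `cargo run -p ingest` reintroduces them on regeneration.
pub(crate) static KAPE_FILE_SQL_DB_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sql_db_sqlite",
name: "Signal Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Signal\\sql\\db.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Stores attachment details, conversations, messages, and more",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Signal.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};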
/// KAPE `SimpleHelp.tkape` target: machine-wide JWrapper logs of the SimpleHelp
/// remote-access agent under `ProgramData`.
///
/// Upstream describes these as application and connectivity logs. The
/// technician-side counterpart is `KAPE_FILE_JWRAPPER_SIMPLEHELP_TECHNICIAN_LOGS`.
pub(crate) static KAPE_FILE_JWRAPPER_REMOTE_ACCESS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_jwrapper_remote_access_logs",
name: "SimpleHelp - ProgramData - JWrapper Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\JWrapper-Remote Access\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects application and connectivity logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SimpleHelp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SimpleHelp.tkape` target: SimpleHelp's own log directory under `ProgramData`.
///
/// Same upstream description as the JWrapper logs ("application and connectivity
/// logs"); both are machine-wide and independent of `%user%`.
pub(crate) static KAPE_FILE_SIMPLEHELP_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_simplehelp_logs",
name: "SimpleHelp - ProgramData - SimpleHelp Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\SimpleHelp\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects application and connectivity logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SimpleHelp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SimpleHelp.tkape` target: per-user logs of the SimpleHelp Technician
/// Console (the operator side of the remote-access tool).
///
/// Located under the user's `Roaming` profile, unlike the two `ProgramData`
/// descriptors from the same target.
pub(crate) static KAPE_FILE_JWRAPPER_SIMPLEHELP_TECHNICIAN_LOGS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_jwrapper_simplehelp_technician_logs",
name: "SimpleHelp - User AppData - Technician Console Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\JWrapper-SimpleHelp Technician\\logs\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects technician console logs\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SimpleHelp.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: `main.db` of the Store (UWP) Skype app before v12.
///
/// The `Microsoft.SkypeApp_*` and `LocalState\*` wildcards cover the package
/// suffix and the per-account subfolder. `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_MAIN_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_main_db",
name: "main.db (App <v12)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.SkypeApp_*\\LocalState\\*\\main.db",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "main.db (App <v12) — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: `skype.db` of the Store (UWP) Skype app from v12 on.
///
/// Same package location as `KAPE_FILE_MAIN_DB`; only the database file name
/// differs between the pre- and post-v12 app versions.
pub(crate) static KAPE_FILE_SKYPE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_skype_db",
name: "skype.db (App +v12)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.SkypeApp_*\\LocalState\\*\\skype.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "skype.db (App +v12) — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: classic Skype `main.db` at the Windows XP profile location.
///
/// NOTE(review): the path (`Documents and Settings\...\Application Data`) is the
/// pre-Vista profile layout, yet `os_scope` is `OsScope::Win7Plus` like every
/// other generated entry — confirm whether `OsScope` has a variant that fits and
/// whether the ingest should set it here.
pub(crate) static KAPE_FILE_MAIN_DB_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_main_db_xp",
name: "main.db XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Skype\\*\\main.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "main.db XP — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: classic (desktop) Skype `main.db` under the user's
/// `Roaming\Skype\<account>\` folder on Windows 7 and later.
///
/// The `*` stands for the Skype account-name subfolder.
pub(crate) static KAPE_FILE_MAIN_DB_WIN7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_main_db_win7",
name: "main.db Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Skype\\*\\main.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "main.db Win7+ — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: `s4l-<username>.db` of the Store Skype app from v8 on.
///
/// Matched with the `s4l-*.db` mask directly under `LocalState` (no per-account
/// subfolder, unlike `KAPE_FILE_MAIN_DB` / `KAPE_FILE_SKYPE_DB`).
pub(crate) static KAPE_FILE_LOCALSTATE_S4L_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_s4l_db",
name: "s4l-[username].db (App +v8)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.SkypeApp_*\\LocalState\\s4l-*.db",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "s4l-[username].db (App +v8) — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: IndexedDB LevelDB stores of Skype for Desktop v8+.
///
/// The `*.leveldb\` mask selects the per-origin LevelDB directories inside
/// `IndexedDB`; each is collected as a directory.
pub(crate) static KAPE_FILE_INDEXEDDB_LEVELDB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_leveldb",
name: "leveldb (Skype for Desktop +v8)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Skype for Desktop\\IndexedDB\\*.leveldb\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "leveldb (Skype for Desktop +v8) — collected by KAPE Skype target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Skype.tkape` target: Chromium-style `Cache\` of Skype for Desktop v8+.
///
/// Upstream suggests viewing it with a Chrome cache viewer. The `name` string
/// keeps the upstream spelling ("Destkop") verbatim; it is data, not a typo to fix here.
pub(crate) static KAPE_FILE_SKYPE_FOR_DESKTOP_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_skype_for_desktop_cache",
name: "Skype for Destkop v8+ Chromium Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Skype for Desktop\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Can be viewed with Nirsoft's ChromeCacheView",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Skype.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Slack.tkape` target: Slack desktop's `IndexedDB\` directory.
///
/// Upstream labels this the chat-log location. The other Slack descriptors from
/// the same target cover `Local Storage\leveldb`, `logs`, `Cache` and `storage`.
pub(crate) static KAPE_FILE_SLACK_INDEXEDDB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_slack_indexeddb",
name: "Slack - Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Slack\\IndexedDB\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Slack logs and copies them\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Slack.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Slack.tkape` target: Slack desktop's `Local Storage\leveldb` directory.
///
/// The `_4` suffix on the identifier is the generator's disambiguation against
/// other `Local Storage\leveldb` entries from different targets. `meaning` is the
/// generator's fallback text.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_4",
name: "Slack LevelDB Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Slack\\Local Storage\\leveldb"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Slack LevelDB Files — collected by KAPE Slack target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Slack.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Slack.tkape` target: Electron framework logs of the Slack desktop client.
///
/// Upstream notes these are additional to the chat data and come from the
/// Electron runtime rather than Slack itself.
pub(crate) static KAPE_FILE_SLACK_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_slack_logs",
name: "Slack Electron Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Slack\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Current Slack application is based on Electron and additional logging can be found here.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Slack.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Slack.tkape` target: Slack desktop's Chromium-style `Cache` directory.
///
/// One of two Slack entries the generator rates `TriagePriority::Medium` (the
/// other is `KAPE_FILE_SLACK_STORAGE`); upstream says it parses like a Chrome
/// browser cache.
pub(crate) static KAPE_FILE_SLACK_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_slack_cache",
name: "Slack Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Slack\\Cache"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Slack.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Slack.tkape` target: Slack desktop's `storage\` directory.
///
/// Upstream notes user-activity logs including the `slack-downloads` log may be
/// present, which is why it is rated `TriagePriority::Medium` rather than Low.
pub(crate) static KAPE_FILE_SLACK_STORAGE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_slack_storage",
name: "Slack Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Slack\\storage\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"User activity logs can be present including slack-downloads log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Slack.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Snagit.tkape` target: TechSmith Snagit's `DataStore` of captures.
///
/// Collected as a whole directory from the user's `Local` profile.
pub(crate) static KAPE_FILE_SNAGIT_DATASTORE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snagit_datastore",
name: "Snagit - Captures",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\TechSmith\\Snagit\\DataStore"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all Snagit captures\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Snagit.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
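/// KAPE `SoftPerfectNetscan.tkape` target: the default `netscan.xml` output of
/// SoftPerfect Network Scanner at the volume root.
///
/// The presence of this file is a common indicator of host-discovery activity
/// by the tool during an incident. `meaning` is the generator's fallback text.
///
/// The generated `file_path` carried the tkape FileMask's YAML quotes into the
/// path (`C:\'netscan.xml'`), which can never match a real file name.
// NOTE(review): quotes stripped by hand; fix the ingest's FileMask quote handling,
// otherwise `cargo run -p ingest` reintroduces them on regeneration.
pub(crate) static KAPE_FILE_C_NETSCAN_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_netscan_xml",
name: "Netscan XML default output",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\netscan.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Netscan XML default output — collected by KAPE SoftPerfectNetscan target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SoftPerfectNetscan.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};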
/// KAPE `SpeedCommander.tkape` target: configuration folder of SpeedCommander 19.
///
/// Despite the `.ini File` in `name`, the path is the whole version-specific
/// `SpeedCommander 19\` directory (upstream: "folder where all configuration
/// files reside"); other versions are not covered by this entry.
pub(crate) static KAPE_FILE_SPEEDPROJECT_SPEEDCOMMANDER_19: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_speedproject_speedcommander_19",
name: "SpeedCommander - .ini File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\SpeedProject\\SpeedCommander 19\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates folder where all configuration files reside\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SpeedCommander.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Splashtop.tkape` target: Splashtop Remote server (streamer) logs under
/// the installation directory.
///
/// `Program Files*` matches both the 64-bit and `(x86)` program directories.
/// Three sibling descriptors cover the `ProgramData` temp logs, the Gateway
/// logs and the legacy Enterprise/Business client logs.
pub(crate) static KAPE_FILE_SERVER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_server_log",
name: "Splashtop Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Splashtop\\Splashtop Remote\\Server\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects logs for Splashtop\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Splashtop.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Splashtop.tkape` target: Splashtop logs written to `ProgramData\Splashtop\Temp\log`.
///
/// Machine-wide location, independent of `%user%`; same upstream description as
/// `KAPE_FILE_SERVER_LOG`.
pub(crate) static KAPE_FILE_TEMP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_log",
name: "Splashtop Log Files in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Splashtop\\Temp\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects logs for Splashtop\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Splashtop.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Splashtop.tkape` target: Splashtop Gateway logs under the installation directory.
///
/// The Gateway is the self-hosted relay component; its logs sit next to the
/// server logs (`KAPE_FILE_SERVER_LOG`) under `Splashtop Remote\`.
pub(crate) static KAPE_FILE_SPLASHTOP_GATEWAY_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_splashtop_gateway_log",
name: "Splashtop Gateway Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Splashtop\\Splashtop Remote\\Splashtop Gateway\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects logs for Splashtop Gateway\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Splashtop.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Splashtop.tkape` target: logs of the legacy Splashtop Enterprise/Business
/// client (`Splashtop Remote Client for ST*`) under `ProgramData`.
///
/// The generic identifier `KAPE_FILE_LOG` is what the generator derived from the
/// trailing `log` path component; the `name` carries the distinguishing detail.
pub(crate) static KAPE_FILE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log",
name: "Splashtop Enterprise/Business(legacy) Log Files in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Splashtop\\Splashtop Remote Client for ST*\\*\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects logs for Splashtop Enterprise/Business(legacy)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Splashtop.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: Steam library image cache (64-bit `Program Files`).
///
/// The `Program Files (x86)` counterpart is `KAPE_FILE_STEAM_GAME_IMAGE_FIL`;
/// the generator emits each Steam path twice because the tkape lists both roots.
pub(crate) static KAPE_FILE_APPCACHE_LIBRARYCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_appcache_librarycache",
name: "Steam Game Image files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\appcache\\librarycache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing image resources of installed/uninstalled games.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `config\loginusers.vdf` (64-bit `Program Files`).
///
/// Upstream: holds the Steam username and persona name, i.e. account
/// attribution for the machine. `(x86)` counterpart: `KAPE_FILE_STEAM_LOGIN_METADATA`.
pub(crate) static KAPE_FILE_CONFIG_LOGINUSERS_VDF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_loginusers_vdf",
name: "Steam Login Metadata file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\config\\loginusers.vdf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates file containing Steam username and persona name.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: per-account `userdata\*\config\localconfig.vdf`
/// (64-bit `Program Files`).
///
/// Upstream: friend list and username history, which is why this is the only
/// Steam entry rated `TriagePriority::Medium`. `(x86)` counterpart:
/// `KAPE_FILE_STEAM_FRIEND_LIST_AN`.
pub(crate) static KAPE_FILE_CONFIG_LOCALCONFIG_VDF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_localconfig_vdf",
name: "Steam Friend List and Username History file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\userdata\\*\\config\\localconfig.vdf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates file containing Steam Friend List and Username History.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `config\avatarcache\` (64-bit `Program Files`).
///
/// Cached avatar images for the account and its contacts. `(x86)` counterpart:
/// `KAPE_FILE_STEAM_USER_AVATAR_FI`.
pub(crate) static KAPE_FILE_CONFIG_AVATARCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_avatarcache",
name: "Steam User Avatar files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\config\\avatarcache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing avatar cache.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `steam\games\` tray-icon directory (64-bit `Program Files`).
///
/// Icon files present here reflect games that were installed at some point.
/// `(x86)` counterpart: `KAPE_FILE_STEAM_GAME_TRAY_ICON`.
pub(crate) static KAPE_FILE_STEAM_GAMES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_games",
name: "Steam Game Tray Icon files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\steam\\games\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing game icons appearing from tray menu.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `logs\bootstrap_log.txt` (64-bit `Program Files`).
///
/// Despite the upstream wording ("directory containing log"), the path is a
/// single file; it records Steam client startup times. `(x86)` counterpart:
/// `KAPE_FILE_STEAM_STARTUP_TIMES`.
pub(crate) static KAPE_FILE_LOGS_BOOTSTRAP_LOG_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_bootstrap_log_txt",
name: "Steam Startup Times Log file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Steam\\logs\\bootstrap_log.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing log for Steam startup times.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: Steam library image cache (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_APPCACHE_LIBRARYCACHE`. The truncated identifier
/// (`..._FIL`) comes from the generator deriving the id from the display name.
pub(crate) static KAPE_FILE_STEAM_GAME_IMAGE_FIL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_game_image_fil",
name: "Steam Game Image files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\appcache\\librarycache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing image resources of installed/uninstalled games.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `config\loginusers.vdf` (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_CONFIG_LOGINUSERS_VDF`; same username / persona
/// name content per upstream.
pub(crate) static KAPE_FILE_STEAM_LOGIN_METADATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_login_metadata",
name: "Steam Login Metadata file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\config\\loginusers.vdf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates file containing Steam username and persona name.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: per-account `localconfig.vdf` (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_CONFIG_LOCALCONFIG_VDF`, likewise rated
/// `TriagePriority::Medium` for the friend list and username history it holds.
pub(crate) static KAPE_FILE_STEAM_FRIEND_LIST_AN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_friend_list_an",
name: "Steam Friend List and Username History file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\userdata\\*\\config\\localconfig.vdf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates file containing Steam Friend List and Username History.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `config\avatarcache\` (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_CONFIG_AVATARCACHE`.
pub(crate) static KAPE_FILE_STEAM_USER_AVATAR_FI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_user_avatar_fi",
name: "Steam User Avatar files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\config\\avatarcache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing avatar cache.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `steam\games\` tray-icon directory (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_STEAM_GAMES`.
pub(crate) static KAPE_FILE_STEAM_GAME_TRAY_ICON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_game_tray_icon",
name: "Steam Game Tray Icon files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\steam\\games\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing game icons appearing from tray menu.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Steam.tkape` target: `logs\bootstrap_log.txt` (`Program Files (x86)`).
///
/// `(x86)` twin of `KAPE_FILE_LOGS_BOOTSTRAP_LOG_TXT`; a single file recording
/// client startup times, despite the upstream "directory" wording.
pub(crate) static KAPE_FILE_STEAM_STARTUP_TIMES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_steam_startup_times",
name: "Steam Startup Times Log file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files (x86)\\Steam\\logs\\bootstrap_log.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the directory containing log for Steam startup times.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Steam.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SublimeText.tkape` target: Sublime Text 2/3 `Settings\Session.sublime_session`.
///
/// Upstream notes this session file holds the content of unsaved (temporary)
/// editor buffers, so it can contain text that never reached disk as a file.
/// The `Sublime Text*` wildcard covers the version-suffixed profile folders;
/// the v4 layout is `KAPE_FILE_LOCAL_SUBLIME_SESSION`.
pub(crate) static KAPE_FILE_SETTINGS_SESSION_SUBLIME_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_session_sublime_session",
name: "SublimeText 2/3 Auto Save Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Sublime Text*\\Settings\\Session.sublime_session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SublimeText.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
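/// KAPE `SublimeText.tkape` target: Sublime Text 4 `Local\*.sublime_session` files.
///
/// Upstream notes these hold the content of unsaved (temporary) editor buffers.
/// The 2/3 layout is `KAPE_FILE_SETTINGS_SESSION_SUBLIME_SESSION`.
///
/// The generated `file_path` carried the tkape FileMask's YAML quotes into the
/// glob (`Local\'*.sublime_session'`), so the mask would never match.
// NOTE(review): quotes stripped by hand; fix the ingest's FileMask quote handling,
// otherwise `cargo run -p ingest` reintroduces them on regeneration.
pub(crate) static KAPE_FILE_LOCAL_SUBLIME_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_sublime_session",
name: "SublimeText 4 Auto Save Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Sublime Text*\\Local\\*.sublime_session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Sublime Text 4 stores unsaved (temporary) files and its content in its .sublime_session files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SublimeText.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};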
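/// KAPE `SugarSync.tkape` target: the SugarSync client log `sc1.log`.
///
/// Upstream describes it as a play-by-play of what the user synced and when,
/// which makes it the timeline source for the two folder descriptors from the
/// same target (`KAPE_FILE_DOCUMENTS_SUGARSYNC_SHARED_FOLDERS`,
/// `KAPE_FILE_DOCUMENTS_MY_SUGARSYNC`).
///
/// The generated `file_path` carried the tkape FileMask's YAML quotes into the
/// path (`SugarSync\'sc1.log'`), which can never match a real file name.
// NOTE(review): quotes stripped by hand; fix the ingest's FileMask quote handling,
// otherwise `cargo run -p ingest` reintroduces them on regeneration.
pub(crate) static KAPE_FILE_SUGARSYNC_SC1_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sugarsync_sc1_log",
name: "SugarSync Log File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\SugarSync\\sc1.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a log file the gives a play-by-play of what the user synced when.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SugarSync.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};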
/// KAPE `SugarSync` target entry: the default "SugarSync Shared Folders"
/// directory under the user's Documents folder.
pub(crate) static KAPE_FILE_DOCUMENTS_SUGARSYNC_SHARED_FOLDERS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_documents_sugarsync_shared_folders",
    name: "SugarSync - Shared Folders (Default Location)",
    meaning: "SugarSync - Shared Folders (Default Location) — collected by KAPE SugarSync target",
    artifact_type: ArtifactType::File,
    // Trailing backslash is part of the value: the target names a directory.
    file_path: Some(r"C:\Users\%user%\Documents\SugarSync Shared Folders\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SugarSync.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `SugarSync` target entry: the default "My SugarSync" directory under
/// the user's Documents folder.
pub(crate) static KAPE_FILE_DOCUMENTS_MY_SUGARSYNC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_documents_my_sugarsync",
    name: "SugarSync - My SugarSync (Default Location)",
    meaning: "SugarSync - My SugarSync (Default Location) — collected by KAPE SugarSync target",
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\Documents\My SugarSync\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SugarSync.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
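/// KAPE `SumatraPDF` target entry: the `SumatraPDF-settings.txt` file, which
/// carries session data from the previous run.
pub(crate) static KAPE_FILE_LOCAL_SUMATRAPDFSUMATRAPDF_SETTINGS_TXT: ArtifactDescriptor = ArtifactDescriptor {
    // `id` is left as generated (callers key on it) even though it carries the same
    // fused "SumatraPDFSumatraPDF" token that the path fix below corrects.
    id: "kape_file_local_sumatrapdfsumatrapdf_settings_txt",
    name: "SumatraPDF Settings - SessionData",
    meaning: "Settings file which contains information about previous user session",
    artifact_type: ArtifactType::File,
    // Fixed: the generated value fused the directory and the file name into
    // "SumatraPDFSumatraPDF-settings.txt". The sibling cache descriptor shows the
    // directory is `...\Local\SumatraPDF\`; the generator that joins directory and
    // file mask needs the same separator fix.
    file_path: Some(r"C:\Users\%user%\AppData\Local\SumatraPDF\SumatraPDF-settings.txt"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SumatraPDF.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};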
/// KAPE `SumatraPDF` target entry: the `sumatrapdfcache` folder holding PNG
/// snapshots of documents open at last close.
pub(crate) static KAPE_FILE_SUMATRAPDF_SUMATRAPDFCACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sumatrapdf_sumatrapdfcache",
    name: "SumatraPDF Cache",
    meaning: "Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close",
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\SumatraPDF\sumatrapdfcache"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SumatraPDF.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
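/// KAPE `SupremoRemoteDesktop` target entry: Supremo connection logs
/// (`*.log` under the `Log` directory in ProgramData). Remote-access tool
/// logs of this kind record inbound/outbound sessions and are a common
/// pivot for scoping remote-control activity.
pub(crate) static KAPE_FILE_SUPREMOREMOTEDESKTOP_LOG_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_supremoremotedesktop_log_log",
    name: "Supremo Connection Logs",
    meaning: r#""Includes Supremo.00.Client.log and Supremo.00.Incoming.log""#,
    artifact_type: ArtifactType::File,
    // Fixed: the generated value had no separator between the `Log` directory and
    // the quoted file mask (`Log'*.log'`). Sibling entries (e.g. `...\SugarSync\'sc1.log'`)
    // show the expected `dir\'mask'` shape; the generator needs the same fix.
    file_path: Some(r"C:\ProgramData\SupremoRemoteDesktop\Log\'*.log'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SupremoRemoteDesktop.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};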
/// KAPE `SupremoRemoteDesktop` target entry: the Supremo file-transfer inbox
/// directory (files received during remote sessions).
pub(crate) static KAPE_FILE_SUPREMOREMOTEDESKTOP_INBOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_supremoremotedesktop_inbox",
    name: "Supremo File Transfer Inbox",
    meaning: r#""Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\ProgramData\SupremoRemoteDesktop\Inbox"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SupremoRemoteDesktop.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Syncthing` target entry: the Syncthing configuration and certificate
/// folder in the user's Local profile.
pub(crate) static KAPE_FILE_LOCAL_SYNCTHING: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_syncthing",
    name: "Syncthing Configuration and Certificates",
    meaning: r#""Folder storing Syncthing configuration and certificates""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Syncthing\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Syncthing.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Syncthing` target entry: the SyncTrazor (Syncthing GUI wrapper)
/// session/storage cache folder in the user's Local profile.
pub(crate) static KAPE_FILE_LOCAL_SYNCTRAZOR: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_synctrazor",
    name: "Syncthing Cache and Storage",
    meaning: r#""Folder storing session and storage cache""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\SyncTrazor\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Syncthing.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Syncthing` target entry: SyncTrazor session logs in the user's
/// Roaming profile.
pub(crate) static KAPE_FILE_ROAMING_SYNCTRAZOR: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_synctrazor",
    name: "Syncthing Logs",
    meaning: r#""Folder storing Syncthing session logs""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\SyncTrazor\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Syncthing.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
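/// KAPE `TablacusExplorer` target entry: the portable explorer's `remember.xml`
/// config, found under a per-run subfolder of the user's Temp directory.
pub(crate) static KAPE_FILE_CONFIG_REMEMBER_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_remember_xml",
    name: "Tablacus Explorer - remember.xml",
    meaning: "Tablacus Explorer - remember.xml — collected by KAPE TablacusExplorer target",
    artifact_type: ArtifactType::File,
    // Fixed: the generated value had no separator between the `config` directory and
    // the quoted file mask (`config'remember.xml'`). The same defect affects the
    // window.xml and window1.xml siblings; the generator that joins directory and
    // mask needs the separator fix.
    file_path: Some(r"C:\Users\%user%\AppData\Local\Temp\*\config\'remember.xml'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TablacusExplorer.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};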
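/// KAPE `TablacusExplorer` target entry: the portable explorer's `window.xml`
/// config, found under a per-run subfolder of the user's Temp directory.
pub(crate) static KAPE_FILE_CONFIG_WINDOW_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_window_xml",
    name: "Tablacus Explorer - window.xml",
    meaning: "Tablacus Explorer - window.xml — collected by KAPE TablacusExplorer target",
    artifact_type: ArtifactType::File,
    // Fixed: separator restored between the `config` directory and the quoted file
    // mask (generated value was `config'window.xml'`).
    file_path: Some(r"C:\Users\%user%\AppData\Local\Temp\*\config\'window.xml'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TablacusExplorer.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};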
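/// KAPE `TablacusExplorer` target entry: the portable explorer's `window1.xml`
/// config, found under a per-run subfolder of the user's Temp directory.
pub(crate) static KAPE_FILE_CONFIG_WINDOW1_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_window1_xml",
    name: "Tablacus Explorer - window1.xml",
    meaning: "Tablacus Explorer - window1.xml — collected by KAPE TablacusExplorer target",
    artifact_type: ArtifactType::File,
    // Fixed: separator restored between the `config` directory and the quoted file
    // mask (generated value was `config'window1.xml'`).
    file_path: Some(r"C:\Users\%user%\AppData\Local\Temp\*\config\'window1.xml'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TablacusExplorer.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};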
/// KAPE `TeamViewerLogs` target entry: TeamViewer connection logs
/// (`connections*.txt`) in the install directory; these record remote
/// sessions and are a primary source when scoping remote-access activity.
pub(crate) static KAPE_FILE_TEAMVIEWER_CONNECTIONS_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_teamviewer_connections_txt",
    name: "TeamViewer Connection Logs",
    meaning: r#""Includes connections_incoming.txt and connections.txt""#,
    artifact_type: ArtifactType::File,
    // `Program Files*` covers both the 32- and 64-bit program directories.
    file_path: Some(r"C:\Program Files*\TeamViewer\'connections*.txt'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TeamViewerLogs.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TeamViewerLogs` target entry: TeamViewer application log files
/// (`TeamViewer*_Logfile*`) in the install directory.
pub(crate) static KAPE_FILE_TEAMVIEWER_TEAMVIEWER_LOGFILE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_teamviewer_teamviewer_logfile",
    name: "TeamViewer Application Logs",
    meaning: r#""Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Program Files*\TeamViewer\'TeamViewer*_Logfile*'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TeamViewerLogs.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TeamViewerLogs` target entry: the per-user copy of the TeamViewer
/// application log in the Roaming profile.
pub(crate) static KAPE_FILE_TEAMVIEWER_APPLICATI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_teamviewer_applicati",
    name: "TeamViewer Application User Logs",
    meaning: r#""Alternate location for TeamViewer<version>_Logfile.log""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\TeamViewer\'TeamViewer*_Logfile*'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TeamViewerLogs.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TeamViewerLogs` target entry: TeamViewer's `MRU\RemoteSupport`
/// configuration folder in the user's Roaming profile.
pub(crate) static KAPE_FILE_MRU_REMOTESUPPORT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_mru_remotesupport",
    name: "TeamViewer Configuration Files",
    meaning: r#""Includes miscellaneous config files""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\TeamViewer\MRU\RemoteSupport\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TeamViewerLogs.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Telegram` target entry: the Telegram Desktop application folder in
/// the user's Roaming profile.
pub(crate) static KAPE_FILE_ROAMING_TELEGRAM_DESKTOP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_telegram_desktop",
    name: "Telegram app folder",
    meaning: r#""Telegram app folder structure""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Telegram Desktop\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Telegram.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Telegram` target entry: Telegram Desktop's download folder (chat
/// attachments saved to disk). Rated Medium, unlike the app folder sibling.
pub(crate) static KAPE_FILE_DOWNLOADS_TELEGRAM_DESKTOP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloads_telegram_desktop",
    name: "Telegram downloaded files",
    meaning: r#""Chat Attachments""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\Downloads\Telegram Desktop\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Telegram.tkape"],
    triage_priority: TriagePriority::Medium,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TeraCopy` target entry: the TeraCopy data folder in the user's
/// Roaming profile.
pub(crate) static KAPE_FILE_ROAMING_TERACOPY: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_roaming_teracopy",
    name: "TeraCopy",
    meaning: "TeraCopy — collected by KAPE TeraCopy target",
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\TeraCopy\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TeraCopy.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the `InstallTime*` marker files in the
/// Crash Reports folder (install time as a Unix-seconds timestamp).
pub(crate) static KAPE_FILE_CRASH_REPORTS_INSTALLTIME: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_crash_reports_installtime",
    name: "Mozilla Thunderbird Install Date",
    meaning: r#""Holds install time in Unix Seconds timestamp""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Thunderbird\Crash Reports\'InstallTime*'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: `profiles.ini`, the profile index that may
/// point at profiles stored outside the default location.
pub(crate) static KAPE_FILE_THUNDERBIRD_PROFILES_INI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_thunderbird_profiles_ini",
    name: "Mozilla Thunderbird Profiles.ini",
    meaning: r#""Profiles list - can hold references to other profiles held elsewhere on the device""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Thunderbird\'profiles.ini'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile `prefs.js` preferences file.
pub(crate) static KAPE_FILE_PREFS_JS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_prefs_js",
    name: "Mozilla Thunderbird prefs.js",
    meaning: r#""User Preferences for that profile""#,
    artifact_type: ArtifactType::File,
    // The double quotes around the file name are part of the generated value.
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\"prefs.js""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile `global-messages-db.sqlite`
/// (Gloda) message index.
pub(crate) static KAPE_FILE_GLOBAL_MESSAGES_DB_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_global_messages_db_sqlite",
    name: "Mozilla Thunderbird Global Messages Database",
    meaning: r#""Holds list of contacts, emails, and other potentially useful artifacts""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\"global-messages-db.sqlite""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile `logins.json` credential
/// store. Rated Critical with definitive evidence strength; the caveat records
/// that stored passwords are encrypted and only the last-use timestamp is
/// directly readable.
pub(crate) static KAPE_FILE_LOGINS_JSON: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logins_json",
    name: "Mozilla Thunderbird logins.json",
    meaning: r#""Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\"logins.json""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Critical,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &["Encrypted browser passwords; key in OS credential store; timestamp shows last use"],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential store persists until browser profile deletion",
};
/// KAPE `Thunderbird` target entry: the per-profile `places.sqlite` history
/// database (Thunderbird embeds Firefox components, so it can hold web visits).
pub(crate) static KAPE_FILE_PLACES_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_places_sqlite",
    name: "Mozilla Thunderbird places.sqlite",
    meaning: r#""Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\"places.sqlite""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Medium,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the `INBOX` mbox file under a profile's
/// `ImapMail` folder.
pub(crate) static KAPE_FILE_IMAPMAIL_INBOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_imapmail_inbox",
    name: "Mozilla Thunderbird ImapMail INBOX",
    meaning: r#""Holds all email files with headers, content etc""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\"INBOX""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the `INBOX` mbox file under a profile's
/// `Mail` folder (local/POP accounts).
pub(crate) static KAPE_FILE_MAIL_INBOX: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_mail_inbox",
    name: "Mozilla Thunderbird Mail INBOX",
    meaning: r#""Holds all email files with headers, content etc""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\Mail\"INBOX""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile local calendar database
/// (`calendar-data\local.sqlite`).
pub(crate) static KAPE_FILE_CALENDAR_DATA_LOCAL_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_calendar_data_local_sqlite",
    name: "Mozilla Thunderbird Calendar Data",
    meaning: r#""Holds local calendar data""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\"local.sqlite""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile `Attachments` folder.
pub(crate) static KAPE_FILE_ATTACHMENTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_attachments",
    name: "Mozilla Thunderbird Attachments",
    meaning: r#""Holds attachments""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\Attachments\"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Thunderbird` target entry: the per-profile `abook.sqlite` local
/// address book.
pub(crate) static KAPE_FILE_ABOOK_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_abook_sqlite",
    name: "Mozilla Thunderbird Address Book",
    meaning: r#""Holds local address book""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r#"C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\"abook.sqlite""#),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Thunderbird.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: the main `wincmd.ini` configuration file
/// in the user's Roaming profile.
pub(crate) static KAPE_FILE_GHISLER_WINCMD_INI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ghisler_wincmd_ini",
    name: "Total Commander - .ini File",
    meaning: r#""Locates .ini file associated with Total Commander which stores useful user activity information.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\GHISLER\'wincmd.ini'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: the optional `totalcmd.log` at the drive
/// root. Per the source description, logging is off by default and the file
/// name is user-configurable, so absence is not evidence of non-use.
pub(crate) static KAPE_FILE_C_TOTALCMD_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_totalcmd_log",
    name: "Total Commander - Log File",
    meaning: r#""Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\'totalcmd.log'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: `FTP*.tmp` files written to the user's
/// Temp folder while traversing folders.
pub(crate) static KAPE_FILE_TEMP_FTP_TMP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_ftp_tmp",
    name: "Total Commander - Temp Files Created During Folder Traversal",
    meaning: r#""Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Temp\'FTP*.tmp'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: `wcx_ftp.ini`, the FTP connection
/// configuration in the user's Roaming profile.
pub(crate) static KAPE_FILE_GHISLER_WCX_FTP_INI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ghisler_wcx_ftp_ini",
    name: "Total Commander - FTP .ini File",
    meaning: r#""Locates .ini file associated with Total Commander which stores useful FTP information.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\GHISLER\'wcx_ftp.ini'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: `treeinfo*.wc` directory-tree cache
/// files in the user's Local profile.
pub(crate) static KAPE_FILE_GHISLER_TREEINFO_WC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ghisler_treeinfo_wc",
    name: "Total Commander - File Tree",
    meaning: r#""Locates a file that contains an exhaustive file tree of a user's file system.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\GHISLER\'treeinfo*.wc'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: `tcDirFrq.txt`, the frequently-used
/// directory list in the user's Local profile.
pub(crate) static KAPE_FILE_GHISLER_TCDIRFRQ_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ghisler_tcdirfrq_txt",
    name: "Total Commander - Frequent Directory Listing",
    meaning: r#""Locates a file that contains a frequently accessed folder listing.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\GHISLER\'tcDirFrq.txt'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `TotalCommander` target entry: `tcftp.log`, the FTP client log in the
/// user's Temp folder.
pub(crate) static KAPE_FILE_TEMP_TCFTP_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_temp_tcftp_log",
    name: "Total Commander - FTP Logs",
    meaning: r#""Locates a file that contains the Total Commander FTP logs.""#,
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Temp\'tcftp.log'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TotalCommander.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
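/// KAPE `TreeSize` target entry: `scanhistory.xml`, the list of directories the
/// user previously scanned with TreeSize (rated Medium).
pub(crate) static KAPE_FILE_JAM_SOFTWARE_TREESIZE_SCANHISTORY_XML: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_jam_software_treesize_scanhistory_xml",
    name: "TreeSize - ScanHistory.XML",
    meaning: r#""Locates XML file that provides a list of previously scanned directories by the user.""#,
    artifact_type: ArtifactType::File,
    // Fixed: the generated value had no separator between the `TreeSize` directory
    // and the quoted file mask (`TreeSize'scanhistory.xml'`); sibling entries use the
    // `dir\'mask'` shape. The generator that joins directory and mask needs the same fix.
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\JAM Software\TreeSize\'scanhistory.xml'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TreeSize.tkape"],
    triage_priority: TriagePriority::Medium,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};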
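/// KAPE `UEMS` target entry: ManageEngine UEMS agent logs (`*.log`) under the
/// agent's `logs` directory in Program Files (x86).
pub(crate) static KAPE_FILE_UEMS_AGENT_LOGS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_uems_agent_logs_log",
    name: "Unified endpoint management and security solutions from ManageEngine",
    meaning: r#""Collects all logs for UEMS""#,
    artifact_type: ArtifactType::File,
    // Fixed: the generated value had no separator between the `logs` directory and
    // the quoted file mask (`logs'*.log'`). The VirtualStore sibling has the same
    // defect; the generator that joins directory and mask needs the same fix.
    file_path: Some(r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs\'*.log'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UEMS.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};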
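/// KAPE `UEMS` target entry: the per-user VirtualStore copy of the ManageEngine
/// UEMS agent logs (written there when UAC virtualisation redirects writes to
/// Program Files (x86)).
pub(crate) static KAPE_FILE_UNIFIED_ENDPOINT_MAN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_unified_endpoint_man",
    name: "Unified endpoint management and security solutions from ManageEngine",
    meaning: r#""Collects User logs for UEMS""#,
    artifact_type: ArtifactType::File,
    // Fixed: separator restored between the `logs` directory and the quoted file
    // mask (generated value was `logs'*.log'`).
    file_path: Some(r"C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\'*.log'"),
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UEMS.tkape"],
    triage_priority: TriagePriority::Low,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    hive: None,
    key_path: "",
    value_name: None,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};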
/// UltraViewer per-user data directory (`C:\Users\%user%\AppData\Roaming\UltraViewer`),
/// from the KAPE `Ultraviewer` target. Collected as a whole directory (no file mask);
/// the upstream description covers chat, connection and recording files.
pub(crate) static KAPE_FILE_ROAMING_ULTRAVIEWER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_ultraviewer",
name: "UltraViewer User Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\UltraViewer"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes all files related to UltraViewer chat, connections, and recordings\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ultraviewer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// UltraViewer data directory under the SysWOW64 system profile rather than a user
/// profile, from the KAPE `Ultraviewer` target. Same upstream description as the
/// per-user entry; presumably populated when UltraViewer runs in a service context —
/// confirm against the vendor documentation before relying on that.
pub(crate) static KAPE_FILE_ULTRAVIEWER_SYSTEM_L: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ultraviewer_system_l",
name: "UltraViewer System Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\UltraViewer"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Includes all files related to UltraViewer chat, connections, and recordings\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ultraviewer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
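/// UltraViewer service log (`UltraViewerService_log.txt`) under the program directory,
/// from the KAPE `Ultraviewer` target.
///
/// NOTE(review): the generated value was
/// `C:\Program Files*\UltraViewerUltraViewerService_log.txt` — the install directory
/// and the file name appear to have been joined without a separator, so the path could
/// never match. The split point (`UltraViewer` directory + `UltraViewerService_log.txt`
/// file) is inferred from the entry name; confirm against the upstream tkape. The
/// ingest pipeline needs the same fix; `id` is left as generated.
pub(crate) static KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERULTRAVIEWERSERVICE_LOG_TX: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_program_files_ultraviewerultraviewerservice_log_tx",
name: "UltraViewer Service Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory + file name, joined with a path separator.
file_path: Some("C:\\Program Files*\\UltraViewer\\UltraViewerService_log.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"UltraViewer Service log file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ultraviewer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};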
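/// UltraViewer service-level connection log (`ConnectionLog.Log`) under the program
/// directory, from the KAPE `Ultraviewer` target.
///
/// NOTE(review): the generated value was `C:\Program Files*\UltraViewerConnectionLog.Log`
/// — install directory and file name appear to have been joined without a separator, so
/// the path could never match. The split (`UltraViewer` directory + `ConnectionLog.Log`)
/// is inferred from the entry name and the sibling service-log entry; confirm against
/// the upstream tkape. The ingest pipeline needs the same fix; `id` is left as generated.
pub(crate) static KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERCONNECTIONLOG_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_program_files_ultraviewerconnectionlog_log",
name: "UltraViewer Connection Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory + file name, joined with a path separator.
file_path: Some("C:\\Program Files*\\UltraViewer\\ConnectionLog.Log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"UltraViewer Service level connection log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ultraviewer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};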
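/// VLC Qt interface configuration (`vlc-qt-interface.ini`), from the KAPE
/// `VLC Media Player` target; the upstream note says its `[RecentsMRL]` section lists
/// recently opened files.
///
/// NOTE(review): the generated value was `...\Roaming\vlc\"vlc-qt-interface.ini"` —
/// the file mask's double-quote characters were carried into the path, so a literal
/// match could never succeed. Quotes dropped here; the ingest pipeline should strip
/// them at the source.
pub(crate) static KAPE_FILE_VLC_VLC_QT_INTERFACE_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vlc_vlc_qt_interface_ini",
name: "VLC Recently Opened Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\vlc\\vlc-qt-interface.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VLC Media Player.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};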
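/// VLC recordings (`vlc-*.avi`) in the user's Videos folder, from the KAPE
/// `VLC Media Player` target.
///
/// NOTE(review): the generated value was `C:\Users\%user%\Videos\"vlc-*.avi"` — the
/// file mask's double-quote characters were carried into the path, so the glob could
/// never match. Quotes dropped here; the ingest pipeline should strip them at the source.
pub(crate) static KAPE_FILE_VIDEOS_VLC_AVI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_videos_vlc_avi",
name: "VLC Recorded Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\Users\\%user%\\Videos\\vlc-*.avi"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VLC Media Player.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};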
/// VMware per-user data directory (`C:\Users\%user%\AppData\Roaming\VMware`), from the
/// KAPE `VMwareInventory` target. Collected as a whole directory; the upstream note says
/// it holds the inventory of virtual machines present on disk.
pub(crate) static KAPE_FILE_ROAMING_VMWARE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_vmware",
name: "VMware - Virtual Machine Inventory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\VMware"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates an inventory of all Virtual Machines on disk.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMwareInventory.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
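/// VMware guest memory files (`*.vmem`), from the KAPE `VMwareMemory` target.
///
/// NOTE(review): the generated value was `C:\'*.vmem'` — the file mask's single-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. The descriptor has no
/// recursion flag, so if the upstream target searches the whole volume, a consumer
/// that matches this pattern literally will only look at the drive root — confirm
/// against the matcher. Sibling `*.vmss` / `*.vmsn` entries have the same defect.
pub(crate) static KAPE_FILE_C_VMEM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vmem",
name: "VMware (Fusion/Workstation/Server/Player)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.vmem"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Captures all raw memory from VMware virtual machines.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMwareMemory.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};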
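/// VMware suspended-state files (`*.vmss`), from the KAPE `VMwareMemory` target.
///
/// NOTE(review): the generated value was `C:\'*.vmss'` — the file mask's single-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. No recursion flag is
/// recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_C_VMSS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vmss",
name: "VMware (Fusion/Workstation/Server/Player)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.vmss"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Captures all memory images from VMware virtual machines.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMwareMemory.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};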
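/// VMware snapshot-state files (`*.vmsn`), from the KAPE `VMwareMemory` target.
///
/// NOTE(review): the generated value was `C:\'*.vmsn'` — the file mask's single-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. No recursion flag is
/// recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_C_VMSN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vmsn",
name: "VMware (Fusion/Workstation/Server/Player)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.vmsn"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Captures all memory images from VMware virtual machines.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMwareMemory.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};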
/// RealVNC Server per-user log (`AppData\Local\RealVNC\vncserver.log`), from the KAPE
/// `VNCLogs` target. `meaning` carries only the vendor's logging-documentation URL;
/// no content description is recorded here.
pub(crate) static KAPE_FILE_REALVNC_VNCSERVER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_realvnc_vncserver_log",
name: "RealVNC Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\RealVNC\\vncserver.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"https://www.realvnc.com/en/connect/docs/logging.html#logging\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VNCLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RealVNC Viewer per-user log (`AppData\Local\RealVNC\vncviewer.log`), from the KAPE
/// `VNCLogs` target. Note the user segment is a `*` wildcard here, whereas the sibling
/// `vncserver.log` entry uses the `%user%` placeholder — both forms come from upstream,
/// so a consumer must expand both. `meaning` is only a vendor documentation URL.
pub(crate) static KAPE_FILE_REALVNC_VNCVIEWER_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_realvnc_vncviewer_log",
name: "RealVNC Viewer Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\RealVNC\\vncviewer.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging#realvnc-server-0-1\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VNCLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
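/// RealVNC Server service-mode log (`ProgramData\RealVNC-Service\vncserver.log`), from
/// the KAPE `VNCLogs` target.
///
/// NOTE(review): the generated value was `C:\ProgramData\RealVNC-Servicevncserver.log` —
/// the directory and file name appear to have been joined without a separator, so the
/// path could never match. The split (`RealVNC-Service` directory + `vncserver.log`,
/// the same file name as the per-user entry) is inferred; confirm against the upstream
/// tkape. The ingest pipeline needs the same fix; `id` is left as generated.
pub(crate) static KAPE_FILE_PROGRAMDATA_REALVNC_SERVICEVNCSERVER_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_programdata_realvnc_servicevncserver_log",
name: "RealVNC Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory + file name, joined with a path separator.
file_path: Some("C:\\ProgramData\\RealVNC-Service\\vncserver.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging-\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VNCLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};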
/// RealVNC entries in the Windows Application event log (event source `VNC Server`),
/// per the KAPE `VNCLogs` target.
///
/// NOTE(review): `file_path` holds `ApplicationEvents.tkape`, which is the name of
/// another KAPE target rather than an on-disk location — this looks like a nested-target
/// reference that the ingest pipeline emitted as if it were a file path. A consumer
/// matching it literally will find nothing; confirm and resolve it to the referenced
/// target's paths before treating this entry as collectable.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape_5",
name: "RealVNC Application Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains RealVNC entries, event source: VNC Server\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VNCLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// TightVNC server log directory (`C:\ProgramData\TightVNC\Server\Logs`), from the KAPE
/// `VNCLogs` target. Collected as a whole directory; `meaning` carries only a reference
/// URL, no content description.
pub(crate) static KAPE_FILE_SERVER_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_server_logs_2",
name: "TightVNC Application Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\TightVNC\\Server\\Logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VNCLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
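/// Viber desktop configuration database (`ViberPC\config.db`), from the KAPE `Viber`
/// target.
///
/// NOTE(review): the generated value was `...\Roaming\ViberPC\"config.db"` — the file
/// mask's double-quote characters were carried into the path, so a literal match could
/// never succeed. Quotes dropped here; the ingest pipeline should strip them at the
/// source. The sibling `viber.db` entry has the same defect.
pub(crate) static KAPE_FILE_VIBERPC_CONFIG_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_viberpc_config_db",
name: "Viber Config Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ViberPC\\config.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Configuration file for Viber\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Viber.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};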
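/// Viber desktop user database (`ViberPC\*\viber.db`), from the KAPE `Viber` target; the
/// upstream note says it holds calls, chat messages and contacts. The `*` segment is
/// presumably one directory per signed-in account — verify against a live install.
///
/// NOTE(review): the generated value was `...\ViberPC\*\"viber.db"` — the file mask's
/// double-quote characters were carried into the path, so the pattern could never match.
/// Quotes dropped here; the ingest pipeline should strip them at the source.
pub(crate) static KAPE_FILE_VIBER_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_viber_db",
name: "Viber Users Data Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ViberPC\\*\\viber.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Viber data for that user, containing Calls, Chat Messages, Contacts and more\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Viber.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};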
/// Viber avatar cache directory (`ViberPC\*\Avatars`), from the KAPE `Viber` target.
/// Collected as a whole directory; the `*` segment is presumably one directory per
/// account — verify against a live install.
pub(crate) static KAPE_FILE_AVATARS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avatars",
name: "Viber Users Avatars Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ViberPC\\*\\Avatars"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Cache of the Avatars for other Viber users\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Viber.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Viber chat-background store (`ViberPC\*\Backgrounds`), from the KAPE `Viber` target.
/// Collected as a whole directory.
pub(crate) static KAPE_FILE_BACKGROUNDS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backgrounds",
name: "Viber Users Backgrounds Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ViberPC\\*\\Backgrounds"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Store of the backgrounds\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Viber.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Viber thumbnail cache (`ViberPC\*\Thumbnails`), from the KAPE `Viber` target; the
/// upstream note says it holds thumbnails of uploaded and downloaded images. Rated
/// Medium, unlike the other Viber cache directories.
pub(crate) static KAPE_FILE_THUMBNAILS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_thumbnails",
name: "Viber Users Thumbnails Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\ViberPC\\*\\Thumbnails"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Cache of the thumbnails for uploaded/downloaded images\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Viber.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
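/// VirtualBox VM configuration files (`*.vbox`), from the KAPE `VirtualBoxConfig` target.
///
/// NOTE(review): the generated value was `C:\"*.vbox"` — the file mask's double-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. No recursion flag is
/// recorded, so confirm how the consumer's matcher treats a root-level pattern. The
/// sibling `*.vbox-prev`, `VBox.log*`, `VBoxHardening.log` and `*.sav` entries have the
/// same defect.
pub(crate) static KAPE_FILE_C_VBOX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vbox",
name: "VirtualBox VM configs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.vbox"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all .vbox VM configuration files on disk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxConfig.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};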
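/// VirtualBox backup VM configuration files (`*.vbox-prev`), from the KAPE
/// `VirtualBoxConfig` target.
///
/// NOTE(review): the generated value was `C:\"*.vbox-prev"` — the file mask's
/// double-quote characters were carried into the path, so the glob could never match.
/// Quotes dropped here; the ingest pipeline should strip them at the source. No recursion
/// flag is recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_C_VBOX_PREV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vbox_prev",
name: "VirtualBox VM backup configs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.vbox-prev"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all backup .vbox VM configuration files on disk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxConfig.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};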
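/// VirtualBox VM log files (`VBox.log`), from the KAPE `VirtualBoxLogs` target.
///
/// NOTE(review): the generated value was `C:\"VBox.log"` — the file mask's double-quote
/// characters were carried into the path, so a literal match could never succeed.
/// Quotes dropped here; the ingest pipeline should strip them at the source. No recursion
/// flag is recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_C_VBOX_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vbox_log",
name: "VirtualBox Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\VBox.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all VBox.log files on disk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};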
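/// Rotated VirtualBox VM logs (`VBox.log.*`), from the KAPE `VirtualBoxLogs` target; the
/// upstream note says these show historic VM usage.
///
/// NOTE(review): the generated value was `C:\"VBox.log.*"` — the file mask's double-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. No recursion flag is
/// recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_VIRTUALBOX_BACKUP_LO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualbox_backup_lo",
name: "VirtualBox Backup Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\VBox.log.*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all backup VBox.log files on disk - these can show historic VM usage\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};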
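/// VirtualBox hardening logs (`VBoxHardening.log`), from the KAPE `VirtualBoxLogs` target.
///
/// NOTE(review): the generated value was `C:\"VBoxHardening.log"` — the file mask's
/// double-quote characters were carried into the path, so a literal match could never
/// succeed. Quotes dropped here; the ingest pipeline should strip them at the source.
/// No recursion flag is recorded; confirm how the consumer's matcher treats a root-level
/// pattern.
pub(crate) static KAPE_FILE_C_VBOXHARDENING_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vboxhardening_log",
name: "VirtualBox Hardening Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\VBoxHardening.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all VBoxHardening.log files on disk\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};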
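/// VirtualBox saved-state files (`*.sav`), from the KAPE `VirtualBoxMemory` target; the
/// upstream note describes them as partial memory images.
///
/// NOTE(review): the generated value was `C:\'*.sav'` — the file mask's single-quote
/// characters were carried into the path, so the glob could never match. Quotes dropped
/// here; the ingest pipeline should strip them at the source. No recursion flag is
/// recorded; confirm how the consumer's matcher treats a root-level pattern.
pub(crate) static KAPE_FILE_C_SAV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_sav",
name: "VirtualBox",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// File mask without its surrounding quote characters.
file_path: Some("C:\\*.sav"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Captures all partial memory images from VirtualBox.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBoxMemory.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};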
/// VS Code local-history entries (`Code\User\History\*\`), from the KAPE
/// `VisualStudioCode` target; the upstream note describes these as files the user has
/// opened in VS Code. Rated Medium.
pub(crate) static KAPE_FILE_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history",
name: "VSCode Opened Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\User\\History\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Grabs the files in the VSCode history. These are files the user has opened with VSCode\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code global storage (`Code\User\globalStorage\storage.json*`), from the KAPE
/// `VisualStudioCode` target; the upstream note says it holds information about the
/// user's workspaces. The trailing `*` also picks up any sibling variants of the file.
pub(crate) static KAPE_FILE_GLOBALSTORAGE_STORAGE_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_globalstorage_storage_json",
name: "VSCode Workspaces",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Code\\User\\globalStorage\\storage.json*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the file containing information about the user's workspaces\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code cached user-extension metadata (`Code\CachedExtensions\user*`), from the KAPE
/// `VisualStudioCode` target; the upstream note says it relates to the user's installed
/// extensions.
pub(crate) static KAPE_FILE_CACHEDEXTENSIONS_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cachedextensions_user",
name: "VSCode User extensions",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\CachedExtensions\\user*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the files relating to the user's installed extensions\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code user settings (`Code\User\settings.json*`), from the KAPE `VisualStudioCode`
/// target.
pub(crate) static KAPE_FILE_USER_SETTINGS_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_settings_json",
name: "VSCode User settings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\User\\settings.json*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the file containing the settings the user has set.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code preferences file (`Code\preferences*`), from the KAPE `VisualStudioCode`
/// target.
pub(crate) static KAPE_FILE_CODE_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_code_preferences",
name: "VSCode User Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\preferences*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the file containing the preferences the user has set.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code cookie store (`Code\Network\Cookies*`), from the KAPE `VisualStudioCode`
/// target; the upstream note says it uses the same format as Chromium's Cookies
/// database. Rated Medium. As with any browser-style cookie store, the collected copy
/// may hold session credentials — handle it accordingly.
pub(crate) static KAPE_FILE_NETWORK_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_cookies",
name: "VSCode Network Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\Network\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the cookie files. Same format as Chromium Cookies\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code `Network Persistent State` file, from the KAPE `VisualStudioCode` target; the
/// upstream note says it uses the same format as Chromium's file of the same name.
pub(crate) static KAPE_FILE_NETWORK_NETWORK_PERSISTENT_STATE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_network_network_persistent_state",
name: "VSCode Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Code\\Network\\Network Persistent State*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the Network Persistent State file. Same format as in Chromium\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code log directory (`Code\logs\`), from the KAPE `VisualStudioCode` target.
/// Collected as a whole directory; the upstream note itself says further analysis is
/// needed to tell which logs are useful.
pub(crate) static KAPE_FILE_CODE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_code_logs",
name: "VSCode Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VS Code hot-exit backups of unsaved changes (`Code\Backups\*\`), from the KAPE
/// `VisualStudioCode` target. Collected as whole directories.
pub(crate) static KAPE_FILE_BACKUPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backups",
name: "VSCode File Backups",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Code\\Backups\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the Backups for unsaved changes.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VisualStudioCode.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WhatsApp desktop (classic install) cache directory (`Roaming\WhatsApp\Cache`), from
/// the KAPE `WhatsApp` target. The upstream note says it is a Chromium-style cache that
/// can hold thumbnails and `.enc` message files.
pub(crate) static KAPE_FILE_WHATSAPP_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_whatsapp_cache",
name: "WhatsApp Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\WhatsApp\\Cache"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WhatsApp desktop (classic install) Local Storage LevelDB
/// (`Roaming\WhatsApp\Local Storage\leveldb`), from the KAPE `WhatsApp` target. The
/// upstream note says it holds the phone model and user name plus encrypted base64
/// strings.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_5",
name: "WhatsApp Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\WhatsApp\\Local Storage\\leveldb"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Microsoft Store (packaged) WhatsApp cache directory under
/// `Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache`, from the KAPE
/// `WhatsApp` target. Same upstream description as the classic-install cache entry.
pub(crate) static KAPE_FILE_MICROSOFT_STORE_WHAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_store_what",
name: "Microsoft Store WhatsApp Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*WhatsAppDesktop*\\LocalCache\\Roaming\\WhatsApp\\Cache"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Microsoft Store (packaged) WhatsApp Local Storage LevelDB under
/// `Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb`,
/// from the KAPE `WhatsApp` target. Same upstream description as the classic-install
/// LevelDB entry.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_2_2",
name: "Microsoft Store WhatsApp Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*WhatsAppDesktop*\\LocalCache\\Roaming\\WhatsApp\\Local Storage\\leveldb"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Microsoft Store WhatsApp contact profile pictures
/// (`Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures`), from the KAPE
/// `WhatsApp_Media` target. Collected as a whole directory of image files.
pub(crate) static KAPE_FILE_LOCALSTATE_PROFILEPICTURES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_profilepictures",
name: "Microsoft Store WhatsApp Desktop Profile Pictures",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*WhatsAppDesktop*\\LocalState\\profilePictures"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the local store of contacts profile pictures, simply open with a photos software\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp_Media.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Media shared through Microsoft Store WhatsApp Desktop (jpg/mp4/pdf/webp).
///
/// NOTE(review): `file_path` is the upstream `Path` glued onto a KAPE
/// `FileMask` of the form `regex:<pattern>` with no separator, so the literal
/// `transfersregex:.*\.(jpg|mp4|pdf|webp)` is neither a directory name nor a
/// glob and cannot match anything as written; the `id` was derived from the
/// same mangled string. The root cause is in the ingest pipeline (the path
/// should end at `...\shared\transfers\` with the filename pattern carried
/// separately), so the value is left as generated rather than hand-patched.
/// The upstream comment warns the set can be very large — budget collection
/// size accordingly.
pub(crate) static KAPE_FILE_TRANSFERSREGEX_JPG_MP4_PDF_WEBP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_transfersregex_jpg_mp4_pdf_webp",
name: "Microsoft Store WhatsApp Shared Media",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Mangled by the generator — see the doc comment above.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*WhatsAppDesktop*\\LocalState\\shared\\transfersregex:.*\\.(jpg|mp4|pdf|webp)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Copies the shared media, can get very large.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WhatsApp_Media.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
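/// WinSCP configuration file (`WinSCP.ini`).
///
/// The generated path carried the upstream KAPE `FileMask` with its YAML
/// single quotes still attached (`C:\'WinSCP.ini'`); the quotes are not part
/// of the filename and have been dropped. NOTE(review): a bare
/// `C:\WinSCP.ini` only matches the drive root, and the INI normally lives
/// beside the WinSCP executable or in the user profile, so the upstream
/// target is presumably recursive — confirm how this descriptor's consumer
/// handles recursion before relying on it. The `id` keeps the value derived
/// from the mangled path so cross-references stay valid.
///
/// Defender note: when WinSCP is configured to keep its settings in this INI,
/// saved sessions can include stored passwords, which WinSCP only obfuscates;
/// handle the collected file as credential-bearing even though
/// `triage_priority` is `Low`.
pub(crate) static KAPE_FILE_C_WINSCP_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_winscp_ini",
name: "WinSCP (.ini file)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\WinSCP.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic fallback text: the upstream target has no per-entry comment.
meaning: "WinSCP (.ini file) — collected by KAPE WinSCP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WinSCP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};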
/// Windows "Your Phone" (Phone Link) database directory.
///
/// The `Indexed` folder is collected whole; per the upstream comment it
/// contains all of the app's database files. Content mirrored from a paired
/// phone (messages, call history, photos) is personal data — handle
/// accordingly.
pub(crate) static KAPE_FILE_LOCALCACHE_INDEXED: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localcache_indexed",
name: "Windows Your Phone - All Databases",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\LocalCache\\Indexed"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates all Your Phone database files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsYourPhone.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
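/// XYplorer main configuration file (`XYplorer.ini`).
///
/// The generated path kept the YAML single quotes around the upstream
/// `FileMask` (`'XYplorer.ini'`); they are not part of the filename and have
/// been dropped. NOTE(review): the quoted upstream comment names Total
/// Commander although this target is XYplorer — an upstream copy/paste. The
/// text is kept verbatim because it is a quotation of the source target; the
/// descriptor `name` is the authoritative label.
pub(crate) static KAPE_FILE_XYPLORER_XYPLORER_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_xyplorer_xyplorer_ini",
name: "XYplorer - .ini file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\XYplorer\\XYplorer.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .ini file associated with Total Commander which stores useful user activity information.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/XYplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};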
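/// XYplorer per-pane configuration (`pane.ini` under each `Panes\*` folder).
///
/// The generated path kept the YAML single quotes around the upstream
/// `FileMask` (`'pane.ini'`); they are not part of the filename and have been
/// dropped. Per the upstream comment this covers the left and right pane.
pub(crate) static KAPE_FILE_PANE_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pane_ini",
name: "XYplorer - .ini file for each respective pane",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\XYplorer\\Panes\\*\\pane.ini"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the .ini file for the left and right pane.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/XYplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};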
/// XYplorer `AutoBackup` folder, collected with its contents.
///
/// Useful when the live configuration has been altered or wiped: the backups
/// may preserve earlier settings and activity state — hedged, the upstream
/// comment only says the folder's contents are copied.
pub(crate) static KAPE_FILE_XYPLORER_AUTOBACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_xyplorer_autobackup",
name: "XYplorer - AutoBackup folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\XYplorer\\AutoBackup"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the AutoBackup folder and copies its contents.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/XYplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
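/// XYplorer `.dat` state files in the user's roaming AppData folder.
///
/// The generated path was missing the separator between the directory and
/// the upstream `FileMask` and kept the mask's YAML single quotes
/// (`XYplorer'*.dat'`); it is now a plain directory-plus-glob. Per the
/// upstream comment these files are rewritten when the program exits, so
/// their timestamps bound the last XYplorer session.
pub(crate) static KAPE_FILE_ROAMING_XYPLORER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_xyplorer_dat",
name: "XYplorer - .dat files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\XYplorer\\*.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/XYplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};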
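/// Xeox RMM client application logs.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML single quotes (`Xeox'*.log'`); it is now a
/// plain directory-plus-glob. Per the upstream comment the logs record
/// service starts and incoming connections, which makes them a primary
/// source for timelining remote-management sessions when RMM tooling is in
/// scope of an investigation. The spelling "incomming" is in the quoted
/// upstream text and is kept verbatim.
pub(crate) static KAPE_FILE_PROGRAM_FILES_XEOX_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_program_files_xeox_log",
name: "Xeox RMM Client Application logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Xeox\\*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Application Log entries such as service start and incomming connections.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Xeox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};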
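/// Zscaler client agent logs in the user's local AppData.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML single quotes (`Zscaler'*'`); it is now a
/// plain directory-plus-glob covering everything in the folder.
pub(crate) static KAPE_FILE_LOCAL_ZSCALER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_zscaler",
name: "Zscaler Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Zscaler\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains Zscaler agent Logs entries\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZScaler.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};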
/// Zoho Assist (remote support) log directory under the user's local AppData.
///
/// One of several Zoho Assist locations in this file (per-user, ProgramData
/// and the `Program Files*` unattended-access install); collect them together
/// when reconstructing remote sessions.
pub(crate) static KAPE_FILE_ZOHOMEETING_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zohomeeting_log",
name: "Zoho Assist log files in AppData\\Local",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\ZohoMeeting\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoho Assist log files in AppData\\Local\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
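/// Zoho Assist `.conf` files under the user's local AppData.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`ZohoMeeting"*.conf"`); it is
/// now a plain directory-plus-glob. Per the upstream comment these hold
/// connection and settings data — useful for establishing how the remote
/// access tool was configured.
pub(crate) static KAPE_FILE_LOCAL_ZOHOMEETING_CONF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_zohomeeting_conf",
name: "Zoho Assist .conf files in AppData\\Local",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\ZohoMeeting\\*.conf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs all .conf files present in this folder (Connection/Settings)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};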
/// Zoho Assist log directory under `ProgramData` (machine-wide, not per user).
pub(crate) static KAPE_FILE_ZOHO_ASSIST_LOG_FILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zoho_assist_log_file",
name: "Zoho Assist log files in ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ZohoMeeting\\log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoho Assist log files in ProgramData\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
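/// Zoho Assist `.conf` files under `ProgramData`.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`ZohoMeeting"*.conf"`); it is
/// now a plain directory-plus-glob. Per the upstream comment these hold
/// connection, proxy and settings data.
pub(crate) static KAPE_FILE_PROGRAMDATA_ZOHOMEETING_CONF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_zohomeeting_conf",
name: "Zoho Assist .conf files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\ZohoMeeting\\*.conf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs all .conf files present in this folder (Connection/Proxy/Settings)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};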
/// Zoho Assist log directory of the unattended-access install under
/// `Program Files*`.
///
/// The `UnAttended` path component indicates the service-based install that
/// allows access without a user present; its logs matter when reviewing
/// whether remote access persisted beyond an interactive support session.
pub(crate) static KAPE_FILE_ZOHOMEETING_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zohomeeting_logs",
name: "Zoho Assist log files in Program Files*",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `Program Files*` covers both the 64-bit and the `Program Files (x86)` root.
file_path: Some("C:\\Program Files*\\ZohoMeeting\\UnAttended\\ZohoMeeting\\logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoho Assist log files in Program Files*\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
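/// Zoho Assist `.conf` files of the unattended-access install under
/// `Program Files*`.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`ZohoMeeting"*.conf"`); it is
/// now a plain directory-plus-glob. Per the upstream comment these are the
/// service and settings files — the configuration that keeps unattended
/// access enabled.
pub(crate) static KAPE_FILE_UNATTENDED_ZOHOMEETING_CONF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_unattended_zohomeeting_conf",
name: "Zoho Assist .conf files in Program Files*",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\ZohoMeeting\\UnAttended\\ZohoMeeting\\*.conf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs all .conf files present in this folder (Service/Settings)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};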
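/// Zoho Assist `.txt` files of the unattended-access install under
/// `Program Files*`.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`ZohoMeeting"*.txt"`); it is
/// now a plain directory-plus-glob.
pub(crate) static KAPE_FILE_UNATTENDED_ZOHOMEETING_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_unattended_zohomeeting_txt",
name: "Zoho Assist .txt files in Program Files*",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\ZohoMeeting\\UnAttended\\ZohoMeeting\\*.txt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs all .txt files present in this folder (Service/Settings)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ZohoAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};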
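/// Zoom client log directory under the user's roaming AppData.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`logs"*"`); it is now a plain
/// directory-plus-glob covering everything in the folder.
pub(crate) static KAPE_FILE_ZOOM_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zoom_logs",
name: "Zoom client logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Zoom\\logs\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoom client artifacts\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Zoom.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};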
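/// Zoom client data under the pre-Vista (`Documents and Settings`) profile
/// layout.
///
/// The generated path carried the upstream `FileMask` with its YAML double
/// quotes still attached (`Zoom\"*"`); the quotes have been dropped.
/// NOTE(review): `os_scope` says `Win7Plus` although this is an XP-era path;
/// the generator appears to emit `Win7Plus` for every entry. Left unchanged
/// here because no other `OsScope` variant is visible in this file — worth
/// fixing in the ingest pipeline.
pub(crate) static KAPE_FILE_ZOOM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zoom",
name: "Zoom client logs (Windows XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Zoom\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoom client artifacts (Windows XP)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Zoom.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};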
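/// Zoom local meeting recordings in the user's `Documents\Zoom` folder.
///
/// The generated path carried the upstream `FileMask` with its YAML double
/// quotes still attached (`Zoom\"*"`); the quotes have been dropped.
/// Recordings are audio/video of third parties and can be large — treat as
/// sensitive content and budget collection size. The truncated identifier
/// (`RECORDIN`) is generator output and is kept so references stay valid.
pub(crate) static KAPE_FILE_ZOOM_CLIENT_RECORDIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zoom_client_recordin",
name: "Zoom client recordings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\Zoom\\*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoom recording artifacts\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Zoom.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};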
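/// Zoom Outlook plugin JSON files under the user's roaming AppData.
///
/// The generated path was missing the separator before the upstream
/// `FileMask` and kept its YAML double quotes (`Zoom Plugin"*.json"`); it is
/// now a plain directory-plus-glob.
pub(crate) static KAPE_FILE_ROAMING_ZOOM_PLUGIN_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_zoom_plugin_json",
name: "Zoom plugin (Outlook)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Zoom Plugin\\*.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Zoom plugin artifacts\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Zoom.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};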
/// iTunes backup folder (`Apple\Mobilesync\Backup` variant).
///
/// The three entries below cover the different locations iTunes has used for
/// iOS device backups; collect all of them, since which one exists depends on
/// the iTunes/iOS generation (the third is labelled iOS13 upstream). A backup
/// is an image of a phone's user data and may be encrypted with a user-chosen
/// backup password; handle as personal data and record whether it is
/// encrypted before planning analysis.
pub(crate) static KAPE_FILE_MOBILESYNC_BACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mobilesync_backup",
name: "iTunes Backup Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Apple\\Mobilesync\\Backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic fallback text: the upstream target has no per-entry comment.
meaning: "iTunes Backup Folder — collected by KAPE iTunesBackup target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/iTunesBackup.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// iTunes backup folder (`Apple Computer\Mobilesync\Backup` variant).
pub(crate) static KAPE_FILE_ITUNES_BACKUP_FOLDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_itunes_backup_folder",
name: "iTunes Backup Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Apple Computer\\Mobilesync\\Backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "iTunes Backup Folder — collected by KAPE iTunesBackup target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/iTunesBackup.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// iTunes backup folder directly under the user profile (`%user%\Apple\...`),
/// labelled "iOS13" upstream.
pub(crate) static KAPE_FILE_MOBILESYNC_BACKUP_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mobilesync_backup_2",
name: "iTunes Backup Folder - iOS13",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Apple\\Mobilesync\\Backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "iTunes Backup Folder - iOS13 — collected by KAPE iTunesBackup target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/iTunesBackup.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// mIRC chat log directory, Vista-and-later profile layout.
///
/// Plain-text IRC logs; they record channel/private conversations and are
/// communications content for handling purposes.
pub(crate) static KAPE_FILE_MIRC_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mirc_logs",
name: "mIRC Chat Logs (Vista+)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\mIRC\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic fallback text: the upstream target has no per-entry comment.
meaning: "mIRC Chat Logs (Vista+) — collected by KAPE mIRC target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/mIRC.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// mIRC chat log directory, Windows 2000/XP (`Documents and Settings`) layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` for an explicitly 2000/XP path; the
/// generator appears to emit `Win7Plus` unconditionally. Left as generated —
/// no other `OsScope` variant is visible in this file.
pub(crate) static KAPE_FILE_MIRC_CHAT_LOGS_2000: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mirc_chat_logs_2000",
name: "mIRC Chat Logs (2000/XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\mIRC\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "mIRC Chat Logs (2000/XP) — collected by KAPE mIRC target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/mIRC.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// mRemoteNG application log.
///
/// Records remote-connection activity (per `meaning`), so it pairs with the
/// connection configuration collected by the next descriptor: the config
/// says which hosts were set up, the log says when they were used.
pub(crate) static KAPE_FILE_MREMOTENG_MREMOTENG_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mremoteng_mremoteng_log",
name: "mRemoteNG Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains log entries for remote connections",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/mRemoteNG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
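/// mRemoteNG connection configuration (`confCons.xml`) and its backup copies.
///
/// This is the credential-bearing mRemoteNG artifact: the connection file
/// stores per-host credentials, which `meaning` describes as obfuscated. The
/// previous `evidence_caveats`/`volatility_rationale` text described a
/// "password manager database" — wording carried over from a different
/// descriptor template — and has been replaced with text that matches this
/// artifact. `evidence_strength: Definitive` is kept as generated; read it as
/// "definitive for which remote hosts were configured" rather than for
/// whether they were reached (that comes from the log descriptor).
pub(crate) static KAPE_FILE_MREMOTENG_CONFCONS_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mremoteng_confcons_xml",
name: "mRemoteNG Connection Configuration and Backups",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also matches the backup copies named in this descriptor.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\mRemoteNG\\confCons.xml*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains connection config, often with obfuscated credentials",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/mRemoteNG.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
// Stored passwords are protected by a master password whose default value is
// publicly documented, so unless the user changed it the file must be handled
// as plaintext-equivalent credentials under chain of custody.
evidence_caveats: &["Connection passwords are reversibly encrypted under a master password whose default is publicly documented; unless the user set their own, treat the file as recoverable credentials and handle it under chain of custody"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Connection configuration file persists until application uninstall or user deletion; the confCons.xml* glob also captures the backup copies mRemoteNG keeps alongside it",
};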
/// mRemoteNG program settings (`user.config`).
///
/// Application preferences rather than connection data; the `AppData\*`
/// wildcard covers both the Local and Roaming profile subtrees.
pub(crate) static KAPE_FILE_MREMOTENG_USER_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mremoteng_user_config",
name: "mRemoteNG Program Settings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\*\\mRemoteNG\\user.config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains user-specific program settings",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/mRemoteNG.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
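/// pCloud client database (`*.db`).
///
/// The generated path kept the YAML single quotes around the upstream
/// `FileMask` (`'*.db'`); they are not part of the pattern and have been
/// dropped. Per the upstream comment the database lists every file synced
/// with the account. Collect the companion `-wal` and `-shm` files (the next
/// two descriptors) in the same pass: without the write-ahead log the
/// database can be missing its most recent changes.
pub(crate) static KAPE_FILE_PCLOUD_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pcloud_db",
name: "pCloud Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\pCloud\\*.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Database contains all files sync'd with pCloud account.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/pCloudDatabase.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};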
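/// pCloud database write-ahead log (`*.db-wal`).
///
/// The generated path kept the YAML single quotes around the upstream
/// `FileMask` (`'*.db-wal'`); they have been dropped. The WAL holds committed
/// changes not yet checkpointed into the main `.db`, so it must be collected
/// together with that file for the database to parse consistently.
pub(crate) static KAPE_FILE_PCLOUD_DB_WAL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pcloud_db_wal",
name: "pCloud Database WAL File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\pCloud\\*.db-wal"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Write-Ahead Log for pCloud database file.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/pCloudDatabase.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};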
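/// pCloud database shared-memory index (`*.db-shm`).
///
/// The generated path kept the YAML single quotes around the upstream
/// `FileMask` (`'*.db-shm'`); they have been dropped. The `-shm` file is the
/// WAL index; it is rebuilt from the WAL if absent, but collecting it keeps
/// the three-file set intact and avoids parser differences.
pub(crate) static KAPE_FILE_PCLOUD_DB_SHM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pcloud_db_shm",
name: "pCloud Database Shared Memory File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\pCloud\\*.db-shm"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Shared Memory for the pCloud database file.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/pCloudDatabase.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};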
pub(crate) static KAPE_FILE_360BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_360bookmarks",
name: "360 Secure Browser Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\360Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Bookmarks — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies",
name: "360 Secure Browser Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Cookies — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_CURRENT_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session",
name: "360 Secure Browser Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Current Session — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_CURRENT_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs",
name: "360 Secure Browser Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Current Tabs — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_DOWNLOADMETADATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata",
name: "360 Secure Browser Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\DownloadMetadata"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Download Metadata — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_EXTENSION_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies",
name: "360 Secure Browser Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Extension Cookies"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Extension Cookies — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons",
name: "360 Secure Browser Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Favicons — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_360HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_360history",
name: "360 Secure Browser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\360History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser History — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_LAST_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session",
name: "360 Secure Browser Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Last Session — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Last Tabs` file of each 360 Secure Browser
/// profile (exact file name, no wildcard suffix).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs",
name: "360 Secure Browser Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Last Tabs — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Sessions\` directory of each 360 Secure Browser
/// profile. The trailing backslash marks this as a folder target rather than a single file.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions",
name: "360 Secure Browser Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Sessions Folder — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Login Data*` files of each 360 Secure Browser
/// profile.
///
/// Medium triage priority here; note the Arc and Brave `Login Data` entries in this file are
/// rated Low — confirm whether the difference is intended or an ingest default.
/// `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data",
name: "360 Secure Browser Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Login Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Login Data — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Media History*` files of each 360 Secure
/// Browser profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_MEDIA_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history",
name: "360 Secure Browser Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Media History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Media History — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Network Action Predictor` file of each 360
/// Secure Browser profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor",
name: "360 Secure Browser Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"360 Secure Browser Network Action Predictor — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Network Persistent State` file of each 360
/// Secure Browser profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state",
name: "360 Secure Browser Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"360 Secure Browser Network Persistent State — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Preferences` file of each 360 Secure Browser
/// profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences",
name: "360 Secure Browser Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Preferences — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `QuotaManager` file of each 360 Secure Browser
/// profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_QUOTAMANAGER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager",
name: "360 Secure Browser Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\QuotaManager"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Quota Manager — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Reporting and NEL` file of each 360 Secure
/// Browser profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel",
name: "360 Secure Browser Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Reporting and NEL"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Reporting and NEL — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Shortcuts*` files of each 360 Secure Browser
/// profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts",
name: "360 Secure Browser Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Shortcuts — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Top Sites*` files of each 360 Secure Browser
/// profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites",
name: "360 Secure Browser Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Top Sites — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Trust Tokens*` files of each 360 Secure
/// Browser profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_TRUST_TOKENS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens",
name: "360 Secure Browser Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Trust Tokens — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Sync Data` path of each 360 Secure Browser
/// profile. No trailing backslash or wildcard, so it is matched as a single path — confirm
/// against the tkape whether a folder was intended.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SYNC_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_data",
name: "360 Secure Browser SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Sync Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser SyncData Database — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Visited Links` file of each 360 Secure Browser
/// profile (exact file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_VISITED_LINKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links",
name: "360 Secure Browser Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Visited Links — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `Web Data*` files of each 360 Secure Browser
/// profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data",
name: "360 Secure Browser Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser Web Data — collected by KAPE 360SecureBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry for the per-user `AppData\Roaming\Microsoft\Protect\*\` folder, sourced from the
/// `360SecureBrowser` tkape rather than a Windows-specific target; the ingested comment reads
/// "Required for offline decryption".
///
/// NOTE(review): presumably the user's DPAPI master-key store — confirm. If so, material
/// collected under this descriptor is key material and should be handled and access-controlled
/// as sensitive evidence, not as ordinary browser files. The `meaning` string carries the
/// tkape comment's surrounding double quotes verbatim (`"\"...\""`), which looks like an
/// ingest artefact; confirm whether they should be stripped at regeneration.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_PROTECT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_2",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `360SecureBrowser` target entry: the `User Data\Snapshots\*\` folder tree. Unlike the
/// other 360 entries the glob sits below `Snapshots`, not at the profile level.
///
/// The `meaning` string is the tkape comment verbatim, including its surrounding double
/// quotes — probably an ingest artefact, as with `KAPE_FILE_PROTECT_2`; confirm.
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SNAPSHOTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots",
name: "360 Secure Browser Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\360se6\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of 360 Secure Browser SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/360SecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `NetworkCookies*` files of each Arc profile. Arc on Windows
/// is a packaged app, so the path runs through `AppData\Local\Packages\...\LocalCache`.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_NETWORKCOOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkcookies",
name: "Arc Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\NetworkCookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Cookies — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Favicons*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_FAVICONS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_2",
name: "Arc Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Favicons — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `History*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_HISTORY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_2",
name: "Arc History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc History — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Sessions\` folder of each Arc profile (trailing backslash =
/// folder target), under the packaged-app `LocalCache` directory.
///
/// Low triage priority here, whereas the 360 Secure Browser `Sessions` entry is Medium —
/// confirm the difference is intended. `Identity` decoder, no fields or MITRE techniques.
pub(crate) static KAPE_FILE_SESSIONS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_2",
name: "Arc Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Sessions Folder — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Login Data*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority here while the 360 Secure Browser `Login Data` entry is Medium —
/// confirm whether that is intended. `Identity` decoder, no fields or MITRE techniques.
pub(crate) static KAPE_FILE_LOGIN_DATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_2",
name: "Arc Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Login Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Login Data — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Network Action Predictor` file of each Arc profile (exact
/// file name) under the packaged-app `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_2",
name: "Arc Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Network Action Predictor — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Preferences` file of each Arc profile (exact file name) under
/// the packaged-app `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_PREFERENCES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_2",
name: "Arc Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Preferences — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Shortcuts*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SHORTCUTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_2",
name: "Arc Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Shortcuts — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Top Sites*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_TOP_SITES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_2",
name: "Arc Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Top Sites — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Sync Data` path of each Arc profile (no wildcard or trailing
/// backslash, so matched as a single path) under the packaged-app `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_SYNC_DATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_data_2",
name: "Arc SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Sync Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc SyncData Database — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Bookmarks*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks",
name: "Arc Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Bookmarks — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Visited Links` file of each Arc profile (exact file name)
/// under the packaged-app `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_VISITED_LINKS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_2",
name: "Arc Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Visited Links — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: the `Web Data*` files of each Arc profile under the packaged-app
/// `LocalCache` directory.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_WEB_DATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_2",
name: "Arc Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\Arc\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Web Data — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: `ArcStorable*.json` files directly under the packaged app's
/// `LocalCache\Local` directory (not per-profile; there is no `User Data\*` segment here).
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_LOCAL_ARCSTORABLE_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_arcstorable_json",
name: "Arc JSON Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Local\\ArcStorable*.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc JSON Files — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Arc` target entry: `com*.plist` files under the packaged app's `LocalCache\Local`
/// directory.
///
/// NOTE(review): the path is `...\LocalCache\Localcom*.plist` — there is no separator between
/// `Local` and `com*`, so as written this matches files named `Localcom*.plist` directly in
/// `LocalCache`. Compare the sibling `ArcStorable*.json` entry, which has `LocalCache\Local\`.
/// Check the tkape and the ingest for a dropped `\`. Low triage priority; `Identity` decoder.
pub(crate) static KAPE_FILE_LOCALCACHE_LOCALCOM_PLIST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localcache_localcom_plist",
name: "Arc PLIST Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheBrowserCompany.Arc_ttt1ap7aakyb4\\LocalCache\\Localcom*.plist"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc PLIST Files — collected by KAPE Arc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Arc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Bookmarks*` files of each Brave profile under
/// `AppData\Local\BraveSoftware\Brave-Browser\User Data`.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_BOOKMARKS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_2",
name: "Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bookmarks — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Cookies*` files of each Brave profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_COOKIES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_2",
name: "Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cookies — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Current Session` file of each Brave profile (exact
/// file name).
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_CURRENT_SESSION_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_2",
name: "Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Current Session — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Current Tabs` file of each Brave profile (exact
/// file name).
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_CURRENT_TABS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_2",
name: "Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Current Tabs — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `DownloadMetadata` file of each Brave profile (exact
/// file name).
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_2",
name: "Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\DownloadMetadata"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Download Metadata — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Favicons*` files of each Brave profile.
///
/// Low triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_FAVICONS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_3",
name: "Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Favicons — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `History*` files of each Brave profile.
///
/// Medium triage priority; `Identity` decoder, no fields or MITRE techniques recorded.
pub(crate) static KAPE_FILE_HISTORY_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_3",
name: "History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "History — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BraveBrowser` target entry: the `Sessions\` folder of the Brave **`Default`** profile
/// only.
///
/// NOTE(review): unlike the other Brave entries here (and the 360/Arc `Sessions` entries),
/// this path names `User Data\Default\Sessions\` rather than `User Data\*\Sessions\`, so
/// sessions from additional profiles are not covered. Confirm against the tkape whether that
/// is deliberate. Low triage priority; `Identity` decoder, no fields or MITRE techniques.
pub(crate) static KAPE_FILE_DEFAULT_SESSIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_default_sessions",
name: "Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Sessions Folder — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Login Data` file across all profiles (`*`). The path has no trailing
/// wildcard, unlike `History*` or `Favicons*`, so only the exact file name is described.
/// NOTE(review): triage_priority is Low while the Brave `History*` entry is Medium — confirm
/// the intended ranking for this artifact.
pub(crate) static KAPE_FILE_LOGIN_DATA_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_3",
name: "Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Login Data",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Login Data — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Network Action Predictor` file across all profiles (`*`), from the KAPE
/// BraveBrowser target. The `meaning` text is the generator's placeholder, not a description
/// of the file's contents.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_3",
name: "Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Action Predictor — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Network Persistent State` file across all profiles (`*`), from the KAPE
/// BraveBrowser target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_2",
name: "Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Persistent State — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Preferences` file across all profiles (`*`), from the KAPE BraveBrowser
/// target. The related `Secure Preferences*` file has its own descriptor
/// (`KAPE_FILE_SECURE_PREFERENCES`) rather than being covered by a wildcard here.
pub(crate) static KAPE_FILE_PREFERENCES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_3",
name: "Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Preferences — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `QuotaManager` file across all profiles (`*`), from the KAPE BraveBrowser
/// target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_QUOTAMANAGER_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_2",
name: "Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\QuotaManager"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Quota Manager — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Reporting and NEL` file across all profiles (`*`), from the KAPE
/// BraveBrowser target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_2",
name: "Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Reporting and NEL"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Reporting and NEL — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Shortcuts*` files across all profiles (`*`), from the KAPE BraveBrowser
/// target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_SHORTCUTS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_3",
name: "Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Shortcuts — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Rewards `publisher_info_db*` files across all profiles (`*`), from the KAPE
/// BraveBrowser target. Unlike most Brave entries, `meaning` carries a real description
/// (a SQLite database with an `event_log` table) rather than the generator placeholder.
pub(crate) static KAPE_FILE_PUBLISHER_INFO_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_publisher_info_db",
name: "Publisher Info DB/Brave Rewards",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\publisher_info_db*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SQLite Database related to \"Brave Rewards\" containing an event_log table",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Top Sites*` files across all profiles (`*`), from the KAPE BraveBrowser
/// target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_TOP_SITES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_3",
name: "Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Top Sites — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Visited Links*` files across all profiles (`*`), from the KAPE
/// BraveBrowser target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_VISITED_LINKS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_3",
name: "Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Visited Links*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Visited Links — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Web Data*` files across all profiles (`*`), from the KAPE BraveBrowser
/// target. Low triage priority; `meaning` is the generator's placeholder text.
pub(crate) static KAPE_FILE_WEB_DATA_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_3",
name: "Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Web Data — collected by KAPE BraveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave Browser `Secure Preferences*` files across all profiles (`*`), from the KAPE
/// BraveBrowser target. Companion to `KAPE_FILE_PREFERENCES_3`; `meaning` here is an
/// upstream description rather than the generator placeholder.
pub(crate) static KAPE_FILE_SECURE_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_secure_preferences",
name: "Secure Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\Secure Preferences*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains additional preferences data",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BraveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome (stable) `Cache\` folder across all profiles (`*`), from the KAPE
/// BrowserCache target.
/// NOTE(review): the id `kape_file_cache` is derived from the bare folder name and carries no
/// browser qualifier, unlike the Beta/Dev/SxS siblings — presumably a generator artefact;
/// confirm it stays unique across the table.
pub(crate) static KAPE_FILE_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cache",
name: "Chrome Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome Beta `Cache\` folder across all profiles (`*`), from the KAPE BrowserCache
/// target.
/// NOTE(review): the id/static name is cut mid-word (`..._cache_fo`), which looks like a
/// length cap in the generator; harmless as long as the truncated slugs remain unique.
pub(crate) static KAPE_FILE_CHROME_BETA_CACHE_FO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_cache_fo",
name: "Chrome Beta Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Cache\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome Dev `Cache\` folder across all profiles (`*`), from the KAPE BrowserCache
/// target. Id/static name is truncated mid-word (`..._cache_fol`), presumably by a generator
/// length cap.
pub(crate) static KAPE_FILE_CHROME_DEV_CACHE_FOL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_cache_fol",
name: "Chrome Dev Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome SxS (Canary) `Cache\` folder across all profiles (`*`), from the KAPE
/// BrowserCache target. Id/static name is truncated mid-word (`..._canary_ca`), presumably
/// by a generator length cap.
pub(crate) static KAPE_FILE_CHROME_SXS_CANARY_CA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_sxs_canary_ca",
name: "Chrome SxS - Canary Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome SxS - Canary Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Microsoft Edge (stable) `Cache\` folder across all profiles (`*`), from
/// the KAPE BrowserCache target. Low triage priority.
pub(crate) static KAPE_FILE_CHROMIUM_EDGE_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_edge_cache",
name: "Chromium Edge Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium Edge Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Microsoft Edge Beta `Cache\` folder across all profiles (`*`), from the
/// KAPE BrowserCache target. Id/static name is truncated mid-word (`..._beta_c`), presumably
/// by a generator length cap.
pub(crate) static KAPE_FILE_CHROMIUM_EDGE_BETA_C: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_edge_beta_c",
name: "Chromium Edge Beta Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Cache\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium Edge Beta Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Microsoft Edge Dev `Cache\` folder across all profiles (`*`), from the
/// KAPE BrowserCache target. Id/static name is truncated mid-word (`..._dev_ca`), presumably
/// by a generator length cap.
pub(crate) static KAPE_FILE_CHROMIUM_EDGE_DEV_CA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_edge_dev_ca",
name: "Chromium Edge Dev Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Cache\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium Edge Dev Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Microsoft Edge SxS (Canary) `Cache\` folder across all profiles (`*`), from
/// the KAPE BrowserCache target. Id/static name is truncated mid-word (`..._sxs_ca`),
/// presumably by a generator length cap.
pub(crate) static KAPE_FILE_CHROMIUM_EDGE_SXS_CA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_edge_sxs_ca",
name: "Chromium Edge SxS - Canary Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Cache\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium Edge SxS - Canary Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Plain Chromium `Cache\` folder across all profiles (`*`), from the KAPE BrowserCache
/// target. Id/static name is truncated mid-word (`..._cache_folde`), presumably by a
/// generator length cap.
pub(crate) static KAPE_FILE_CHROMIUM_CACHE_FOLDE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_cache_folde",
name: "Chromium Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox profile directories under Local AppData (`Profiles\*\`), from the KAPE
/// BrowserCache target. Although named "Firefox Cache Folder", the path covers each whole
/// profile directory rather than a cache subfolder specifically.
/// NOTE(review): the id `kape_file_profiles` carries no browser qualifier — confirm it stays
/// unique across the table.
pub(crate) static KAPE_FILE_PROFILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_profiles",
name: "Firefox Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Internet Explorer 9/10 cache folder (`Temporary Internet Files\`) under the user's Local
/// AppData, from the KAPE BrowserCache target. Low triage priority.
pub(crate) static KAPE_FILE_WINDOWS_TEMPORARY_INTERNET_FILES: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_windows_temporary_internet_files",
name: "IE 9/10 Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 9/10 Cache — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Internet Explorer `Content.IE5\index.dat` under the XP-era `Documents and Settings`
/// profile layout, from the KAPE BrowserCache target.
/// NOTE(review): the path is an XP-era layout yet `os_scope` is `Win7Plus`; this looks like
/// a generator default rather than a deliberate choice — confirm the intended scope.
pub(crate) static KAPE_FILE_CONTENT_IE5_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_content_ie5_index_dat",
name: "IE Index.dat temp internet files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE Index.dat temp internet files — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Internet Explorer 11 cache folder (`INetCache\`) under the user's Local AppData, from the
/// KAPE BrowserCache target. Low triage priority.
pub(crate) static KAPE_FILE_WINDOWS_INETCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_inetcache",
name: "IE 11 Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 11 Cache — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The `WebCache\` folder under the user's Local AppData, from the KAPE BrowserCache target.
/// The `name` refers to the `WebcacheV01.dat` file, but the path describes the whole
/// `WebCache\` directory rather than that single file.
pub(crate) static KAPE_FILE_WINDOWS_WEBCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_webcache",
name: "Edge WebcacheV01.dat",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\WebCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge WebcacheV01.dat — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
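/// Brave Browser `Cache\Cache_Data` for the `Default` profile, from the KAPE BrowserCache
/// target. Like `KAPE_FILE_DEFAULT_SESSIONS`, the profile segment is fixed to `Default`
/// rather than the `*` wildcard used by the other Brave entries.
///
/// The user-profile placeholder here is `%user%`, matching every other descriptor in this
/// table. The generated value was `%users%`, which no other entry uses and which would not
/// expand like the rest; the ingest pipeline (or its upstream source) should be corrected as
/// well, otherwise regeneration reintroduces the stray token.
pub(crate) static KAPE_FILE_CACHE_CACHE_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cache_cache_data",
name: "Brave Cache Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Cache\\Cache_Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Brave Cache Folder — collected by KAPE BrowserCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BrowserCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};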
/// Google Chrome `Bookmarks*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_BOOKMARKS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_3",
name: "Chrome Bookmarks XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Bookmarks XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Cookies*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target. Medium triage priority.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_COOKIES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_3",
name: "Chrome Cookies XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Cookies XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Current Session` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_CURRENT_SESSION_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_3",
name: "Chrome Current Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Session XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Current Tabs` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_CURRENT_TABS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_3",
name: "Chrome Current Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Tabs XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Favicons*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_FAVICONS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_4",
name: "Chrome Favicons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Favicons XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `History*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target. Medium triage priority.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_HISTORY_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_4",
name: "Chrome History XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome History XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Last Session` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_LAST_SESSION_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_2",
name: "Chrome Last Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Session XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Last Tabs` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_LAST_TABS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_2",
name: "Chrome Last Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Tabs XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Login Data` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope. Triage priority is Low while
/// the sibling `Cookies*` and `History*` XP entries are Medium — confirm the intended ranking.
pub(crate) static KAPE_FILE_LOGIN_DATA_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_4",
name: "Chrome Login Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Login Data XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Preferences` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_PREFERENCES_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_4",
name: "Chrome Preferences XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Preferences XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Shortcuts*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_SHORTCUTS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_4",
name: "Chrome Shortcuts XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Shortcuts XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Top Sites*` files across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_TOP_SITES_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_4",
name: "Chrome Top Sites XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Top Sites XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Google Chrome `Visited Links` file across all profiles (`*`) under the XP-era
/// `Documents and Settings` layout, from the KAPE Chrome target. Unlike the Brave
/// `Visited Links*` entry, this path has no trailing wildcard.
/// NOTE(review): `os_scope` is `Win7Plus` although the path is the XP profile layout; this
/// looks like a generator default — confirm the intended scope.
pub(crate) static KAPE_FILE_VISITED_LINKS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_4",
name: "Chrome Visited Links XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Visited Links XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Web Data` SQLite database (autofill entries, search engines and similar
/// form data) under the Windows XP profile layout. Treat collected copies as
/// personal data.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_WEB_DATA_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_4",
name: "Chrome Web Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Web Data XP — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Bookmarks` file (JSON) for every profile under the current Windows
/// user-profile layout; the trailing `*` also picks up `Bookmarks.bak`.
pub(crate) static KAPE_FILE_CHROME_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_bookmarks",
name: "Chrome Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Bookmarks — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Cookies` SQLite database at the profile root (older layout; newer builds
/// keep it under the `Network\` subfolder). Cookie values are stored encrypted with a
/// DPAPI-protected key, but live session cookies are credential-equivalent, so
/// collected copies must be handled as sensitive evidence.
pub(crate) static KAPE_FILE_CHROME_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_cookies",
name: "Chrome Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Cookies — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Current Session` file (SNSS session-restore format) at the profile root.
/// NOTE(review): the `id` and static name are cut at 30 characters
/// (`..._current_sessi`), unlike mask-derived ids such as
/// `kape_file_network_action_predictor_4` — looks like an ingest truncation rule;
/// confirm before anything keys on the id.
pub(crate) static KAPE_FILE_CHROME_CURRENT_SESSI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_current_sessi",
name: "Chrome Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Session — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Current Tabs` file (SNSS session-restore format) at the profile root;
/// records the open tabs and their navigation entries for the running session.
pub(crate) static KAPE_FILE_CHROME_CURRENT_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_current_tabs",
name: "Chrome Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Tabs — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `DownloadMetadata` file at the profile root. Download records useful for
/// tracing initial-access payloads; cross-check with the `downloads` table in
/// `History`, which is the primary download record.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_3",
name: "Chrome Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\DownloadMetadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Download Metadata — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Extension Cookies` SQLite database: cookies set by installed extensions
/// rather than by visited sites. Same handling caveat as the main cookie store —
/// values may be credential-equivalent.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_2",
name: "Chrome Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Extension Cookies — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Favicons` SQLite database at the profile root. Its icon-to-URL mapping can
/// retain page URLs after the corresponding `History` rows were deleted.
pub(crate) static KAPE_FILE_CHROME_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_favicons",
name: "Chrome Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Favicons — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `History` SQLite database (URLs, visits, downloads, keyword searches) for
/// every profile; the trailing `*` also matches the `History-journal` file, which
/// should be kept with the database for a consistent parse.
pub(crate) static KAPE_FILE_CHROME_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_history",
name: "Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome History — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Last Session` file (SNSS format) at the profile root: the session that
/// preceded the current one, useful when the current session files were rotated.
pub(crate) static KAPE_FILE_CHROME_LAST_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_session",
name: "Chrome Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Session — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Last Tabs` file (SNSS format) at the profile root; companion of
/// `Last Session`.
pub(crate) static KAPE_FILE_CHROME_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_tabs",
name: "Chrome Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Tabs — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Sessions\` profile subfolder (directory collect, note the trailing `\`).
/// Newer Chrome builds keep timestamped `Session_*` / `Tabs_*` files here instead of
/// the profile-root `Current Session` / `Current Tabs` files.
pub(crate) static KAPE_FILE_SESSIONS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_3",
name: "Chrome Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Sessions Folder — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Login Data` SQLite database: saved site credentials. Passwords are
/// DPAPI-wrapped per user, which is why the target also collects the DPAPI master-key
/// folder (`KAPE_FILE_PROTECT_3`). Collected copies are credential material and need
/// the same custody controls as the keys.
/// NOTE(review): `triage_priority: Low` while `Cookies` is `Medium` — confirm this is
/// deliberate for a saved-credential store.
pub(crate) static KAPE_FILE_CHROME_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_login_data",
name: "Chrome Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Login Data — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Media History` SQLite database at the profile root: media playback
/// records with origins and watch times, an additional browsing timeline that
/// survives ordinary history clearing less reliably than `History`.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_2",
name: "Chrome Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Media History — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Network Action Predictor` SQLite database: omnibox text typed by the user
/// paired with the URL Chrome predicted/preconnected to. Valuable because it records
/// partial typing, which `History` does not.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_4",
name: "Chrome Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Action Predictor — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Network Persistent State` (JSON) at the profile root — the older
/// placement; newer builds store it under the `Network\` subfolder, which
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE` is meant to cover. Holds persisted
/// network-stack state such as per-server HTTP properties.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_3",
name: "Chrome Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Persistent State — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
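/// Chrome `Network Persistent State` (JSON) in the newer `Network\` profile
/// subfolder; the older profile-root placement is `KAPE_FILE_NETWORK_PERSISTENT_STATE_3`.
///
/// The generated path read `...\*\NetworkNetwork Persistent State`, a file name that
/// does not exist: the tkape `Path` (`...\Network\`) and `FileMask`
/// (`Network Persistent State`) appear to have been joined without a separator, so the
/// descriptor would never match anything. The separator is restored here; the `id`
/// keeps its generated form so existing references stay valid. The root cause belongs
/// in the `ingest` crate — confirm against the upstream target listed in `sources`,
/// and expect this hand edit to be lost on regeneration until that is fixed.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state",
name: "Chrome Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `Network\` subfolder + file name; the separator was missing in the generated output.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Persistent State — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};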
/// Chrome `Preferences` file (JSON) at the profile root: profile settings, the
/// installed-extension list, and site permissions. Worth reviewing for extension
/// installs and changed defaults (proxy, homepage, search engine) during an intrusion.
pub(crate) static KAPE_FILE_CHROME_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_preferences",
name: "Chrome Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Preferences — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `QuotaManager` SQLite database at the profile root (older placement):
/// per-origin storage-quota bookkeeping, which lists origins that used client-side
/// storage even when their history rows are gone.
pub(crate) static KAPE_FILE_QUOTAMANAGER_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_3",
name: "Chrome Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Quota Manager — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
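/// Chrome `QuotaManager` SQLite database in the newer `WebStorage\` profile
/// subfolder; the older profile-root placement is `KAPE_FILE_QUOTAMANAGER_3`.
///
/// The generated path read `...\*\WebStorageQuotaManager*`: the tkape `Path`
/// (`...\WebStorage\`) and `FileMask` (`QuotaManager*`) appear to have been joined
/// without a separator, so the glob could not match the real file. The separator is
/// restored here; the `id` keeps its generated form so existing references stay valid.
/// The root cause belongs in the `ingest` crate — confirm against the upstream target
/// listed in `sources`, and expect this hand edit to be lost on regeneration.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager",
name: "Chrome Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `WebStorage\` subfolder + file mask; the separator was missing in the generated output.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\WebStorage\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Quota Manager — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};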
/// Chrome `Reporting and NEL` SQLite database at the profile root (older placement):
/// Reporting-API endpoints and Network Error Logging policies received from visited
/// origins, which can name origins contacted outside normal navigation.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_3",
name: "Chrome Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Reporting and NEL — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
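/// Chrome `Reporting and NEL` SQLite database in the newer `Network\` profile
/// subfolder; the older profile-root placement is `KAPE_FILE_REPORTING_AND_NEL_3`.
///
/// The generated path read `...\*\NetworkReporting and NEL*`: the tkape `Path`
/// (`...\Network\`) and `FileMask` (`Reporting and NEL*`) appear to have been joined
/// without a separator, so the glob could not match the real file. The separator is
/// restored here; the `id` keeps its generated form so existing references stay valid.
/// The root cause belongs in the `ingest` crate — confirm against the upstream target
/// listed in `sources`, and expect this hand edit to be lost on regeneration.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel",
name: "Chrome Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `Network\` subfolder + file mask; the separator was missing in the generated output.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network\\Reporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Reporting and NEL — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};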
/// Chrome `Shortcuts` SQLite database at the profile root: omnibox shortcut
/// suggestions (typed text mapped to previously chosen URLs), another record of user
/// typing that is independent of `History`.
pub(crate) static KAPE_FILE_CHROME_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_shortcuts",
name: "Chrome Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Shortcuts — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Top Sites` SQLite database at the profile root (most-visited tiles on the
/// new-tab page); the current-layout counterpart of `KAPE_FILE_TOP_SITES_4`.
pub(crate) static KAPE_FILE_CHROME_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_top_sites",
name: "Chrome Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Top Sites — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Trust Tokens` SQLite database at the profile root (older placement):
/// Privacy Sandbox trust-token issuer state, which records issuer origins the
/// profile has interacted with.
pub(crate) static KAPE_FILE_TRUST_TOKENS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_2",
name: "Chrome Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Trust Tokens — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
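/// Chrome `Trust Tokens` SQLite database in the newer `Network\` profile subfolder;
/// the older profile-root placement is `KAPE_FILE_TRUST_TOKENS_2`.
///
/// The generated path read `...\*\NetworkTrust Tokens*`: the tkape `Path`
/// (`...\Network\`) and `FileMask` (`Trust Tokens*`) appear to have been joined
/// without a separator, so the glob could not match the real file. The separator is
/// restored here; the `id` keeps its generated form so existing references stay valid.
/// The root cause belongs in the `ingest` crate — confirm against the upstream target
/// listed in `sources`, and expect this hand edit to be lost on regeneration.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networktrust_tokens",
name: "Chrome Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `Network\` subfolder + file mask; the separator was missing in the generated output.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Trust Tokens — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};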
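/// Chrome `SyncData.sqlite3` database in the `Sync Data\` profile subfolder: local
/// state of Chrome Sync, which may reference synced history, bookmarks and
/// passwords tied to the signed-in account.
///
/// The generated path read `...\*\Sync DataSyncData.sqlite3`: the tkape `Path`
/// (`...\Sync Data\`) and `FileMask` (`SyncData.sqlite3`) appear to have been joined
/// without a separator, so the descriptor could not match the real file. The
/// separator is restored here; the `id` keeps its generated form so existing
/// references stay valid. The root cause belongs in the `ingest` crate — confirm
/// against the upstream target listed in `sources`, and expect this hand edit to be
/// lost on regeneration.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3",
name: "Chrome SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `Sync Data\` subfolder + file name; the separator was missing in the generated output.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome SyncData Database — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};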
/// Chrome `Visited Links` hash table at the profile root; current-layout counterpart
/// of `KAPE_FILE_VISITED_LINKS_4`. Stores URL fingerprints only, so it confirms a
/// candidate URL was visited rather than enumerating visits.
pub(crate) static KAPE_FILE_CHROME_VISITED_LINKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_visited_links",
name: "Chrome Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Visited Links — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Web Data` SQLite database at the profile root (autofill, search engines,
/// and DPAPI-wrapped payment data); current-layout counterpart of
/// `KAPE_FILE_WEB_DATA_4`. Treat collected copies as personal data.
pub(crate) static KAPE_FILE_CHROME_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_web_data",
name: "Chrome Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Web Data — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `IndexedDB\` profile subfolder (directory collect, note the trailing `\`):
/// per-origin LevelDB stores used by web applications.
/// NOTE(review): `meaning` carries literal surrounding quote characters, which look
/// like the tkape `Comment` field's YAML quoting passed through the ingest unstripped;
/// same for the other comment-derived meanings in this file.
pub(crate) static KAPE_FILE_INDEXEDDB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb",
name: "Chrome IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\IndexedDB\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Collects IndexedDB (LevelDB) databases used by modern web applications to store data.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Local Storage\leveldb\` profile subfolder (directory collect): per-origin
/// DOM `localStorage` key/value data, which frequently holds session tokens and
/// application state for web apps.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_6",
name: "Chrome Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user DPAPI master-key directory (`Roaming\Microsoft\Protect\<SID>\`). The
/// Chrome target collects it so that DPAPI-wrapped browser secrets (Login Data,
/// Cookies, Web Data) can be decrypted offline by the examiner; the collected copy is
/// key material and must be stored and shared under the same controls as the
/// credentials it unlocks.
/// NOTE(review): `triage_priority: Low` and empty `evidence_caveats` seem inconsistent
/// with its sensitivity — confirm whether the generator should escalate this entry.
pub(crate) static KAPE_FILE_PROTECT_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_3",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `User Data\Snapshots\<version>\` folders (directory collect). Per the
/// upstream target comment these hold copies of profile databases taken at version
/// upgrades, so they can preserve history/cookie state that was later cleared from the
/// live profile.
pub(crate) static KAPE_FILE_SNAPSHOTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_2",
name: "Chrome Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `History` database under the SYSTEM account's profile
/// (`system32\config\systemprofile`). Browser history there is unusual — Chrome is
/// not normally driven interactively as SYSTEM — so any content usually indicates a
/// service or elevated process making web requests and deserves a close look.
/// NOTE(review): `id`/static name are cut at 30 characters (`..._histor`), apparently
/// an ingest truncation rule — confirm before anything keys on the id.
pub(crate) static KAPE_FILE_SYSTEM_CHROME_HISTOR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_chrome_histor",
name: "SYSTEM Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM Chrome History — collected by KAPE Chrome target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chrome.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `Bookmarks` file (JSON) under the Windows XP profile layout; from the
/// ChromeBeta target.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope;
/// the same applies to every `Documents and Settings` entry in this file.
pub(crate) static KAPE_FILE_BOOKMARKS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_4",
name: "Chrome Beta Bookmarks XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Bookmarks XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `Cookies` SQLite database under the Windows XP profile layout. Session
/// cookies are credential-equivalent; handle collected copies as sensitive.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_COOKIES_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_4",
name: "Chrome Beta Cookies XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Cookies XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `Current Session` file (SNSS format) under the Windows XP profile
/// layout.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_CURRENT_SESSION_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_4",
name: "Chrome Beta Current Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Current Session XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `Current Tabs` file (SNSS format) under the Windows XP profile layout.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_CURRENT_TABS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_4",
name: "Chrome Beta Current Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Current Tabs XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `Favicons` SQLite database under the Windows XP profile layout; its
/// icon-to-URL mapping can outlive deleted `History` rows.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_FAVICONS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_5",
name: "Chrome Beta Favicons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Favicons XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Beta `History` SQLite database (URLs, visits, downloads) under the Windows
/// XP profile layout; the trailing `*` also matches the journal file.
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — confirm the intended scope.
pub(crate) static KAPE_FILE_HISTORY_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_5",
name: "Chrome Beta History XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta History XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Last Session` file under
/// the pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_LAST_SESSION_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_3",
name: "Chrome Beta Last Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Last Session XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Last Tabs` file under the
/// pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_LAST_TABS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_3",
name: "Chrome Beta Last Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Last Tabs XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Login Data` file (the
/// browser's saved-credentials store) under the pre-Vista profile layout.
///
/// Handling note: a collection containing this file is credential material
/// and should be treated as sensitive evidence (restricted access, encrypted
/// at rest). `evidence_caveats` is empty here because the generator does not
/// populate it; the sensitivity is worth carrying in the descriptor.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows. Also note the mask here is
/// `Login Data` (exact) while the modern sibling uses `Login Data*`.
pub(crate) static KAPE_FILE_LOGIN_DATA_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_5",
name: "Chrome Beta Login Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Login Data XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
// Low for a credential store — presumably inherited from the target's default; review.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Preferences` file under
/// the pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_PREFERENCES_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_5",
name: "Chrome Beta Preferences XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Preferences XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Shortcuts*` files under the
/// pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_SHORTCUTS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_5",
name: "Chrome Beta Shortcuts XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Shortcuts XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Top Sites*` files under the
/// pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_TOP_SITES_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_5",
name: "Chrome Beta Top Sites XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Top Sites XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Visited Links` file under
/// the pre-Vista (`Documents and Settings`) profile layout.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_VISITED_LINKS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_5",
name: "Chrome Beta Visited Links XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Visited Links XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Web Data*` files (autofill /
/// form data store) under the pre-Vista (`Documents and Settings`) profile
/// layout. Treat as personal data in any collection output.
///
/// NOTE(review): XP-era path with `os_scope: OsScope::Win7Plus` — confirm the
/// generator's OS-scope mapping for "XP" rows.
pub(crate) static KAPE_FILE_WEB_DATA_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_5",
name: "Chrome Beta Web Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Beta\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Web Data XP — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Bookmarks*` files from every
/// profile directory (`User Data\*`) under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_BOOKMARK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_bookmark",
name: "Chrome Beta Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Bookmarks — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Cookies*` files from every
/// profile directory under the user's `AppData\Local`.
///
/// Handling note: cookie databases hold live session tokens; a collection
/// containing them should be access-restricted and encrypted at rest like the
/// `Login Data` entries. `evidence_caveats` is left empty by the generator.
pub(crate) static KAPE_FILE_CHROME_BETA_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_cookies",
name: "Chrome Beta Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Cookies — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Current Session` file from
/// every profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_CURRENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_current",
name: "Chrome Beta Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Current Session — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Current Tabs` file from
/// every profile directory under the user's `AppData\Local`.
///
/// NOTE(review): the `_2_2` suffix suggests the generator's de-duplication ran
/// twice over the same base id; harmless, but worth checking in the ingest.
pub(crate) static KAPE_FILE_CURRENT_TABS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_2_2",
name: "Chrome Beta Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Current Tabs — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `DownloadMetadata` file from
/// every profile directory under the user's `AppData\Local`. Rated `Medium`
/// alongside the History entries.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_4",
name: "Chrome Beta Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\DownloadMetadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Download Metadata — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Extension Cookies*` files from
/// every profile directory under the user's `AppData\Local`.
///
/// Handling note: like the main cookie store, this may hold session tokens;
/// treat the collection output as sensitive.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_3",
name: "Chrome Beta Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Extension Cookies — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Favicons*` files from every
/// profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_favicons",
name: "Chrome Beta Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Favicons — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `History*` databases from every
/// profile directory under the user's `AppData\Local`. Rated `Medium`.
pub(crate) static KAPE_FILE_CHROME_BETA_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_history",
name: "Chrome Beta History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta History — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Last Session` file from
/// every profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_LAST_SES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_last_ses",
name: "Chrome Beta Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Last Session — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Last Tabs` file from every
/// profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_LAST_TAB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_last_tab",
name: "Chrome Beta Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Last Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Last Tabs — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the whole `Sessions\` directory (trailing
/// separator — a folder target, not a file mask) from every profile directory
/// under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_SESSIONS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_4",
name: "Chrome Beta Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Sessions Folder — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Login Data*` files (the
/// browser's saved-credentials store) from every profile directory under the
/// user's `AppData\Local`.
///
/// Handling note: this is credential material. Together with the user's
/// `Protect` folder (collected by the same target) the output is sufficient to
/// recover saved passwords offline, so the collection must be access-restricted
/// and encrypted at rest. `evidence_caveats` is empty because the generator
/// does not populate it; a `Low` triage priority for a credential store also
/// looks like the target's default rather than a deliberate rating — review.
pub(crate) static KAPE_FILE_CHROME_BETA_LOGIN_DA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_login_da",
name: "Chrome Beta Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Login Data — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Media History*` databases from
/// every profile directory under the user's `AppData\Local`. Rated `Medium`.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_3",
name: "Chrome Beta Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Media History — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Network Action Predictor*`
/// files from every profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_5",
name: "Chrome Beta Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Network Action Predictor — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Network Persistent State`
/// file directly under each profile directory (`User Data\*`). A second entry,
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2`, carries the same `name` and
/// `meaning` with a malformed path; see the note there.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_4",
name: "Chrome Beta Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Network Persistent State — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: `Network Persistent State` — this row is
/// the variant whose source path points into a `Network` sub-directory.
///
/// NOTE(review): the final path component `NetworkNetwork Persistent State`
/// looks like an ingest join defect — a `Network` sub-directory and the file
/// mask `Network Persistent State` concatenated without a path separator. As
/// written the glob cannot match anything and the entry silently collects
/// nothing. The same pattern appears in `KAPE_FILE_NETWORKREPORTING_AND_NEL_2`,
/// `KAPE_FILE_NETWORKTRUST_TOKENS_2` and `KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_2`.
/// Fix the Path/FileMask join in the generator and regenerate; do not hand-edit.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_2",
name: "Chrome Beta Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Suspect path: missing separator between `Network` and the file mask (see doc above).
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\NetworkNetwork Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Network Persistent State — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Preferences` file from
/// every profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_PREFEREN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_preferen",
name: "Chrome Beta Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Preferences — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `QuotaManager*` files from every
/// profile directory under the user's `AppData\Local`. Shares its `name` with
/// `KAPE_FILE_WEBSTORAGEQUOTAMANAGER_2` (different file mask); ids are distinct.
pub(crate) static KAPE_FILE_QUOTAMANAGER_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_4",
name: "Chrome Beta Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Quota Manager — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `WebStorageQuotaManager*` files
/// from every profile directory under the user's `AppData\Local`.
///
/// NOTE(review): the mask has the same concatenated shape as the known join
/// defects in this target (`WebStorage` + `QuotaManager*`); unlike those, this
/// may be a genuine file name — confirm against the source target before
/// changing the generator.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager_2",
name: "Chrome Beta Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\WebStorageQuotaManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Quota Manager — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Reporting and NEL*` files
/// directly under each profile directory. A second entry,
/// `KAPE_FILE_NETWORKREPORTING_AND_NEL_2`, carries the same `name` with a
/// malformed path; see the note there.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_4",
name: "Chrome Beta Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Reporting and NEL — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: `Reporting and NEL` — the variant whose
/// source path points into a `Network` sub-directory.
///
/// NOTE(review): `NetworkReporting and NEL*` looks like an ingest join defect
/// (a `Network` sub-directory and the mask `Reporting and NEL*` concatenated
/// without a separator); as written the glob cannot match. Same defect as
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2`. Fix in the generator.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel_2",
name: "Chrome Beta Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Suspect path: missing separator between `Network` and the file mask (see doc above).
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\NetworkReporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Reporting and NEL — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Shortcuts*` files from every
/// profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_SHORTCUT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_shortcut",
name: "Chrome Beta Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Shortcuts — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Top Sites*` files from every
/// profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_TOP_SITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_top_site",
name: "Chrome Beta Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Top Sites — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Trust Tokens*` files directly
/// under each profile directory. A second entry,
/// `KAPE_FILE_NETWORKTRUST_TOKENS_2`, carries the same `name` with a malformed
/// path; see the note there.
pub(crate) static KAPE_FILE_TRUST_TOKENS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_3",
name: "Chrome Beta Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Trust Tokens — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: `Trust Tokens` — the variant whose source
/// path points into a `Network` sub-directory.
///
/// NOTE(review): `NetworkTrust Tokens*` looks like an ingest join defect (a
/// `Network` sub-directory and the mask `Trust Tokens*` concatenated without a
/// separator); as written the glob cannot match. Same defect as
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2`. Fix in the generator.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networktrust_tokens_2",
name: "Chrome Beta Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Suspect path: missing separator between `Network` and the file mask (see doc above).
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\NetworkTrust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Trust Tokens — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `SyncData.sqlite3` database
/// whose source path points into a `Sync Data` sub-directory.
///
/// NOTE(review): `Sync DataSyncData.sqlite3` looks like an ingest join defect
/// (the `Sync Data` sub-directory and the file name `SyncData.sqlite3`
/// concatenated without a separator); as written the path cannot match. Same
/// defect as `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2`. Fix in the generator.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_2",
name: "Chrome Beta SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Suspect path: missing separator between `Sync Data` and the file name (see doc above).
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Sync DataSyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta SyncData Database — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the Chrome Beta `Visited Links` file from
/// every profile directory under the user's `AppData\Local`.
pub(crate) static KAPE_FILE_CHROME_BETA_VISITED: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_visited",
name: "Chrome Beta Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Visited Links — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: Chrome Beta `Web Data*` files (autofill /
/// form data store) from every profile directory under the user's
/// `AppData\Local`. Treat as personal data in any collection output.
pub(crate) static KAPE_FILE_CHROME_BETA_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_beta_web_data",
name: "Chrome Beta Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta Web Data — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the whole `IndexedDB\` directory (folder
/// target) from every profile directory under the user's `AppData\Local`.
///
/// NOTE(review): `meaning` here is the target's own comment text and still
/// carries its surrounding double quotes (`"\"Collects ...\""`), unlike the
/// synthesised `… — collected by KAPE ChromeBeta target` strings elsewhere.
/// The ingest should strip the YAML quoting; fix in the generator.
pub(crate) static KAPE_FILE_INDEXEDDB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_2",
name: "Chrome Beta IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\IndexedDB\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Embedded quotes are a generator artifact (see doc above).
meaning:
"\"Collects IndexedDB (LevelDB) databases used by modern web applications to store data.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the `Local Storage\leveldb\` directory
/// (folder target) from every profile directory under the user's
/// `AppData\Local`.
///
/// NOTE(review): `meaning` keeps the source target's surrounding double quotes
/// (`"\"Collects ...\""`); the ingest should strip the YAML quoting.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_7",
name: "Chrome Beta Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Embedded quotes are a generator artifact (see doc above).
meaning: "\"Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the user's `AppData\Roaming\Microsoft\Protect\*\`
/// directory, which the source target annotates as "Required for offline
/// decryption" — i.e. the user's DPAPI master-key files, collected so that the
/// DPAPI-protected browser stores (`Login Data`, `Cookies`) can be examined
/// offline.
///
/// Handling note: this is key material, not a browser artifact. A collection
/// that contains it together with `Login Data` is equivalent to the user's
/// saved passwords in the clear for anyone holding it, so the output must be
/// access-restricted, encrypted at rest and covered by the evidence chain of
/// custody. The generator leaves `evidence_caveats` empty and rates the entry
/// `Low`; both deserve a deliberate value rather than the target default.
///
/// NOTE(review): `meaning` keeps the source target's surrounding double
/// quotes; the ingest should strip the YAML quoting.
pub(crate) static KAPE_FILE_PROTECT_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_4",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
// Key material rated Low — see handling note above.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ChromeBeta` target entry: the `User Data\Snapshots\*\` directories
/// (folder target), which the source target describes as per-version snapshots
/// of the Chrome SQLite databases. Note this sits beside, not inside, the
/// per-profile `User Data\*` directories used by the other entries.
///
/// NOTE(review): `meaning` keeps the source target's surrounding double
/// quotes; the ingest should strip the YAML quoting.
pub(crate) static KAPE_FILE_SNAPSHOTS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_3",
name: "Chrome Beta Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Beta\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeBeta target: Chrome Beta `History*` under the LocalSystem profile
/// (`system32\config\systemprofile`), not a user profile.
///
/// Browsing history existing here at all means the browser ran under SYSTEM, which
/// is unusual on a workstation and typically points at a service, scheduled task or
/// post-exploitation tooling driving the browser — hence the Medium priority. That
/// inference is not recorded in `evidence_caveats`; consider adding it in the ingest.
pub(crate) static KAPE_FILE_SYSTEM_CHROME_BETA_H: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_chrome_beta_h",
name: "SYSTEM Chrome Beta History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome Beta\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM Chrome Beta History — collected by KAPE ChromeBeta target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeBeta.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Bookmarks*` under the Windows XP profile root
/// (`Documents and Settings\...\Local Settings\Application Data`).
///
/// NOTE(review): the path is XP-era but `os_scope` is `Win7Plus`; the generator
/// presumably emits a single default. Confirm whether `OsScope` has a legacy variant
/// before using this field to filter collections by OS.
pub(crate) static KAPE_FILE_BOOKMARKS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_5",
name: "Chrome Dev Bookmarks XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Bookmarks XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Cookies*` under the Windows XP profile root.
///
/// Cookie databases hold live session tokens; treat the collected copy as sensitive
/// evidence (access-controlled storage, no sharing outside the case).
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_COOKIES_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_5",
name: "Chrome Dev Cookies XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Cookies XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Current Session` (open-tab/session restore state) under
/// the Windows XP profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_CURRENT_SESSION_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_5",
name: "Chrome Dev Current Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Current Session XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Current Tabs` (session restore state) under the Windows XP
/// profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_CURRENT_TABS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_5",
name: "Chrome Dev Current Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Current Tabs XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Favicons*` database under the Windows XP profile root.
/// Favicon URL mappings can corroborate visits after `History` has been cleared.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_FAVICONS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_6",
name: "Chrome Dev Favicons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Favicons XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `History*` (URL visits and downloads) under the Windows XP
/// profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_HISTORY_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_6",
name: "Chrome Dev History XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev History XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Last Session` (previous session's tab state) under the
/// Windows XP profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_LAST_SESSION_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_4",
name: "Chrome Dev Last Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Last Session XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Last Tabs` (previous session's tab state) under the
/// Windows XP profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_LAST_TABS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_4",
name: "Chrome Dev Last Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Last Tabs XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Login Data` (the saved-password store) under the Windows
/// XP profile root.
///
/// The stored secrets are DPAPI-protected, but the file still identifies accounts and
/// sites; handle the collected copy as credential material.
/// NOTE(review): `triage_priority: Low` here against `Medium` for the Cookies entry
/// looks inconsistent for a credential store — confirm the ingest's priority mapping.
/// XP-era path with `os_scope: Win7Plus` — presumably a generator default.
pub(crate) static KAPE_FILE_LOGIN_DATA_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_6",
name: "Chrome Dev Login Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Login Data XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: the profile's `Preferences` file (JSON) under the Windows
/// XP profile root. Worth reviewing for installed extensions and changed defaults
/// (search/home page) during triage.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_PREFERENCES_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_6",
name: "Chrome Dev Preferences XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Preferences XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Shortcuts*` (omnibox typed-text shortcuts) under the
/// Windows XP profile root; records what the user typed into the address bar.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_SHORTCUTS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_6",
name: "Chrome Dev Shortcuts XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Shortcuts XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Top Sites*` (most-visited thumbnails/URLs) under the
/// Windows XP profile root.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_TOP_SITES_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_6",
name: "Chrome Dev Top Sites XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Top Sites XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Visited Links` (hashed visited-URL table) under the
/// Windows XP profile root; confirms a URL was visited but stores hashes, not URLs.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_VISITED_LINKS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_6",
name: "Chrome Dev Visited Links XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Visited Links XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Web Data*` (autofill, saved addresses/payment entries,
/// search engines) under the Windows XP profile root. Autofill content is personal
/// data; handle the collected copy accordingly.
///
/// NOTE(review): XP-era path with `os_scope: Win7Plus` — presumably a generator
/// default; confirm against the `OsScope` enum.
pub(crate) static KAPE_FILE_WEB_DATA_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_6",
name: "Chrome Dev Web Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome Dev\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Web Data XP — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Bookmarks*` (JSON) under the user's
/// `AppData\Local` Chrome Dev `User Data` folder.
pub(crate) static KAPE_FILE_CHROME_DEV_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_bookmarks",
name: "Chrome Dev Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Bookmarks — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Cookies*` SQLite database.
///
/// Contains live session tokens (values DPAPI/AES-wrapped on disk, but recoverable
/// with the user's DPAPI keys); store the collected copy under credential-grade
/// controls and record the chain of custody.
pub(crate) static KAPE_FILE_CHROME_DEV_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_cookies",
name: "Chrome Dev Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Cookies — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Current Session` (SNSS session-restore state
/// for the running/last-open session).
pub(crate) static KAPE_FILE_CHROME_DEV_CURRENT_S: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_current_s",
name: "Chrome Dev Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Current Session — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Current Tabs` (SNSS tab state for the
/// running/last-open session).
pub(crate) static KAPE_FILE_CHROME_DEV_CURRENT_T: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_current_t",
name: "Chrome Dev Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Current Tabs — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `DownloadMetadata` file. Pairs with the
/// `downloads` table in `History*` when reconstructing what was fetched and from
/// where; Medium priority reflects its value for initial-access triage.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_5",
name: "Chrome Dev Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\DownloadMetadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Download Metadata — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Extension Cookies*` database — cookies set in
/// extension contexts rather than by visited sites. Same sensitivity as `Cookies*`
/// (session material); useful when a malicious or side-loaded extension is suspected.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_4",
name: "Chrome Dev Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Extension Cookies — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Favicons*` database; its URL-to-icon mapping
/// can corroborate visits after `History*` has been cleared.
pub(crate) static KAPE_FILE_CHROME_DEV_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_favicons",
name: "Chrome Dev Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Favicons — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `History*` SQLite database (URL visits,
/// downloads, keyword searches). The `*` also picks up the `-journal`/WAL side files,
/// which matter for recovering deleted rows.
pub(crate) static KAPE_FILE_CHROME_DEV_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_history",
name: "Chrome Dev History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev History — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Last Session` (SNSS state of the previous
/// browsing session).
pub(crate) static KAPE_FILE_CHROME_DEV_LAST_SESS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_last_sess",
name: "Chrome Dev Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Last Session — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Last Tabs` (SNSS tab state of the previous
/// browsing session).
pub(crate) static KAPE_FILE_CHROME_DEV_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_last_tabs",
name: "Chrome Dev Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Last Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Last Tabs — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: the per-profile `Sessions\` directory (newer Chrome keeps
/// timestamped `Session_*`/`Tabs_*` SNSS files here instead of the flat
/// `Current Session`/`Last Session` files).
pub(crate) static KAPE_FILE_SESSIONS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_5",
name: "Chrome Dev Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Sessions Folder — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Login Data*` — the saved-password store.
///
/// Passwords are DPAPI/AES-wrapped on disk but the rows still reveal accounts and
/// sites, and the file is decryptable together with the user's DPAPI master keys;
/// treat the collected copy as credential material.
/// NOTE(review): `triage_priority: Low` next to `Medium` for `Cookies*` looks
/// inconsistent for a credential store — confirm the ingest's priority mapping.
pub(crate) static KAPE_FILE_CHROME_DEV_LOGIN_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_login_dat",
name: "Chrome Dev Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Login Data — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Media History*` SQLite database (media
/// playback/session records per origin) — a secondary source of visited origins.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_4",
name: "Chrome Dev Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Media History — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Network Action Predictor*` database — the
/// omnibox prefetch predictor, which stores typed text and the URL it resolved to,
/// so it can preserve address-bar input even after history is cleared.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_6",
name: "Chrome Dev Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Network Action Predictor — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Network Persistent State` at the profile root (older
/// Chrome layout; newer builds keep it under the `Network\` subfolder, covered by
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_3`). Records per-host network
/// properties such as HSTS/QUIC/HTTP2 support — a list of hosts contacted.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_5",
name: "Chrome Dev Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Network Persistent State — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
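/// KAPE ChromeDev target: `Network Persistent State` under the per-profile
/// `Network\` subfolder (newer Chrome layout; the profile-root location is
/// `KAPE_FILE_NETWORK_PERSISTENT_STATE_5`).
///
/// The generated `file_path` read `...\*\NetworkNetwork Persistent State`, which is
/// presumably the target's `Path` (ending in `Network`) joined to its `FileMask`
/// with no separator; such a path can never match on disk, so the collector would
/// silently skip the artifact. The separator is restored here. The same join bug
/// should be fixed in the ingest so the next regeneration does not revert this;
/// the `id` is left as emitted so existing cross-references keep resolving.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_3",
name: "Chrome Dev Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Network\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Network Persistent State — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};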
/// KAPE ChromeDev target: the per-profile `Preferences` JSON. Review for installed
/// extensions, changed search/home-page defaults and proxy/policy-related settings
/// when browser tampering is suspected.
pub(crate) static KAPE_FILE_CHROME_DEV_PREFERENC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_preferenc",
name: "Chrome Dev Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Preferences — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `QuotaManager*` at the profile root (older Chrome layout;
/// newer builds keep it under `WebStorage\`, covered by
/// `KAPE_FILE_WEBSTORAGEQUOTAMANAGER_3`). Lists origins that used storage APIs,
/// with usage and last-access timestamps.
pub(crate) static KAPE_FILE_QUOTAMANAGER_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_5",
name: "Chrome Dev Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Quota Manager — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
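/// KAPE ChromeDev target: `QuotaManager*` under the per-profile `WebStorage\`
/// subfolder (newer Chrome layout; the profile-root location is
/// `KAPE_FILE_QUOTAMANAGER_5`).
///
/// The generated `file_path` read `...\*\WebStorageQuotaManager*`, which is
/// presumably the target's `Path` (ending in `WebStorage`) joined to its `FileMask`
/// with no separator; such a path can never match on disk, so the collector would
/// silently skip the artifact. The separator is restored here. The same join bug
/// should be fixed in the ingest so the next regeneration does not revert this;
/// the `id` is left as emitted so existing cross-references keep resolving.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager_3",
name: "Chrome Dev Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\WebStorage\\QuotaManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Quota Manager — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};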
/// KAPE ChromeDev target: `Reporting and NEL*` at the profile root (older Chrome
/// layout; newer builds keep it under `Network\`, covered by
/// `KAPE_FILE_NETWORKREPORTING_AND_NEL_3`). Holds Reporting-API / Network Error
/// Logging policies received from origins — another record of hosts contacted.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_5",
name: "Chrome Dev Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Reporting and NEL — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
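/// KAPE ChromeDev target: `Reporting and NEL*` under the per-profile `Network\`
/// subfolder (newer Chrome layout; the profile-root location is
/// `KAPE_FILE_REPORTING_AND_NEL_5`).
///
/// The generated `file_path` read `...\*\NetworkReporting and NEL*`, which is
/// presumably the target's `Path` (ending in `Network`) joined to its `FileMask`
/// with no separator; such a path can never match on disk, so the collector would
/// silently skip the artifact. The separator is restored here. The same join bug
/// should be fixed in the ingest so the next regeneration does not revert this;
/// the `id` is left as emitted so existing cross-references keep resolving.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel_3",
name: "Chrome Dev Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Network\\Reporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Reporting and NEL — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};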
/// KAPE ChromeDev target: per-profile `Shortcuts*` database (omnibox typed-text to
/// URL shortcuts); preserves what the user typed into the address bar.
pub(crate) static KAPE_FILE_CHROME_DEV_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_shortcuts",
name: "Chrome Dev Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Shortcuts — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: per-profile `Top Sites*` database (most-visited entries
/// shown on the new-tab page).
pub(crate) static KAPE_FILE_CHROME_DEV_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_dev_top_sites",
name: "Chrome Dev Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Top Sites — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE ChromeDev target: `Trust Tokens*` at the profile root (older Chrome layout;
/// newer builds keep it under `Network\`, covered by
/// `KAPE_FILE_NETWORKTRUST_TOKENS_3`). Private State / Trust Token issuer state —
/// low evidentiary value on its own, but it names issuer origins contacted.
pub(crate) static KAPE_FILE_TRUST_TOKENS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_4",
name: "Chrome Dev Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome Dev\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev Trust Tokens — collected by KAPE ChromeDev target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
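/// `Trust Tokens*` files under the `Network` subdirectory of each Chrome Dev
/// profile.
///
/// Fix: the generated path read `...\*\NetworkTrust Tokens*` — the KAPE
/// entry's directory (`Network\`) and file mask (`Trust Tokens*`) had been
/// joined without a path separator, so the glob could never match anything
/// on disk. The `id` (which still carries the fused spelling) is left alone
/// because other tables may key on it. The ingest join should be fixed as
/// well, otherwise regeneration will reintroduce the bad path.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_networktrust_tokens_3",
    name: "Chrome Dev Trust Tokens",
    meaning: "Chrome Dev Trust Tokens — collected by KAPE ChromeDev target",
    // location: directory and mask separated by a backslash
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Network\Trust Tokens*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};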
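/// `SyncData.sqlite3` inside the `Sync Data` subdirectory of each Chrome Dev
/// profile.
///
/// Fix: the generated path read `...\*\Sync DataSyncData.sqlite3` — the
/// KAPE entry's directory (`Sync Data\`) and file mask (`SyncData.sqlite3`)
/// had been concatenated without a separator, producing a filename that does
/// not exist. The `id` keeps its original spelling so existing references
/// remain valid; the ingest join needs the same fix or regeneration will undo
/// this.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_sync_datasyncdata_sqlite3_3",
    name: "Chrome Dev SyncData Database",
    meaning: "Chrome Dev SyncData Database — collected by KAPE ChromeDev target",
    // location: directory and mask separated by a backslash
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Sync Data\SyncData.sqlite3"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};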
/// The `Visited Links` file under each Chrome Dev profile (exact name, no
/// wildcard suffix).
///
/// Emitted from the KAPE `ChromeDev` target; plain file grab, identity decoder.
pub(crate) static KAPE_FILE_CHROME_DEV_VISITED_L: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_dev_visited_l",
    name: "Chrome Dev Visited Links",
    meaning: "Chrome Dev Visited Links — collected by KAPE ChromeDev target",
    // location
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Visited Links"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Web Data*` files under each Chrome Dev profile.
///
/// Emitted from the KAPE `ChromeDev` target; plain file grab, identity decoder.
pub(crate) static KAPE_FILE_CHROME_DEV_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_dev_web_data",
    name: "Chrome Dev Web Data",
    meaning: "Chrome Dev Web Data — collected by KAPE ChromeDev target",
    // location
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Web Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
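/// The whole `IndexedDB` directory under each Chrome Dev profile.
///
/// Fix: the `meaning` text carried the YAML quoting of the upstream
/// `Comment:` field verbatim (`"Collects IndexedDB ..."`), so the stray
/// double quotes showed up in any rendered output. They are stripped here;
/// the ingest should unquote `Comment:` values so regeneration does not
/// reintroduce them.
pub(crate) static KAPE_FILE_INDEXEDDB_3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_indexeddb_3",
    name: "Chrome Dev IndexedDB",
    meaning: "Collects IndexedDB (LevelDB) databases used by modern web applications to store data.",
    // location: a directory (trailing separator), not a single file
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\IndexedDB\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};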
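/// The `Local Storage\leveldb` directory under each Chrome Dev profile.
///
/// Fix: the `meaning` text carried the upstream YAML quotes verbatim; they
/// are stripped so the description renders cleanly. The ingest should unquote
/// `Comment:` values before emitting them.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_8: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_local_storage_leveldb_8",
    name: "Chrome Dev Local Storage",
    meaning: "Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Local Storage\leveldb\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};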
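/// The per-user `Microsoft\Protect\*` directory from the roaming profile.
///
/// The upstream comment ("Required for offline decryption") is the only
/// description KAPE gives; this is presumably the per-user DPAPI master-key
/// location that offline decryption of the browser's `Login Data` / `Cookies`
/// stores depends on — confirm before relying on it. Because the collected
/// copy is key material rather than evidence in its own right, it should be
/// handled as a secret (restricted storage, not attached to reports). The
/// `triage_priority` and `evidence_caveats` fields are left as generated; a
/// caveat to that effect belongs in `evidence_caveats` once the ingest can
/// populate it.
///
/// Fix: the `meaning` text carried the upstream YAML quotes verbatim; they
/// are stripped so the description renders cleanly.
pub(crate) static KAPE_FILE_PROTECT_5: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_protect_5",
    name: "Windows Protect Folder",
    meaning: "Required for offline decryption",
    // location: a directory (trailing separator), one subfolder per SID
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance: this entry is emitted by the ChromeDev target, not a
    // Windows-specific one, which is why it sits among the browser artifacts
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};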
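/// The `Snapshots\*` directory tree of the Chrome Dev user-data folder.
///
/// Note the path is one level above the per-profile wildcard used by the
/// other ChromeDev entries: `User Data\Snapshots\*\`, not `User Data\*\...`.
///
/// Fix: the `meaning` text carried the upstream YAML quotes verbatim; they
/// are stripped so the description renders cleanly.
pub(crate) static KAPE_FILE_SNAPSHOTS_4: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_snapshots_4",
    name: "Chrome Dev Snapshots Folder",
    meaning: "Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\Snapshots\*\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};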
/// `History*` files of Chrome Dev profiles living under the SYSTEM account's
/// profile (`system32\config\systemprofile`) rather than under `C:\Users`.
///
/// NOTE(review): a browser history under the SYSTEM profile is not produced by
/// an interactive user; a hit here suggests something running in SYSTEM
/// context drove the browser, which is why this entry is rated `Medium`
/// while the per-user ChromeDev entries are `Low`. Emitted from the KAPE
/// `ChromeDev` target.
pub(crate) static KAPE_FILE_SYSTEM_CHROME_DEV_HI: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_system_chrome_dev_hi",
    name: "SYSTEM Chrome Dev History",
    meaning: "SYSTEM Chrome Dev History — collected by KAPE ChromeDev target",
    // location: no %user% token — the SYSTEM profile path is fixed
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Dev\User Data\*\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeDev.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
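/// Extension `manifest.json` files for stable Chrome: extension id, version
/// and the permissions the extension asks for.
///
/// Fix: the generated path ended in `Extensions\"manifest.json"` — the YAML
/// quotes around KAPE's `FileMask` leaked into the path. `"` is not a legal
/// character in a Windows file name, so that glob could never match; the
/// quotes are removed here. The ingest should unquote `FileMask` values.
///
/// NOTE(review): the upstream KAPE entry is declared recursive, and manifests
/// live two directory levels below `Extensions\` (compare the sibling
/// `messages.json` entry, whose path spells out `Extensions\*\*\...`). If this
/// catalog's matcher is not recursive, this mask needs the same `*\*\`
/// prefix — confirm against the ingest before changing it.
///
/// NOTE(review): `mitre_techniques` is empty; browser-extension persistence
/// is a natural candidate mapping for this entry once the ingest can emit
/// technique ids.
pub(crate) static KAPE_FILE_EXTENSIONS_MANIFEST_JSON: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_extensions_manifest_json",
    name: "Chrome Browser Extension manifest.json (Extension ID, Version, Permissions)",
    meaning: "Chrome Browser Extension manifest.json (Extension ID, Version, Permissions) — collected by KAPE ChromeExtension_Metadata target",
    // location: quotes stripped from the file mask
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Extensions\manifest.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};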
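/// English-locale `messages.json` of every stable-Chrome extension: the
/// human-readable name and description shown to the user.
///
/// Fix: the generated path ended in `_locales\en\"messages.json"` — the YAML
/// quotes around KAPE's `FileMask` leaked into the path and made it
/// unmatchable (`"` is invalid in Windows file names). The quotes are
/// removed; the ingest should unquote `FileMask` values so regeneration does
/// not reintroduce them.
///
/// Only the `en` locale is collected, as upstream; extensions shipping other
/// locales will be missed by this entry.
pub(crate) static KAPE_FILE_EN_MESSAGES_JSON: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_en_messages_json",
    name: "Chrome Browser Extension messages.json (Friendly Name and Description)",
    meaning: "Chrome Browser Extension messages.json (Friendly Name and Description) — collected by KAPE ChromeExtension_Metadata target",
    // location: Extensions\<id>\<version>\_locales\en\messages.json
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\_locales\en\messages.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};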
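/// Extension `manifest.json` files for Chrome Beta (extension id, version,
/// requested permissions).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`Extensions\"manifest.json"`), which cannot match any Windows file name;
/// they are removed here and the ingest should unquote `FileMask` values.
///
/// NOTE(review): upstream declares this entry recursive and manifests live
/// two levels below `Extensions\`; if the catalog's matcher is not recursive
/// the mask needs a `*\*\` prefix like the sibling `messages.json` entry —
/// confirm against the ingest.
pub(crate) static KAPE_FILE_CHROME_BETA_BROWSER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_beta_browser",
    name: "Chrome Beta Browser Extension manifest.json (Extension ID, Version, Permissions)",
    meaning: "Chrome Beta Browser Extension manifest.json (Extension ID, Version, Permissions) — collected by KAPE ChromeExtension_Metadata target",
    // location: quotes stripped from the file mask
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Beta\User Data\*\Extensions\manifest.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};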
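/// English-locale `messages.json` of every Chrome Beta extension (friendly
/// name and description).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`...\en\"messages.json"`), making it unmatchable; they are removed here.
/// The ingest should unquote `FileMask` values. Only the `en` locale is
/// collected, as upstream.
pub(crate) static KAPE_FILE_EN_MESSAGES_JSON_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_en_messages_json_2",
    name: "Chrome Beta Browser Extension messages.json (Friendly Name and Description)",
    meaning: "Chrome Beta Browser Extension messages.json (Friendly Name and Description) — collected by KAPE ChromeExtension_Metadata target",
    // location: Extensions\<id>\<version>\_locales\en\messages.json
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Beta\User Data\*\Extensions\*\*\_locales\en\messages.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};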
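/// Extension `manifest.json` files for Chrome Dev (extension id, version,
/// requested permissions).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`Extensions\"manifest.json"`), which cannot match any Windows file name;
/// they are removed here and the ingest should unquote `FileMask` values.
///
/// NOTE(review): upstream declares this entry recursive and manifests live
/// two levels below `Extensions\`; if the catalog's matcher is not recursive
/// the mask needs a `*\*\` prefix like the sibling `messages.json` entry —
/// confirm against the ingest.
pub(crate) static KAPE_FILE_CHROME_DEV_BROWSER_E: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_dev_browser_e",
    name: "Chrome Dev Browser Extension manifest.json (Extension ID, Version, Permissions)",
    meaning: "Chrome Dev Browser Extension manifest.json (Extension ID, Version, Permissions) — collected by KAPE ChromeExtension_Metadata target",
    // location: quotes stripped from the file mask
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Extensions\manifest.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};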
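/// English-locale `messages.json` of every Chrome Dev extension (friendly
/// name and description).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`...\en\"messages.json"`), making it unmatchable; they are removed here.
/// The ingest should unquote `FileMask` values. Only the `en` locale is
/// collected, as upstream.
pub(crate) static KAPE_FILE_EN_MESSAGES_JSON_3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_en_messages_json_3",
    name: "Chrome Dev Browser Extension messages.json (Friendly Name and Description)",
    meaning: "Chrome Dev Browser Extension messages.json (Friendly Name and Description) — collected by KAPE ChromeExtension_Metadata target",
    // location: Extensions\<id>\<version>\_locales\en\messages.json
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Extensions\*\*\_locales\en\messages.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};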
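/// Extension `manifest.json` files for Chrome SxS / Canary (extension id,
/// version, requested permissions).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`Extensions\"manifest.json"`), which cannot match any Windows file name;
/// they are removed here and the ingest should unquote `FileMask` values.
///
/// NOTE(review): upstream declares this entry recursive and manifests live
/// two levels below `Extensions\`; if the catalog's matcher is not recursive
/// the mask needs a `*\*\` prefix like the sibling `messages.json` entry —
/// confirm against the ingest.
pub(crate) static KAPE_FILE_CHROME_SXS_CANARY_BR: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_sxs_canary_br",
    name: "Chrome SxS - Canary Browser Extension manifest.json (Extension ID, Version, Permissions)",
    meaning: "Chrome SxS - Canary Browser Extension manifest.json (Extension ID, Version, Permissions) — collected by KAPE ChromeExtension_Metadata target",
    // location: quotes stripped from the file mask
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome SxS\User Data\*\Extensions\manifest.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};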
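/// English-locale `messages.json` of every Chrome SxS / Canary extension
/// (friendly name and description).
///
/// Fix: the YAML quotes around KAPE's `FileMask` had leaked into the path
/// (`...\en\"messages.json"`), making it unmatchable; they are removed here.
/// The ingest should unquote `FileMask` values. Only the `en` locale is
/// collected, as upstream.
pub(crate) static KAPE_FILE_EN_MESSAGES_JSON_4: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_en_messages_json_4",
    name: "Chrome SxS - Canary Browser Extension messages.json (Friendly Name and Description)",
    meaning: "Chrome SxS - Canary Browser Extension messages.json (Friendly Name and Description) — collected by KAPE ChromeExtension_Metadata target",
    // location: Extensions\<id>\<version>\_locales\en\messages.json
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome SxS\User Data\*\Extensions\*\*\_locales\en\messages.json"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtension_Metadata.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};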
/// The complete `Extensions` directory of every stable-Chrome profile (all
/// extension code and assets, not just metadata).
///
/// Emitted from the KAPE `ChromeExtensions` target. Compare the
/// `ChromeExtension_Metadata` entries in this file, which pull only
/// `manifest.json` / `messages.json`.
pub(crate) static KAPE_FILE_EXTENSIONS: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_extensions",
    name: "Chrome Extension Files",
    meaning: "Chrome Extension Files — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Extensions` directory of every stable-Chrome profile, Windows XP
/// profile layout (`Documents and Settings\...\Local Settings\Application
/// Data`).
///
/// NOTE(review): `os_scope` is `Win7Plus`, but this path only exists on the
/// XP-era layout — the generator appears to apply one default scope to every
/// entry. Whether `OsScope` has a variant for XP is not visible from here;
/// confirm and correct at the ingest rather than by hand.
pub(crate) static KAPE_FILE_CHROME_EXTENSION_FIL: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_extension_fil",
    name: "Chrome Extension Files XP",
    meaning: "Chrome Extension Files XP — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator), XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The complete `Extensions` directory of every Chrome Beta profile.
///
/// Emitted from the KAPE `ChromeExtensions` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_BETA_EXTENSIO: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_beta_extensio",
    name: "Chrome Beta Extension Files",
    meaning: "Chrome Beta Extension Files — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Beta\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Extensions` directory of every Chrome Beta profile, Windows XP
/// profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_EXTENSIONS_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_extensions_2",
    name: "Chrome Beta Extension Files XP",
    meaning: "Chrome Beta Extension Files XP — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator), XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome Beta\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The complete `Extensions` directory of every Chrome Dev profile.
///
/// Emitted from the KAPE `ChromeExtensions` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_DEV_EXTENSION: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_dev_extension",
    name: "Chrome Dev Extension Files",
    meaning: "Chrome Dev Extension Files — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Extensions` directory of every Chrome Dev profile, Windows XP
/// profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_EXTENSIONS_3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_extensions_3",
    name: "Chrome Dev Extension Files XP",
    meaning: "Chrome Dev Extension Files XP — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator), XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome Dev\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The complete `Extensions` directory of every Chrome SxS / Canary profile.
///
/// Emitted from the KAPE `ChromeExtensions` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_SXS_CANARY_EX: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_sxs_canary_ex",
    name: "Chrome SxS - Canary Extension Files",
    meaning: "Chrome SxS - Canary Extension Files — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome SxS\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Extensions` directory of every Chrome SxS / Canary profile, Windows
/// XP profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_EXTENSIONS_4: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_extensions_4",
    name: "Chrome SxS - Canary Extension Files XP",
    meaning: "Chrome SxS - Canary Extension Files XP — collected by KAPE ChromeExtensions target",
    // location: a directory (trailing separator), XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Extensions\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeExtensions.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `File System` directory (HTML5 filesystem storage) of every
/// stable-Chrome profile.
///
/// Emitted from the KAPE `ChromeFileSystem` target; plain directory grab.
pub(crate) static KAPE_FILE_FILE_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_file_system",
    name: "Chrome HTML5 File System Folder",
    meaning: "Chrome HTML5 File System Folder — collected by KAPE ChromeFileSystem target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\File System\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeFileSystem.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `File System` directory (HTML5 filesystem storage) of every Chrome
/// Beta profile.
///
/// Emitted from the KAPE `ChromeFileSystem` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_BETA_HTML5_FI: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_beta_html5_fi",
    name: "Chrome Beta HTML5 File System Folder",
    meaning: "Chrome Beta HTML5 File System Folder — collected by KAPE ChromeFileSystem target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Beta\User Data\*\File System\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeFileSystem.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `File System` directory (HTML5 filesystem storage) of every Chrome
/// Dev profile.
///
/// Emitted from the KAPE `ChromeFileSystem` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_DEV_HTML5_FIL: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_dev_html5_fil",
    name: "Chrome Dev HTML5 File System Folder",
    meaning: "Chrome Dev HTML5 File System Folder — collected by KAPE ChromeFileSystem target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome Dev\User Data\*\File System\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeFileSystem.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `File System` directory (HTML5 filesystem storage) of every Chrome
/// SxS / Canary profile.
///
/// Emitted from the KAPE `ChromeFileSystem` target; plain directory grab.
pub(crate) static KAPE_FILE_CHROME_SXS_CANARY_HT: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_sxs_canary_ht",
    name: "Chrome SxS - Canary HTML5 File System Folder",
    meaning: "Chrome SxS - Canary HTML5 File System Folder — collected by KAPE ChromeFileSystem target",
    // location: a directory (trailing separator)
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome SxS\User Data\*\File System\"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeFileSystem.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Bookmarks*` files of every Chrome SxS profile, Windows XP profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_BOOKMARKS_6: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_bookmarks_6",
    name: "Chrome SxS Bookmarks XP",
    meaning: "Chrome SxS Bookmarks XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Cookies*` files of every Chrome SxS profile, Windows XP profile layout.
///
/// NOTE(review): cookie stores typically hold live session tokens, so the
/// collected copy should be handled as sensitive — that belongs in
/// `evidence_caveats` once the ingest can populate it. `os_scope` is
/// `Win7Plus` although the path is XP-only (generator default); confirm
/// whether `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_COOKIES_6: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_cookies_6",
    name: "Chrome SxS Cookies XP",
    meaning: "Chrome SxS Cookies XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Current Session` file of every Chrome SxS profile, Windows XP
/// profile layout (exact name, no wildcard).
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_CURRENT_SESSION_6: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_current_session_6",
    name: "Chrome SxS Current Session XP",
    meaning: "Chrome SxS Current Session XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Current Tabs` file of every Chrome SxS profile, Windows XP profile
/// layout (exact name, no wildcard).
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_CURRENT_TABS_6: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_current_tabs_6",
    name: "Chrome SxS Current Tabs XP",
    meaning: "Chrome SxS Current Tabs XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Favicons*` files of every Chrome SxS profile, Windows XP profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_FAVICONS_7: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_favicons_7",
    name: "Chrome SxS Favicons XP",
    meaning: "Chrome SxS Favicons XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Favicons*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `History*` files of every Chrome SxS profile, Windows XP profile layout.
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_HISTORY_7: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_history_7",
    name: "Chrome SxS History XP",
    meaning: "Chrome SxS History XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Last Session` file of every Chrome SxS profile, Windows XP profile
/// layout (exact name, no wildcard).
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_LAST_SESSION_5: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_last_session_5",
    name: "Chrome SxS Last Session XP",
    meaning: "Chrome SxS Last Session XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Last Session"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `Last Tabs` file of every Chrome SxS profile, Windows XP profile
/// layout (exact name, no wildcard).
///
/// NOTE(review): `os_scope` is `Win7Plus` although the path is XP-only; the
/// generator seems to default the scope for every entry. Confirm whether
/// `OsScope` can express XP and fix it at the ingest.
pub(crate) static KAPE_FILE_LAST_TABS_5: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_last_tabs_5",
    name: "Chrome SxS Last Tabs XP",
    meaning: "Chrome SxS Last Tabs XP — collected by KAPE ChromeSxS target",
    // location: XP profile root
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome SxS\User Data\*\Last Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    // applicability (see NOTE above)
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // triage metadata
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    // provenance
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome SxS (Canary) `Login Data` (saved-credential store), XP/2003 layout.
///
/// The collected file is credential material: Chrome keeps saved passwords
/// here DPAPI-wrapped, so it should be stored and shared with the same care as
/// a credential dump. NOTE(review): XP-era `Documents and Settings` path but
/// `os_scope` is `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_LOGIN_DATA_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_7",
    name: "Chrome SxS Login Data XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Login Data"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Login Data XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Preferences` JSON, Windows XP/2003 profile layout.
///
/// NOTE(review): XP-era `Documents and Settings` path but `os_scope` is
/// `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_PREFERENCES_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_7",
    name: "Chrome SxS Preferences XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Preferences"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Preferences XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Shortcuts*` (omnibox shortcut DB), XP/2003 layout.
///
/// NOTE(review): XP-era `Documents and Settings` path but `os_scope` is
/// `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_SHORTCUTS_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_7",
    name: "Chrome SxS Shortcuts XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Shortcuts*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Shortcuts XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Top Sites*` database, Windows XP/2003 profile layout.
///
/// NOTE(review): XP-era `Documents and Settings` path but `os_scope` is
/// `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_TOP_SITES_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_7",
    name: "Chrome SxS Top Sites XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Top Sites*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Top Sites XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Visited Links` hash table, XP/2003 profile layout.
///
/// NOTE(review): XP-era `Documents and Settings` path but `os_scope` is
/// `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_VISITED_LINKS_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_7",
    name: "Chrome SxS Visited Links XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Visited Links"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Visited Links XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Web Data*` (autofill / form data), XP/2003 layout.
///
/// May hold autofill entries and saved payment data — treat collected copies
/// as sensitive. NOTE(review): XP-era `Documents and Settings` path but
/// `os_scope` is `Win7Plus`; no XP `OsScope` variant is visible here — confirm.
pub(crate) static KAPE_FILE_WEB_DATA_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_7",
    name: "Chrome SxS Web Data XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome SxS\\User Data\\*\\Web Data*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Web Data XP — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Bookmarks*` JSON for every profile under `User Data`.
pub(crate) static KAPE_FILE_CHROME_SXS_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_bookmarks",
    name: "Chrome SxS Bookmarks",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Bookmarks*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Bookmarks — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Cookies*` database (legacy location directly in the
/// profile folder).
///
/// Cookie values are session-token material: a collected copy can be replayed
/// against live sessions once decrypted, so handle the triage output as
/// credential-equivalent data.
pub(crate) static KAPE_FILE_CHROME_SXS_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_cookies",
    name: "Chrome SxS Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Cookies*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Cookies — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Current Session` file (open-tab/session state).
pub(crate) static KAPE_FILE_CHROME_SXS_CURRENT_S: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_current_s",
    name: "Chrome SxS Current Session",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Current Session"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Current Session — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Current Tabs` file.
pub(crate) static KAPE_FILE_CHROME_SXS_CURRENT_T: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_current_t",
    name: "Chrome SxS Current Tabs",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Current Tabs"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Current Tabs — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `DownloadMetadata` file.
///
/// Download provenance is a common pivot for initial-access triage, which is
/// presumably why this entry is rated `Medium` while most siblings are `Low`.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloadmetadata_6",
    name: "Chrome SxS Download Metadata",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\DownloadMetadata"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Download Metadata — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Extension Cookies*` database.
///
/// Like the main cookie store, this holds token material once decrypted;
/// handle collected copies as credential-equivalent.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_extension_cookies_5",
    name: "Chrome SxS Extension Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Extension Cookies*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Extension Cookies — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Favicons*` database.
pub(crate) static KAPE_FILE_CHROME_SXS_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_favicons",
    name: "Chrome SxS Favicons",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Favicons*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Favicons — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `History*` database (URLs, visits, downloads).
///
/// The `*` suffix also picks up the `-journal` / `-wal` side files, which is
/// what makes an offline copy consistent.
pub(crate) static KAPE_FILE_CHROME_SXS_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_history",
    name: "Chrome SxS History",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\History*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS History — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Last Session` file.
pub(crate) static KAPE_FILE_CHROME_SXS_LAST_SESS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_last_sess",
    name: "Chrome SxS Last Session",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Last Session"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Last Session — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Last Tabs` file.
pub(crate) static KAPE_FILE_CHROME_SXS_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_last_tabs",
    name: "Chrome SxS Last Tabs",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Last Tabs"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Last Tabs — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Sessions\` folder — the trailing separator makes this
/// a directory collection rather than a single-file match.
pub(crate) static KAPE_FILE_SESSIONS_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_6",
    name: "Chrome SxS Sessions Folder",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Sessions\\"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Sessions Folder — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Login Data*` — the saved-password store.
///
/// Passwords are stored DPAPI/OS-crypt wrapped; a collected copy plus the
/// user's DPAPI master keys is enough for offline recovery, so the triage
/// output must be handled as credential material. NOTE(review): `Low`
/// priority for a credential store is debatable — confirm intent.
pub(crate) static KAPE_FILE_CHROME_SXS_LOGIN_DAT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_login_dat",
    name: "Chrome SxS Login Data",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Login Data*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Login Data — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Media History*` database.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_media_history_5",
    name: "Chrome SxS Media History",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Media History*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Media History — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Network Action Predictor*` database (omnibox
/// typed-text predictions — often retains partial URLs even after history
/// clearing, which is its triage value).
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_7",
    name: "Chrome SxS Network Action Predictor",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Network Action Predictor*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Network Action Predictor — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Network Persistent State` at its older location,
/// directly inside the profile folder. Newer builds keep it under a
/// `Network\` subfolder, which a sibling descriptor covers.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_6",
    name: "Chrome SxS Network Persistent State",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Network Persistent State"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Network Persistent State — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
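/// Chrome SxS (Canary) `Network Persistent State` at its newer location,
/// `<profile>\Network\Network Persistent State`.
///
/// FIX: the generated path was `...\*\NetworkNetwork Persistent State` — the
/// KAPE target's `Path` (ending in `Network`) and `FileMask` were joined
/// without a separator, producing a glob that can never match, so this entry
/// silently collected nothing. The `id` keeps its generated form so existing
/// references stay valid; the ingest joiner should be fixed as well or
/// regeneration will reintroduce the bad path.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_networknetwork_persistent_state_4",
    name: "Chrome SxS Network Persistent State",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Network\\Network Persistent State"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Network Persistent State — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};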
/// Chrome SxS (Canary) `Preferences` JSON — profile settings, installed
/// extensions and similar configuration.
pub(crate) static KAPE_FILE_CHROME_SXS_PREFERENC: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_preferenc",
    name: "Chrome SxS Preferences",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Preferences"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Preferences — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `QuotaManager*` database at its older location,
/// directly inside the profile folder.
pub(crate) static KAPE_FILE_QUOTAMANAGER_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_quotamanager_6",
    name: "Chrome SxS Quota Manager",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\QuotaManager*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Quota Manager — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
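/// Chrome SxS (Canary) `QuotaManager*` at its newer location,
/// `<profile>\WebStorage\QuotaManager*`.
///
/// FIX: the generated path was `...\*\WebStorageQuotaManager*` — the KAPE
/// target's `Path` (ending in `WebStorage`) and `FileMask` were joined without
/// a separator, a glob that never matches. The `id` keeps its generated form
/// so existing references stay valid; fix the ingest joiner too, or
/// regeneration will reintroduce the bad path.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_webstoragequotamanager_4",
    name: "Chrome SxS Quota Manager",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\WebStorage\\QuotaManager*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Quota Manager — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};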
/// Chrome SxS (Canary) `Reporting and NEL*` store at its older location,
/// directly inside the profile folder.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_6",
    name: "Chrome SxS Reporting and NEL",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Reporting and NEL*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Reporting and NEL — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
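/// Chrome SxS (Canary) `Reporting and NEL*` at its newer location,
/// `<profile>\Network\Reporting and NEL*`.
///
/// FIX: the generated path was `...\*\NetworkReporting and NEL*` — the KAPE
/// target's `Path` (ending in `Network`) and `FileMask` were joined without a
/// separator, a glob that never matches. The `id` keeps its generated form so
/// existing references stay valid; fix the ingest joiner too, or regeneration
/// will reintroduce the bad path.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_networkreporting_and_nel_4",
    name: "Chrome SxS Reporting and NEL",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Network\\Reporting and NEL*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Reporting and NEL — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};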
/// Chrome SxS (Canary) `Shortcuts*` (omnibox shortcut) database.
pub(crate) static KAPE_FILE_CHROME_SXS_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_shortcuts",
    name: "Chrome SxS Shortcuts",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Shortcuts*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Shortcuts — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Top Sites*` database.
pub(crate) static KAPE_FILE_CHROME_SXS_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_top_sites",
    name: "Chrome SxS Top Sites",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Top Sites*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Top Sites — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Trust Tokens*` store at its older location,
/// directly inside the profile folder.
pub(crate) static KAPE_FILE_TRUST_TOKENS_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_5",
    name: "Chrome SxS Trust Tokens",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Trust Tokens*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Trust Tokens — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
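/// Chrome SxS (Canary) `Trust Tokens*` at its newer location,
/// `<profile>\Network\Trust Tokens*`.
///
/// FIX: the generated path was `...\*\NetworkTrust Tokens*` — the KAPE
/// target's `Path` (ending in `Network`) and `FileMask` were joined without a
/// separator, a glob that never matches. The `id` keeps its generated form so
/// existing references stay valid; fix the ingest joiner too, or regeneration
/// will reintroduce the bad path.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_networktrust_tokens_4",
    name: "Chrome SxS Trust Tokens",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Network\\Trust Tokens*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Trust Tokens — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};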
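/// Chrome SxS (Canary) sync database, `<profile>\Sync Data\SyncData.sqlite3`.
///
/// FIX: the generated path was `...\*\Sync DataSyncData.sqlite3` — the KAPE
/// target's `Path` (ending in `Sync Data`) and `FileMask` were joined without
/// a separator, a path that never matches. The `id` keeps its generated form
/// so existing references stay valid; fix the ingest joiner too, or
/// regeneration will reintroduce the bad path.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sync_datasyncdata_sqlite3_4",
    name: "Chrome SxS SyncData Database",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS SyncData Database — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};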
/// Chrome SxS (Canary) `Visited Links` hash table.
pub(crate) static KAPE_FILE_CHROME_SXS_VISITED_L: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_visited_l",
    name: "Chrome SxS Visited Links",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Visited Links"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Visited Links — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// Chrome SxS (Canary) `Web Data*` (autofill / form data) database.
///
/// May hold autofill entries and saved payment data — treat collected copies
/// as sensitive.
pub(crate) static KAPE_FILE_CHROME_SXS_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_sxs_web_data",
    name: "Chrome SxS Web Data",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Web Data*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SxS Web Data — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
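/// Chrome SxS (Canary) `IndexedDB\` folder (LevelDB stores used by web apps).
///
/// FIX: the `meaning` text carried the literal surrounding quotes from the
/// .tkape comment (`"\"Collects ...\""`), unlike every other entry in this
/// file; the quotes are stripped here. The ingest should trim YAML quoting
/// so regeneration does not reintroduce them. Web-app IndexedDB stores can
/// contain session state and tokens for SPA-style applications — treat
/// collected copies as sensitive.
pub(crate) static KAPE_FILE_INDEXEDDB_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_indexeddb_4",
    name: "Chrome SxS IndexedDB",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\IndexedDB\\"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects IndexedDB (LevelDB) databases used by modern web applications to store data.",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};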
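/// Chrome SxS (Canary) `Local Storage\leveldb\` folder (DOM localStorage).
///
/// FIX: the `meaning` text carried the literal surrounding quotes from the
/// .tkape comment, unlike every other entry in this file; they are stripped
/// here and the ingest should trim YAML quoting so regeneration does not
/// reintroduce them. localStorage frequently holds bearer tokens and session
/// identifiers for web apps — treat collected copies as credential-adjacent.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_storage_leveldb_9",
    name: "Chrome SxS Local Storage",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\Local Storage\\leveldb\\"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};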
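/// The user's DPAPI master-key folder, `%AppData%\Microsoft\Protect\<SID>\`,
/// pulled in by the ChromeSxS target so Chrome's DPAPI-wrapped secrets
/// (saved passwords, cookies) can be decrypted offline.
///
/// SECURITY: this is key material. Together with the `Login Data` / `Cookies`
/// copies in the same triage package it is sufficient — given the user's
/// password or NT hash, or the domain DPAPI backup key — to recover
/// plaintext browser credentials. Store and transfer the collection output
/// as you would a credential dump, and restrict who can read it.
///
/// FIX: the `meaning` text carried the literal surrounding quotes from the
/// .tkape comment, unlike every other entry in this file; they are stripped
/// here and the ingest should trim YAML quoting so regeneration does not
/// reintroduce them. NOTE(review): the name says "Windows Protect Folder"
/// but the id/name do not mention DPAPI — a `related_artifacts` link to the
/// Login Data and Cookies descriptors would make the dependency explicit
/// (left empty here to avoid inventing ids).
pub(crate) static KAPE_FILE_PROTECT_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protect_6",
    name: "Windows Protect Folder",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Required for offline decryption",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};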
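/// Chrome SxS (Canary) `User Data\Snapshots\<version>\` folders — per-version
/// copies of profile databases kept across browser updates. Note the path is
/// under `User Data` directly, not under a profile folder.
///
/// FIX: the `meaning` text carried the literal surrounding quotes from the
/// .tkape comment, unlike every other entry in this file; they are stripped
/// here and the ingest should trim YAML quoting so regeneration does not
/// reintroduce them. These snapshots can preserve History / Login Data that
/// was since cleared from the live profile, so the same credential-handling
/// caveats apply to the collected copies.
pub(crate) static KAPE_FILE_SNAPSHOTS_5: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_snapshots_5",
    name: "Chrome SxS Snapshots Folder",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome SxS\\User Data\\Snapshots\\*\\"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};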
/// Chrome SxS (Canary) `History*` under the SYSTEM account's profile
/// (`system32\config\systemprofile`).
///
/// Browser history in the SYSTEM profile only exists if a browser was run in
/// a SYSTEM context (service, scheduled task, remote-exec tooling); when
/// present it is worth correlating with process/service creation events
/// rather than treating as ordinary user activity.
pub(crate) static KAPE_FILE_SYSTEM_CHROME_SXS_HI: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system_chrome_sxs_hi",
    name: "SYSTEM Chrome SxS History",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*\\History*"),
    // Registry-addressing fields, empty for this File artifact.
    hive: None, key_path: "", value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "SYSTEM Chrome SxS History — collected by KAPE ChromeSxS target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[], fields: &[], related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ChromeSxS.tkape"],
    evidence_strength: None, evidence_caveats: &[],
    volatility: None, volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Bookmarks XP": Chromium `Bookmarks*`
/// files in the legacy `Documents and Settings` profile layout.
// NOTE(review): the path is the pre-Vista profile layout, yet `os_scope` is
// `Win7Plus` — presumably a generator default; confirm the intended variant.
pub(crate) static KAPE_FILE_BOOKMARKS_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarks_7",
    name: "Chromium Bookmarks XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Bookmarks*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Bookmarks XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Cookies XP": Chromium `Cookies*`
/// files in the legacy `Documents and Settings` profile layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — presumably a
// generator default; confirm the intended variant.
pub(crate) static KAPE_FILE_COOKIES_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_7",
    name: "Chromium Cookies XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Cookies*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Cookies carry session material; ranked above the other XP entries.
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium Cookies XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Current Session XP": the
/// `Current Session` file in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_CURRENT_SESSION_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_session_7",
    name: "Chromium Current Session XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Current Session"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Current Session XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Current Tabs XP": the
/// `Current Tabs` file in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_CURRENT_TABS_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_tabs_7",
    name: "Chromium Current Tabs XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Current Tabs"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Current Tabs XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Favicons XP": `Favicons*` files in
/// the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_FAVICONS_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_favicons_8",
    name: "Chromium Favicons XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Favicons*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Favicons XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium History XP": `History*` files in the
/// legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_HISTORY_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_8",
    name: "Chromium History XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\History*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium History XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Last Session XP": the `Last Session`
/// file in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_LAST_SESSION_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_session_6",
    name: "Chromium Last Session XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Last Session"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Last Session XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Last Tabs XP": the `Last Tabs` file
/// in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_LAST_TABS_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_tabs_6",
    name: "Chromium Last Tabs XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Last Tabs"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Last Tabs XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Login Data XP": the `Login Data`
/// file in the legacy `Documents and Settings` layout.
// NOTE(review): `Login Data` is the browser's saved-credential store, so the
// collected copy is itself sensitive evidence; the Low priority here appears to
// be the generator default rather than an assessment — confirm.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_LOGIN_DATA_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_8",
    name: "Chromium Login Data XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Login Data"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Login Data XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Preferences XP": the `Preferences`
/// file in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_PREFERENCES_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_8",
    name: "Chromium Preferences XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Preferences"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Preferences XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Shortcuts XP": `Shortcuts*` files in
/// the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_SHORTCUTS_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_8",
    name: "Chromium Shortcuts XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Shortcuts*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Shortcuts XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Top Sites XP": `Top Sites*` files in
/// the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_TOP_SITES_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_8",
    name: "Chromium Top Sites XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Top Sites*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Top Sites XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Visited Links XP": the
/// `Visited Links` file in the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_VISITED_LINKS_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_8",
    name: "Chromium Visited Links XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Visited Links"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Visited Links XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Web Data XP": `Web Data*` files in
/// the legacy `Documents and Settings` layout.
// NOTE(review): pre-Vista path with `os_scope: Win7Plus` — confirm intent.
pub(crate) static KAPE_FILE_WEB_DATA_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_8",
    name: "Chromium Web Data XP",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Chromium\\User Data\\*\\Web Data*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Web Data XP — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Bookmarks": `Bookmarks*` files under
/// every profile directory (`*`) of the per-user Chromium `User Data` tree.
pub(crate) static KAPE_FILE_CHROMIUM_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_bookmarks",
    name: "Chromium Bookmarks",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Bookmarks*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Bookmarks — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Cookies": `Cookies*` files under
/// every profile directory of the per-user Chromium `User Data` tree.
pub(crate) static KAPE_FILE_CHROMIUM_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_cookies",
    name: "Chromium Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Cookies*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Cookies carry session material; ranked above most sibling entries.
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium Cookies — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Current Session": the
/// `Current Session` file under every profile directory.
// NOTE(review): the static name and `id` look truncated ("..._current_ses");
// longer ids exist elsewhere in this file, so the generator's id derivation
// seems inconsistent. Left as-is: the id is the lookup key for this entry.
pub(crate) static KAPE_FILE_CHROMIUM_CURRENT_SES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_current_ses",
    name: "Chromium Current Session",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Current Session"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Current Session — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Current Tabs": the `Current Tabs`
/// file under every profile directory.
// NOTE(review): static name / `id` look truncated ("..._current_tab"); kept
// as-is since the id is the lookup key.
pub(crate) static KAPE_FILE_CHROMIUM_CURRENT_TAB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_current_tab",
    name: "Chromium Current Tabs",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Current Tabs"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Current Tabs — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Download Metadata": the
/// `DownloadMetadata` file under every profile directory.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloadmetadata_7",
    name: "Chromium Download Metadata",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\DownloadMetadata"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium Download Metadata — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Extension Cookies":
/// `Extension Cookies*` files under every profile directory.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_extension_cookies_6",
    name: "Chromium Extension Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Extension Cookies*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    // Cookie store; ranked with the main `Cookies` entry.
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium Extension Cookies — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Favicons": `Favicons*` files under
/// every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_favicons",
    name: "Chromium Favicons",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Favicons*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Favicons — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium History": `History*` files under
/// every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_history",
    name: "Chromium History",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\History*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium History — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Last Session": the `Last Session`
/// file under every profile directory.
// NOTE(review): static name / `id` look truncated ("..._last_sessio"); kept
// as-is since the id is the lookup key.
pub(crate) static KAPE_FILE_CHROMIUM_LAST_SESSIO: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_last_sessio",
    name: "Chromium Last Session",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Last Session"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Last Session — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Last Tabs": the `Last Tabs` file
/// under every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_last_tabs",
    name: "Chromium Last Tabs",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Last Tabs"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Last Tabs — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Sessions Folder": the `Sessions\`
/// directory under every profile directory.
pub(crate) static KAPE_FILE_SESSIONS_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_7",
    name: "Chromium Sessions Folder",
    artifact_type: ArtifactType::File,
    // Trailing separator: the target collects a directory, not a single file.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Sessions\\"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Sessions Folder — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Login Data": `Login Data*` files
/// under every profile directory.
// NOTE(review): `Login Data` is the browser's saved-credential store, so the
// collected copy is itself sensitive evidence; the Low priority appears to be
// the generator default rather than an assessment — confirm.
pub(crate) static KAPE_FILE_CHROMIUM_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_login_data",
    name: "Chromium Login Data",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Login Data*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Login Data — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Media History": `Media History*`
/// files under every profile directory.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_media_history_6",
    name: "Chromium Media History",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Media History*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    meaning: "Chromium Media History — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Network Action Predictor":
/// `Network Action Predictor*` files under every profile directory.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_8: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_8",
    name: "Chromium Network Action Predictor",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Network Action Predictor*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Network Action Predictor — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Network Persistent State": the
/// `Network Persistent State` file directly under every profile directory
/// (a sibling entry in this file covers the `Network\` subdirectory variant).
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_7",
    name: "Chromium Network Persistent State",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Network Persistent State"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Network Persistent State — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
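/// `Chromium.tkape` target entry "Chromium Network Persistent State": the
/// `Network Persistent State` file inside the `Network\` subdirectory of
/// every profile directory.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_5: ArtifactDescriptor = ArtifactDescriptor {
    // Static name and id keep the generator's (concatenated) spelling: the id
    // is the lookup key for this entry and other code may refer to it.
    id: "kape_file_networknetwork_persistent_state_5",
    name: "Chromium Network Persistent State",
    artifact_type: ArtifactType::File,
    // Fix: the generated value was "...\\*\\NetworkNetwork Persistent State" —
    // the duplicated "Network" token is a directory segment joined to the file
    // name without a separator, which matches nothing on disk. Restored the
    // `\\` between them; the same join must be corrected in the ingest step.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Network\\Network Persistent State"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Network Persistent State — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};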
/// `Chromium.tkape` target entry "Chromium Preferences": the `Preferences`
/// file under every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_preferences",
    name: "Chromium Preferences",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Preferences"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Preferences — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Quota Manager": `QuotaManager*`
/// files directly under every profile directory (a sibling entry covers the
/// `WebStorage\` subdirectory variant).
pub(crate) static KAPE_FILE_QUOTAMANAGER_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_quotamanager_7",
    name: "Chromium Quota Manager",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\QuotaManager*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Quota Manager — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
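/// `Chromium.tkape` target entry "Chromium Quota Manager": `QuotaManager*`
/// files inside the `WebStorage\` subdirectory of every profile directory.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_5: ArtifactDescriptor = ArtifactDescriptor {
    // Static name and id keep the generator's (concatenated) spelling: the id
    // is the lookup key for this entry and other code may refer to it.
    id: "kape_file_webstoragequotamanager_5",
    name: "Chromium Quota Manager",
    artifact_type: ArtifactType::File,
    // Fix: the generated value was "...\\*\\WebStorageQuotaManager*" — a
    // directory segment ("WebStorage") joined to the file mask without a
    // separator, which matches nothing on disk. Restored the `\\`; the same
    // join must be corrected in the ingest step.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\WebStorage\\QuotaManager*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Quota Manager — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};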
/// `Chromium.tkape` target entry "Chromium Reporting and NEL":
/// `Reporting and NEL*` files directly under every profile directory (a
/// sibling entry covers the `Network\` subdirectory variant).
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_7: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_7",
    name: "Chromium Reporting and NEL",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Reporting and NEL*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Reporting and NEL — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
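/// `Chromium.tkape` target entry "Chromium Reporting and NEL":
/// `Reporting and NEL*` files inside the `Network\` subdirectory of every
/// profile directory.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_5: ArtifactDescriptor = ArtifactDescriptor {
    // Static name and id keep the generator's (concatenated) spelling: the id
    // is the lookup key for this entry and other code may refer to it.
    id: "kape_file_networkreporting_and_nel_5",
    name: "Chromium Reporting and NEL",
    artifact_type: ArtifactType::File,
    // Fix: the generated value was "...\\*\\NetworkReporting and NEL*" — a
    // directory segment ("Network") joined to the file mask without a
    // separator, which matches nothing on disk. Restored the `\\`; the same
    // join must be corrected in the ingest step.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Network\\Reporting and NEL*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Reporting and NEL — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};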
/// `Chromium.tkape` target entry "Chromium Shortcuts": `Shortcuts*` files
/// under every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_shortcuts",
    name: "Chromium Shortcuts",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Shortcuts*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Shortcuts — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Top Sites": `Top Sites*` files
/// under every profile directory.
pub(crate) static KAPE_FILE_CHROMIUM_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_top_sites",
    name: "Chromium Top Sites",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Top Sites*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Top Sites — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// `Chromium.tkape` target entry "Chromium Trust Tokens": `Trust Tokens*`
/// files directly under every profile directory (a sibling entry covers the
/// `Network\` subdirectory variant).
pub(crate) static KAPE_FILE_TRUST_TOKENS_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_6",
    name: "Chromium Trust Tokens",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Trust Tokens*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Trust Tokens — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
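/// `Chromium.tkape` target entry "Chromium Trust Tokens": `Trust Tokens*`
/// files inside the `Network\` subdirectory of every profile directory.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_5: ArtifactDescriptor = ArtifactDescriptor {
    // Static name and id keep the generator's (concatenated) spelling: the id
    // is the lookup key for this entry and other code may refer to it.
    id: "kape_file_networktrust_tokens_5",
    name: "Chromium Trust Tokens",
    artifact_type: ArtifactType::File,
    // Fix: the generated value was "...\\*\\NetworkTrust Tokens*" — a directory
    // segment ("Network") joined to the file mask without a separator, which
    // matches nothing on disk. Restored the `\\`; the same join must be
    // corrected in the ingest step.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Network\\Trust Tokens*"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Trust Tokens — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};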
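/// `Chromium.tkape` target entry "Chromium SyncData Database": the
/// `SyncData.sqlite3` file inside the `Sync Data\` subdirectory of every
/// profile directory.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_5: ArtifactDescriptor = ArtifactDescriptor {
    // Static name and id keep the generator's (concatenated) spelling: the id
    // is the lookup key for this entry and other code may refer to it.
    id: "kape_file_sync_datasyncdata_sqlite3_5",
    name: "Chromium SyncData Database",
    artifact_type: ArtifactType::File,
    // Fix: the generated value was "...\\*\\Sync DataSyncData.sqlite3" — a
    // directory segment ("Sync Data") joined to the file name without a
    // separator, which matches nothing on disk. Restored the `\\`; the same
    // join must be corrected in the ingest step.
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium SyncData Database — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};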
/// `Chromium.tkape` target entry "Chromium Visited Links": the `Visited Links`
/// file under every profile directory.
// NOTE(review): static name / `id` look truncated ("..._visited_lin"); kept
// as-is since the id is the lookup key.
pub(crate) static KAPE_FILE_CHROMIUM_VISITED_LIN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chromium_visited_lin",
    name: "Chromium Visited Links",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Visited Links"),
    // File artifact: no registry hive, key or value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    meaning: "Chromium Visited Links — collected by KAPE Chromium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
    // Left empty / None by the generator (no enrichment data for this entry).
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    retention: None,
    volatility: None,
    volatility_rationale: "",
};
/// Chromium `Web Data*` database(s) per profile, as listed by the KAPE `Chromium.tkape` target.
///
/// NOTE(review): `Web Data` is where Chromium keeps autofill/form data — presumably
/// why the glob also catches journal/WAL siblings via the trailing `*`; if it holds
/// user PII, Low priority may understate its evidentiary value — confirm intended.
pub(crate) static KAPE_FILE_CHROMIUM_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_web_data",
name: "Chromium Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also matches `Web Data-journal` style siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Chromium Web Data — collected by KAPE Chromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium per-profile `IndexedDB\` directory, as listed by the KAPE `Chromium.tkape` target.
///
/// Unlike most entries in this file, `meaning` carries the target's own comment
/// text rather than the generic template.
pub(crate) static KAPE_FILE_INDEXEDDB_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_5",
name: "Chromium IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing backslash: the whole directory is collected.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\IndexedDB\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): the string is wrapped in literal `"` characters — looks like a
// YAML-quoting artifact the ingest should strip.
meaning:
"\"Collects IndexedDB (LevelDB) databases used by modern web applications to store data.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium per-profile `Local Storage\leveldb\` directory, as listed by the KAPE
/// `Chromium.tkape` target. `meaning` carries the target's own comment text.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_10",
name: "Chromium Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing backslash: the whole directory is collected.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): literal surrounding `"` characters are embedded in the string —
// presumably a YAML-quoting artifact the ingest should strip.
meaning: "\"Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Microsoft\Protect\` directory, pulled in by the KAPE `Chromium.tkape` target.
///
/// NOTE(review): this is the per-user DPAPI master-key directory (the target's own
/// comment, "Required for offline decryption", points the same way). Two points for
/// the maintainers: (1) a collected copy is key material and should live in an
/// access-controlled evidence store; (2) Low priority looks inconsistent with the
/// entry's stated purpose — confirm intended. The same path is registered again
/// as `KAPE_FILE_PROTECT_8` from the CocCoc target; consumers should expect
/// duplicate `file_path` values across descriptors.
pub(crate) static KAPE_FILE_PROTECT_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_7",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `*` = per-user SID subdirectory; trailing backslash collects the whole tree.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): literal surrounding `"` characters embedded — YAML-quoting artifact?
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium `User Data\Snapshots\<version>\` directories, as listed by the KAPE
/// `Chromium.tkape` target. `meaning` carries the target's own comment text.
pub(crate) static KAPE_FILE_SNAPSHOTS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_6",
name: "Chromium Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Note this sits under `User Data\Snapshots\`, not under a profile directory.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Chromium\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): literal surrounding `"` characters embedded — YAML-quoting artifact?
meaning: "\"Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium `History*` under the SYSTEM account's profile
/// (`C:\Windows\system32\config\systemprofile\...`), from the KAPE `Chromium.tkape` target.
///
/// NOTE(review): browser history under `systemprofile` would mean a browser ran as
/// SYSTEM, which is unusual on a workstation — presumably why this entry is Medium
/// while the per-user Chromium entries in this file are Low.
pub(crate) static KAPE_FILE_SYSTEM_CHROMIUM_HIST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_chromium_hist",
name: "SYSTEM Chromium History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// No `%user%` here: the SYSTEM profile lives under the Windows directory.
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "SYSTEM Chromium History — collected by KAPE Chromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Chromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc browser `Bookmarks*` (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// CocCoc is Chromium-based, so the profile layout mirrors the Chromium entries above.
pub(crate) static KAPE_FILE_BOOKMARKS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_8",
name: "CocCoc Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Per-profile glob; trailing `*` also catches `.bak`-style siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Bookmarks — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Cookies*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Medium priority: cookie stores carry session tokens and so are both evidence of
/// site activity and sensitive material in the collected copy.
pub(crate) static KAPE_FILE_COOKIES_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_8",
name: "CocCoc Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Cookies — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Current Session` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
///
/// NOTE(review): session files are rewritten while the browser runs, so a live
/// collection may catch a partially written file; `volatility` is unpopulated here.
pub(crate) static KAPE_FILE_CURRENT_SESSION_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_8",
name: "CocCoc Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Current Session — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Current Tabs` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Companion to `KAPE_FILE_CURRENT_SESSION_8`; both are live-session state.
pub(crate) static KAPE_FILE_CURRENT_TABS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_8",
name: "CocCoc Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Current Tabs — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `DownloadMetadata` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Medium priority, consistent with the other download/history-type entries in this file.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_8",
name: "CocCoc Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\DownloadMetadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Download Metadata — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Extension Cookies` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Medium priority, matching the main `KAPE_FILE_COOKIES_8` entry.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_7",
name: "CocCoc Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// No trailing `*` here, unlike the Chromium/Edge Beta extension-cookie entries.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Extension Cookies — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Favicons*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
pub(crate) static KAPE_FILE_FAVICONS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_9",
name: "CocCoc Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Favicons — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `History*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Medium priority: browsing history is a primary user-activity timeline source.
pub(crate) static KAPE_FILE_HISTORY_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_9",
name: "CocCoc History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc History — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Last Session` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Previous-session counterpart of `KAPE_FILE_CURRENT_SESSION_8`.
pub(crate) static KAPE_FILE_LAST_SESSION_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_7",
name: "CocCoc Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Last Session — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Last Tabs` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Previous-session counterpart of `KAPE_FILE_CURRENT_TABS_8`.
pub(crate) static KAPE_FILE_LAST_TABS_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_7",
name: "CocCoc Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Last Tabs — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc per-profile `Sessions\` directory, as listed by the KAPE `CocCoc.tkape` target.
/// Newer Chromium-based browsers keep session/tab state here instead of the
/// top-level `Current Session`/`Last Tabs` files, so both layouts are collected.
pub(crate) static KAPE_FILE_SESSIONS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_8",
name: "CocCoc Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing backslash: the whole directory is collected.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Sessions Folder — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Login Data*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
///
/// NOTE(review): `Login Data` is the browser's saved-credential store (secrets are
/// DPAPI-wrapped on Windows). The collected copy should be handled as sensitive
/// evidence, and Low priority looks inconsistent with the Medium given to the
/// CocCoc cookie entries — confirm intended.
pub(crate) static KAPE_FILE_LOGIN_DATA_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_9",
name: "CocCoc Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Login Data — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Media History*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Medium priority, grouped with the other history-type entries.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_7",
name: "CocCoc Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Media History — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Network Action Predictor` database (per profile), as listed by the KAPE
/// `CocCoc.tkape` target. Useful as a secondary record of typed/predicted URLs.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_9",
name: "CocCoc Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Network Action Predictor — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Network Persistent State` file (per profile), as listed by the KAPE
/// `CocCoc.tkape` target.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_8",
name: "CocCoc Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Network Persistent State — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Preferences` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Worth cross-checking during triage: installed extensions and policy-driven
/// settings are recorded here.
pub(crate) static KAPE_FILE_PREFERENCES_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_9",
name: "CocCoc Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Preferences — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `QuotaManager` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
pub(crate) static KAPE_FILE_QUOTAMANAGER_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_8",
name: "CocCoc Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\QuotaManager",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Quota Manager — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Reporting and NEL` database (per profile), as listed by the KAPE `CocCoc.tkape`
/// target. NEL = Network Error Logging; the file records per-origin reporting endpoints.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_8",
name: "CocCoc Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Reporting and NEL — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Shortcuts*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Records omnibox text-to-URL shortcuts, i.e. another trace of what the user typed.
pub(crate) static KAPE_FILE_SHORTCUTS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_9",
name: "CocCoc Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Shortcuts — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Top Sites*` database (per profile), as listed by the KAPE `CocCoc.tkape` target.
pub(crate) static KAPE_FILE_TOP_SITES_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_9",
name: "CocCoc Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Top Sites — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Trust Tokens*` store (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// Compare `KAPE_FILE_NETWORKTRUST_TOKENS_5`: here the file sits directly in the
/// profile root and the glob is well-formed.
pub(crate) static KAPE_FILE_TRUST_TOKENS_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_7",
name: "CocCoc Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Trust Tokens — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Sync Data` (per profile), as listed by the KAPE `CocCoc.tkape` target.
///
/// NOTE(review): the path names the `Sync Data` directory with no trailing backslash
/// and no file mask, whereas the Chromium counterpart (`KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_5`)
/// names a file inside it — confirm which form the ingest intends for directories.
pub(crate) static KAPE_FILE_SYNC_DATA_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_data_3",
name: "CocCoc SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Sync Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc SyncData Database — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Visited Links` file (per profile), as listed by the KAPE `CocCoc.tkape` target.
pub(crate) static KAPE_FILE_VISITED_LINKS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_9",
name: "CocCoc Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Visited Links — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `Web Data*` database(s) (per profile), as listed by the KAPE `CocCoc.tkape` target.
/// See the note on `KAPE_FILE_CHROMIUM_WEB_DATA` — same layout, same caveats.
pub(crate) static KAPE_FILE_WEB_DATA_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_9",
name: "CocCoc Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "CocCoc Web Data — collected by KAPE CocCoc target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Microsoft\Protect\` directory, pulled in by the KAPE `CocCoc.tkape` target.
///
/// NOTE(review): identical path and meaning to `KAPE_FILE_PROTECT_7` (registered
/// from the Chromium target); only the source URL differs. If the registry is
/// keyed by `file_path` downstream, one of the two will shadow the other —
/// consider deduplicating in the ingest and listing both sources on one entry.
/// As with the Chromium entry, the collected directory is DPAPI key material
/// and should be stored access-controlled; Low priority seems at odds with
/// "Required for offline decryption".
pub(crate) static KAPE_FILE_PROTECT_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_8",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `*` = per-user SID subdirectory; trailing backslash collects the whole tree.
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): literal surrounding `"` characters embedded — YAML-quoting artifact?
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CocCoc `User Data\Snapshots\<version>\` directories, as listed by the KAPE
/// `CocCoc.tkape` target. `meaning` carries the target's own comment text.
pub(crate) static KAPE_FILE_SNAPSHOTS_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_7",
name: "CocCoc Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Sits under `User Data\Snapshots\`, not under a profile directory.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CocCoc\\Browser\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): literal surrounding `"` characters embedded — YAML-quoting artifact?
meaning: "\"Grabs folder that appears to have snapshots of CocCoc SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CocCoc.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Whole per-user package directory of legacy (EdgeHTML) Edge, as listed by the KAPE
/// `Edge.tkape` target.
///
/// NOTE(review): `Microsoft.MicrosoftEdge_8wekyb3d8bbwe` is the UWP package of the
/// pre-Chromium Edge, which shipped only on Windows 10; `os_scope: Win7Plus` looks
/// like the file-wide default rather than a real constraint — confirm. Chromium-based
/// Edge is covered by the separate `Edge*Chromium` entries below.
pub(crate) static KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_packages_microsoft_microsoftedge_8wekyb3d8bbwe",
name: "Edge folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing backslash: the entire package directory is collected.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge folder — collected by KAPE Edge target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Edge.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta "Collections" database (per profile), as listed by the KAPE
/// `EdgeBetaChromium.tkape` target.
///
/// NOTE(review): the glob ends in `CollectionscollectionsSQLite*` and the id is
/// `kape_file_collectionscollectionssqlite` — a directory (`Collections`) and a
/// file mask (`collectionsSQLite*`) apparently joined without a separator, the
/// same ingest defect as `KAPE_FILE_NETWORKTRUST_TOKENS_5`. As written the glob
/// matches nothing; fix in the ingest and regenerate.
pub(crate) static KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_collectionscollectionssqlite",
name: "Edge Beta Collections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\CollectionscollectionsSQLite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Collections — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta `Bookmarks*` (per profile), as listed by the KAPE `EdgeBetaChromium.tkape` target.
pub(crate) static KAPE_FILE_BOOKMARKS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_9",
name: "Edge Beta Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches `.bak`-style siblings.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Bookmarks — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta cookie database (per profile), as listed by the KAPE `EdgeBetaChromium.tkape` target.
///
/// NOTE(review): the glob ends in `NetworkCookies*` and the id is
/// `kape_file_networkcookies_2` — a directory (`Network`) and the `Cookies*` mask
/// apparently joined without a separator, the same ingest defect as
/// `KAPE_FILE_NETWORKTRUST_TOKENS_5`. As written the glob matches nothing, which
/// silently drops a Medium-priority artifact; fix in the ingest and regenerate.
pub(crate) static KAPE_FILE_NETWORKCOOKIES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkcookies_2",
name: "Edge Beta Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\NetworkCookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Cookies — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta `Current Session` file (per profile), as listed by the KAPE
/// `EdgeBetaChromium.tkape` target. Live-session state; may be mid-write on a running host.
pub(crate) static KAPE_FILE_CURRENT_SESSION_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_9",
name: "Edge Beta Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Current Session — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta `Current Tabs` file (per profile), as listed by the KAPE
/// `EdgeBetaChromium.tkape` target. Companion to `KAPE_FILE_CURRENT_SESSION_9`.
pub(crate) static KAPE_FILE_CURRENT_TABS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_9",
name: "Edge Beta Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Current Tabs — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta `Extension Cookies*` database (per profile), as listed by the KAPE
/// `EdgeBetaChromium.tkape` target. Medium priority, matching the main cookie entry.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_8",
name: "Edge Beta Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Extension Cookies — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta `Favicons*` database (per profile), as listed by the KAPE
/// `EdgeBetaChromium.tkape` target.
pub(crate) static KAPE_FILE_FAVICONS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_10",
name: "Edge Beta Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Trailing `*` also catches journal/WAL siblings.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// Generic template text from the ingest.
meaning: "Edge Beta Favicons — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `History*` database of Edge Beta.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Browsing history is one of the
/// `Medium` priority entries of this target, alongside cookies and media history.
pub(crate) static KAPE_FILE_HISTORY_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_10",
name: "Edge Beta History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta History — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Last Session` file of Edge Beta
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_LAST_SESSION_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_8",
name: "Edge Beta Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Last Session — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Last Tabs` file of Edge Beta
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_LAST_TABS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_8",
name: "Edge Beta Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Last Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Last Tabs — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: the whole per-profile `Sessions\` folder of
/// Edge Beta (trailing separator — a directory, not a single file).
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_SESSIONS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_9",
name: "Edge Beta Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Sessions Folder — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Login Data*` database of Edge Beta —
/// the browser's saved-credential store. Raw file copy (`Decoder::Identity`); no parsed `fields`.
/// NOTE(review): this is `Low` while cookies/history in the same target are `Medium`; a
/// credential store is at least as sensitive for both triage value and evidence handling.
/// The same target ships `KAPE_FILE_PROTECT_9` ("Required for offline DPAPI decryption"),
/// which is the companion artifact for this one — consider linking it via `related_artifacts`.
pub(crate) static KAPE_FILE_LOGIN_DATA_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_10",
name: "Edge Beta Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Login Data — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Media History*` database of Edge Beta.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Rated `Medium` like `History*`.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_8",
name: "Edge Beta Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Media History — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Network Action Predictor*` database
/// of Edge Beta. Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_10",
name: "Edge Beta Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Network Action Predictor — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Network Persistent State` file of
/// Edge Beta, directly under the profile directory. A second descriptor with the same
/// `name` (`KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6`) covers a differently-joined path.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_9",
name: "Edge Beta Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Network Persistent State — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry for Network Persistent State (second variant).
/// NOTE(review): the path ends in `NetworkNetwork Persistent State`, which matches no real
/// file name and duplicates the `name` of `KAPE_FILE_NETWORK_PERSISTENT_STATE_9`. This looks
/// like the separator between a `Network` sub-folder and the file mask was dropped when the
/// ingest joined the tkape Path and FileMask — verify against the source tkape and fix it in
/// the ingest, since this file is regenerated. As written the glob will never match.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_6",
name: "Edge Beta Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\NetworkNetwork Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Network Persistent State — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Preferences` file of Edge Beta
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_PREFERENCES_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_10",
name: "Edge Beta Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Preferences — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `QuotaManager*` database of Edge Beta,
/// directly under the profile directory. `KAPE_FILE_WEBSTORAGEQUOTAMANAGER_6` carries the
/// same `name` for a second, differently-joined path.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_QUOTAMANAGER_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_9",
name: "Edge Beta Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Quota Manager — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry for the Quota Manager database (second variant).
/// NOTE(review): the glob `WebStorageQuotaManager*` looks like a `WebStorage` sub-folder and
/// the `QuotaManager*` mask joined without a separator by the ingest — verify against the
/// source tkape and fix it in the ingest (this file is regenerated). As written it matches
/// only a file literally named `WebStorageQuotaManager…` in the profile root.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager_6",
name: "Edge Beta Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\WebStorageQuotaManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Quota Manager — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Reporting and NEL*` database of
/// Edge Beta, directly under the profile directory (`KAPE_FILE_NETWORKREPORTING_AND_NEL_6`
/// is the second variant). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_9",
name: "Edge Beta Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Reporting and NEL — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry for the Reporting and NEL database (second variant).
/// NOTE(review): `NetworkReporting and NEL*` has the same dropped-separator shape as
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6` (a `Network` sub-folder fused with the file
/// mask) — verify against the source tkape and fix it in the ingest, not here.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel_6",
name: "Edge Beta Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\NetworkReporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Reporting and NEL — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Shortcuts*` database of Edge Beta.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_SHORTCUTS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_10",
name: "Edge Beta Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Shortcuts — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Top Sites*` database of Edge Beta.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_TOP_SITES_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_10",
name: "Edge Beta Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Top Sites — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Trust Tokens*` database of Edge Beta,
/// directly under the profile directory (`KAPE_FILE_NETWORKTRUST_TOKENS_6` is the second
/// variant). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_TRUST_TOKENS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_8",
name: "Edge Beta Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Trust Tokens — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry for the Trust Tokens database (second variant).
/// NOTE(review): `NetworkTrust Tokens*` has the same dropped-separator shape as
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6` — verify against the source tkape and
/// fix it in the ingest, not here (this file is regenerated).
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networktrust_tokens_6",
name: "Edge Beta Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\NetworkTrust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Trust Tokens — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry for the Edge Beta sync database.
/// NOTE(review): `Sync DataSyncData.sqlite3` reads as a `Sync Data` sub-folder fused with
/// the `SyncData.sqlite3` file name (no separator) — same ingest join issue as the
/// `NetworkNetwork…` entries; verify against the source tkape and fix in the ingest.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_6",
name: "Edge Beta SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Sync DataSyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta SyncData Database — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Visited Links` file of Edge Beta
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_VISITED_LINKS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_10",
name: "Edge Beta Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Visited Links — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeBetaChromium` target entry: per-profile `Web Data*` database of Edge Beta
/// (autofill / form data store). Raw file copy (`Decoder::Identity`); no parsed `fields`.
/// Like `Login Data`, this holds user-entered personal data and warrants careful evidence handling.
pub(crate) static KAPE_FILE_WEB_DATA_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_10",
name: "Edge Beta Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Web Data — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
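/// KAPE `EdgeBetaChromium` target entry: the whole per-profile `IndexedDB\` folder of
/// Edge Beta (trailing separator — a directory). Raw file copy (`Decoder::Identity`);
/// no parsed `fields`.
/// The `meaning` text is the tkape Comment; the literal quote characters that wrapped it
/// (`"\"Collects …\""`) were ingest residue and have been stripped so the user-facing
/// string reads like the other entries. The ingest's Comment normaliser should do the
/// same, or regeneration will reintroduce them.
pub(crate) static KAPE_FILE_INDEXEDDB_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_6",
name: "Edge Beta IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\IndexedDB\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Collects IndexedDB (LevelDB) databases used by modern web applications to store data.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};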
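/// KAPE `EdgeBetaChromium` target entry: the per-profile `Local Storage\leveldb\` folder
/// of Edge Beta (trailing separator — a directory). Raw file copy (`Decoder::Identity`);
/// no parsed `fields`.
/// The `meaning` text is the tkape Comment; the literal quote characters that wrapped it
/// were ingest residue and have been stripped (the ingest normaliser should do the same).
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_11",
name: "Edge Beta Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};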
/// KAPE `EdgeBetaChromium` target entry: per-profile `WebAssistDatabase*` files of Edge Beta.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Unlike most entries in this
/// block its `id` carries no numeric suffix, i.e. the ingest saw this name only once.
pub(crate) static KAPE_FILE_WEBASSISTDATABASE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webassistdatabase",
name: "Edge Beta WebAssistDatabase",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\WebAssistDatabase*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta WebAssistDatabase — collected by KAPE EdgeBetaChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
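/// KAPE `EdgeBetaChromium` target entry: the user's `%AppData%\Roaming\Microsoft\Protect\*\`
/// folders. The tkape comment says it is collected because it is required for offline
/// DPAPI decryption of the browser's protected data (e.g. the `Login Data` and cookie
/// stores in the same target). Raw file copy (`Decoder::Identity`); no parsed `fields`.
/// Evidence-handling caveat: a collected copy is key material for the user's DPAPI-protected
/// secrets — store and share it with the same care as the credentials it unlocks.
/// NOTE(review): `Low` priority and an empty `related_artifacts` undersell this entry;
/// linking it to the `Login Data` descriptors of this target would help triage.
/// The literal quote characters that wrapped `meaning` were ingest residue and have been
/// stripped (the ingest normaliser should do the same).
pub(crate) static KAPE_FILE_PROTECT_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_9",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Required for offline DPAPI decryption",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};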
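/// KAPE `EdgeBetaChromium` target entry: the `User Data\Snapshots\*\` folders of Edge Beta
/// (note: under `User Data` directly, not under a profile). The tkape comment describes
/// them as per-version snapshots of the browser's SQLite databases, which can preserve
/// history/cookie state that the live profile has since rotated — worth checking when the
/// current databases look sparse. Raw file copy (`Decoder::Identity`); no parsed `fields`.
/// The literal quote characters that wrapped `meaning` were ingest residue and have been
/// stripped (the ingest normaliser should do the same).
pub(crate) static KAPE_FILE_SNAPSHOTS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_8",
name: "Edge Beta Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeBetaChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};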
/// KAPE `EdgeChromium` target entry (stable Edge, not Beta): the Edge Collections database.
/// NOTE(review): `CollectionscollectionsSQLite*` reads as a `Collections` sub-folder fused
/// with the `collectionsSQLite*` mask (no separator) — same ingest join issue as the
/// `NetworkNetwork…` entries above; verify against the source tkape and fix in the ingest.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_collectionscollectionssqlite_2",
name: "Edge Collections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\CollectionscollectionsSQLite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Collections — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Bookmarks*` files of stable Edge.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_BOOKMARKS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_10",
name: "Edge Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Bookmarks — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: the stable-Edge cookie store, rated `Medium`.
/// NOTE(review): `NetworkCookies*` has the dropped-separator shape seen in the
/// `NetworkNetwork…` entries (a `Network` sub-folder fused with the `Cookies*` mask) —
/// verify against the source tkape and fix in the ingest; as written the glob is unlikely
/// to match the real cookie database, which silently loses a `Medium`-priority artifact.
/// Cookie stores hold live session tokens; treat collected copies as sensitive evidence.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_NETWORKCOOKIES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkcookies_3",
name: "Edge Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\NetworkCookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Cookies — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Current Session` file of stable Edge
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_CURRENT_SESSION_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_10",
name: "Edge Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Current Session — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Current Tabs` file of stable Edge
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_CURRENT_TABS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_10",
name: "Edge Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Current Tabs — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Extension Cookies*` files of stable Edge.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Cookie stores carry live session
/// tokens, so the collected copy should be handled as sensitive evidence (hence `Medium`).
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_9",
name: "Edge Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Extension Cookies — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Favicons*` files of stable Edge.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_FAVICONS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_11",
name: "Edge Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Favicons — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `History*` database of stable Edge.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Rated `Medium` like the
/// cookie and media-history entries of this target.
pub(crate) static KAPE_FILE_HISTORY_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_11",
name: "Edge History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge History — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Last Session` file of stable Edge
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_LAST_SESSION_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_9",
name: "Edge Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Last Session — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Last Tabs` file of stable Edge
/// (exact file name, no glob). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_LAST_TABS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_9",
name: "Edge Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Last Tabs — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: the whole per-profile `Sessions\` folder of stable Edge
/// (trailing separator — a directory). Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_SESSIONS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_10",
name: "Edge Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Sessions Folder — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Login Data*` database of stable Edge —
/// the browser's saved-credential store. Raw file copy (`Decoder::Identity`); no parsed `fields`.
/// NOTE(review): `Low` here while cookies/history of the same target are `Medium`; a
/// credential store deserves at least the same triage priority and evidence-handling care.
/// Consider linking the DPAPI `Protect` folder descriptor via `related_artifacts`, as its
/// tkape comment says it is required to decrypt this kind of data offline.
pub(crate) static KAPE_FILE_LOGIN_DATA_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_11",
name: "Edge Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Login Data — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Media History*` database of stable Edge.
/// Raw file copy (`Decoder::Identity`); no parsed `fields`. Rated `Medium` like `History*`.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_9",
name: "Edge Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Media History — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EdgeChromium` target entry: per-profile `Network Action Predictor*` database of
/// stable Edge. Raw file copy (`Decoder::Identity`); no parsed `fields`.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_11",
name: "Edge Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Network Action Predictor — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge (stable) `Network Persistent State` at the profile root (no wildcard:
/// exact filename). Collected by the KAPE EdgeChromium target. A sibling
/// descriptor with the same `name` covers the `Network\` sub-directory that
/// newer Chromium builds use for this file; keep both so either layout is
/// collected.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_10",
name: "Edge Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Network Persistent State — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
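/// Edge (stable) `Network Persistent State` in the profile's `Network\`
/// sub-directory (the location newer Chromium builds use). Collected by the
/// KAPE EdgeChromium target.
///
/// FIX: the generated path read `...\*\NetworkNetwork Persistent State` — the
/// ingest joined the target's `Path` (ending in `\Network`) and `FileMask`
/// without a separator, so the glob could never match a real file. The
/// separator is restored here; the `id`/static name (which carry the same
/// fused `networknetwork` token) are kept so existing references keep
/// resolving. Fix the Path/FileMask join in `ingest` and regenerate.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_7",
name: "Edge Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Network Persistent State — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};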
/// Edge (stable) `Preferences` at the profile root (exact filename, JSON).
/// Collected by the KAPE EdgeChromium target.
///
/// NOTE(review): the preferences file is where Chromium records per-profile
/// settings including installed-extension state; worth reviewing alongside the
/// `Extensions\` descriptor when extension abuse is suspected — confirm the
/// relevant keys against the browser version in scope.
pub(crate) static KAPE_FILE_PREFERENCES_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_11",
name: "Edge Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Preferences — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge (stable) `QuotaManager*` at the profile root — storage-quota
/// bookkeeping database. Collected by the KAPE EdgeChromium target. A sibling
/// descriptor with the same `name` covers the `WebStorage\` sub-directory
/// newer Chromium builds use for this file.
pub(crate) static KAPE_FILE_QUOTAMANAGER_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_10",
name: "Edge Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Quota Manager — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
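/// Edge (stable) `QuotaManager*` in the profile's `WebStorage\` sub-directory
/// (the location newer Chromium builds use). Collected by the KAPE
/// EdgeChromium target.
///
/// FIX: the generated path read `...\*\WebStorageQuotaManager*` — the ingest
/// joined the target's `Path` (ending in `\WebStorage`) and `FileMask` without
/// a separator, so the glob matched nothing. Separator restored; `id`/static
/// name (which carry the fused `webstoragequotamanager` token) are kept so
/// existing references keep resolving. Fix the Path/FileMask join in `ingest`
/// and regenerate.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager_7",
name: "Edge Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\WebStorage\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Quota Manager — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};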
/// Edge (stable) `Reporting and NEL*` at the profile root — the Reporting API /
/// Network Error Logging cache. Collected by the KAPE EdgeChromium target. A
/// sibling descriptor with the same `name` covers the `Network\` sub-directory
/// newer Chromium builds use for this file.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_10",
name: "Edge Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Reporting and NEL — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
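/// Edge (stable) `Reporting and NEL*` in the profile's `Network\`
/// sub-directory (the location newer Chromium builds use). Collected by the
/// KAPE EdgeChromium target.
///
/// FIX: the generated path read `...\*\NetworkReporting and NEL*` — the ingest
/// joined the target's `Path` (ending in `\Network`) and `FileMask` without a
/// separator, so the glob matched nothing. Separator restored; `id`/static
/// name are kept so existing references keep resolving. Fix the Path/FileMask
/// join in `ingest` and regenerate.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel_7",
name: "Edge Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network\\Reporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Reporting and NEL — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};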
/// Edge (stable) `Shortcuts*` at the profile root — the omnibox shortcuts
/// database. Collected by the KAPE EdgeChromium target.
///
/// NOTE(review): like Network Action Predictor, this file pairs typed omnibox
/// text with destination URLs and can corroborate user intent — confirm with a
/// parser before citing it as evidence.
pub(crate) static KAPE_FILE_SHORTCUTS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_11",
name: "Edge Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Shortcuts — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge (stable) `Top Sites*` at the profile root — the new-tab-page
/// "top sites" database. Collected by the KAPE EdgeChromium target. Low
/// priority: it summarises frequently visited URLs rather than recording
/// individual visits, so `History` is the primary source.
pub(crate) static KAPE_FILE_TOP_SITES_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_11",
name: "Edge Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Top Sites — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge (stable) `Trust Tokens*` at the profile root — the Privacy Sandbox
/// trust-token store. Collected by the KAPE EdgeChromium target. A sibling
/// descriptor with the same `name` covers the `Network\` sub-directory newer
/// Chromium builds use for this file. Low forensic value in most cases.
pub(crate) static KAPE_FILE_TRUST_TOKENS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_9",
name: "Edge Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Trust Tokens — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
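/// Edge (stable) `Trust Tokens*` in the profile's `Network\` sub-directory
/// (the location newer Chromium builds use). Collected by the KAPE
/// EdgeChromium target.
///
/// FIX: the generated path read `...\*\NetworkTrust Tokens*` — the ingest
/// joined the target's `Path` (ending in `\Network`) and `FileMask` without a
/// separator, so the glob matched nothing. Separator restored; `id`/static
/// name are kept so existing references keep resolving. Fix the Path/FileMask
/// join in `ingest` and regenerate.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networktrust_tokens_7",
name: "Edge Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Trust Tokens — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};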
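/// Edge (stable) `SyncData.sqlite3` in the profile's `Sync Data\`
/// sub-directory — the browser-sync local database. Collected by the KAPE
/// EdgeChromium target.
///
/// FIX: the generated path read `...\*\Sync DataSyncData.sqlite3` — the ingest
/// joined the target's `Path` (ending in `\Sync Data`) and `FileMask` without
/// a separator, so the exact-name match could never succeed. Separator
/// restored; `id`/static name are kept so existing references keep resolving.
/// Fix the Path/FileMask join in `ingest` and regenerate.
///
/// NOTE(review): sync data can reflect activity from the user's *other*
/// synced devices, not only this host — attribute entries with care.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_7",
name: "Edge SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SyncData Database — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};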
/// Edge (stable) `Visited Links` at the profile root (exact filename).
/// Collected by the KAPE EdgeChromium target.
///
/// NOTE(review): this file holds salted hashes of visited URLs (used for
/// `:visited` styling), not the URLs themselves — it can confirm a candidate
/// URL was visited but cannot enumerate history. Confirm the hashing scheme for
/// the browser version before attempting lookups.
pub(crate) static KAPE_FILE_VISITED_LINKS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_11",
name: "Edge Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Visited Links — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge (stable) `Web Data*` at the profile root — Chromium's autofill /
/// search-engine database. Collected by the KAPE EdgeChromium target.
///
/// NOTE(review): autofill form data is stored in clear but payment-card
/// numbers are encrypted the same way as Login Data values; offline decryption
/// needs the DPAPI material collected via the `Microsoft\Protect` descriptor.
/// Treat the collected file as containing PII.
pub(crate) static KAPE_FILE_WEB_DATA_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_11",
name: "Edge Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Web Data — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
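/// Edge (stable) `IndexedDB\` directory under each profile — per-origin
/// LevelDB databases written by web applications. Collected by the KAPE
/// EdgeChromium target.
///
/// FIX: `meaning` was emitted with the YAML `Comment:` quotes embedded in the
/// string (`"\"Collects ...\""`), unlike every other descriptor in this file;
/// the literal quotes are dropped. The ingest should strip them at source.
///
/// NOTE(review): web apps (including webmail and chat clients) persist
/// application state here, so this directory may contain session material and
/// message content — treat the collected copy as sensitive.
pub(crate) static KAPE_FILE_INDEXEDDB_7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_7",
name: "Edge IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\IndexedDB\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Collects IndexedDB (LevelDB) databases used by modern web applications to store data.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};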
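/// Edge (stable) `Local Storage\leveldb\` directory under each profile —
/// the DOM `localStorage` backing store. Collected by the KAPE EdgeChromium
/// target.
///
/// FIX: `meaning` was emitted with the YAML `Comment:` quotes embedded in the
/// string (`"\"Collects ...\""`), unlike every other descriptor in this file;
/// the literal quotes are dropped. The ingest should strip them at source.
///
/// NOTE(review): sites routinely keep auth tokens in `localStorage`; the
/// collected copy can contain live credentials — handle accordingly.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_12",
name: "Edge Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};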
/// Edge (stable) `WebAssistDatabase*` at the profile root — an Edge-specific
/// database not present in upstream Chromium. Collected by the KAPE
/// EdgeChromium target.
///
/// NOTE(review): contents are not documented in the target; do not assign
/// evidentiary weight until a parser or Microsoft documentation confirms what
/// it records.
pub(crate) static KAPE_FILE_WEBASSISTDATABASE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webassistdatabase_2",
name: "Edge WebAssistDatabase",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\WebAssistDatabase*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge WebAssistDatabase — collected by KAPE EdgeChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
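/// `%AppData%\Microsoft\Protect\<SID>\` — the user's DPAPI master-key files.
/// Pulled in by the KAPE EdgeChromium target because, per the target comment,
/// it is "Required for offline DPAPI decryption" of the browser's encrypted
/// values (Login Data, Web Data, Cookies).
///
/// FIX: `meaning` was emitted with the YAML `Comment:` quotes embedded in the
/// string (`"\"Required ...\""`), unlike every other descriptor in this file;
/// the literal quotes are dropped. The ingest should strip them at source.
///
/// SECURITY: with the user's password or NT hash (or the domain backup key),
/// these master keys unlock every DPAPI secret of that user, not just browser
/// data. The collected evidence package must therefore be stored and shared
/// with the same controls as credential material. Low triage priority is
/// correct — this is decryption input, not an activity artifact.
pub(crate) static KAPE_FILE_PROTECT_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_10",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Required for offline DPAPI decryption",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};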
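/// Edge (stable) `User Data\Snapshots\<version>\` — copies of the profile
/// databases that Edge keeps per previous browser version (note: under
/// `User Data`, not under a profile folder). Collected by the KAPE EdgeChromium
/// target.
///
/// FIX: `meaning` was emitted with the YAML `Comment:` quotes embedded in the
/// string (`"\"Grabs folder ...\""`), unlike every other descriptor in this
/// file; the literal quotes are dropped. The ingest should strip them at
/// source.
///
/// NOTE(review): snapshots are a useful fallback when the live `History` /
/// `Login Data` have been cleared, but they are stale by design — timestamp
/// findings against the snapshot's version folder, not the live profile.
pub(crate) static KAPE_FILE_SNAPSHOTS_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_9",
name: "Edge Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};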
/// Edge (stable) `Extensions\` directory under each profile — the unpacked
/// code of every installed extension, keyed by extension id. Collected by the
/// KAPE EdgeChromiumExtensions target (a separate target from EdgeChromium).
///
/// NOTE(review): review `manifest.json` permissions and any obfuscated JS for
/// extensions not in the org's allow-list; side-loaded or policy-forced
/// extensions are a common persistence/credential-theft vector. The installed
/// set is also recorded in the profile's `Preferences` file.
pub(crate) static KAPE_FILE_EXTENSIONS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extensions_5",
name: "Edge Chromium Extension Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Extensions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Chromium Extension Files — collected by KAPE EdgeChromiumExtensions target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromiumExtensions.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge **Beta** channel `Extensions\` directory under each profile (the Beta
/// channel installs to its own `Edge Beta\User Data` tree). Collected by the
/// KAPE EdgeChromiumExtensions target. Same review guidance as the stable
/// channel's extension descriptor.
///
/// NOTE(review): the static name is truncated (`_E`) by the generator's
/// identifier-length cap; the `id` is truncated the same way — fine as long as
/// it stays unique within the table.
pub(crate) static KAPE_FILE_EDGE_BETA_CHROMIUM_E: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_beta_chromium_e",
name: "Edge Beta Chromium Extension Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\Extensions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Chromium Extension Files — collected by KAPE EdgeChromiumExtensions target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromiumExtensions.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge **Dev** channel `Extensions\` directory under each profile (the Dev
/// channel installs to its own `Edge Dev\User Data` tree). Collected by the
/// KAPE EdgeChromiumExtensions target. Same review guidance as the stable
/// channel's extension descriptor.
///
/// NOTE(review): static name / `id` are truncated (`_EX`) by the generator's
/// identifier-length cap; acceptable while unique.
pub(crate) static KAPE_FILE_EDGE_DEV_CHROMIUM_EX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_dev_chromium_ex",
name: "Edge Dev Chromium Extension Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Extensions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Chromium Extension Files — collected by KAPE EdgeChromiumExtensions target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromiumExtensions.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge **Canary** channel (`Edge SxS`, "side-by-side") `Extensions\`
/// directory under each profile. Collected by the KAPE EdgeChromiumExtensions
/// target. Same review guidance as the stable channel's extension descriptor.
///
/// NOTE(review): static name / `id` are truncated (`_CHRO`) by the
/// generator's identifier-length cap; acceptable while unique.
pub(crate) static KAPE_FILE_EDGE_SXS_CANARY_CHRO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_sxs_canary_chro",
name: "Edge SxS - Canary Chromium Extension Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Extensions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS - Canary Chromium Extension Files — collected by KAPE EdgeChromiumExtensions target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeChromiumExtensions.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
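/// Edge Dev `collectionsSQLite*` in the profile's `Collections\`
/// sub-directory — the Edge "Collections" feature database. Collected by the
/// KAPE EdgeDevChromium target.
///
/// FIX: the generated path read `...\*\CollectionscollectionsSQLite*` — the
/// ingest joined the target's `Path` (ending in `\Collections`) and `FileMask`
/// without a separator, so the glob matched nothing. Separator restored;
/// `id`/static name (which carry the fused token) are kept so existing
/// references keep resolving. Fix the Path/FileMask join in `ingest` and
/// regenerate.
pub(crate) static KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_collectionscollectionssqlite_3",
name: "Edge Dev Collections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Collections\\collectionsSQLite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Collections — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};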
/// Edge Dev `Bookmarks*` at the profile root — the JSON bookmarks file; the
/// trailing `*` also catches the `Bookmarks.bak` backup, which may retain
/// entries the user has since deleted. Collected by the KAPE EdgeDevChromium
/// target.
pub(crate) static KAPE_FILE_BOOKMARKS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_11",
name: "Edge Dev Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Bookmarks — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
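/// Edge Dev `Cookies*` in the profile's `Network\` sub-directory (the
/// location newer Chromium builds use). Collected by the KAPE EdgeDevChromium
/// target.
///
/// FIX: the generated path read `...\*\NetworkCookies*` — the ingest joined
/// the target's `Path` (ending in `\Network`) and `FileMask` without a
/// separator, so the glob matched nothing and no cookies were collected for
/// this layout. Separator restored; `id`/static name are kept so existing
/// references keep resolving. Fix the Path/FileMask join in `ingest` and
/// regenerate.
///
/// NOTE(review): cookie values are encrypted like Login Data values and need
/// the user's DPAPI material to decrypt offline; once decrypted they are live
/// session tokens — handle the collected copy as credential material.
pub(crate) static KAPE_FILE_NETWORKCOOKIES_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkcookies_4",
name: "Edge Dev Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Cookies — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};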
/// Edge Dev `Current Session` at the profile root (exact filename) — the
/// legacy session-restore file for the running session. Collected by the KAPE
/// EdgeDevChromium target.
///
/// NOTE(review): this file is rewritten while the browser is open, so a live
/// collection may capture a partial or in-flux copy; newer builds write to the
/// `Sessions\` folder instead (see the sibling descriptor) and may leave this
/// file absent or stale.
pub(crate) static KAPE_FILE_CURRENT_SESSION_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_11",
name: "Edge Dev Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Current Session — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Current Tabs` at the profile root (exact filename) — legacy
/// per-tab navigation state for the running session. Collected by the KAPE
/// EdgeDevChromium target. Same live-collection and newer-layout caveats as
/// `Current Session`.
pub(crate) static KAPE_FILE_CURRENT_TABS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_11",
name: "Edge Dev Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Current Tabs — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Extension Cookies*` at the profile root — the cookie jar used by
/// extensions' background contexts. Collected by the KAPE EdgeDevChromium
/// target. Medium priority, consistent with the profile cookie store.
///
/// NOTE(review): values are encrypted like regular cookies and need DPAPI
/// material to decrypt offline; entries here can reveal which services an
/// extension (possibly malicious) authenticated to.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_10",
name: "Edge Dev Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Extension Cookies — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Favicons*` at the profile root — the favicon cache database.
/// Collected by the KAPE EdgeDevChromium target. Low priority on its own, but
/// the URL→icon mapping can corroborate a visit to a site whose `History`
/// entry was removed.
pub(crate) static KAPE_FILE_FAVICONS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_12",
name: "Edge Dev Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Favicons — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `History*` at the profile root — the primary browsing-history
/// database (URLs, visits, downloads, keyword searches). Collected by the KAPE
/// EdgeDevChromium target; Medium priority. The trailing `*` also collects the
/// `History-journal` file, which can hold the most recent uncommitted writes.
///
/// NOTE(review): a user-initiated "clear browsing data" empties this file but
/// not necessarily `Favicons`, `Network Action Predictor`, `Shortcuts` or the
/// `Snapshots` copies — check those when History looks suspiciously empty.
pub(crate) static KAPE_FILE_HISTORY_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_12",
name: "Edge Dev History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev History — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Last Session` at the profile root (exact filename) — the legacy
/// session-restore snapshot of the previous browser session. Collected by the
/// KAPE EdgeDevChromium target. Newer builds keep this state in the `Sessions\`
/// folder instead (see the sibling descriptor).
pub(crate) static KAPE_FILE_LAST_SESSION_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_10",
name: "Edge Dev Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Last Session — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Last Tabs` at the profile root (exact filename) — legacy per-tab
/// state of the previous browser session. Collected by the KAPE
/// EdgeDevChromium target. Same newer-layout caveat as `Last Session`.
pub(crate) static KAPE_FILE_LAST_TABS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_10",
name: "Edge Dev Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Last Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Last Tabs — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Sessions\` directory under each profile — the session-restore
/// files (`Session_*`, `Tabs_*`) newer Chromium builds write instead of the
/// root-level `Current/Last Session|Tabs` files. Collected by the KAPE
/// EdgeDevChromium target.
///
/// NOTE(review): these are SNSS-format files, not SQLite; they can contain
/// open-tab URLs, titles and form state at the time of the snapshot.
pub(crate) static KAPE_FILE_SESSIONS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_11",
name: "Edge Dev Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Sessions Folder — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Login Data*` under each profile — the saved-login database for
/// the Dev channel. Collected by the KAPE EdgeDevChromium target.
///
/// NOTE(review): password values are encrypted; offline decryption needs the
/// user's DPAPI master keys (`Microsoft\Protect`), which this target does not
/// appear to pull in the way EdgeChromium does — confirm the target's
/// dependencies before promising decryption.
/// NOTE(review): Low priority while Cookies/History in the same family are
/// Medium — a credential store is at least as triage-relevant.
pub(crate) static KAPE_FILE_LOGIN_DATA_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_12",
name: "Edge Dev Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Login Data — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Media History*` under each profile — the media-playback
/// database. Collected by the KAPE EdgeDevChromium target; Medium priority,
/// mirroring the stable-channel descriptor.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_10",
name: "Edge Dev Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Media History — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Network Action Predictor*` at the profile root. Collected by the
/// KAPE EdgeDevChromium target.
///
/// NOTE(review): records omnibox text typed by the user alongside the URL it
/// resolved to, so it can corroborate or outlive `History` — confirm with a
/// parser before relying on it.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_12",
name: "Edge Dev Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Network Action Predictor — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev `Network Persistent State` at the profile root (exact filename).
/// Collected by the KAPE EdgeDevChromium target. A sibling descriptor with the
/// same `name` covers the `Network\` sub-directory newer Chromium builds use
/// for this file.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_11",
name: "Edge Dev Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Network Persistent State — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
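/// Edge Dev `Network Persistent State` in the profile's `Network\`
/// sub-directory (the location newer Chromium builds use). Collected by the
/// KAPE EdgeDevChromium target.
///
/// FIX: the generated path read `...\*\NetworkNetwork Persistent State` — the
/// ingest joined the target's `Path` (ending in `\Network`) and `FileMask`
/// without a separator, so the exact-name match could never succeed. Separator
/// restored; `id`/static name (which carry the fused `networknetwork` token)
/// are kept so existing references keep resolving. Fix the Path/FileMask join
/// in `ingest` and regenerate.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_8",
name: "Edge Dev Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Network Persistent State — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};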
/// Edge Dev profile `Preferences` file, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_PREFERENCES_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_12",
name: "Edge Dev Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Preferences — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev profile-root `QuotaManager*` files, collected by the KAPE `EdgeDevChromium` target.
/// `KAPE_FILE_WEBSTORAGEQUOTAMANAGER_8` is the companion descriptor for the other location.
pub(crate) static KAPE_FILE_QUOTAMANAGER_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_11",
name: "Edge Dev Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Quota Manager — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
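/// Edge Dev profile `WebStorage\QuotaManager*` files, collected by the KAPE `EdgeDevChromium` target.
/// The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webstoragequotamanager_8",
name: "Edge Dev Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\WebStorageQuotaManager*": the `WebStorage` directory and the
// `QuotaManager*` file mask were joined without a separator (presumably a path-join defect in the
// ingest step; fix it there as well). The unseparated glob matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\WebStorage\\QuotaManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Quota Manager — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};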
/// Edge Dev profile-root `Reporting and NEL*` files, collected by the KAPE `EdgeDevChromium` target.
/// `KAPE_FILE_NETWORKREPORTING_AND_NEL_8` is the companion descriptor for the other location.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_11",
name: "Edge Dev Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Reporting and NEL*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Reporting and NEL — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
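/// Edge Dev profile `Network\Reporting and NEL*` files, collected by the KAPE `EdgeDevChromium` target.
/// The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkreporting_and_nel_8",
name: "Edge Dev Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\NetworkReporting and NEL*": the `Network` directory and the
// `Reporting and NEL*` file mask were joined without a separator (presumably a path-join defect in
// the ingest step; fix it there as well). The unseparated glob matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network\\Reporting and NEL*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Reporting and NEL — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};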
/// Edge Dev profile `Shortcuts*` files, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_SHORTCUTS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_12",
name: "Edge Dev Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Shortcuts — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev profile `Top Sites*` files, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_TOP_SITES_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_12",
name: "Edge Dev Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Top Sites — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev profile-root `Trust Tokens*` files, collected by the KAPE `EdgeDevChromium` target.
/// `KAPE_FILE_NETWORKTRUST_TOKENS_8` is the companion descriptor for the other location.
pub(crate) static KAPE_FILE_TRUST_TOKENS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_10",
name: "Edge Dev Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Trust Tokens — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
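/// Edge Dev profile `Network\Trust Tokens*` files, collected by the KAPE `EdgeDevChromium` target.
/// The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networktrust_tokens_8",
name: "Edge Dev Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\NetworkTrust Tokens*": the `Network` directory and the
// `Trust Tokens*` file mask were joined without a separator (presumably a path-join defect in the
// ingest step; fix it there as well). The unseparated glob matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Network\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Trust Tokens — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};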
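/// Edge Dev profile `Sync Data\SyncData.sqlite3` database, collected by the KAPE `EdgeDevChromium`
/// target. The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_8",
name: "Edge Dev SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\Sync DataSyncData.sqlite3": the `Sync Data` directory and the
// `SyncData.sqlite3` file mask were joined without a separator (presumably a path-join defect in the
// ingest step; fix it there as well). The unseparated path matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev SyncData Database — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};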
/// Edge Dev profile `Visited Links` file, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_VISITED_LINKS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_12",
name: "Edge Dev Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Visited Links — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev profile `Web Data*` files, collected by the KAPE `EdgeDevChromium` target.
/// NOTE(review): `Web Data` holds form autofill in Chromium-based browsers, which can include
/// personal data — confirm handling expectations for the collected copy.
pub(crate) static KAPE_FILE_WEB_DATA_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_12",
name: "Edge Dev Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Web Data — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
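/// Edge Dev profile `IndexedDB\` directory, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_INDEXEDDB_8: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_indexeddb_8",
name: "Edge Dev IndexedDB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\IndexedDB\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// The generated value carried the source's surrounding quote characters verbatim
// ("\"Collects ... data.\""), which then show up literally wherever `meaning` is rendered;
// the ingest step should strip them (presumably it copies the tkape `Comment` field unmodified).
meaning: "Collects IndexedDB (LevelDB) databases used by modern web applications to store data.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};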
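/// Edge Dev profile `Local Storage\leveldb\` directory, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_storage_leveldb_13",
name: "Edge Dev Local Storage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\Local Storage\\leveldb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// The generated value carried the source's surrounding quote characters verbatim
// ("\"Collects ... storage.\""), which show up literally wherever `meaning` is rendered;
// the ingest step should strip them (presumably it copies the tkape `Comment` field unmodified).
meaning: "Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};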
/// Edge Dev profile `WebAssistDatabase*` files, collected by the KAPE `EdgeDevChromium` target.
pub(crate) static KAPE_FILE_WEBASSISTDATABASE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webassistdatabase_3",
name: "Edge Dev WebAssistDatabase",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\WebAssistDatabase*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev WebAssistDatabase — collected by KAPE EdgeDevChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
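/// Per-user `%AppData%\Roaming\Microsoft\Protect\<SID>\` directory (DPAPI master keys), pulled in by
/// the KAPE `EdgeDevChromium` target because the browser's encrypted stores cannot be decrypted
/// offline without them. The collected copy is credential-equivalent material: store and transfer
/// it with the same controls as the user's credentials, and record who accessed it.
pub(crate) static KAPE_FILE_PROTECT_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_11",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// The generated value carried the source's surrounding quote characters verbatim
// ("\"Required for offline DPAPI decryption\""); the ingest step should strip them.
meaning: "Required for offline DPAPI decryption",
mitre_techniques: &[],
fields: &[],
retention: None,
// Left at the ingest default; the priority reflects the KAPE target, not the sensitivity of the data.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};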
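/// Edge Dev `User Data\Snapshots\<version>\` directories, collected by the KAPE `EdgeDevChromium`
/// target; per the target's own comment these hold older copies of the profile SQLite databases.
pub(crate) static KAPE_FILE_SNAPSHOTS_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_10",
name: "Edge Dev Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// The generated value carried the source's surrounding quote characters verbatim
// ("\"Grabs folder ... folders\""); the ingest step should strip them. Wording kept as in the source.
meaning: "Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeDevChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};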
/// Edge (stable) profile `File System\` directory, collected by the KAPE `EdgeFileSystem` target.
pub(crate) static KAPE_FILE_FILE_SYSTEM_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_file_system_2",
name: "Edge HTML5 File System Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\File System\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge HTML5 File System Folder — collected by KAPE EdgeFileSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeFileSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Beta profile `File System\` directory, collected by the KAPE `EdgeFileSystem` target.
pub(crate) static KAPE_FILE_EDGE_BETA_HTML5_FILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_beta_html5_file",
name: "Edge Beta HTML5 File System Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Beta\\User Data\\*\\File System\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta HTML5 File System Folder — collected by KAPE EdgeFileSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeFileSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge Dev profile `File System\` directory, collected by the KAPE `EdgeFileSystem` target.
pub(crate) static KAPE_FILE_EDGE_DEV_HTML5_FILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_dev_html5_file",
name: "Edge Dev HTML5 File System Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge Dev\\User Data\\*\\File System\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev HTML5 File System Folder — collected by KAPE EdgeFileSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeFileSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS (Canary) profile `File System\` directory, collected by the KAPE `EdgeFileSystem` target.
pub(crate) static KAPE_FILE_EDGE_SXS_CANARY_HTML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_sxs_canary_html",
name: "Edge SxS - Canary HTML5 File System Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\File System\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS - Canary HTML5 File System Folder — collected by KAPE EdgeFileSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeFileSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
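/// Edge SxS profile `Collections\collectionsSQLite*` files, collected by the KAPE `EdgeSxSChromium`
/// target. The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_collectionscollectionssqlite_4",
name: "Edge SxS Collections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\CollectionscollectionsSQLite*": the `Collections` directory and the
// `collectionsSQLite*` file mask were joined without a separator (presumably a path-join defect in
// the ingest step; fix it there as well). The unseparated glob matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Collections\\collectionsSQLite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Collections — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};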
/// Edge SxS profile `Bookmarks*` files, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_BOOKMARKS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_12",
name: "Edge SxS Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Bookmarks — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
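/// Edge SxS profile `Network\Cookies*` files, collected by the KAPE `EdgeSxSChromium` target.
/// The static name and `id` keep the ingest-derived spelling so existing references resolve.
/// Cookie stores carry session tokens; handle the collected copy as sensitive material.
pub(crate) static KAPE_FILE_NETWORKCOOKIES_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkcookies_5",
name: "Edge SxS Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\NetworkCookies*": the `Network` directory and the `Cookies*`
// file mask were joined without a separator (presumably a path-join defect in the ingest step;
// fix it there as well). The unseparated glob matches nothing, so cookies were never collected.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Cookies — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};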
/// Edge SxS profile `Current Session` file, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_CURRENT_SESSION_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_12",
name: "Edge SxS Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Current Session — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Current Tabs` file, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_CURRENT_TABS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_12",
name: "Edge SxS Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Current Tabs — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Extension Cookies*` files, collected by the KAPE `EdgeSxSChromium` target.
/// Cookie stores carry session tokens; handle the collected copy as sensitive material.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_11",
name: "Edge SxS Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Extension Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Extension Cookies — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Favicons*` files, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_FAVICONS_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_13",
name: "Edge SxS Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Favicons — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `History*` files, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_HISTORY_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_13",
name: "Edge SxS History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS History — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Last Session` file, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_LAST_SESSION_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_11",
name: "Edge SxS Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Last Session — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Last Tabs` file, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_LAST_TABS_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_11",
name: "Edge SxS Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Last Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Last Tabs — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Sessions\` directory, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_SESSIONS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_12",
name: "Edge SxS Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Sessions Folder — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Login Data*` files, collected by the KAPE `EdgeSxSChromium` target.
/// This is the browser's saved-credential store; treat the collected copy as credential material.
pub(crate) static KAPE_FILE_LOGIN_DATA_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_13",
name: "Edge SxS Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Login Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Login Data — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
// Left at the ingest default; the priority reflects the KAPE target, not the sensitivity of the data.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Media History*` files, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_11",
name: "Edge SxS Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Media History — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile `Network Action Predictor*` files, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_13",
name: "Edge SxS Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network Action Predictor*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Network Action Predictor — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile-root `Network Persistent State` file, collected by the KAPE `EdgeSxSChromium` target.
/// `KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_9` is the companion descriptor for the other location.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_12",
name: "Edge SxS Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Network Persistent State — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
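/// Edge SxS profile `Network\Network Persistent State` file, collected by the KAPE `EdgeSxSChromium`
/// target. The static name and `id` keep the ingest-derived spelling so existing references resolve.
pub(crate) static KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networknetwork_persistent_state_9",
name: "Edge SxS Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The generated value was "...\\*\\NetworkNetwork Persistent State": the `Network` directory and the
// `Network Persistent State` file mask were joined without a separator (presumably a path-join defect
// in the ingest step; fix it there as well). The unseparated glob matches nothing.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Network Persistent State — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};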
/// Edge SxS profile `Preferences` file, collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_PREFERENCES_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_13",
name: "Edge SxS Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Preferences — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Edge SxS profile-root `QuotaManager*` files, collected by the KAPE `EdgeSxSChromium` target.
/// `KAPE_FILE_WEBSTORAGEQUOTAMANAGER_9` is the companion descriptor for the other location.
pub(crate) static KAPE_FILE_QUOTAMANAGER_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_12",
name: "Edge SxS Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\QuotaManager*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS Quota Manager — collected by KAPE EdgeSxSChromium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
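/// Edge SxS `QuotaManager*` files under the profile's `WebStorage` directory, as
/// collected by the KAPE `EdgeSxSChromium` target.
///
/// NOTE(review): the generated glob read `...\*\WebStorageQuotaManager*`, which
/// looks like the target's directory (`WebStorage\`) and file mask were joined
/// without a separator by the ingest step; restored the `\` so the glob can
/// actually match. Fix the ingest pipeline as well — confirm against the .tkape.
pub(crate) static KAPE_FILE_WEBSTORAGEQUOTAMANAGER_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_webstoragequotamanager_9",
    name: "Edge SxS Quota Manager",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\WebStorage\\QuotaManager*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Quota Manager — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};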
/// Edge SxS `Reporting and NEL*` files at the profile root, as collected by the
/// KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_12: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_12",
    name: "Edge SxS Reporting and NEL",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Reporting and NEL*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Reporting and NEL — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
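/// Edge SxS `Reporting and NEL*` files under the profile's `Network` directory,
/// as collected by the KAPE `EdgeSxSChromium` target.
///
/// NOTE(review): the generated glob read `...\*\NetworkReporting and NEL*`, which
/// looks like the target's directory (`Network\`) and file mask were joined
/// without a separator by the ingest step; restored the `\`. Fix the ingest
/// pipeline as well — confirm against the .tkape.
pub(crate) static KAPE_FILE_NETWORKREPORTING_AND_NEL_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_networkreporting_and_nel_9",
    name: "Edge SxS Reporting and NEL",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network\\Reporting and NEL*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Reporting and NEL — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};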
/// Edge SxS `Shortcuts*` files, as collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_SHORTCUTS_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_13",
    name: "Edge SxS Shortcuts",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Shortcuts*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Shortcuts — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `Top Sites*` files, as collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_TOP_SITES_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_13",
    name: "Edge SxS Top Sites",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Top Sites*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Top Sites — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `Trust Tokens*` files at the profile root, as collected by the KAPE
/// `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_TRUST_TOKENS_11: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_11",
    name: "Edge SxS Trust Tokens",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Trust Tokens*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Trust Tokens — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
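/// Edge SxS `Trust Tokens*` files under the profile's `Network` directory, as
/// collected by the KAPE `EdgeSxSChromium` target.
///
/// NOTE(review): the generated glob read `...\*\NetworkTrust Tokens*`, which
/// looks like the target's directory (`Network\`) and file mask were joined
/// without a separator by the ingest step; restored the `\`. Fix the ingest
/// pipeline as well — confirm against the .tkape.
pub(crate) static KAPE_FILE_NETWORKTRUST_TOKENS_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_networktrust_tokens_9",
    name: "Edge SxS Trust Tokens",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Network\\Trust Tokens*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Trust Tokens — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};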
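/// Edge SxS `SyncData.sqlite3` under the profile's `Sync Data` directory, as
/// collected by the KAPE `EdgeSxSChromium` target.
///
/// NOTE(review): the generated path read `...\*\Sync DataSyncData.sqlite3`, which
/// looks like the target's directory (`Sync Data\`) and file mask were joined
/// without a separator by the ingest step; restored the `\`. Fix the ingest
/// pipeline as well — confirm against the .tkape.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sync_datasyncdata_sqlite3_9",
    name: "Edge SxS SyncData Database",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Sync Data\\SyncData.sqlite3",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS SyncData Database — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};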
/// Edge SxS `Visited Links` file, as collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_VISITED_LINKS_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_13",
    name: "Edge SxS Visited Links",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Visited Links",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Visited Links — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `Web Data*` files, as collected by the KAPE `EdgeSxSChromium` target.
pub(crate) static KAPE_FILE_WEB_DATA_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_13",
    name: "Edge SxS Web Data",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Web Data*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS Web Data — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `IndexedDB\` directory (whole tree), as collected by the KAPE
/// `EdgeSxSChromium` target. The `meaning` text is the target's own description.
pub(crate) static KAPE_FILE_INDEXEDDB_9: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_indexeddb_9",
    name: "Edge SxS IndexedDB",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\IndexedDB\\",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "\"Collects IndexedDB (LevelDB) databases used by modern web applications to store data.\"",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `Local Storage\leveldb\` directory, as collected by the KAPE
/// `EdgeSxSChromium` target. The `meaning` text is the target's own description.
pub(crate) static KAPE_FILE_LOCAL_STORAGE_LEVELDB_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_local_storage_leveldb_14",
    name: "Edge SxS Local Storage",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\Local Storage\\leveldb\\",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "\"Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.\"",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Edge SxS `WebAssistDatabase*` files, as collected by the KAPE `EdgeSxSChromium`
/// target.
pub(crate) static KAPE_FILE_WEBASSISTDATABASE_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_webassistdatabase_4",
    name: "Edge SxS WebAssistDatabase",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\*\\WebAssistDatabase*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Edge SxS WebAssistDatabase — collected by KAPE EdgeSxSChromium target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
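/// The user's `%AppData%\Microsoft\Protect\<SID>\` directory, pulled in by the KAPE
/// `EdgeSxSChromium` target because (per the target's own note) it is required for
/// offline DPAPI decryption.
///
/// NOTE(review): this directory is the DPAPI master-key store, i.e. the root of
/// trust for every DPAPI-protected secret the same target collects. The original
/// entry carried no caveats at all; the ones below are what a practitioner needs
/// before handling or sharing the collected copy. Triage priority is left at Low
/// to match the generator's output, but consider aligning it with the Critical
/// priority this file uses for the Firefox password stores.
pub(crate) static KAPE_FILE_PROTECT_12: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protect_12",
    name: "Windows Protect Folder",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "\"Required for offline DPAPI decryption\"",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape",
    ],
    evidence_strength: None,
    evidence_caveats: &[
        "Contains the user's DPAPI master-key files; together with the user's password/NT hash (or the domain DPAPI backup key) they decrypt every DPAPI-protected secret of that user, so handle the collected copy as credential material and restrict access to it",
        "Master keys are themselves DPAPI-wrapped with the user's logon credential; collecting this folder alone does not yield plaintext without that credential or the domain backup key",
    ],
    volatility: None,
    volatility_rationale: "",
};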
/// Edge SxS `User Data\Snapshots\<version>\` directories, as collected by the KAPE
/// `EdgeSxSChromium` target. The `meaning` text is the target's own description.
pub(crate) static KAPE_FILE_SNAPSHOTS_11: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_snapshots_11",
    name: "Edge SxS Snapshots Folder",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge SxS\\User Data\\Snapshots\\*\\",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "\"Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders\"",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EdgeSxSChromium.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `addons.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_ADDONS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_addons_sqlite",
    name: "Addons",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\addons.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Addons — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `weave\bookmarks.sqlite*` (any profile), as collected by the KAPE
/// `Firefox` target.
pub(crate) static KAPE_FILE_WEAVE_BOOKMARKS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_weave_bookmarks_sqlite",
    name: "Bookmarks",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\weave\\bookmarks.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Bookmarks — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `bookmarkbackups` directory (any profile), as collected by the KAPE
/// `Firefox` target.
pub(crate) static KAPE_FILE_BOOKMARKBACKUPS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarkbackups",
    name: "Bookmarks",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\bookmarkbackups",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Bookmarks — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
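/// Firefox `cookies.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): the original entry had no caveats. Cookie databases routinely hold
/// live session tokens, which is the point a handler of the collected copy needs.
pub(crate) static KAPE_FILE_COOKIES_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_sqlite",
    name: "Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Cookies — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "Cookie values can carry live session tokens and the database is plain SQLite (no encryption at rest); handle the collected copy as credential material",
    ],
    volatility: None,
    volatility_rationale: "",
};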
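/// Firefox `firefox_cookies.sqlite*` (any profile), as collected by the KAPE
/// `Firefox` target.
///
/// NOTE(review): the original entry had no caveats; same handling note as the
/// `cookies.sqlite` entry, since this is the same kind of cookie store.
pub(crate) static KAPE_FILE_FIREFOX_COOKIES_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_firefox_cookies_sqlite",
    name: "Cookies",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\firefox_cookies.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Cookies — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[
        "Cookie values can carry live session tokens and the database is plain SQLite (no encryption at rest); handle the collected copy as credential material",
    ],
    volatility: None,
    volatility_rationale: "",
};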
/// Firefox `downloads.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_DOWNLOADS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloads_sqlite",
    name: "Downloads",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Downloads — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `extensions.json` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_EXTENSIONS_JSON: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_extensions_json",
    name: "Extensions",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions.json",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Extensions — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `favicons.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_FAVICONS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_favicons_sqlite",
    name: "Favicons",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\favicons.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Favicons — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `formhistory.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_FORMHISTORY_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_formhistory_sqlite",
    name: "Form history",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\formhistory.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Form history — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `permissions.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_PERMISSIONS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_permissions_sqlite",
    name: "Permissions",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\permissions.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Permissions — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `places.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_PLACES_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_places_sqlite_2",
    name: "Places",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Places — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `protections.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_PROTECTIONS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protections_sqlite",
    name: "Protections",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\protections.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Protections — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `search.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_SEARCH_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_search_sqlite",
    name: "Search",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\search.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Search — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
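/// Firefox `signons.sqlite*` (any profile), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): this glob is a strict subset of `KAPE_FILE_SIGNON`'s `signon*.*`,
/// which the same file rates Critical / Definitive as a password store, yet this
/// entry was generated at Low with no evidence metadata. Aligned the two so the
/// same file does not carry two different priorities, and cross-linked the key
/// database without which the stored logins are not recoverable.
pub(crate) static KAPE_FILE_SIGNONS_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_signons_sqlite",
    name: "Signons",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\signons.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Signons — collected by KAPE Firefox target",
    // Matches KAPE_FILE_SIGNON, whose `signon*.*` glob covers this very file.
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &["kape_file_signon", "kape_file_key_db"],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Legacy Firefox password store; entries are encrypted with the key held in the profile's key*.db (NSS), so collect key*.db alongside or the logins cannot be decrypted",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential store persists until browser profile deletion",
};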
/// Firefox `storage-sync.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_STORAGE_SYNC_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_storage_sync_sqlite",
    name: "Storage Sync",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\storage-sync.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Storage Sync — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `webappstore.sqlite*` (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_WEBAPPSTORE_SQLITE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_webappstore_sqlite",
    name: "Webappstore",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\webappstore.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Webappstore — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
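/// Firefox NSS key database `key*.db` (`key3.db` / `key4.db`, any profile), as
/// collected by the KAPE `Firefox` target.
///
/// NOTE(review): the generated volatility rationale said the database persists
/// "until application uninstall", which disagrees with the sibling password
/// entries ("until browser profile deletion") and with the path — the file lives in
/// the profile directory, not the install directory. Aligned the wording and
/// cross-linked the two stores this key decrypts.
pub(crate) static KAPE_FILE_KEY_DB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_key_db",
    name: "Password",
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\key*.db"),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Password — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &["kape_file_signon", "kape_file_logins_json_2"],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Encrypted vault; master password hash extractable for offline attack",
        "Holds the key that decrypts logins.json / signons.sqlite from the same profile; it is only gated by the optional primary (master) password, which is empty by default, so treat the collected copy as credential material",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Key database lives in the profile directory and persists until browser profile deletion",
};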
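/// Firefox `signon*.*` (any profile), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): the generated caveat said the decryption key is "in OS credential
/// store". For Firefox that is not the case — the key is the NSS key database
/// (`key*.db`) in the same profile directory, which this file already describes as
/// `KAPE_FILE_KEY_DB`. Corrected the caveat and cross-linked that entry so a
/// collector knows both files are needed together.
pub(crate) static KAPE_FILE_SIGNON: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_signon",
    name: "Password",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\signon*.*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Password — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &["kape_file_key_db"],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Encrypted browser passwords; the decryption key is the profile's key*.db (NSS), not the OS credential store, so collect key*.db alongside; timestamps record last use",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential store persists until browser profile deletion",
};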
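/// Firefox `logins.json` (any profile), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): the generated caveat said the decryption key is "in OS credential
/// store". For Firefox the key is the NSS key database (`key*.db`) in the same
/// profile, described in this file as `KAPE_FILE_KEY_DB`. Corrected the caveat and
/// cross-linked that entry so a collector knows both files are needed together.
pub(crate) static KAPE_FILE_LOGINS_JSON_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logins_json_2",
    name: "Password",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\logins.json",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Password — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Critical,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &["kape_file_key_db"],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
    evidence_caveats: &[
        "Encrypted browser passwords; the decryption key is the profile's key*.db (NSS), not the OS credential store, so collect key*.db alongside; timestamps record last use",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credential store persists until browser profile deletion",
};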
/// Firefox `prefs.js` (any profile), as collected by the KAPE `Firefox` target.
pub(crate) static KAPE_FILE_PREFS_JS_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_prefs_js_2",
    name: "Preferences",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\prefs.js",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Preferences — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `sessionstore*` files (any profile), as collected by the KAPE `Firefox`
/// target.
pub(crate) static KAPE_FILE_SESSIONSTORE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessionstore",
    name: "Sessionstore",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\sessionstore*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Sessionstore — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `sessionstore-backups` directory (any profile), as collected by the KAPE
/// `Firefox` target.
pub(crate) static KAPE_FILE_SESSIONSTORE_BACKUPS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessionstore_backups",
    name: "Sessionstore Folder",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\sessionstore-backups",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Sessionstore Folder — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `places.sqlite*` under the XP-era profile root (`Documents and
/// Settings`), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): the path is an XP layout but `os_scope` says `Win7Plus`; both
/// cannot hold. No XP variant of `OsScope` is visible in this file, so the value is
/// left as generated — resolve in the ingest pipeline / `OsScope` enum.
pub(crate) static KAPE_FILE_PLACES_XP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_places_xp",
    name: "Places XP",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Places XP — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `downloads.sqlite*` under the XP-era profile root (`Documents and
/// Settings`), as collected by the KAPE `Firefox` target.
///
/// NOTE(review): the path is an XP layout but `os_scope` says `Win7Plus`; both
/// cannot hold. No XP variant of `OsScope` is visible in this file, so the value is
/// left as generated — resolve in the ingest pipeline / `OsScope` enum.
pub(crate) static KAPE_FILE_DOWNLOADS_XP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloads_xp",
    name: "Downloads XP",
    artifact_type: ArtifactType::File,
    file_path: Some(
        "C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite*",
    ),
    // File artifact: no registry hive/key/value.
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    meaning: "Downloads XP — collected by KAPE Firefox target",
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Firefox `formhistory.sqlite*` (saved form field values) under the XP-era profile
/// root, from the KAPE Firefox target.
pub(crate) static KAPE_FILE_FORM_HISTORY_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_form_history_xp",
name: "Form history XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\formhistory.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Form history XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `cookies.sqlite*` under the XP-era profile root, from the KAPE Firefox target.
/// Cookie databases carry live session tokens; handle the collected copy as sensitive.
pub(crate) static KAPE_FILE_COOKIES_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_xp",
name: "Cookies XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cookies XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `signons.sqlite*` (legacy saved-login store) under the XP-era profile root,
/// from the KAPE Firefox target.
// NOTE(review): this descriptor is Low, but the broader `signon*.*` glob of
// KAPE_FILE_SIGNON_2 (Critical) matches the same file — confirm which one is meant
// to win so credential material is not under-prioritised.
pub(crate) static KAPE_FILE_SIGNONS_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signons_xp",
name: "Signons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\signons.sqlite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Signons XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `webappstore.sqlite*` (DOM/local storage) under the XP-era profile root,
/// from the KAPE Firefox target.
pub(crate) static KAPE_FILE_WEBAPPSTORE_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webappstore_xp",
name: "Webappstore XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\webappstore.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Webappstore XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `favicons.sqlite*` under the XP-era profile root, from the KAPE Firefox target.
/// Useful as corroboration for visited hosts when `places.sqlite` is damaged or purged.
pub(crate) static KAPE_FILE_FAVICONS_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_xp",
name: "Favicons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\favicons.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Favicons XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `addons.sqlite*` (installed extension metadata) under the XP-era profile root,
/// from the KAPE Firefox target. Relevant when a malicious or side-loaded extension is suspected.
pub(crate) static KAPE_FILE_ADDONS_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_addons_xp",
name: "Addons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\addons.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Addons XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `search.sqlite*` (search engine configuration) under the XP-era profile root,
/// from the KAPE Firefox target.
pub(crate) static KAPE_FILE_SEARCH_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_search_xp",
name: "Search XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\search.sqlite*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Search XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox NSS key database (`key*.db`) under the XP-era profile root, from the KAPE
/// Firefox target. Critical because it is the key material for the saved-login store.
// NOTE(review): the caveat says "key in OS credential store", yet this descriptor's own
// glob is the in-profile key database — the wording looks copied from a Chromium-style
// entry; confirm against the ingest source.
pub(crate) static KAPE_FILE_PASSWORD_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_password_xp",
name: "Password XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\key*.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Password XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Encrypted browser passwords; key in OS credential store; timestamp shows last use"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};
/// Firefox `signon*.*` (any saved-login store variant) under the XP-era profile root,
/// from the KAPE Firefox target. Rated Critical: stored credentials.
// NOTE(review): `name`/`meaning` reuse the "Password XP" label of the key*.db entry;
// the glob here also overlaps KAPE_FILE_SIGNONS_XP (rated Low) — confirm intended dedup.
pub(crate) static KAPE_FILE_SIGNON_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signon_2",
name: "Password XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\signon*.*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Password XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
// Caveat wording mirrors the key*.db entry; see that entry's note on "OS credential store".
evidence_caveats: &["Encrypted browser passwords; key in OS credential store; timestamp shows last use"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};
/// Firefox `logins.json` (current saved-login store) under the XP-era profile root,
/// from the KAPE Firefox target. Rated Critical: stored credentials.
// NOTE(review): `name` is the shared "Password XP" label rather than something
// distinguishing logins.json; fine for grouping, confusing in a triage report.
pub(crate) static KAPE_FILE_LOGINS_JSON_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logins_json_2_2",
name: "Password XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\logins.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Password XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
// Entries in this file are only useful together with the profile's key*.db (see KAPE_FILE_PASSWORD_XP).
evidence_caveats: &["Encrypted browser passwords; key in OS credential store; timestamp shows last use"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};
/// Firefox `sessionstore*` under the XP-era profile root, from the KAPE Firefox target.
/// Session data records open tabs/URLs at last shutdown or crash.
// NOTE(review): the bare `sessionstore*` glob would also match a `sessionstore-backups`
// directory if one exists on this layout — confirm that is intended.
pub(crate) static KAPE_FILE_SESSIONSTORE_XP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessionstore_xp",
name: "Sessionstore XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Mozilla\\Firefox\\Profiles\\*\\sessionstore*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Sessionstore XP — collected by KAPE Firefox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Firefox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy IE `index.dat` at the root of `History.IE5` under the XP-era profile layout,
/// from the KAPE InternetExplorer target.
// NOTE(review): XP-era path with a Win7Plus scope — confirm against the ingest mapping.
pub(crate) static KAPE_FILE_HISTORY_IE5_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_ie5_index_dat",
name: "Index.dat History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\%user%\\Local Settings\\History\\History.IE5\\index.dat",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat History — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy IE `index.dat` files one level below `History.IE5` (the per-period history
/// subdirectories), from the KAPE InternetExplorer target.
pub(crate) static KAPE_FILE_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_index_dat",
name: "Index.dat History subdirectory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Single-level wildcard: only direct children of History.IE5 are matched.
file_path: Some(
"C:\\Documents and Settings\\%user%\\Local Settings\\History\\History.IE5\\*\\index.dat",
),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat History subdirectory — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy IE cookie index (`Cookies\index.dat`) under the XP-era profile layout,
/// from the KAPE InternetExplorer target.
pub(crate) static KAPE_FILE_COOKIES_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_index_dat",
name: "Index.dat cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Cookies\\index.dat"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat cookies — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy IE `UserData\index.dat` (persisted DOM storage index) under the XP-era
/// profile layout, from the KAPE InternetExplorer target.
pub(crate) static KAPE_FILE_USERDATA_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_userdata_index_dat",
name: "Index.dat UserData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Microsoft\\Internet Explorer\\UserData\\index.dat"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat UserData — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Office `Recent\index.dat` (recent-documents index) under the XP-era profile layout.
/// Sourced from the KAPE InternetExplorer target even though it is an Office MRU, not a
/// browser artifact — the `id` (`recent_index_dat`) does not say "office"; keep both in mind
/// when searching the registry.
pub(crate) static KAPE_FILE_RECENT_INDEX_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recent_index_dat",
name: "Index.dat Office XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Microsoft\\Office\\Recent\\index.dat"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat Office XP — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Office `Recent\index.dat` under the Vista+ `AppData\Roaming` layout; the modern
/// counterpart of KAPE_FILE_RECENT_INDEX_DAT. From the KAPE InternetExplorer target.
pub(crate) static KAPE_FILE_INDEX_DAT_OFFICE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_index_dat_office",
name: "Index.dat Office",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Index.dat Office — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Whole `AppData\Local\Microsoft\Internet Explorer\` directory for `%user%`,
/// from the KAPE InternetExplorer target. Directory-level collection (trailing `\`);
/// expect a large, heterogeneous pull rather than a single parseable file.
pub(crate) static KAPE_FILE_MICROSOFT_INTERNET_EXPLORER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_internet_explorer",
name: "Local Internet Explorer folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Internet Explorer\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local Internet Explorer folder — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Whole `AppData\Roaming\Microsoft\Internet Explorer\` directory for `%user%`,
/// from the KAPE InternetExplorer target. Directory-level collection (trailing `\`).
pub(crate) static KAPE_FILE_ROAMING_INTERNET_EXP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_internet_exp",
name: "Roaming Internet Explorer folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Internet Explorer\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Roaming Internet Explorer folder — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE 9/10 history directory (`AppData\Local\Microsoft\Windows\History\`) for `%user%`,
/// from the KAPE InternetExplorer target. Directory-level collection (trailing `\`).
pub(crate) static KAPE_FILE_WINDOWS_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_history",
name: "IE 9/10 History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\History\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 9/10 History — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE 9/10 cookie directory (`AppData\Local\Microsoft\Windows\Cookies\`) for `%user%`,
/// from the KAPE InternetExplorer target. Cookie files may hold live session tokens;
/// treat the collected copy as sensitive.
pub(crate) static KAPE_FILE_WINDOWS_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_cookies",
name: "IE 9/10 Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Cookies\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 9/10 Cookies — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE 9/10 download history directory (`...\Windows\IEDownloadHistory\`) for `%user%`,
/// from the KAPE InternetExplorer target. Medium: download records are a frequent
/// initial-access pivot.
pub(crate) static KAPE_FILE_WINDOWS_IEDOWNLOADHISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_iedownloadhistory",
name: "IE 9/10 Download History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\IEDownloadHistory\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 9/10 Download History — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE 10+/11 `WebCache\` directory for `%user%` (WebCacheV01.dat and its ESE log files),
/// from the KAPE InternetExplorer target.
// NOTE(review): rated Low although this directory is the primary IE 11 history/cookie/
// download store on Win7+; the Medium ratings on the older per-directory entries above
// suggest this one may be under-prioritised — confirm with the ingest priority mapping.
pub(crate) static KAPE_FILE_WINDOWS_WEBCACHE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_webcache_2",
name: "IE 11 Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\WebCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 11 Metadata — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE 11 cookie directory (`AppData\Local\Microsoft\Windows\INetCookies\`) for `%user%`,
/// from the KAPE InternetExplorer target. May contain live session tokens; treat as sensitive.
pub(crate) static KAPE_FILE_WINDOWS_INETCOOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_inetcookies",
name: "IE 11 Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IE 11 Cookies — collected by KAPE InternetExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/InternetExplorer.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entire Opera Stable profile under `AppData\Local` for `%user%`, from the KAPE Opera
/// target. Whole-directory pull: the Chromium-style databases inside (history, cookies,
/// login data) arrive together, so the Low priority here understates the cookie/credential
/// content — triage the contents individually after collection.
pub(crate) static KAPE_FILE_OPERA_SOFTWARE_OPERA_STABLE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_opera_software_opera_stable",
name: "Opera - Local Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Opera Software\\Opera Stable"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs entire contents of the Opera AppData\\Local folder",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Opera.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entire Opera Stable profile under `AppData\Roaming` for `%user%`, from the KAPE Opera
/// target. Whole-directory pull, same caveat as the Local-folder entry: contents must be
/// triaged individually after collection.
pub(crate) static KAPE_FILE_OPERA_ROAMING_FOLDER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_opera_roaming_folder",
name: "Opera - Roaming Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Opera Software\\Opera Stable"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs entire contents of the Opera AppData\\Roaming folder",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Opera.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Bookmarks*` under the XP-era `Local Settings\Application Data`
/// layout, from the KAPE PrismaAccessBrowser target.
// NOTE(review): XP-era path with a Win7Plus scope; the same applies to every
// PrismaAccessBrowser "XP" entry below — confirm against the ingest mapping.
pub(crate) static KAPE_FILE_BOOKMARKS_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_13",
name: "Prisma Access Browser bookmarks XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser bookmarks XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Cookies*` (Chromium-style cookie DB) under the XP-era layout,
/// from the KAPE PrismaAccessBrowser target. Treat the collected copy as sensitive.
pub(crate) static KAPE_FILE_COOKIES_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_9",
name: "Prisma Access Browser Cookies XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Cookies XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Current Session` (Chromium SNSS session file) under the XP-era
/// layout, from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_CURRENT_SESSION_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_13",
name: "Prisma Access Browser Current Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Current Session XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Current Tabs` (Chromium SNSS tab file) under the XP-era layout,
/// from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_CURRENT_TABS_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_13",
name: "Prisma Access Browser Current Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Current Tabs XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Favicons*` under the XP-era layout, from the KAPE
/// PrismaAccessBrowser target. Corroborates visited hosts when `History` is purged.
pub(crate) static KAPE_FILE_FAVICONS_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_14",
name: "Prisma Access Browser Favicons XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Favicons XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `History*` (Chromium history DB plus journal) under the XP-era
/// layout, from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_HISTORY_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_14",
name: "Prisma Access Browser History XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser History XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Last Session` (previous-run SNSS session file) under the XP-era
/// layout, from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_LAST_SESSION_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_12",
name: "Prisma Access Browser Last Session XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Last Session XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Last Tabs` (previous-run SNSS tab file) under the XP-era layout,
/// from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_LAST_TABS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_12",
name: "Prisma Access Browser Last Tabs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Last Tabs XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Login Data` (Chromium saved-credential DB) under the XP-era
/// layout, from the KAPE PrismaAccessBrowser target.
// NOTE(review): rated Medium with no evidence_strength/caveats, while the Firefox
// saved-login entries in this file are Critical with a credential caveat — the two
// families should be graded consistently; confirm with the ingest priority mapping.
pub(crate) static KAPE_FILE_LOGIN_DATA_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_14",
name: "Prisma Access Browser Login Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Login Data XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Preferences` (JSON profile settings, incl. installed extensions
/// and policy state) under the XP-era layout, from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_PREFERENCES_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_14",
name: "Prisma Access Browser Preferences XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Preferences XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Shortcuts*` (omnibox shortcut DB) under the XP-era layout,
/// from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_SHORTCUTS_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_14",
name: "Prisma Access Browser Shortcuts XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Shortcuts XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Top Sites*` (most-visited DB) under the XP-era layout,
/// from the KAPE PrismaAccessBrowser target.
pub(crate) static KAPE_FILE_TOP_SITES_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_14",
name: "Prisma Access Browser Top Sites XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
// XP-era path with a Win7Plus scope — confirm against the ingest mapping.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Top Sites XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Visited Links` file at the Windows XP/2003 profile location. The file
/// holds salted fingerprints of visited URLs, not the URLs themselves (see
/// `kape_file_visited_links_2_2` for the interpretation caveat).
/// NOTE(review): `Documents and Settings` path with `os_scope: Win7Plus` cannot match on Win7+;
/// fix the scope in ingest.
pub(crate) static KAPE_FILE_VISITED_LINKS_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_14",
name: "Prisma Access Browser Visited Links XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Visited Links XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Web Data` database (autofill, addresses, payment cards) at the Windows
/// XP/2003 profile location; the trailing `*` also takes the `-journal` file.
/// NOTE(review): `Documents and Settings` path with `os_scope: Win7Plus` cannot match on Win7+;
/// fix the scope in ingest. Win7+ counterpart: `kape_file_web_data_2_2`.
pub(crate) static KAPE_FILE_WEB_DATA_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_14",
name: "Prisma Access Browser Web Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Web Data XP — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Bookmarks` file, per profile (the trailing `*` also collects
/// `Bookmarks.bak`). Bookmarks show saved destinations, not visits — pair with
/// `kape_file_history_2_2` for actual navigation.
pub(crate) static KAPE_FILE_PRISMA_ACCESS_BROWSE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prisma_access_browse",
name: "Prisma Access Browser bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser bookmarks — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `Cookies` SQLite store (the trailing `*` also matches the `-journal`).
/// In Chromium-derived browsers cookie values are stored encrypted under a per-profile key that is
/// DPAPI-protected on Windows; `kape_file_protect_13` collects the DPAPI master keys needed for
/// offline decryption. Decrypted cookies are live session tokens — handle the collection as
/// credential material, not just as a browsing record.
pub(crate) static KAPE_FILE_COOKIES_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_2_2",
name: "Prisma Access Browser Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Cookies — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Session-restore (SNSS) file for the browser session that was running at collection time.
/// Upstream Chromium rotates `Current Session`/`Current Tabs` into `Last Session`/`Last Tabs` on
/// the next start, and newer builds write timestamped `Session_*`/`Tabs_*` files into `Sessions\`
/// instead (see `kape_file_sessions_13`) — which layout is present depends on the browser
/// version; confirm on the collected data.
pub(crate) static KAPE_FILE_CURRENT_SESSION_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_2_2",
name: "Prisma Access Browser Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Current Session — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Session-restore (SNSS) tab list for the running browser session; rotated to `Last Tabs` on the
/// next start. Same version-dependent layout caveat as `kape_file_current_session_2_2`.
pub(crate) static KAPE_FILE_CURRENT_TABS_2_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_2_3",
name: "Prisma Access Browser Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Current Tabs — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `DownloadMetadata` file in the profile directory. This is not a standard Chromium artifact name
/// and the upstream target gives no description, so its format is unconfirmed — treat it as an
/// opaque file until parsed, and use the download records in `kape_file_history_2_2` as the
/// primary source for downloads.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_9: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_9",
name: "Prisma Access Browser Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\DownloadMetadata"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Download Metadata — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Extension Cookies` SQLite store: cookies held by extension contexts rather than by web pages.
/// Worth reviewing when a malicious or data-exfiltrating extension is suspected; same encryption
/// and handling caveats as `kape_file_cookies_2_2`.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_12",
name: "Prisma Access Browser Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Extension Cookies"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Extension Cookies — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Favicons` SQLite database (the trailing `*` also takes the `-journal`). Maps icon URLs to page
/// URLs and can retain rows for pages whose `History` entries were removed — a useful cross-check
/// against `kape_file_history_2_2`, but a favicon mapping alone does not prove a visit.
pub(crate) static KAPE_FILE_FAVICONS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_2_2",
name: "Prisma Access Browser Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Favicons — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `History` SQLite database — the primary navigation record of a Chromium-derived browser (URLs,
/// visits, downloads). The trailing `*` also collects the `-journal` and any archived `History*`
/// variants. Timestamps in this database use the Chromium/WebKit epoch (microseconds since
/// 1601-01-01 UTC), not Unix time — convert before correlating with other evidence. Older copies
/// that survive history clearing may exist in `kape_file_snapshots_12` and
/// `kape_file_prismaaccessbrowser_user_data_backup`.
pub(crate) static KAPE_FILE_HISTORY_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_2_2",
name: "Prisma Access Browser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser History — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Session-restore (SNSS) file of the previous browser session; `Current Session` is rotated into
/// this file on restart. See `kape_file_current_session_2_2` for the version-dependent layout
/// caveat.
pub(crate) static KAPE_FILE_LAST_SESSION_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_2_2",
name: "Prisma Access Browser Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Last Session — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Session-restore (SNSS) tab list of the previous browser session; `Current Tabs` is rotated into
/// this file on restart. See `kape_file_current_session_2_2` for the layout caveat.
pub(crate) static KAPE_FILE_LAST_TABS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_2_2",
name: "Prisma Access Browser Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Last Tabs — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Sessions\` directory: the newer Chromium layout for session-restore data (timestamped
/// `Session_*` and `Tabs_*` files) that replaced the flat `Current/Last Session` files. The trailing
/// backslash collects the whole directory, so several generations of session state may be present.
pub(crate) static KAPE_FILE_SESSIONS_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_13",
name: "Prisma Access Browser Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Sessions Folder — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Login Data` SQLite store: saved credentials. In Chromium-derived browsers the origin and
/// username columns are plaintext while password values are encrypted with the profile's os_crypt
/// key, which is DPAPI-protected on Windows (`kape_file_protect_13` collects the master keys).
/// Handle the collection as credential material.
/// NOTE(review): this is the same artifact class that the Puffin `credential.dat` /
/// `passwordForms.dat` entries mark `Critical` with `Definitive` evidence strength, yet here it is
/// `Medium` with no caveats — the ingest heuristic looks name-based; harmonise the classification.
pub(crate) static KAPE_FILE_LOGIN_DATA_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_2_2",
name: "Prisma Access Browser Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Login Data — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Media History` SQLite database (the trailing `*` also takes the `-journal`): media playback
/// sessions and origins. Secondary evidence of which sites were used; cross-check with
/// `kape_file_history_2_2`.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_12",
name: "Prisma Access Browser Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Media History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Media History — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Network Action Predictor` SQLite database: omnibox input → predicted-navigation pairs. It
/// records text the user typed even when no navigation followed, so it can show intent that the
/// `History` database does not; treat entries as typed input, not as confirmed visits.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_14",
name: "Prisma Access Browser Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Network Action Predictor — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Network Persistent State` JSON: HTTP/2 and QUIC server properties cached by the network stack.
/// It lists hosts the browser negotiated with and is not cleared with browsing history, so it can
/// corroborate contact with a host after `History` has been wiped; whether per-host timestamps are
/// present should be verified on the parsed file rather than assumed.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_13",
name: "Prisma Access Browser Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Network Persistent State — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-profile `Preferences` JSON. Review it for the installed-extension list, proxy configuration
/// and managed/policy settings — a common place to spot a malicious extension or weakened security
/// settings. Chromium also keeps an HMAC-protected `Secure Preferences` file next to it; that file
/// is not among the entries of this target visible here, so check whether the collection includes it.
pub(crate) static KAPE_FILE_PREFERENCES_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_2_2",
name: "Prisma Access Browser Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Preferences — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `QuotaManager` SQLite database: per-origin storage quota bookkeeping. Low analytic value by
/// itself, but its origin list is another record of sites that stored data locally.
pub(crate) static KAPE_FILE_QUOTAMANAGER_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_13",
name: "Prisma Access Browser Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\QuotaManager"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Quota Manager — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Reporting and NEL` store: Reporting-API endpoints and Network Error Logging policies cached per
/// origin. Mostly infrastructure noise, but it records origins contacted and the report endpoints
/// they configured, which can corroborate contact with a host.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_13",
name: "Prisma Access Browser Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Reporting and NEL"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Reporting and NEL — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Omnibox `Shortcuts` SQLite database (the trailing `*` also takes the `-journal`): maps text the
/// user typed in the address bar to the destination chosen. Like the Network Action Predictor it
/// preserves typed input and can survive history clearing; confirm against `kape_file_history_2_2`.
pub(crate) static KAPE_FILE_SHORTCUTS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_2_2",
name: "Prisma Access Browser Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Shortcuts — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Top Sites` SQLite database (the trailing `*` also takes the `-journal`): the most-visited URLs
/// shown on the new-tab page. Derived from `History`, so it is corroborating rather than primary
/// evidence, but it may outlive a cleared `History`.
pub(crate) static KAPE_FILE_TOP_SITES_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_2_2",
name: "Prisma Access Browser Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Top Sites — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Trust Tokens` SQLite database (the trailing `*` also takes the `-journal`): Private State
/// Token issuer/redemption records. Contains issuer origins and not much else of investigative
/// value; collected for completeness.
pub(crate) static KAPE_FILE_TRUST_TOKENS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_12",
name: "Prisma Access Browser Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Trust Tokens — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
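/// `Sync Data\SyncData.sqlite3`: the browser's sync-engine database. It can hold synced history,
/// bookmarks and other profile data from *other* devices of the same account, so entries here are
/// not necessarily activity on this host — attribute with care.
// NOTE(review): the generator appears to have joined the target's directory (`...\Sync Data`) and
// file mask (`SyncData.sqlite3`) without a separator, producing `Sync DataSyncData.sqlite3`, a path
// that never matches. Corrected here; the `id` derived from the broken join is kept for stability.
// Fix the join in `ingest` so regeneration does not reintroduce the bug.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_10: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_10",
name: "Prisma Access Browser SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Sync Data\\SyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser SyncData Database — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};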
/// `Visited Links` file: a hash table of salted fingerprints of visited URLs used for `:visited`
/// styling. It contains no URLs; it can only confirm that a *candidate* URL was visited by hashing
/// it with the per-profile salt, so it is a corroboration tool, not a standalone history source.
pub(crate) static KAPE_FILE_VISITED_LINKS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_2_2",
name: "Prisma Access Browser Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Visited Links — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Web Data` SQLite database (the trailing `*` also takes the `-journal`): autofill entries, saved
/// addresses and payment cards. Card numbers are encrypted the same way as passwords (see
/// `kape_file_login_data_2_2`), while autofill name/value pairs are plaintext and record form input
/// the user submitted on sites — which may survive history clearing. Handle as sensitive PII.
pub(crate) static KAPE_FILE_WEB_DATA_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_2_2",
name: "Prisma Access Browser Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser Web Data — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
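/// The user's DPAPI master-key store (`%APPDATA%\Microsoft\Protect\<SID>\`), pulled in by the
/// PrismaAccessBrowser target so that DPAPI-protected browser data — the `Login Data`, `Cookies`
/// and `Web Data` entries in this file — can be decrypted offline. Upstream comment: "Required for
/// offline decryption". `Low` triage priority is appropriate: this is supporting key material, not
/// an activity indicator.
// NOTE(review): `related_artifacts` should reference `kape_file_login_data_2_2` and
// `kape_file_cookies_2_2`; it is left empty because that field's element type is not visible in
// this chunk — wire the links up in `ingest` rather than by hand here.
pub(crate) static KAPE_FILE_PROTECT_13: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_13",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape",
],
evidence_strength: None,
// Handling caveats: the collected directory holds encrypted DPAPI master keys, i.e. the material
// that unlocks every DPAPI-protected secret of this user once combined with the user's logon
// password (or the domain DPAPI backup key). The evidence package must be protected accordingly.
evidence_caveats: &[
"Contains the user's DPAPI master-key blobs (one sub-directory per SID); their presence proves nothing about activity and they are unusable without the user's logon password or the domain DPAPI backup key.",
"Handle the collected files as credential material: together with the user's password they unlock all DPAPI-protected secrets of that user, not only browser data.",
],
volatility: None,
volatility_rationale: "",
};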
/// `User Data\Snapshots\<version>\`: copies of profile databases kept per browser version
/// (upstream: "Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by
/// version #."). Presumably not touched by "clear browsing data", so these copies can recover
/// `History`/`Login Data` state from before a clean-up — verify on the collected tree. Note the
/// glob sits directly under `User Data`, not under a profile directory like the other entries.
pub(crate) static KAPE_FILE_SNAPSHOTS_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_12",
name: "Prisma Access Browser Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prisma Access Browser `History` database under the LocalSystem profile
/// (`system32\config\systemprofile`). A browser profile at this location means the browser ran as
/// SYSTEM — typically from a service, scheduled task or remote-execution tooling rather than an
/// interactive user — so its mere existence is worth noting, independent of its contents.
/// NOTE(review): the upstream name "SYSTEM Chrome History" was inherited from the Chrome target;
/// the path is the Prisma Access Browser directory, which is what actually matters.
pub(crate) static KAPE_FILE_SYSTEM_CHROME_HISTOR_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_chrome_histor_2",
name: "SYSTEM Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM Chrome History — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `User Data Backup\` directory next to the live profile; the trailing backslash collects it
/// whole. Likely holds an older copy of the profile (including `History`, `Login Data`, `Cookies`),
/// so it can preserve state that was since deleted from the live profile — and the same
/// credential-handling caveats apply to its contents. What triggers the backup is not documented
/// in the source; do not infer timing from its presence alone.
pub(crate) static KAPE_FILE_PRISMAACCESSBROWSER_USER_DATA_BACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prismaaccessbrowser_user_data_backup",
name: "Prisma Access Browser User Data Backup Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Palo Alto Networks\\PrismaAccessBrowser\\User Data Backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser User Data Backup Folder — collected by KAPE PrismaAccessBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PrismaAccessBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
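/// Puffin Secure Browser `data.db` (upstream: "Grabs an important database file that contains
/// browser history").
// NOTE(review): the generator appears to have joined the target's directory
// (`...\Local\PuffinSecureBrowser`) and file mask (`data.db`) without a separator, producing
// `PuffinSecureBrowserdata.db`, a path that never matches; compare the `image_cache` entry of the
// same target, whose path does carry the separator. Corrected here; the `id` derived from the broken
// join is kept for stability. Fix the join in `ingest` so regeneration does not reintroduce this.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERDATA_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowserdata_db",
name: "Puffin - data.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\data.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs an important database file that contains browser history\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};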
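/// Puffin Secure Browser `autocompletes.dat` (upstream: "Grabs a file that stores autocomplete
/// data"). Autocomplete entries preserve text the user typed into forms/address bar and may
/// contain PII; format is undocumented in the source.
// NOTE(review): directory and file mask were joined without a separator by the generator
// (`PuffinSecureBrowserautocompletes.dat`); corrected to `PuffinSecureBrowser\autocompletes.dat`,
// `id` kept. Fix the join in `ingest`.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERAUTOCOMPLETES_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowserautocompletes_dat",
name: "Puffin - Autocomplete Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\autocompletes.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a file that stores autocomplete data\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};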
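/// Puffin Secure Browser `passwordForms.dat` (upstream: "Grabs a file that stores some saved
/// password data"). Handle the collected file as credential material.
// NOTE(review): two corrections. (1) The generator joined directory and file mask without a
// separator (`PuffinSecureBrowserpasswordForms.dat`); fixed to `PuffinSecureBrowser\passwordForms.dat`,
// `id` kept — fix the join in `ingest`. (2) The previous caveats ("key in OS credential store",
// "timestamp shows last use") are not supported by the upstream target, which says nothing about
// the file's format or encryption; they read like a template copied from a Chromium entry and are
// replaced with caveats that only state what the source supports. `Definitive` is also a strong
// claim for an opaque file — definitive of credential *storage* at most, never of credential use.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERPASSWORDFORMS_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowserpasswordforms_dat",
name: "Puffin - Password Forms Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\passwordForms.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a file that stores some saved password data\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Upstream target only states that the file holds 'some saved password data'; its format and whether values are encrypted are not documented in the source — establish both before interpreting contents.",
"A stored credential shows the browser saved it, not that it was used; correlate with browsing records for activity. Treat the collected file as credential material.",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};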
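/// Puffin Secure Browser `credential.dat` (upstream: "Grabs a file that stores passwords in an
/// encrypted format"). Handle the collected file as credential material.
// NOTE(review): two corrections. (1) The generator joined directory and file mask without a
// separator (`PuffinSecureBrowsercredential.dat`); fixed to `PuffinSecureBrowser\credential.dat`,
// `id` kept — fix the join in `ingest`. (2) The previous caveat ("Browser-saved form passwords;
// check timestamp against incident window") belonged, if anywhere, to the `passwordForms.dat`
// entry; the two templated caveats looked swapped. Replaced with caveats that state only what the
// upstream target supports. `Definitive` is at most definitive of credential *storage*, not of use.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCREDENTIAL_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowsercredential_dat",
name: "Puffin - Password (Encrypted)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\credential.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a file that stores passwords in an encrypted format\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Upstream target states passwords are stored encrypted; the key location and scheme are not documented in the source, so an offline decryption method must be established separately.",
"The file's modification time reflects the last write to the store, not the last use of any credential; correlate with browsing records for activity.",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Browser credential file persists until app data deletion",
};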
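/// Puffin Secure Browser `subscription` file (upstream: "Grabs a file that stores the user's email
/// address that's associated with their Puffin subscription"). Useful for attributing the profile
/// to an account holder; it is PII, not an activity record.
// NOTE(review): directory and file mask were joined without a separator by the generator
// (`PuffinSecureBrowsersubscription`); corrected to `PuffinSecureBrowser\subscription`, `id` kept.
// Fix the join in `ingest`.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERSUBSCRIPTION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowsersubscription",
name: "Puffin - Subscription Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\subscription"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a file that stores the user's email address that's associated with their Puffin subscription\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};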
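/// Puffin Secure Browser `cookies.dat` (upstream: "Grabs a file that stores information related
/// to cookies"). Cookies are live session tokens — handle the collected file as credential
/// material; the storage format and any encryption are not documented in the source.
// NOTE(review): directory and file mask were joined without a separator by the generator
// (`PuffinSecureBrowsercookies.dat`); corrected to `PuffinSecureBrowser\cookies.dat`, `id` kept.
// Fix the join in `ingest`.
pub(crate) static KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCOOKIES_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_puffinsecurebrowsercookies_dat",
name: "Puffin - Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\cookies.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a file that stores information related to cookies\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};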
/// Puffin Secure Browser `image_cache` directory (upstream: "Grabs a directory that caches images
/// from websites visited"). Cached images can corroborate visits and show page content that no
/// longer exists online, but cache entries carry no guarantee of user intent (pre-fetched or
/// embedded third-party images land here too). This entry's path carries the `\` separator that
/// the other Puffin entries of this target lost in generation.
pub(crate) static KAPE_FILE_PUFFINSECUREBROWSER_IMAGE_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_puffinsecurebrowser_image_cache",
name: "Puffin - Image Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\PuffinSecureBrowser\\image_cache"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs a directory that caches images from websites visited\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PuffinSecureBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Bookmarks*` files under QQ Browser's
/// `User Data` directory (the `*` segment matches each profile).
pub(crate) static KAPE_FILE_BOOKMARKS_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarks_14",
    name: "QQ Browser Bookmarks",
    meaning: "QQ Browser Bookmarks — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Cookies*` files under QQ Browser's
/// `User Data` directory.
///
/// Cookie stores carry session material; the same target also pulls the user's
/// `Protect` folder (`kape_file_protect_14`) for offline decryption, so the
/// collected set should be handled as sensitive evidence.
pub(crate) static KAPE_FILE_COOKIES_10: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_10",
    name: "QQ Browser Cookies",
    meaning: "QQ Browser Cookies — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Current Session` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_CURRENT_SESSION_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_session_14",
    name: "QQ Browser Current Session",
    meaning: "QQ Browser Current Session — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Current Tabs` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_CURRENT_TABS_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_tabs_14",
    name: "QQ Browser Current Tabs",
    meaning: "QQ Browser Current Tabs — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `DownloadMetadata` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_10: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloadmetadata_10",
    name: "QQ Browser Download Metadata",
    meaning: "QQ Browser Download Metadata — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\DownloadMetadata"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Extension Cookies` store under QQ
/// Browser's `User Data` directory. Like the main cookie store, it may hold
/// session material and should be handled as sensitive evidence.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_extension_cookies_13",
    name: "QQ Browser Extension Cookies",
    meaning: "QQ Browser Extension Cookies — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Extension Cookies"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Favicons*` files under QQ Browser's
/// `User Data` directory.
pub(crate) static KAPE_FILE_FAVICONS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_favicons_15",
    name: "QQ Browser Favicons",
    meaning: "QQ Browser Favicons — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Favicons*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `History*` files under QQ Browser's
/// `User Data` directory.
pub(crate) static KAPE_FILE_HISTORY_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_15",
    name: "QQ Browser History",
    meaning: "QQ Browser History — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Last Session` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_LAST_SESSION_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_session_13",
    name: "QQ Browser Last Session",
    meaning: "QQ Browser Last Session — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Last Session"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Last Tabs` file under QQ Browser's
/// `User Data` directory.
pub(crate) static KAPE_FILE_LAST_TABS_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_tabs_13",
    name: "QQ Browser Last Tabs",
    meaning: "QQ Browser Last Tabs — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Last Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Sessions\` directory under QQ
/// Browser's `User Data` directory (trailing separator: a folder, not a file).
pub(crate) static KAPE_FILE_SESSIONS_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_14",
    name: "QQ Browser Sessions Folder",
    meaning: "QQ Browser Sessions Folder — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Sessions\\"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Login Data*` files under QQ Browser's
/// `User Data` directory.
///
/// This is the browser's saved-credential store. The same target collects the
/// user's `Protect` folder (`kape_file_protect_14`, "Required for offline
/// decryption"), which is what makes the stored secrets recoverable offline —
/// treat both as credential material in evidence handling. `evidence_caveats`
/// is empty; a caveat to that effect would help consumers of this descriptor.
pub(crate) static KAPE_FILE_LOGIN_DATA_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_15",
    name: "QQ Browser Login Data",
    meaning: "QQ Browser Login Data — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Login Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Media History*` files under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_media_history_13",
    name: "QQ Browser Media History",
    meaning: "QQ Browser Media History — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Media History*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Network Action Predictor` file
/// under QQ Browser's `User Data` directory.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_15",
    name: "QQ Browser Network Action Predictor",
    meaning: "QQ Browser Network Action Predictor — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Network Action Predictor"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Network Persistent State` file
/// under QQ Browser's `User Data` directory.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_14",
    name: "QQ Browser Network Persistent State",
    meaning: "QQ Browser Network Persistent State — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Network Persistent State"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Preferences` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_PREFERENCES_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_15",
    name: "QQ Browser Preferences",
    meaning: "QQ Browser Preferences — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Preferences"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `QuotaManager` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_QUOTAMANAGER_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_quotamanager_14",
    name: "QQ Browser Quota Manager",
    meaning: "QQ Browser Quota Manager — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\QuotaManager"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Reporting and NEL` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_14",
    name: "QQ Browser Reporting and NEL",
    meaning: "QQ Browser Reporting and NEL — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Reporting and NEL"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Shortcuts*` files under QQ Browser's
/// `User Data` directory.
pub(crate) static KAPE_FILE_SHORTCUTS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_15",
    name: "QQ Browser Shortcuts",
    meaning: "QQ Browser Shortcuts — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Shortcuts*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Top Sites*` files under QQ Browser's
/// `User Data` directory.
pub(crate) static KAPE_FILE_TOP_SITES_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_15",
    name: "QQ Browser Top Sites",
    meaning: "QQ Browser Top Sites — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Top Sites*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Trust Tokens*` files under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_TRUST_TOKENS_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_13",
    name: "QQ Browser Trust Tokens",
    meaning: "QQ Browser Trust Tokens — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Trust Tokens*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Sync Data` database under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_SYNC_DATA_4: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sync_data_4",
    name: "QQ Browser SyncData Database",
    meaning: "QQ Browser SyncData Database — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Sync Data"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the per-profile `Visited Links` file under QQ
/// Browser's `User Data` directory.
pub(crate) static KAPE_FILE_VISITED_LINKS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_15",
    name: "QQ Browser Visited Links",
    meaning: "QQ Browser Visited Links — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Visited Links"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: per-profile `Web Data*` files under QQ Browser's
/// `User Data` directory. In Chromium-family browsers this store typically
/// holds autofill data, which can include personal and payment details —
/// handle the collected copy accordingly.
pub(crate) static KAPE_FILE_WEB_DATA_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_15",
    name: "QQ Browser Web Data",
    meaning: "QQ Browser Web Data — collected by KAPE QQBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\*\\Web Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the user's `%AppData%\Microsoft\Protect\*\`
/// directory, which the target comment says is "Required for offline
/// decryption" of the browser's protected stores.
///
/// NOTE(review): this is the per-user DPAPI master-key directory, so the
/// collected copy is key material that protects every DPAPI secret of that
/// user, not only QQ Browser's. Treat it as credential material in evidence
/// handling (restricted access, encryption at rest, chain of custody). The
/// empty `evidence_caveats` and the `Low` triage priority do not convey that;
/// the generic name "Windows Protect Folder" also hides the fact that this
/// entry comes from a browser target. The `meaning` text keeps the quoting the
/// ingest produced.
pub(crate) static KAPE_FILE_PROTECT_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protect_14",
    name: "Windows Protect Folder",
    meaning: "\"Required for offline decryption\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `QQBrowser.tkape`: the `User Data\Snapshots\*\` tree, which the target
/// comment describes as version-numbered snapshots of QQ Browser's SQLite DBs.
/// Worth checking alongside the live per-profile files: a snapshot may retain
/// history, cookie or credential rows already purged from the current DB.
pub(crate) static KAPE_FILE_SNAPSHOTS_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_snapshots_13",
    name: "QQ Browser Snapshots Folder",
    meaning: "\"Grabs folder that appears to have snapshots of QQ Browser SQLite DBs organized by version #.\"",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QQBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\Snapshots\\*\\"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: per-profile `Bookmarks*` files under the pre-Vista
/// (`Documents and Settings\...\Application Data`) profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` while the name says "XP" and
/// the path uses the XP-era layout — confirm the intended `OsScope` variant and
/// whether the ingest maps the "XP" suffix. Applies to every Supermium "XP" entry.
pub(crate) static KAPE_FILE_BOOKMARKS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarks_15",
    name: "Supermium Bookmarks XP",
    meaning: "Supermium Bookmarks XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: per-profile `Cookies*` files under the pre-Vista
/// profile layout. Cookie stores carry session material — handle the collected
/// copy as sensitive evidence.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_COOKIES_11: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_11",
    name: "Supermium Cookies XP",
    meaning: "Supermium Cookies XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Current Session` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_CURRENT_SESSION_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_session_15",
    name: "Supermium Current Session XP",
    meaning: "Supermium Current Session XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Current Tabs` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_CURRENT_TABS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_tabs_15",
    name: "Supermium Current Tabs XP",
    meaning: "Supermium Current Tabs XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: per-profile `Favicons*` files under the pre-Vista
/// profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_FAVICONS_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_favicons_16",
    name: "Supermium Favicons XP",
    meaning: "Supermium Favicons XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Favicons*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: per-profile `History*` files under the pre-Vista
/// profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_HISTORY_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_16",
    name: "Supermium History XP",
    meaning: "Supermium History XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Last Session` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_LAST_SESSION_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_session_14",
    name: "Supermium Last Session XP",
    meaning: "Supermium Last Session XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Last Session"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Last Tabs` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_LAST_TABS_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_tabs_14",
    name: "Supermium Last Tabs XP",
    meaning: "Supermium Last Tabs XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Last Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Sessions\` directory under the
/// pre-Vista profile layout (trailing separator: a folder, not a file).
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_SESSIONS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_15",
    name: "Supermium Sessions Folder XP",
    meaning: "Supermium Sessions Folder XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Sessions\\"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Network Action Predictor` file
/// under the pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_16",
    name: "Supermium Network Action Predictor XP",
    meaning: "Supermium Network Action Predictor XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Network Action Predictor"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Network Persistent State` file
/// under the pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_15",
    name: "Supermium Network Persistent State XP",
    meaning: "Supermium Network Persistent State XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Network Persistent State"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: per-profile `Login Data*` files (the browser's
/// saved-credential store) under the pre-Vista profile layout. Treat the
/// collected copy as credential material.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
/// Also note the priority is `Low` here while the QQ Browser `Login Data` entry
/// in this file is `Medium`; presumably the ingest took it from the target.
pub(crate) static KAPE_FILE_LOGIN_DATA_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_16",
    name: "Supermium Login Data XP",
    meaning: "Supermium Login Data XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Login Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Preferences` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_PREFERENCES_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_16",
    name: "Supermium Preferences XP",
    meaning: "Supermium Preferences XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Preferences"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium.tkape`: the per-profile `Reporting and NEL` file under the
/// pre-Vista profile layout.
///
/// TODO(review): `os_scope` is `OsScope::Win7Plus` for an XP-layout path — confirm.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_15",
    name: "Supermium Reporting and NEL XP",
    meaning: "Supermium Reporting and NEL XP — collected by KAPE Supermium target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Reporting and NEL"),
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    related_artifacts: &[],
    fields: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `Supermium` target — `Trust Tokens*` files under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
pub(crate) static KAPE_FILE_TRUST_TOKENS_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_14",
name: "Supermium Trust Tokens XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Trust Tokens XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Sync Data` store under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
/// The `_5` suffix (vs `_14`..`_16` on neighbouring entries) suggests fewer targets
/// collect this file name; it is a disambiguator, not a version.
pub(crate) static KAPE_FILE_SYNC_DATA_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_data_5",
name: "Supermium SyncData Database XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Sync Data",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium SyncData Database XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Shortcuts*` files under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
pub(crate) static KAPE_FILE_SHORTCUTS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_16",
name: "Supermium Shortcuts XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Shortcuts XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Top Sites*` files under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
pub(crate) static KAPE_FILE_TOP_SITES_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_16",
name: "Supermium Top Sites XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Top Sites XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Visited Links` file under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
pub(crate) static KAPE_FILE_VISITED_LINKS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_16",
name: "Supermium Visited Links XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Visited Links XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Web Data*` files under the pre-Vista
/// (`Documents and Settings`) profile root.
///
/// NOTE(review): XP-era name/path but `os_scope: OsScope::Win7Plus`; the generator
/// seems to default this field — confirm whether a pre-Win7 scope should be emitted.
/// In Chromium-family browsers `Web Data` holds autofill entries (may include saved
/// payment data) — treat collected copies as sensitive.
pub(crate) static KAPE_FILE_WEB_DATA_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_16",
name: "Supermium Web Data XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Documents and Settings\\%user%\\Application Data\\Supermium\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Web Data XP — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Bookmarks*` files under `%LocalAppData%\Supermium\User
/// Data\<profile>\` for each user (the `*` path segment presumably matches each
/// browser profile directory).
pub(crate) static KAPE_FILE_SUPERMIUM_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_bookmarks",
name: "Supermium Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Bookmarks — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Cookies*` files under each user's Supermium profile.
///
/// Rated `TriagePriority::Medium`, one of the few Supermium entries above `Low`.
/// A cookie store carries live session material; collected copies should be handled
/// under the same evidence controls as credentials.
pub(crate) static KAPE_FILE_SUPERMIUM_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_cookies",
name: "Supermium Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Cookies — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Current Session` file.
///
/// NOTE(review): the `id` (`kape_file_supermium_current_se`) appears truncated to
/// 30 characters by the generator; the full name survives in `name`. Keep the
/// truncation stable or downstream references to this id will break.
pub(crate) static KAPE_FILE_SUPERMIUM_CURRENT_SE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_current_se",
name: "Supermium Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Current Session — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Current Tabs` file.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._current_ta`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_CURRENT_TA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_current_ta",
name: "Supermium Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Current Tabs — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `DownloadMetadata` file.
///
/// Rated `TriagePriority::Medium`: download records are a common pivot when tracing
/// how a file arrived on the host.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_11",
name: "Supermium Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\DownloadMetadata"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Download Metadata — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Extension Cookies` store.
///
/// Rated `TriagePriority::Medium` like the main `Cookies` entry; same handling
/// caveat applies — the store may contain live session material.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_14",
name: "Supermium Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Extension Cookies — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Favicons*` files under each user's Supermium profile.
pub(crate) static KAPE_FILE_SUPERMIUM_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_favicons",
name: "Supermium Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Favicons — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `History*` files under each user's Supermium profile.
///
/// Rated `TriagePriority::Medium`; browsing history is a primary timeline source.
pub(crate) static KAPE_FILE_SUPERMIUM_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_history",
name: "Supermium History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium History — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Last Session` file.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._last_sessi`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_LAST_SESSI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_last_sessi",
name: "Supermium Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Last Session — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Last Tabs` file.
pub(crate) static KAPE_FILE_SUPERMIUM_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_last_tabs",
name: "Supermium Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Last Tabs — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Sessions\` directory.
///
/// The trailing `\` marks a directory target rather than a file glob, unlike the
/// sibling entries. NOTE(review): `id` appears truncated to 30 characters
/// (`..._sessions_f`); the full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_SESSIONS_F: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_sessions_f",
name: "Supermium Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Sessions Folder — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Login Data*` files under each user's Supermium profile.
///
/// NOTE(review): in Chromium-family browsers `Login Data` is the saved-credential
/// database, so a collected copy is sensitive evidence. `TriagePriority::Low` looks
/// inconsistent with the `Medium` assigned to the Cookies/History entries of the same
/// target — confirm the intended rating. The `id` is exactly 30 characters and may be
/// sitting at the generator's truncation limit.
pub(crate) static KAPE_FILE_SUPERMIUM_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_login_data",
name: "Supermium Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Login Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Login Data — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Media History*` files under each user's Supermium
/// profile. Rated `TriagePriority::Medium`, in line with the main `History` entry.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_14",
name: "Supermium Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Media History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Media History — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Network Action Predictor` database.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._network_ac`), which
/// also makes it easy to confuse with the `Network Persistent State` entry
/// (`..._network_pe`); the full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_NETWORK_AC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_network_ac",
name: "Supermium Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Network Action Predictor — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Network Persistent State` file.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._network_pe`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_NETWORK_PE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_network_pe",
name: "Supermium Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Network Persistent State — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Preferences` file (exact name, no glob).
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._preference`, missing
/// the final `s`); the full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_PREFERENCE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_preference",
name: "Supermium Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Preferences — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `QuotaManager` database.
pub(crate) static KAPE_FILE_QUOTAMANAGER_15: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_15",
name: "Supermium Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\QuotaManager"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Quota Manager — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Reporting and NEL` store.
///
/// NOTE(review): `id` appears truncated by the generator (`..._reporting`, with the
/// `_and_nel` tail dropped); the full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_REPORTING: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_reporting",
name: "Supermium Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Reporting and NEL — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Shortcuts*` files under each user's Supermium profile.
pub(crate) static KAPE_FILE_SUPERMIUM_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_shortcuts",
name: "Supermium Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Shortcuts — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Top Sites*` files under each user's Supermium profile.
pub(crate) static KAPE_FILE_SUPERMIUM_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_top_sites",
name: "Supermium Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Top Sites — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Trust Tokens*` files under each user's Supermium profile.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._trust_toke`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_TRUST_TOKE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_trust_toke",
name: "Supermium Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Trust Tokens — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Sync Data` store.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._syncdata_d`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_SYNCDATA_D: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_syncdata_d",
name: "Supermium SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Sync Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium SyncData Database — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the per-profile `Visited Links` file.
///
/// NOTE(review): `id` appears truncated to 30 characters (`..._visited_li`); the
/// full name is only recoverable from `name`.
pub(crate) static KAPE_FILE_SUPERMIUM_VISITED_LI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_visited_li",
name: "Supermium Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Visited Links — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `Web Data*` files under each user's Supermium profile.
///
/// In Chromium-family browsers `Web Data` holds autofill entries (possibly saved
/// payment data) — treat collected copies as sensitive.
pub(crate) static KAPE_FILE_SUPERMIUM_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_web_data",
name: "Supermium Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium Web Data — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `%AppData%\Roaming\Microsoft\Protect\<SID>\` directory, pulled in by the
/// KAPE `Supermium` target (see `sources`) rather than being Supermium-specific.
///
/// NOTE(review): `meaning` is the tkape comment copied verbatim, including its
/// surrounding double quotes (`"\"Required for offline decryption\""`) — a generator
/// artifact that should be stripped at ingest, not here. That comment refers to the
/// DPAPI master keys stored in this folder, which are needed to decrypt the browser's
/// protected data offline; a collected copy is credential material and should be
/// stored and shared under the same controls as credentials. `TriagePriority::Low`
/// is worth re-examining for that reason. The `_15` suffix suggests many browser
/// targets emit this same entry.
pub(crate) static KAPE_FILE_PROTECT_15: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_15",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — the `User Data\Snapshots\<version>\` directories.
///
/// Note the path differs from the sibling entries: the wildcard sits *under*
/// `Snapshots`, not at the profile level, and the trailing `\` marks a directory
/// target. NOTE(review): `meaning` is the tkape comment copied verbatim including its
/// surrounding double quotes — a generator artifact to strip at ingest. Per that
/// comment, the snapshots hold earlier copies of the profile databases, so they can
/// recover history/credential data a user has since cleared — same handling caveats
/// as the live `Login Data`/`Cookies` entries.
pub(crate) static KAPE_FILE_SNAPSHOTS_14: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_14",
name: "Supermium Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Supermium\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of Supermium SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Supermium` target — `History*` files under the LocalSystem profile
/// (`C:\Windows\system32\config\systemprofile\...`) rather than a user profile.
///
/// Browser history existing under the SYSTEM account at all is unusual and is the
/// reason this variant is worth its `TriagePriority::Medium`: it points at a browser
/// (or browser-embedding component) having run as LocalSystem. NOTE(review): `id`
/// appears truncated to 30 characters (`..._supermium_his`); the full name is only
/// recoverable from `name`.
pub(crate) static KAPE_FILE_SYSTEM_SUPERMIUM_HIS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_supermium_his",
name: "SYSTEM Supermium History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Supermium\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM Supermium History — collected by KAPE Supermium target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Supermium.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — `Bookmarks*` files under each user's UCBrowser profile.
///
/// Unlike the Supermium entries the data root is globbed as `User Data*`, presumably
/// because UCBrowser has used more than one root directory name; the second `*` is
/// the profile directory. Every UCBrowser entry in this target is rated `Medium`.
pub(crate) static KAPE_FILE_BOOKMARKS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_16",
name: "UCBrowser Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Bookmarks — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — `Cookies*` files under each user's UCBrowser profile
/// (`User Data*` root glob, then per-profile `*`).
///
/// A cookie store carries live session material; collected copies should be handled
/// under the same evidence controls as credentials.
pub(crate) static KAPE_FILE_COOKIES_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_12",
name: "UCBrowser Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Cookies — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — the per-profile `Current Session` file
/// (`User Data*` root glob, then per-profile `*`).
pub(crate) static KAPE_FILE_CURRENT_SESSION_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_16",
name: "UCBrowser Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Current Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Current Session — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — the per-profile `Current Tabs` file
/// (`User Data*` root glob, then per-profile `*`).
pub(crate) static KAPE_FILE_CURRENT_TABS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_16",
name: "UCBrowser Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Current Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Current Tabs — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — the per-profile `DownloadMetadata` file
/// (`User Data*` root glob, then per-profile `*`). Download records are a common
/// pivot when tracing how a file arrived on the host.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloadmetadata_12",
name: "UCBrowser Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\DownloadMetadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Download Metadata — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — the per-profile `Extension Cookies` store
/// (`User Data*` root glob, then per-profile `*`). Same handling caveat as the main
/// `Cookies` entry: may contain live session material.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_15: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_15",
name: "UCBrowser Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Extension Cookies — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UCBrowser` target — `Favicons*` files under each user's UCBrowser profile
/// (`User Data*` root glob, then per-profile `*`).
pub(crate) static KAPE_FILE_FAVICONS_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_17",
name: "UCBrowser Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser Favicons — collected by KAPE UCBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// UCBrowser `History*` files, as collected by the KAPE `UCBrowser` target.
/// Matched per profile under `User Data*\*`; Medium triage priority.
pub(crate) static KAPE_FILE_HISTORY_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_17",
    name: "UCBrowser History",
    meaning: "UCBrowser History — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Last Session` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match (no wildcard) per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_LAST_SESSION_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_session_15",
    name: "UCBrowser Last Session",
    meaning: "UCBrowser Last Session — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Last Session"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Last Tabs` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_LAST_TABS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_last_tabs_15",
    name: "UCBrowser Last Tabs",
    meaning: "UCBrowser Last Tabs — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Last Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Sessions\` directory, as collected by the KAPE `UCBrowser` target.
/// The trailing backslash marks a folder target rather than a single file.
pub(crate) static KAPE_FILE_SESSIONS_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_16",
    name: "UCBrowser Sessions Folder",
    meaning: "UCBrowser Sessions Folder — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Sessions\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Login Data*` store, as collected by the KAPE `UCBrowser` target.
/// NOTE(review): this is a credential store — handle the collected copy as sensitive.
/// The same target also collects the user's `Microsoft\Protect` folder
/// (`kape_file_protect_16`, "required for offline decryption"), which suggests the
/// stored secrets are not readable without that material; confirm before relying on it.
pub(crate) static KAPE_FILE_LOGIN_DATA_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_17",
    name: "UCBrowser Login Data",
    meaning: "UCBrowser Login Data — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Login Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Media History*` files, as collected by the KAPE `UCBrowser` target.
/// Matched per profile under `User Data*\*`; Medium triage priority.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_media_history_15",
    name: "UCBrowser Media History",
    meaning: "UCBrowser Media History — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Media History*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Network Action Predictor` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_17",
    name: "UCBrowser Network Action Predictor",
    meaning: "UCBrowser Network Action Predictor — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Network Action Predictor"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Network Persistent State` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_16",
    name: "UCBrowser Network Persistent State",
    meaning: "UCBrowser Network Persistent State — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Network Persistent State"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Preferences` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_PREFERENCES_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_17",
    name: "UCBrowser Preferences",
    meaning: "UCBrowser Preferences — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Preferences"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `QuotaManager` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_QUOTAMANAGER_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_quotamanager_16",
    name: "UCBrowser Quota Manager",
    meaning: "UCBrowser Quota Manager — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\QuotaManager"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Reporting and NEL` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_reporting_and_nel_16",
    name: "UCBrowser Reporting and NEL",
    meaning: "UCBrowser Reporting and NEL — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Reporting and NEL"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Shortcuts*` files, as collected by the KAPE `UCBrowser` target.
/// Matched per profile under `User Data*\*`; Medium triage priority.
pub(crate) static KAPE_FILE_SHORTCUTS_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_17",
    name: "UCBrowser Shortcuts",
    meaning: "UCBrowser Shortcuts — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Shortcuts*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Top Sites*` files, as collected by the KAPE `UCBrowser` target.
/// Matched per profile under `User Data*\*`; Medium triage priority.
pub(crate) static KAPE_FILE_TOP_SITES_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_17",
    name: "UCBrowser Top Sites",
    meaning: "UCBrowser Top Sites — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Top Sites*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Trust Tokens*` files, as collected by the KAPE `UCBrowser` target.
/// Matched per profile under `User Data*\*`; Medium triage priority.
pub(crate) static KAPE_FILE_TRUST_TOKENS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_15",
    name: "UCBrowser Trust Tokens",
    meaning: "UCBrowser Trust Tokens — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Trust Tokens*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Sync Data` entry, as collected by the KAPE `UCBrowser` target.
/// NOTE(review): the path has no trailing backslash or wildcard although the name says
/// "Database" — whether this matches a file or a folder depends on the upstream target; verify.
pub(crate) static KAPE_FILE_SYNC_DATA_6: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sync_data_6",
    name: "UCBrowser SyncData Database",
    meaning: "UCBrowser SyncData Database — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Sync Data"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Visited Links` file, as collected by the KAPE `UCBrowser` target.
/// Exact filename match per profile under `User Data*\*`.
pub(crate) static KAPE_FILE_VISITED_LINKS_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_17",
    name: "UCBrowser Visited Links",
    meaning: "UCBrowser Visited Links — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Visited Links"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// UCBrowser `Web Data*` files, as collected by the KAPE `UCBrowser` target.
/// NOTE(review): browser "Web Data" stores commonly hold form-fill/autofill content —
/// treat the collected copy as potentially sensitive personal data.
pub(crate) static KAPE_FILE_WEB_DATA_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_17",
    name: "UCBrowser Web Data",
    meaning: "UCBrowser Web Data — collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\*\\Web Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
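/// Per-user `AppData\Roaming\Microsoft\Protect\*\` folder, pulled in by the KAPE
/// `UCBrowser` target with the upstream comment "Required for offline decryption".
///
/// Fix: the ingest pipeline copied the tkape comment together with its surrounding
/// double quotes, so `meaning` rendered as `"Required for offline decryption"` (literal
/// quotes included) and did not follow the `<what> — <provenance>` shape of the other
/// entries. The text is now unquoted and carries the target attribution.
///
/// NOTE(review): this folder is collected so that encrypted browser data from the same
/// target (e.g. `kape_file_login_data_17`) can be decrypted offline; that makes it key
/// material rather than ordinary evidence. Store and share the collected copy under the
/// same controls as credentials, and revisit whether `TriagePriority::Low` is appropriate
/// given that the Login Data it unlocks is Medium — confirm against the upstream target.
pub(crate) static KAPE_FILE_PROTECT_16: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protect_16",
    name: "Windows Protect Folder",
    meaning: "Windows Protect Folder — required for offline decryption; collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};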
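/// UCBrowser `User Data*\Snapshots\*\` directories, as collected by the KAPE
/// `UCBrowser` target. Note the path sits one level above the per-profile entries:
/// `Snapshots` is directly under `User Data*`, with one subfolder per snapshot.
///
/// Fix: the ingest pipeline copied the tkape comment together with its surrounding
/// double quotes, so `meaning` began and ended with a literal `"`. The text is now
/// unquoted, keeps the upstream author's own hedge ("appears to"), and carries the
/// target attribution like the neighbouring entries.
pub(crate) static KAPE_FILE_SNAPSHOTS_15: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_snapshots_15",
    name: "UCBrowser Snapshots Folder",
    meaning: "UCBrowser Snapshots Folder — appears to hold snapshots of UCBrowser SQLite DBs organized by version number; collected by KAPE UCBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UCBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\UCBrowser\\User Data*\\Snapshots\\*\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};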
/// Vivaldi `Cookies*` store, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`.
/// NOTE(review): cookie stores are session material — treat the collected copy as sensitive.
pub(crate) static KAPE_FILE_COOKIES_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_13",
    name: "Vivaldi Cookies",
    meaning: "Vivaldi Cookies — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Network Persistent State` file, as collected by the KAPE `Vivaldi` target.
/// Exact filename match per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_persistent_state_17",
    name: "Vivaldi Network Persistent State",
    meaning: "Vivaldi Network Persistent State — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Network Persistent State"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Favicons*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_FAVICONS_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_favicons_18",
    name: "Vivaldi Favicons",
    meaning: "Vivaldi Favicons — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Favicons*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `History*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Medium triage priority.
pub(crate) static KAPE_FILE_HISTORY_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_history_18",
    name: "Vivaldi History",
    meaning: "Vivaldi History — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Sessions\` directory, as collected by the KAPE `Vivaldi` target.
/// The trailing backslash marks a folder target; Low triage priority.
pub(crate) static KAPE_FILE_SESSIONS_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sessions_17",
    name: "Vivaldi Sessions Folder",
    meaning: "Vivaldi Sessions Folder — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Sessions\\"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Login Data` store, as collected by the KAPE `Vivaldi` target.
/// Exact filename match (no trailing `*`, unlike the UCBrowser entry) per profile.
/// NOTE(review): this is a credential store — handle the collected copy as sensitive.
/// The Vivaldi target as listed here collects no `Microsoft\Protect` folder, so
/// offline decryption of the stored secrets may not be possible from this set alone; verify.
pub(crate) static KAPE_FILE_LOGIN_DATA_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_login_data_18",
    name: "Vivaldi Login Data",
    meaning: "Vivaldi Login Data — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Login Data"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Network Action Predictor` file, as collected by the KAPE `Vivaldi` target.
/// Exact filename match per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_network_action_predictor_18",
    name: "Vivaldi Network Action Predictor",
    meaning: "Vivaldi Network Action Predictor — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Network Action Predictor"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Preferences` file, as collected by the KAPE `Vivaldi` target.
/// Exact filename match per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_PREFERENCES_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_preferences_18",
    name: "Vivaldi Preferences",
    meaning: "Vivaldi Preferences — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Preferences"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Top Sites*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_TOP_SITES_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_18",
    name: "Vivaldi Top Sites",
    meaning: "Vivaldi Top Sites — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Top Sites*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Bookmarks*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_BOOKMARKS_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarks_17",
    name: "Vivaldi Bookmarks",
    meaning: "Vivaldi Bookmarks — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Visited Links` file, as collected by the KAPE `Vivaldi` target.
/// Exact filename match per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_VISITED_LINKS_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_18",
    name: "Vivaldi Visited Links",
    meaning: "Vivaldi Visited Links — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Visited Links"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Web Data*` files, as collected by the KAPE `Vivaldi` target.
/// NOTE(review): browser "Web Data" stores commonly hold form-fill/autofill content —
/// treat the collected copy as potentially sensitive personal data.
pub(crate) static KAPE_FILE_WEB_DATA_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_18",
    name: "Vivaldi Web Data",
    meaning: "Vivaldi Web Data — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Web Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `.vivaldi_reporting_data*` files in the user's profile root, as collected by
/// the KAPE `Vivaldi` target. Unlike the other Vivaldi entries this does not live under
/// `AppData\Local\Vivaldi\User Data`; Low triage priority.
pub(crate) static KAPE_FILE_USER_VIVALDI_REPORTING_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_user_vivaldi_reporting_data",
    name: "Vivaldi User Tracking",
    meaning: "Vivaldi User Tracking — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\.vivaldi_reporting_data*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Calendar*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_CALENDAR: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_calendar",
    name: "Vivaldi Calendar",
    meaning: "Vivaldi Calendar — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Calendar*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Contacts*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
/// NOTE(review): contact data is personal information — handle the collected copy accordingly.
pub(crate) static KAPE_FILE_CONTACTS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_contacts",
    name: "Vivaldi Contacts",
    meaning: "Vivaldi Contacts — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Contacts*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `Notes*` files, as collected by the KAPE `Vivaldi` target.
/// Matched per profile under `User Data\*`; Low triage priority.
pub(crate) static KAPE_FILE_NOTES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_notes",
    name: "Vivaldi Notes",
    meaning: "Vivaldi Notes — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\Notes*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Low,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Vivaldi `DownloadMetadata*` files, as collected by the KAPE `Vivaldi` target.
/// Note the trailing `*` here, which the UCBrowser and WaveBrowser entries do not carry.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloadmetadata_13",
    name: "Vivaldi Download Metadata",
    meaning: "Vivaldi Download Metadata — collected by KAPE Vivaldi target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Vivaldi.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Vivaldi\\User Data\\*\\DownloadMetadata*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser `Bookmarks*` files, as collected by the KAPE `WaveBrowser` target.
/// Matched per profile under `User Data\*`; Medium triage priority.
pub(crate) static KAPE_FILE_BOOKMARKS_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_bookmarks_18",
    name: "WaveBrowser bookmarks",
    meaning: "WaveBrowser bookmarks — collected by KAPE WaveBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser `Cookies*` store, as collected by the KAPE `WaveBrowser` target.
/// Matched per profile under `User Data\*`.
/// NOTE(review): cookie stores are session material — treat the collected copy as sensitive.
pub(crate) static KAPE_FILE_COOKIES_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cookies_14",
    name: "WaveBrowser Cookies",
    meaning: "WaveBrowser Cookies — collected by KAPE WaveBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser `Current Session` file, as collected by the KAPE `WaveBrowser` target.
/// Exact filename match per profile under `User Data\*`; Medium triage priority.
pub(crate) static KAPE_FILE_CURRENT_SESSION_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_session_17",
    name: "WaveBrowser Current Session",
    meaning: "WaveBrowser Current Session — collected by KAPE WaveBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser `Current Tabs` file, as collected by the KAPE `WaveBrowser` target.
/// Exact filename match per profile under `User Data\*`; Medium triage priority.
pub(crate) static KAPE_FILE_CURRENT_TABS_17: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_current_tabs_17",
    name: "WaveBrowser Current Tabs",
    meaning: "WaveBrowser Current Tabs — collected by KAPE WaveBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser `DownloadMetadata` file, as collected by the KAPE `WaveBrowser` target.
/// Exact filename match per profile under `User Data\*`; Medium triage priority.
pub(crate) static KAPE_FILE_DOWNLOADMETADATA_14: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_downloadmetadata_14",
    name: "WaveBrowser Download Metadata",
    meaning: "WaveBrowser Download Metadata — collected by KAPE WaveBrowser target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\DownloadMetadata"),
    hive: None,
    key_path: "",
    value_name: None,
    decoder: Decoder::Identity,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    triage_priority: TriagePriority::Medium,
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// WaveBrowser "Extension Cookies" file, per profile, copied verbatim by the
/// KAPE WaveBrowser target.
///
/// NOTE(review): a cookie store is likely to carry live session tokens; the
/// collected copy should be handled as sensitive evidence, not as plain metadata.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_16",
name: "WaveBrowser Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Extension Cookies — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Favicons*" files (the trailing `*` also picks up sidecar files
/// such as journals, if present), per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_FAVICONS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_19",
name: "WaveBrowser Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Favicons — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "History*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target. The SYSTEM-profile counterpart is
/// `KAPE_FILE_SYSTEM_WAVEBROWSER_H` further down.
pub(crate) static KAPE_FILE_HISTORY_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_19",
name: "WaveBrowser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser History — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Last Session" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_LAST_SESSION_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_16",
name: "WaveBrowser Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Last Session"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Last Session — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Last Tabs" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_LAST_TABS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_16",
name: "WaveBrowser Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Last Tabs — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Sessions" directory, per profile; the trailing `\\` marks a
/// directory collection rather than a single file. Copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_SESSIONS_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_18",
name: "WaveBrowser Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Sessions Folder — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Login Data" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
///
/// NOTE(review): by its name this is the browser's saved-credential store; the
/// collected copy should be handled as secret material. The Yandex equivalent
/// (`KAPE_FILE_YA_PASSMAN_DATA`) is rated `Low` while this one is `Medium` —
/// the two priorities look inconsistent and may warrant alignment.
pub(crate) static KAPE_FILE_LOGIN_DATA_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_19",
name: "WaveBrowser Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Login Data — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Media History*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_16",
name: "WaveBrowser Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Media History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Media History — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Network Action Predictor" file, per profile, copied verbatim by
/// the KAPE WaveBrowser target.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_19",
name: "WaveBrowser Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Network Action Predictor — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Network Persistent State" file, per profile, copied verbatim by
/// the KAPE WaveBrowser target.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_18",
name: "WaveBrowser Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Network Persistent State — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Preferences" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_PREFERENCES_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_19",
name: "WaveBrowser Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Preferences — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "QuotaManager" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_QUOTAMANAGER_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_17",
name: "WaveBrowser Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\QuotaManager"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Quota Manager — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Reporting and NEL" file, per profile, copied verbatim by the
/// KAPE WaveBrowser target.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_17",
name: "WaveBrowser Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Reporting and NEL — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Shortcuts*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_SHORTCUTS_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_18",
name: "WaveBrowser Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Shortcuts — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Top Sites*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_TOP_SITES_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_19",
name: "WaveBrowser Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Top Sites — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Trust Tokens*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_TRUST_TOKENS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_16",
name: "WaveBrowser Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Trust Tokens*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Trust Tokens — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser sync database, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
///
/// NOTE(review): the `file_path` reads `Sync DataSyncData.sqlite3` with no
/// separator between what look like a `Sync Data` directory and a
/// `SyncData.sqlite3` file name; the `id` also suggests two path components.
/// If a backslash was dropped during ingest, this pattern will never match and
/// the artifact is silently never collected — verify against the upstream
/// `.tkape` and fix in the ingest pipeline rather than here.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_11: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_11",
name: "WaveBrowser SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Sync DataSyncData.sqlite3",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser SyncData Database — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Visited Links" file, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
pub(crate) static KAPE_FILE_VISITED_LINKS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_19",
name: "WaveBrowser Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Visited Links"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Visited Links — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "Web Data*" files, per profile, copied verbatim by the KAPE
/// WaveBrowser target.
///
/// NOTE(review): by its name this is the autofill/form-data store and may
/// contain personal data; treat the collected copy accordingly.
pub(crate) static KAPE_FILE_WEB_DATA_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_19",
name: "WaveBrowser Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser Web Data — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user `Microsoft\Protect` directory (the `*` segment is presumably
/// the user's SID subfolder — confirm), pulled in by the WaveBrowser target;
/// the upstream comment "Required for offline decryption" indicates it is
/// collected so that DPAPI-protected browser data can be decrypted later.
///
/// NOTE(review): this is key material, not metadata. Anything collected under
/// this descriptor should be stored and transferred with the same controls as
/// credentials, and the `Low` triage priority should not be read as "low
/// sensitivity".
///
/// NOTE(review): `meaning` carries a pair of escaped double quotes copied from
/// the upstream comment; the same happens in `KAPE_FILE_SNAPSHOTS_16`. Strip
/// them in the ingest pipeline, not by hand-editing this generated file.
pub(crate) static KAPE_FILE_PROTECT_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protect_17",
name: "Windows Protect Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Protect\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Required for offline decryption\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser `User Data\Snapshots\<version>\` directories (note: this one is
/// *not* under the per-profile `*` like the other WaveBrowser entries), copied
/// verbatim by the KAPE WaveBrowser target. Per the upstream comment these are
/// versioned copies of the browser's SQLite databases, which makes them useful
/// when the live databases have been cleared or rotated.
///
/// NOTE(review): `meaning` carries escaped double quotes from the upstream
/// comment (see also `KAPE_FILE_PROTECT_17`); fix in the ingest pipeline.
pub(crate) static KAPE_FILE_SNAPSHOTS_16: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshots_16",
name: "WaveBrowser Snapshots Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\WaveBrowser\\User Data\\Snapshots\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs folder that appears to have snapshots of WaveBrowser SQLite DBs organized by version #.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WaveBrowser "History*" files under the SYSTEM account's profile directory
/// (`config\systemprofile`) rather than a user's `%user%` profile; copied
/// verbatim by the KAPE WaveBrowser target.
///
/// NOTE(review): an interactive browser profile under the SYSTEM profile is
/// unusual on its own — interactive browsers normally run as a logged-on
/// user — so the mere existence of this path during triage is worth recording,
/// independent of what the history contains.
///
/// The identifier suffix `_H` looks truncated by the ingest pipeline's naming
/// scheme; it is referenced elsewhere, so leave it as generated.
pub(crate) static KAPE_FILE_SYSTEM_WAVEBROWSER_H: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_wavebrowser_h",
name: "SYSTEM WaveBrowser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\WaveBrowser\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM WaveBrowser History — collected by KAPE WaveBrowser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WaveBrowser.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Cookies*" files, per profile (the `*` under `User Data`),
/// copied verbatim by the KAPE Yandex target.
///
/// NOTE(review): a cookie store is likely to carry live session tokens; handle
/// the collected copy as sensitive evidence.
pub(crate) static KAPE_FILE_COOKIES_15: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_15",
name: "Yandex Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Cookies*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Cookies — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Network Persistent State" file, per profile, copied verbatim
/// by the KAPE Yandex target. The WaveBrowser counterpart is rated `Medium`;
/// this one is `Low`.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_19",
name: "Yandex Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Network Persistent State"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Network Persistent State — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Favicons*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_FAVICONS_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_20",
name: "Yandex Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Favicons*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Favicons — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "History*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_HISTORY_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_20",
name: "Yandex History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex History — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Sessions" directory, per profile (trailing `\\` marks a
/// directory collection), copied verbatim by the KAPE Yandex target.
pub(crate) static KAPE_FILE_SESSIONS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_19",
name: "Yandex Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Sessions\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Sessions Folder — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Ya Passman Data*" files (Yandex's own password-manager
/// store, as the `name` "Yandex Login Data" indicates), per profile, copied
/// verbatim by the KAPE Yandex target.
///
/// NOTE(review): this is a saved-credential store; handle the collected copy as
/// secret material. Its `Low` priority is inconsistent with the WaveBrowser
/// "Login Data" entry (`Medium`) — consider aligning them.
pub(crate) static KAPE_FILE_YA_PASSMAN_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ya_passman_data",
name: "Yandex Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Ya Passman Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Login Data — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Network Action Predictor" file, per profile, copied verbatim
/// by the KAPE Yandex target.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_20",
name: "Yandex Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Network Action Predictor — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Preferences" file, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_PREFERENCES_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_20",
name: "Yandex Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Preferences — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Top Sites*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_TOP_SITES_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_top_sites_20",
name: "Yandex Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Top Sites*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Top Sites — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Bookmarks*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_BOOKMARKS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_19",
name: "Yandex Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Bookmarks*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Bookmarks — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Visited Links" file, per profile, copied verbatim by the
/// KAPE Yandex target.
pub(crate) static KAPE_FILE_VISITED_LINKS_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_visited_links_20",
name: "Yandex Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Visited Links — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Web Data*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
///
/// NOTE(review): by its name this is the autofill/form-data store and may
/// contain personal data; treat the collected copy accordingly.
pub(crate) static KAPE_FILE_WEB_DATA_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_web_data_20",
name: "Yandex Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Web Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Web Data — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Ya Autofill Data*" files (Yandex's own autofill store,
/// alongside the Chromium-style "Web Data"), per profile, copied verbatim by
/// the KAPE Yandex target. May contain personal data; treat accordingly.
pub(crate) static KAPE_FILE_YA_AUTOFILL_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ya_autofill_data",
name: "Yandex Autofill data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Ya Autofill Data*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Autofill data — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Passman Logs*" files (logs of the Yandex password manager,
/// going by the name), per profile, copied verbatim by the KAPE Yandex target.
///
/// NOTE(review): password-manager logs can reveal when stored credentials were
/// accessed or modified, which is often more useful for a timeline than the
/// store itself — worth a look even at `Low` priority.
pub(crate) static KAPE_FILE_PASSMAN_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_passman_logs",
name: "Yandex Passman logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Passman Logs*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Passman logs — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Yandex Browser "Shortcuts*" files, per profile, copied verbatim by the KAPE
/// Yandex target.
pub(crate) static KAPE_FILE_SHORTCUTS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shortcuts_19",
name: "Yandex Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*\\Shortcuts*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Shortcuts — collected by KAPE Yandex target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Yandex.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry from the `!BasicCollection` compound target referencing the nested
/// `EventLogs.tkape` target.
///
/// NOTE(review): `file_path` here is the *name of another KAPE target*, not an
/// on-disk path, yet `artifact_type` is `File` like every other descriptor in
/// this table. A consumer that resolves `file_path` as a filesystem glob will
/// look for a literal `EventLogs.tkape` and find nothing. Either the ingest
/// pipeline should expand compound targets into their member descriptors, or
/// consumers must special-case the `.tkape` suffix; the same applies to the
/// other `*_TKAPE` entries below.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape",
name: "Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event Logs — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry from the `!BasicCollection` compound target referencing the nested
/// `EvidenceOfExecution.tkape` target. As with the other `*_TKAPE` entries,
/// `file_path` names a KAPE target rather than an on-disk path.
///
/// NOTE(review): `Low` looks inconsistent with the sibling `Event Logs` and
/// `LNKFilesAndJumpLists` entries, both `High`; execution evidence is
/// typically among the first things a triage wants, so confirm this rating is
/// intentional.
pub(crate) static KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_evidenceofexecution_tkape",
name: "Evidence of Execution",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EvidenceOfExecution.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Evidence of Execution — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry from the `!BasicCollection` compound target referencing the nested
/// `FileSystem.tkape` target. As with the other `*_TKAPE` entries, `file_path`
/// names a KAPE target rather than an on-disk path.
pub(crate) static KAPE_FILE_FILESYSTEM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filesystem_tkape",
name: "File System",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FileSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "File System — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry from the `!BasicCollection` compound target referencing the nested
/// `LNKFilesAndJumpLists.tkape` target. As with the other `*_TKAPE` entries,
/// `file_path` names a KAPE target rather than an on-disk path.
pub(crate) static KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_lnkfilesandjumplists_tkape",
name: "LNKFilesAndJumpLists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("LNKFilesAndJumpLists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNKFilesAndJumpLists — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PowerShellConsole.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` is a nested `.tkape` target name, not an on-disk path — presumably a
/// compound-target membership record; confirm with the ingest pipeline. Only appears
/// under `!BasicCollection` in this section (no `!SANS_Triage` twin).
pub(crate) static KAPE_FILE_POWERSHELLCONSOLE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershellconsole_tkape",
name: "PowerShellConsole",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PowerShellConsole.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShellConsole — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecycleBin_InfoFiles.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` names a nested `.tkape` target rather than a file on disk — confirm with
/// the ingest pipeline before using it as a collection path. The `!SANS_Triage` twin is
/// `KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_2` (note its `name` keeps the underscore).
pub(crate) static KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_infofiles_tkape",
name: "RecycleBin InfoFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecycleBin_InfoFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecycleBin InfoFiles — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHives.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// Marked `TriagePriority::High` by the generator. Although this is registry-related,
/// `hive` is `None` and `key_path` is empty: the entry describes a nested `.tkape`
/// target, not a specific hive or key — confirm with the ingest pipeline. Twin from
/// `!SANS_Triage`: `KAPE_FILE_REGISTRYHIVES_TKAPE_2`.
pub(crate) static KAPE_FILE_REGISTRYHIVES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhives_tkape",
name: "RegistryHives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHives.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegistryHives — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ScheduledTasks.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` is a nested `.tkape` target name, not an on-disk path — presumably a
/// compound-target membership record; verify with the ingest pipeline. Duplicated for
/// `!SANS_Triage` as `KAPE_FILE_SCHEDULEDTASKS_TKAPE_2`.
pub(crate) static KAPE_FILE_SCHEDULEDTASKS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scheduledtasks_tkape",
name: "ScheduledTasks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ScheduledTasks.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ScheduledTasks — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SRUM.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` names a nested `.tkape` target rather than a file on disk — confirm with
/// the ingest pipeline before treating it as collectable. `!SANS_Triage` twin:
/// `KAPE_FILE_SRUM_TKAPE_2`.
pub(crate) static KAPE_FILE_SRUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_srum_tkape",
name: "SRUM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SRUM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SRUM — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Thumbcache.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// Casing differs between `name` (`ThumbCache`) and `file_path` (`Thumbcache.tkape`);
/// consumers doing exact string matches between the two should normalise first.
/// `file_path` is a nested `.tkape` target name, not an on-disk path — confirm with the
/// ingest pipeline. `!SANS_Triage` twin: `KAPE_FILE_THUMBCACHE_TKAPE_2`.
pub(crate) static KAPE_FILE_THUMBCACHE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_thumbcache_tkape",
name: "ThumbCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Thumbcache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ThumbCache — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `USBDevicesLogs.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline. No
/// `!SANS_Triage` twin appears in this section.
pub(crate) static KAPE_FILE_USBDEVICESLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_usbdeviceslogs_tkape",
name: "USBDevicesLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("USBDevicesLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "USBDevicesLogs — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WindowsIndexSearch.tkape` as referenced by the KAPE `!BasicCollection` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before using it as a collection spec. Last of the `!BasicCollection`
/// members in this section; `!SANS_Triage` twin is `KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE_2`.
pub(crate) static KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowsindexsearch_tkape",
name: "WindowsIndexSearch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsIndexSearch.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsIndexSearch — collected by KAPE !BasicCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!BasicCollection.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Antivirus.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// First of the `!SANS_Triage` members in this section. `file_path` is itself a compound
/// `.tkape` target (its own members — Avast, AVG, … — are listed further down under
/// `KAPE_FILE_AVAST_TKAPE` etc.), not an on-disk path; confirm handling of nested
/// targets with the ingest pipeline.
pub(crate) static KAPE_FILE_ANTIVIRUS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_tkape",
name: "Antivirus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Antivirus.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Antivirus — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `CloudStorage_Metadata.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cloudstorage_metadata_tkape",
name: "CloudStorage_Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CloudStorage_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CloudStorage_Metadata — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `CombinedLogs.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_COMBINEDLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_combinedlogs_tkape",
name: "CombinedLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CombinedLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CombinedLogs — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `GroupPolicy.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_GROUPPOLICY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_grouppolicy_tkape",
name: "GroupPolicy",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("GroupPolicy.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "GroupPolicy — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `EvidenceOfExecution.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Second descriptor for the same nested target as `KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE`
/// (the `!BasicCollection` copy); the two differ only in `id`, `name` spelling, `meaning`
/// and `sources`. Consumers that deduplicate by `file_path` will merge them — presumably
/// intended, but confirm with the ingest pipeline.
pub(crate) static KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_evidenceofexecution_tkape_2",
name: "EvidenceOfExecution",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EvidenceOfExecution.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EvidenceOfExecution — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FileSystem.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target already described by `KAPE_FILE_FILESYSTEM_TKAPE`
/// (`!BasicCollection`); only `id`, `name` spelling, `meaning` and `sources` differ.
pub(crate) static KAPE_FILE_FILESYSTEM_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filesystem_tkape_2",
name: "FileSystem",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FileSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileSystem — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FTPClients.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_FTPCLIENTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ftpclients_tkape",
name: "FTPClients",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FTPClients.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FTPClients — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `LNKFilesAndJumpLists.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `TriagePriority::High`, matching the `!BasicCollection` copy
/// `KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE`; the two differ only in `id`, `meaning` and
/// `sources`.
pub(crate) static KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_lnkfilesandjumplists_tkape_2",
name: "LNKFilesAndJumpLists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("LNKFilesAndJumpLists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNKFilesAndJumpLists — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `MessagingClients.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_MESSAGINGCLIENTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_messagingclients_tkape",
name: "MessagingClients",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MessagingClients.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MessagingClients — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `NetworkScanner.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_NETWORKSCANNER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkscanner_tkape",
name: "NetworkScanner",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NetworkScanner.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NetworkScanner — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecycleBin_InfoFiles.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target described by `KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE`
/// (`!BasicCollection`); differs in `id`, `name` spelling (underscore retained here),
/// `meaning` and `sources`.
pub(crate) static KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_infofiles_tkape_2",
name: "RecycleBin_InfoFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecycleBin_InfoFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecycleBin_InfoFiles — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHives.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `TriagePriority::High`, matching `KAPE_FILE_REGISTRYHIVES_TKAPE` (`!BasicCollection`).
/// Despite the name, `hive` is `None` and `key_path` is empty: this describes a nested
/// `.tkape` target, not a specific hive — confirm with the ingest pipeline.
pub(crate) static KAPE_FILE_REGISTRYHIVES_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhives_tkape_2",
name: "RegistryHives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHives.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegistryHives — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RemoteAdmin.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `name` (`RemoteAccess`) and `file_path` (`RemoteAdmin.tkape`) do not match; `id` is
/// derived from the file name. Presumably `name` is the target's own description string
/// — confirm against the upstream target before keying on either. `file_path` is a
/// nested `.tkape` target name, not an on-disk path.
pub(crate) static KAPE_FILE_REMOTEADMIN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remoteadmin_tkape",
name: "RemoteAccess",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RemoteAdmin.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RemoteAccess — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ScheduledTasks.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target described by `KAPE_FILE_SCHEDULEDTASKS_TKAPE`
/// (`!BasicCollection`); only `id`, `meaning` and `sources` differ.
pub(crate) static KAPE_FILE_SCHEDULEDTASKS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scheduledtasks_tkape_2",
name: "ScheduledTasks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ScheduledTasks.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ScheduledTasks — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SRUM.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target described by `KAPE_FILE_SRUM_TKAPE`
/// (`!BasicCollection`); only `id`, `meaning` and `sources` differ.
pub(crate) static KAPE_FILE_SRUM_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_srum_tkape_2",
name: "SRUM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SRUM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SRUM — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SUM.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline. Not to be
/// confused with the neighbouring `SRUM` descriptors.
pub(crate) static KAPE_FILE_SUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sum_tkape",
name: "SUM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SUM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUM — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WER.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_WER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wer_tkape",
name: "WER",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WER.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WER — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Thumbcache.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target described by `KAPE_FILE_THUMBCACHE_TKAPE`
/// (`!BasicCollection`). As there, `name` (`ThumbCache`) and `file_path`
/// (`Thumbcache.tkape`) differ in casing — normalise before exact comparison.
pub(crate) static KAPE_FILE_THUMBCACHE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_thumbcache_tkape_2",
name: "ThumbCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Thumbcache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ThumbCache — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WBEM.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_WBEM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wbem_tkape",
name: "WBEM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WBEM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WBEM — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `BITS.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_BITS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bits_tkape",
name: "BITS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("BITS.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BITS — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WebBrowsers.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// The only entry in this section the generator marks `TriagePriority::Medium`.
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — confirm
/// with the ingest pipeline.
pub(crate) static KAPE_FILE_WEBBROWSERS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webbrowsers_tkape",
name: "WebBrowsers",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WebBrowsers.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WebBrowsers — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WindowsIndexSearch.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Duplicate of the nested target described by `KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE`
/// (`!BasicCollection`); only `id`, `meaning` and `sources` differ.
pub(crate) static KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowsindexsearch_tkape_2",
name: "WindowsIndexSearch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsIndexSearch.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsIndexSearch — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WindowsTimeline.tkape` as referenced by the KAPE `!SANS_Triage` compound target.
///
/// Last of the `!SANS_Triage` members in this section. `file_path` is a nested `.tkape`
/// target name rather than an on-disk path — presumably a compound-target membership
/// record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_WINDOWSTIMELINE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowstimeline_tkape",
name: "WindowsTimeline",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsTimeline.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsTimeline — collected by KAPE !SANS_Triage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/!SANS_Triage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Avast.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// First of the `Antivirus` members in this section (the parent itself is described by
/// `KAPE_FILE_ANTIVIRUS_TKAPE`). `file_path` names a nested `.tkape` target, not a
/// file on disk — confirm with the ingest pipeline before treating it as collectable.
pub(crate) static KAPE_FILE_AVAST_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avast_tkape",
name: "Avast",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Avast.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avast — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AVG.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_AVG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_avg_tkape",
name: "AVG",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AVG.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AVG — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AviraAVLogs.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `name` (`Avira`) is shorter than the target file name (`AviraAVLogs.tkape`) that `id`
/// is derived from — presumably `name` comes from the target's description; confirm
/// before keying on it. `file_path` is a nested `.tkape` target name, not an on-disk path.
pub(crate) static KAPE_FILE_AVIRAAVLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_aviraavlogs_tkape",
name: "Avira",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AviraAVLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Avira — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Bitdefender.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_BITDEFENDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bitdefender_tkape",
name: "Bitdefender",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Bitdefender.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bitdefender — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ComboFix.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_COMBOFIX_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_combofix_tkape",
name: "ComboFix",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ComboFix.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ComboFix — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `CrowdStrikeFalcon.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_CROWDSTRIKEFALCON_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crowdstrikefalcon_tkape",
name: "CrowdStrikeFalcon",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CrowdStrikeFalcon.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CrowdStrikeFalcon — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Cybereason.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_CYBEREASON_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cybereason_tkape",
name: "Cybereason",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Cybereason.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cybereason — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Cylance.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_CYLANCE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cylance_tkape",
name: "Cylance",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Cylance.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cylance — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ElasticDefend.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_ELASTICDEFEND_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_elasticdefend_tkape",
name: "Elastic Defend",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ElasticDefend.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Elastic Defend — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Emsisoft.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_EMSISOFT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_emsisoft_tkape",
name: "Emsisoft",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Emsisoft.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Emsisoft — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ESET.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_ESET_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eset_tkape",
name: "ESET",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ESET.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ESET — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FSecure.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` names a nested `.tkape` target, not a file on disk — confirm with the
/// ingest pipeline before treating it as a collectable artifact.
pub(crate) static KAPE_FILE_FSECURE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_fsecure_tkape",
name: "FSecure",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FSecure.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FSecure — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `HitmanPro.tkape` as referenced by the KAPE `Antivirus` compound target.
///
/// `file_path` is a nested `.tkape` target name rather than an on-disk path — presumably
/// a compound-target membership record; verify with the ingest pipeline.
pub(crate) static KAPE_FILE_HITMANPRO_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hitmanpro_tkape",
name: "HitmanPro",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("HitmanPro.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HitmanPro — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Malwarebytes` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Malwarebytes.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_MALWAREBYTES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_malwarebytes_tkape",
name: "Malwarebytes",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Malwarebytes.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Malwarebytes — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `McAfee` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`McAfee.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_MCAFEE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_tkape",
name: "McAfee",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("McAfee.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `McAfee ePO` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`McAfee_ePO.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_MCAFEE_EPO_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mcafee_epo_tkape",
name: "McAfee ePO",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("McAfee_ePO.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "McAfee ePO — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Microsoft Safety Scanner` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`MicrosoftSafetyScanner.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_MICROSOFTSAFETYSCANNER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoftsafetyscanner_tkape",
name: "Microsoft Safety Scanner",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MicrosoftSafetyScanner.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Safety Scanner — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RogueKiller` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`RogueKiller.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_ROGUEKILLER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roguekiller_tkape",
name: "RogueKiller",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RogueKiller.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RogueKiller — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SecureAge` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`SecureAge.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SECUREAGE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_secureage_tkape",
name: "SecureAge",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SecureAge.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SecureAge — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SentinelOne` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`SentinelOne.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SENTINELONE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sentinelone_tkape",
name: "SentinelOne",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SentinelOne.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SentinelOne — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Sophos` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Sophos.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SOPHOS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sophos_tkape",
name: "Sophos",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Sophos.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Sophos — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SUPERAntiSpyware` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`SUPERAntiSpyware.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SUPERANTISPYWARE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_superantispyware_tkape",
name: "SUPERAntiSpyware",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SUPERAntiSpyware.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUPERAntiSpyware — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Symantec` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Symantec_AV_Logs.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SYMANTEC_AV_LOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_symantec_av_logs_tkape",
name: "Symantec",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Symantec_AV_Logs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Symantec — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `TotalAV` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`TotalAV.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_TOTALAV_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_totalav_tkape",
name: "TotalAV",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("TotalAV.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TotalAV — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `TrendMicro` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`TrendMicro.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_TRENDMICRO_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trendmicro_tkape",
name: "TrendMicro",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("TrendMicro.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TrendMicro — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `VIPRE` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`VIPRE.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_VIPRE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vipre_tkape",
name: "VIPRE",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VIPRE.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VIPRE — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Webroot` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Webroot.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_WEBROOT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webroot_tkape",
name: "Webroot",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Webroot.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Webroot — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows Defender` member of the compound KAPE `Antivirus` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`WindowsDefender.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_WINDOWSDEFENDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowsdefender_tkape",
name: "Windows Defender",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsDefender.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Defender — collected by KAPE Antivirus target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Antivirus.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Box User Files` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`BoxDrive_UserFiles.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_BOXDRIVE_USERFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_boxdrive_userfiles_tkape",
name: "Box User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("BoxDrive_UserFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Box User Files — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Dropbox User Files` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Dropbox_UserFiles.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_DROPBOX_USERFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_userfiles_tkape",
name: "Dropbox User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Dropbox_UserFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Dropbox User Files — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Google Drive Backup and Sync User Files` member of the compound KAPE `CloudStorage_All`
/// target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename
/// (`GoogleDriveBackupSync_UserFiles.tkape`), not a path on the subject host — resolve that
/// target rather than collecting the string. `mitre_techniques`, `fields`, `evidence_caveats`
/// and `volatility` are left empty by the generator; absence does not mean "no caveats".
pub(crate) static KAPE_FILE_GOOGLEDRIVEBACKUPSYNC_USERFILES_TKAPE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_googledrivebackupsync_userfiles_tkape",
name: "Google Drive Backup and Sync User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("GoogleDriveBackupSync_UserFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Google Drive Backup and Sync User Files — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `OneDrive User Files` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`OneDrive_UserFiles.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_ONEDRIVE_USERFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onedrive_userfiles_tkape",
name: "OneDrive User Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("OneDrive_UserFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OneDrive User Files — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `pCloudDatabase` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`pCloudDatabase.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_PCLOUDDATABASE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pclouddatabase_tkape",
name: "pCloudDatabase",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("pCloudDatabase.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "pCloudDatabase — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SugarSync` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`SugarSync.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_SUGARSYNC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sugarsync_tkape",
name: "SugarSync",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SugarSync.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SugarSync — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `CloudStorage Metadata` member of the compound KAPE `CloudStorage_All` target (see
/// `sources`). The `_2` id suffix marks this as a second descriptor for the same nested
/// target name, emitted because a different compound target references it.
/// NOTE(review): `file_path` holds the nested target filename (`CloudStorage_Metadata.tkape`),
/// itself a compound target, not a path on the subject host — resolve it rather than collect
/// the string. Technique, field, caveat and volatility data are left empty by the generator.
pub(crate) static KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_2: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_cloudstorage_metadata_tkape_2",
name: "CloudStorage Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CloudStorage_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CloudStorage Metadata — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Idrive Backup` member of the compound KAPE `CloudStorage_All` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Idrive.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_IDRIVE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_idrive_tkape",
name: "Idrive Backup",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Idrive.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Idrive Backup — collected by KAPE CloudStorage_All target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_All.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Box Metadata` member of the compound KAPE `CloudStorage_Metadata` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`BoxDrive_Metadata.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_BOXDRIVE_METADATA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_boxdrive_metadata_tkape",
name: "Box Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("BoxDrive_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Box Metadata — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Dropbox Metadata` member of the compound KAPE `CloudStorage_Metadata` target (see
/// `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Dropbox_Metadata.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_DROPBOX_METADATA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dropbox_metadata_tkape",
name: "Dropbox Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Dropbox_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Dropbox Metadata — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Google Drive Metadata` member of the compound KAPE `CloudStorage_Metadata` target (see
/// `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`GoogleDrive_Metadata.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_GOOGLEDRIVE_METADATA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_googledrive_metadata_tkape",
name: "Google Drive Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("GoogleDrive_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Google Drive Metadata — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `MegaSync Data Collection` member of the compound KAPE `CloudStorage_Metadata` target
/// (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`Megasync.tkape`), not a path
/// on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_MEGASYNC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_megasync_tkape",
name: "MegaSync Data Collection",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Megasync.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MegaSync Data Collection — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `OneDrive Metadata` member of the compound KAPE `CloudStorage_Metadata` target (see
/// `sources`). A second descriptor with the same `name` and `file_path` exists for the
/// `CloudStorage_OneDriveExplorer` compound target (`kape_file_onedrive_metadata_tkape_2`),
/// so do not key on `name` alone when de-duplicating.
/// NOTE(review): `file_path` holds the nested target filename (`OneDrive_Metadata.tkape`),
/// not a path on the subject host. Technique, field, caveat and volatility data are unset.
pub(crate) static KAPE_FILE_ONEDRIVE_METADATA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onedrive_metadata_tkape",
name: "OneDrive Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("OneDrive_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OneDrive Metadata — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Rclone Conf File` member of the compound KAPE `CloudStorage_Metadata` target (see
/// `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`RcloneConf.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string.
/// NOTE(review): an rclone configuration typically carries remote credentials/tokens; treat
/// the collected copy as sensitive. `evidence_caveats` is empty only because the generator
/// does not populate it — confirm handling policy before sharing this artifact.
pub(crate) static KAPE_FILE_RCLONECONF_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rcloneconf_tkape",
name: "Rclone Conf File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RcloneConf.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Rclone Conf File — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FreeFileSync` member of the compound KAPE `CloudStorage_Metadata` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`FreeFileSync.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_FREEFILESYNC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freefilesync_tkape",
name: "FreeFileSync",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FreeFileSync.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FreeFileSync — collected by KAPE CloudStorage_Metadata target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_Metadata.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `OneDrive Metadata` member of the compound KAPE `CloudStorage_OneDriveExplorer` target
/// (see `sources`). The `_2` id suffix marks this as a duplicate of
/// `kape_file_onedrive_metadata_tkape` (same `name` and `file_path`, different parent
/// target); consumers de-duplicating by `name` will collapse the two.
/// NOTE(review): `file_path` holds the nested target filename (`OneDrive_Metadata.tkape`),
/// not a path on the subject host. Technique, field, caveat and volatility data are unset.
pub(crate) static KAPE_FILE_ONEDRIVE_METADATA_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onedrive_metadata_tkape_2",
name: "OneDrive Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("OneDrive_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OneDrive Metadata — collected by KAPE CloudStorage_OneDriveExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_OneDriveExplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `User Related Registry hives` member of the compound KAPE `CloudStorage_OneDriveExplorer`
/// target (see `sources`). Rated `TriagePriority::High` — one of the few High entries in
/// this section, so consumers filtering by priority will pick it up under this parent.
/// NOTE(review): `file_path` holds the nested target filename (`RegistryHivesUser.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// Technique, field, caveat and volatility data are left empty by the generator.
pub(crate) static KAPE_FILE_REGISTRYHIVESUSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhivesuser_tkape",
name: "User Related Registry hives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHivesUser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Related Registry hives — collected by KAPE CloudStorage_OneDriveExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_OneDriveExplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Recycle Bin DataAndInfo` member of the compound KAPE `CloudStorage_OneDriveExplorer`
/// target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`RecycleBin.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_RECYCLEBIN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_tkape",
name: "Recycle Bin DataAndInfo",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecycleBin.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Recycle Bin DataAndInfo — collected by KAPE CloudStorage_OneDriveExplorer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CloudStorage_OneDriveExplorer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows Event Logs` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// The `_2` id suffix indicates the pipeline already emitted an `EventLogs.tkape` descriptor
/// under another parent target; de-duplicate on `file_path`, not on `name`. Rated
/// `TriagePriority::High`.
/// NOTE(review): `file_path` holds the nested target filename (`EventLogs.tkape`), not a
/// path on the subject host. Technique, field, caveat and volatility data are left empty.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape_2",
name: "Windows Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Event Logs — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Event Trace Logs` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`EventTraceLogs.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_EVENTTRACELOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventtracelogs_tkape",
name: "Event Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventTraceLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event Trace Logs — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PowerShell Console Log` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// The `_2` id suffix indicates the pipeline already emitted a `PowerShellConsole.tkape`
/// descriptor under another parent target; de-duplicate on `file_path`, not on `name`.
/// NOTE(review): `file_path` holds the nested target filename, not a path on the subject
/// host. Technique, field, caveat and volatility data are left empty by the generator.
pub(crate) static KAPE_FILE_POWERSHELLCONSOLE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershellconsole_tkape_2",
name: "PowerShell Console Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PowerShellConsole.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Console Log — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PowerShell Transcripts` member of the compound KAPE `CombinedLogs` target (see
/// `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`PowerShellTranscripts.tkape`),
/// not a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershelltranscripts_tkape",
name: "PowerShell Transcripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PowerShellTranscripts.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows Firewall Log` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`WindowsFirewall.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_WINDOWSFIREWALL_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowsfirewall_tkape",
name: "Windows Firewall Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsFirewall.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Firewall Log — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `USBDevicesLogs` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// The `_2` id suffix indicates the pipeline already emitted a `USBDevicesLogs.tkape`
/// descriptor under another parent target; de-duplicate on `file_path`, not on `name`.
/// NOTE(review): `file_path` holds the nested target filename, not a path on the subject
/// host. Technique, field, caveat and volatility data are left empty by the generator.
pub(crate) static KAPE_FILE_USBDEVICESLOGS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_usbdeviceslogs_tkape_2",
name: "USBDevicesLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("USBDevicesLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "USBDevicesLogs — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.NET CLR UsageLogs` member of the compound KAPE `CombinedLogs` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`NETCLRUsageLogs.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_NETCLRUSAGELOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_netclrusagelogs_tkape",
name: ".NET CLR UsageLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NETCLRUsageLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".NET CLR UsageLogs — collected by KAPE CombinedLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CombinedLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Amcache` member of the compound KAPE `EvidenceOfExecution` target (see `sources`).
/// NOTE(review): rated `TriagePriority::Low` while the sibling `Prefetch` member of the same
/// compound target is `High`; priority-filtered collections will drop this entry — verify
/// the generator's priority assignment is intended before relying on it.
/// NOTE(review): `file_path` holds the nested target filename (`Amcache.tkape`), not a path
/// on the subject host. Technique, field, caveat and volatility data are left empty.
pub(crate) static KAPE_FILE_AMCACHE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_amcache_tkape",
name: "Amcache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Amcache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache — collected by KAPE EvidenceOfExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EvidenceOfExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AppCompatPCA` member of the compound KAPE `EvidenceOfExecution` target (see `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`AppCompatPCA.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string literally.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_APPCOMPATPCA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_appcompatpca_tkape",
name: "AppCompatPCA",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AppCompatPCA.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AppCompatPCA — collected by KAPE EvidenceOfExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EvidenceOfExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Prefetch` member of the compound KAPE `EvidenceOfExecution` target (see `sources`).
/// Rated `TriagePriority::High`, unlike the sibling `Amcache`, `AppCompatPCA`,
/// `RecentFileCache` and `Syscache` members of the same target, which are `Low`.
/// NOTE(review): `file_path` holds the nested target filename (`Prefetch.tkape`), not a
/// path on the subject host — resolve that target rather than collecting the string.
/// Technique, field, caveat and volatility data are left empty by the generator.
pub(crate) static KAPE_FILE_PREFETCH_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prefetch_tkape",
name: "Prefetch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Prefetch.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prefetch — collected by KAPE EvidenceOfExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EvidenceOfExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecentFileCache` member of the compound KAPE `EvidenceOfExecution` target (see
/// `sources`).
/// NOTE(review): `file_path` holds the nested target filename (`RecentFileCache.tkape`), not
/// a path on the subject host — resolve that target rather than collecting the string.
/// `mitre_techniques`, `fields`, `evidence_caveats` and `volatility` are left empty by the
/// generator; absence here does not mean the artifact has no caveats.
pub(crate) static KAPE_FILE_RECENTFILECACHE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recentfilecache_tkape",
name: "RecentFileCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecentFileCache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecentFileCache — collected by KAPE EvidenceOfExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EvidenceOfExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `Syscache.tkape` line of KAPE's
/// `EvidenceOfExecution.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_SYSCACHE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_syscache_tkape",
name: "Syscache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("Syscache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Syscache — collected by KAPE EvidenceOfExecution target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EvidenceOfExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `ExchangeClientAccess.tkape` line of KAPE's
/// `Exchange.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path. `os_scope` is the generic `Win7Plus` used across this section;
/// the ingest does not narrow it to server SKUs.
pub(crate) static KAPE_FILE_EXCHANGECLIENTACCESS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchangeclientaccess_tkape",
name: "Exchange client access log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("ExchangeClientAccess.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Exchange client access log files — collected by KAPE Exchange target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Exchange.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `ExchangeTransport.tkape` line of KAPE's
/// `Exchange.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_EXCHANGETRANSPORT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchangetransport_tkape",
name: "Exchange TransportRoles log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("ExchangeTransport.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Exchange TransportRoles log files — collected by KAPE Exchange target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Exchange.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `ExchangeSetupLog.tkape` line of KAPE's
/// `Exchange.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_EXCHANGESETUPLOG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchangesetuplog_tkape",
name: "Exchange Setup log file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("ExchangeSetupLog.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Exchange Setup log file — collected by KAPE Exchange target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Exchange.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `FileZillaClient.tkape` line of KAPE's
/// `FTPClients.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_FILEZILLACLIENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezillaclient_tkape",
name: "FileZilla Client",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("FileZillaClient.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla Client — collected by KAPE FTPClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FTPClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `FileZillaServer.tkape` line of KAPE's
/// `FTPClients.tkape` compound target.
///
/// Note the grouping: a *server* reference is carried under the
/// `FTPClients` target because that is where upstream KAPE lists it.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_FILEZILLASERVER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezillaserver_tkape",
name: "FileZilla Server",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("FileZillaServer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla Server — collected by KAPE FTPClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FTPClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `WinSCP.tkape` line of KAPE's `FTPClients.tkape`
/// compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_WINSCP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_winscp_tkape",
name: "WinSCP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("WinSCP.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WinSCP — collected by KAPE FTPClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FTPClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `Robo-FTP.tkape` line of KAPE's `FTPClients.tkape`
/// compound target.
///
/// The hyphen in the upstream file name is folded to `_` in `id` and the
/// static's name; `file_path` keeps the original spelling. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_ROBO_FTP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_robo_ftp_tkape",
name: "Robo-FTP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("Robo-FTP.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Robo-FTP — collected by KAPE FTPClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FTPClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `DirectoryOpus.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_DIRECTORYOPUS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_directoryopus_tkape",
name: "Directory Opus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("DirectoryOpus.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Directory Opus — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `DoubleCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_DOUBLECOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_doublecommander_tkape",
name: "Double Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("DoubleCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Double Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `EFCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_EFCOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_efcommander_tkape",
name: "EF Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("EFCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EF Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `FreeCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `name` carries the upstream display name ("FreeCommander XE") while
/// `id`/`file_path` use the shorter file stem. `file_path` is the name of
/// the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_FREECOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freecommander_tkape",
name: "FreeCommander XE",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("FreeCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FreeCommander XE — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `MidnightCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_MIDNIGHTCOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_midnightcommander_tkape",
name: "Midnight Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("MidnightCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Midnight Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `MultiCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_MULTICOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_multicommander_tkape",
name: "Multi Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("MultiCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Multi Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `OneCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_ONECOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onecommander_tkape",
name: "One Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("OneCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "One Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `Q-Dir.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// The hyphen in the upstream file name is folded to `_` in `id` and the
/// static's name; `file_path` keeps the original spelling. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_Q_DIR_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_q_dir_tkape",
name: "Q-Dir",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("Q-Dir.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Q-Dir — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `SpeedCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_SPEEDCOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_speedcommander_tkape",
name: "SpeedCommander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("SpeedCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SpeedCommander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `TablacusExplorer.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_TABLACUSEXPLORER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_tablacusexplorer_tkape",
name: "Tablacus Explorer",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("TablacusExplorer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Tablacus Explorer — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `TotalCommander.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_TOTALCOMMANDER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_totalcommander_tkape",
name: "Total Commander",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("TotalCommander.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Total Commander — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `XYplorer.tkape` line of KAPE's
/// `FileExplorerReplacements.tkape` compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_XYPLORER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_xyplorer_tkape",
name: "XYplorer",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("XYplorer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "XYplorer — collected by KAPE FileExplorerReplacements target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileExplorerReplacements.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$MFT.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` of the upstream name is dropped from `id` and the
/// static's name but kept in `name`/`file_path`. `file_path` is the name
/// of the referenced `.tkape` target, not a host path. Ranked `High`;
/// the other FileSystem references in this section are `Low`.
pub(crate) static KAPE_FILE_MFT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mft_tkape",
name: "$MFT",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$MFT.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$MFT — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// Only High-ranked entry among the FileSystem references.
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$LogFile.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` is dropped from `id` but kept in `name`/`file_path`.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_LOGFILE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logfile_tkape",
name: "$LogFile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$LogFile.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$LogFile — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): $MFT from the same target is High; confirm Low is the
// intended ranking for the companion NTFS metadata files.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$J.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` is dropped from `id` but kept in `name`/`file_path`.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_J_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_j_tkape",
name: "$J",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$J.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$J — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): $MFT from the same target is High while $J is Low;
// confirm the intended ranking before a triage view sorts on this.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$SDS.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` is dropped from `id` but kept in `name`/`file_path`.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_SDS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sds_tkape",
name: "$SDS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$SDS.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$SDS — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$Boot.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` is dropped from `id` but kept in `name`/`file_path`.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_BOOT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_boot_tkape",
name: "$Boot",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$Boot.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$Boot — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `$T.tkape` line of KAPE's `FileSystem.tkape`
/// compound target.
///
/// The leading `$` is dropped from `id` but kept in `name`/`file_path`.
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_T_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_t_tkape",
name: "$T",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("$T.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$T — collected by KAPE FileSystem target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FileSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `HexChat.tkape` line of KAPE's `IRCClients.tkape`
/// compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_HEXCHAT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_hexchat_tkape",
name: "HexChat",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("HexChat.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HexChat — collected by KAPE IRCClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IRCClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `IceChat.tkape` line of KAPE's `IRCClients.tkape`
/// compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_ICECHAT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_icechat_tkape",
name: "IceChat",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("IceChat.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IceChat — collected by KAPE IRCClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IRCClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `mIRC.tkape` line of KAPE's `IRCClients.tkape`
/// compound target.
///
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path; `meaning` is generated from `name` and the target name.
pub(crate) static KAPE_FILE_MIRC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mirc_tkape",
name: "mIRC",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("mIRC.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "mIRC — collected by KAPE IRCClients target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IRCClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `Antivirus.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// The `_2` suffix on `id` presumably disambiguates this from an earlier
/// entry generated for the same `.tkape` name under another target —
/// confirm against the ingest's de-duplication rule. `file_path` is the
/// name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_ANTIVIRUS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_antivirus_tkape_2",
name: "Antivirus",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("Antivirus.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Antivirus — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `CloudStorage_Metadata.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries generated for the same `.tkape` name under other targets —
/// confirm against the ingest's de-duplication rule. `file_path` is the
/// name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_3: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_cloudstorage_metadata_tkape_3",
name: "CloudStorage_Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("CloudStorage_Metadata.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CloudStorage_Metadata — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `EventLogs.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries for the same `.tkape` name under other targets. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape_3",
name: "EventLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventLogs — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): Low here while the sibling RegistryHives and
// LNKFilesAndJumpLists references are High; confirm this is the intended
// ranking rather than an ingest default.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `EvidenceOfExecution.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// This is a reference to a target that is itself compound (its own
/// members — AppCompatPCA, Prefetch, RecentFileCache, Syscache — are
/// separate entries in this file). `file_path` is the name of the
/// referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_evidenceofexecution_tkape_3",
name: "EvidenceOfExecution",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("EvidenceOfExecution.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EvidenceOfExecution — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): Low for the container while its Prefetch member is High;
// the priority does not roll up from members — confirm this is intended.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `FileSystem.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// This references a target that is itself compound (its `$MFT`, `$LogFile`,
/// `$J`, `$SDS`, `$Boot`, `$T` members are separate entries in this file).
/// `file_path` is the name of the referenced `.tkape` target, not a host
/// path.
pub(crate) static KAPE_FILE_FILESYSTEM_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filesystem_tkape_3",
name: "FileSystem",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("FileSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileSystem — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): Low for the container while its $MFT member is High;
// the priority does not roll up from members — confirm this is intended.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `LNKFilesAndJumpLists.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// One of the two `High`-ranked KapeTriage references in this section
/// (the other is RegistryHives). `file_path` is the name of the referenced
/// `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_lnkfilesandjumplists_tkape_3",
name: "LNKFilesAndJumpLists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("LNKFilesAndJumpLists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNKFilesAndJumpLists — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `Notepad.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// Unlike most KapeTriage references in this section, `id` carries no
/// numeric suffix, which suggests this `.tkape` name appears under only
/// one target — confirm against the ingest. `file_path` is the name of the
/// referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_NOTEPAD_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notepad_tkape",
name: "Notepad",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("Notepad.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Notepad — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `PowerShellConsole.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries for the same `.tkape` name under other targets. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_POWERSHELLCONSOLE_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershellconsole_tkape_3",
name: "PowerShellConsole",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("PowerShellConsole.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShellConsole — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `RecycleBin_InfoFiles.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries for the same `.tkape` name under other targets. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_infofiles_tkape_3",
name: "RecycleBin_InfoFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("RecycleBin_InfoFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecycleBin_InfoFiles — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `RegistryHives.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// Although this is a registry-related collection, the descriptor is typed
/// `ArtifactType::File` with `hive: None` and an empty `key_path`, because
/// it refers to a `.tkape` target rather than to a hive key. `file_path`
/// is the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_REGISTRYHIVES_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhives_tkape_3",
name: "RegistryHives",
artifact_type: ArtifactType::File,
// Not a registry descriptor: no hive/key despite the name.
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("RegistryHives.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegistryHives — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
// One of the two High-ranked KapeTriage references in this section.
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `RemoteAdmin.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// NOTE(review): `name` and `meaning` say "RemoteAccess" while `id`,
/// `file_path` and the static's name say "RemoteAdmin". Whichever is the
/// upstream spelling, anything that looks entries up by `name` will not
/// find this one under the file stem — verify against the KapeTriage.tkape
/// line before relying on `name`. `file_path` is the name of the
/// referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_REMOTEADMIN_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remoteadmin_tkape_2",
// Disagrees with `id`/`file_path` ("RemoteAdmin"); see the doc comment.
name: "RemoteAccess",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("RemoteAdmin.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RemoteAccess — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `ScheduledTasks.tkape` line of KAPE's
/// `KapeTriage.tkape` compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries for the same `.tkape` name under other targets. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_SCHEDULEDTASKS_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scheduledtasks_tkape_3",
name: "ScheduledTasks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("ScheduledTasks.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ScheduledTasks — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `SRUM.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// The `_3` suffix on `id` presumably disambiguates this from earlier
/// entries for the same `.tkape` name under other targets. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_SRUM_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_srum_tkape_3",
name: "SRUM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("SRUM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SRUM — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `SUM.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// The `_2` suffix on `id` presumably disambiguates this from an earlier
/// entry for the same `.tkape` name under another target. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_SUM_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sum_tkape_2",
name: "SUM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("SUM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUM — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Entry emitted for the `WER.tkape` line of KAPE's `KapeTriage.tkape`
/// compound target.
///
/// The `_2` suffix on `id` presumably disambiguates this from an earlier
/// entry for the same `.tkape` name under another target. `file_path` is
/// the name of the referenced `.tkape` target, not a host path.
pub(crate) static KAPE_FILE_WER_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wer_tkape_2",
name: "WER",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Nested target reference, not a path on the examined host.
file_path: Some("WER.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WER — collected by KAPE KapeTriage target",
// No ATT&CK mapping assigned by the ingest.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WBEM.tkape` as pulled in by the KAPE KapeTriage compound target; triage priority Low.
/// Same target definition as `KAPE_FILE_WBEM_TKAPE_3`, which records the ProgramExecution
/// reference — the `_2`/`_3` suffixes disambiguate ids, not artifacts.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WBEM_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wbem_tkape_2",
name: "WBEM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WBEM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WBEM — collected by KAPE KapeTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WebBrowsers.tkape` as pulled in by the KAPE KapeTriage compound target.
/// Triage priority is Medium here, higher than the Low assigned to most sibling
/// KapeTriage references in this table.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WEBBROWSERS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webbrowsers_tkape_2",
name: "WebBrowsers",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WebBrowsers.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WebBrowsers — collected by KAPE KapeTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WindowsTimeline.tkape` as pulled in by the KAPE KapeTriage compound target; triage
/// priority Low. Same target definition as `KAPE_FILE_WINDOWSTIMELINE_TKAPE_3`, which
/// records the ProgramExecution reference.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WINDOWSTIMELINE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowstimeline_tkape_2",
name: "WindowsTimeline",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsTimeline.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsTimeline — collected by KAPE KapeTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/KapeTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `IRCClients.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_IRCCLIENTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ircclients_tkape",
name: "IRC Clients",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("IRCClients.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IRC Clients — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `CiscoJabber.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_CISCOJABBER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ciscojabber_tkape",
name: "Cisco Jabber",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CiscoJabber.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cisco Jabber — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Discord.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_DISCORD_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_discord_tkape",
name: "Discord",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Discord.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Discord — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Mattermost.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_MATTERMOST_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mattermost_tkape",
name: "Mattermost",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Mattermost.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Mattermost — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `MicrosoftTeams.tkape` as pulled in by the KAPE MessagingClients compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_MICROSOFTTEAMS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoftteams_tkape",
name: "Microsoft Teams",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MicrosoftTeams.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Teams — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Signal.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SIGNAL_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signal_tkape",
name: "Signal",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Signal.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Signal — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Skype.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SKYPE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_skype_tkape",
name: "Skype",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Skype.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Skype — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Slack.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SLACK_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_slack_tkape",
name: "Slack",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Slack.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Slack — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Telegram.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_TELEGRAM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_telegram_tkape",
name: "Telegram",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Telegram.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Telegram — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Viber.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_VIBER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_viber_tkape",
name: "Viber",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Viber.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Viber — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WhatsApp.tkape` as pulled in by the KAPE MessagingClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_WHATSAPP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_whatsapp_tkape",
name: "WhatsApp",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WhatsApp.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WhatsApp — collected by KAPE MessagingClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MessagingClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `EventLogs.tkape` as pulled in by the KAPE MiniTimelineCollection compound target;
/// triage priority High (timeline-critical evidence in this table).
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape_4",
name: "Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event Logs — collected by KAPE MiniTimelineCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MiniTimelineCollection.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FileSystem.tkape` as pulled in by the KAPE MiniTimelineCollection compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_FILESYSTEM_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filesystem_tkape_4",
name: "File System",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FileSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "File System — collected by KAPE MiniTimelineCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MiniTimelineCollection.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHives.tkape` as pulled in by the KAPE MiniTimelineCollection compound target;
/// triage priority High.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_REGISTRYHIVES_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhives_tkape_4",
name: "RegistryHives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHives.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegistryHives — collected by KAPE MiniTimelineCollection target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MiniTimelineCollection.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AdvancedIPScanner.tkape` as pulled in by the KAPE NetworkScanner compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_ADVANCEDIPSCANNER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_advancedipscanner_tkape",
name: "Advanced IP Scanner",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AdvancedIPScanner.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced IP Scanner — collected by KAPE NetworkScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetworkScanner.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AdvancedPortScanner.tkape` as pulled in by the KAPE NetworkScanner compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_ADVANCEDPORTSCANNER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_advancedportscanner_tkape",
name: "Advanced Port Scanner",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AdvancedPortScanner.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Advanced Port Scanner — collected by KAPE NetworkScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetworkScanner.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SoftPerfectNetscan.tkape` as pulled in by the KAPE NetworkScanner compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SOFTPERFECTNETSCAN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_softperfectnetscan_tkape",
name: "Soft Perfect Network Scanner",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SoftPerfectNetscan.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Soft Perfect Network Scanner — collected by KAPE NetworkScanner target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NetworkScanner.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `DC++.tkape` as pulled in by the KAPE P2PClients compound target; triage priority Low.
/// The `++` in the target filename was dropped when deriving the id (`kape_file_dc_tkape`).
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_DC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dc_tkape",
name: "DC++",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("DC++.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DC++ — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `eMule.tkape` as pulled in by the KAPE P2PClients compound target; triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_EMULE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_emule_tkape",
name: "eMule",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("eMule.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "eMule — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FrostWire.tkape` as pulled in by the KAPE P2PClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_FROSTWIRE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_frostwire_tkape",
name: "FrostWire",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FrostWire.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FrostWire — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Gigatribe.tkape` as pulled in by the KAPE P2PClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_GIGATRIBE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_gigatribe_tkape",
name: "Gigatribe",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Gigatribe.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Gigatribe — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Shareaza.tkape` as pulled in by the KAPE P2PClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SHAREAZA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_shareaza_tkape",
name: "Shareaza",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Shareaza.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Shareaza — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Soulseek.tkape` as pulled in by the KAPE P2PClients compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SOULSEEK_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_soulseek_tkape",
name: "Soulseek",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Soulseek.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Soulseek — collected by KAPE P2PClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/P2PClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Chocolatey.tkape` as pulled in by the KAPE PackageManagers compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_CHOCOLATEY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chocolatey_tkape",
name: "Chocolatey",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Chocolatey.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chocolatey — collected by KAPE PackageManagers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PackageManagers.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Amcache.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low (NOTE(review): sibling `KAPE_FILE_PREFETCH_TKAPE_2` from the same target
/// is High — confirm the priority split is intentional).
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_AMCACHE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_amcache_tkape_2",
name: "Amcache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Amcache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `AppCompatPCA.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_APPCOMPATPCA_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_appcompatpca_tkape_2",
name: "AppCompatPCA",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AppCompatPCA.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AppCompatPCA — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Prefetch.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority High — the only High-priority entry among the ProgramExecution references
/// in this table.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_PREFETCH_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prefetch_tkape_2",
name: "Prefetch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Prefetch.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prefetch — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecentFileCache.tkape` as pulled in by the KAPE ProgramExecution compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_RECENTFILECACHE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recentfilecache_tkape_2",
name: "RecentFileCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecentFileCache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecentFileCache — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Syscache.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_SYSCACHE_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_syscache_tkape_2",
name: "Syscache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Syscache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Syscache — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PowerShellTranscripts.tkape` as pulled in by the KAPE ProgramExecution compound
/// target; triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE_2: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_powershelltranscripts_tkape_2",
name: "PowerShellTranscripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PowerShellTranscripts.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShellTranscripts — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `PowerShellConsole.tkape` as pulled in by the KAPE ProgramExecution compound target;
/// triage priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_POWERSHELLCONSOLE_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershellconsole_tkape_4",
name: "PowerShellConsole",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PowerShellConsole.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShellConsole — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WBEM.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low. Same target definition as `KAPE_FILE_WBEM_TKAPE_2`, which records the
/// KapeTriage reference — the `_2`/`_3` suffixes disambiguate ids, not artifacts.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WBEM_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wbem_tkape_3",
name: "WBEM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WBEM.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WBEM — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WER.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low. Same target definition as `KAPE_FILE_WER_TKAPE_2`, which records the
/// KapeTriage reference — the `_2`/`_3` suffixes disambiguate ids, not artifacts.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WER_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wer_tkape_3",
name: "WER",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WER.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WER — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WindowsTimeline.tkape` as pulled in by the KAPE ProgramExecution compound target;
/// triage priority Low. Same target definition as `KAPE_FILE_WINDOWSTIMELINE_TKAPE_2`,
/// which records the KapeTriage reference.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
pub(crate) static KAPE_FILE_WINDOWSTIMELINE_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowstimeline_tkape_3",
name: "WindowsTimeline",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WindowsTimeline.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsTimeline — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `JumpLists.tkape` as pulled in by the KAPE ProgramExecution compound target; triage
/// priority Low.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_JUMPLISTS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_jumplists_tkape",
name: "JumpLists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("JumpLists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "JumpLists — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `NETCLRUsageLogs.tkape` as pulled in by the KAPE ProgramExecution compound target;
/// triage priority Low. The leading `.` of the display name is dropped from the id.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_NETCLRUSAGELOGS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_netclrusagelogs_tkape_2",
name: ".NET CLR UsageLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NETCLRUsageLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".NET CLR UsageLogs — collected by KAPE ProgramExecution target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramExecution.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecycleBin_InfoFiles.tkape` as pulled in by the KAPE RecycleBin compound target;
/// triage priority Low. Paired with `KAPE_FILE_RECYCLEBIN_DATAFILES_TKAPE` below.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_infofiles_tkape_4",
name: "RecycleBin_InfoFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecycleBin_InfoFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecycleBin_InfoFiles — collected by KAPE RecycleBin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RecycleBin_DataFiles.tkape` as pulled in by the KAPE RecycleBin compound target;
/// triage priority Low. Paired with `KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_4` above.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect).
/// Enrichment fields (mitre_techniques, fields, evidence_*, volatility) are unpopulated.
pub(crate) static KAPE_FILE_RECYCLEBIN_DATAFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recyclebin_datafiles_tkape",
name: "RecycleBin_DataFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RecycleBin_DataFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecycleBin_DataFiles — collected by KAPE RecycleBin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHivesSystem.tkape` as pulled in by the KAPE RegistryHives compound target;
/// triage priority High.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect). `hive` is
/// None even though the target is registry-related — the ingest does not resolve it.
pub(crate) static KAPE_FILE_REGISTRYHIVESSYSTEM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhivessystem_tkape",
name: "System Registry Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHivesSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System Registry Files — collected by KAPE RegistryHives target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHives.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHivesUser.tkape` as pulled in by the KAPE RegistryHives compound target;
/// triage priority High.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect). `hive` is
/// None even though the target is registry-related — the ingest does not resolve it.
pub(crate) static KAPE_FILE_REGISTRYHIVESUSER_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhivesuser_tkape_2",
name: "User Level Registry Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHivesUser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Level Registry Files — collected by KAPE RegistryHives target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHives.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHivesMSIXApps.tkape` as pulled in by the KAPE RegistryHives compound target;
/// triage priority High.
/// `file_path` names the nested target definition, not an on-disk artifact path
/// (NOTE(review): confirm consumers do not treat it as a file to collect). `hive` is
/// None even though the target is registry-related — the ingest does not resolve it.
pub(crate) static KAPE_FILE_REGISTRYHIVESMSIXAPPS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhivesmsixapps_tkape",
name: "MSIX Application Registry Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHivesMSIXApps.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MSIX Application Registry Files — collected by KAPE RegistryHives target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHives.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Action1 remote-management tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ACTION1_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_action1_tkape",
name: "Action1",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Action1.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Action1 — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Ammyy Admin remote-access tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_AMMYY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ammyy_tkape",
name: "Ammyy",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Ammyy.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ammyy — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// AnyDesk remote-access tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ANYDESK_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_anydesk_tkape",
name: "AnyDesk",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("AnyDesk.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AnyDesk — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome Remote Desktop — entry of the KAPE RemoteAdmin compound target.
///
/// The display name comes from the RemoteAdmin target while `file_path` names the
/// shared `ApplicationEvents.tkape` child target (hence the `_6` duplicate suffix).
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_APPLICATIONEVENTS_TKAPE_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applicationevents_tkape_6",
name: "Chrome Remote Desktop",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApplicationEvents.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Remote Desktop — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// DWAgent remote-access agent — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_DWAGENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dwagent_tkape",
name: "DWAgent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("DWAgent.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DWAgent — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// ISL Online remote-support tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ISLONLINE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_islonline_tkape",
name: "ISLOnline",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ISLOnline.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ISLOnline — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// ITarian remote-management tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ITARIAN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_itarian_tkape",
name: "ITarian",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ITarian.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ITarian — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Kaseya remote-management agent — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_KASEYA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_kaseya_tkape",
name: "Kaseya",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Kaseya.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kaseya — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Level remote-management tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_LEVEL_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_level_tkape",
name: "Level",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Level.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Level — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LogMeIn remote-access tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_LOGMEIN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logmein_tkape",
name: "LogMeIn",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("LogMeIn.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LogMeIn — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MeshAgent (MeshCentral) remote-management agent — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_MESHAGENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_meshagent_tkape",
name: "MeshAgent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MeshAgent.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MeshAgent — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// mRemoteNG connection manager — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_MREMOTENG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mremoteng_tkape",
name: "mRemoteNG",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("mRemoteNG.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "mRemoteNG — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NetMonitor for Employees Professional — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_NETMONITORFOREMPLOYEESPROFESSIONAL_TKAPE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_netmonitorforemployeesprofessional_tkape",
name: "NetMonitor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NetMonitorforEmployeesProfessional.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NetMonitor — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Microsoft Quick Assist — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_QUICKASSIST_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quickassist_tkape",
name: "QuickAssist",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("QuickAssist.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "QuickAssist — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
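/// Radmin server/viewer logs and chats — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` is the upstream target's free-text comment. The generated literal
/// carried the YAML quotes into the string (`"\"...\""`); they are stripped here so
/// the text matches every other `meaning` in this file. The ingest pipeline must
/// strip them as well, otherwise regeneration reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_RADMIN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_radmin_tkape",
name: "Radmin",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Radmin.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Radmin Server and Viewer Logs and Chats",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};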
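/// RDP bitmap cache — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_RDPCACHE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rdpcache_tkape",
name: "RDP Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RDPCache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains data cached during recent RDP sessions",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};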
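/// RDP-related Windows event logs — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_RDPLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rdplogs_tkape",
name: "RDP Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RDPLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains Windows Event Logs related to RDP",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};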
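/// Remcos RAT logs — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `triage_priority` is `Low` for a RAT artifact; that is the
/// generator's default for this target, not an analyst judgement — revisit.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_REMCOS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remcos_tkape",
name: "Remcos RAT",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Remcos.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains logs related to Remcos RAT",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};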
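/// Remote Manipulator System (RMS) logs — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_REMOTEMANIPULATORSYSTEM_TKAPE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_remotemanipulatorsystem_tkape",
name: "Remote Manipulator System",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RemoteManipulatorSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains logs related to Remote Manipulator System",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};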
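/// Remote Utilities application logs — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_REMOTEUTILITIES_APP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remoteutilities_app_tkape",
name: "Remote Utilities",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RemoteUtilities_app.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains logs related to the App RemoteUtilities",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};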
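/// RustDesk remote-access logs — entry of the KAPE RemoteAdmin compound target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them.
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_RUSTDESK_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rustdesk_tkape",
name: "RustDesk",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RustDesk.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Contains logs related to RustDesk",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};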
/// ScreenConnect (ConnectWise Control) — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_SCREENCONNECT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_screenconnect_tkape",
name: "ScreenConnect (ConnectWise Control)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ScreenConnect.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ScreenConnect (ConnectWise Control) — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Splashtop remote-access tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_SPLASHTOP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_splashtop_tkape",
name: "Splashtop",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Splashtop.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Splashtop — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Supremo Remote Desktop Control — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_SUPREMOREMOTEDESKTOP_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supremoremotedesktop_tkape",
name: "Supremo Remote Desktop Control",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SupremoRemoteDesktop.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supremo Remote Desktop Control — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// TeamViewer logs — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_TEAMVIEWERLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_teamviewerlogs_tkape",
name: "TeamViewer",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("TeamViewerLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TeamViewer — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// UEMS endpoint-management agent — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_UEMS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_uems_tkape",
name: "UEMS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("UEMS.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UEMS — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// UltraViewer remote-access tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ULTRAVIEWER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ultraviewer_tkape",
name: "UltraViewer",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("UltraViewer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UltraViewer — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// VNC server/viewer logs — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_VNCLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vnclogs_tkape",
name: "VNC",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VNCLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VNC — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Xeox remote-management agent — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_XEOX_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_xeox_tkape",
name: "Xeox",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Xeox.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Xeox — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Zoho Assist remote-support tool — entry of the KAPE RemoteAdmin compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_ZOHOASSIST_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_zohoassist_tkape",
name: "ZohoAssist",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ZohoAssist.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ZohoAssist — collected by KAPE RemoteAdmin target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RemoteAdmin.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows event logs — entry of the KAPE SOFELK compound target.
///
/// The `_5` suffix marks a duplicate of an `EventLogs.tkape` entry emitted for
/// another compound target. NOTE(review): `file_path` is a child `.tkape` target
/// name, not an artifact path.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape_5",
name: "EventLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventLogs — collected by KAPE SOFELK target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SOFELK.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Evidence-of-execution artifacts — entry of the KAPE SOFELK compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_evidenceofexecution_tkape_4",
name: "EvidenceOfExecution",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EvidenceOfExecution.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EvidenceOfExecution — collected by KAPE SOFELK target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SOFELK.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// File-system metadata artifacts — entry of the KAPE SOFELK compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_FILESYSTEM_TKAPE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filesystem_tkape_5",
name: "FileSystem",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FileSystem.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileSystem — collected by KAPE SOFELK target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SOFELK.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LNK files and Jump Lists — entry of the KAPE SOFELK compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_lnkfilesandjumplists_tkape_4",
name: "LNKFilesAndJumpLists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("LNKFilesAndJumpLists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNKFilesAndJumpLists — collected by KAPE SOFELK target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SOFELK.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Prefetch files — entry of the KAPE SOFELK compound target.
///
/// NOTE(review): `file_path` is a child `.tkape` target name, not an artifact path.
pub(crate) static KAPE_FILE_PREFETCH_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prefetch_tkape_3",
name: "Prefetch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Prefetch.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prefetch — collected by KAPE SOFELK target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SOFELK.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
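/// 4K Video Downloader download-history databases — entry of the KAPE SQLiteDatabases target.
///
/// The generated `file_path` fused the upstream Path and quoted FileMask with no
/// separator (`...4K Video Downloader\"*.sqlite\"`), which is not a usable path
/// pattern. It is re-joined with `\` and the stray quotes dropped; `meaning` had
/// the same quote artifact. The ingest join must be fixed as well or regeneration
/// reintroduces both. `id` is left as generated so cross-references keep resolving.
pub(crate) static KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_4k_video_downloader_4k_video_downloader_sqlite_2",
name: "4K Video Downloader",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\4kdownload.com\\4K Video Downloader\\4K Video Downloader\\*.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs database(s) that stores user download history",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};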
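/// OneNote (Store app) full-text search index — entry of the KAPE SQLiteDatabases target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them. The index holds notebook text content, so treat collected
/// copies as potentially sensitive user data.
pub(crate) static KAPE_FILE_FULLTEXTSEARCHINDEX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_fulltextsearchindex_2",
name: "Microsoft OneNote - FullTextSearchIndex",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\*\\FullTextSearchIndex"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs database(s) comprising of each OneNote notebook's text content",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};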
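/// OneNote (Store app) recently seen notebooks — entry of the KAPE SQLiteDatabases target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them. The upstream wording ("appears to record") is itself
/// tentative; treat this artifact's semantics as unverified.
pub(crate) static KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_onenote_notificationsrecentnotebooks_seenurls_2",
name: "Microsoft OneNote - RecentNotebooks_SeenURLs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\NotificationsRecentNotebooks_SeenURLs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs a file that appears to record recently seen OneNote notebooks",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};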
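/// OneNote (Store app) AccessibilityCheckerIndex — entry of the KAPE SQLiteDatabases target.
///
/// `meaning` previously carried stray YAML quotes from the upstream comment
/// (`"\"...\""`); stripped here — fix the ingest pipeline too or regeneration
/// reintroduces them. NOTE(review): the upstream comment describes version-sync
/// error history while the path names an accessibility-checker index; the
/// description may be a copy/paste from a neighbouring entry — verify upstream.
pub(crate) static KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_accessibilitycheckerindex_2",
name: "Microsoft OneNote - AccessibilityCheckerIndex",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\AccessibilityCheckerIndex"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs database(s) comprising of each OneNote notebook's version sync error history",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};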
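/// OneNote (Store app) user-defined note tags — entry of the KAPE SQLiteDatabases target.
///
/// The generated `file_path` fused the upstream Path and quoted FileMask with no
/// separator (`...\16.0\NoteTags\"*LiveId.db\"`), which is not a usable path
/// pattern; it is re-joined with `\` and the stray quotes dropped. `meaning` had
/// the same quote artifact. The ingest join must be fixed as well or regeneration
/// reintroduces both. `id` is left as generated so cross-references keep resolving.
pub(crate) static KAPE_FILE_16_0_NOTETAGS_LIVEID_DB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_notetags_liveid_db_2",
name: "Microsoft OneNote - User NoteTags",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\NoteTags\\*LiveId.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs a database that stores the user specified tags within OneNote to be used application-wide",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};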
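/// OneNote (Store app) recent-searches database — entry of the KAPE SQLiteDatabases target.
///
/// The generated `file_path` ended in `RecentSearchesRecentSearches.db`, the
/// upstream Path (`...\16.0\RecentSearches`) and FileMask (`RecentSearches.db`)
/// joined with no separator — the same ingest defect visible in the quoted
/// FileMask entries of this target. Re-joined with `\` here; verify against the
/// upstream target and fix the ingest join, or regeneration reintroduces it.
/// `meaning` had the stray-quote artifact, also stripped. `id` is left as generated
/// so cross-references keep resolving.
pub(crate) static KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_16_0_recentsearchesrecentsearches_db_2",
name: "Microsoft OneNote - RecentSearches",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\AppData\\Local\\OneNote\\16.0\\RecentSearches\\RecentSearches.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Grabs a database that stores the user's recent searches within OneNote",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};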
/// Microsoft Sticky Notes database (Windows 10 1607 and later) — entry of the KAPE
/// SQLiteDatabases target.
///
/// The trailing `*` in `file_path` also matches SQLite sidecar files (journal/WAL)
/// alongside `plum.sqlite`, which is needed to recover uncommitted note content.
pub(crate) static KAPE_FILE_LOCALSTATE_PLUM_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_plum_sqlite_2",
name: "Microsoft Sticky Notes - 1607 and later",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes*\\LocalState\\plum.sqlite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Sticky Notes - 1607 and later — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Microsoft To Do task database — entry of the KAPE SQLiteDatabases target.
///
/// The `*` path segment under `AccountsRoot` covers every signed-in account; the
/// trailing `*` on the filename also picks up SQLite journal/WAL sidecars.
pub(crate) static KAPE_FILE_TODOSQLITE_DB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_todosqlite_db_2",
name: "Microsoft To Do - SQLite Database of To Do tasks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.Todos_8wekyb3d8bbwe\\LocalState\\AccountsRoot\\*\\todosqlite.db*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft To Do - SQLite Database of To Do tasks — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
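/// KAPE SQLiteDatabases target entry: Robo-FTP job scheduler database.
///
/// The ingested glob previously read `...\ProgramData\"SchedulerService.sqlite"`:
/// the target's quoted FileMask was appended with its quote characters intact.
/// `"` is not a valid character in a Windows path component, so that pattern
/// could never match a file; the mask is now `SchedulerService.sqlite`.
pub(crate) static KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE_2: ArtifactDescriptor =
    ArtifactDescriptor {
        // identity
        id: "kape_file_programdata_schedulerservice_sqlite_2",
        name: "Robo-FTP Jobs",
        meaning: "Robo-FTP Jobs — collected by KAPE SQLiteDatabases target",
        // location: a file glob, no registry coordinates
        artifact_type: ArtifactType::File,
        file_path: Some("C:\\Program Files\\Robo-FTP *\\ProgramData\\SchedulerService.sqlite"),
        hive: None,
        key_path: "",
        value_name: None,
        // scope and handling
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        // enrichment (not populated by the ingest)
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
        ],
        // evidence metadata left unset
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };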
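/// KAPE SQLiteDatabases target entry: TeraCopy history databases.
///
/// The ingested glob previously read `...\TeraCopy\History"*.db"`: the target's
/// quoted FileMask was concatenated onto the directory without a path separator
/// and with its quote characters intact. `"` cannot appear in a Windows path
/// component, so the pattern could never match; it is now `...\History\*.db`.
pub(crate) static KAPE_FILE_TERACOPY_HISTORY_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_teracopy_history_db",
    name: "TeraCopy - History Databases",
    meaning: "TeraCopy - History Databases — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\TeraCopy\\History\\*.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
    ],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};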
/// KAPE SQLiteDatabases target entry: TeraCopy main database.
pub(crate) static KAPE_FILE_TERACOPY_MAIN_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_teracopy_main_db",
    name: "TeraCopy - Main Database",
    meaning: "TeraCopy - Main Database — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\TeraCopy\\main.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
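/// KAPE SQLiteDatabases target entry: Notion local storage database.
///
/// The ingested path previously read `...\Roaming\Notion'notion.db'`: the
/// target's single-quoted FileMask was appended without a path separator and
/// with the YAML quote characters intact, so it named a non-existent file in
/// the wrong directory. It is now `...\Roaming\Notion\notion.db`.
pub(crate) static KAPE_FILE_ROAMING_NOTION_NOTION_DB_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_roaming_notion_notion_db_2",
    name: "Notion Local Storage",
    meaning: "Notion Local Storage — collected by KAPE SQLiteDatabases target",
    // location: a file path, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Notion\\notion.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
    ],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};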
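/// KAPE SQLiteDatabases target entry: IDrive backed-up file databases.
///
/// The ingested glob previously ended in `\'*.idbs'`: the target's
/// single-quoted FileMask kept its YAML quote characters, so the pattern only
/// matched names that literally begin and end with `'`. The mask is now `*.idbs`.
pub(crate) static KAPE_FILE_IDBS: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_idbs",
    name: "IDrive Backed Up Files",
    meaning: "IDrive Backed Up Files — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\ProgramData\\IDrive\\IBCOMMON\\*\\LDBNEW\\*\\*.idbs"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
    ],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};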
/// KAPE SQLiteDatabases target entry: Dropbox `filecache.db`.
pub(crate) static KAPE_FILE_FILECACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_filecache_db",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"Getting individual files because folder may contain very large extraneous files\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\filecache.db*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `config.dbx`.
pub(crate) static KAPE_FILE_CONFIG_DBX: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_config_dbx",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"Getting individual files because folder may contain very large extraneous files\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\config.dbx"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `home.db`.
pub(crate) static KAPE_FILE_HOME_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_home_db",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQlite database which appears to keep track of the user's recent Dropbox activity\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\home.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `icon.db`.
pub(crate) static KAPE_FILE_ICON_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_icon_db",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters (and its "Drobox" spelling) verbatim.
    meaning: "\"SQLite database which appears to keep track of icons in the user's Drobox sync history which can give an indication as to which files and folders are present\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\icon.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `sync_history.db`.
pub(crate) static KAPE_FILE_SYNC_HISTORY_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_sync_history_db",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters (and its "Drobox" spelling) verbatim.
    meaning: "\"SQLite database which appears to keep track of the user's Drobox sync history\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\sync_history.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `sync\nucleus.sqlite3`.
pub(crate) static KAPE_FILE_SYNC_NUCLEUS_SQLITE3: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_sync_nucleus_sqlite3",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQLite database which appears to contain a table for deleted files\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\sync\\nucleus.sqlite3*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `host.db`.
pub(crate) static KAPE_FILE_DROPBOX_HOST_DB_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_dropbox_host_db_2",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together.\"",
    // location: a file path, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\host.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `host.dbx`.
pub(crate) static KAPE_FILE_DROPBOX_HOST_DBX_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_dropbox_host_dbx_2",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together.\"",
    // location: a file path, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\host.dbx"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `sync\aggregation.dbx`.
pub(crate) static KAPE_FILE_SYNC_AGGREGATION_DBX: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_sync_aggregation_dbx",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQLite database which appears to contain snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\sync\\aggregation.dbx"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Dropbox `avatarcache.db`.
pub(crate) static KAPE_FILE_AVATARCACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_avatarcache_db",
    name: "Dropbox Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\avatarcache.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: the "Dropbox Metadata" row itself.
///
/// NOTE(review): file_path and meaning are byte-identical to
/// `KAPE_FILE_AVATARCACHE_DB` — this looks like a target-level row that
/// inherited the values of the last per-file entry during ingest; confirm
/// against the upstream target before relying on it as a distinct artifact.
pub(crate) static KAPE_FILE_DROPBOX_METADATA: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_dropbox_metadata",
    name: "Dropbox Metadata",
    meaning: "\"SQLite database which appears to contain the ID's of account(s) on the user's system where Dropbox is installed\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Dropbox\\*\\avatarcache.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Google Drive File Stream `cloud_graph.db`.
pub(crate) static KAPE_FILE_CLOUD_GRAPH_CLOUD_GRAPH_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_cloud_graph_cloud_graph_db",
    name: "Google File Stream Metadata",
    // NOTE(review): meaning is the upstream comment verbatim — it names a .smap file rather than describing the artifact.
    meaning: "\"Windows_GoogleDrive_CloudGraphDB.smap\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Drive\\*\\cloud_graph\\cloud_graph.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Google Drive File Stream `change_buffer` directory.
pub(crate) static KAPE_FILE_CHANGE_BUFFER: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_change_buffer",
    name: "Google File Stream Metadata",
    // NOTE(review): meaning keeps the upstream comment's quote characters verbatim.
    meaning: "\"DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive\"",
    // location: a directory glob (trailing separator), no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Drive\\*\\TempData\\*\\change_buffer\\"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Google Drive File Stream `snapshot.db`.
pub(crate) static KAPE_FILE_SNAPSHOT_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_snapshot_db",
    name: "Google File Stream Metadata",
    // NOTE(review): meaning is the upstream comment verbatim — it names a .smap file rather than describing the artifact.
    meaning: "\"Windows_GoogleDrive_SnapshotDB.smap\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Drive\\*\\snapshot.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Google Drive File Stream `sync_config.db`.
pub(crate) static KAPE_FILE_SYNC_CONFIG_DB: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_sync_config_db",
    name: "Google File Stream Metadata",
    // NOTE(review): meaning is the upstream comment verbatim — it names a .smap file rather than describing the artifact.
    meaning: "\"Windows_GoogleDrive_SyncConfigDB.smap\"",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Drive\\*\\sync_config.db"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
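/// KAPE SQLiteDatabases target entry: FileZilla SQLite3 log files.
///
/// The ingested glob previously ended in `\'*.sqlite3*'`: the target's
/// single-quoted FileMask kept its YAML quote characters, so the pattern only
/// matched names that literally begin and end with `'`. The mask is now `*.sqlite3*`.
pub(crate) static KAPE_FILE_FILEZILLA_SQLITE3_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_filezilla_sqlite3_2",
    name: "FileZilla SQLite3 Log Files",
    meaning: "FileZilla SQLite3 Log Files — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\FileZilla\\*.sqlite3*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
    ],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};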
/// KAPE SQLiteDatabases target entry: Chrome bookmarks, Windows XP profile layout.
pub(crate) static KAPE_FILE_BOOKMARKS_20: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_bookmarks_20",
    name: "Chrome bookmarks XP",
    meaning: "Chrome bookmarks XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome cookies, Windows XP profile layout.
pub(crate) static KAPE_FILE_COOKIES_16: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_cookies_16",
    name: "Chrome Cookies XP",
    meaning: "Chrome Cookies XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Current Session", Windows XP profile layout.
pub(crate) static KAPE_FILE_CURRENT_SESSION_18: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_current_session_18",
    name: "Chrome Current Session XP",
    meaning: "Chrome Current Session XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Current Tabs", Windows XP profile layout.
pub(crate) static KAPE_FILE_CURRENT_TABS_18: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_current_tabs_18",
    name: "Chrome Current Tabs XP",
    meaning: "Chrome Current Tabs XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome favicons, Windows XP profile layout.
pub(crate) static KAPE_FILE_FAVICONS_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_favicons_21",
    name: "Chrome Favicons XP",
    meaning: "Chrome Favicons XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Favicons*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome history, Windows XP profile layout.
pub(crate) static KAPE_FILE_HISTORY_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_history_21",
    name: "Chrome History XP",
    meaning: "Chrome History XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\History*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Last Session", Windows XP profile layout.
pub(crate) static KAPE_FILE_LAST_SESSION_17: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_last_session_17",
    name: "Chrome Last Session XP",
    meaning: "Chrome Last Session XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Last Session"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Last Tabs", Windows XP profile layout.
pub(crate) static KAPE_FILE_LAST_TABS_17: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_last_tabs_17",
    name: "Chrome Last Tabs XP",
    meaning: "Chrome Last Tabs XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Last Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Login Data", Windows XP profile layout.
pub(crate) static KAPE_FILE_LOGIN_DATA_20: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_login_data_20",
    name: "Chrome Login Data XP",
    meaning: "Chrome Login Data XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Login Data"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    // NOTE(review): the collected file is treated the same as the other profile files here; treat
    // it as sensitive when handling the collected output, since it is the browser's credential store.
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Preferences", Windows XP profile layout.
pub(crate) static KAPE_FILE_PREFERENCES_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_preferences_21",
    name: "Chrome Preferences XP",
    meaning: "Chrome Preferences XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Preferences"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome shortcuts, Windows XP profile layout.
pub(crate) static KAPE_FILE_SHORTCUTS_20: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_shortcuts_20",
    name: "Chrome Shortcuts XP",
    meaning: "Chrome Shortcuts XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Shortcuts*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Top Sites", Windows XP profile layout.
pub(crate) static KAPE_FILE_TOP_SITES_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_top_sites_21",
    name: "Chrome Top Sites XP",
    meaning: "Chrome Top Sites XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Top Sites*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Visited Links", Windows XP profile layout.
pub(crate) static KAPE_FILE_VISITED_LINKS_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_visited_links_21",
    name: "Chrome Visited Links XP",
    meaning: "Chrome Visited Links XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Visited Links"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Web Data", Windows XP profile layout.
pub(crate) static KAPE_FILE_WEB_DATA_21: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_web_data_21",
    name: "Chrome Web Data XP",
    meaning: "Chrome Web Data XP — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\*\\Web Data*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    // NOTE(review): the path is the XP "Documents and Settings" layout yet the scope is Win7Plus — confirm the intended OsScope.
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome bookmarks.
pub(crate) static KAPE_FILE_CHROME_BOOKMARKS_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_bookmarks_2",
    name: "Chrome bookmarks",
    meaning: "Chrome bookmarks — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome cookies.
pub(crate) static KAPE_FILE_CHROME_COOKIES_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_cookies_2",
    name: "Chrome Cookies",
    meaning: "Chrome Cookies — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Cookies*"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Medium,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Current Session".
pub(crate) static KAPE_FILE_CHROME_CURRENT_SESSI_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity (the id is truncated by the generator; kept as-is because callers key on it)
    id: "kape_file_chrome_current_sessi_2",
    name: "Chrome Current Session",
    meaning: "Chrome Current Session — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Session"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE SQLiteDatabases target entry: Chrome "Current Tabs".
pub(crate) static KAPE_FILE_CHROME_CURRENT_TABS_2: ArtifactDescriptor = ArtifactDescriptor {
    // identity
    id: "kape_file_chrome_current_tabs_2",
    name: "Chrome Current Tabs",
    meaning: "Chrome Current Tabs — collected by KAPE SQLiteDatabases target",
    // location: a file glob, no registry coordinates
    artifact_type: ArtifactType::File,
    file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Tabs"),
    hive: None,
    key_path: "",
    value_name: None,
    // scope and handling
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // enrichment (not populated by the ingest)
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
    // evidence metadata left unset
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Download Metadata" file (priority `Medium`).
/// Note the static's name is not browser-qualified, unlike the sibling `KAPE_FILE_CHROME_*`
/// entries; the `id`/`name` fields are, so lookups by id are unaffected.
pub(crate) static KAPE_FILE_DOWNLOAD_METADATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_download_metadata",
name: "Chrome Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Download Metadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Download Metadata — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Extension Cookies" database (priority
/// `Medium`). `mitre_techniques` is empty here as for every entry in this generated module;
/// NOTE(review): a cookie store maps naturally to ATT&CK T1539 (Steal Web Session Cookie) —
/// worth adding in the ingest mapping rather than by hand here.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_17",
name: "Chrome Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Extension Cookies — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Favicons" database. The trailing `*` in
/// `file_path` is a KAPE file-mask wildcard (it also picks up journal/WAL side files).
pub(crate) static KAPE_FILE_CHROME_FAVICONS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_favicons_2",
name: "Chrome Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Favicons — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "History" database (priority `Medium`).
/// The trailing `*` is a KAPE file mask, so sidecar files sharing the `History` prefix are
/// collected too.
pub(crate) static KAPE_FILE_CHROME_HISTORY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_history_2",
name: "Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome History — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Last Session" file. `file_path` is a KAPE
/// collection pattern (`%user%`, profile wildcard), not a literal path.
pub(crate) static KAPE_FILE_CHROME_LAST_SESSION_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_session_2",
name: "Chrome Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Session — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Last Tabs" file (no trailing file mask,
/// unlike the database entries).
pub(crate) static KAPE_FILE_CHROME_LAST_TABS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_tabs_2",
name: "Chrome Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Tabs — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Login Data" database, the browser's saved
/// credential store. NOTE(review): `triage_priority` is `Low` while the sibling cookie entries
/// are `Medium`; a credential store is at least as relevant to an intrusion timeline (ATT&CK
/// T1555.003, Credentials from Web Browsers), so the priority and the empty `mitre_techniques`
/// look like gaps in the ingest mapping rather than something to patch in this generated file.
pub(crate) static KAPE_FILE_CHROME_LOGIN_DATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_login_data_2",
name: "Chrome Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Login Data — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Media History" database (priority `Medium`).
/// Static name is not browser-qualified; `id`/`name` are.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_17",
name: "Chrome Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Media History — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Network Action Predictor" database
/// (omnibox typing/prediction data). `file_path` is a KAPE pattern with `%user%` and a
/// profile wildcard.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_21: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_21",
name: "Chrome Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Action Predictor — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Network Persistent State" file (despite the
/// target name this one is not a SQLite database; the descriptor keeps the target's label).
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_20",
name: "Chrome Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Persistent State — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Preferences" file (JSON, not SQLite —
/// the `meaning` string repeats the upstream target name, not the file format).
pub(crate) static KAPE_FILE_CHROME_PREFERENCES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_preferences_2",
name: "Chrome Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Preferences — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "QuotaManager" database.
pub(crate) static KAPE_FILE_QUOTAMANAGER_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_18",
name: "Chrome Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\QuotaManager",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Quota Manager — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Reporting and NEL" store (Reporting API /
/// Network Error Logging endpoint state).
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_18",
name: "Chrome Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Reporting and NEL — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Shortcuts" database (omnibox shortcuts);
/// trailing `*` is a KAPE file mask.
pub(crate) static KAPE_FILE_CHROME_SHORTCUTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_shortcuts_2",
name: "Chrome Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Shortcuts — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Top Sites" database; trailing `*` is a KAPE
/// file mask.
pub(crate) static KAPE_FILE_CHROME_TOP_SITES_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_top_sites_2",
name: "Chrome Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Top Sites — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Trust Tokens" database; trailing `*` is a
/// KAPE file mask.
pub(crate) static KAPE_FILE_TRUST_TOKENS_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_trust_tokens_17",
name: "Chrome Trust Tokens",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Trust Tokens*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Trust Tokens — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome sync database.
/// NOTE(review): the last path component `Sync DataSyncData.sqlite3` looks like a KAPE
/// `Path` directory ("Sync Data") and `FileMask` ("SyncData.sqlite3") joined without a
/// separator — the same shape appears in `KAPE_FILE_EDGE_SYNCDATA_DATABA` and
/// `KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_5`. As written the pattern will not match the
/// on-disk file; confirm against the upstream target and fix the join in the ingest step
/// rather than in this generated module.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sync_datasyncdata_sqlite3_12",
name: "Chrome SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Sync DataSyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome SyncData Database — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Visited Links" file (a hashed link table,
/// not a SQLite database; the label comes from the upstream target).
pub(crate) static KAPE_FILE_CHROME_VISITED_LINKS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_visited_links_2",
name: "Chrome Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Visited Links — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Chrome "Web Data" database (autofill, saved
/// payment/address forms); trailing `*` is a KAPE file mask. NOTE(review): given the
/// personal data this database holds, `Low` is worth revisiting in the ingest mapping.
pub(crate) static KAPE_FILE_CHROME_WEB_DATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_web_data_2",
name: "Chrome Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Web Data — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Bookmarks" file (JSON); trailing `*` is a
/// KAPE file mask. NOTE(review): `KAPE_FILE_BOOKMARKS_2_2` in this module carries the same
/// `file_path` and source with a different `id` and a capitalised `name` — one of the two is
/// a duplicate and should be collapsed by the ingest step.
pub(crate) static KAPE_FILE_EDGE_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_bookmarks",
name: "Edge bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge bookmarks — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge Collections database.
/// NOTE(review): the last path component `CollectionscollectionsSQLite` looks like a KAPE
/// `Path` directory ("Collections") and `FileMask` ("collectionsSQLite") concatenated
/// without a separator, the same defect as `KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12`. The
/// pattern as written is unlikely to match anything; confirm against the upstream target
/// and fix the join in the ingest step.
pub(crate) static KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_collectionscollectionssqlite_5",
name: "Edge Collections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\CollectionscollectionsSQLite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Collections — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Cookies" database (priority `Medium`);
/// trailing `*` is a KAPE file mask. NOTE(review): `mitre_techniques` is empty — a session
/// cookie store corresponds to ATT&CK T1539 (Steal Web Session Cookie); best added in the
/// ingest mapping so it survives regeneration.
pub(crate) static KAPE_FILE_EDGE_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_cookies",
name: "Edge Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Cookies — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Current Session" file. `file_path` is a KAPE
/// collection pattern (`%user%`, profile wildcard), not a literal path.
pub(crate) static KAPE_FILE_EDGE_CURRENT_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_current_session",
name: "Edge Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Current Session — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Current Tabs" file.
pub(crate) static KAPE_FILE_EDGE_CURRENT_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_current_tabs",
name: "Edge Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Current Tabs — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Favicons" database; trailing `*` is a KAPE
/// file mask.
pub(crate) static KAPE_FILE_EDGE_FAVICONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_favicons",
name: "Edge Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Favicons — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "History" database (priority `Medium`);
/// trailing `*` is a KAPE file mask.
pub(crate) static KAPE_FILE_EDGE_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_history",
name: "Edge History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge History — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Last Session" file.
pub(crate) static KAPE_FILE_EDGE_LAST_SESSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_last_session",
name: "Edge Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Last Session — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Last Tabs" file (no trailing file mask).
pub(crate) static KAPE_FILE_EDGE_LAST_TABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_last_tabs",
name: "Edge Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Last Tabs — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Login Data" database, the browser's saved
/// credential store. NOTE(review): `triage_priority` is `Low` while the Edge cookie entry is
/// `Medium`; a credential store is at least as relevant (ATT&CK T1555.003, Credentials from
/// Web Browsers), and `mitre_techniques` is empty — both look like ingest-mapping gaps rather
/// than values to hand-edit in this generated module.
pub(crate) static KAPE_FILE_EDGE_LOGIN_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_login_data",
name: "Edge Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Login Data — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Media History" database (priority `Medium`);
/// trailing `*` is a KAPE file mask.
pub(crate) static KAPE_FILE_EDGE_MEDIA_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_media_history",
name: "Edge Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Media History — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Network Action Predictor" database. The static
/// name is truncated ("NETWORK_ACTION"); `id` and `name` are the authoritative identifiers.
pub(crate) static KAPE_FILE_EDGE_NETWORK_ACTION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_network_action",
name: "Edge Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Network Action Predictor"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Network Action Predictor — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Preferences" file (JSON, not SQLite — the
/// `meaning` label repeats the upstream target name).
pub(crate) static KAPE_FILE_EDGE_PREFERENCES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_preferences",
name: "Edge Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Preferences",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Preferences — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Shortcuts" database; trailing `*` is a KAPE
/// file mask.
pub(crate) static KAPE_FILE_EDGE_SHORTCUTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_shortcuts",
name: "Edge Shortcuts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Shortcuts*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Shortcuts — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Top Sites" database; trailing `*` is a KAPE
/// file mask.
pub(crate) static KAPE_FILE_EDGE_TOP_SITES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_top_sites",
name: "Edge Top Sites",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Top Sites*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Top Sites — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge sync database.
/// NOTE(review): the last path component `Sync DataSyncData.sqlite3` looks like a KAPE
/// `Path` directory and `FileMask` joined without a separator (same shape as the Chrome
/// entry `KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12`); as written the pattern will not match
/// the on-disk file. Fix the join in the ingest step, not in this generated module.
pub(crate) static KAPE_FILE_EDGE_SYNCDATA_DATABA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_syncdata_databa",
name: "Edge SyncData Database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Sync DataSyncData.sqlite3"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SyncData Database — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Bookmarks" file.
/// NOTE(review): this descriptor duplicates `KAPE_FILE_EDGE_BOOKMARKS` (identical
/// `file_path` and source; only `id` and the capitalisation of `name` differ). Unless the
/// upstream target really lists the path twice, the ingest step should de-duplicate, since
/// two ids for one artifact will double-count in any per-artifact summary.
pub(crate) static KAPE_FILE_BOOKMARKS_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_2_2",
name: "Edge Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Bookmarks — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Visited Links" file (hashed link table, not a
/// SQLite database; the label comes from the upstream target).
pub(crate) static KAPE_FILE_EDGE_VISITED_LINKS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_visited_links",
name: "Edge Visited Links",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Visited Links",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Visited Links — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Edge "Web Data" database (autofill / saved form
/// data); trailing `*` is a KAPE file mask. NOTE(review): given the personal data this
/// database holds, `Low` is worth revisiting in the ingest mapping.
pub(crate) static KAPE_FILE_EDGE_WEB_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_web_data",
name: "Edge Web Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Web Data*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Web Data — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Firefox `addons.sqlite` under the user's Firefox
/// profiles. NOTE(review): unlike the Chrome/Edge entries, `name` ("Addons") and `meaning`
/// do not say which browser this is — worth qualifying in the ingest step so UI listings
/// are unambiguous.
pub(crate) static KAPE_FILE_ADDONS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_addons_sqlite_2",
name: "Addons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\addons.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Addons — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SQLiteDatabases` target entry: Firefox Sync (`weave`) `bookmarks.sqlite`. `name`
/// ("Bookmarks") is not browser-qualified, unlike the Chrome/Edge entries.
pub(crate) static KAPE_FILE_WEAVE_BOOKMARKS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_weave_bookmarks_sqlite_2",
name: "Bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\weave\\bookmarks.sqlite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Bookmarks — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `cookies.sqlite*` from each profile under roaming AppData, as
/// collected by KAPE's `SQLiteDatabases` target. Session cookies are
/// credential-adjacent, hence Medium priority.
///
/// NOTE(review): `KAPE_FILE_FIREFOX_COOKIES_SQLITE_2` uses the same display
/// name "Cookies" with a `firefox_cookies.sqlite*` mask; the two entries are
/// distinguishable only by `id` and `file_path`.
pub(crate) static KAPE_FILE_COOKIES_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_sqlite_2",
name: "Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cookies — collected by KAPE SQLiteDatabases target",
// NOTE(review): empty although this is a browser session-token store;
// the ingest pipeline does not map techniques for KAPE entries.
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `firefox_cookies.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Medium priority, matching the sibling
/// `cookies.sqlite*` entry (`KAPE_FILE_COOKIES_SQLITE_2`), which shares the
/// display name "Cookies".
pub(crate) static KAPE_FILE_FIREFOX_COOKIES_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_firefox_cookies_sqlite_2",
name: "Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\firefox_cookies.sqlite*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cookies — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `downloads.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Medium priority (download history is a common
/// initial-access lead). Identity decoder, no fields attached.
pub(crate) static KAPE_FILE_DOWNLOADS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_downloads_sqlite_2",
name: "Downloads",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\downloads.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Downloads — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `favicons.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Low priority; Identity decoder, no fields.
pub(crate) static KAPE_FILE_FAVICONS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_sqlite_2",
name: "Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\favicons.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Favicons — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `formhistory.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Medium priority: form history can contain
/// user-typed identifiers. Identity decoder, no fields attached.
pub(crate) static KAPE_FILE_FORMHISTORY_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_formhistory_sqlite_2",
name: "Form history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\formhistory.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Form history — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `permissions.sqlite*` (per-site permission grants) from each
/// profile, as collected by KAPE's `SQLiteDatabases` target. Low priority.
pub(crate) static KAPE_FILE_PERMISSIONS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_permissions_sqlite_2",
name: "Permissions",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\permissions.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Permissions — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `places.sqlite*` (history and bookmarks store) from each profile,
/// as collected by KAPE's `SQLiteDatabases` target.
///
/// NOTE(review): priority Low although browsing history is usually the first
/// browser artifact examined; `downloads.sqlite*` in this file is Medium.
/// Confirm the intended weighting.
pub(crate) static KAPE_FILE_PLACES_SQLITE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_places_sqlite_3",
name: "Places",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Places — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `protections.sqlite*` (tracking-protection counters) from each
/// profile, as collected by KAPE's `SQLiteDatabases` target. Low priority.
pub(crate) static KAPE_FILE_PROTECTIONS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protections_sqlite_2",
name: "Protections",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\protections.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Protections — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `search.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Low priority; Identity decoder, no fields.
pub(crate) static KAPE_FILE_SEARCH_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_search_sqlite_2",
name: "Search",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\search.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Search — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `signons.sqlite*` from each profile, as collected by KAPE's
/// `SQLiteDatabases` target. Identity decoder, no fields attached.
///
/// NOTE(review): signons.sqlite is Firefox's (legacy) saved-logins store, i.e.
/// credential material. Priority Low with empty `mitre_techniques` is
/// inconsistent with the Medium given to cookies and form history in this
/// file; a credential-access technique mapping would be the natural fit.
/// Confirm before changing — this table is regenerated by the ingest pipeline.
pub(crate) static KAPE_FILE_SIGNONS_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signons_sqlite_2",
name: "Signons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\signons.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Signons — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `storage-sync.sqlite*` (extension synced storage) from each
/// profile, as collected by KAPE's `SQLiteDatabases` target. Low priority.
pub(crate) static KAPE_FILE_STORAGE_SYNC_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_storage_sync_sqlite_2",
name: "Storage Sync",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\storage-sync.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Storage Sync — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `webappstore.sqlite*` (DOM/local storage) from each profile, as
/// collected by KAPE's `SQLiteDatabases` target. Low priority.
pub(crate) static KAPE_FILE_WEBAPPSTORE_SQLITE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webappstore_sqlite_2",
name: "Webappstore",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\webappstore.sqlite*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Webappstore — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows push-notification database `wpndatabase.db` under each user's
/// local AppData, as collected by KAPE's `SQLiteDatabases` target.
///
/// NOTE(review): the display name says "Windows 10" but `os_scope` is the
/// generator-wide `Win7Plus` default; the narrower scope is probably right.
pub(crate) static KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notifications_wpndatabase_db",
name: "Windows 10 Notification DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows 10 Notification DB — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows notification store `appdb.dat` under each user's local AppData,
/// as collected by KAPE's `SQLiteDatabases` target. Shares the display name
/// "Windows 10 Notification DB" with the `wpndatabase.db` entry.
///
/// NOTE(review): name says "Windows 10" while `os_scope` is `Win7Plus` —
/// likely the generator default rather than a deliberate scope; confirm.
pub(crate) static KAPE_FILE_NOTIFICATIONS_APPDB_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notifications_appdb_dat",
name: "Windows 10 Notification DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\appdb.dat",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows 10 Notification DB — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Timeline `ActivitiesCache.db*` under each user's
/// `ConnectedDevicesPlatform\*` directory, as collected by KAPE's
/// `SQLiteDatabases` target. Identity decoder, no fields attached.
///
/// NOTE(review): priority Low although Timeline records per-user application
/// execution with timestamps; confirm against the project's weighting rules.
pub(crate) static KAPE_FILE_ACTIVITIESCACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_activitiescache_db",
name: "ActivitiesCache.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\ConnectedDevicesPlatform\\*\\ActivitiesCache.db*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ActivitiesCache.db — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Update Session Orchestrator store under `C:\ProgramData\USOPrivate`, as
/// collected by KAPE's `SQLiteDatabases` target. Identity decoder.
///
/// NOTE(review): `file_path` reads `UpdateStorestore.db` with no separator
/// between what look like a directory (`UpdateStore`) and a file name
/// (`store.db`) — consistent with the tkape Path and FileMask having been
/// concatenated by the ingest pipeline. As written, a literal lookup will not
/// match; verify against the upstream tkape and fix in the generator.
pub(crate) static KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_usoprivate_updatestorestore_db",
name: "Update Store.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\USOPrivate\\UpdateStorestore.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Update Store.db — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Bitdefender SQLite databases (`.db`, `.db-wal`, `.db-shm`) under
/// `C:\Program Files*\Bitdefender*`, as collected by KAPE's
/// `SQLiteDatabases` target.
///
/// NOTE(review): `file_path` embeds KAPE's `regex:` prefix syntax, so it is
/// not a plain glob like the other entries in this file; any consumer that
/// treats `file_path` as a glob must special-case it. The `meaning` string
/// also carries escaped double quotes copied from the tkape rather than the
/// usual "<name> — collected by KAPE <target> target" form.
pub(crate) static KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regex_db_db_wal_db_shm_2",
name: "Bitdefender SQLite DB Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files*\\Bitdefender*\\regex:*.+\\.(db|db-wal|db-shm)"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Bitdefender SQLite databases\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows diagnostic-telemetry store `EventTranscript.db` under
/// `C:\ProgramData\Microsoft\Diagnosis`, as collected by KAPE's
/// `SQLiteDatabases` target. Identity decoder, no fields attached.
///
/// NOTE(review): `file_path` contains literal single quotes and no separator
/// between `EventTranscript` and `EventTranscript.db*` — this looks like the
/// tkape Path and a quoted FileMask being glued together during ingest, and
/// will not match on disk as written. Same shape in `KAPE_FILE_EVENTTRANSCRIPT_DB`
/// (the `Windows.old` copy). Verify against the upstream tkape.
pub(crate) static KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_diagnosis_eventtranscript_eventtranscript_db",
name: "EventTranscript.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Microsoft\\Diagnosis\\EventTranscript'EventTranscript.db*'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventTranscript.db — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Pre-upgrade copy of `EventTranscript.db` preserved under `C:\Windows.old`,
/// as collected by KAPE's `SQLiteDatabases` target. Identity decoder.
///
/// NOTE(review): the path carries the same quoted, separator-less
/// `EventTranscript'EventTranscript.db*'` tail as the live-system entry;
/// it appears to be an ingest artifact and will not match as written.
pub(crate) static KAPE_FILE_EVENTTRANSCRIPT_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventtranscript_db",
name: "EventTranscript.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows.old\\ProgramData\\Microsoft\\Diagnosis\\EventTranscript'EventTranscript.db*'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventTranscript.db — collected by KAPE SQLiteDatabases target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SQLiteDatabases.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `WebServers` entry of KAPE's compound `ServerTriage` target.
///
/// NOTE(review): `file_path` is the bare name of another KAPE target file,
/// not a path on the examined host — the tkape nests targets by name.
/// `artifact_type: File` is therefore misleading for consumers that glob
/// `file_path`; the ingest pipeline presumably does not resolve nesting.
pub(crate) static KAPE_FILE_WEBSERVERS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_webservers_tkape",
name: "WebServers",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WebServers.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WebServers — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `MongoDBLogs` entry of KAPE's compound `ServerTriage` target.
/// `file_path` names a nested target file (`MongoDBLogs.tkape`), not an
/// on-disk log path; the nested target's own paths are not expanded here.
pub(crate) static KAPE_FILE_MONGODBLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mongodblogs_tkape",
name: "MongoDB Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MongoDBLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MongoDB Logs — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Exchange` entry of KAPE's compound `ServerTriage` target. `file_path` is
/// the nested target's file name (`Exchange.tkape`), not a host path.
///
/// NOTE(review): Low priority for a mail-server artifact group; the nested
/// target's contents are not visible here, so confirm the weighting.
pub(crate) static KAPE_FILE_EXCHANGE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchange_tkape",
name: "Exchange",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Exchange.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Exchange — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ConfluenceLogs` entry of KAPE's compound `ServerTriage` target.
/// `file_path` names the nested target file, not a log directory on disk.
pub(crate) static KAPE_FILE_CONFLUENCELOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_confluencelogs_tkape",
name: "Confluence",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ConfluenceLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Confluence — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `FileZillaServer` entry of KAPE's compound `ServerTriage` target.
/// `file_path` names the nested target file, not a host path. The `_2`
/// suffix on the identifier de-duplicates an earlier entry of the same name.
pub(crate) static KAPE_FILE_FILEZILLASERVER_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_filezillaserver_tkape_2",
name: "FileZilla Server",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FileZillaServer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "FileZilla Server — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `OpenSSHServer` entry of KAPE's compound `ServerTriage` target.
/// `file_path` names the nested target file, not the sshd config/log path.
///
/// NOTE(review): Low priority for remote-access server logs; confirm against
/// how the nested target is weighted elsewhere in the corpus.
pub(crate) static KAPE_FILE_OPENSSHSERVER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_opensshserver_tkape",
name: "OpenSSH Server",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("OpenSSHServer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OpenSSH Server — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ManageEngineLogs` entry of KAPE's compound `ServerTriage` target.
/// `file_path` names the nested target file, not a log directory on disk.
pub(crate) static KAPE_FILE_MANAGEENGINELOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_manageenginelogs_tkape",
name: "ManageEngine",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ManageEngineLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ManageEngine — collected by KAPE ServerTriage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ServerTriage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `BitTorrent` entry of KAPE's compound `TorrentClients` target.
/// `file_path` names the nested target file, not a client install path.
pub(crate) static KAPE_FILE_BITTORRENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bittorrent_tkape",
name: "BitTorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("BitTorrent.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BitTorrent — collected by KAPE TorrentClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TorrentClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `qBittorrent` entry of KAPE's compound `TorrentClients` target.
/// `file_path` names the nested target file, not a client install path.
pub(crate) static KAPE_FILE_QBITTORRENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qbittorrent_tkape",
name: "qBittorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("qBittorrent.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "qBittorrent — collected by KAPE TorrentClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TorrentClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `uTorrent` entry of KAPE's compound `TorrentClients` target.
/// `file_path` names the nested target file, not a client install path.
pub(crate) static KAPE_FILE_UTORRENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_utorrent_tkape",
name: "uTorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("uTorrent.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "uTorrent — collected by KAPE TorrentClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/TorrentClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `USBDevicesLogs` entry of KAPE's compound `USBDetective` target.
/// `file_path` names the nested target file, not a host path; the `_3`
/// suffix de-duplicates earlier entries generated from other compound targets.
pub(crate) static KAPE_FILE_USBDEVICESLOGS_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_usbdeviceslogs_tkape_3",
name: "USBDevicesLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("USBDevicesLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "USBDevicesLogs — collected by KAPE USBDetective target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDetective.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegistryHives` entry of KAPE's compound `USBDetective` target. High
/// priority, consistent with the other hive-collecting entries in this
/// corpus. `file_path` names the nested target file, not a hive path.
pub(crate) static KAPE_FILE_REGISTRYHIVES_TKAPE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registryhives_tkape_5",
name: "RegistryHives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("RegistryHives.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegistryHives — collected by KAPE USBDetective target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDetective.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `EventLogs` entry of KAPE's compound `USBDetective` target. High priority.
/// `file_path` names the nested target file, not the `.evtx` directory.
pub(crate) static KAPE_FILE_EVENTLOGS_TKAPE_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventlogs_tkape_6",
name: "Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EventLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event Logs — collected by KAPE USBDetective target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDetective.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `LNKFilesAndJumplists` entry of KAPE's compound `USBDetective` target.
/// High priority. `file_path` names the nested target file, not a host path.
pub(crate) static KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_lnkfilesandjumplists_tkape_5",
name: "LNKFilesAndJumplists",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("LNKFilesAndJumplists.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNKFilesAndJumplists — collected by KAPE USBDetective target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDetective.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Amcache` entry of KAPE's compound `USBDetective` target. `file_path`
/// names the nested target file, not the Amcache hive path.
///
/// NOTE(review): Low here while the sibling `RegistryHives`, `EventLogs` and
/// `LNKFilesAndJumplists` entries from the same target are High; Amcache is
/// a primary execution-evidence source, so the weighting looks inconsistent.
pub(crate) static KAPE_FILE_AMCACHE_TKAPE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_amcache_tkape_3",
name: "Amcache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Amcache.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache — collected by KAPE USBDetective target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDetective.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `NewsbinPro` entry of KAPE's compound `UsenetClients` target.
/// `file_path` names the nested target file, not a client data path.
pub(crate) static KAPE_FILE_NEWSBINPRO_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_newsbinpro_tkape",
name: "NewsbinPro",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NewsbinPro.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NewsbinPro — collected by KAPE UsenetClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UsenetClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Newsleecher` entry of KAPE's compound `UsenetClients` target.
/// `file_path` names the nested target file, not a client data path.
pub(crate) static KAPE_FILE_NEWSLEECHER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_newsleecher_tkape",
name: "Newsleecher",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Newsleecher.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Newsleecher — collected by KAPE UsenetClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UsenetClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `NZBGet` entry of KAPE's compound `UsenetClients` target.
/// `file_path` names the nested target file, not a client data path.
pub(crate) static KAPE_FILE_NZBGET_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nzbget_tkape",
name: "NZBGet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NZBGet.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NZBGet — collected by KAPE UsenetClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UsenetClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SABnbzd` entry of KAPE's compound `UsenetClients` target. The spelling
/// (`SABnbzd`) is carried verbatim from the tkape; the `id`, `name`,
/// `file_path` and `meaning` all use it, so a rename would need to be made
/// in the ingest source, not here.
pub(crate) static KAPE_FILE_SABNBZD_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sabnbzd_tkape",
name: "SABnbzd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SABnbzd.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SABnbzd — collected by KAPE UsenetClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UsenetClients.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `VMwareInventory` entry of KAPE's compound `VMware` target.
/// `file_path` names the nested target file, not an inventory file on disk.
pub(crate) static KAPE_FILE_VMWAREINVENTORY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vmwareinventory_tkape",
name: "VMware Inventory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VMwareInventory.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VMware Inventory — collected by KAPE VMware target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMware.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `VMwareMemory` entry of KAPE's compound `VMware` target. `file_path`
/// names the nested target file, not the guest memory/snapshot files.
///
/// NOTE(review): `volatility` is `None` with an empty rationale even though
/// guest memory images are inherently volatile; the generator leaves these
/// unset for every KAPE entry, so treat the field as "not assessed".
pub(crate) static KAPE_FILE_VMWAREMEMORY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vmwarememory_tkape",
name: "VMware Memory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VMwareMemory.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VMware Memory — collected by KAPE VMware target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMware.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `VirtualDisks` entry of KAPE's compound `VMware` target. `file_path`
/// names the nested target file, not the virtual disk images themselves.
pub(crate) static KAPE_FILE_VIRTUALDISKS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualdisks_tkape",
name: "Virtual Hard Drives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VirtualDisks.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Virtual Hard Drives — collected by KAPE VMware target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VMware.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `ProtonVPN` entry of KAPE's compound `VPNClients` target.
/// `file_path` names the nested target file, not the client's log/config path.
pub(crate) static KAPE_FILE_PROTONVPN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_protonvpn_tkape",
name: "Proton VPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ProtonVPN.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Proton VPN — collected by KAPE VPNClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VPNClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VPNClients` compound target → nested target `OpenVPNClient.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_OPENVPNCLIENT_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_openvpnclient_tkape",
name: "OpenVPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("OpenVPNClient.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "OpenVPN — collected by KAPE VPNClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VPNClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VPNClients` compound target → nested target `PaloAlto.tkape`
/// (Palo Alto GlobalProtect client).
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_PALOALTO_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_paloalto_tkape",
name: "Palo Alto GlobalProtect VPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PaloAlto.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Palo Alto GlobalProtect VPN — collected by KAPE VPNClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VPNClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VPNClients` compound target → nested target `FortiClientVPN.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path. The
/// display name "Forti Client VPN" is taken verbatim from the upstream target.
pub(crate) static KAPE_FILE_FORTICLIENTVPN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_forticlientvpn_tkape",
name: "Forti Client VPN",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("FortiClientVPN.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Forti Client VPN — collected by KAPE VPNClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VPNClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VPNClients` compound target → nested target `PulseSecure.tkape`
/// (Ivanti Pulse Secure client).
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_PULSESECURE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_pulsesecure_tkape",
name: "Ivanti Pulse Secure",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PulseSecure.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ivanti Pulse Secure — collected by KAPE VPNClients target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VPNClients.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualBox` compound target → nested target `VirtualBoxLogs.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_VIRTUALBOXLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualboxlogs_tkape",
name: "VirtualBox Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VirtualBoxLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VirtualBox Logs — collected by KAPE VirtualBox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualBox` compound target → nested target `VirtualBoxMemory.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_VIRTUALBOXMEMORY_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualboxmemory_tkape",
name: "VirtualBox Memory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VirtualBoxMemory.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VirtualBox Memory — collected by KAPE VirtualBox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualBox` compound target → nested target `VirtualBoxConfig.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_VIRTUALBOXCONFIG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualboxconfig_tkape",
name: "VirtualBox Configs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VirtualBoxConfig.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VirtualBox Configs — collected by KAPE VirtualBox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualBox` compound target → nested target `VirtualDisks.tkape`.
///
/// Second occurrence of the `VirtualDisks.tkape` nested target (the first,
/// `KAPE_FILE_VIRTUALDISKS_TKAPE`, comes via `VMware.tkape`); only `meaning`
/// and `sources` differ. The `_2` suffix is the pipeline's id de-duplication,
/// so callers that key on `name` will see both entries.
pub(crate) static KAPE_FILE_VIRTUALDISKS_TKAPE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_virtualdisks_tkape_2",
name: "Virtual Hard Drives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("VirtualDisks.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Virtual Hard Drives — collected by KAPE VirtualBox target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualBox.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WSL` compound target → nested target `Debian.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// NOTE(review): `os_scope` is the table-wide `Win7Plus` default; WSL
/// distributions only exist on Windows 10 and later, so this is broader than
/// the artifact — worth narrowing in the ingest pipeline if a tighter
/// `OsScope` variant exists.
pub(crate) static KAPE_FILE_DEBIAN_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_debian_tkape",
name: "Debian",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Debian.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian — collected by KAPE WSL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WSL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WSL` compound target → nested target `Ubuntu.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// NOTE(review): `os_scope` `Win7Plus` is wider than WSL's Windows 10+
/// availability — same remark as the other WSL entries.
pub(crate) static KAPE_FILE_UBUNTU_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ubuntu_tkape",
name: "Ubuntu",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Ubuntu.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu — collected by KAPE WSL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WSL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WSL` compound target → nested target `Kali.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// NOTE(review): `os_scope` `Win7Plus` is wider than WSL's Windows 10+
/// availability — same remark as the other WSL entries.
pub(crate) static KAPE_FILE_KALI_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_kali_tkape",
name: "Kali",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Kali.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali — collected by KAPE WSL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WSL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WSL` compound target → nested target `openSUSE.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// NOTE(review): `os_scope` `Win7Plus` is wider than WSL's Windows 10+
/// availability — same remark as the other WSL entries.
pub(crate) static KAPE_FILE_OPENSUSE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_opensuse_tkape",
name: "openSUSE",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("openSUSE.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE — collected by KAPE WSL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WSL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WSL` compound target → nested target `SUSELinuxEnterpriseServer.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// NOTE(review): `os_scope` `Win7Plus` is wider than WSL's Windows 10+
/// availability — same remark as the other WSL entries.
pub(crate) static KAPE_FILE_SUSELINUXENTERPRISESERVER_TKAPE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_suselinuxenterpriseserver_tkape",
name: "SUSE Linux Enterprise Server",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("SUSELinuxEnterpriseServer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server — collected by KAPE WSL target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WSL.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `360SecureBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` here, unlike the `Low` used for the
/// mainstream-browser entries in this table — the grading comes from the
/// ingest pipeline; confirm the rule there before relying on it.
pub(crate) static KAPE_FILE_360SECUREBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_360securebrowser_tkape",
name: "360 Secure Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("360SecureBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "360 Secure Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Arc.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_ARC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_arc_tkape",
name: "Arc Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Arc.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Arc Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `BraveBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_BRAVEBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bravebrowser_tkape",
name: "Brave Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("BraveBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Brave Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Chrome.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path; the
/// profile directories and database masks live in the linked target.
pub(crate) static KAPE_FILE_CHROME_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_tkape",
name: "Chrome",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Chrome.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `ChromeBeta.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_CHROMEBETA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromebeta_tkape",
name: "Chrome Beta",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ChromeBeta.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Beta — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `ChromeDev.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_CHROMEDEV_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromedev_tkape",
name: "Chrome Dev",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ChromeDev.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Dev — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `ChromeSxS.tkape`
/// (Chrome Canary, which installs side-by-side with stable Chrome).
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_CHROMESXS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromesxs_tkape",
name: "Chrome SxS - Canary",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ChromeSxS.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome SxS - Canary — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Chromium.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_CHROMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chromium_tkape",
name: "Chromium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Chromium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chromium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `CocCoc.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_COCCOC_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_coccoc_tkape",
name: "CocCoc Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("CocCoc.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "CocCoc Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Edge.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path. The
/// Chromium-based Edge channels are separate entries (`KAPE_FILE_EDGECHROMIUM_TKAPE`
/// and siblings); which Edge generation this target covers is not stated on
/// this page — check the linked `.tkape`.
pub(crate) static KAPE_FILE_EDGE_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edge_tkape",
name: "Edge",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Edge.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `EdgeBetaChromium.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_EDGEBETACHROMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edgebetachromium_tkape",
name: "Edge Beta Chromium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EdgeBetaChromium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Beta Chromium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `EdgeChromium.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_EDGECHROMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edgechromium_tkape",
name: "Edge Chromium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EdgeChromium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Chromium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `EdgeDevChromium.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_EDGEDEVCHROMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edgedevchromium_tkape",
name: "Edge Dev Chromium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EdgeDevChromium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge Dev Chromium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `EdgeSxSChromium.tkape`
/// (Edge Canary, installed side-by-side with the stable channel).
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_EDGESXSCHROMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_edgesxschromium_tkape",
name: "Edge SxS - Canary Chromium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("EdgeSxSChromium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge SxS - Canary Chromium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Firefox.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_FIREFOX_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_firefox_tkape",
name: "Firefox",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Firefox.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `InternetExplorer.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_INTERNETEXPLORER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_internetexplorer_tkape",
name: "Internet Explorer",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("InternetExplorer.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Internet Explorer — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Opera.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_OPERA_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_opera_tkape",
name: "Opera",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Opera.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Opera — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `PrismaAccessBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_PRISMAACCESSBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prismaaccessbrowser_tkape",
name: "Prisma Access Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PrismaAccessBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prisma Access Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `PuffinSecureBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_PUFFINSECUREBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_puffinsecurebrowser_tkape",
name: "Puffin Secure Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("PuffinSecureBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Puffin Secure Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `QQBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_QQBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qqbrowser_tkape",
name: "QQ Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("QQBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "QQ Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Supermium.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_SUPERMIUM_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_supermium_tkape",
name: "Supermium",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Supermium.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Supermium — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `UCBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_UCBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ucbrowser_tkape",
name: "UCBrowser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("UCBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UCBrowser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Vivaldi.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_VIVALDI_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vivaldi_tkape",
name: "Vivaldi Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Vivaldi.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Vivaldi Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `WaveBrowser.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_WAVEBROWSER_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wavebrowser_tkape",
name: "WaveBrowser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("WaveBrowser.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WaveBrowser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebBrowsers` compound target → nested target `Yandex.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
/// `triage_priority` is `Medium` (mainstream browsers in this table are `Low`).
pub(crate) static KAPE_FILE_YANDEX_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_yandex_tkape",
name: "Yandex Browser",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("Yandex.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Yandex Browser — collected by KAPE WebBrowsers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebBrowsers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebServers` compound target → nested target `ApacheAccessLog.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path. The
/// concrete on-disk entry produced from that nested target is
/// `KAPE_FILE_C_ACCESS_LOG` further down this table.
pub(crate) static KAPE_FILE_APACHEACCESSLOG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apacheaccesslog_tkape",
name: "Apache Access Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("ApacheAccessLog.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Apache Access Logs — collected by KAPE WebServers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebServers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebServers` compound target → nested target `IISLogFiles.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path. The
/// per-location entries generated from that nested target are the
/// `KAPE_FILE_W3SVC_LOG*`, `KAPE_FILE_IIS_LOG_FILES` and
/// `KAPE_FILE_LOGFILES_LOG` statics further down this table.
pub(crate) static KAPE_FILE_IISLOGFILES_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_iislogfiles_tkape",
name: "IIS Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("IISLogFiles.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS Logs — collected by KAPE WebServers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebServers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebServers` compound target → nested target `NGINXLogs.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path.
pub(crate) static KAPE_FILE_NGINXLOGS_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nginxlogs_tkape",
name: "NGINX Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("NGINXLogs.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NGINX Logs — collected by KAPE WebServers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebServers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WebServers` compound target → nested target `MSSQLErrorLog.tkape`.
///
/// `file_path` is a nested-target reference, not a filesystem path. Note
/// that upstream groups the SQL Server error log under `WebServers`, so the
/// `meaning` string reflects that grouping rather than the artifact's nature.
pub(crate) static KAPE_FILE_MSSQLERRORLOG_TKAPE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mssqlerrorlog_tkape",
name: "MSSQL Error Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("MSSQLErrorLog.tkape"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MSSQL Error Logs — collected by KAPE WebServers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WebServers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Apache `access.log` as collected by the KAPE `ApacheAccessLog` target.
///
/// Unlike the `*_TKAPE` entries, `file_path` here is an actual on-disk
/// location. NOTE(review): the value is `C:\` joined with the literal string
/// `'access.log'`, single quotes included. KAPE targets express this as a
/// `Path` plus a `FileMask`, so the quotes look like YAML quoting carried over
/// by the ingest pipeline rather than part of the filename — confirm before
/// using this path for matching. The same pattern appears in the IIS entries
/// below (`'*.log'`).
pub(crate) static KAPE_FILE_C_ACCESS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_access_log",
name: "Apache Access Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'access.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Apache Access Log — collected by KAPE ApacheAccessLog target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ApacheAccessLog.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS W3C site logs under `%SystemRoot%\System32\LogFiles\W3SVC*` (KAPE
/// `IISLogFiles` target).
///
/// One of several on-disk locations the `IISLogFiles` target enumerates; the
/// siblings are `KAPE_FILE_IIS_LOG_FILES` (Windows.old copy),
/// `KAPE_FILE_LOGFILES_LOG` and `KAPE_FILE_W3SVC_LOG_2` (inetpub). The `W3SVC*`
/// segment is a wildcard over per-site ids. NOTE(review): the trailing
/// `'*.log'` keeps literal single quotes around the mask — presumably YAML
/// quoting carried over by the ingest pipeline; confirm before matching on it.
pub(crate) static KAPE_FILE_W3SVC_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_w3svc_log",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\LogFiles\\W3SVC*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS W3C site logs preserved under `C:\Windows.old` after an in-place
/// Windows upgrade (KAPE `IISLogFiles` target).
///
/// Same layout as `KAPE_FILE_W3SVC_LOG` but rooted in the previous
/// installation; useful when the upgrade post-dates the activity of interest.
/// NOTE(review): the trailing `'*.log'` keeps literal single quotes around
/// the mask — presumably an ingest artifact; confirm before matching on it.
pub(crate) static KAPE_FILE_IIS_LOG_FILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_iis_log_files",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\LogFiles\\W3SVC*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.log` files directly under the default IIS 7+ log root `C:\inetpub\logs\LogFiles`
/// (KAPE `IISLogFiles` target). Per-site `W3SVC*` and `FTPSVC*` subdirectories are
/// covered by their own entries.
pub(crate) static KAPE_FILE_LOGFILES_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logfiles_log",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\inetpub\\logs\\LogFiles\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-site IIS W3C logs under `C:\inetpub\logs\LogFiles\W3SVC*` — the default location on
/// IIS 7 and later (KAPE `IISLogFiles` target). For web-shell or exploitation triage this is
/// typically the first of the IIS entries to check.
pub(crate) static KAPE_FILE_W3SVC_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_w3svc_log_2",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\inetpub\\logs\\LogFiles\\W3SVC*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS W3C logs under `C:\Resources\Directory\*\LogFiles\Web\W3SVC*` (KAPE `IISLogFiles`
/// target). NOTE(review): this layout is not a stock IIS location — presumably a hosted /
/// cloud-service role layout; confirm before treating absence as meaningful.
pub(crate) static KAPE_FILE_W3SVC_LOG_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_w3svc_log_3",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Resources\\Directory\\*\\LogFiles\\Web\\W3SVC*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// HTTP.sys error logs (`%SystemRoot%\System32\LogFiles\HTTPERR`), collected by the KAPE
/// `IISLogFiles` target. These are written by the kernel HTTP driver rather than a site, so
/// they can record malformed or rejected requests that never reach the W3SVC site logs.
pub(crate) static KAPE_FILE_HTTPERR_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_httperr_log",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\system32\\LogFiles\\HTTPERR\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS FTP service logs under `C:\inetpub\logs\LogFiles\FTPSVC*` (KAPE `IISLogFiles`
/// target). The `name`/`meaning` are shared with the web-site entries; only the path differs.
pub(crate) static KAPE_FILE_FTPSVC_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ftpsvc_log",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\inetpub\\logs\\LogFiles\\FTPSVC*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Catch-all for `*.log` in any immediate subdirectory of `C:\inetpub\logs\LogFiles`
/// (KAPE `IISLogFiles` target). Overlaps the `W3SVC*` and `FTPSVC*` entries above; the
/// generic `kape_file_log_2` id comes from the path and says nothing about the product.
pub(crate) static KAPE_FILE_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_2",
name: "IIS log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\inetpub\\logs\\LogFiles\\*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "IIS log files — collected by KAPE IISLogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISLogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Current SQL Server `ERRORLOG` (no extension) for every instance directory under
/// `Program Files\Microsoft SQL Server\*\MSSQL\LOG` (KAPE `MSSQLErrorLog` target).
/// Rotated copies (`ERRORLOG.1`, …) are the next entry; failed-login messages land here
/// when login auditing is enabled.
pub(crate) static KAPE_FILE_LOG_ERRORLOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_errorlog",
name: "MS SQL Errorlog",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\ERRORLOG"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MS SQL Errorlog — collected by KAPE MSSQLErrorLog target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MSSQLErrorLog.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Rotated SQL Server error logs (`ERRORLOG.*`) alongside the live `ERRORLOG`
/// (KAPE `MSSQLErrorLog` target). Note the mask is unquoted here, unlike most entries in
/// this file — it is a plain glob on the final path component.
pub(crate) static KAPE_FILE_MS_SQL_ERRORLOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ms_sql_errorlogs",
name: "MS SQL Errorlogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\ERRORLOG.*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MS SQL Errorlogs — collected by KAPE MSSQLErrorLog target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MSSQLErrorLog.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Whole `logs` directory of a ManageEngine Desktop Central server install
/// (KAPE `ManageEngineLogs` target). A trailing backslash with no mask means the directory
/// is collected as a unit rather than filtered by extension.
pub(crate) static KAPE_FILE_DESKTOPCENTRAL_SERVER_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_desktopcentral_server_logs",
name: "ManageEngine Desktop Central Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ManageEngine\\DesktopCentral_Server\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ManageEngine Desktop Central Log Files — collected by KAPE ManageEngineLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ManageEngineLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Whole `logs` directory of a ManageEngine ADSelfService Plus install
/// (KAPE `ManageEngineLogs` target). Collected as a directory, same as the Desktop Central
/// entry above.
pub(crate) static KAPE_FILE_ADSELFSERVICE_PLUS_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_adselfservice_plus_logs",
name: "ManageEngine ADSelfService Plus Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ManageEngine\\ADSelfService Plus\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"ManageEngine ADSelfService Plus Log Files — collected by KAPE ManageEngineLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ManageEngineLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MongoDB server logs in the MSI default `Program Files\MongoDB\Server\<ver>\log`
/// (KAPE `MongoDBLogs` target). NOTE(review): the mask here is wrapped in double quotes
/// (`"*.log*"`) while the rest of this file uses single quotes, and `meaning` carries the
/// upstream Comment's surrounding quotes verbatim — both look like ingest carry-over;
/// confirm the path matcher accepts either quote style before relying on this entry.
pub(crate) static KAPE_FILE_LOG_LOG_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_log_log_4",
name: "MongoDB Logs (Program Files)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\MongoDB\\Server\\*\\log\\\"*.log*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"MongoDB log files in default MSI install log directory\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MongoDBLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MongoDB server logs where the install uses a `logs` (plural) directory under
/// `Program Files\MongoDB\Server\<ver>` (KAPE `MongoDBLogs` target). Same double-quoted
/// mask and quoted `meaning` as the other MongoDB entries — see the note on the first one.
pub(crate) static KAPE_FILE_LOGS_LOG_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_log_4",
name: "MongoDB Logs (Program Files - logs folder)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\MongoDB\\Server\\*\\logs\\\"*.log*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"MongoDB log files when folder is named 'logs'\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MongoDBLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MongoDB logs in `C:\data\log`, the conventional directory for manual (non-MSI)
/// installs (KAPE `MongoDBLogs` target). Double-quoted mask and quoted `meaning` as in the
/// other MongoDB entries.
pub(crate) static KAPE_FILE_MONGODB_LOGS_C_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mongodb_logs_c_data",
name: "MongoDB Logs (C:\\data\\log)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\data\\log\\\"*.log*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Common default MongoDB log directory for manual installations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MongoDBLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MongoDB logs in `C:\ProgramData\MongoDB\log`, used by Windows-service installs
/// (KAPE `MongoDBLogs` target). Double-quoted mask and quoted `meaning` as in the other
/// MongoDB entries.
pub(crate) static KAPE_FILE_MONGODB_LOGS_PROGRAM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mongodb_logs_program",
name: "MongoDB Logs (ProgramData)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\MongoDB\\log\\\"*.log*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Log directory for MongoDB Windows service installations\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MongoDBLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// MongoDB logs in the alternate `C:\MongoDB\log` install root (KAPE `MongoDBLogs`
/// target). The truncated `_ALTERNA` suffix in the identifier is an artifact of the
/// generator's name shortening. Double-quoted mask and quoted `meaning` as in the other
/// MongoDB entries.
pub(crate) static KAPE_FILE_MONGODB_LOGS_ALTERNA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_mongodb_logs_alterna",
name: "MongoDB Logs (Alternate Install)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\MongoDB\\log\\\"*.log*\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Common non-default install log directory\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MongoDBLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NGINX access/error logs in the default Windows install root `C:\nginx\logs`
/// (KAPE `NGINXLogs` target). Only this one root is covered; custom `error_log` /
/// `access_log` directives in `nginx.conf` would point elsewhere.
pub(crate) static KAPE_FILE_LOGS_LOG_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_log_5",
name: "NGINX Log Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\nginx\\logs\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NGINX Log Files — collected by KAPE NGINXLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NGINXLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user PSReadLine console history (`ConsoleHost_history.txt` and similar) under the
/// roaming profile (KAPE `PowerShellConsole` target). Records interactively typed PowerShell
/// commands, which makes it a primary IR artifact for hands-on-keyboard activity.
/// NOTE(review): `triage_priority` is `Low` here; consider whether that matches how this
/// artifact is used in practice. Directory spelled `PSReadline` here and `PSReadLine` in
/// the system-profile entries — harmless on a case-insensitive NTFS volume.
pub(crate) static KAPE_FILE_PSREADLINE_HISTORY_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_psreadline_history_txt",
name: "PowerShell Console Log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\'*_history.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Console Log — collected by KAPE PowerShellConsole target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellConsole.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PSReadLine history for the SYSTEM account's profile
/// (`System32\config\systemprofile`), KAPE `PowerShellConsole` target. History here means
/// an interactive PowerShell session ran as SYSTEM, which is unusual on most hosts and
/// worth explaining during triage. The `_L` suffix is a generator-truncated identifier.
pub(crate) static KAPE_FILE_POWERSHELL_CONSOLE_L: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_console_l",
name: "PowerShell Console Log Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\'*_history.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Console Log Systemprofile — collected by KAPE PowerShellConsole target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellConsole.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PSReadLine history for the SYSTEM profile as seen by 32-bit processes
/// (`SysWOW64\config\systemprofile`), KAPE `PowerShellConsole` target. Companion to the
/// 64-bit system-profile entry above; a 32-bit PowerShell host writes here instead.
pub(crate) static KAPE_FILE_PSREADLINE_HISTORY_TXT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_psreadline_history_txt_2",
name: "PowerShell Console Log WOW64 Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\'*_history.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Console Log WOW64 Systemprofile — collected by KAPE PowerShellConsole target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellConsole.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PowerShell ISE auto-saved script drafts (`*.ps1`) under the per-user
/// `Microsoft_Corporation\powershell_ise.exe_StrongName*` isolated-storage directory
/// (KAPE `PowerShellConsole` target). Can preserve script content that was edited in the
/// ISE but never saved to its intended location.
pub(crate) static KAPE_FILE_AUTOSAVEFILES_PS1: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_autosavefiles_ps1",
name: "PowerShell ISE - AutoSave Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft_Corporation\\powershell_ise.exe_StrongName*\\*\\AutoSaveFiles\\'*.ps1'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell ISE - AutoSave Files — collected by KAPE PowerShellConsole target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellConsole.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PowerShell ISE per-user `*.config` settings files, sibling of the AutoSave directory
/// (KAPE `PowerShellConsole` target). The bare `kape_file_config` id is derived from the
/// mask alone and is easy to confuse with other `.config` entries — search by `name`.
pub(crate) static KAPE_FILE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config",
name: "PowerShell ISE - User Config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft_Corporation\\powershell_ise.exe_StrongName*\\*\\'*.config'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell ISE - User Config — collected by KAPE PowerShellConsole target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellConsole.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// BitTorrent client state files (`*.dat`, e.g. resume/settings data) in the user's roaming
/// profile (KAPE `BitTorrent` target).
pub(crate) static KAPE_FILE_BITTORRENT_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bittorrent_dat",
name: "TorrentClients - BitTorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\BitTorrent\\'*.dat'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TorrentClients - BitTorrent — collected by KAPE BitTorrent target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BitTorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// DC++ (Direct Connect client) hub and private-chat logs directory
/// (KAPE `DC++` target). `meaning` keeps the upstream Comment's surrounding quotes and
/// its "current as of version 0.868" caveat — newer client versions may relocate the logs.
pub(crate) static KAPE_FILE_DC_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_dc_logs",
name: "DC++ Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\DC++\\Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates DC++ hub/chat logs and copies them. Current as of version 0.868.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/DC++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Freenet node configuration/state files matching `node*` in the user's local Freenet
/// directory (KAPE `Freenet` target). First of five Freenet entries sharing the same
/// `name` and `meaning`; only the mask differs.
pub(crate) static KAPE_FILE_FREENET_NODE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freenet_node",
name: "Freenet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Freenet\\'node*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Freenet — collected by KAPE Freenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Freenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Freenet `*completed.list.downloads` — the client's record of finished downloads
/// (KAPE `Freenet` target). The declaration is split over two lines because the identifier
/// is long; nothing else differs from the other Freenet entries.
pub(crate) static KAPE_FILE_FREENET_COMPLETED_LIST_DOWNLOADS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_freenet_completed_list_downloads",
name: "Freenet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Freenet\\'*completed.list.downloads'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Freenet — collected by KAPE Freenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Freenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Freenet `*completed.list.uploads` — the client's record of finished uploads/inserts
/// (KAPE `Freenet` target). Counterpart of the downloads entry above.
pub(crate) static KAPE_FILE_FREENET_COMPLETED_LIST_UPLOADS: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_freenet_completed_list_uploads",
name: "Freenet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Freenet\\'*completed.list.uploads'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Freenet — collected by KAPE Freenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Freenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Freenet `*.bak` backup copies of its config/state files (KAPE `Freenet` target).
/// Worth collecting alongside the live files because they can preserve earlier settings.
pub(crate) static KAPE_FILE_FREENET_BAK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freenet_bak",
name: "Freenet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Freenet\\'*.bak'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Freenet — collected by KAPE Freenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Freenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The Freenet `downloads` directory collected whole (trailing backslash, no mask),
/// KAPE `Freenet` target. Unlike the list files above this pulls the downloaded content
/// itself, so the volume can be large.
pub(crate) static KAPE_FILE_FREENET_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_freenet_downloads",
name: "Freenet",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Freenet\\downloads\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Freenet — collected by KAPE Freenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Freenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// FrostWire's default download directory `Documents\FrostWire\Torrent Data`
/// (KAPE `FrostWire` target). Path has no trailing separator or mask — the directory is
/// collected as a unit. `meaning` carries the upstream Comment's surrounding quotes.
pub(crate) static KAPE_FILE_FROSTWIRE_TORRENT_DATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_frostwire_torrent_data",
name: "FrostWire Downloads",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\FrostWire\\Torrent Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Locates files downloaded that land in the default location as specified by FrostWire\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FrostWire.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
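/// FrostWire instance settings file `frostwire.props` in the user's `.frostwire5` directory
/// (KAPE `FrostWire` target).
///
/// Fix: the generated path read `...\.frostwire5'frostwire.props'` with no separator between
/// the directory and the quoted mask, so it could never match anything. Every other entry in
/// this file joins directory and mask with `\`, which is what the path now does. Because the
/// file is generated, the same fix is needed in the ingest's path/mask join (presumably it
/// assumes the upstream `Path` ends with a backslash — verify there) or regeneration will
/// reintroduce the defect.
pub(crate) static KAPE_FILE_USER_FROSTWIRE5_FROSTWIRE_PROPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_frostwire5_frostwire_props",
name: "FrostWire AppData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory and mask are separated by `\` as in the rest of this file.
file_path: Some("C:\\Users\\%user%\\.frostwire5\\'frostwire.props'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a file that contains important information about the instance of FrostWire on the user's system\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FrostWire.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};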
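/// FrostWire iTunes-integration settings file `itunes.props` in the user's `.frostwire5`
/// directory (KAPE `FrostWire` target).
///
/// Fix: as with the `frostwire.props` entry, the generated path lacked the `\` between the
/// `.frostwire5` directory and the quoted mask, so the pattern could not match. The join now
/// follows the convention used by every other entry in this file. The root cause is in the
/// ingest's path/mask join (it appears to rely on a trailing backslash in the upstream
/// `Path` — verify), so regeneration will undo this until that is fixed.
pub(crate) static KAPE_FILE_USER_FROSTWIRE5_ITUNES_PROPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_frostwire5_itunes_props",
name: "FrostWire AppData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Directory and mask are separated by `\` as in the rest of this file.
file_path: Some("C:\\Users\\%user%\\.frostwire5\\'itunes.props'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a file that contains important information about the instance of FrostWire on the user's system\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/FrostWire.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};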
/// Gigatribe (vendor directory `Shalsoft`) data under the user's local AppData on
/// Vista and later (KAPE `Gigatribe` target). Collected as a whole directory.
pub(crate) static KAPE_FILE_LOCAL_SHALSOFT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_shalsoft",
name: "Gigatribe Files Windows Vista/7/8/10",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Shalsoft\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Gigatribe files and copies them\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Gigatribe.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Gigatribe data in the Windows XP profile layout (`Documents and Settings\...\Application
/// Data\Gigatribe`), KAPE `Gigatribe` target. The `*` segment absorbs the locale-specific
/// "Local Settings" directory name that `meaning` describes.
/// NOTE(review): `os_scope` is `Win7Plus` although the name and path are XP-specific — the
/// generator appears to emit the same scope for every entry; flag rather than trust it.
pub(crate) static KAPE_FILE_APPLICATION_DATA_GIGATRIBE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_application_data_gigatribe",
name: "Gigatribe Files Windows XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\*\\Application Data\\Gigatribe\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\\Documents and Settings\\<username>\\Lokala Inställningar\\Application Data\\Gigatribe",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Gigatribe.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Gigatribe vendor directory (`Shalsoft`) in the Windows XP profile layout, KAPE
/// `Gigatribe` target. Same locale wildcard and the same `Win7Plus`-on-an-XP-path
/// inconsistency as the `Gigatribe` XP entry above.
pub(crate) static KAPE_FILE_APPLICATION_DATA_SHALSOFT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_application_data_shalsoft",
name: "Gigatribe Files Windows XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\*\\Application Data\\Shalsoft\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\\Documents and Settings\\<username>\\Lokala Inställningar\\Application Data\\Shalsoft",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Gigatribe.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NZBGet's main log `nzbget.log` in `ProgramData` (KAPE `NZBGet` target). Machine-wide
/// rather than per-user, so it is not under a `%user%` profile.
pub(crate) static KAPE_FILE_NZBGET_NZBGET_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nzbget_nzbget_log",
name: "Usenet Clients - NZBGet Log File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\NZBGet\\'nzbget.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates NZBGet download log file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NZBGet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NZBGet's `nzb` queue directory collected whole (KAPE `NZBGet` target). Holds the NZB
/// index files that were queued, which name the content that was requested.
pub(crate) static KAPE_FILE_NZBGET_NZB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nzbget_nzb",
name: "Usenet Clients - NZBGet NZBs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\NZBGet\\nzb\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates NZBGet NZB files that were used by the user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NZBGet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Newsbin Pro's `Downloaded.db3` download-history database in the user's local AppData
/// (KAPE `NewsbinPro` target). `decoder` is `Identity` — the SQLite content is collected as-is
/// and parsed elsewhere, if at all.
pub(crate) static KAPE_FILE_NEWSBIN_DOWNLOADED_DB3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_newsbin_downloaded_db3",
name: "Usenet Clients - Newsbin Pro",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Newsbin\\'Downloaded.db3'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Newsbin Pro download log database\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NewsbinPro.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// NewsLeecher's `downloaded.dat` download record in the user's roaming AppData
/// (KAPE `Newsleecher` target).
pub(crate) static KAPE_FILE_NEWSLEECHER_DOWNLOADED_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_newsleecher_downloaded_dat",
name: "Usenet Clients - Newsleecher",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\NewsLeecher\\'downloaded.dat'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Newsleecher download .dat file\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Newsleecher.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Nicotine+ (Soulseek client) `logs` directory — chat, room, transfer and optional debug
/// logs (KAPE `Nicotine++` target).
/// NOTE(review): the profile placeholder is spelled `%User%` in the Nicotine entries but
/// `%user%` everywhere else in this file; harmless only if the placeholder expansion is
/// case-insensitive — confirm, or normalise in the ingest.
pub(crate) static KAPE_FILE_NICOTINE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_logs",
name: "Nicotine++ Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\logs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Nicotine+ `incomplete` directory holding partially downloaded files
/// (KAPE `Nicotine++` target). Uses the `%User%` placeholder spelling — see the note on
/// `KAPE_FILE_NICOTINE_LOGS`.
pub(crate) static KAPE_FILE_NICOTINE_INCOMPLETE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_incomplete",
name: "Nicotine++ Incomplete Downloads",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\incomplete"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates files that did not finish downloading\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Nicotine+ `buddyfiles.db` — per the upstream comment, a database of files shared with
/// the user's buddy list (KAPE `Nicotine++` target). The upstream wording ("appears to")
/// is itself hedged; treat the content interpretation as unconfirmed.
pub(crate) static KAPE_FILE_NICOTINE_BUDDYFILES_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_buddyfiles_db",
name: "Nicotine++ Buddyfiles.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'buddyfiles.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a DB that appears to include shared files from a user's buddy list\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Nicotine++` target: `buddystreams.db` in the Nicotine++ Roaming folder.
/// The upstream comment is identical to the `buddyfiles.db` entry, so the two
/// are not distinguished by `meaning`; only the file name differs.
pub(crate) static KAPE_FILE_NICOTINE_BUDDYSTREAMS_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_buddystreams_db",
name: "Nicotine++ Buddystreams.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'buddystreams.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a DB that appears to include shared files from a user's buddy list\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Nicotine++` target: `buddymtimes.db` — per the upstream comment, a
/// folder-level index of what the user shares with their buddy list.
pub(crate) static KAPE_FILE_NICOTINE_BUDDYMTIMES_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_buddymtimes_db",
name: "Nicotine++ Buddymtimes.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'buddymtimes.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a folder level\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Nicotine++` target: `buddyfileindex.db` — per the upstream comment, the
/// file-level counterpart of `buddymtimes.db` (what the user shares with their
/// buddy list, per file).
pub(crate) static KAPE_FILE_NICOTINE_BUDDYFILEINDEX_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_buddyfileindex_db",
name: "Nicotine++ Buddyfileindex.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'buddyfileindex.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a DB that appears to enumerate which files the user is sharing to their buddy list, from a file level\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
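/// KAPE `Nicotine++` target: `buddywordindex.db` in the Nicotine++ Roaming
/// folder; the upstream comment records no known purpose for this file.
///
/// The generated `file_path` was missing the `\` between `nicotine` and the
/// quoted file mask (`...\nicotine'buddywordindex.db'`), so it named a
/// non-existent path and could never match; it now uses the same
/// `nicotine\\'<mask>'` form as the sibling `buddy*.db` entries. The `id` and
/// static name are kept as generated so existing references stay valid.
/// NOTE(review): the generator appears to join the source Path and FileMask
/// without a separator when the Path has no trailing backslash — fix that in
/// `ingest` as well, or this correction is lost on regeneration.
pub(crate) static KAPE_FILE_ROAMING_NICOTINE_BUDDYWORDINDEX_DB: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_roaming_nicotine_buddywordindex_db",
name: "Nicotine++ Buddywordindex.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'buddywordindex.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Unknown what this is for at this time\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};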
/// KAPE `Nicotine++` target: the Nicotine++ `config` directory under the user's
/// Roaming profile (client configuration files).
pub(crate) static KAPE_FILE_NICOTINE_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_config",
name: "Nicotine++ Config Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\config"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates config files\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Nicotine++` target: the `usershares` directory — per the upstream
/// comment, per-remote-user share lists that only exist once the local user has
/// browsed that remote user's shared files, so absence is not evidence of
/// non-use.
pub(crate) static KAPE_FILE_NICOTINE_USERSHARES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_nicotine_usershares",
name: "Nicotine++ User Shares",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\usershares"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates a DB that appears to store a list of files per user that they are sharing within Nicotine++. Note: this requires the user to right-click -> browse files shared by that user\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
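/// KAPE `Nicotine++` target: `downloads.json*` (the download queue/history
/// file and any rotated copies) in the Nicotine++ Roaming folder. Rated
/// `Medium` as it records what the user pulled from the network.
///
/// The generated `file_path` was missing the `\` between `nicotine` and the
/// quoted mask (`...\nicotine'downloads.json*'`), so it could never match; it
/// now uses the same `nicotine\\'<mask>'` form as the other Nicotine++ file
/// entries. `id` and static name are kept as generated.
/// NOTE(review): the generator appears to join the source Path and FileMask
/// without a separator when the Path has no trailing backslash — fix that in
/// `ingest` as well, or this correction is lost on regeneration.
pub(crate) static KAPE_FILE_ROAMING_NICOTINE_DOWNLOADS_JSON: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_roaming_nicotine_downloads_json",
name: "Nicotine++ Downloads.json",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'downloads.json*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates downloads.json\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};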
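/// KAPE `Nicotine++` target: `uploads.json*` (the upload queue/history file and
/// any rotated copies) in the Nicotine++ Roaming folder.
///
/// The generated `file_path` was missing the `\` between `nicotine` and the
/// quoted mask (`...\nicotine'uploads.json*'`), so it could never match; it
/// now uses the same `nicotine\\'<mask>'` form as the other Nicotine++ file
/// entries. `id` and static name are kept as generated.
/// NOTE(review): the generator appears to join the source Path and FileMask
/// without a separator when the Path has no trailing backslash — fix that in
/// `ingest` as well, or this correction is lost on regeneration.
pub(crate) static KAPE_FILE_ROAMING_NICOTINE_UPLOADS_JSON: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_roaming_nicotine_uploads_json",
name: "Nicotine++ Uploads.json",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%User%\\AppData\\Roaming\\nicotine\\'uploads.json*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates uploads.json\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Nicotine++.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};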
/// KAPE `SABnbzd` target (upstream file name is spelled that way): the SABnzbd
/// Usenet client's `sabnzbd.log` under the user's Local profile. Rated `Medium`
/// as a download activity log.
pub(crate) static KAPE_FILE_LOGS_SABNZBD_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_sabnzbd_log",
name: "Usenet Clients - SABnzbd Download Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\sabnzbd\\logs\\'sabnzbd.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates SABnzbd download log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
// The source URL keeps the upstream "SABnbzd" spelling on purpose; do not "correct" it.
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SABnbzd.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SABnbzd` target: SABnzbd's `history1.db` in the client's `admin`
/// folder (download history). The generated `id`/static name are derived from
/// the `admin\history1.db` path and do not mention SABnzbd; `name` does.
pub(crate) static KAPE_FILE_ADMIN_HISTORY1_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_admin_history1_db",
name: "Usenet Clients - SABnzbd History.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\sabnzbd\\admin\\'history1.db'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates SABnzbd history log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
// The source URL keeps the upstream "SABnbzd" spelling on purpose; do not "correct" it.
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SABnbzd.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Shareaza` target: the whole Shareaza Roaming profile directory
/// (trailing `\` — a directory collection, not a single file).
pub(crate) static KAPE_FILE_ROAMING_SHAREAZA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_roaming_shareaza",
name: "Shareaza Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Shareaza\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Shareaza logs and copies them.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Shareaza.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Soulseek` target: the SoulseekQt chat log directory. Per the upstream
/// comment the logs are plaintext and the path was verified against client
/// version 2019.7.22 — newer builds may have moved it.
pub(crate) static KAPE_FILE_SOULSEEKQT_SOULSEEK_CHAT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_soulseekqt_soulseek_chat_logs",
name: "Soulseek Chat Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\SoulseekQt\\Soulseek Chat Logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Soulseek.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Soulseek` target: `*.dat` files under the SoulseekQt `1` directory
/// (search history, active searches, shared folders, wish list — see `meaning`).
/// The generated `id`/static name come from the `1\*.dat` path and are not
/// self-describing; they are kept as generated because other entries may
/// reference the `id`.
pub(crate) static KAPE_FILE_1_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_1_dat",
name: "Soulseek Search History/Shared Folders/Settings",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\SoulseekQt\\1\\'*.dat'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item).\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Soulseek.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Torrents` target: every `*.torrent` file on the `C:` volume. The mask
/// has no directory component, so matching it means a volume-wide search;
/// `meaning` is the generator's fallback text (no upstream comment).
pub(crate) static KAPE_FILE_C_TORRENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_torrent",
name: "Torrents",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.torrent'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Torrents — collected by KAPE Torrents target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Torrents.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Usenet` target: every `*.nzb` (Usenet download index) file on the `C:`
/// volume. As with the `*.torrent` entry the mask has no directory, so this is
/// a volume-wide search; `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_C_NZB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_nzb",
name: "Usenet (NZB) Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.nzb'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Usenet (NZB) Files — collected by KAPE Usenet target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Usenet.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `eMule` target: the whole eMule Local profile directory (logs and
/// configuration; trailing `\` marks a directory collection).
pub(crate) static KAPE_FILE_LOCAL_EMULE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_emule",
name: "eMule Logs and Configuration Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\eMule\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates eMule logs and configuration files and copies them.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/eMule.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `eMule` target: every `*.part.met` (eMule partial-download metadata)
/// file on the `C:` volume — a volume-wide mask with no directory component.
pub(crate) static KAPE_FILE_C_PART_MET: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_part_met",
name: "eMule part.met files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.part.met'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locates eMule *.part.met files and copies them.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/eMule.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `qBittorrent` target: `*.ini` configuration files in the qBittorrent
/// Roaming folder. Four entries in this file share the `name`
/// "TorrentClients - qBittorrent"; only `id`/`file_path` tell them apart.
pub(crate) static KAPE_FILE_QBITTORRENT_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qbittorrent_ini",
name: "TorrentClients - qBittorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\qBittorrent\\'*.ini'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TorrentClients - qBittorrent — collected by KAPE qBittorrent target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/qBittorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `qBittorrent` target: the qBittorrent `logs` directory under the user's
/// Local profile. Shares its `name` with the other qBittorrent entries; the
/// `id` is the distinguishing key.
pub(crate) static KAPE_FILE_QBITTORRENT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qbittorrent_logs",
name: "TorrentClients - qBittorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\qBittorrent\\logs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TorrentClients - qBittorrent — collected by KAPE qBittorrent target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/qBittorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `qBittorrent` target: the `GeoDB` directory holding the client's
/// `.mmdb` geolocation database, used when attributing peer connections.
pub(crate) static KAPE_FILE_QBITTORRENT_GEODB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qbittorrent_geodb",
name: "TorrentClients - qBittorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\qBittorrent\\GeoDB\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locate .mmdb file for network peer connection analysis.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/qBittorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `qBittorrent` target: the `BT_backup` directory, where the client keeps
/// the torrent files of active (in-progress) transfers.
pub(crate) static KAPE_FILE_QBITTORRENT_BT_BACKUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_qbittorrent_bt_backup",
name: "TorrentClients - qBittorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\qBittorrent\\BT_backup\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Locate active (in-progress) torrent files.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/qBittorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `uTorrent` target: `*.dat` files in the uTorrent Roaming folder
/// (client state/settings). `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_UTORRENT_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_utorrent_dat",
name: "TorrentClients - uTorrent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\uTorrent\\'*.dat'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "TorrentClients - uTorrent — collected by KAPE uTorrent target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/uTorrent.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$Bitmap` target: the NTFS `$Bitmap` metadata file at the volume root
/// (cluster allocation map). `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_C_BITMAP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_bitmap",
name: "$Bitmap",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Bitmap"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$Bitmap — collected by KAPE $Bitmap target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$Bitmap.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$Boot` target: the NTFS `$Boot` metadata file at the volume root
/// (boot sector / volume parameters). `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_C_BOOT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_boot",
name: "$Boot",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Boot"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$Boot — collected by KAPE $Boot target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$Boot.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$J` target: the USN change journal, addressed as the `$J` alternate
/// data stream of `$Extend\$UsnJrnl` on a live volume. `KAPE_FILE_EXTEND_J`
/// below is the non-ADS form for already-extracted copies.
/// NOTE(review): rated `Low` here as inherited from the generator's default;
/// the USN journal is usually a primary file-activity timeline source, so the
/// priority may deserve review against how `$MFT` (`High`) is rated.
pub(crate) static KAPE_FILE_EXTEND_USNJRNL_J: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extend_usnjrnl_j",
name: "$J",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `:$J` after the file name is an NTFS alternate-data-stream reference.
file_path: Some("C:\\$Extend\\$UsnJrnl:$J"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$J — collected by KAPE $J target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$J.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$J` target: the `$Max` alternate data stream of `$Extend\$UsnJrnl`
/// (journal size/limit metadata) on a live volume; `KAPE_FILE_EXTEND_MAX`
/// below is the non-ADS form for already-extracted copies.
pub(crate) static KAPE_FILE_EXTEND_USNJRNL_MAX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extend_usnjrnl_max",
name: "$Max",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Extend\\$UsnJrnl:$Max"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$Max — collected by KAPE $J target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$J.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$J` target, non-ADS variant: `$Extend\$J` as a plain file. Per the
/// upstream comment this exists for running against a mounted image (VHDX)
/// where the journal was already extracted from its ADS and so no longer
/// matches `KAPE_FILE_EXTEND_USNJRNL_J`. Same `name` as that entry.
pub(crate) static KAPE_FILE_EXTEND_J: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extend_j",
name: "$J",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Extend\\$J"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$J.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$J` target, non-ADS variant: `$Extend\$Max` as a plain file, for
/// mounted images where the stream was already extracted (see the upstream
/// comment in `meaning`). Counterpart of `KAPE_FILE_EXTEND_USNJRNL_MAX`.
pub(crate) static KAPE_FILE_EXTEND_MAX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extend_max",
name: "$Max",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Extend\\$Max"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets are looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$J.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$LogFile` target: the NTFS transaction log at the volume root.
/// `meaning` is the generator's fallback text.
/// NOTE(review): rated `Low` via the generator default; `$LogFile` is commonly
/// paired with `$MFT`/`$J` for file-system timelines, so the priority may
/// deserve review.
pub(crate) static KAPE_FILE_C_LOGFILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_logfile",
name: "$LogFile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$LogFile"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$LogFile — collected by KAPE $LogFile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$LogFile.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$MFT` target: the NTFS Master File Table at the volume root. One of
/// the few entries in this group rated `High`; `meaning` is the generator's
/// fallback text.
pub(crate) static KAPE_FILE_C_MFT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_mft",
name: "$MFT",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$MFT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$MFT — collected by KAPE $MFT target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$MFT.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$MFTMirr` target: the NTFS `$MFTMirr` file, which per the upstream
/// comment mirrors only the first four MFT records. Rated `High` like `$MFT`;
/// useful for checking the integrity of those first records, not as an MFT
/// substitute.
pub(crate) static KAPE_FILE_C_MFTMIRR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_mftmirr",
name: "$MFTMirr",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$MFTMirr"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"$MFTMirr is a redundant copy of the first four (4) records of the MFT.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$MFTMirr.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$SDS` target: the `$SDS` alternate data stream of the NTFS `$Secure`
/// file (security descriptor store) on a live volume. `KAPE_FILE_SDS` below is
/// the non-ADS form for already-extracted copies. `meaning` is the generator's
/// fallback text.
pub(crate) static KAPE_FILE_C_SECURE_SDS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_secure_sds",
name: "$SDS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Secure:$SDS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$SDS — collected by KAPE $SDS target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$SDS.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$SDS` target, non-ADS variant: `$Secure_$SDS` as a plain file (the
/// `:` of the stream reference replaced by `_`), for mounted images where the
/// stream was already extracted — see the upstream comment in `meaning`.
/// Counterpart of `KAPE_FILE_C_SECURE_SDS`.
pub(crate) static KAPE_FILE_SDS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sds",
name: "$SDS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Secure_$SDS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$SDS.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$T` target: the `$T` alternate data stream of
/// `$Extend\$RmMetadata\$TxfLog\$Tops` (transactional NTFS log data) on a live
/// volume. `KAPE_FILE_TXFLOG_T` below is the non-ADS form. `meaning` is the
/// generator's fallback text.
pub(crate) static KAPE_FILE_TXFLOG_TOPS_T: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_txflog_tops_t",
name: "$T",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Extend\\$RmMetadata\\$TxfLog\\$Tops:$T"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "$T — collected by KAPE $T target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$T.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `$T` target, non-ADS variant: `$TxfLog\$T` as a plain file, for mounted
/// images where the stream was already extracted (see the upstream comment in
/// `meaning`). Counterpart of `KAPE_FILE_TXFLOG_TOPS_T`.
pub(crate) static KAPE_FILE_TXFLOG_T: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_txflog_t",
name: "$T",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Extend\\$RmMetadata\\$TxfLog\\$T"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Target is looking for the files as an ADS whereas once they are already pulled they no longer match the ADS criteria and therefore are missed\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/$T.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ActiveDirectoryNTDS` target: the `C:\Windows\NTDS` directory holding
/// the Active Directory database on a domain controller.
///
/// Unlike the neighbouring generated entries this one carries curated
/// metadata: `Critical` priority, `Definitive` evidence strength and
/// `Persistent` volatility. Per `evidence_caveats` the collected copy is a
/// domain credential store with offline-cracking risk, so the collection
/// output must be stored and transferred under the same controls as live
/// credentials, and the hash-count-vs-user-count comparison in the caveat is
/// a completeness check for the analyst.
pub(crate) static KAPE_FILE_WINDOWS_NTDS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_ntds",
name: "NTDS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\NTDS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTDS — collected by KAPE ActiveDirectoryNTDS target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ActiveDirectoryNTDS.tkape",
],
// Fully qualified: `crate::evidence` / `crate::volatility` are not in this file's `use` list.
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Domain credential store; offline cracking risk; compare hash count against user count",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Active Directory database persists until DC decommission",
};
/// KAPE `ActiveDirectorySysvol` target: the `C:\Windows\SYSVOL` directory on a
/// domain controller (Group Policy and logon script replication share).
/// NOTE(review): rated `Low` via the generator default while the sibling NTDS
/// entry is `Critical`; whether that gap is intended deserves a look.
pub(crate) static KAPE_FILE_WINDOWS_SYSVOL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_sysvol",
name: "SYSVOL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SYSVOL"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSVOL — collected by KAPE ActiveDirectorySysvol target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ActiveDirectorySysvol.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Amcache` target: the live `Amcache.hve` hive (program execution /
/// installation inventory). Modelled as a file artifact, so `hive` is `None`
/// even though the file is a registry hive; `meaning` is the generator's
/// fallback text. Its transaction logs are `KAPE_FILE_PROGRAMS_AMCACHE_HVE_LOG`.
pub(crate) static KAPE_FILE_PROGRAMS_AMCACHE_HVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_amcache_hve",
name: "Amcache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\AppCompat\\Programs\\Amcache.hve"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache — collected by KAPE Amcache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Amcache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Amcache` target: the pre-upgrade copy of `Amcache.hve` kept under
/// `C:\Windows.old` after a Windows upgrade. Same `name` as the live entry
/// (`KAPE_FILE_PROGRAMS_AMCACHE_HVE`); the `id` and path distinguish them.
pub(crate) static KAPE_FILE_AMCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_amcache",
name: "Amcache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\AppCompat\\Programs\\Amcache.hve"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache — collected by KAPE Amcache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Amcache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Amcache` target: the `Amcache.hve.LOG*` transaction logs next to the
/// live hive. Collecting them with the hive lets a parser replay unflushed
/// changes; `meaning` is the generator's fallback text.
pub(crate) static KAPE_FILE_PROGRAMS_AMCACHE_HVE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_amcache_hve_log",
name: "Amcache transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\AppCompat\\Programs\\Amcache.hve.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache transaction files — collected by KAPE Amcache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Amcache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Amcache` target: the `Amcache.hve.LOG*` transaction logs of the
/// pre-upgrade hive under `C:\Windows.old`. Pairs with `KAPE_FILE_AMCACHE`.
pub(crate) static KAPE_FILE_AMCACHE_TRANSACTION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_amcache_transaction",
name: "Amcache transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\AppCompat\\Programs\\Amcache.hve.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Amcache transaction files — collected by KAPE Amcache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Amcache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `AppCompatPCA` target entry: the `C:\Windows\appcompat\pca` directory
/// (Program Compatibility Assistant data), collected as a whole.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_APPCOMPAT_PCA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_appcompat_pca",
name: "AppCompat PCA Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\appcompat\\pca"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "AppCompat PCA Folder — collected by KAPE AppCompatPCA target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppCompatPCA.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
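/// KAPE `AppXPackages` target entry: `Deleted*` directories under
/// `C:\Program Files\WindowsApps`, i.e. AppX packages that were updated or
/// uninstalled.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_WINDOWSAPPS_DELETED: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowsapps_deleted",
name: "WindowsApps for AppX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\WindowsApps\\Deleted*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): the tkape `Comment` is a double-quoted YAML scalar; the ingest copied
// the quote delimiters into the value. They are dropped here so the text reads
// cleanly — the durable fix belongs in the ingest's YAML handling, since this file
// is regenerated.
meaning: "Locates all the user AppX package directories which were installed through Microsoft Store and updated/uninstalled by the user.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppXPackages.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};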
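/// KAPE `AppXPackages` target entry: the `C:\Windows\SystemApps` directory
/// holding system-installed AppX packages.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_WINDOWS_SYSTEMAPPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_systemapps",
name: "SystemApps for AppX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SystemApps\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): YAML quote delimiters copied from the tkape `Comment` were dropped
// from the value; the durable fix belongs in the ingest, as this file is regenerated.
meaning: "Locates all the system AppX package directories which were installed by the system.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppXPackages.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};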
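/// KAPE `AppXPackages` target entry: per-user AppX package state under
/// `%user%\AppData\Local\Packages` (the `%user%` token is expanded by the
/// collector, not here).
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOCAL_PACKAGES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_packages",
name: "UserSpecificPackages for AppX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): YAML quote delimiters copied from the tkape `Comment` were dropped
// from the value; the durable fix belongs in the ingest, as this file is regenerated.
meaning: "Locates all the user and system AppX package directories which are user specific on the system.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppXPackages.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};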
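/// KAPE `AppXPackages` target entry: the `StateRepository-*.srd` databases under
/// `C:\ProgramData\Microsoft\Windows\AppRepository\Packages`.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_PACKAGES_STATEREPOSITORY_SRD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_packages_staterepository_srd",
name: "AppRepository for AppX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\StateRepository-*.srd",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): YAML quote delimiters copied from the tkape `Comment` were dropped
// from the value; the durable fix belongs in the ingest, as this file is regenerated.
meaning: "Locates the StateRepository .srd databases.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppXPackages.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};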
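/// KAPE `AppXPackages` target entry: the machine-wide `C:\ProgramData\Packages`
/// AppX directory.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_PROGRAMDATA_PACKAGES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programdata_packages",
name: "ProgramData Packages for AppX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Packages\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): YAML quote delimiters copied from the tkape `Comment` were dropped
// from the value; the durable fix belongs in the ingest, as this file is regenerated.
meaning: "Locates the ProgramData AppX package directories.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/AppXPackages.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};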
/// KAPE `ApplicationEvents` target entry: the legacy `AppEvent.evt` Application
/// log under `System32\config`. High triage priority.
/// NOTE(review): the name says "XP" (the pre-Vista `.evt` format) but `os_scope`
/// is `Win7Plus`, matching every other generated entry — confirm whether the
/// ingest should map this to a narrower `OsScope` if one exists.
pub(crate) static KAPE_FILE_CONFIG_APPEVENT_EVT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_appevent_evt",
name: "Application Event Log XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\AppEvent.evt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Application Event Log XP — collected by KAPE ApplicationEvents target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ApplicationEvents.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ApplicationEvents` target entry: the legacy `AppEvent.evt` from the
/// `Windows.old` copy of a previous installation. High triage priority.
/// NOTE(review): the `id`/static name is truncated ("_LO") by the generator's
/// length limit; it still has to stay unique across the table.
/// As with the live copy, the "XP" name and `Win7Plus` `os_scope` disagree — confirm.
pub(crate) static KAPE_FILE_APPLICATION_EVENT_LO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_application_event_lo",
name: "Application Event Log XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\AppEvent.evt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Application Event Log XP — collected by KAPE ApplicationEvents target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ApplicationEvents.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ApplicationEvents` target entry: the live `application.evtx` channel
/// under `System32\winevt\logs`. High triage priority; collected verbatim
/// (`Decoder::Identity`), so event parsing happens downstream.
pub(crate) static KAPE_FILE_LOGS_APPLICATION_EVTX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_application_evtx",
name: "Application Event Log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\application.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Application Event Log Win7+ — collected by KAPE ApplicationEvents target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ApplicationEvents.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ApplicationEvents` target entry: `application.evtx` from the
/// `Windows.old` copy of a previous installation (the `_2` suffix is the
/// generator's de-duplication of the otherwise identical id).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_APPLICATION_EVTX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_application_evtx_2",
name: "Application Event Log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\application.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Application Event Log Win7+ — collected by KAPE ApplicationEvents target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ApplicationEvents.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `BCD` target entry: the Boot Configuration Data store at `C:\Boot\BCD`.
/// Low triage priority; enrichment fields are left empty by the ingest.
/// NOTE(review): `hive: None` even though BCD is a registry-hive-format file —
/// presumably `hive` is reserved for the well-known system/user hives; confirm.
pub(crate) static KAPE_FILE_BOOT_BCD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_boot_bcd",
name: "BCD",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Boot\\BCD"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BCD — collected by KAPE BCD target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BCD.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
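/// KAPE `BCD` target entry: the `BCD.LOG*` transaction files beside `C:\Boot\BCD`.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_BOOT_BCD_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_boot_bcd_log",
name: "BCD Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'BCD.LOG*'`), which a path
// matcher would treat as literal characters and never match. Dropped here; the
// durable fix belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Boot\\BCD.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BCD Logs — collected by KAPE BCD target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BCD.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};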
/// KAPE `BITS` target entry: the `ProgramData\Microsoft\Network\Downloader`
/// directory (Background Intelligent Transfer Service job data), collected whole.
/// Low triage priority; enrichment fields (`mitre_techniques` included) are left
/// empty by the ingest.
pub(crate) static KAPE_FILE_NETWORK_DOWNLOADER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_downloader",
name: "BITS files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Network\\Downloader\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BITS files — collected by KAPE BITS target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/BITS.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `CapabilityAccessManager` target entry: the `CapabilityAccessManager.db`
/// database under `ProgramData\Microsoft\Windows\CapabilityAccessManager`.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_CAPABILITYACCESSMANAGER_CAPABILITYACCESSMANAGER_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_capabilityaccessmanager_capabilityaccessmanager_db",
name: "Capability Access Manager database",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows\\CapabilityAccessManager\\CapabilityAccessManager.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Capability Access Manager database — collected by KAPE CapabilityAccessManager target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CapabilityAccessManager.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `CertUtil` target entry: the `CryptnetUrlCache` directory of the SYSTEM
/// profile (`System32\config\systemprofile\AppData\LocalLow\Microsoft`).
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_MICROSOFT_CRYPTNETURLCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_cryptneturlcache",
name: "System CryptnetUrlCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System CryptnetUrlCache — collected by KAPE CertUtil target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CertUtil.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `CertUtil` target entry: the SYSTEM-profile `CryptnetUrlCache` directory
/// under `SysWOW64` (32-bit subsystem on 64-bit Windows).
/// Low triage priority; the static name is truncated by the generator ("_CRYPTNE").
pub(crate) static KAPE_FILE_SYSTEM_WOW64_CRYPTNE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_wow64_cryptne",
name: "System WOW64 CryptnetUrlCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System WOW64 CryptnetUrlCache — collected by KAPE CertUtil target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CertUtil.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `CertUtil` target entry: each user's `AppData\LocalLow\Microsoft\CryptnetUrlCache`
/// directory (`%user%` is expanded by the collector).
/// Low triage priority; the static name is truncated by the generator ("_CRYPTNETURLCACH").
pub(crate) static KAPE_FILE_USER_CRYPTNETURLCACH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_cryptneturlcach",
name: "User CryptnetUrlCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User CryptnetUrlCache — collected by KAPE CertUtil target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CertUtil.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `CertUtil` target entry: each user's `INetCache\IE` directory under
/// `AppData\Local\Microsoft\Windows`. Listed under the CertUtil target rather
/// than a browser target, per the source tkape.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_INETCACHE_IE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_inetcache_ie",
name: "INetCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "INetCache — collected by KAPE CertUtil target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/CertUtil.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
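/// KAPE `Drivers` target entry: every `*.sys` file in `C:\Windows\system32\drivers`.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_DRIVERS_SYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_drivers_sys",
name: "Drivers",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.sys'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows\\system32\\drivers\\*.sys"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Drivers — collected by KAPE Drivers target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Drivers.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};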
/// KAPE `EncapsulationLogging` target entry: the `EncapsulationLogging.hve` hive
/// next to Amcache under `C:\Windows\Appcompat\Programs`.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_encapsulationlogging_hve",
name: "EncapsulationLogging",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Appcompat\\Programs\\EncapsulationLogging.hve"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EncapsulationLogging — collected by KAPE EncapsulationLogging target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EncapsulationLogging.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EncapsulationLogging` target entry: `EncapsulationLogging.hve` from the
/// `Windows.old` copy of a previous installation.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_ENCAPSULATIONLOGGING: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_encapsulationlogging",
name: "EncapsulationLogging",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\Appcompat\\Programs\\EncapsulationLogging.hve"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EncapsulationLogging — collected by KAPE EncapsulationLogging target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EncapsulationLogging.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EncapsulationLogging` target entry: the `EncapsulationLogging.hve.log*`
/// transaction files beside the live hive.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_encapsulationlogging_hve_log",
name: "EncapsulationLogging Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Appcompat\\Programs\\EncapsulationLogging.hve.log*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EncapsulationLogging Logs — collected by KAPE EncapsulationLogging target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EncapsulationLogging.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EncapsulationLogging` target entry: the `EncapsulationLogging.hve.log*`
/// transaction files from the `Windows.old` copy (`_2` = generator de-duplication).
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_encapsulationlogging_hve_log_2",
name: "EncapsulationLogging Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\Appcompat\\Programs\\EncapsulationLogging.hve.log*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EncapsulationLogging Logs — collected by KAPE EncapsulationLogging target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EncapsulationLogging.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the live `System.evtx` channel.
/// High triage priority; collected verbatim (`Decoder::Identity`).
/// NOTE(review): `related_artifacts` is empty although the same target contributes
/// several sibling RDP-related channels in this table — linking them is an ingest task.
pub(crate) static KAPE_FILE_LOGS_SYSTEM_EVTX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_system_evtx",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\System.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: `System.evtx` from the `Windows.old` copy
/// of a previous installation. High triage priority.
/// NOTE(review): the id `kape_file_event_logs_win7` is derived from the generic
/// name rather than the path, so it does not say which channel it is.
pub(crate) static KAPE_FILE_EVENT_LOGS_WIN7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_event_logs_win7",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\System.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the live `Security.evtx` channel.
/// High triage priority; collected verbatim (`Decoder::Identity`).
pub(crate) static KAPE_FILE_LOGS_SECURITY_EVTX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_security_evtx",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\Security.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: `Security.evtx` from the `Windows.old`
/// copy of a previous installation (`_2` = generator de-duplication).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_SECURITY_EVTX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_security_evtx_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Security.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the
/// `Microsoft-Windows-TerminalServices-RDPClient/Operational` channel (outbound
/// RDP client side). The `%4` in the on-disk file name is the literal encoding of
/// `/` that Windows uses for channel names — it is not a placeholder to expand.
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_rdpclient",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the TerminalServices-RDPClient/Operational
/// channel from the `Windows.old` copy (`_2` = generator de-duplication).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_rdpclient_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the
/// `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational` channel
/// (inbound RDP, server side). High triage priority.
/// The static name/id are truncated by the generator ("_RDPCO").
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_remotedesktopservices_rdpco",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the RdpCoreTS/Operational channel from the
/// `Windows.old` copy (`_2` = generator de-duplication).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_remotedesktopservices_rdpco_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the
/// `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` channel.
/// High triage priority; the static name/id are truncated by the generator ("_REMOTECONN").
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_remoteconn",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the RemoteConnectionManager/Operational
/// channel from the `Windows.old` copy (`_2` = generator de-duplication).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_remoteconn_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the
/// `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` channel.
/// High triage priority; the static name/id are truncated by the generator ("_LOCALSESSI").
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_localsessi",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `EventLogs-RDP` target entry: the LocalSessionManager/Operational channel
/// from the `Windows.old` copy (`_2` = generator de-duplication).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_localsessi_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs-RDP target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs-RDP.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
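/// KAPE `EventLogs` target entry: every legacy `*.evt` log under `System32\config`.
/// High triage priority; enrichment fields are left empty by the ingest.
/// NOTE(review): the name says "XP" (pre-Vista `.evt` format) but `os_scope` is
/// `Win7Plus` like every other generated entry — confirm whether a narrower
/// `OsScope` variant should be mapped by the ingest.
pub(crate) static KAPE_FILE_CONFIG_EVT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_evt",
name: "Event logs XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.evt'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows\\System32\\config\\*.evt"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs XP — collected by KAPE EventLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};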
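/// KAPE `EventLogs` target entry: every `*.evtx` channel under
/// `System32\winevt\logs` (the catch-all that supersets the per-channel
/// `EventLogs-RDP` entries in this table).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGS_EVTX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_evtx",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.evtx'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\*.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};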
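/// KAPE `EventLogs` target entry: every `*.evtx` channel from the `Windows.old`
/// copy of a previous installation (`_2` = generator de-duplication of the
/// name-derived id).
/// High triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_EVENT_LOGS_WIN7_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_event_logs_win7_2",
name: "Event logs Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.evtx'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\*.evtx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Event logs Win7+ — collected by KAPE EventLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};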
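/// KAPE `EventTraceLogs` target entry: `*.etl*` trace files under
/// `System32\WDI\LogFiles` (Windows Diagnostic Infrastructure).
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_LOGFILES_ETL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logfiles_etl",
name: "WDI Trace Logs 1",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.etl*'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows\\System32\\WDI\\LogFiles\\*.etl*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WDI Trace Logs 1 — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};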
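/// KAPE `EventTraceLogs` target entry: `*.etl*` trace files under
/// `System32\WDI\LogFiles` from the `Windows.old` copy of a previous installation.
/// Low triage priority; enrichment fields are left empty by the ingest.
pub(crate) static KAPE_FILE_WDI_TRACE_LOGS_1: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wdi_trace_logs_1",
name: "WDI Trace Logs 1",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the tkape `FileMask` is a single-quoted YAML scalar; the ingest
// concatenated the quote delimiters into the glob (`'*.etl*'`), which a path matcher
// would treat as literal characters and never match. Dropped here; the durable fix
// belongs in the ingest's YAML handling, since this file is regenerated.
file_path: Some("C:\\Windows.old\\Windows\\System32\\WDI\\LogFiles\\*.etl*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WDI Trace Logs 1 — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};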
/// WDI subdirectories matching `{*` under `C:\Windows\System32\WDI`, as
/// collected by the KAPE `EventTraceLogs` target (a directory glob rather
/// than a file mask, so everything beneath the matching directories is in
/// scope).
pub(crate) static KAPE_FILE_WDI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wdi",
name: "WDI Trace Logs 2",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\WDI\\{*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WDI Trace Logs 2 — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the WDI `{*` subdirectories, as collected by the
/// KAPE `EventTraceLogs` target.
pub(crate) static KAPE_FILE_WDI_TRACE_LOGS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wdi_trace_logs_2",
name: "WDI Trace Logs 2",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\WDI\\{*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WDI Trace Logs 2 — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// WMI trace log directory `C:\Windows\System32\LogFiles\WMI`, as collected
/// by the KAPE `EventTraceLogs` target (whole directory, no file mask).
pub(crate) static KAPE_FILE_LOGFILES_WMI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logfiles_wmi",
name: "WMI Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\LogFiles\\WMI\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WMI Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the WMI trace log directory, as collected by the
/// KAPE `EventTraceLogs` target.
pub(crate) static KAPE_FILE_WMI_TRACE_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wmi_trace_logs",
name: "WMI Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\LogFiles\\WMI\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WMI Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// SleepStudy trace log directory `C:\Windows\System32\SleepStudy`, as
/// collected by the KAPE `EventTraceLogs` target (whole directory).
pub(crate) static KAPE_FILE_SYSTEM32_SLEEPSTUDY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system32_sleepstudy",
name: "SleepStudy Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\SleepStudy\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SleepStudy Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the SleepStudy trace log directory, as collected by
/// the KAPE `EventTraceLogs` target.
pub(crate) static KAPE_FILE_SLEEPSTUDY_TRACE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sleepstudy_trace_log",
name: "SleepStudy Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\SleepStudy\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SleepStudy Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Single trace file `energy-ntkl.etl` under
/// `C:\ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics`, as
/// collected by the KAPE `EventTraceLogs` target.
pub(crate) static KAPE_FILE_POWEREFFICIENCY_DIAGNOSTICS_ENERGY_NTKL_ETL: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_powerefficiency_diagnostics_energy_ntkl_etl",
name: "Energy-NTKL Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\ProgramData\\Microsoft\\Windows\\PowerEfficiency Diagnostics\\energy-ntkl.etl",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Energy-NTKL Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Delivery Optimization trace logs (`*.etl*`) under the `NetworkService`
/// profile's `DeliveryOptimization\Logs`, as collected by the KAPE
/// `EventTraceLogs` target.
pub(crate) static KAPE_FILE_LOGS_ETL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_etl",
name: "Delivery Optimization Trace Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization\\Logs\\'*.etl*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Delivery Optimization Trace Logs — collected by KAPE EventTraceLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTraceLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows diagnostic `EventTranscript.db*` under
/// `C:\ProgramData\Microsoft\Diagnosis\EventTranscript`, as collected by the
/// KAPE `EventTranscriptDB` target.
pub(crate) static KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_diagnosis_eventtranscript_eventtranscript_db_2",
name: "EventTranscript.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): no separator between the `EventTranscript` directory and the
// quoted `EventTranscript.db*` mask (compare the `\'*.etl*'` form used by the
// EventTraceLogs entries above). Looks like the ingest join drops the
// backslash when the source Path has no trailing one — confirm against the
// .tkape and fix in the generator, not here.
file_path: Some("C:\\ProgramData\\Microsoft\\Diagnosis\\EventTranscript'EventTranscript.db*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventTranscript.db — collected by KAPE EventTranscriptDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTranscriptDB.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the diagnostic `EventTranscript.db*`, as collected
/// by the KAPE `EventTranscriptDB` target.
pub(crate) static KAPE_FILE_EVENTTRANSCRIPT_DB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_eventtranscript_db_2",
name: "EventTranscript.db",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): same missing directory/mask separator as the live-system
// EventTranscript.db entry — presumably the same generator join issue.
file_path: Some(
"C:\\Windows.old\\ProgramData\\Microsoft\\Diagnosis\\EventTranscript'EventTranscript.db*'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "EventTranscript.db — collected by KAPE EventTranscriptDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTranscriptDB.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Microsoft Office diagnostic log directory
/// `AppData\Local\Temp\Diagnostics`, as collected by the KAPE
/// `EventTranscriptDB` target.
pub(crate) static KAPE_FILE_TEMP_DIAGNOSTICS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_diagnostics",
name: "Microsoft Office Diagnostic Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the user placeholder is spelled `%User%` here but `%user%`
// in every other entry in this section; harmless if the consumer matches the
// placeholder case-insensitively — verify, or normalise in the generator.
file_path: Some("C:\\Users\\%User%\\AppData\\Local\\Temp\\Diagnostics"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Office Diagnostic Logs — collected by KAPE EventTranscriptDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/EventTranscriptDB.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Exchange Server client-access `*.log` files under
/// `Exchange Server\*\Logging`, as collected by the KAPE
/// `ExchangeClientAccess` target.
pub(crate) static KAPE_FILE_LOGGING_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logging_log",
name: "Exchange client access log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Microsoft\\Exchange Server\\*\\Logging\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
// NOTE(review): the surrounding literal quotes are carried over from the
// upstream Comment field; the generator could strip them so `meaning`
// renders cleanly.
meaning: "\"Highly dependent on Exchange configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeClientAccess.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Compiled ASP.NET files whose name matches an 8-character
/// `[a-zA-Z0-9_-]` token under `Temporary ASP.NET Files`, from the KAPE
/// `ExchangeCve-2021-26855` target. One of four descriptors from that target
/// in this file that differ only by directory.
pub(crate) static KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED: ArtifactDescriptor = ArtifactDescriptor {
// NOTE(review): the id is derived from the regex text rather than the
// directory, so the four ExchangeCve-2021-26855 entries end up as
// `..._compiled`, `..._compiled_2`, `..._compiled_3` and a truncated
// `kape_file_exchange_server_modi`. Deriving ids from the path would make
// them distinguishable.
id: "kape_file_b_a_za_z0_9_8_b_compiled",
name: "Exchange Server Modified Compiled Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Microsoft.NET\\Framework*\\v*\\Temporary ASP.NET Files\\'Regex:*.\\b[a-zA-Z0-9_-]{8}\\b.compiled'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Highly dependent on Exchange configuration\"",
// NOTE(review): left empty by the generator; the source target is a
// web-shell hunting target, so T1505.003 (Server Software Component: Web
// Shell) is the natural mapping — confirm before populating.
mitre_techniques: &[],
fields: &[],
retention: None,
// NOTE(review): Low, although a hit on this regex is a strong compromise
// indicator; worth revisiting in the generator's priority table.
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeCve-2021-26855.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Compiled ASP.NET files matching the 8-character token regex directly
/// under `C:\inetpub\wwwroot\aspnet_client`, from the KAPE
/// `ExchangeCve-2021-26855` target.
pub(crate) static KAPE_FILE_EXCHANGE_SERVER_MODI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchange_server_modi",
name: "Exchange Server Modified Compiled Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): no separator between `aspnet_client` and the quoted
// `Regex:` mask; the sibling `system_web` entry has `\\'Regex:...`. Same
// generator join issue as the EventTranscript.db entries — confirm.
file_path: Some("C:\\inetpub\\wwwroot\\aspnet_client'Regex:*.\\b[a-zA-Z0-9_-]{8}\\b.compiled'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Highly dependent on Exchange configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeCve-2021-26855.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Compiled ASP.NET files matching the 8-character token regex under
/// `C:\inetpub\wwwroot\aspnet_client\system_web`, from the KAPE
/// `ExchangeCve-2021-26855` target.
pub(crate) static KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_b_a_za_z0_9_8_b_compiled_2",
name: "Exchange Server Modified Compiled Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\'Regex:*.\\b[a-zA-Z0-9_-]{8}\\b.compiled'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Highly dependent on Exchange configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeCve-2021-26855.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Compiled ASP.NET files matching the 8-character token regex under the
/// Exchange `FrontEnd\HttpProxy\owa\auth` directory, from the KAPE
/// `ExchangeCve-2021-26855` target.
pub(crate) static KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_b_a_za_z0_9_8_b_compiled_3",
name: "Exchange Server Modified Compiled Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\'Regex:*.\\b[a-zA-Z0-9_-]{8}\\b.compiled'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Highly dependent on Exchange configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeCve-2021-26855.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `C:\ExchangeSetupLogs\ExchangeSetup.log`, as collected by the KAPE
/// `ExchangeSetupLog` target; the upstream comment describes it as tracking
/// every task during Exchange installation and configuration.
pub(crate) static KAPE_FILE_EXCHANGESETUPLOGS_EXCHANGESETUP_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_exchangesetuplogs_exchangesetup_log",
name: "Exchange Setup Log file",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): the file mask is wrapped in double quotes here but single
// quotes in most other entries (`'*.log'`); presumably the generator echoes
// whichever quoting the .tkape used. Consumers that strip the mask quotes
// need to handle both.
file_path: Some("C:\\ExchangeSetupLogs\\\"ExchangeSetup.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeSetupLog.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Exchange Server transport-role `*.log` files under
/// `Exchange Server\*\TransportRoles\Logs`, as collected by the KAPE
/// `ExchangeTransport` target.
pub(crate) static KAPE_FILE_LOGS_LOG_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_log_6",
name: "Exchange TransportRoles log files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Program Files\\Microsoft\\Exchange Server\\*\\TransportRoles\\Logs\\'*.log'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Highly dependent on Exchange configuration\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ExchangeTransport.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Local Group Policy directory `C:\Windows\System32\grouppolicy` (whole
/// directory), as collected by the KAPE `GroupPolicy` target. The `*.pol`
/// and `*\Scripts\` entries below are narrower views of the same tree.
pub(crate) static KAPE_FILE_SYSTEM32_GROUPPOLICY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system32_grouppolicy",
name: "Group Policy Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\grouppolicy\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Group Policy Files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Machine-wide Group Policy history cache under
/// `C:\ProgramData\Microsoft\Group Policy\History`, as collected by the KAPE
/// `GroupPolicy` target.
pub(crate) static KAPE_FILE_GROUP_POLICY_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_group_policy_history",
name: "Computer Group Policy files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Group Policy\\History\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Computer Group Policy files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Group Policy history cache under
/// `AppData\Local\Microsoft\Group Policy\History`, as collected by the KAPE
/// `GroupPolicy` target. (The id is a truncation of the display name.)
pub(crate) static KAPE_FILE_USER_GROUP_POLICY_FI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_group_policy_fi",
name: "User Group Policy files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Group Policy\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User Group Policy files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the local Group Policy `*.ini` files, as collected
/// by the KAPE `GroupPolicy` target.
pub(crate) static KAPE_FILE_GROUPPOLICY_INI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_grouppolicy_ini",
name: "Local Group Policy INI Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\grouppolicy\\'*.ini'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local Group Policy INI Files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Local Group Policy registry policy files (`*.pol`) under
/// `C:\Windows\System32\grouppolicy`, as collected by the KAPE `GroupPolicy`
/// target. Rated High, unlike the directory-level Group Policy entries.
pub(crate) static KAPE_FILE_GROUPPOLICY_POL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_grouppolicy_pol",
name: "Local Group Policy Files - Registry Policy Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\grouppolicy\\'*.pol'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Local Group Policy Files - Registry Policy Files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the local Group Policy `*.pol` files, as collected
/// by the KAPE `GroupPolicy` target. (The id is a truncation of the display
/// name.)
pub(crate) static KAPE_FILE_LOCAL_GROUP_POLICY_F: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_group_policy_f",
name: "Local Group Policy Files - Registry Policy Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\grouppolicy\\'*.pol'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Local Group Policy Files - Registry Policy Files — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Local Group Policy startup/shutdown script directories
/// (`grouppolicy\*\Scripts`), as collected by the KAPE `GroupPolicy` target.
pub(crate) static KAPE_FILE_SCRIPTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scripts",
name: "Local Group Policy Files - Startup/Shutdown Scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\grouppolicy\\*\\Scripts\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Local Group Policy Files - Startup/Shutdown Scripts — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `Windows.old` copy of the local Group Policy startup/shutdown script
/// directories, as collected by the KAPE `GroupPolicy` target.
pub(crate) static KAPE_FILE_SCRIPTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_scripts_2",
name: "Local Group Policy Files - Startup/Shutdown Scripts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\grouppolicy\\*\\Scripts\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Local Group Policy Files - Startup/Shutdown Scripts — collected by KAPE GroupPolicy target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/GroupPolicy.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The `Hosts` file under `C:\Windows\System32\drivers\etc`, as collected by
/// the KAPE `HostsFile` target. Worth comparing against a known-good
/// baseline during triage, since unexpected entries redirect name resolution.
pub(crate) static KAPE_FILE_ETC_HOSTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts",
name: "HostsFile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\drivers\\etc\\'Hosts'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HostsFile — collected by KAPE HostsFile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/HostsFile.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS `applicationHost.config` under `C:\Windows\System32\inetsrv\config`,
/// as collected by the KAPE `IISConfiguration` target; per the upstream
/// comment it holds the settings for all sites and applications.
pub(crate) static KAPE_FILE_CONFIG_APPLICATIONHOST_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_applicationhost_config",
name: "IIS applicationHost.config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\inetsrv\\config\\\"applicationHost.config\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This configuration file stores the settings for all your Web sites and applications.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISConfiguration.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS `administration.config` under `C:\Windows\System32\inetsrv\config`,
/// as collected by the KAPE `IISConfiguration` target.
pub(crate) static KAPE_FILE_CONFIG_ADMINISTRATION_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_administration_config",
name: "IIS administration.config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\inetsrv\\config\\\"administration.config\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This configuration file stores the settings for IIS management.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISConfiguration.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IIS `redirection.config` under `C:\Windows\System32\inetsrv\config`, as
/// collected by the KAPE `IISConfiguration` target; per the upstream comment
/// it points at where centralized configuration files are stored.
pub(crate) static KAPE_FILE_CONFIG_REDIRECTION_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_redirection_config",
name: "IIS redirection.config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\inetsrv\\config\\\"redirection.config\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"This configuration file contains the settings that indicate the location where the centralized configuration files are stored.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISConfiguration.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `web.config` in the default IIS site root `C:\inetpub\wwwroot`, as
/// collected by the KAPE `IISConfiguration` target.
pub(crate) static KAPE_FILE_INETPUB_WWWROOT_WEB_CONFIG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_inetpub_wwwroot_web_config",
name: "web.config",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): no separator between `wwwroot` and the quoted `web.config`
// mask (the other IISConfiguration entries have `config\\"...`). Same
// generator join issue seen on the EventTranscript.db and aspnet_client
// entries — a path matcher that does not strip the mask quotes would look
// for `wwwroot"web.config"` and never match. Fix in the generator.
file_path: Some("C:\\inetpub\\wwwroot\"web.config\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"The web.config is a file that is read by IIS and the ASP.NET Core Module to configure an app hosted with IIS.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IISConfiguration.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `AppData\Local\IconCache.db`, as collected by the KAPE
/// `IconCacheDB` target.
pub(crate) static KAPE_FILE_LOCAL_ICONCACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_iconcache_db",
name: "Windows IconCache DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\IconCache.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows IconCache DB — collected by KAPE IconCacheDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/IconCacheDB.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Recent\AutomaticDestinations` jump-list directory, as collected
/// by the KAPE `JumpLists` target.
pub(crate) static KAPE_FILE_RECENT_AUTOMATICDESTINATIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recent_automaticdestinations",
// NOTE(review): the display name says `CustomDestinations` but the path
// (and the id) is `AutomaticDestinations`; the CustomDestinations entry
// directly below carries the identical name. Probably inherited from the
// upstream .tkape — confirm there, and if so the generator could derive the
// name from the path for the mismatched entry.
name: "JumpLists from CustomDestinations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "JumpLists from CustomDestinations — collected by KAPE JumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JumpLists.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Recent\CustomDestinations` jump-list directory, as collected by
/// the KAPE `JumpLists` target.
pub(crate) static KAPE_FILE_RECENT_CUSTOMDESTINATIONS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recent_customdestinations",
name: "JumpLists from CustomDestinations",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "JumpLists from CustomDestinations — collected by KAPE JumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/JumpLists.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Recent` directory (LNK files), as collected by the KAPE
/// `LNKFilesAndJumpLists` target. Per the upstream comment this also covers
/// the automatic and custom jump-list subdirectories, so it overlaps the two
/// `JumpLists` descriptors above; rated High where those are Low.
pub(crate) static KAPE_FILE_WINDOWS_RECENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_recent",
name: "LNK Files from Recent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Also includes automatic and custom jumplist directories",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Microsoft\Office\Recent` directory (Office LNK files), as
/// collected by the KAPE `LNKFilesAndJumpLists` target.
pub(crate) static KAPE_FILE_OFFICE_RECENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_office_recent",
name: "LNK Files from Microsoft Office Recent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"LNK Files from Microsoft Office Recent — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Start Menu `Programs` LNK files (`*.LNK`), as collected by the
/// KAPE `LNKFilesAndJumpLists` target.
pub(crate) static KAPE_FILE_START_MENU_PROGRAMS_LNK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_start_menu_programs_lnk",
name: "Start Menu LNK Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// NOTE(review): no separator between `Programs` and the quoted `*.LNK`
// mask; the ProgramData Start Menu entry below has `Programs\\'*.LNK'`.
// Same generator join issue as the web.config entry — confirm and fix there.
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs'*.LNK'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Start Menu LNK Files — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `Recent` directory on the legacy `Documents and Settings`
/// profile layout, as collected by the KAPE `LNKFilesAndJumpLists` target.
pub(crate) static KAPE_FILE_USER_RECENT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_recent",
name: "LNK Files from Recent (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Recent\\"),
scope: DataScope::Mixed,
// NOTE(review): the name and the `Documents and Settings` path are XP-era,
// yet os_scope is Win7Plus like every other entry here — looks like the
// generator applies a single default. If OsScope has a pre-Win7 variant,
// this entry (and the XP Desktop / restore-point LNK entries below) should
// use it so scope filtering does not hide them on the systems they target.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNK Files from Recent (XP) — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Desktop `*.LNK` files on the legacy `Documents and Settings`
/// profile layout, as collected by the KAPE `LNKFilesAndJumpLists` target.
pub(crate) static KAPE_FILE_DESKTOP_LNK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_desktop_lnk",
name: "Desktop LNK Files XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Desktop\\'*.LNK'"),
scope: DataScope::Mixed,
// NOTE(review): XP-era path with a Win7Plus os_scope — same concern as the
// "LNK Files from Recent (XP)" entry.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Desktop LNK Files XP — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Desktop `*.LNK` files under `C:\Users`, as collected by the KAPE
/// `LNKFilesAndJumpLists` target.
pub(crate) static KAPE_FILE_DESKTOP_LNK_FILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_desktop_lnk_files",
name: "Desktop LNK Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Desktop\\'*.LNK'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Desktop LNK Files — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `_restore*\RP*` is the XP System Restore layout (name says "XP"), yet os_scope
// is Win7Plus — generator default; confirm. The path lives under `System Volume Information`,
// which normally needs SYSTEM-level access to read, so collection may silently return nothing
// when run unprivileged.
/// `*.LNK` files preserved inside XP System Restore point folders.
/// Collected by the KAPE `LNKFilesAndJumpLists` target; triage priority High.
pub(crate) static KAPE_FILE_RP_LNK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rp_lnk",
name: "Restore point LNK Files XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\System Volume Information\\_restore*\\RP*\\'*.LNK'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Restore point LNK Files XP — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `*.LNK` shortcuts in the machine-wide Start Menu `Programs` folder under `ProgramData`.
/// Collected by the KAPE `LNKFilesAndJumpLists` target; triage priority High.
pub(crate) static KAPE_FILE_PROGRAMS_LNK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_lnk",
name: "LNK Files from C:\\ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\'*.LNK'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNK Files from C:\\ProgramData — collected by KAPE LNKFilesAndJumpLists target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LNKFilesAndJumpLists.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): shell history routinely captures credentials and tokens typed on the command
// line; evidence_caveats is empty — consider recording that handling sensitivity here.
/// `.bash_history` of Linux accounts inside a Linux-on-Windows distribution's `rootfs`
/// (presumably a Store-packaged WSL distro, given the `Packages\*\LocalState\rootfs` layout).
/// Collected by the KAPE `LinuxOnWindowsProfileFiles` target; triage priority Medium.
pub(crate) static KAPE_FILE_BASH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bash_history",
name: ".bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\LocalState\\rootfs\\home\\*\\'.bash_history'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".bash_history — collected by KAPE LinuxOnWindowsProfileFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LinuxOnWindowsProfileFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.bash_logout` (commands run when an interactive bash session ends) of Linux accounts inside
/// a Linux-on-Windows distribution's `rootfs`.
/// Collected by the KAPE `LinuxOnWindowsProfileFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_BASH_LOGOUT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bash_logout",
name: ".bash_logout",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\LocalState\\rootfs\\home\\*\\'.bash_logout'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".bash_logout — collected by KAPE LinuxOnWindowsProfileFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LinuxOnWindowsProfileFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.bashrc` (per-user interactive shell startup script) of Linux accounts inside a
/// Linux-on-Windows distribution's `rootfs`. Startup scripts are a common place for
/// user-level persistence, which is why they are triaged alongside shell history.
/// Collected by the KAPE `LinuxOnWindowsProfileFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_BASHRC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bashrc",
name: ".bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\LocalState\\rootfs\\home\\*\\'.bashrc'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".bashrc — collected by KAPE LinuxOnWindowsProfileFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LinuxOnWindowsProfileFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `.profile` (login-shell startup script) of Linux accounts inside a Linux-on-Windows
/// distribution's `rootfs`; same persistence relevance as `KAPE_FILE_BASHRC`.
/// Collected by the KAPE `LinuxOnWindowsProfileFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_PROFILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_profile",
name: ".profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\LocalState\\rootfs\\home\\*\\'.profile'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".profile — collected by KAPE LinuxOnWindowsProfileFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LinuxOnWindowsProfileFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The whole `C:\Windows\System32\LogFiles\` directory (no file mask — the consumer decides
/// whether the directory is walked recursively).
/// Collected by the KAPE `LogFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_SYSTEM32_LOGFILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system32_logfiles",
name: "LogFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\LogFiles\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LogFiles — collected by KAPE LogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): name and meaning are identical to `KAPE_FILE_SYSTEM32_LOGFILES`; only `id` and
// `file_path` distinguish the two, so any UI keyed on `name` will show duplicates.
/// `System32\LogFiles\` preserved under `C:\Windows.old\` (a previous Windows installation
/// left behind by an in-place upgrade).
/// Collected by the KAPE `LogFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_LOGFILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logfiles",
name: "LogFiles",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\LogFiles\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LogFiles — collected by KAPE LogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the path uses lowercase `windows` unlike every sibling entry. Harmless on a
// case-insensitive NTFS volume, but it will miss if the consumer matches paths case-sensitively
// (e.g. against a mounted image on Linux) — confirm the matcher's behaviour.
/// `C:\windows\PFRO.log` ("Error logging" per the upstream target comment).
/// Collected by the KAPE `LogFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_WINDOWS_PFRO_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_pfro_log",
name: "Error logging",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\windows\\PFRO.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Error logging — collected by KAPE LogFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/LogFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the mask is anchored directly at `C:\`; whether `*.MOF` files deeper in the
// tree are included depends on the consumer's recursion semantics, which this descriptor does
// not express — confirm against the upstream target's Recursive flag.
/// `*.MOF` (Managed Object Format) files on the system drive.
/// Collected by the KAPE `MOF` target; triage priority Low.
pub(crate) static KAPE_FILE_C_MOF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_mof",
name: "MOF files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.MOF'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MOF files — collected by KAPE MOF target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MOF.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `C:\hiberfil.sys`, the hibernation file (a compressed image of physical memory). Locked by
/// the OS while Windows is running, so it is normally only readable via raw-disk access.
/// Collected by the KAPE `MemoryFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_C_HIBERFIL_SYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_hiberfil_sys",
name: "hiberfil.sys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\hiberfil.sys"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "hiberfil.sys — collected by KAPE MemoryFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MemoryFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `C:\pagefile.sys`, the system paging file; like `hiberfil.sys` it is OS-locked while running
/// and can hold fragments of process memory. volatility is left unset by the generator.
/// Collected by the KAPE `MemoryFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_C_PAGEFILE_SYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_pagefile_sys",
name: "pagefile.sys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\pagefile.sys"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "pagefile.sys — collected by KAPE MemoryFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MemoryFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `C:\swapfile.sys`, the secondary paging file used for suspended packaged (Store) apps.
/// Collected by the KAPE `MemoryFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_C_SWAPFILE_SYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_swapfile_sys",
name: "swapfile.sys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\swapfile.sys"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "swapfile.sys — collected by KAPE MemoryFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MemoryFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `meaning` is the upstream Comment field copied raw — a docs URL wrapped in
// literal double quotes rather than a description. Every other entry's meaning is prose; the
// generator should strip the YAML quoting and ideally move URLs into `sources`.
/// `*.dmp` kernel small memory dumps in `C:\Windows\Minidump\`.
/// Collected by the KAPE `MemoryFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_MINIDUMP_DMP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_minidump_dmp",
name: "Small Memory Dump directory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Minidump\\'*.dmp'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MemoryFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): same raw quoted-URL `meaning` as `KAPE_FILE_MINIDUMP_DMP`; the id looks
// truncated by the generator ("_DI"), which is fine for uniqueness but hurts readability.
/// `*.dmp` small memory dumps preserved under `C:\Windows.old\` from a previous installation.
/// Collected by the KAPE `MemoryFiles` target; triage priority Low.
pub(crate) static KAPE_FILE_SMALL_MEMORY_DUMP_DI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_small_memory_dump_di",
name: "Small Memory Dump directory",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\Minidump\\'*.dmp'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"\"https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MemoryFiles.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user Office `BackstageinAppNavCache` directory (one per Office version, hence the
/// `*` segment); the Backstage view is Office's File-menu open/save UI.
/// Collected by the KAPE `MicrosoftOfficeBackstage` target; triage priority Low.
pub(crate) static KAPE_FILE_BACKSTAGEINAPPNAVCACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_backstageinappnavcache",
name: "Microsoft Office Backstage",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Office\\*\\BackstageinAppNavCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Office Backstage — collected by KAPE MicrosoftOfficeBackstage target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/MicrosoftOfficeBackstage.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user .NET CLR usage logs (`AppData\Local\Microsoft\CLR_*\*.log`), which record which
/// managed executables a user ran — useful execution evidence when Prefetch is unavailable.
/// Collected by the KAPE `NETCLRUsageLogs` target; triage priority Low.
pub(crate) static KAPE_FILE_CLR_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_clr_log",
name: ".NET CLR UsageLogs (user-scoped)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\CLR_*\\'*.log'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".NET CLR UsageLogs (user-scoped) — collected by KAPE NETCLRUsageLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NETCLRUsageLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// .NET CLR usage logs for the SYSTEM account (`systemprofile`), i.e. managed code run by
/// services or scheduled tasks rather than an interactive user. `Windows*` also matches
/// `Windows.old`.
/// Collected by the KAPE `NETCLRUsageLogs` target; triage priority Low.
pub(crate) static KAPE_FILE_NET_CLR_USAGELOGS_SY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_net_clr_usagelogs_sy",
name: ".NET CLR UsageLogs (system-scoped)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows*\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\CLR_*\\'*.log'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: ".NET CLR UsageLogs (system-scoped) — collected by KAPE NETCLRUsageLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/NETCLRUsageLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
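/// Windows 11 Notepad tab-session files (`LocalState\TabState\*.bin`), which hold the content
/// of every open tab — including unsaved text — per the upstream target comment.
/// Collected by the KAPE `Notepad` target; triage priority Low.
///
/// Fix: the generated path was missing the `\` between the `TabState` directory and the quoted
/// file mask (compare `KAPE_FILE_WINDOWSTATE_BIN`, which has it), so the glob could never match
/// files inside the directory. The ingest pipeline joins Path and FileMask without a separator
/// when the upstream Path lacks a trailing backslash; fix it there too or a regeneration will
/// reintroduce the defect. The literal quotes around `*.bin` are still carried over verbatim.
pub(crate) static KAPE_FILE_LOCALSTATE_TABSTATE_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_tabstate_bin",
name: "Notepad Session Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\TabState\\\"*.bin\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains .bin files which consist of the files opened in each tab in Windows Notepad\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};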
// NOTE(review): `meaning` carries the upstream YAML double quotes verbatim (`"\"...\""`);
// sibling entries generated from unquoted comments do not, so the generator should strip them.
/// Windows 11 Notepad window-state files (`LocalState\WindowState\*.bin`).
/// Collected by the KAPE `Notepad` target; triage priority Low.
pub(crate) static KAPE_FILE_WINDOWSTATE_BIN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windowstate_bin",
name: "Notepad Window State Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\WindowState\\\"*.bin\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Contains .bin files tracking the state of the Notepad Window\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `meaning` keeps the upstream YAML quotes verbatim. The upstream comment calls
// settings.dat an "Application Registry" — it is a registry-hive-format file, so a hive parser
// rather than Decoder::Identity would presumably be the right decoder; confirm before changing.
/// Windows 11 Notepad `Settings\settings.dat` (packaged-app settings store).
/// Collected by the KAPE `Notepad` target; triage priority High.
pub(crate) static KAPE_FILE_SETTINGS_SETTINGS_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_settings_dat",
name: "Notepad Settings File",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\Settings\\\"settings.dat\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves settings.dat which is an Application Registry\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
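/// Windows 11 Notepad per-app registry hives (`SystemAppData\Helium\*.dat`): per the upstream
/// comment, `User.dat` holds MRU entries and `UserClasses.dat` holds ShellBags.
/// Collected by the KAPE `Notepad` target; triage priority High.
///
/// Fix: the generated path was missing the `\` between the `Helium` directory and the quoted
/// file mask (same generator defect as `KAPE_FILE_LOCALSTATE_TABSTATE_BIN`), so the glob could
/// never match the hives inside the directory. Fix the ingest pipeline as well, otherwise a
/// regeneration will revert this. `meaning` still carries the upstream YAML quotes verbatim.
pub(crate) static KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_systemappdata_helium_dat_2",
name: "Notepad Registry Hives",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\SystemAppData\\Helium\\\"*.dat\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Retrieves User.dat and UserClasses.dat. User.dat contains MRU entries. UserClasses.dat contains Shell Bags.\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Notepad.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};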
/// The per-user roaming `Microsoft\Word\` directory, where Word keeps AutoRecover/autosave
/// copies of documents that were open at crash or close time.
/// Collected by the KAPE `OfficeAutosave` target; triage priority Low.
pub(crate) static KAPE_FILE_MICROSOFT_WORD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_word",
name: "Word Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Word\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Word Autosave Location — collected by KAPE OfficeAutosave target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeAutosave.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user roaming `Microsoft\Excel\` directory (Excel autosave location).
/// Collected by the KAPE `OfficeAutosave` target; triage priority Low.
pub(crate) static KAPE_FILE_MICROSOFT_EXCEL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_excel",
name: "Excel Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Excel\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Excel Autosave Location — collected by KAPE OfficeAutosave target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeAutosave.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user roaming `Microsoft\Powerpoint\` directory (PowerPoint autosave location).
/// Collected by the KAPE `OfficeAutosave` target; triage priority Low.
pub(crate) static KAPE_FILE_MICROSOFT_POWERPOINT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_powerpoint",
name: "Powerpoint Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Powerpoint\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Powerpoint Autosave Location — collected by KAPE OfficeAutosave target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeAutosave.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user roaming `Microsoft\Publisher\` directory (Publisher autosave location).
/// Collected by the KAPE `OfficeAutosave` target; triage priority Low.
pub(crate) static KAPE_FILE_MICROSOFT_PUBLISHER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_publisher",
name: "Publisher Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Publisher\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Publisher Autosave Location — collected by KAPE OfficeAutosave target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeAutosave.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `meaning` keeps the upstream YAML quotes verbatim. Given the upstream comment
// ties this file to CVE-2022-30190 (MSDT/"Follina"), mitre_techniques and evidence_strength
// being empty is a gap worth filling from the pipeline side rather than by hand here.
/// `AppData\Local\Diagnostics\PCW.debugreport.xml`, the Program Compatibility Wizard /
/// MSDT diagnostic report; per upstream, payloads delivered via CVE-2022-30190 ("Follina")
/// are logged in it.
/// Collected by the KAPE `OfficeDiagnostics` target; triage priority Low.
pub(crate) static KAPE_FILE_DIAGNOSTICS_PCW_DEBUGREPORT_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_diagnostics_pcw_debugreport_xml",
name: "Office Diagnostics",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Diagnostics\\\"PCW.debugreport.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Payloads for CVE-2022-30190 ('Follina') will be in this log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeDiagnostics.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): same quoted `meaning` and empty mitre_techniques as
// `KAPE_FILE_DIAGNOSTICS_PCW_DEBUGREPORT_XML`; the two differ only in the directory.
/// `AppData\Local\ElevatedDiagnostics\PCW.debugreport.xml` — the elevated-session variant of
/// the diagnostic report that upstream associates with CVE-2022-30190 ("Follina").
/// Collected by the KAPE `OfficeDiagnostics` target; triage priority Low.
pub(crate) static KAPE_FILE_ELEVATEDDIAGNOSTICS_PCW_DEBUGREPORT_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_elevateddiagnostics_pcw_debugreport_xml",
name: "Office Elevated Diagnostics",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\ElevatedDiagnostics\\\"PCW.debugreport.xml\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Payloads for CVE-2022-30190 ('Follina') will be in this log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeDiagnostics.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The per-user Office `OfficeFileCache\` directory (Office Document Cache, used for documents
/// synced from SharePoint/OneDrive); one per Office version, hence the `*` segment.
/// Collected by the KAPE `OfficeDocumentCache` target; triage priority Low.
pub(crate) static KAPE_FILE_OFFICEFILECACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_officefilecache",
name: "Office Document Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Office\\*\\OfficeFileCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Office Document Cache — collected by KAPE OfficeDocumentCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/OfficeDocumentCache.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The whole `C:\PerfLogs\` directory (Performance Monitor data collector output). Note that
/// this world-readable, rarely inspected folder is also a common staging location, so
/// unexpected non-log files in it are worth a look.
/// Collected by the KAPE `PerfLogs` target; triage priority Low.
pub(crate) static KAPE_FILE_C_PERFLOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_perflogs",
name: "Perflogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\PerfLogs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Perflogs — collected by KAPE PerfLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PerfLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
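/// `powershell.config.json` for PowerShell 7 (`C:\Program Files\PowerShell\7\`), which can
/// set the execution policy and logging options for pwsh — relevant when checking whether
/// script-block/transcription logging was weakened.
/// Collected by the KAPE `PowerShell7Config` target; triage priority Low.
///
/// Fix: the generated path read `...\PowerShell\7'powershell.config.json'` — the generator
/// dropped the `\` between the directory and the quoted file mask, so the path named a file
/// called `7'powershell.config.json'` in `PowerShell\` and could never match. Same ingest
/// defect as `KAPE_FILE_LOCALSTATE_TABSTATE_BIN`; fix the pipeline too or a regeneration
/// will revert this. The single quotes around the mask are carried over verbatim as elsewhere.
pub(crate) static KAPE_FILE_POWERSHELL_7_POWERSHELL_CONFIG_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_7_powershell_config_json",
name: "PowerShell 7 Config JSON",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\PowerShell\\7\\'powershell.config.json'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell 7 Config JSON — collected by KAPE PowerShell7Config target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShell7Config.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};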
// NOTE(review): transcripts record full command lines and output, which often include
// credentials; evidence_caveats is empty for this and every other PowerShell transcript entry
// (`KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT`, `KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT`,
// `KAPE_FILE_POWERSHELL_TRANSCRIP`, `..._TXT_2`, `KAPE_FILE_20_..._TXT_2`) — consider
// populating it from the pipeline.
/// PowerShell transcript files (`PowerShell_transcript.*.txt`) in the user's `Documents`
/// folder, the default location when transcription is enabled without an output directory.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_DOCUMENTS_POWERSHELL_TRANSCRIPT_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_documents_powershell_transcript_txt",
name: "PowerShell Transcripts - Default Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Default Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PowerShell transcripts under a date-named subfolder (`20*`, i.e. `YYYYMMDD`) of the user's
/// `Documents` folder — the layout produced when transcription is enabled by policy.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_20_powershell_transcript_txt",
name: "PowerShell Transcripts - Observed Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\Documents\\20*\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Observed Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): five entries share the display name "PowerShell Transcripts - Observed
// Location" and differ only in `id`/`file_path`; a `name`-keyed UI will collapse them.
/// PowerShell transcripts written one level below `C:\Windows\SysWOW64\` — a location
/// observed when 32-bit PowerShell runs under an account whose working directory is there.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_transcript_txt",
name: "PowerShell Transcripts - Observed Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\*\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Observed Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the identifier is truncated ("_TRANSCRIP"), presumably by a generator
// length cap; unique but easy to confuse with `KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT`.
/// PowerShell transcripts under the Amazon EC2Config service's `Scripts\` tree — transcripts
/// left by instance-initialisation scripts on AWS-hosted Windows hosts.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_POWERSHELL_TRANSCRIP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_transcrip",
name: "PowerShell Transcripts - Observed Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\Amazon\\Ec2ConfigService\\Scripts\\*\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Observed Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PowerShell transcripts one level below `C:\Windows\System32\` — the 64-bit counterpart of
/// `KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT`, typically produced by SYSTEM-context sessions whose
/// working directory is System32.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_transcript_txt_2",
name: "PowerShell Transcripts - Observed Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\*\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Observed Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// PowerShell transcripts under `C:\PSTranscript\<YYYYMMDD>\`, a custom transcript output
/// directory seen in some environments' transcription policy.
/// Collected by the KAPE `PowerShellTranscripts` target; triage priority Low.
pub(crate) static KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_20_powershell_transcript_txt_2",
name: "PowerShell Transcripts - Observed Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\PSTranscript\\20*\\'PowerShell_transcript.*.txt'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Transcripts - Observed Location — collected by KAPE PowerShellTranscripts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PowerShellTranscripts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): Prefetch is a core execution artifact, yet mitre_techniques, evidence_strength
// and evidence_caveats are all empty here (e.g. Prefetch is disabled by default on server SKUs
// and on systems with SSDs in some configurations). Worth enriching from the pipeline.
/// `*.pf` Prefetch files in `C:\Windows\prefetch\` — evidence of program execution, run
/// counts and last-run timestamps.
/// Collected by the KAPE `Prefetch` target; triage priority High.
pub(crate) static KAPE_FILE_PREFETCH_PF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prefetch_pf",
name: "Prefetch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\prefetch\\'*.pf'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prefetch — collected by KAPE Prefetch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Prefetch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): shares the display name "Prefetch" with `KAPE_FILE_PREFETCH_PF`; only the
// `Windows.old` path distinguishes it.
/// `*.pf` Prefetch files preserved under `C:\Windows.old\` from a previous installation —
/// useful for execution history predating an in-place upgrade.
/// Collected by the KAPE `Prefetch` target; triage priority High.
pub(crate) static KAPE_FILE_PREFETCH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_prefetch",
name: "Prefetch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\prefetch\\'*.pf'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Prefetch — collected by KAPE Prefetch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Prefetch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The entire `C:\ProgramData\` tree. This is a very broad collection (machine-wide
/// application data for every installed product) and overlaps narrower entries such as
/// `KAPE_FILE_PROGRAMS_LNK`; expect large volume if the consumer walks it recursively.
/// Collected by the KAPE `ProgramData` target; triage priority Low.
pub(crate) static KAPE_FILE_C_PROGRAMDATA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_programdata",
name: "ProgramData",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ProgramData — collected by KAPE ProgramData target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ProgramData.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `appdb.dat`, the older-format Windows Push Notification Service (WNS) store under the
/// user's `Notifications\` folder; superseded by `wpndatabase.db` on newer builds (see
/// `KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_2`). Stored toast notifications can preserve
/// message previews and app activity even after the source data is gone.
/// Collected by the KAPE `PushNotification` target; triage priority Low.
pub(crate) static KAPE_FILE_NOTIFICATIONS_APPDB_DAT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notifications_appdb_dat_2",
name: "WNS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\appdb.dat",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WNS — collected by KAPE PushNotification target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PushNotification.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Windows Push Notification (`WNS`) database `wpndatabase.db`, from the
/// KAPE `PushNotification` target; sibling of `KAPE_FILE_NOTIFICATIONS_APPDB_DAT_2`.
/// Low triage priority, identity decoder, no MITRE mapping.
/// NOTE(review): `_2` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_2: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_notifications_wpndatabase_db_2",
name: "WNS",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WNS — collected by KAPE PushNotification target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/PushNotification.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `%LOCALAPPDATA%\Temp\QuickAssist` directory, from the KAPE `QuickAssist`
/// target (remote-assistance tooling traces). Low triage priority, identity decoder,
/// no MITRE mapping; `related_artifacts` is empty even though the sibling
/// `KAPE_FILE_TEMP_REMOTEHELP` entry comes from the same target.
pub(crate) static KAPE_FILE_TEMP_QUICKASSIST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_quickassist",
name: "Microsoft Quick Assist",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\QuickAssist"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Quick Assist — collected by KAPE QuickAssist target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QuickAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `%LOCALAPPDATA%\Temp\RemoteHelp` directory (Microsoft Remote Help), also
/// sourced from the KAPE `QuickAssist` target. Low triage priority, identity decoder,
/// no MITRE mapping; not cross-linked to `KAPE_FILE_TEMP_QUICKASSIST`.
pub(crate) static KAPE_FILE_TEMP_REMOTEHELP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_temp_remotehelp",
name: "Microsoft Remote Help",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Temp\\RemoteHelp"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Remote Help — collected by KAPE QuickAssist target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/QuickAssist.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user RDP client bitmap cache directory
/// (`%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\`), from the KAPE
/// `RDPCache` target. Low triage priority, identity decoder, no MITRE mapping.
/// Two sibling entries cover the Windows.old and the `Documents and Settings` layouts.
pub(crate) static KAPE_FILE_TERMINAL_SERVER_CLIENT_CACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_terminal_server_client_cache",
name: "RDP Cache Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RDP Cache Files — collected by KAPE RDPCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the per-user RDP client cache directory, from the KAPE
/// `RDPCache` target. Low triage priority, identity decoder, no MITRE mapping.
/// NOTE(review): the static/id name is truncated (`_CACH`), presumably by a
/// generator length limit — harmless, but confirm it is stable across regeneration.
pub(crate) static KAPE_FILE_WINDOWS_OLD_RDP_CACH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_old_rdp_cach",
name: "Windows.old RDP Cache Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Users\\%user%\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows.old RDP Cache Files — collected by KAPE RDPCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RDP client cache directory under the legacy `Documents and Settings` profile
/// layout, from the KAPE `RDPCache` target. Low triage priority, identity decoder.
/// NOTE(review): the path is the pre-Vista profile layout but `os_scope` is
/// `OsScope::Win7Plus`, same as every other entry here — the scope looks like a
/// generator default rather than a per-entry value; confirm before relying on it
/// for OS-based filtering.
pub(crate) static KAPE_FILE_RDP_CACHE_FILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rdp_cache_files",
name: "RDP Cache Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\Local Settings\\Application Data\\Microsoft\\Terminal Server Client\\Cache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RDP Cache Files — collected by KAPE RDPCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user package directory of the Store Remote Desktop client
/// (`Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\`), from the KAPE `RDPJumplist`
/// target. Whole-directory collection; low triage priority, identity decoder, no
/// MITRE mapping.
pub(crate) static KAPE_FILE_PACKAGES_MICROSOFT_REMOTEDESKTOP_8WEKYB3D8BBWE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_packages_microsoft_remotedesktop_8wekyb3d8bbwe",
name: "RDP Jumplist Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Packages\\Microsoft.RemoteDesktop_8wekyb3d8bbwe\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RDP Jumplist Files — collected by KAPE RDPJumplist target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPJumplist.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `Microsoft-Windows-TerminalServices-RemoteConnectionManager*` event log
/// channel files under `System32\winevt\logs`, from the KAPE `RDPLogs` target.
/// High triage priority, identity decoder; no MITRE mapping or field definitions,
/// and no `related_artifacts` link to the other RDPLogs channels in this file.
/// NOTE(review): `_3` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_remoteconn_3",
name: "RemoteConnectionManager Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RemoteConnectionManager Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `TerminalServices-RemoteConnectionManager*` event log
/// channel files, from the KAPE `RDPLogs` target. High triage priority, identity
/// decoder, no MITRE mapping. Static/id name is truncated (`_MANA`) by the generator.
pub(crate) static KAPE_FILE_REMOTECONNECTIONMANA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_remoteconnectionmana",
name: "RemoteConnectionManager Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RemoteConnectionManager Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `Microsoft-Windows-TerminalServices-LocalSessionManager*` event log channel
/// files, from the KAPE `RDPLogs` target. High triage priority, identity decoder,
/// no MITRE mapping or field definitions.
/// NOTE(review): `_3` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_localsessi_3",
name: "LocalSessionManager Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-LocalSessionManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LocalSessionManager Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `TerminalServices-LocalSessionManager*` event log channel
/// files, from the KAPE `RDPLogs` target. High triage priority, identity decoder,
/// no MITRE mapping or field definitions.
pub(crate) static KAPE_FILE_LOCALSESSIONMANAGER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localsessionmanager",
name: "LocalSessionManager Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-LocalSessionManager*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LocalSessionManager Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `Microsoft-Windows-TerminalServices-RDPClient*` event log channel files
/// (outbound RDP client side), from the KAPE `RDPLogs` target. High triage priority,
/// identity decoder, no MITRE mapping or field definitions.
/// NOTE(review): `_3` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_3:
ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_terminalservices_rdpclient_3",
name: "RDPClient Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-RDPClient*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RDPClient Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `TerminalServices-RDPClient*` event log channel files,
/// from the KAPE `RDPLogs` target. High triage priority, identity decoder, no MITRE
/// mapping or field definitions.
pub(crate) static KAPE_FILE_RDPCLIENT_EVENT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rdpclient_event_logs",
name: "RDPClient Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-TerminalServices-RDPClient*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RDPClient Event Logs — collected by KAPE RDPLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*` event log channel files,
/// from the KAPE `RDPLogs` target. High triage priority, identity decoder.
/// NOTE(review): unlike the other RDPLogs entries, `meaning` is the upstream tkape
/// comment copied verbatim — including its surrounding double quotes — instead of the
/// generated `"<name> — collected by KAPE RDPLogs target"` form; the ingest step
/// apparently prefers a `Comment` field when one exists. Consider stripping the quotes.
pub(crate) static KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_3:
ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logs_microsoft_windows_remotedesktopservices_rdpco_3",
name: "RDPCoreTS Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Can be used to correlate RDP logon failures by originating IP\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `RemoteDesktopServices-RdpCoreTS*` event log channel
/// files, from the KAPE `RDPLogs` target. High triage priority, identity decoder.
/// NOTE(review): `meaning` carries the upstream comment with embedded double quotes
/// rather than the generated "— collected by" form (see the live RdpCoreTS entry).
pub(crate) static KAPE_FILE_RDPCORETS_EVENT_LOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rdpcorets_event_logs",
name: "RDPCoreTS Event Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\winevt\\logs\\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Can be used to correlate RDP logon failures by originating IP\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RDPLogs.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `C:\Windows\AppCompat\Programs\RecentFileCache.bcf`, from the KAPE
/// `RecentFileCache` target. Low triage priority, identity decoder, no MITRE mapping
/// or field definitions.
pub(crate) static KAPE_FILE_PROGRAMS_RECENTFILECACHE_BCF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_recentfilecache_bcf",
name: "RecentFileCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\AppCompat\\Programs\\RecentFileCache.bcf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecentFileCache — collected by KAPE RecentFileCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecentFileCache.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of `AppCompat\Programs\RecentFileCache.bcf`, from the KAPE
/// `RecentFileCache` target. Low triage priority, identity decoder, no MITRE mapping
/// or field definitions.
pub(crate) static KAPE_FILE_RECENTFILECACHE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recentfilecache",
name: "RecentFileCache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\AppCompat\\Programs\\RecentFileCache.bcf"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RecentFileCache — collected by KAPE RecentFileCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecentFileCache.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `%APPDATA%\Microsoft\Windows\Recent\` directory (LNK files), from the
/// KAPE `RecentFolders` target. High triage priority, identity decoder, no MITRE
/// mapping or field definitions.
/// NOTE(review): `_2` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_WINDOWS_RECENT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_recent_2",
name: "LNK Files from Recent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNK Files from Recent — collected by KAPE RecentFolders target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecentFolders.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user `%APPDATA%\Microsoft\Office\Recent\` directory (Office LNK files), from
/// the KAPE `RecentFolders` target. High triage priority, identity decoder, no MITRE
/// mapping or field definitions.
/// NOTE(review): `_2` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_OFFICE_RECENT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_office_recent_2",
name: "LNK Files from Microsoft Office Recent",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNK Files from Microsoft Office Recent — collected by KAPE RecentFolders target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecentFolders.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Recycle Bin `$R*` data files directly under `C:\$Recycle.Bin\`, from the KAPE
/// `RecycleBin_DataFiles` target. Low triage priority, identity decoder.
/// NOTE(review): the mask carries literal single quotes (`'$R*'`) and has no per-SID
/// subdirectory wildcard; the sibling `KAPE_FILE_R` entry uses `*\$R*\` instead.
/// This looks like a flattened `Recursive` tkape entry — confirm how the consumer
/// treats the quotes and recursion before using this path for matching.
pub(crate) static KAPE_FILE_RECYCLE_BIN_R: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recycle_bin_r",
name: "Recycle Bin - Windows Vista+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Recycle.Bin\\'$R*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Recycle Bin - Windows Vista+ — collected by KAPE RecycleBin_DataFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin_DataFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Recycle Bin `$R*` entries one level below `C:\$Recycle.Bin\` (the per-SID
/// subdirectories), collected as directories (trailing separator), from the KAPE
/// `RecycleBin_DataFiles` target. Low triage priority, identity decoder.
/// NOTE(review): the static name `KAPE_FILE_R` is the generator's derivation from
/// the `$R*` mask and is not self-describing; it is kept because callers may
/// reference it, but a regeneration with a better naming rule would help.
pub(crate) static KAPE_FILE_R: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_r",
name: "Recycle Bin - Windows Vista+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Recycle.Bin\\*\\$R*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Recycle Bin - Windows Vista+ — collected by KAPE RecycleBin_DataFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin_DataFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy `RECYCLER`-style bin data files (`D*` under `C:\RECYCLE*\`), from the KAPE
/// `RecycleBin_DataFiles` target. Low triage priority, identity decoder.
/// NOTE(review): the entry is named "RECYCLER - WinXP" but `os_scope` is
/// `OsScope::Win7Plus`, like every entry in this file — looks like a generator
/// default rather than a per-entry value; confirm before filtering on it. The mask
/// also carries literal single quotes (`'D*'`).
pub(crate) static KAPE_FILE_RECYCLE_D: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recycle_d",
name: "RECYCLER - WinXP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\RECYCLE*\\'D*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RECYCLER - WinXP — collected by KAPE RecycleBin_DataFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin_DataFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Recycle Bin `$I*` metadata files directly under `C:\$Recycle.Bin\`, from the KAPE
/// `RecycleBin_InfoFiles` target. Low triage priority, identity decoder; no
/// `related_artifacts` link to the matching `$R*` data-file entries.
/// NOTE(review): mask carries literal single quotes (`'$I*'`) and no per-SID
/// wildcard — same caveat as `KAPE_FILE_RECYCLE_BIN_R`; confirm consumer handling.
pub(crate) static KAPE_FILE_RECYCLE_BIN_I: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recycle_bin_i",
name: "Recycle Bin - Windows Vista+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\$Recycle.Bin\\'$I*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Recycle Bin - Windows Vista+ — collected by KAPE RecycleBin_InfoFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin_InfoFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Legacy `RECYCLER`-style `INFO2` index file under `C:\RECYCLE*\`, from the KAPE
/// `RecycleBin_InfoFiles` target. Low triage priority, identity decoder.
/// NOTE(review): named "RECYCLER - WinXP" yet scoped `OsScope::Win7Plus`, and the
/// mask keeps its tkape single quotes (`'INFO2'`) — see `KAPE_FILE_RECYCLE_D`.
pub(crate) static KAPE_FILE_RECYCLE_INFO2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_recycle_info2",
name: "RECYCLER - WinXP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\RECYCLE*\\'INFO2'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RECYCLER - WinXP — collected by KAPE RecycleBin_InfoFiles target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RecycleBin_InfoFiles.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `Registry.dat*` hive under each user's
/// `Packages\*\SystemAppData\Helium\`, from the KAPE `RegistryHivesMSIXApps` target.
/// High triage priority. Although this is a registry hive on disk, the descriptor is
/// typed `ArtifactType::File` with `hive: None` and an identity decoder — hive
/// parsing is left to the consumer.
pub(crate) static KAPE_FILE_HELIUM_REGISTRY_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_helium_registry_dat",
name: "Registry.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\SystemAppData\\Helium\\Registry.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Registry.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `Registry.dat*` hive under `C:\Program Files\WindowsApps\*\`,
/// from the KAPE `RegistryHivesMSIXApps` target. High triage priority; typed as a
/// plain file with an identity decoder (no hive parsing attached).
pub(crate) static KAPE_FILE_REGISTRY_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registry_dat",
name: "Registry.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Program Files\\WindowsApps\\*\\Registry.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Registry.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `Registry.dat*` hive under `C:\Windows\SystemApps\*\`, from the
/// KAPE `RegistryHivesMSIXApps` target. High triage priority; plain-file descriptor
/// with identity decoder. Static/id name is truncated (`_MSIX_HI`) by the generator.
pub(crate) static KAPE_FILE_REGISTRY_DAT_MSIX_HI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_registry_dat_msix_hi",
name: "Registry.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SystemApps\\*\\Registry.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Registry.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `settings.dat*` hive under each user's `Packages\*\Settings\`,
/// from the KAPE `RegistryHivesMSIXApps` target. Low triage priority (the
/// `Registry.dat` entries from the same target are High); identity decoder.
/// NOTE(review): `_2` suffix presumably marks a generator id collision — confirm.
pub(crate) static KAPE_FILE_SETTINGS_SETTINGS_DAT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_settings_settings_dat_2",
name: "settings.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\Settings\\settings.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "settings.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `User.dat*` hive under each user's
/// `Packages\*\SystemAppData\Helium\`, from the KAPE `RegistryHivesMSIXApps` target.
/// Low triage priority; plain-file descriptor with identity decoder.
pub(crate) static KAPE_FILE_HELIUM_USER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_helium_user_dat",
name: "User.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\SystemAppData\\Helium\\User.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-package MSIX `UserClasses.dat*` hive under each user's
/// `Packages\*\SystemAppData\Helium\`, from the KAPE `RegistryHivesMSIXApps` target.
/// Low triage priority; plain-file descriptor with identity decoder.
pub(crate) static KAPE_FILE_HELIUM_USERCLASSES_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_helium_userclasses_dat",
name: "UserClasses.dat MSIX Hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\*\\SystemAppData\\Helium\\UserClasses.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UserClasses.dat MSIX Hive — collected by KAPE RegistryHivesMSIXApps target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesMSIXApps.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `BBI` registry hive file in `C:\Windows\System32\config\`, from the KAPE
/// `RegistryHivesOther` target. High triage priority; typed `ArtifactType::File`
/// with `hive: None` and an identity decoder — raw hive bytes, parsing left to the
/// consumer. Its `.LOG*` transaction files are a separate entry.
pub(crate) static KAPE_FILE_CONFIG_BBI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_bbi",
name: "BBI registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\BBI"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BBI registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `BBI` registry hive
/// (`C:\Windows.old\Windows\System32\config\BBI`), from the KAPE `RegistryHivesOther`
/// target. High triage priority; plain-file descriptor with identity decoder.
pub(crate) static KAPE_FILE_BBI_REGISTRY_HIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bbi_registry_hive",
name: "BBI registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\BBI"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BBI registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `BBI.LOG*` registry transaction log files in `C:\Windows\System32\config\`,
/// from the KAPE `RegistryHivesOther` target. High triage priority, identity decoder.
/// Not cross-linked via `related_artifacts` to the `BBI` hive entry it belongs to.
pub(crate) static KAPE_FILE_CONFIG_BBI_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_bbi_log",
name: "BBI registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\BBI.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BBI registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `BBI.LOG*` registry transaction log files, from the KAPE
/// `RegistryHivesOther` target. High triage priority, identity decoder.
/// NOTE(review): this path is `C:\Windows.old\System32\config\...` while the matching
/// Windows.old hive entry (`KAPE_FILE_BBI_REGISTRY_HIVE`) uses
/// `C:\Windows.old\Windows\System32\config\...`. The same asymmetry appears on the
/// Windows.old `.LOG*` entries for BCD-Template and COMPONENTS. Whether this mirrors
/// the upstream tkape or is an ingest defect is not visible here — verify against
/// the source file before treating the `.LOG*` path as collectable.
pub(crate) static KAPE_FILE_BBI_REGISTRY_TRANSAC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bbi_registry_transac",
name: "BBI registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\BBI.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BBI registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `BCD-Template` registry hive file in `C:\Windows\System32\config\`, from the
/// KAPE `RegistryHivesOther` target. High triage priority; plain-file descriptor
/// (`hive: None`, identity decoder) — raw hive bytes, no parsing attached.
pub(crate) static KAPE_FILE_CONFIG_BCD_TEMPLATE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_bcd_template",
name: "BCD-Template registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\BCD-Template"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BCD-Template registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `BCD-Template` registry hive
/// (`C:\Windows.old\Windows\System32\config\BCD-Template`), from the KAPE
/// `RegistryHivesOther` target. High triage priority; identity decoder. Static/id
/// name is truncated (`_REGISTR`) by the generator.
pub(crate) static KAPE_FILE_BCD_TEMPLATE_REGISTR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bcd_template_registr",
name: "BCD-Template registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\BCD-Template"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "BCD-Template registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `BCD-Template.LOG*` registry transaction log files in
/// `C:\Windows\System32\config\`, from the KAPE `RegistryHivesOther` target. High
/// triage priority, identity decoder; not cross-linked to the `BCD-Template` hive entry.
pub(crate) static KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_bcd_template_log",
name: "BCD-Template registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\BCD-Template.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"BCD-Template registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows.old copy of the `BCD-Template.LOG*` registry transaction log files, from
/// the KAPE `RegistryHivesOther` target. High triage priority, identity decoder.
/// NOTE(review): path is `C:\Windows.old\System32\config\...`, without the `\Windows\`
/// segment that the Windows.old hive entry (`KAPE_FILE_BCD_TEMPLATE_REGISTR`) uses —
/// same asymmetry as the BBI and COMPONENTS `.LOG*` Windows.old entries; verify
/// against the upstream tkape. The `_2` suffix presumably disambiguates an id
/// collision in the generator.
pub(crate) static KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_bcd_template_log_2",
name: "BCD-Template registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\BCD-Template.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"BCD-Template registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `COMPONENTS` registry hive file in `C:\Windows\System32\config\`, from the
/// KAPE `RegistryHivesOther` target. High triage priority; plain-file descriptor
/// (`hive: None`, identity decoder) — raw hive bytes, no parsing attached.
pub(crate) static KAPE_FILE_CONFIG_COMPONENTS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_components",
name: "COMPONENTS registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\COMPONENTS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "COMPONENTS registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_COMPONENTS_REGISTRY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_components_registry",
name: "COMPONENTS registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\COMPONENTS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "COMPONENTS registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`COMPONENTS.LOG*`) of the live COMPONENTS hive; collected by the
/// KAPE RegistryHivesOther target. Presumably these carry hive writes not yet flushed
/// into the primary file, so collect them together with the hive.
pub(crate) static KAPE_FILE_CONFIG_COMPONENTS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_components_log",
name: "COMPONENTS registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\COMPONENTS.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "COMPONENTS registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the COMPONENTS hive from the `Windows.old` pre-upgrade copy.
/// NOTE(review): the `Windows.old` path omits the `Windows\` component used by the
/// matching hive entry above; confirm against the upstream target.
pub(crate) static KAPE_FILE_CONFIG_COMPONENTS_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_components_log_2",
name: "COMPONENTS registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\COMPONENTS.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "COMPONENTS registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live DRIVERS hive (`C:\Windows\System32\config\DRIVERS`); collected by the KAPE
/// RegistryHivesOther target. No evidence/volatility enrichment has been attached.
pub(crate) static KAPE_FILE_CONFIG_DRIVERS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_drivers",
name: "DRIVERS registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\DRIVERS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DRIVERS registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The DRIVERS hive from the `Windows.old` pre-upgrade copy (previous installation).
/// The identifier is the 30-character truncation of the name produced by the ingest
/// pipeline (`..._hiv`), not a typo.
pub(crate) static KAPE_FILE_DRIVERS_REGISTRY_HIV: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_drivers_registry_hiv",
name: "DRIVERS registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\DRIVERS"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DRIVERS registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`DRIVERS.LOG*`) of the live DRIVERS hive; collected by the KAPE
/// RegistryHivesOther target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_DRIVERS_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_drivers_log",
name: "DRIVERS registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\DRIVERS.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DRIVERS registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the DRIVERS hive from the `Windows.old` pre-upgrade copy.
/// NOTE(review): the `Windows.old` path omits the `Windows\` component used by the
/// matching hive entry above; confirm against the upstream target.
pub(crate) static KAPE_FILE_DRIVERS_REGISTRY_TRA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_drivers_registry_tra",
name: "DRIVERS registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\DRIVERS.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "DRIVERS registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live ELAM (Early Launch Anti-Malware) hive (`C:\Windows\System32\config\ELAM`);
/// collected by the KAPE RegistryHivesOther target. Relevant to boot-time driver
/// trust decisions, so tampering here is worth a look even though no enrichment is set.
pub(crate) static KAPE_FILE_CONFIG_ELAM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_elam",
name: "ELAM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\ELAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ELAM registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The ELAM hive from the `Windows.old` pre-upgrade copy (previous installation).
pub(crate) static KAPE_FILE_ELAM_REGISTRY_HIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_elam_registry_hive",
name: "ELAM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\ELAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ELAM registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`ELAM.LOG*`) of the live ELAM hive; collected by the KAPE
/// RegistryHivesOther target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_ELAM_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_elam_log",
name: "ELAM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\ELAM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ELAM registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the ELAM hive from the `Windows.old` pre-upgrade copy.
/// NOTE(review): the `Windows.old` path omits the `Windows\` component used by the
/// matching hive entry above; confirm against the upstream target.
pub(crate) static KAPE_FILE_ELAM_REGISTRY_TRANSA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_elam_registry_transa",
name: "ELAM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\ELAM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "ELAM registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live userdiff hive (`C:\Windows\System32\config\userdiff`); collected by the KAPE
/// RegistryHivesOther target. No evidence/volatility enrichment has been attached.
pub(crate) static KAPE_FILE_CONFIG_USERDIFF: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_userdiff",
name: "userdiff registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\userdiff"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "userdiff registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The userdiff hive from the `Windows.old` pre-upgrade copy (previous installation).
/// Identifier is the ingest pipeline's 30-character truncation of the name (`..._hi`).
pub(crate) static KAPE_FILE_USERDIFF_REGISTRY_HI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_userdiff_registry_hi",
name: "userdiff registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\userdiff"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "userdiff registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`userdiff.LOG*`) of the live userdiff hive; collected by the KAPE
/// RegistryHivesOther target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_USERDIFF_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_userdiff_log",
name: "userdiff registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\userdiff.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "userdiff registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the userdiff hive from the `Windows.old` pre-upgrade copy.
/// NOTE(review): the `Windows.old` path omits the `Windows\` component used by the
/// matching hive entry above; confirm against the upstream target.
pub(crate) static KAPE_FILE_USERDIFF_REGISTRY_TR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_userdiff_registry_tr",
name: "userdiff registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\userdiff.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "userdiff registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live VSMIDK hive (`C:\Windows\System32\config\VSMIDK`); collected by the KAPE
/// RegistryHivesOther target. No evidence/volatility enrichment has been attached.
pub(crate) static KAPE_FILE_CONFIG_VSMIDK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_vsmidk",
name: "VSMIDK registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\VSMIDK"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VSMIDK registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The VSMIDK hive from the `Windows.old` pre-upgrade copy (previous installation).
pub(crate) static KAPE_FILE_VSMIDK_REGISTRY_HIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vsmidk_registry_hive",
name: "VSMIDK registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\VSMIDK"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VSMIDK registry hive — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`VSMIDK.LOG*`) of the live VSMIDK hive; collected by the KAPE
/// RegistryHivesOther target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_VSMIDK_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_vsmidk_log",
name: "VSMIDK registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\VSMIDK.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VSMIDK registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the VSMIDK hive from the `Windows.old` pre-upgrade copy.
/// NOTE(review): the `Windows.old` path omits the `Windows\` component used by the
/// matching hive entry above; confirm against the upstream target.
pub(crate) static KAPE_FILE_VSMIDK_REGISTRY_TRAN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_vsmidk_registry_tran",
name: "VSMIDK registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\System32\\config\\VSMIDK.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VSMIDK registry transaction files — collected by KAPE RegistryHivesOther target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesOther.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`SAM.LOG*`) of the live SAM hive; collected by the KAPE
/// RegistryHivesSystem target. The evidence and volatility fields mirror the SAM hive
/// entry: the logs presumably carry unflushed SAM writes, so handle them with the same
/// credential-exposure care as the hive itself (restricted storage, limited access).
/// The rationale text names the hive rather than the logs; it was copied from the
/// hive entry by the ingest pipeline.
pub(crate) static KAPE_FILE_CONFIG_SAM_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_sam_log",
name: "SAM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SAM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Local account credential hashes; NTLM offline cracking risk"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "SAM hive persists across reboots; protected in-use by Windows",
};
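/// Transaction logs (`SAM.LOG*`) of the SAM hive from the `Windows.old` pre-upgrade
/// copy; collected by the KAPE RegistryHivesSystem target.
///
/// Evidence fields are aligned with the live `KAPE_FILE_CONFIG_SAM_LOG` entry: the
/// same artifact class was carrying the generic "verify presence" placeholder here
/// while its live sibling carries the SAM-specific credential caveat, so the two
/// disagreed on strength for the same data. The `Windows.old` caveat is added because
/// the content reflects the previous installation, not the running one. If this
/// enrichment is produced by an overlay in the ingest pipeline, make the same change
/// there or it will be lost on regeneration.
pub(crate) static KAPE_FILE_SAM_REGISTRY_TRANSAC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sam_registry_transac",
name: "SAM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SAM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Local account credential hashes; NTLM offline cracking risk",
"Windows.old copy reflects the pre-upgrade installation, not the running system",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
// Windows.old is removed by post-upgrade cleanup, so this copy is shorter-lived than
// the live hive's logs.
volatility_rationale: "Pre-upgrade copy; persists until Windows.old is cleaned up or explicitly deleted",
};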
/// Transaction logs (`SECURITY.LOG*`) of the live SECURITY hive; collected by the KAPE
/// RegistryHivesSystem target. NOTE(review): SECURITY holds LSA secrets and cached
/// credentials, so its logs deserve the same restricted handling as the SAM logs even
/// though no evidence enrichment is attached here.
pub(crate) static KAPE_FILE_CONFIG_SECURITY_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_security_log",
name: "SECURITY registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SECURITY.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the SECURITY hive from the `Windows.old` pre-upgrade copy.
/// Identifier is the ingest pipeline's 30-character truncation of the name; the
/// `_tr` suffix (transaction) distinguishes it from the `_hi` (hive) entry.
pub(crate) static KAPE_FILE_SECURITY_REGISTRY_TR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_security_registry_tr",
name: "SECURITY registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SECURITY.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`SOFTWARE.LOG*`) of the live SOFTWARE hive; collected by the KAPE
/// RegistryHivesSystem target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_software_log",
name: "SOFTWARE registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SOFTWARE.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the SOFTWARE hive from the `Windows.old` pre-upgrade copy
/// (previous installation). Identifier is the ingest pipeline's 30-character truncation.
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_TR: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_software_registry_tr",
name: "SOFTWARE registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SOFTWARE.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`SYSTEM.LOG*`) of the live SYSTEM hive; collected by the KAPE
/// RegistryHivesSystem target. Collect alongside the hive so unflushed writes are kept.
pub(crate) static KAPE_FILE_CONFIG_SYSTEM_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_system_log",
name: "SYSTEM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SYSTEM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs of the SYSTEM hive from the `Windows.old` pre-upgrade copy
/// (previous installation). Identifier is the ingest pipeline's 30-character truncation.
pub(crate) static KAPE_FILE_SYSTEM_REGISTRY_TRAN: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_registry_tran",
name: "SYSTEM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SYSTEM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live SAM hive (`C:\Windows\System32\config\SAM`); collected by the KAPE
/// RegistryHivesSystem target. Holds local account credential material, hence the
/// Critical priority and the handling caveat: store collected copies with restricted
/// access and treat them as credential data in chain-of-custody terms.
/// The SYSTEM hive is needed alongside it to interpret the contents.
pub(crate) static KAPE_FILE_CONFIG_SAM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_sam",
name: "SAM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Local account credential hashes; NTLM offline cracking risk"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "SAM hive persists across reboots; protected in-use by Windows",
};
/// The SAM hive from the `Windows.old` pre-upgrade copy. Same handling as the live
/// hive; note that its accounts and hashes describe the previous installation, and
/// the "protected in-use" rationale does not apply to this copy (it is not locked).
pub(crate) static KAPE_FILE_SAM_REGISTRY_HIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sam_registry_hive",
name: "SAM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &["Local account credential hashes; NTLM offline cracking risk"],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "SAM hive persists across reboots; protected in-use by Windows",
};
/// Live SECURITY hive (`C:\Windows\System32\config\SECURITY`); collected by the KAPE
/// RegistryHivesSystem target.
/// NOTE(review): SECURITY holds LSA secrets and cached domain credentials, so it is
/// arguably as sensitive as SAM, yet it carries High priority and no evidence
/// enrichment while SAM is Critical/Definitive — consider aligning the two.
pub(crate) static KAPE_FILE_CONFIG_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_security",
name: "SECURITY registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The SECURITY hive from the `Windows.old` pre-upgrade copy (previous installation).
/// Identifier is the ingest pipeline's 30-character truncation of the name (`_hi`).
pub(crate) static KAPE_FILE_SECURITY_REGISTRY_HI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_security_registry_hi",
name: "SECURITY registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live SOFTWARE hive (`C:\Windows\System32\config\SOFTWARE`); collected by the KAPE
/// RegistryHivesSystem target. No evidence/volatility enrichment has been attached.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_software",
name: "SOFTWARE registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The SOFTWARE hive from the `Windows.old` pre-upgrade copy (previous installation).
/// Identifier is the ingest pipeline's 30-character truncation of the name (`_hi`).
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_HI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_software_registry_hi",
name: "SOFTWARE registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live SYSTEM hive (`C:\Windows\System32\config\SYSTEM`); collected by the KAPE
/// RegistryHivesSystem target. Needed together with SAM/SECURITY to interpret those
/// hives, so it should always be collected with them. No enrichment attached.
pub(crate) static KAPE_FILE_CONFIG_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_system",
name: "SYSTEM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The SYSTEM hive from the `Windows.old` pre-upgrade copy (previous installation).
pub(crate) static KAPE_FILE_SYSTEM_REGISTRY_HIVE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_registry_hive",
name: "SYSTEM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
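/// Transaction logs (`*.LOG*`) under `C:\Windows\System32\config\RegBack`, the
/// periodic registry backup directory; collected by the KAPE RegistryHivesSystem target.
///
/// The generated `file_path` used to read `RegBack\'*.LOG*'` — the single quotes look
/// like YAML quoting of the upstream file mask that the ingest pipeline carried into
/// the string literally. A path matcher would treat them as part of the file name and
/// never match, so they are stripped here. The root cause is in the ingest step (it
/// should unquote the mask); fix it there too or this hand edit is lost on regeneration.
pub(crate) static KAPE_FILE_REGBACK_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_log",
name: "RegBack registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\*.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegBack registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};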
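/// Transaction logs (`*.LOG*`) under the `RegBack` directory of the `Windows.old`
/// pre-upgrade copy; collected by the KAPE RegistryHivesSystem target.
///
/// As with the live RegBack entry, the generated `file_path` carried literal single
/// quotes around the mask (`RegBack\'*.LOG*'`), apparently YAML quoting that the
/// ingest pipeline did not strip; a matcher would never match that name. Stripped
/// here; the ingest step should be fixed as well so regeneration does not undo this.
pub(crate) static KAPE_FILE_REGBACK_REGISTRY_TRA: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_registry_tra",
name: "RegBack registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\*.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "RegBack registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};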
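/// SAM hive from `C:\Windows\System32\config\RegBack`, the periodic registry backup
/// directory; collected by the KAPE RegistryHivesSystem target.
///
/// Evidence fields are aligned with the other SAM entries in this file (the live
/// hive and the `Windows.old` RegBack copy), which carry the SAM-specific credential
/// caveat; this entry had the generic "verify presence" placeholder and a weaker
/// strength for the same artifact class. A RegBack-specific caveat is added: on
/// Windows 10 1803 and later the RegBack hives are normally zero-byte unless periodic
/// backup was re-enabled, so an empty file is expected and not a sign of tampering.
/// The volatility rationale is rewritten because "protected in-use" describes the
/// live hive, not a backup copy. If enrichment comes from an overlay in the ingest
/// pipeline, apply the same change there.
pub(crate) static KAPE_FILE_REGBACK_SAM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_sam",
name: "SAM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Local account credential hashes; NTLM offline cracking risk",
"RegBack copies are normally zero-byte on Windows 10 1803+ unless periodic backup was re-enabled; an empty file is expected, not tampering",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Backup copy persists until the next periodic registry backup overwrites it or it is explicitly deleted",
};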
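/// SAM hive from the `RegBack` directory of the `Windows.old` pre-upgrade copy;
/// collected by the KAPE RegistryHivesSystem target. Identifier is the ingest
/// pipeline's 30-character truncation of the name.
///
/// Two caveats are added to the SAM credential caveat this entry already carried:
/// the RegBack copy is normally zero-byte on Windows 10 1803 and later unless periodic
/// backup was re-enabled, and the `Windows.old` content describes the previous
/// installation. The rationale is rewritten because "protected in-use" describes the
/// live hive, not a pre-upgrade backup copy, and `Windows.old` is removed by
/// post-upgrade cleanup. Mirror the change in the ingest overlay if that is where
/// enrichment is produced.
pub(crate) static KAPE_FILE_SAM_REGISTRY_HIVE_RE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sam_registry_hive_re",
name: "SAM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SAM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SAM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Local account credential hashes; NTLM offline cracking risk",
"RegBack copies are normally zero-byte on Windows 10 1803+ unless periodic backup was re-enabled; an empty file is expected, not tampering",
"Windows.old copy reflects the pre-upgrade installation, not the running system",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Pre-upgrade backup copy; persists until Windows.old is cleaned up or explicitly deleted",
};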
// NOTE(review): the SECURITY hive typically carries LSA secrets (cached domain credentials,
// service-account passwords, the DPAPI system key) — handle the collected copy as credential
// material, not as ordinary configuration. As with the other RegBack entries, expect a 0-byte
// file on Windows 10 1803+ unless periodic registry backup was enabled on the host.
/// RegBack copy of the SECURITY hive from the current installation (RegistryHivesSystem target).
///
/// Rated `High` (the SAM copy in this file is `Critical`); no evidence/volatility assessment yet.
pub(crate) static KAPE_FILE_REGBACK_SECURITY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_security",
name: "SECURITY registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RegBack copy of the SECURITY hive from the pre-upgrade `Windows.old` tree.
///
/// Same handling caveats as the current-install entry above, but the contents describe the
/// previous installation; the file is only present after an in-place upgrade and goes away when
/// `Windows.old` is cleaned up.
pub(crate) static KAPE_FILE_REGBACK_SECURITY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_security_2",
name: "SECURITY registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): RegBack copies are commonly 0 bytes on Windows 10 1803+ unless periodic registry
// backup was enabled; an empty file here is the expected default, not evidence of tampering.
/// RegBack copy of the SOFTWARE hive from the current installation (RegistryHivesSystem target).
///
/// Plain file copy (`Decoder::Identity`), `High` priority, no evidence/volatility assessment yet.
pub(crate) static KAPE_FILE_REGBACK_SOFTWARE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_software",
name: "SOFTWARE registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RegBack copy of the SOFTWARE hive from the pre-upgrade `Windows.old` tree.
///
/// Describes the previous installation, not the running OS; only present after an in-place
/// upgrade and until `Windows.old` is cleaned up.
pub(crate) static KAPE_FILE_REGBACK_SOFTWARE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_software_2",
name: "SOFTWARE registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the SYSTEM hive holds the boot key needed to decrypt the SAM and SECURITY
// hives, so this copy should be collected and kept together with the RegBack SAM/SECURITY
// entries from the same directory. RegBack copies are commonly 0 bytes on Windows 10 1803+
// unless periodic registry backup was enabled — confirm against the host build.
/// RegBack copy of the SYSTEM hive from the current installation (RegistryHivesSystem target).
///
/// `High` priority, plain file copy, no evidence/volatility assessment yet.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// RegBack copy of the SYSTEM hive from the pre-upgrade `Windows.old` tree.
///
/// This is the boot-key source for the `Windows.old` SAM/SECURITY copies in this file; it
/// describes the previous installation and disappears when `Windows.old` is cleaned up.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system_2",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `SYSTEM1` is not a standard hive file name; it is presumably an extra copy the
// upstream tkape lists, but nothing in this descriptor says what produces it — confirm against
// the source target before a consumer treats it as equivalent to `SYSTEM`.
/// Extra `SYSTEM1` file under the current installation's RegBack directory
/// (RegistryHivesSystem target); same shape and priority as the `SYSTEM` entry.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM1: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system1",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SYSTEM1"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The same `SYSTEM1` file from the pre-upgrade `Windows.old` tree.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM1_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system1_2",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SYSTEM1"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): this is the per-user hive of the built-in SYSTEM account (loaded as
// HKU\S-1-5-18). Code running as LocalSystem that writes "user" keys (e.g. Run entries) lands
// here rather than in any interactive user's NTUSER.DAT, so it is worth reviewing for persistence
// even though it is not tagged with a MITRE technique yet — verify with the analyst.
/// NTUSER.DAT hive of the SYSTEM account's profile (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_systemprofile_ntuser_dat",
name: "System Profile registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System Profile registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The SYSTEM-account profile hive from the pre-upgrade `Windows.old` tree; describes the
/// previous installation and is gone once `Windows.old` is cleaned up.
pub(crate) static KAPE_FILE_SYSTEM_PROFILE_REGIS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_profile_regis",
name: "System Profile registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\systemprofile\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System Profile registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the `NTUSER.DAT.LOG*` glob picks up the hive's transaction logs (.LOG1/.LOG2).
// A hive copied from a live system is often "dirty" and needs these logs replayed to recover
// the most recent writes, so they should be collected and parsed together with the hive entry
// above rather than treated as an independent artifact — confirm the parser's expectations.
/// Transaction logs for the SYSTEM-account profile hive (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_systemprofile_ntuser_dat_log",
name: "System Profile registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"System Profile registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The same transaction logs from the pre-upgrade `Windows.old` tree.
pub(crate) static KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_systemprofile_ntuser_dat_log_2",
name: "System Profile registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\systemprofile\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System Profile registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): per-user hive for the built-in LOCAL SERVICE account (loaded as
// HKU\S-1-5-19). Services running under that account write their "user" keys here, so it is a
// candidate location for service-level persistence — no MITRE mapping recorded yet; verify.
/// NTUSER.DAT hive of the LocalService profile (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_LOCALSERVICE_NTUSER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localservice_ntuser_dat",
name: "Local Service registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local Service registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The LocalService profile hive from the pre-upgrade `Windows.old` tree (previous install).
pub(crate) static KAPE_FILE_LOCAL_SERVICE_REGIST: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_local_service_regist",
name: "Local Service registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\ServiceProfiles\\LocalService\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local Service registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): transaction logs (.LOG1/.LOG2) for the LocalService hive; needed to replay
// uncommitted writes into a dirty hive copy, so collect and parse them with the hive entry
// above — confirm the parser's expectations.
/// Transaction logs for the LocalService profile hive (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localservice_ntuser_dat_log",
name: "Local Service registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"Local Service registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The same transaction logs from the pre-upgrade `Windows.old` tree.
pub(crate) static KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localservice_ntuser_dat_log_2",
name: "Local Service registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\ServiceProfiles\\LocalService\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Local Service registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): per-user hive for the built-in NETWORK SERVICE account (loaded as
// HKU\S-1-5-20). Same reasoning as the LocalService entry: services running under this account
// write their "user" keys here, so review it for persistence — no MITRE mapping yet; verify.
/// NTUSER.DAT hive of the NetworkService profile (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_NETWORKSERVICE_NTUSER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkservice_ntuser_dat",
name: "Network Service registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Service registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The NetworkService profile hive from the pre-upgrade `Windows.old` tree (previous install).
pub(crate) static KAPE_FILE_NETWORK_SERVICE_REGI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_service_regi",
name: "Network Service registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Service registry hive — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): transaction logs (.LOG1/.LOG2) for the NetworkService hive; collect and parse
// them with the hive entry above so a dirty hive copy can be replayed — confirm the parser's
// expectations.
/// Transaction logs for the NetworkService profile hive (RegistryHivesSystem target).
pub(crate) static KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkservice_ntuser_dat_log",
name: "Network Service registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Service registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The same transaction logs from the pre-upgrade `Windows.old` tree.
pub(crate) static KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_networkservice_ntuser_dat_log_2",
name: "Network Service registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network Service registry transaction files — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the name and path (`_restore*\RP*\snapshot\_REGISTRY_*`) describe Windows XP
// System Restore points, yet `os_scope` is `Win7Plus`. No XP variant of `OsScope` is visible in
// this file, so the value is left as-is; the ingest pipeline should map this entry to the
// correct scope once one exists, otherwise consumers filtering on OS will never offer it.
/// Registry hive snapshots inside XP-era System Restore points (RegistryHivesSystem target).
///
/// Glob under `System Volume Information`; reading it needs elevated access on the source.
pub(crate) static KAPE_FILE_SNAPSHOT_REGISTRY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snapshot_registry",
name: "System Restore Points Registry Hives (XP)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\System Volume Information\\_restore*\\RP*\\snapshot\\_REGISTRY_*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning:
"System Restore Points Registry Hives (XP) — collected by KAPE RegistryHivesSystem target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesSystem.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): `C:\Documents and Settings\%user%` is the XP-era profile root (the name says
// "XP" too), but `os_scope` is `Win7Plus`; on Vista+ that path is normally a junction to
// `C:\Users`, so this entry mostly duplicates `KAPE_FILE_NTUSER_DAT_REGISTRY`. No XP `OsScope`
// variant is visible here, so the value is left unchanged — fix in the ingest pipeline.
// The trailing `*` in the mask also matches the `.LOG1`/`.LOG2` transaction files.
/// Per-user NTUSER.DAT hive under the XP-style profile root (RegistryHivesUser target).
pub(crate) static KAPE_FILE_USER_NTUSER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_ntuser_dat",
name: "NTUSER.DAT registry hive XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Documents and Settings\\%user%\\NTUSER.DAT*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT registry hive XP — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the mask `NTUSER.DAT*` already matches `NTUSER.DAT.LOG1`/`.LOG2`, so this entry
// and `KAPE_FILE_USER_NTUSER_DAT_LOG` below overlap; consumers that de-duplicate on path should
// expect both descriptors to claim the same files. The per-user hive is commonly where
// user-level persistence (Run keys) and user activity (RecentDocs, UserAssist) are parsed from,
// though no fields or MITRE techniques are recorded here yet — verify with the analyst.
/// Per-user NTUSER.DAT hive (plus anything else matching `NTUSER.DAT*`) under `C:\Users`
/// (RegistryHivesUser target).
pub(crate) static KAPE_FILE_NTUSER_DAT_REGISTRY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ntuser_dat_registry",
name: "NTUSER.DAT registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\NTUSER.DAT*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT registry hive — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`NTUSER.DAT.LOG*`) for the per-user hive; needed to replay a dirty hive
/// copy, and already covered by the wider mask of the entry above.
pub(crate) static KAPE_FILE_USER_NTUSER_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_user_ntuser_dat_log",
name: "NTUSER.DAT registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT registry transaction files — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the upstream name says "NTUSER.DAT DEFAULT", but the file is the DEFAULT hive
// (loaded as HKU\.DEFAULT), i.e. the profile template used before any user logs on — not a
// user's NTUSER.DAT. The name is kept as ingested from KAPE; do not confuse the two when
// correlating with per-user entries.
/// DEFAULT hive from the current installation's `System32\config` (RegistryHivesUser target).
pub(crate) static KAPE_FILE_CONFIG_DEFAULT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_default",
name: "NTUSER.DAT DEFAULT registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\DEFAULT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT registry hive — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The DEFAULT hive from the pre-upgrade `Windows.old` tree (previous installation).
pub(crate) static KAPE_FILE_NTUSER_DAT_DEFAULT_R: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ntuser_dat_default_r",
name: "NTUSER.DAT DEFAULT registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\DEFAULT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT registry hive — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): these DEFAULT transaction-log entries are `Low` priority while every other
// `*.LOG*` transaction-file entry in this section is `High`. If that is deliberate (the DEFAULT
// hive rarely changes) fine, but a dirty DEFAULT hive still needs its logs to replay, so the
// logs should not be dropped when the hive itself is collected — confirm the intended ranking.
/// Transaction logs (`DEFAULT.LOG*`) for the current installation's DEFAULT hive
/// (RegistryHivesUser target).
pub(crate) static KAPE_FILE_CONFIG_DEFAULT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_default_log",
name: "NTUSER.DAT DEFAULT transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\DEFAULT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT transaction files — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// The same DEFAULT transaction logs from the pre-upgrade `Windows.old` tree.
pub(crate) static KAPE_FILE_NTUSER_DAT_DEFAULT_T: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_ntuser_dat_default_t",
name: "NTUSER.DAT DEFAULT transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\DEFAULT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT transaction files — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the mask `UsrClass.dat*` already matches `UsrClass.dat.LOG1`/`.LOG2`, so this
// entry overlaps with the `.LOG*` entry below; path-based de-duplication downstream should
// expect both to claim the same files. UsrClass.dat is commonly parsed for ShellBags and
// per-user COM/class registrations (a known hijack location) — no fields or MITRE mapping are
// recorded yet; verify with the analyst.
/// Per-user UsrClass.dat hive (HKCU\Software\Classes) under `AppData\Local`
/// (RegistryHivesUser target).
pub(crate) static KAPE_FILE_WINDOWS_USRCLASS_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_usrclass_dat",
name: "UsrClass.dat registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UsrClass.dat registry hive — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`UsrClass.dat.LOG*`) for the per-user UsrClass.dat hive; needed to replay
/// a dirty hive copy, and already covered by the wider mask of the entry above.
pub(crate) static KAPE_FILE_WINDOWS_USRCLASS_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_usrclass_dat_log",
name: "UsrClass.dat registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UsrClass.dat registry transaction files — collected by KAPE RegistryHivesUser target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RegistryHivesUser.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): the RoamingProfile target's paths sit at the drive root (`C:\NTUSER.DAT`),
// which is not where a hive lives on a running Windows install. Presumably the target is meant
// to be pointed at a copied roaming-profile directory used as the source drive, so on a live
// `C:\` these entries will rarely match anything — confirm the intended collection workflow
// before ranking them `High` alongside the real `C:\Users\%user%` entries.
/// NTUSER.DAT at the root of a roaming-profile source (RoamingProfile target).
pub(crate) static KAPE_FILE_C_NTUSER_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_ntuser_dat",
name: "NTUSER.DAT registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\NTUSER.DAT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT registry hive — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`NTUSER.DAT.LOG*`) next to the root-level roaming-profile hive above;
/// collect with the hive so a dirty copy can be replayed.
pub(crate) static KAPE_FILE_C_NTUSER_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_ntuser_dat_log",
name: "NTUSER.DAT registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\NTUSER.DAT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT registry transaction files — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): root-level path from the RoamingProfile target — presumably meant for a copied
// profile directory used as the source drive rather than a live `C:\`; confirm the workflow.
// As with the `System32\config` entries, the upstream name says "NTUSER.DAT DEFAULT" but the
// file is the DEFAULT hive, not a user's NTUSER.DAT.
/// DEFAULT hive at the root of a roaming-profile source (RoamingProfile target).
pub(crate) static KAPE_FILE_C_DEFAULT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_default",
name: "NTUSER.DAT DEFAULT registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\DEFAULT"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT registry hive — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`DEFAULT.LOG*`) for the root-level DEFAULT hive above. Ranked `Low` like
/// the other DEFAULT transaction-log entries in this file, while the hive itself is `High`;
/// the logs are still needed to replay a dirty hive copy, so keep them with the hive.
pub(crate) static KAPE_FILE_C_DEFAULT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_default_log",
name: "NTUSER.DAT DEFAULT transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\DEFAULT.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NTUSER.DAT DEFAULT transaction files — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
// NOTE(review): root-level path from the RoamingProfile target — presumably meant for a copied
// profile directory used as the source drive rather than a live `C:\`; confirm the workflow.
// Unlike the `C:\Users\%user%` UsrClass entry, this mask has no trailing `*`, so it does not
// overlap with the `.LOG*` entry below.
/// UsrClass.dat hive at the root of a roaming-profile source (RoamingProfile target).
pub(crate) static KAPE_FILE_C_USRCLASS_DAT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_usrclass_dat",
name: "UsrClass.dat registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\UsrClass.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UsrClass.dat registry hive — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Transaction logs (`UsrClass.dat.LOG*`) for the root-level UsrClass.dat hive above; collect
/// with the hive so a dirty copy can be replayed.
pub(crate) static KAPE_FILE_C_USRCLASS_DAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_usrclass_dat_log",
name: "UsrClass.dat registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\UsrClass.dat.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "UsrClass.dat registry transaction files — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
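// NOTE(review): the ingested path was `C:\'*.LNK'` — the single quotes are not part of the
// file name (they look like YAML quoting around the upstream FileMask that the ingest step did
// not strip), and a glob containing them can never match a real `.LNK` file. The mask is
// corrected here to `C:\*.LNK`; the same fix belongs in the ingest pipeline so a regeneration
// does not reintroduce the quotes. Check other entries for the same artefact.
/// Windows shortcut (`.LNK`) files at the root of a roaming-profile source
/// (RoamingProfile target).
///
/// Root-level path, like the rest of this target — presumably meant for a copied profile
/// directory used as the source drive rather than a live `C:\`; confirm the workflow.
pub(crate) static KAPE_FILE_C_LNK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_lnk",
name: "LNK Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\*.LNK"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LNK Files — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};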
pub(crate) static KAPE_FILE_MICROSOFT_WORD_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_word_2",
name: "Word Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Word\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Word Autosave Location — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
pub(crate) static KAPE_FILE_MICROSOFT_EXCEL_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_excel_2",
name: "Excel Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Excel\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Excel Autosave Location — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the per-user PowerPoint roaming
/// directory (`AppData\Roaming\Microsoft\PowerPoint\`), ingested as a plain
/// file artifact.
///
/// Same shape as [`KAPE_FILE_MICROSOFT_WORD_2`]: no decoder, fields or MITRE
/// mappings, priority `Low`.
pub(crate) static KAPE_FILE_MICROSOFT_POWERPOINT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_powerpoint_2",
name: "PowerPoint Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\PowerPoint\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerPoint Autosave Location — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the per-user Publisher roaming
/// directory (`AppData\Roaming\Microsoft\Publisher\`), ingested as a plain
/// file artifact; no decoder, fields or MITRE mappings, priority `Low`.
///
/// NOTE(review): [`KAPE_FILE_PUBLISHER_AUTOSAVE_L`] below carries the same
/// name and source but points at the Word directory instead. One of the two
/// is presumably an upstream or ingest copy-paste slip — confirm against the
/// tkape in `sources` before treating both as distinct artifacts.
pub(crate) static KAPE_FILE_MICROSOFT_PUBLISHER_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_publisher_2",
name: "Publisher Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Publisher\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Publisher Autosave Location — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry named "Publisher Autosave Location",
/// ingested as a plain file artifact; no decoder, fields or MITRE mappings,
/// priority `Low`.
///
/// NOTE(review): `name` and `meaning` say Publisher, but `file_path` is the
/// Word directory (`AppData\Roaming\Microsoft\Word\`), which is already
/// covered by [`KAPE_FILE_MICROSOFT_WORD_2`]; the Publisher path lives in
/// [`KAPE_FILE_MICROSOFT_PUBLISHER_2`]. Confirm which path the upstream
/// tkape entry actually declares and fix this in the ingest pipeline rather
/// than here, since the file is generated.
pub(crate) static KAPE_FILE_PUBLISHER_AUTOSAVE_L: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_publisher_autosave_l",
name: "Publisher Autosave Location",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Word\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Publisher Autosave Location — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the Office Document Cache
/// (`AppData\Local\Microsoft\Office\*\OfficeFileCache\`), ingested as a
/// plain file artifact; no decoder, fields or MITRE mappings, priority `Low`.
///
/// NOTE(review): [`KAPE_FILE_OFFICE_DOCUMENT_CACH`] below is identical apart
/// from `id`; presumably one is keyed from the KAPE entry name and the other
/// from its path — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_OFFICEFILECACHE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_officefilecache_2",
name: "Office Document Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Office\\*\\OfficeFileCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Office Document Cache — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the Office Document Cache
/// (`AppData\Local\Microsoft\Office\*\OfficeFileCache\`), ingested as a
/// plain file artifact; no decoder, fields or MITRE mappings, priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_OFFICEFILECACHE_2`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_OFFICE_DOCUMENT_CACH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_office_document_cach",
name: "Office Document Cache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Office\\*\\OfficeFileCache\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Office Document Cache — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome bookmark files
/// (`User Data\*\Bookmarks*`, so per-profile, including backups matched by
/// the trailing glob), ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): [`KAPE_FILE_CHROME_BOOKMARKS_3`] below is identical apart
/// from `id`; presumably one is keyed from the KAPE entry name and the other
/// from its path — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_BOOKMARKS_21: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_bookmarks_21",
name: "Chrome bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome bookmarks — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome bookmark files
/// (`User Data\*\Bookmarks*`), ingested as a plain file artifact; priority
/// `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_BOOKMARKS_21`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_BOOKMARKS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_bookmarks_3",
name: "Chrome bookmarks",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Bookmarks*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome bookmarks — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the Chrome cookie store
/// (`User Data\*\Cookies*`, per profile), ingested as a plain file artifact;
/// priority `Medium`, no decoder or fields attached.
///
/// Collected copies may carry live session tokens, so they should be
/// handled under the case's evidence-handling policy rather than shared
/// freely. NOTE(review): [`KAPE_FILE_CHROME_COOKIES_3`] below is identical
/// apart from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_COOKIES_17: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cookies_17",
name: "Chrome Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Cookies — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for the Chrome cookie store
/// (`User Data\*\Cookies*`), ingested as a plain file artifact; priority
/// `Medium`.
///
/// NOTE(review): duplicates [`KAPE_FILE_COOKIES_17`] above in every field but
/// `id` — confirm in the ingest pipeline whether both are wanted. Same
/// handling caveat applies: the copy may carry live session tokens.
pub(crate) static KAPE_FILE_CHROME_COOKIES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_cookies_3",
name: "Chrome Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Cookies*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Cookies — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Current Session` file
/// (per profile under `User Data\*\`), ingested as a plain file artifact;
/// priority `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_CURRENT_SESSI_3`] below is identical
/// apart from `id` — confirm in the ingest pipeline before de-duplicating.
/// `volatility` is `None` here although a "current" session file is
/// presumably rewritten while the browser runs — consider setting it.
pub(crate) static KAPE_FILE_CURRENT_SESSION_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_session_19",
name: "Chrome Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Session — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Current Session` file,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_CURRENT_SESSION_19`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_CURRENT_SESSI_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_current_sessi_3",
name: "Chrome Current Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Session — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Current Tabs` file
/// (per profile under `User Data\*\`), ingested as a plain file artifact;
/// priority `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_CURRENT_TABS_3`] below is identical
/// apart from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_CURRENT_TABS_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_current_tabs_19",
name: "Chrome Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Tabs — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Current Tabs` file,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_CURRENT_TABS_19`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_CURRENT_TABS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_current_tabs_3",
name: "Chrome Current Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Current Tabs",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Current Tabs — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Download Metadata` file
/// (per profile under `User Data\*\`), ingested as a plain file artifact;
/// priority `Medium`, no decoder or fields attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_DOWNLOAD_META`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_DOWNLOAD_METADATA_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_download_metadata_2",
name: "Chrome Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Download Metadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Download Metadata — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Download Metadata` file,
/// ingested as a plain file artifact; priority `Medium`.
///
/// NOTE(review): duplicates [`KAPE_FILE_DOWNLOAD_METADATA_2`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_DOWNLOAD_META: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_download_meta",
name: "Chrome Download Metadata",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Download Metadata",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Download Metadata — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Extension Cookies` store
/// (per profile under `User Data\*\`), ingested as a plain file artifact;
/// priority `Medium`, no decoder or fields attached.
///
/// Like the main cookie store, a collected copy may carry live session
/// tokens and should be handled under the case's evidence-handling policy.
/// NOTE(review): [`KAPE_FILE_CHROME_EXTENSION_COO`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_EXTENSION_COOKIES_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_extension_cookies_18",
name: "Chrome Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Extension Cookies — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Extension Cookies` store,
/// ingested as a plain file artifact; priority `Medium`.
///
/// NOTE(review): duplicates [`KAPE_FILE_EXTENSION_COOKIES_18`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_EXTENSION_COO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_extension_coo",
name: "Chrome Extension Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Extension Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Extension Cookies — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Favicons*` files (per
/// profile under `User Data\*\`), ingested as a plain file artifact; priority
/// `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_FAVICONS_3`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_FAVICONS_22: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_favicons_22",
name: "Chrome Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Favicons — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Favicons*` files,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_FAVICONS_22`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_FAVICONS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_favicons_3",
name: "Chrome Favicons",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Favicons*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Favicons — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `History*` files (per
/// profile under `User Data\*\`), ingested as a plain file artifact; priority
/// `Medium`, no decoder or fields attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_HISTORY_3`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_HISTORY_22: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_history_22",
name: "Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome History — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `History*` files,
/// ingested as a plain file artifact; priority `Medium`.
///
/// NOTE(review): duplicates [`KAPE_FILE_HISTORY_22`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_HISTORY_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_history_3",
name: "Chrome History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\History*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome History — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Last Session` file (per
/// profile under `User Data\*\`), ingested as a plain file artifact; priority
/// `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_LAST_SESSION_3`] below is identical
/// apart from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_LAST_SESSION_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_session_18",
name: "Chrome Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Session — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Last Session` file,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_LAST_SESSION_18`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_LAST_SESSION_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_session_3",
name: "Chrome Last Session",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Session",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Session — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Last Tabs` file (per
/// profile under `User Data\*\`), ingested as a plain file artifact; priority
/// `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_LAST_TABS_3`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_LAST_TABS_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_last_tabs_18",
name: "Chrome Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Tabs — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Last Tabs` file,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_LAST_TABS_18`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_LAST_TABS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_last_tabs_3",
name: "Chrome Last Tabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Last Tabs"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Last Tabs — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `Sessions\`
/// folder, ingested as a plain file artifact; priority `Low`, no decoder
/// attached. The trailing backslash marks this as a directory target, unlike
/// the single-file `Current Session`/`Last Session` entries above.
///
/// NOTE(review): [`KAPE_FILE_CHROME_SESSIONS_FOLD`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_SESSIONS_20: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_sessions_20",
name: "Chrome Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Sessions Folder — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `Sessions\`
/// folder, ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_SESSIONS_20`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_SESSIONS_FOLD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_sessions_fold",
name: "Chrome Sessions Folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Sessions\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Sessions Folder — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Login Data` file (per
/// profile under `User Data\*\`), ingested as a plain file artifact; no
/// decoder or fields attached.
///
/// NOTE(review): `triage_priority` is `Low` here while the sibling Chrome
/// Cookies and History descriptors are `Medium`. The file name suggests it
/// presumably holds saved website logins — confirm whether `Low` is intended,
/// and treat collected copies as credential material under the case's
/// evidence-handling policy. [`KAPE_FILE_CHROME_LOGIN_DATA_3`] below is
/// identical apart from `id`.
pub(crate) static KAPE_FILE_LOGIN_DATA_21: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_login_data_21",
name: "Chrome Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Login Data — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Login Data` file,
/// ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_LOGIN_DATA_21`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted. The
/// same caveats apply: the `Low` priority looks inconsistent with the
/// `Medium` cookie/history descriptors, and collected copies should be
/// handled as credential material.
pub(crate) static KAPE_FILE_CHROME_LOGIN_DATA_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_login_data_3",
name: "Chrome Login Data",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Login Data — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Media History*` files
/// (per profile under `User Data\*\`), ingested as a plain file artifact;
/// priority `Medium`, no decoder or fields attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_MEDIA_HISTORY`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_MEDIA_HISTORY_18: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_media_history_18",
name: "Chrome Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Media History — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Media History*` files,
/// ingested as a plain file artifact; priority `Medium`.
///
/// NOTE(review): duplicates [`KAPE_FILE_MEDIA_HISTORY_18`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_MEDIA_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_media_history",
name: "Chrome Media History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Media History*",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Media History — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Network Action Predictor`
/// file (per profile under `User Data\*\`), ingested as a plain file
/// artifact; priority `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_NETWORK_ACTIO`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_NETWORK_ACTION_PREDICTOR_22: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_action_predictor_22",
name: "Chrome Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Action Predictor — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Network Action Predictor`
/// file, ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_NETWORK_ACTION_PREDICTOR_22`] above
/// in every field but `id` — confirm in the ingest pipeline whether both are
/// wanted.
pub(crate) static KAPE_FILE_CHROME_NETWORK_ACTIO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_network_actio",
name: "Chrome Network Action Predictor",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Action Predictor",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Action Predictor — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Network Persistent State`
/// file (per profile under `User Data\*\`), ingested as a plain file
/// artifact; priority `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_NETWORK_PERSI`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_NETWORK_PERSISTENT_STATE_21: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_network_persistent_state_21",
name: "Chrome Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Persistent State — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's `Network Persistent State`
/// file, ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_NETWORK_PERSISTENT_STATE_21`] above
/// in every field but `id` — confirm in the ingest pipeline whether both are
/// wanted.
pub(crate) static KAPE_FILE_CHROME_NETWORK_PERSI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_network_persi",
name: "Chrome Network Persistent State",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network Persistent State",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Network Persistent State — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `Preferences`
/// file, ingested as a plain file artifact; priority `Low`, no decoder or
/// fields attached.
///
/// Worth a look during triage even at `Low` priority: profile preferences
/// are where browser configuration changes (installed extensions, start-up
/// pages and similar) would presumably be visible — confirm the parsing
/// expectations before attaching a decoder. NOTE(review):
/// [`KAPE_FILE_CHROME_PREFERENCES_3`] below is identical apart from `id`.
pub(crate) static KAPE_FILE_PREFERENCES_22: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_preferences_22",
name: "Chrome Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Preferences — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `Preferences`
/// file, ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_PREFERENCES_22`] above in every field
/// but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_PREFERENCES_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_preferences_3",
name: "Chrome Preferences",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Preferences"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Preferences — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `QuotaManager`
/// file, ingested as a plain file artifact; priority `Low`, no decoder
/// attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_QUOTA_MANAGER`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_QUOTAMANAGER_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_quotamanager_19",
name: "Chrome Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\QuotaManager",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Quota Manager — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile `QuotaManager`
/// file, ingested as a plain file artifact; priority `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_QUOTAMANAGER_19`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_QUOTA_MANAGER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_quota_manager",
name: "Chrome Quota Manager",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\QuotaManager",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Quota Manager — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile
/// `Reporting and NEL` file, ingested as a plain file artifact; priority
/// `Low`, no decoder attached.
///
/// NOTE(review): [`KAPE_FILE_CHROME_REPORTING_AND`] below is identical apart
/// from `id` — confirm in the ingest pipeline before de-duplicating.
pub(crate) static KAPE_FILE_REPORTING_AND_NEL_19: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_reporting_and_nel_19",
name: "Chrome Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Reporting and NEL — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `RoamingProfile` target entry for Chrome's per-profile
/// `Reporting and NEL` file, ingested as a plain file artifact; priority
/// `Low`.
///
/// NOTE(review): duplicates [`KAPE_FILE_REPORTING_AND_NEL_19`] above in every
/// field but `id` — confirm in the ingest pipeline whether both are wanted.
pub(crate) static KAPE_FILE_CHROME_REPORTING_AND: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_chrome_reporting_and",
name: "Chrome Reporting and NEL",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Reporting and NEL",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome Reporting and NEL — collected by KAPE RoamingProfile target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Shortcuts*` files (the database plus any journal/sidecar files
/// matched by the trailing wildcard) under each Chrome profile directory,
/// as collected by the KAPE `RoamingProfile` target.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_SHORTCUTS_21: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_shortcuts_21",
    name: "Chrome Shortcuts",
    meaning: "Chrome Shortcuts — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Shortcuts*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Shortcuts*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_SHORTCUTS_21` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_CHROME_SHORTCUTS_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_shortcuts_3",
    name: "Chrome Shortcuts",
    meaning: "Chrome Shortcuts — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Shortcuts*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Top Sites*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target. The trailing wildcard
/// also picks up journal/sidecar files next to the database.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_TOP_SITES_22: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_top_sites_22",
    name: "Chrome Top Sites",
    meaning: "Chrome Top Sites — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Top Sites*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Top Sites*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_TOP_SITES_22` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_CHROME_TOP_SITES_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_top_sites_3",
    name: "Chrome Top Sites",
    meaning: "Chrome Top Sites — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Top Sites*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Trust Tokens*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_TRUST_TOKENS_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_trust_tokens_18",
    name: "Chrome Trust Tokens",
    meaning: "Chrome Trust Tokens — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Trust Tokens*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_TRUST_TOKENS_18` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_CHROME_TRUST_TOKENS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_trust_tokens",
    name: "Chrome Trust Tokens",
    meaning: "Chrome Trust Tokens — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
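/// Chrome `SyncData.sqlite3` database inside the `Sync Data` directory of
/// each Chrome profile, as collected by the KAPE `RoamingProfile` target.
///
/// Fix: the generated path read `...\*\Sync DataSyncData.sqlite3`, i.e. the
/// directory name `Sync Data` and the file name `SyncData.sqlite3` were
/// concatenated without a path separator, so the path could never match
/// the file on disk. The separator is restored here; the ingest's
/// path/mask join should be fixed so regeneration does not reintroduce it.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_13: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sync_datasyncdata_sqlite3_13",
    name: "Chrome SyncData Database",
    meaning: "Chrome SyncData Database — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};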
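/// Chrome `SyncData.sqlite3` database inside the `Sync Data` directory of
/// each Chrome profile, as collected by the KAPE `RoamingProfile` target.
///
/// Fix: the generated path read `...\*\Sync DataSyncData.sqlite3` — the
/// directory name and the file name were joined without a separator, so
/// the path could never match. The separator is restored here; fix the
/// ingest's path/mask join so regeneration does not reintroduce it.
///
/// NOTE(review): apart from `id`, this entry duplicates
/// `KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_13`; the ingest appears to have
/// emitted the same target entry twice.
pub(crate) static KAPE_FILE_CHROME_SYNCDATA_DATA: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_syncdata_data",
    name: "Chrome SyncData Database",
    meaning: "Chrome SyncData Database — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};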
/// Chrome `Visited Links` file under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_VISITED_LINKS_22: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_visited_links_22",
    name: "Chrome Visited Links",
    meaning: "Chrome Visited Links — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Visited Links"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Visited Links` file under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_VISITED_LINKS_22` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_CHROME_VISITED_LINKS_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_visited_links_3",
    name: "Chrome Visited Links",
    meaning: "Chrome Visited Links — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Visited Links"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Web Data*` files (database plus journal/sidecar files matched
/// by the wildcard) under each Chrome profile directory, as collected by
/// the KAPE `RoamingProfile` target.
///
/// NOTE(review): Chrome's Web Data database typically holds autofill
/// entries (form history, addresses, payment details); treat the collected
/// copy as personal data when storing or sharing triage output — confirm
/// against your handling policy.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_WEB_DATA_22: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_web_data_22",
    name: "Chrome Web Data",
    meaning: "Chrome Web Data — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Web Data*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Chrome `Web Data*` files under each Chrome profile directory, as
/// collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_WEB_DATA_22` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_CHROME_WEB_DATA_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_chrome_web_data_3",
    name: "Chrome Web Data",
    meaning: "Chrome Web Data — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Web Data*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
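/// Per-user `Microsoft\Protect\*` directory (one sub-directory per user
/// SID), as collected by the KAPE `RoamingProfile` target.
///
/// Fix: the generated `meaning` carried the surrounding double quotes from
/// the upstream comment as literal characters (`"\"Required for offline
/// decryption\""`), unlike every other `meaning` in this file. The quotes
/// are removed so the text reads like its neighbours.
///
/// NOTE(review): this directory is where Windows keeps the user's DPAPI
/// master key files; "required for offline decryption" refers to decrypting
/// DPAPI-protected data (browser credentials and similar) away from the
/// host. A collected copy is therefore credential material, not just
/// evidence — restrict access to the triage package accordingly. The
/// generator currently leaves `mitre_techniques` and `evidence_caveats`
/// empty for this entry; consider populating them there.
pub(crate) static KAPE_FILE_PROTECT_18: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_protect_18",
    name: "Windows Protect Folder",
    meaning: "Required for offline decryption",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    // Trailing separator: the whole SID sub-directory is collected.
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry (see NOTE above).
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};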
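/// Per-user `Microsoft\Protect\*` directory (one sub-directory per user
/// SID), as collected by the KAPE `RoamingProfile` target.
///
/// Fix: the generated `meaning` carried literal double quotes copied from
/// the upstream comment, unlike every other `meaning` in this file; they
/// are removed here.
///
/// NOTE(review): this directory holds the user's DPAPI master key files,
/// which is what "required for offline decryption" refers to. A collected
/// copy is credential material — restrict access to the triage package.
/// Apart from `id`, this entry duplicates `KAPE_FILE_PROTECT_18`; the
/// ingest appears to have emitted the same target entry twice.
pub(crate) static KAPE_FILE_WINDOWS_PROTECT_FOLD: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_protect_fold",
    name: "Windows Protect Folder",
    meaning: "Required for offline decryption",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    // Trailing separator: the whole SID sub-directory is collected.
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};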
/// Per-user package directory of the Store-packaged Microsoft Edge
/// (`Microsoft.MicrosoftEdge_8wekyb3d8bbwe`), as collected by the KAPE
/// `RoamingProfile` target. The trailing separator means the whole
/// directory tree is collected.
///
/// NOTE(review): this package name belongs to the legacy (EdgeHTML) Edge;
/// Chromium-based Edge keeps its profile elsewhere under `AppData\Local`.
/// Do not rely on this entry alone for Edge browsing artifacts — confirm
/// which Edge the host runs.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE_2: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_packages_microsoft_microsoftedge_8wekyb3d8bbwe_2",
        name: "Edge folder",
        meaning: "Edge folder — collected by KAPE RoamingProfile target",
        sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
        artifact_type: ArtifactType::File,
        file_path: Some(r"C:\Users\%user%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\"),
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        // Registry coordinates do not apply to a file artifact.
        hive: None,
        key_path: "",
        value_name: None,
        // No enrichment recorded for this entry.
        mitre_techniques: &[],
        fields: &[],
        retention: None,
        related_artifacts: &[],
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Per-user package directory of the Store-packaged Microsoft Edge
/// (`Microsoft.MicrosoftEdge_8wekyb3d8bbwe`), as collected by the KAPE
/// `RoamingProfile` target.
///
/// NOTE(review): identical to
/// `KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE_2` in every
/// field except `id`; the ingest appears to have emitted the same target
/// entry twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_EDGE_FOLDER: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_edge_folder",
    name: "Edge folder",
    meaning: "Edge folder — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Amcache.hve` registry hive, as listed in the KAPE `RoamingProfile`
/// target.
///
/// NOTE(review): the generated path `C:\Amcache.hve` has no directory
/// component. On a live system Amcache.hve normally lives under
/// `C:\Windows\AppCompat\Programs\`; the ingest may have dropped the
/// directory when joining the target's path and file mask. Verify against
/// the upstream tkape before relying on this path for collection.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_C_AMCACHE_HVE: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_amcache_hve",
    name: "Amcache",
    meaning: "Amcache — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Amcache.hve"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `Amcache.hve.LOG*` transaction logs that accompany the Amcache hive, as
/// listed in the KAPE `RoamingProfile` target. Collecting them with the
/// hive lets a parser replay changes not yet flushed into the hive itself.
///
/// NOTE(review): as with `KAPE_FILE_C_AMCACHE_HVE`, the path
/// `C:\Amcache.hve.LOG*` lacks the directory the hive normally sits in
/// (`C:\Windows\AppCompat\Programs\`). Verify against the upstream tkape
/// before relying on this path.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_C_AMCACHE_HVE_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_amcache_hve_log",
    name: "Amcache transaction files",
    meaning: "Amcache transaction files — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Amcache.hve.LOG*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Windows\Recent` directory (recently-opened-item LNK files),
/// as collected by the KAPE `RoamingProfile` target. The trailing
/// separator means the whole directory is collected.
///
/// Triage priority is `High`, matching the other LNK entries in this file.
/// Registry coordinates are unset and no enrichment is recorded.
pub(crate) static KAPE_FILE_WINDOWS_RECENT_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_recent_3",
    name: "LNK Files from Recent",
    meaning: "LNK Files from Recent — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Windows\Recent` directory (recently-opened-item LNK files),
/// as collected by the KAPE `RoamingProfile` target.
///
/// NOTE(review): identical to `KAPE_FILE_WINDOWS_RECENT_3` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_LNK_FILES_FROM_RECEN: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_lnk_files_from_recen",
    name: "LNK Files from Recent",
    meaning: "LNK Files from Recent — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Microsoft\Office\Recent` directory (LNK files for recently
/// opened Office documents), as collected by the KAPE `RoamingProfile`
/// target. The trailing separator means the whole directory is collected.
///
/// Triage priority is `High`, matching the other LNK entries in this file.
/// Registry coordinates are unset and no enrichment is recorded.
pub(crate) static KAPE_FILE_OFFICE_RECENT_3: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_office_recent_3",
    name: "LNK Files from Microsoft Office Recent",
    meaning: "LNK Files from Microsoft Office Recent — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Office\Recent\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `Microsoft\Office\Recent` directory (LNK files for recently
/// opened Office documents), as collected by the KAPE `RoamingProfile`
/// target.
///
/// NOTE(review): identical to `KAPE_FILE_OFFICE_RECENT_3` in every field
/// except `id`; the ingest appears to have emitted the same target entry
/// twice. Deduplicate in the generator rather than by hand here.
pub(crate) static KAPE_FILE_LNK_FILES_FROM_MICRO: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_lnk_files_from_micro",
    name: "LNK Files from Microsoft Office Recent",
    meaning: "LNK Files from Microsoft Office Recent — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Users\%user%\AppData\Roaming\Microsoft\Office\Recent\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// "Desktop LNK Files" entry from the KAPE `RoamingProfile` target.
///
/// NOTE(review): the generated `file_path` is `C:\'*.LNK'`, which cannot be
/// right for an entry named "Desktop LNK Files": it has no `Desktop` (or
/// user-profile) directory component, and the single quotes around the
/// mask are not part of any on-disk name — they look like YAML quoting
/// carried over from the target's `FileMask`. The value is kept verbatim
/// here because the intended directory cannot be recovered from this file
/// alone; fix the ingest's path/mask join and regenerate, and do not rely
/// on this path for collection until then.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_DESKTOP_LNK_FILES_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_desktop_lnk_files_2",
    name: "Desktop LNK Files",
    meaning: "Desktop LNK Files — collected by KAPE RoamingProfile target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/RoamingProfile.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\'*.LNK'"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// SCCM (Configuration Manager) client log directory `C:\Windows\CCM\Logs`,
/// as collected by the KAPE `SCCMClientLogs` target.
///
/// File artifact: registry coordinates are unset and no enrichment
/// (MITRE techniques, parsed fields, retention, evidence/volatility
/// metadata) is recorded for this entry.
pub(crate) static KAPE_FILE_CCM_LOGS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_ccm_logs",
    name: "SCCM Client Log Files",
    meaning: "SCCM Client Log Files — collected by KAPE SCCMClientLogs target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SCCMClientLogs.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\CCM\Logs"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
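/// Custom application-compatibility shim databases (`*.sdb`) under
/// `C:\Windows\apppatch\Custom\`, as collected by the KAPE `SDB` target.
///
/// Fix: the generated glob was `C:\Windows\apppatch\Custom\'*.sdb'` with
/// literal single quotes around the mask. The quotes are not part of any
/// on-disk name (they look like YAML quoting carried over from the target's
/// `FileMask`) and would stop the pattern from matching `.sdb` files; every
/// other glob in this file (`SOFTWARE.LOG*`, `Shortcuts*`, ...) is
/// unquoted. The quotes are dropped here; fix the ingest so regeneration
/// does not reintroduce them.
///
/// NOTE(review): custom shim databases are a known persistence vector, yet
/// `mitre_techniques` is empty and the priority is `Low`. Consider
/// populating the technique list in the generator.
pub(crate) static KAPE_FILE_CUSTOM_SDB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_custom_sdb",
    name: "SDB Files",
    meaning: "SDB Files — collected by KAPE SDB target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SDB.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\apppatch\Custom\*.sdb"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry (see NOTE above).
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};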
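/// Custom application-compatibility shim databases (`*.sdb`) from a
/// pre-upgrade `C:\Windows.old` installation, as collected by the KAPE
/// `SDB` target.
///
/// Fix: the generated glob carried literal single quotes around the mask
/// (`...\Custom\'*.sdb'`). They are not part of any on-disk name and would
/// stop the pattern from matching; other globs in this file are unquoted.
/// The quotes are dropped here; fix the ingest so regeneration does not
/// reintroduce them.
pub(crate) static KAPE_FILE_SDB_FILES: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sdb_files",
    name: "SDB Files",
    meaning: "SDB Files — collected by KAPE SDB target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SDB.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\apppatch\Custom\*.sdb"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};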
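/// 64-bit custom application-compatibility shim databases (`*.sdb`) under
/// `C:\Windows\apppatch\Custom\Custom64\`, as collected by the KAPE `SDB`
/// target.
///
/// Fix: the generated glob carried literal single quotes around the mask
/// (`...\Custom64\'*.sdb'`). They are not part of any on-disk name and
/// would stop the pattern from matching; other globs in this file are
/// unquoted. The quotes are dropped here; fix the ingest so regeneration
/// does not reintroduce them.
pub(crate) static KAPE_FILE_CUSTOM64_SDB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_custom64_sdb",
    name: "SDB Files x64",
    meaning: "SDB Files x64 — collected by KAPE SDB target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SDB.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\apppatch\Custom\Custom64\*.sdb"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};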
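/// 64-bit custom application-compatibility shim databases (`*.sdb`) from a
/// pre-upgrade `C:\Windows.old` installation, as collected by the KAPE
/// `SDB` target.
///
/// Fix: the generated glob carried literal single quotes around the mask
/// (`...\Custom64\'*.sdb'`). They are not part of any on-disk name and
/// would stop the pattern from matching; other globs in this file are
/// unquoted. The quotes are dropped here; fix the ingest so regeneration
/// does not reintroduce them.
pub(crate) static KAPE_FILE_SDB_FILES_X64: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_sdb_files_x64",
    name: "SDB Files x64",
    meaning: "SDB Files x64 — collected by KAPE SDB target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SDB.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\apppatch\Custom\Custom64\*.sdb"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};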
/// SRUM database directory `C:\Windows\System32\SRU\`, as collected by the
/// KAPE `SRUM` target. The trailing separator means the whole directory
/// (database plus its ESE log files) is collected.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_SYSTEM32_SRU: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system32_sru",
    name: "SRUM",
    meaning: "SRUM — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\System32\SRU\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// SRUM database directory from a pre-upgrade `C:\Windows.old`
/// installation, as collected by the KAPE `SRUM` target. The trailing
/// separator means the whole directory is collected.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_SRUM: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_srum",
    name: "SRUM",
    meaning: "SRUM — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\System32\SRU\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `SOFTWARE` registry hive file, included with the KAPE `SRUM` target
/// (the target collects it alongside the SRUM database).
///
/// Although this is a registry hive, it is described here as a file
/// artifact (the hive is collected whole, so `hive`/`key_path`/`value_name`
/// are unset). Triage priority is `High`. No enrichment is recorded.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_software_2",
    name: "SOFTWARE registry hive",
    meaning: "SOFTWARE registry hive — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\System32\config\SOFTWARE"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // The whole hive file is collected; no key/value coordinates apply.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `SOFTWARE` registry hive file from a pre-upgrade `C:\Windows.old`
/// installation, included with the KAPE `SRUM` target.
///
/// Described as a file artifact because the hive is collected whole
/// (`hive`/`key_path`/`value_name` are unset). Triage priority is `High`.
/// No enrichment is recorded for this entry.
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_HI_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_software_registry_hi_2",
    name: "SOFTWARE registry hive",
    meaning: "SOFTWARE registry hive — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\System32\config\SOFTWARE"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // The whole hive file is collected; no key/value coordinates apply.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `SOFTWARE.LOG*` transaction logs for the SOFTWARE hive, included with
/// the KAPE `SRUM` target. Collecting them with the hive lets a parser
/// replay changes not yet flushed into the hive file.
///
/// File artifact: registry coordinates are unset. Triage priority is
/// `High`, matching the hive itself. No enrichment is recorded.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_software_log_2",
    name: "SOFTWARE registry transaction files",
    meaning: "SOFTWARE registry transaction files — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\System32\config\SOFTWARE.LOG*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `SOFTWARE.LOG*` transaction logs for the SOFTWARE hive of a pre-upgrade
/// `C:\Windows.old` installation, included with the KAPE `SRUM` target.
///
/// File artifact: registry coordinates are unset. Triage priority is
/// `High`, matching the hive itself. No enrichment is recorded.
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_TR_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_software_registry_tr_2",
    name: "SOFTWARE registry transaction files",
    meaning: "SOFTWARE registry transaction files — collected by KAPE SRUM target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SRUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\System32\config\SOFTWARE.LOG*"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::High,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
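/// User Access Logging (SUM) database directory
/// `C:\Windows\System32\LogFiles\SUM\`, as collected by the KAPE `SUM`
/// target. The trailing separator means the whole directory is collected,
/// which per the target's own comment covers `Current.mdb`,
/// `SystemIdentity.mdb`, the per-year `[GUID].mdb` files and their ESE
/// log files.
///
/// Fix: the generated `meaning` carried the upstream comment's surrounding
/// double quotes as literal characters, unlike every other `meaning` in
/// this file. The quotes are removed; the wording is otherwise unchanged.
pub(crate) static KAPE_FILE_LOGFILES_SUM: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_logfiles_sum",
    name: "SUM Database (.mdb files)",
    meaning: "Grabs Current.mdb, SystemIdentity.mdb, [GUID].mdb and associated ESE db log files",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUM.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\System32\LogFiles\SUM\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};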
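/// Legacy `at`-style scheduled task files (`*.job`) under
/// `C:\Windows\Tasks\`, as collected by the KAPE `ScheduledTasks` target.
///
/// Fix: the generated glob was `C:\Windows\Tasks\'*.job'` with literal
/// single quotes around the mask. The quotes are not part of any on-disk
/// name (they look like YAML quoting carried over from the target's
/// `FileMask`) and would stop the pattern from matching `.job` files;
/// every other glob in this file is unquoted. The quotes are dropped here;
/// fix the ingest so regeneration does not reintroduce them.
///
/// NOTE(review): scheduled tasks are a common persistence mechanism, yet
/// `mitre_techniques` is empty and the priority is `Low`; consider
/// populating the technique list in the generator.
pub(crate) static KAPE_FILE_TASKS_JOB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_tasks_job",
    name: "at .job",
    meaning: "at .job — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\Tasks\*.job"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry (see NOTE above).
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};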
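/// Legacy `at`-style scheduled task files (`*.job`) from a pre-upgrade
/// `C:\Windows.old` installation, as collected by the KAPE `ScheduledTasks`
/// target.
///
/// Fix: the generated glob carried literal single quotes around the mask
/// (`...\Tasks\'*.job'`). They are not part of any on-disk name and would
/// stop the pattern from matching; other globs in this file are unquoted.
/// The quotes are dropped here; fix the ingest so regeneration does not
/// reintroduce them.
pub(crate) static KAPE_FILE_AT_JOB: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_at_job",
    name: "at .job",
    meaning: "at .job — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\Tasks\*.job"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};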
/// Legacy Task Scheduler text log `C:\Windows\SchedLgU.txt`, as collected
/// by the KAPE `ScheduledTasks` target.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_WINDOWS_SCHEDLGU_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_schedlgu_txt",
    name: "at SchedLgU.txt",
    meaning: "at SchedLgU.txt — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\SchedLgU.txt"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Legacy Task Scheduler text log `SchedLgU.txt` from a pre-upgrade
/// `C:\Windows.old` installation, as collected by the KAPE
/// `ScheduledTasks` target.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_AT_SCHEDLGU_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_at_schedlgu_txt",
    name: "at SchedLgU.txt",
    meaning: "at SchedLgU.txt — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows.old\Windows\SchedLgU.txt"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Scheduled task definition files (XML) under `C:\Windows\System32\Tasks\`,
/// as collected by the KAPE `ScheduledTasks` target. The trailing separator
/// means the whole directory tree is collected. The bare `name` ("XML")
/// is what the upstream target entry is called.
///
/// NOTE(review): scheduled tasks are a common persistence mechanism, yet
/// `mitre_techniques` is empty and the priority is `Low`; consider
/// populating the technique list in the generator.
pub(crate) static KAPE_FILE_SYSTEM32_TASKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system32_tasks",
    name: "XML",
    meaning: "XML — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\System32\Tasks\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry (see NOTE above).
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Scheduled task definition files (XML) under `C:\Windows\syswow64\Tasks\`,
/// the 32-bit-on-64-bit counterpart of `System32\Tasks`, as collected by
/// the KAPE `ScheduledTasks` target. The trailing separator means the whole
/// directory tree is collected.
///
/// File artifact: registry coordinates are unset and no enrichment is
/// recorded for this entry.
pub(crate) static KAPE_FILE_SYSWOW64_TASKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_syswow64_tasks",
    name: "XML",
    meaning: "XML — collected by KAPE ScheduledTasks target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
    artifact_type: ArtifactType::File,
    file_path: Some(r"C:\Windows\syswow64\Tasks\"),
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Registry coordinates do not apply to a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    // No enrichment recorded for this entry.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    related_artifacts: &[],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: the Tasks directory of a pre-upgrade installation
/// (`C:\Windows.old\Windows\System32\Tasks\`), collected as-is on Win7+ hosts.
///
/// NOTE(review): the generated `id` `kape_file_xml` carries no hint of the `Windows.old`
/// path; a consumer keying on ids will find this entry hard to interpret. Presumably the
/// ingest pipeline fell back to `name` because the path-derived id collided — confirm.
pub(crate) static KAPE_FILE_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_xml",
name: "XML",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\Tasks\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "XML — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: the per-user PowerShell `ScheduledJobs` directory under
/// `%user%\AppData\Local\Microsoft\Windows\PowerShell\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): `%user%` is a KAPE path placeholder, not a Windows environment variable;
/// any consumer of `file_path` must expand it per profile. Job definitions here are another
/// persistence-relevant location with `Low` priority and empty `mitre_techniques` — confirm.
pub(crate) static KAPE_FILE_POWERSHELL_SCHEDULEDJOBS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_scheduledjobs",
name: "PowerShell Scheduled_Jobs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: the `Output` subdirectories beneath each per-user
/// PowerShell scheduled job (`ScheduledJobs\*\Output\*\`), collected as-is on Win7+ hosts.
///
/// NOTE(review): the generated `id` `kape_file_output` is path-derived from the last literal
/// segment and is unrelated to PowerShell; the `_2`/`_3` siblings below share this weakness.
pub(crate) static KAPE_FILE_OUTPUT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_output",
name: "PowerShell Scheduled_Jobs Output",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\*\\Output\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs Output — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: PowerShell `ScheduledJobs` under the SYSTEM profile
/// (`C:\Windows\System32\config\systemprofile\AppData\Local\...`), collected as-is on Win7+.
///
/// NOTE(review): jobs under the system profile run without a logged-on user; the `Low`
/// priority is inherited from the upstream target and may understate their value — confirm.
pub(crate) static KAPE_FILE_POWERSHELL_SCHEDULED: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_scheduled",
name: "PowerShell Scheduled_Jobs Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs Systemprofile — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: `Output` subdirectories of PowerShell scheduled jobs under
/// the SYSTEM profile (`...\systemprofile\...\ScheduledJobs\*\Output\*\`), collected as-is.
///
/// NOTE(review): the `_2` suffix on `id` is a collision-breaker from the ingest pipeline, not
/// a meaningful version; do not rely on the numbering being stable across regenerations.
pub(crate) static KAPE_FILE_OUTPUT_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_output_2",
name: "PowerShell Scheduled_Jobs Output Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\*\\Output\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs Output Systemprofile — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: PowerShell `ScheduledJobs` under the WOW64 system profile
/// (`C:\Windows\SysWOW64\config\systemprofile\AppData\Local\...`), collected as-is on Win7+.
///
/// NOTE(review): `_2` on `id` is an ingest collision-breaker; see `KAPE_FILE_OUTPUT_2`.
pub(crate) static KAPE_FILE_POWERSHELL_SCHEDULEDJOBS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_powershell_scheduledjobs_2",
name: "PowerShell Scheduled_Jobs WOW64 Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs WOW64 Systemprofile — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ScheduledTasks` target: `Output` subdirectories of PowerShell scheduled jobs under
/// the WOW64 system profile (`...\SysWOW64\config\systemprofile\...\ScheduledJobs\*\Output\*\`).
///
/// NOTE(review): `_3` on `id` is an ingest collision-breaker; see `KAPE_FILE_OUTPUT_2`.
pub(crate) static KAPE_FILE_OUTPUT_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_output_3",
name: "PowerShell Scheduled_Jobs Output WOW64 Systemprofile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\*\\Output\\*\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "PowerShell Scheduled_Jobs Output WOW64 Systemprofile — collected by KAPE ScheduledTasks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ScheduledTasks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SignatureCatalog` target: the `C:\Windows\System32\CatRoot\` directory, collected
/// as-is (`Decoder::Identity`) on Win7+ hosts.
///
/// NOTE(review): the `meaning` string is the generic "<name> — collected by KAPE <target>"
/// template; what the catalog files contribute to an investigation is not stated here.
pub(crate) static KAPE_FILE_SYSTEM32_CATROOT: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system32_catroot",
name: "SignatureCatalog",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\CatRoot\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SignatureCatalog — collected by KAPE SignatureCatalog target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SignatureCatalog.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SignatureCatalog` target: the `CatRoot` directory of a pre-upgrade installation
/// (`C:\Windows.old\Windows\System32\CatRoot\`), collected as-is on Win7+ hosts.
///
/// NOTE(review): as with `KAPE_FILE_XML`, the `id` does not reflect the `Windows.old` path
/// and only differs from the live-system entry by naming; keep that in mind when joining on id.
pub(crate) static KAPE_FILE_SIGNATURECATALOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_signaturecatalog",
name: "SignatureCatalog",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\CatRoot\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SignatureCatalog — collected by KAPE SignatureCatalog target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SignatureCatalog.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SnipAndSketch` target: temporary `*.png` captures in the `Microsoft.ScreenSketch`
/// package `TempState` directory of every user profile, collected as-is on Win7+ hosts.
///
/// NOTE(review): `file_path` uses `*` for the profile segment and single-quotes the
/// `'*.png'` file mask; that quoting is KAPE target syntax carried through verbatim, so a
/// consumer must strip it before globbing. Screenshots are user content and can carry
/// sensitive material — handle the collected data accordingly.
pub(crate) static KAPE_FILE_TEMPSTATE_PNG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_tempstate_png",
name: "Snip & Sketch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Packages\\Microsoft.ScreenSketch_8wekyb3d8bbwe\\TempState\\'*.png'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SnipAndSketch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SnipAndSketch` target: temporary `*.png` captures in the
/// `MicrosoftWindows.Client.CBS` package `TempState` directory (the Windows 11 22H2+ location
/// per the upstream description), collected as-is.
///
/// NOTE(review): `os_scope` is `Win7Plus` even though `meaning` says Windows 11 22H2+; the
/// generator appears to apply a single default scope to every KAPE entry — confirm before
/// using `os_scope` to filter.
pub(crate) static KAPE_FILE_SNIP_SKETCH: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snip_sketch",
name: "Snip & Sketch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TempState\\'*.png'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Pulls all temporary .png images generated by the Snip & Sketch screen capture tool built into Windows 11 22h2+\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SnipAndSketch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SnipAndSketch` target: `*.json` sidecar files under `TempState\ScreenClip\` of the
/// `MicrosoftWindows.Client.CBS` package (Windows 11 22H2+ per upstream), collected as-is.
///
/// NOTE(review): same `os_scope` caveat as `KAPE_FILE_SNIP_SKETCH`.
pub(crate) static KAPE_FILE_SCREENCLIP_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_screenclip_json",
name: "Snip & Sketch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TempState\\ScreenClip\\'*.json'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Pulls all temporary .json files related to the images generated by the Snip & Sketch screen capture tool built into Windows 11 22h2+\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SnipAndSketch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SnippingTool` target: `*.png` files in each user's `Pictures\Screenshots\` folder,
/// collected as-is on Win7+ hosts.
///
/// NOTE(review): this is end-user content rather than a system artifact; collection under
/// `DataScope::Mixed` is inherited from the generator default and may deserve review.
pub(crate) static KAPE_FILE_SCREENSHOTS_PNG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_screenshots_png",
name: "SnippingTools screenshots in Pictures",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\Pictures\\Screenshots\\'*.png'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Pulls all screenshots made with SnippingTool.exe\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SnippingTool.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SnippingTool` target: cached `*.png` snips under `TempState\Snips\` of the
/// `Microsoft.ScreenSketch` package, collected as-is on Win7+ hosts.
///
/// NOTE(review): the `meaning` text (including the "simlar" typo and the doubled
/// backslashes) is reproduced verbatim from the upstream `.tkape` description; fixing it here
/// would be overwritten on the next ingest run.
pub(crate) static KAPE_FILE_SNIPS_PNG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_snips_png",
name: "SnippingTools screenshots cached",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Packages\\Microsoft.ScreenSketch_8wekyb3d8bbwe\\TempState\\Snips\\'*.png'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Pulls all temporary screenshots made with SnippingTool.exe when the save in Pictures\\\\Screenshots\\\\ is disabled. A simlar but different path used by SnipAndSketch\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SnippingTool.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `StartupFolders` target: the per-user Start Menu `Startup` folder
/// (`%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`), collected as-is.
///
/// NOTE(review): anything placed here runs at logon, which makes it a classic persistence
/// location (T1547.001 is the usual mapping); `Low` priority and empty `mitre_techniques`
/// are generator defaults worth revisiting. Note the path has no trailing separator, unlike
/// most directory entries in this file — presumably harmless, but confirm against the glob code.
pub(crate) static KAPE_FILE_PROGRAMS_STARTUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_programs_startup",
name: "User startup folders",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "User startup folders — collected by KAPE StartupFolders target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/StartupFolders.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `StartupFolders` target: the all-users Start Menu `StartUp` folder under
/// `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): same persistence caveat as `KAPE_FILE_PROGRAMS_STARTUP`; entries here
/// affect every interactive logon on the host.
pub(crate) static KAPE_FILE_SYSTEM_WIDE_STARTUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_wide_startup",
name: "System-wide startup folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "System-wide startup folder — collected by KAPE StartupFolders target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/StartupFolders.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `StartupInfo` target: `*.xml` files under
/// `C:\Windows\System32\WDI\LogFiles\StartupInfo\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): the `meaning` is the generic template; the upstream target name suggests
/// these describe processes started at logon, but that is not stated on this record — confirm.
pub(crate) static KAPE_FILE_STARTUPINFO_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_startupinfo_xml",
name: "StartupInfo XML Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\'*.xml'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "StartupInfo XML Files — collected by KAPE StartupInfo target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/StartupInfo.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `StartupInfo` target: the `WDI\LogFiles\StartupInfo\*.xml` files of a pre-upgrade
/// installation under `C:\Windows.old\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): the `_FILE` suffix on the static name / id is an ingest collision-breaker
/// and carries no meaning; the only real difference from `KAPE_FILE_STARTUPINFO_XML` is the
/// `Windows.old` prefix.
pub(crate) static KAPE_FILE_STARTUPINFO_XML_FILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_startupinfo_xml_file",
name: "StartupInfo XML Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\'*.xml'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "StartupInfo XML Files — collected by KAPE StartupInfo target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/StartupInfo.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Syscache` target: the `Syscache.hve` file in `C:\System Volume Information\`,
/// collected as a raw file (`ArtifactType::File`, `Decoder::Identity`) on Win7+ hosts.
///
/// NOTE(review): although the `.hve` extension indicates a registry-hive-format file, this
/// record keeps `hive: None` and `key_path: ""` because KAPE collects it as a file; any
/// hive-aware consumer must handle parsing separately. `System Volume Information` is
/// normally inaccessible without elevated rights, which may affect collection success.
pub(crate) static KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_system_volume_information_syscache_hve",
name: "Syscache",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\System Volume Information\\'Syscache.hve'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Syscache — collected by KAPE Syscache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Syscache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Syscache` target: the `Syscache.hve.LOG*` transaction files alongside
/// `Syscache.hve`, collected as raw files on Win7+ hosts.
///
/// NOTE(review): transaction logs should be collected together with the hive they belong to
/// (`KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE`) so the hive can be replayed;
/// `related_artifacts` is empty here, so that pairing is not expressed in the data.
pub(crate) static KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE_LOG: ArtifactDescriptor =
ArtifactDescriptor {
id: "kape_file_system_volume_information_syscache_hve_log",
name: "Syscache transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\System Volume Information\\'Syscache.hve.LOG*'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Syscache transaction files — collected by KAPE Syscache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Syscache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `ThumbCache` target: the per-user `thumbcache_*.db` files under
/// `%user%\AppData\Local\Microsoft\Windows\Explorer\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): thumbnail caches contain rendered previews of user files; treat the
/// collected output as user content for handling purposes.
pub(crate) static KAPE_FILE_EXPLORER_THUMBCACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_explorer_thumbcache_db",
name: "Thumbcache DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Explorer\\'thumbcache_*.db'",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Thumbcache DB — collected by KAPE ThumbCache target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/ThumbCache.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `USBDevicesLogs` target: the legacy `C:\Windows\setupapi.log` (the XP-era location
/// per the upstream name), collected as-is.
///
/// NOTE(review): `name` says "XP" but `os_scope` is `Win7Plus`; the generator appears to
/// stamp the same scope on every KAPE entry, so this field cannot be trusted to exclude
/// pre-Win7 artifacts. Whether `OsScope` has a variant that fits was not checked here.
pub(crate) static KAPE_FILE_WINDOWS_SETUPAPI_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_setupapi_log",
name: "Setupapi.log XP",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\setupapi.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Setupapi.log XP — collected by KAPE USBDevicesLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDevicesLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `USBDevicesLogs` target: the `setupapi.*.log` files in `C:\Windows\inf\` (the Win7+
/// location), collected as-is.
///
/// NOTE(review): the `*` in `setupapi.*.log` is a KAPE file mask; unlike the single-quoted
/// masks elsewhere in this file it is unquoted, so consumers should not assume one quoting
/// convention across entries.
pub(crate) static KAPE_FILE_INF_SETUPAPI_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_inf_setupapi_log",
name: "Setupapi.log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\inf\\setupapi.*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Setupapi.log Win7+ — collected by KAPE USBDevicesLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDevicesLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `USBDevicesLogs` target: `setupapi.*.log` files of a pre-upgrade installation under
/// `C:\Windows.old\Windows\inf\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): the static name / id was derived from `name` ("Win7+") rather than the
/// path, so the `Windows.old` origin is invisible from the id alone.
pub(crate) static KAPE_FILE_SETUPAPI_LOG_WIN7: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_setupapi_log_win7",
name: "Setupapi.log Win7+",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\inf\\setupapi.*.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Setupapi.log Win7+ — collected by KAPE USBDevicesLogs target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/USBDevicesLogs.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `UsersFolders` target: the entire per-user profile directory `C:\Users\%user%\`,
/// collected as-is on Win7+ hosts.
///
/// NOTE(review): this is the broadest entry in the file — a full profile capture, including
/// whatever personal data it holds. Consumers that automate collection should make this an
/// explicit opt-in rather than part of a default set, regardless of the `Low` priority.
pub(crate) static KAPE_FILE_USERS_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_users_user",
name: "Users",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Users — collected by KAPE UsersFolders target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/UsersFolders.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualDisks` target: `*.VHD` virtual disk images anchored at `C:\`, collected
/// as-is on Win7+ hosts.
///
/// NOTE(review): whether the `C:\'*.VHD'` mask is recursive is a property of KAPE's target
/// semantics, not of this record — confirm before assuming drive-wide coverage. Disk images
/// can be very large and may embed whole guest file systems; size and handling limits apply.
pub(crate) static KAPE_FILE_C_VHD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vhd",
name: "VHD",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.VHD'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VHD — collected by KAPE VirtualDisks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualDisks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualDisks` target: `*.VHDX` virtual disk images anchored at `C:\`, collected
/// as-is on Win7+ hosts. See `KAPE_FILE_C_VHD` for the recursion and size caveats.
pub(crate) static KAPE_FILE_C_VHDX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vhdx",
name: "VHDX",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.VHDX'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VHDX — collected by KAPE VirtualDisks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualDisks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualDisks` target: `*.VDI` (VirtualBox) disk images anchored at `C:\`, collected
/// as-is on Win7+ hosts. See `KAPE_FILE_C_VHD` for the recursion and size caveats.
pub(crate) static KAPE_FILE_C_VDI: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vdi",
name: "VDI",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.VDI'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VDI — collected by KAPE VirtualDisks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualDisks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `VirtualDisks` target: `*.VMDK` (VMware) disk images anchored at `C:\`, collected
/// as-is on Win7+ hosts. See `KAPE_FILE_C_VHD` for the recursion and size caveats.
pub(crate) static KAPE_FILE_C_VMDK: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_c_vmdk",
name: "VMDK",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\'*.VMDK'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "VMDK — collected by KAPE VirtualDisks target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/VirtualDisks.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WBEM` target: the WMI repository directory `C:\Windows\System32\wbem\Repository\`,
/// collected as-is on Win7+ hosts.
///
/// NOTE(review): the WMI repository is where permanent event subscriptions live, a
/// well-known persistence mechanism (T1546.003 is the usual mapping); `Low` priority and an
/// empty `mitre_techniques` here look like generator defaults rather than a deliberate
/// assessment — confirm. The repository is held open by the WMI service, so collection
/// normally requires raw-disk access.
pub(crate) static KAPE_FILE_WBEM_REPOSITORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wbem_repository",
name: "WBEM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\wbem\\Repository\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WBEM — collected by KAPE WBEM target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WBEM.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WBEM` target: the WMI repository of a pre-upgrade installation under
/// `C:\Windows.old\Windows\System32\wbem\Repository\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): same persistence caveat as `KAPE_FILE_WBEM_REPOSITORY`; the id again drops
/// the `Windows.old` distinction.
pub(crate) static KAPE_FILE_WBEM: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wbem",
name: "WBEM",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\wbem\\Repository\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WBEM — collected by KAPE WBEM target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WBEM.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WER` target: the machine-wide Windows Error Reporting directory
/// `C:\ProgramData\Microsoft\Windows\WER\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): WER report folders can include heap/minidump data from the crashed process,
/// i.e. fragments of process memory; treat the collected output as potentially sensitive.
pub(crate) static KAPE_FILE_WINDOWS_WER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_wer",
name: "WER Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\ProgramData\\Microsoft\\Windows\\WER\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WER Files — collected by KAPE WER target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WER.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WER` target: the per-user Windows Error Reporting directory
/// `%user%\AppData\Local\Microsoft\Windows\WER\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): same memory-content caveat as `KAPE_FILE_WINDOWS_WER`.
pub(crate) static KAPE_FILE_WER_FILES: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_wer_files",
name: "WER Files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\WER\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WER Files — collected by KAPE WER target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WER.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WER` target: per-user `*.dmp` crash dumps under `%user%\AppData\Local\CrashDumps\`,
/// collected as-is on Win7+ hosts.
///
/// NOTE(review): a `.dmp` is a process memory snapshot and may contain credentials, tokens or
/// other secrets that were in memory at crash time; storage and access controls on the
/// collected output should reflect that. The `Low` priority is the generator default.
pub(crate) static KAPE_FILE_CRASHDUMPS_DMP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crashdumps_dmp",
name: "Crash Dumps",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\CrashDumps\\'*.dmp'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Crash Dumps — collected by KAPE WER target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WER.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WER` target: `*.dmp` files directly under `C:\Windows\` (typically system crash
/// dumps), collected as-is on Win7+ hosts.
///
/// NOTE(review): a kernel dump can be multiple gigabytes and contains memory of every
/// process on the host; see the handling caveat on `KAPE_FILE_CRASHDUMPS_DMP`.
pub(crate) static KAPE_FILE_WINDOWS_DMP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_dmp",
name: "Crash Dumps",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\'*.dmp'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Crash Dumps — collected by KAPE WER target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WER.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WER` target: `*.dmp` files of a pre-upgrade installation directly under
/// `C:\Windows.old\Windows\`, collected as-is on Win7+ hosts.
///
/// NOTE(review): see the size and handling caveats on `KAPE_FILE_WINDOWS_DMP`; the id
/// again carries no hint of the `Windows.old` origin.
pub(crate) static KAPE_FILE_CRASH_DUMPS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crash_dumps",
name: "Crash Dumps",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\'*.dmp'"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Crash Dumps — collected by KAPE WER target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WER.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsSubsystemforAndroid` target: `*.log` logcat captures under the WSA package's
/// `LocalState\diagnostics\logcat\` directory, per user, collected as-is.
///
/// NOTE(review): this entry and the other WSA/WSL entries wrap the file mask in escaped
/// double quotes (`\"*.log\"`) where the rest of the file uses single quotes; both forms are
/// copied verbatim from the upstream targets, so path consumers must strip either. The
/// `meaning` is the upstream note that filenames follow a `%timestamp%.log` pattern.
pub(crate) static KAPE_FILE_LOGCAT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_logcat_log",
name: "Diagnostic Logs for WSA",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\\LocalState\\diagnostics\\logcat\\\"*.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Filenames should be %timestamp%.log\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsSubsystemforAndroid.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsSubsystemforAndroid` target: `*.png` files in the WSA package `LocalCache`
/// directory, per user, collected as-is.
///
/// NOTE(review): this is one of the few entries in the span carrying `TriagePriority::Medium`;
/// the upstream description ties these images to which Android apps were downloaded. The
/// Win7+ `os_scope` is the generator default — WSA only exists on Windows 11, so do not use
/// `os_scope` to filter this entry.
pub(crate) static KAPE_FILE_LOCALCACHE_PNG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localcache_png",
name: "App download artifacts (PNG)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\\LocalCache\\\"*.png\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Will provide examiners with indicators of which apps were downloaded\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsSubsystemforAndroid.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsSubsystemforAndroid` target: `*.ico` files in the WSA package `LocalCache`
/// directory, per user, collected as-is; `Medium` priority.
///
/// NOTE(review): per the upstream description the icon's creation time approximates when an
/// app download completed, which makes file-system timestamps the evidentiary value here —
/// a collector that does not preserve them loses most of the point of this entry.
pub(crate) static KAPE_FILE_LOCALCACHE_ICO: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localcache_ico",
name: "App download artifacts (ICO)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\\LocalCache\\\"*.ico\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Will provide examiners with indicators of which apps were downloaded WHEN since .ico files appear immediately when download of an application completes\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsSubsystemforAndroid.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsSubsystemforAndroid` target: the `appcompatdb.json` file in the WSA package
/// `LocalState` directory, per user, collected as-is.
///
/// NOTE(review): the upstream description itself states the file's purpose is unknown, so
/// this record should not be cited as evidence of anything specific until that research
/// exists; `evidence_caveats` is empty and could reasonably carry that warning.
pub(crate) static KAPE_FILE_LOCALSTATE_APPCOMPATDB_JSON: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_appcompatdb_json",
name: "Appcompatdb.json",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\\LocalState\\\"appcompatdb.json\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the appcompatdb.json, unknown exactly what this is but further relevance could be uncovered after more research is conducted\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsSubsystemforAndroid.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `WindowsSubsystemforAndroid` target: the `userdata.vhdx` image in the WSA package
/// `LocalCache` directory, per user, collected as-is.
///
/// NOTE(review): per the upstream description this VHDX holds the Android user data; it is
/// a full virtual disk (large, and user content) and is held open while WSA runs, so
/// collection may need raw-disk access. `Low` priority is the generator default.
pub(crate) static KAPE_FILE_LOCALCACHE_USERDATA_VHDX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localcache_userdata_vhdx",
name: "userdata.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\MicrosoftCorporationII.WindowsSubsystemForAndroid_8wekyb3d8bbwe\\LocalCache\\\"userdata.vhdx\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "\"Grabs the user's data which appears to be stored in a VHDX\"",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsSubsystemforAndroid.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
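/// Debian WSL guest `/etc/debian_version`, read from the distro's on-disk `rootfs` tree on
/// the Windows host volume (KAPE `Debian` target). Identifies the guest release.
///
/// NOTE(review): the `LocalState\rootfs\` layout is how WSL 1 stores a distro; a WSL 2
/// install keeps its filesystem inside `LocalState\ext4.vhdx`, so an absent `rootfs` does
/// not mean the distro is absent — check the `ext4.vhdx` descriptor for the same package.
pub(crate) static KAPE_FILE_ETC_DEBIAN_VERSION: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_debian_version",
name: "Debian WSL /etc/debian_version",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// The ingest carried the tkape FileMask's quotes into the path (`etc\"debian_version"`);
// `"` is not a legal NTFS filename character, so the quoted path never matches.
// Stripped here; fix the ingest as well or regeneration reintroduces it.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\debian_version"),
scope: DataScope::Mixed,
// NOTE(review): WSL does not exist before Windows 10; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/debian_version — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};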
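/// Debian WSL guest `/etc/fstab` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
///
/// Worth a look for host drive mounts or network shares the guest was wired to — a WSL
/// guest that mounts more of the host than the default `/mnt/<drive>` set is unusual.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_FSTAB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_fstab",
name: "Debian WSL /etc/fstab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"fstab"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\fstab"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/fstab — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};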
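/// Debian WSL guest `/etc/os-release` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
/// Confirms the distro name/version; pair with `/etc/debian_version`.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `LocalState\ext4.vhdx` rather
/// than a `rootfs\` directory, so absence here is not absence of the distro.
pub(crate) static KAPE_FILE_ETC_OS_RELEASE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_os_release",
name: "Debian WSL /etc/os-release",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"os-release"`); `"` is not
// a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\os-release"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/os-release — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};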
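/// Debian WSL guest `/etc/passwd` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
///
/// Accounts added inside the guest (a persistence technique) show up here; cross-check
/// against `/etc/shadow` and `/etc/group` from the same package. Because the guest tree
/// lives under the Windows user's profile, it is readable without root in the guest.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_PASSWD: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_passwd",
name: "Debian WSL /etc/passwd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"passwd"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\passwd"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/passwd — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};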
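/// Debian WSL guest `/etc/group` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
/// Membership changes (e.g. a user added to `sudo`) are the thing to look for; read
/// alongside `/etc/passwd` and `/etc/shadow`.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_GROUP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_group",
name: "Debian WSL /etc/group",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"group"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\group"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/group — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};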
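/// Debian WSL guest `/etc/shadow` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
///
/// This file holds the guest's password hashes. Two consequences: (1) the collected copy is
/// credential material and needs the same handling controls as any other secret in the
/// evidence set (restricted storage, chain of custody); (2) because the guest tree sits
/// under the Windows user's profile, the hashes are readable from the host without root in
/// the guest — a useful thing to remember when assessing what a local attacker could reach.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_SHADOW: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_shadow",
name: "Debian WSL /etc/shadow",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"shadow"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\shadow"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/shadow — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};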
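/// Debian WSL guest `/etc/timezone` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
/// Needed to normalise guest-side timestamps (apt logs, cron output) against host time.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_TIMEZONE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_timezone",
name: "Debian WSL /etc/timezone",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"timezone"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\timezone"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/timezone — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};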
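/// Debian WSL guest `/etc/hostname` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
/// Lets guest-originated log lines be tied back to this host.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_HOSTNAME: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hostname",
name: "Debian WSL /etc/hostname",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"hostname"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\hostname"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/hostname — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};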
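/// Debian WSL guest `/etc/hosts` from the WSL 1 `rootfs` tree (KAPE `Debian` target).
///
/// Static name overrides here are a classic place to pin a C2 or update host to a
/// different address, or to blackhole a security vendor's domain; review any entry
/// beyond the stock localhost lines. The guest `hosts` file is separate from the host's
/// `System32\drivers\etc\hosts`, so collect both.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_HOSTS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts_2",
name: "Debian WSL /etc/hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"hosts"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\hosts"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/hosts — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};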
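/// Debian WSL guest system crontab `/etc/crontab` from the WSL 1 `rootfs` tree
/// (KAPE `Debian` target). Scheduled-task persistence inside the guest lands here or in
/// the per-user spool under `/var/spool/cron/crontabs` (collected by a sibling descriptor).
///
/// NOTE(review): cron only runs while the WSL instance is up, so an entry here may never
/// have fired; corroborate with guest logs before treating it as executed.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_CRONTAB: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_crontab",
name: "Debian WSL /etc/crontab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"crontab"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\crontab"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/crontab — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};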
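/// Debian WSL guest system-wide `/etc/bash.bashrc` from the WSL 1 `rootfs` tree
/// (KAPE `Debian` target). Runs for every interactive bash shell in the guest, so an
/// appended command here executes each time anyone opens a WSL terminal — a low-effort
/// persistence point. Diff against a stock copy of the same Debian release.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_BASH_BASHRC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_bash_bashrc",
name: "Debian WSL /etc/bash.bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"bash.bashrc"`); `"` is not
// a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\bash.bashrc"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/bash.bashrc — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};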
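/// Debian WSL guest system-wide `/etc/profile` from the WSL 1 `rootfs` tree
/// (KAPE `Debian` target). Sourced by login shells for every user; like `bash.bashrc`
/// it is a shell-startup persistence point, so compare with a stock copy.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_PROFILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_profile",
name: "Debian WSL /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"profile"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\etc\\profile"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL /etc/profile — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};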
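/// Debian WSL guest bash command history (KAPE `Debian` target). The highest-value item
/// in this target: it is the closest thing to a command log for what was run in the guest.
///
/// Caveats a practitioner needs: bash writes the history file when the shell exits (not
/// per command), so commands from a still-open session are not on disk yet; and an
/// operator can suppress it outright (`unset HISTFILE`, `HISTSIZE=0`, or a leading space
/// with `HISTCONTROL=ignorespace`), so an empty or short file is not proof of inactivity.
/// NOTE(review): per-user history lives in `/root/.bash_history` and
/// `/home/<user>/.bash_history`; this path points at the rootfs root, so confirm the ingest
/// preserved the target's recursive/subdirectory scope rather than flattening it.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_BASH_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bash_history",
name: "Debian WSL .bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".bash_history"`); `"` is
// not a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\.bash_history"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL .bash_history — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};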
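/// Debian WSL guest per-user `.bashrc` (KAPE `Debian` target). Runs on every interactive
/// shell for that user; an appended line here is the per-user analogue of the
/// `/etc/bash.bashrc` persistence point, and is also where history suppression
/// (`HISTFILE`/`HISTSIZE` tampering) would be configured — read it before trusting
/// `.bash_history`.
///
/// NOTE(review): user rc files live in `/root` and `/home/<user>`; this path points at the
/// rootfs root, so confirm the ingest preserved the target's recursive scope.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_BASHRC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bashrc",
name: "Debian WSL .bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".bashrc"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\.bashrc"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL .bashrc — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};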
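/// Debian WSL guest per-user `.profile` (KAPE `Debian` target). Sourced by login shells;
/// same persistence/history-tampering review as `.bashrc`.
///
/// NOTE(review): user profile files live in `/root` and `/home/<user>`; this path points at
/// the rootfs root, so confirm the ingest preserved the target's recursive scope.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_PROFILE: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_profile",
name: "Debian WSL .profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".profile"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\.profile"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL .profile — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};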
/// Debian WSL guest per-user crontab spool, `/var/spool/cron/crontabs/` (KAPE `Debian`
/// target). The path is a directory, so everything under it is in scope — one file per
/// guest user that has ever run `crontab -e`. Together with `/etc/crontab` this is where
/// scheduled-task persistence inside the guest would be declared.
///
/// NOTE(review): cron only fires while the WSL instance is running; an entry here is a
/// declared intent, not proof of execution.
/// NOTE(review): the `rootfs\` tree is the WSL 1 layout; WSL 2 keeps the guest filesystem
/// inside `LocalState\ext4.vhdx`.
pub(crate) static KAPE_FILE_CRON_CRONTABS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cron_crontabs",
name: "Debian WSL User Crontabs",
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\var\\spool\\cron\\crontabs\\"),
meaning: "Debian WSL User Crontabs — collected by KAPE Debian target",
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
artifact_type: ArtifactType::File,
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
triage_priority: TriagePriority::Low,
// Registry-only fields: not applicable to a file artifact.
hive: None,
key_path: "",
value_name: None,
mitre_techniques: &[],
fields: &[],
retention: None,
related_artifacts: &[],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
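/// Debian WSL guest apt logs, `/var/log/apt/*.log` (KAPE `Debian` target). `history.log`
/// and `term.log` record package installs/removals with timestamps and the invoking
/// command line — the cleanest evidence of tooling being staged in the guest.
///
/// NOTE(review): rotated logs are gzip-compressed (`*.log.*.gz`) and are not matched by the
/// `*.log` mask, so older activity needs a wider mask. Timestamps are guest-local; read
/// `/etc/timezone` from the same package before correlating with host events.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_APT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apt_log",
name: "Debian WSL Apt Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`apt\"*.log"`); `"` is not a
// legal NTFS filename character, so the quoted mask never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\rootfs\\var\\log\\apt\\*.log"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL Apt Logs — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};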
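/// Debian WSL 2 guest disk, `LocalState\ext4.vhdx` (KAPE `Debian` target). On a WSL 2
/// install this single image *is* the guest filesystem — every `rootfs\...` descriptor for
/// this package has no on-disk counterpart, and all of `/etc`, `/var/log`, home
/// directories and history live inside this VHDX.
///
/// NOTE(review): the image is large and, while the distro is running, may be locked or
/// copied in a crash-consistent state; `wsl --shutdown` (or `--terminate <distro>`) before
/// collection if the engagement allows. Examine with an ext4-capable tool mounted
/// read-only — `Decoder::Identity` only copies the bytes.
pub(crate) static KAPE_FILE_LOCALSTATE_EXT4_VHDX: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_ext4_vhdx",
name: "Debian WSL ext4.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`LocalState\"ext4.vhdx"`); `"` is
// not a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\TheDebianProject.DebianGNULinux_*\\LocalState\\ext4.vhdx"),
scope: DataScope::Mixed,
// NOTE(review): WSL 2 requires Windows 10 1903+/Windows 11; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Debian WSL ext4.vhdx — collected by KAPE Debian target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Debian.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};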
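/// Kali WSL guest `/etc/debian_version` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Kali is Debian-derived, hence the same release file.
///
/// NOTE(review): the mere presence of a Kali package under a user's profile is itself worth
/// triaging on an endpoint whose owner has no offensive-security role; confirm with the
/// asset owner before reading further artifacts as malicious.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_DEBIAN_VERSION_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_debian_version_2",
name: "Kali WSL /etc/debian_version",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"debian_version"`); `"` is
// not a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\debian_version"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/debian_version — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};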
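/// Kali WSL guest `/etc/fstab` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Review for host drives or network shares mounted into the guest beyond the default
/// `/mnt/<drive>` set.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_FSTAB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_fstab_2",
name: "Kali WSL /etc/fstab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"fstab"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\fstab"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/fstab — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};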
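/// Kali WSL guest `/etc/os-release` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Confirms the distro is actually Kali (and which rolling release) rather than another
/// Debian derivative installed under the same package family name.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_OS_RELEASE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_os_release_2",
name: "Kali WSL /etc/os-release",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"os-release"`); `"` is not
// a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\os-release"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/os-release — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};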
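/// Kali WSL guest `/etc/passwd` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Guest account additions show up here; cross-check with `/etc/shadow` and `/etc/group`
/// from the same package. Readable from the host profile without root in the guest.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_PASSWD_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_passwd_2",
name: "Kali WSL /etc/passwd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"passwd"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\passwd"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/passwd — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};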
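/// Kali WSL guest `/etc/group` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Look for unexpected `sudo`/`root` group membership; read with `/etc/passwd` and
/// `/etc/shadow`.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_GROUP_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_group_2",
name: "Kali WSL /etc/group",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"group"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\group"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/group — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};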
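/// Kali WSL guest `/etc/shadow` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
///
/// Contains the guest's password hashes: the collected copy is credential material and
/// needs restricted storage and chain-of-custody handling like any other secret in the
/// evidence set. Because the guest tree sits under the Windows user's profile, the hashes
/// are readable from the host without root in the guest.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_SHADOW_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_shadow_2",
name: "Kali WSL /etc/shadow",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"shadow"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\shadow"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/shadow — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};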
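/// Kali WSL guest `/etc/timezone` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Needed to normalise guest-side timestamps against host time.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_TIMEZONE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_timezone_2",
name: "Kali WSL /etc/timezone",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"timezone"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\timezone"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/timezone — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};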
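/// Kali WSL guest `/etc/hostname` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Ties guest-originated log lines back to this host.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_HOSTNAME_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hostname_2",
name: "Kali WSL /etc/hostname",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"hostname"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\hostname"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/hostname — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};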
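/// Kali WSL guest `/etc/hosts` from the WSL 1 `rootfs` tree (KAPE `Kali` target).
/// Static overrides here can redirect or blackhole names for tooling run inside the
/// guest; review anything beyond the stock localhost lines. Separate from the host's
/// `System32\drivers\etc\hosts` — collect both.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_HOSTS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts_3",
name: "Kali WSL /etc/hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"hosts"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\hosts"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/hosts — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};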
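/// Kali WSL guest system crontab `/etc/crontab` from the WSL 1 `rootfs` tree
/// (KAPE `Kali` target). Scheduled-task persistence inside the guest lands here or in the
/// per-user spool under `/var/spool/cron/crontabs` (sibling descriptor).
///
/// NOTE(review): cron only runs while the WSL instance is up — an entry is declared intent,
/// not proof of execution.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_CRONTAB_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_crontab_2",
name: "Kali WSL /etc/crontab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"crontab"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\crontab"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/crontab — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};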
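/// Kali WSL guest system-wide `/etc/bash.bashrc` from the WSL 1 `rootfs` tree
/// (KAPE `Kali` target). Runs for every interactive bash shell in the guest; an appended
/// command here is a low-effort persistence point. Diff against a stock Kali copy.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_BASH_BASHRC_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_bash_bashrc_2",
name: "Kali WSL /etc/bash.bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"bash.bashrc"`); `"` is not
// a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\bash.bashrc"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/bash.bashrc — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};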
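/// Kali WSL guest system-wide `/etc/profile` from the WSL 1 `rootfs` tree
/// (KAPE `Kali` target). Sourced by login shells for every user — same shell-startup
/// persistence review as `bash.bashrc`.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_PROFILE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_profile_2",
name: "Kali WSL /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"profile"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\etc\\profile"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL /etc/profile — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};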
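/// Kali WSL guest bash command history (KAPE `Kali` target). On a Kali guest this is the
/// artifact that shows which tools were actually run against what, so it carries the
/// target's highest priority.
///
/// Caveats: bash writes the file on shell exit, so commands from a still-open session are
/// not on disk; `unset HISTFILE`, `HISTSIZE=0` or `HISTCONTROL=ignorespace` suppress it
/// entirely, so a short file is not proof of inactivity. Also check `.bashrc`/`.profile`
/// for such settings.
/// NOTE(review): history lives in `/root/.bash_history` and `/home/<user>/.bash_history`;
/// this path points at the rootfs root, so confirm the ingest preserved the target's
/// recursive scope.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_BASH_HISTORY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bash_history_2",
name: "Kali WSL .bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".bash_history"`); `"` is
// not a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\.bash_history"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL .bash_history — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};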
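/// Kali WSL guest per-user `.bashrc` (KAPE `Kali` target). Runs on every interactive
/// shell for that user — per-user persistence point, and where history suppression
/// (`HISTFILE`/`HISTSIZE`/`HISTCONTROL`) would be set; read before trusting `.bash_history`.
///
/// NOTE(review): user rc files live in `/root` and `/home/<user>`; this path points at the
/// rootfs root, so confirm the ingest preserved the target's recursive scope.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_BASHRC_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bashrc_2",
name: "Kali WSL .bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".bashrc"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\.bashrc"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL .bashrc — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};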
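/// Kali WSL guest per-user `.profile` (KAPE `Kali` target). Sourced by login shells; same
/// persistence/history-tampering review as `.bashrc`.
///
/// NOTE(review): user profile files live in `/root` and `/home/<user>`; this path points at
/// the rootfs root, so confirm the ingest preserved the target's recursive scope.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ROOTFS_PROFILE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_profile_2",
name: "Kali WSL .profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`rootfs\".profile"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\.profile"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL .profile — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};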
/// Kali WSL guest per-user crontab spool, `/var/spool/cron/crontabs/` (KAPE `Kali`
/// target). A directory path, so every per-user crontab beneath it is collected. With
/// `/etc/crontab` this is where scheduled-task persistence inside the guest is declared.
///
/// NOTE(review): cron only fires while the WSL instance is running; an entry is declared
/// intent, not proof of execution.
/// NOTE(review): the `rootfs\` tree is the WSL 1 layout; WSL 2 keeps the guest filesystem
/// inside `LocalState\ext4.vhdx`.
pub(crate) static KAPE_FILE_CRON_CRONTABS_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cron_crontabs_2",
name: "Kali WSL User Crontabs",
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\var\\spool\\cron\\crontabs\\"),
meaning: "Kali WSL User Crontabs — collected by KAPE Kali target",
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
artifact_type: ArtifactType::File,
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
triage_priority: TriagePriority::Low,
// Registry-only fields: not applicable to a file artifact.
hive: None,
key_path: "",
value_name: None,
mitre_techniques: &[],
fields: &[],
retention: None,
related_artifacts: &[],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
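/// Kali WSL guest apt logs, `/var/log/apt/*.log` (KAPE `Kali` target). `history.log` and
/// `term.log` record which tool packages were installed, when, and by which command —
/// on a Kali guest this is direct evidence of the offensive toolset being staged.
///
/// NOTE(review): rotated logs are gzip-compressed (`*.log.*.gz`) and not matched by the
/// `*.log` mask; timestamps are guest-local, so read `/etc/timezone` first.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_APT_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apt_log_2",
name: "Kali WSL Apt Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`apt\"*.log"`); `"` is not a
// legal NTFS filename character, so the quoted mask never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\rootfs\\var\\log\\apt\\*.log"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL Apt Logs — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};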
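/// Kali WSL 2 guest disk, `LocalState\ext4.vhdx` (KAPE `Kali` target). On a WSL 2 install
/// this image *is* the guest filesystem: the `rootfs\...` descriptors for this package will
/// find nothing, and `/etc`, `/var/log`, home directories and history all live inside it.
///
/// NOTE(review): large, and possibly locked or crash-consistent while the distro runs —
/// `wsl --shutdown` / `--terminate` before collection if the engagement allows. Mount
/// read-only with an ext4-capable tool; `Decoder::Identity` only copies bytes.
pub(crate) static KAPE_FILE_LOCALSTATE_EXT4_VHDX_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_ext4_vhdx_2",
name: "Kali WSL ext4.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`LocalState\"ext4.vhdx"`); `"` is
// not a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\KaliLinux.54290C8133FEE_*\\LocalState\\ext4.vhdx"),
scope: DataScope::Mixed,
// NOTE(review): WSL 2 requires Windows 10 1903+/Windows 11; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Kali WSL ext4.vhdx — collected by KAPE Kali target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Kali.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};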
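/// SUSE Linux Enterprise Server WSL guest `/etc/os-release` from the WSL 1 `rootfs` tree
/// (KAPE `SUSELinuxEnterpriseServer` target). Identifies the SLES release.
///
/// NOTE(review): the package glob has no `_` before `*` (unlike the Debian/Kali targets),
/// presumably because the SLES package family name carries a version suffix; left as the
/// upstream target has it.
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_OS_RELEASE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_os_release_3",
name: "SUSE Linux Enterprise Server WSL /etc/os-release",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"os-release"`); `"` is not
// a legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\os-release"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/os-release — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};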
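/// SUSE Linux Enterprise Server WSL guest `/etc/fstab` from the WSL 1 `rootfs` tree
/// (KAPE `SUSELinuxEnterpriseServer` target). Review for host drives or network shares
/// mounted into the guest beyond the default `/mnt/<drive>` set.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_FSTAB_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_fstab_3",
name: "SUSE Linux Enterprise Server WSL /etc/fstab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"fstab"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\fstab"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/fstab — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};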
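/// SUSE Linux Enterprise Server WSL guest `/etc/passwd` from the WSL 1 `rootfs` tree
/// (KAPE `SUSELinuxEnterpriseServer` target). Guest account additions show up here;
/// cross-check with `/etc/group` and `/etc/shadow` from the same package. Readable from
/// the host profile without root in the guest.
///
/// NOTE(review): WSL 2 installs keep the filesystem inside `ext4.vhdx`, not under `rootfs\`.
pub(crate) static KAPE_FILE_ETC_PASSWD_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_passwd_3",
name: "SUSE Linux Enterprise Server WSL /etc/passwd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Ingest carried the tkape FileMask quotes into the path (`etc\"passwd"`); `"` is not a
// legal NTFS filename character, so the quoted path never matches. Fix the ingest too.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\passwd"),
scope: DataScope::Mixed,
// NOTE(review): WSL requires Windows 10+; Win7Plus is the ingest default.
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/passwd — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};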
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's `/etc/group`
/// (local group membership) from the package's `LocalState\rootfs` tree.
/// Pairs with the `/etc/passwd` entry for the same distribution when reviewing
/// which accounts hold privileged group membership (e.g. `sudo`/`wheel`).
pub(crate) static KAPE_FILE_ETC_GROUP_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_group_3",
name: "SUSE Linux Enterprise Server WSL /etc/group",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"group\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/group — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's `/etc/shadow`
/// from the package's `LocalState\rootfs` tree.
/// This file holds local account password hashes: the collected copy is credential
/// material and should be stored and shared under the same controls as a captured
/// SAM hive, regardless of the `Low` triage priority assigned here.
/// NOTE(review): `evidence_caveats` is empty; a sensitivity caveat would be
/// appropriate if the descriptor type supports one.
pub(crate) static KAPE_FILE_ETC_SHADOW_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_shadow_3",
name: "SUSE Linux Enterprise Server WSL /etc/shadow",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"shadow\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/shadow — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's `/etc/timezone`
/// from the package's `LocalState\rootfs` tree.
/// Needed to normalise timestamps found in the distribution's own logs and shell
/// history against the Windows host's clock.
pub(crate) static KAPE_FILE_ETC_TIMEZONE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_timezone_3",
name: "SUSE Linux Enterprise Server WSL /etc/timezone",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"timezone\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/timezone — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's `/etc/hostname`
/// from the package's `LocalState\rootfs` tree.
/// Identifies the name the Linux side reports, which can differ from the Windows
/// host name seen in network telemetry.
pub(crate) static KAPE_FILE_ETC_HOSTNAME_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hostname_3",
name: "SUSE Linux Enterprise Server WSL /etc/hostname",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"hostname\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/hostname — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's `/etc/hosts`
/// (static name resolution) from the package's `LocalState\rootfs` tree.
/// Worth a quick read during triage: unexpected static mappings here can redirect
/// or suppress name resolution inside the Linux environment independently of the
/// Windows `hosts` file.
pub(crate) static KAPE_FILE_ETC_HOSTS_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts_4",
name: "SUSE Linux Enterprise Server WSL /etc/hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"hosts\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/hosts — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's system-wide
/// `/etc/bash.bashrc` from the package's `LocalState\rootfs` tree.
/// Executed for interactive bash shells of every user, so it is a place to check
/// for injected aliases or commands during persistence review.
pub(crate) static KAPE_FILE_ETC_BASH_BASHRC_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_bash_bashrc_3",
name: "SUSE Linux Enterprise Server WSL /etc/bash.bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"bash.bashrc\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/bash.bashrc — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the WSL distribution's system-wide
/// `/etc/profile` (login-shell initialisation) from the package's
/// `LocalState\rootfs` tree. Reviewed alongside `/etc/bash.bashrc` for
/// environment or command modifications that apply to all users.
pub(crate) static KAPE_FILE_ETC_PROFILE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_profile_3",
name: "SUSE Linux Enterprise Server WSL /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\etc\\\"profile\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL /etc/profile — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: `.bash_history` files inside the WSL
/// distribution's `LocalState\rootfs` tree — the shell command history, which is
/// why this entry carries `Medium` priority while the rest of the target is `Low`.
/// NOTE(review): the pattern is anchored directly under `rootfs\`, not under
/// `root\` or `home\*\`; confirm the consumer searches recursively, otherwise no
/// per-user history is collected. History is written on shell exit and is easily
/// cleared, so absence is not evidence of inactivity.
pub(crate) static KAPE_FILE_ROOTFS_BASH_HISTORY_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bash_history_3",
name: "SUSE Linux Enterprise Server WSL .bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\\".bash_history\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL .bash_history — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: per-user `.bashrc` files inside the
/// WSL distribution's `LocalState\rootfs` tree (interactive-shell initialisation).
/// NOTE(review): anchored directly under `rootfs\`; confirm the consumer applies
/// the pattern recursively so home directories are actually covered.
pub(crate) static KAPE_FILE_ROOTFS_BASHRC_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bashrc_3",
name: "SUSE Linux Enterprise Server WSL .bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\\".bashrc\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL .bashrc — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: per-user `.profile` files inside the
/// WSL distribution's `LocalState\rootfs` tree (login-shell initialisation).
/// NOTE(review): anchored directly under `rootfs\`; confirm the consumer applies
/// the pattern recursively so home directories are actually covered.
pub(crate) static KAPE_FILE_ROOTFS_PROFILE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_profile_3",
name: "SUSE Linux Enterprise Server WSL .profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\rootfs\\\".profile\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL .profile — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `SUSELinuxEnterpriseServer` target: the distribution's `ext4.vhdx` virtual
/// disk under `LocalState`.
/// On WSL2 the entire Linux root filesystem lives inside this image, so the
/// sibling `rootfs\etc\...` entries only match WSL1-style installs; for WSL2 the
/// same files must be extracted from this disk. It can be several GB and is in
/// use while the distribution runs. NOTE(review): confirm the consumer does not
/// expect `Decoder::Identity` to make the contents searchable.
pub(crate) static KAPE_FILE_LOCALSTATE_EXT4_VHDX_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_ext4_vhdx_3",
name: "SUSE Linux Enterprise Server WSL ext4.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.SUSELinuxEnterpriseServer*\\LocalState\\\"ext4.vhdx\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SUSE Linux Enterprise Server WSL ext4.vhdx — collected by KAPE SUSELinuxEnterpriseServer target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/SUSELinuxEnterpriseServer.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/os-release` (distribution
/// and version identification) from the `CanonicalGroupLimited.Ubuntu*` package's
/// `LocalState\rootfs` tree.
/// NOTE(review): the quotes around `"os-release"` appear to be carried over from
/// the upstream target definition — confirm the path matcher handles them. WSL
/// only exists on Windows 10 and later; `Win7Plus` looks like a generator default.
pub(crate) static KAPE_FILE_ETC_OS_RELEASE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_os_release_4",
name: "Ubuntu WSL /etc/os-release",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"os-release\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/os-release — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/fstab` (mount configuration)
/// from the package's `LocalState\rootfs` tree.
/// Shows which host drives and network paths the Linux side mounts automatically.
pub(crate) static KAPE_FILE_ETC_FSTAB_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_fstab_4",
name: "Ubuntu WSL /etc/fstab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"fstab\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/fstab — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/passwd` (local account list)
/// from the package's `LocalState\rootfs` tree.
/// Useful for enumerating accounts that exist only inside the Linux environment.
pub(crate) static KAPE_FILE_ETC_PASSWD_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_passwd_4",
name: "Ubuntu WSL /etc/passwd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"passwd\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/passwd — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/group` (local group
/// membership) from the package's `LocalState\rootfs` tree.
/// Pairs with the `/etc/passwd` entry when checking for privileged group members.
pub(crate) static KAPE_FILE_ETC_GROUP_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_group_4",
name: "Ubuntu WSL /etc/group",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"group\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/group — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/shadow` from the package's
/// `LocalState\rootfs` tree.
/// This file holds local account password hashes: the collected copy is credential
/// material and should be stored and shared under the same controls as a captured
/// SAM hive, regardless of the `Low` triage priority assigned here.
/// NOTE(review): `evidence_caveats` is empty; a sensitivity caveat would be
/// appropriate if the descriptor type supports one.
pub(crate) static KAPE_FILE_ETC_SHADOW_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_shadow_4",
name: "Ubuntu WSL /etc/shadow",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"shadow\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/shadow — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/timezone` from the package's
/// `LocalState\rootfs` tree.
/// Needed to normalise timestamps in the distribution's own logs and shell history
/// against the Windows host's clock.
pub(crate) static KAPE_FILE_ETC_TIMEZONE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_timezone_4",
name: "Ubuntu WSL /etc/timezone",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"timezone\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/timezone — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/hostname` from the package's
/// `LocalState\rootfs` tree.
/// The name the Linux side reports, which can differ from the Windows host name.
pub(crate) static KAPE_FILE_ETC_HOSTNAME_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hostname_4",
name: "Ubuntu WSL /etc/hostname",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"hostname\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/hostname — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's `/etc/hosts` (static name
/// resolution) from the package's `LocalState\rootfs` tree.
/// Unexpected static mappings here affect name resolution inside the Linux
/// environment independently of the Windows `hosts` file.
pub(crate) static KAPE_FILE_ETC_HOSTS_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts_5",
name: "Ubuntu WSL /etc/hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"hosts\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/hosts — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's system cron table `/etc/crontab`
/// from the package's `LocalState\rootfs` tree.
/// Scheduled jobs are a standard persistence checkpoint; review entries here
/// together with the per-user crontabs collected by the same target.
/// NOTE(review): `mitre_techniques` is empty although a scheduled-job technique
/// mapping would apply — confirm whether the generator intends to fill this.
pub(crate) static KAPE_FILE_ETC_CRONTAB_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_crontab_3",
name: "Ubuntu WSL /etc/crontab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"crontab\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/crontab — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's system-wide `/etc/bash.bashrc`
/// from the package's `LocalState\rootfs` tree.
/// Executed for interactive bash shells of every user, so it is a place to check
/// for injected aliases or commands during persistence review.
pub(crate) static KAPE_FILE_ETC_BASH_BASHRC_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_bash_bashrc_4",
name: "Ubuntu WSL /etc/bash.bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"bash.bashrc\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/bash.bashrc — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the WSL distribution's system-wide `/etc/profile`
/// (login-shell initialisation) from the package's `LocalState\rootfs` tree.
/// Reviewed alongside `/etc/bash.bashrc` for modifications that apply to all users.
pub(crate) static KAPE_FILE_ETC_PROFILE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_profile_4",
name: "Ubuntu WSL /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\etc\\\"profile\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL /etc/profile — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: `.bash_history` files inside the WSL distribution's
/// `LocalState\rootfs` tree — the shell command history, which is why this entry
/// carries `Medium` priority while the rest of the target is `Low`.
/// NOTE(review): the pattern is anchored directly under `rootfs\`, not under
/// `root\` or `home\*\`; confirm the consumer searches recursively. History is
/// written on shell exit and is easily cleared, so absence is not evidence of
/// inactivity.
pub(crate) static KAPE_FILE_ROOTFS_BASH_HISTORY_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bash_history_4",
name: "Ubuntu WSL .bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\\".bash_history\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL .bash_history — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: per-user `.bashrc` files inside the WSL distribution's
/// `LocalState\rootfs` tree (interactive-shell initialisation).
/// NOTE(review): anchored directly under `rootfs\`; confirm the consumer applies
/// the pattern recursively so home directories are actually covered.
pub(crate) static KAPE_FILE_ROOTFS_BASHRC_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bashrc_4",
name: "Ubuntu WSL .bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\\".bashrc\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL .bashrc — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: per-user `.profile` files inside the WSL distribution's
/// `LocalState\rootfs` tree (login-shell initialisation).
/// NOTE(review): anchored directly under `rootfs\`; confirm the consumer applies
/// the pattern recursively so home directories are actually covered.
pub(crate) static KAPE_FILE_ROOTFS_PROFILE_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_profile_4",
name: "Ubuntu WSL .profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\\".profile\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL .profile — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the per-user crontab directory
/// `/var/spool/cron/crontabs/` inside the WSL distribution's `LocalState\rootfs`
/// tree. Unlike the other entries of this target the pattern ends in a directory
/// separator, so it presumably collects the whole directory — one file per user
/// with a crontab. A standard persistence checkpoint; review together with
/// `/etc/crontab`.
pub(crate) static KAPE_FILE_CRON_CRONTABS_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_cron_crontabs_3",
name: "Ubuntu WSL User Crontabs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\var\\spool\\cron\\crontabs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL User Crontabs — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: `/var/log/apt/*.log` inside the WSL distribution's
/// `LocalState\rootfs` tree — the package manager's install/remove history.
/// Useful for establishing when tooling was introduced into the Linux
/// environment. NOTE(review): the quoted `"*.log"` mask appears to be carried
/// over from the upstream target definition — confirm the matcher treats the `*`
/// as a wildcard rather than a literal.
pub(crate) static KAPE_FILE_APT_LOG_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_apt_log_3",
name: "Ubuntu WSL Apt Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\rootfs\\var\\log\\apt\\\"*.log\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL Apt Logs — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `Ubuntu` target: the distribution's `ext4.vhdx` virtual disk under
/// `LocalState`.
/// On WSL2 the entire Linux root filesystem lives inside this image, so the
/// sibling `rootfs\...` entries only match WSL1-style installs; for WSL2 the same
/// files must be extracted from this disk. It can be several GB and is in use
/// while the distribution runs. NOTE(review): confirm the consumer does not
/// expect `Decoder::Identity` to make the contents searchable.
pub(crate) static KAPE_FILE_LOCALSTATE_EXT4_VHDX_4: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_ext4_vhdx_4",
name: "Ubuntu WSL ext4.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu*\\LocalState\\\"ext4.vhdx\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Ubuntu WSL ext4.vhdx — collected by KAPE Ubuntu target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Ubuntu.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/os-release` (distribution
/// and version identification) from the `46932SUSE.openSUSE*Leap*` package's
/// `LocalState\rootfs` tree.
/// NOTE(review): the quotes around `"os-release"` appear to be carried over from
/// the upstream target definition — confirm the path matcher handles them. WSL
/// only exists on Windows 10 and later; `Win7Plus` looks like a generator default.
pub(crate) static KAPE_FILE_ETC_OS_RELEASE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_os_release_5",
name: "openSUSE WSL /etc/os-release",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"os-release\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/os-release — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/fstab` (mount
/// configuration) from the package's `LocalState\rootfs` tree.
/// Shows which host drives and network paths the Linux side mounts automatically.
pub(crate) static KAPE_FILE_ETC_FSTAB_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_fstab_5",
name: "openSUSE WSL /etc/fstab",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"fstab\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/fstab — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/passwd` (local account
/// list) from the package's `LocalState\rootfs` tree.
/// Useful for enumerating accounts that exist only inside the Linux environment.
pub(crate) static KAPE_FILE_ETC_PASSWD_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_passwd_5",
name: "openSUSE WSL /etc/passwd",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"passwd\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/passwd — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/group` (local group
/// membership) from the package's `LocalState\rootfs` tree.
/// Pairs with the `/etc/passwd` entry when checking for privileged group members.
pub(crate) static KAPE_FILE_ETC_GROUP_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_group_5",
name: "openSUSE WSL /etc/group",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"group\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/group — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/shadow` from the package's
/// `LocalState\rootfs` tree.
/// This file holds local account password hashes: the collected copy is credential
/// material and should be stored and shared under the same controls as a captured
/// SAM hive, regardless of the `Low` triage priority assigned here.
/// NOTE(review): `evidence_caveats` is empty; a sensitivity caveat would be
/// appropriate if the descriptor type supports one.
pub(crate) static KAPE_FILE_ETC_SHADOW_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_shadow_5",
name: "openSUSE WSL /etc/shadow",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"shadow\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/shadow — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/timezone` from the
/// package's `LocalState\rootfs` tree.
/// Needed to normalise timestamps in the distribution's own logs and shell history
/// against the Windows host's clock.
pub(crate) static KAPE_FILE_ETC_TIMEZONE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_timezone_5",
name: "openSUSE WSL /etc/timezone",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"timezone\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/timezone — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/hostname` from the
/// package's `LocalState\rootfs` tree.
/// The name the Linux side reports, which can differ from the Windows host name.
pub(crate) static KAPE_FILE_ETC_HOSTNAME_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hostname_5",
name: "openSUSE WSL /etc/hostname",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"hostname\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/hostname — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's `/etc/hosts` (static name
/// resolution) from the package's `LocalState\rootfs` tree.
/// Unexpected static mappings here affect name resolution inside the Linux
/// environment independently of the Windows `hosts` file.
pub(crate) static KAPE_FILE_ETC_HOSTS_6: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_hosts_6",
name: "openSUSE WSL /etc/hosts",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"hosts\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/hosts — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's system-wide `/etc/bash.bashrc`
/// from the package's `LocalState\rootfs` tree.
/// Executed for interactive bash shells of every user, so it is a place to check
/// for injected aliases or commands during persistence review.
pub(crate) static KAPE_FILE_ETC_BASH_BASHRC_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_bash_bashrc_5",
name: "openSUSE WSL /etc/bash.bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"bash.bashrc\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/bash.bashrc — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// KAPE `openSUSE` target: the WSL distribution's system-wide `/etc/profile`
/// (login-shell initialisation) from the package's `LocalState\rootfs` tree.
/// Reviewed alongside `/etc/bash.bashrc` for modifications that apply to all users.
pub(crate) static KAPE_FILE_ETC_PROFILE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_etc_profile_5",
name: "openSUSE WSL /etc/profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\etc\\\"profile\""),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL /etc/profile — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
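/// openSUSE WSL `.bash_history` at the top of the distro's `rootfs` (KAPE `openSUSE` target).
///
/// The generated path carried the YAML quoting of the target's `FileMask` literally
/// (`rootfs\".bash_history"`); a Windows path cannot contain `"`, so the pattern could
/// never match. The quotes are stripped here; the ingest generator should strip FileMask
/// quoting as well, otherwise regeneration reintroduces the defect.
///
/// Priority is Medium rather than Low like its siblings: shell history records commands
/// run inside the WSL distro, which is why this entry is the one worth triaging first.
pub(crate) static KAPE_FILE_ROOTFS_BASH_HISTORY_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bash_history_5",
name: "openSUSE WSL .bash_history",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `%user%` and the `*` wildcards are KAPE path placeholders, not literal characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\.bash_history"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL .bash_history — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};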
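/// openSUSE WSL `.bashrc` at the top of the distro's `rootfs` (KAPE `openSUSE` target).
///
/// The generated path carried the YAML quoting of the target's `FileMask` literally
/// (`rootfs\".bashrc"`); a Windows path cannot contain `"`, so the pattern could never
/// match. The quotes are stripped here; the ingest generator should strip FileMask
/// quoting as well, otherwise regeneration reintroduces the defect.
pub(crate) static KAPE_FILE_ROOTFS_BASHRC_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_bashrc_5",
name: "openSUSE WSL .bashrc",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `%user%` and the `*` wildcards are KAPE path placeholders, not literal characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\.bashrc"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL .bashrc — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};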
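/// openSUSE WSL `.profile` at the top of the distro's `rootfs` (KAPE `openSUSE` target).
///
/// The generated path carried the YAML quoting of the target's `FileMask` literally
/// (`rootfs\".profile"`); a Windows path cannot contain `"`, so the pattern could never
/// match. The quotes are stripped here; the ingest generator should strip FileMask
/// quoting as well, otherwise regeneration reintroduces the defect.
pub(crate) static KAPE_FILE_ROOTFS_PROFILE_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_rootfs_profile_5",
name: "openSUSE WSL .profile",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `%user%` and the `*` wildcards are KAPE path placeholders, not literal characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\rootfs\\.profile"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL .profile — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};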
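/// openSUSE WSL `ext4.vhdx` — the virtual disk holding the distro's filesystem
/// (KAPE `openSUSE` target).
///
/// The generated path carried the YAML quoting of the target's `FileMask` literally
/// (`LocalState\"ext4.vhdx"`); a Windows path cannot contain `"`, so the pattern could
/// never match. The quotes are stripped here; the ingest generator should strip FileMask
/// quoting as well, otherwise regeneration reintroduces the defect.
pub(crate) static KAPE_FILE_LOCALSTATE_EXT4_VHDX_5: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_localstate_ext4_vhdx_5",
name: "openSUSE WSL ext4.vhdx",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// `%user%` and the `*` wildcards are KAPE path placeholders, not literal characters.
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Packages\\46932SUSE.openSUSE*Leap*\\LocalState\\ext4.vhdx"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "openSUSE WSL ext4.vhdx — collected by KAPE openSUSE target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/openSUSE.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};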
/// Windows 365 diagnostic output directory under every user's `Temp` (KAPE `WindowsApp` target).
///
/// `C:\Users\*` is a KAPE wildcard over profile directories; note this target uses `*`
/// where most neighbouring entries use the `%user%` placeholder.
pub(crate) static KAPE_FILE_DIAGOUTPUTDIR_WINDOWS365: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_diagoutputdir_windows365",
name: "WindowsApp",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\Temp\\DiagOutputDir\\Windows365\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsApp — collected by KAPE WindowsApp target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsApp.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Copilot Recall data folder (`CoreAIPlatform.00\UKP`) for every user profile
/// (KAPE `WindowsCopilotRecall` target).
///
/// Recall stores screen snapshots of user activity, so the collected output is highly
/// sensitive personal data; handle and retain it accordingly.
pub(crate) static KAPE_FILE_COREAIPLATFORM_00_UKP: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_coreaiplatform_00_ukp",
name: "Recall folder",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\*\\AppData\\Local\\CoreAIPlatform.00\\UKP\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Recall folder — collected by KAPE WindowsCopilotRecall target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsCopilotRecall.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Firewall log files `pfirewall.*` on the live system (KAPE `WindowsFirewall` target).
///
/// Logging is off by default, so absence of this file is not itself evidence; when
/// present it records allowed/dropped connections as configured in the firewall profile.
pub(crate) static KAPE_FILE_FIREWALL_PFIREWALL: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_firewall_pfirewall",
name: "Windows Firewall Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Firewall Logs — collected by KAPE WindowsFirewall target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsFirewall.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Windows Firewall log files preserved under `Windows.old` after an in-place OS upgrade
/// (KAPE `WindowsFirewall` target). Same content as the live-system entry, but from the
/// previous installation.
pub(crate) static KAPE_FILE_WINDOWS_FIREWALL_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_firewall_log",
name: "Windows Firewall Logs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows Firewall Logs — collected by KAPE WindowsFirewall target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsFirewall.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// CNG key store of the `LocalService` profile (KAPE `WindowsHello` target).
///
/// These files are DPAPI-protected private key material, not logs: the collection output
/// is credential-grade and must be stored and shared with the same care as the NGC and
/// masterkey entries from the same target.
pub(crate) static KAPE_FILE_CRYPTO_KEYS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_crypto_keys",
name: "Cryptokeys",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Cryptokeys — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// DPAPI masterkey files for the SYSTEM account (`S-1-5-18`) (KAPE `WindowsHello` target).
///
/// Masterkeys are what unlock other DPAPI-protected secrets on the host; treat the
/// collected output as credential material with restricted access.
pub(crate) static KAPE_FILE_S_1_5_18_USER: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_s_1_5_18_user",
name: "Masterkey",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Masterkey — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Next Generation Credentials (Windows Hello) container under the `LocalService`
/// profile (KAPE `WindowsHello` target). Credential material — restrict access to the
/// collected output.
pub(crate) static KAPE_FILE_MICROSOFT_NGC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_microsoft_ngc",
name: "NGC",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Ngc\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "NGC — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SECURITY.LOG*` registry transaction logs on the live system (KAPE `WindowsHello` target).
///
/// Transaction logs can hold key/value changes not yet flushed into the hive file;
/// collect them together with the hive so the hive can be replayed to a consistent state.
pub(crate) static KAPE_FILE_CONFIG_SECURITY_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_security_log_2",
name: "SECURITY registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SECURITY.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SECURITY.LOG*` registry transaction logs preserved under `Windows.old` after an
/// in-place OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_SECURITY_REGISTRY_TR_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_security_registry_tr_2",
name: "SECURITY registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SECURITY.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SOFTWARE.LOG*` registry transaction logs on the live system (KAPE `WindowsHello` target).
/// Collect alongside the `SOFTWARE` hive so unflushed changes can be replayed.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE_LOG_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_software_log_3",
name: "SOFTWARE registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SOFTWARE.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SOFTWARE.LOG*` registry transaction logs preserved under `Windows.old` after an
/// in-place OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_TR_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_software_registry_tr_3",
name: "SOFTWARE registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SOFTWARE.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SYSTEM.LOG*` registry transaction logs on the live system (KAPE `WindowsHello` target).
/// Collect alongside the `SYSTEM` hive so unflushed changes can be replayed.
pub(crate) static KAPE_FILE_CONFIG_SYSTEM_LOG_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_system_log_2",
name: "SYSTEM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SYSTEM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SYSTEM.LOG*` registry transaction logs preserved under `Windows.old` after an
/// in-place OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_SYSTEM_REGISTRY_TRAN_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_registry_tran_2",
name: "SYSTEM registry transaction files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SYSTEM.LOG*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry transaction files — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `SECURITY` registry hive (KAPE `WindowsHello` target).
///
/// Holds LSA policy and secrets; the collected hive is credential-grade and should be
/// handled with restricted access. Pair with its `SECURITY.LOG*` transaction logs.
pub(crate) static KAPE_FILE_CONFIG_SECURITY_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_security_2",
name: "SECURITY registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SECURITY` registry hive preserved under `Windows.old` after an in-place OS upgrade
/// (KAPE `WindowsHello` target). Same sensitivity as the live hive.
pub(crate) static KAPE_FILE_SECURITY_REGISTRY_HI_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_security_registry_hi_2",
name: "SECURITY registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `SOFTWARE` registry hive (KAPE `WindowsHello` target). Pair with its
/// `SOFTWARE.LOG*` transaction logs for a consistent view.
pub(crate) static KAPE_FILE_CONFIG_SOFTWARE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_software_3",
name: "SOFTWARE registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SOFTWARE` registry hive preserved under `Windows.old` after an in-place OS upgrade
/// (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_SOFTWARE_REGISTRY_HI_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_software_registry_hi_3",
name: "SOFTWARE registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Live `SYSTEM` registry hive (KAPE `WindowsHello` target). Pair with its `SYSTEM.LOG*`
/// transaction logs for a consistent view.
pub(crate) static KAPE_FILE_CONFIG_SYSTEM_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_config_system_2",
name: "SYSTEM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `SYSTEM` registry hive preserved under `Windows.old` after an in-place OS upgrade
/// (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_SYSTEM_REGISTRY_HIVE_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_system_registry_hive_2",
name: "SYSTEM registry hive",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SECURITY` hive (KAPE `WindowsHello` target).
///
/// RegBack is an older snapshot of the hive and is frequently empty (zero bytes) on
/// current Windows builds; useful for spotting changes against the live hive when present.
pub(crate) static KAPE_FILE_REGBACK_SECURITY_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_security_3",
name: "SECURITY registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SECURITY` hive preserved under `Windows.old` after an in-place
/// OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_REGBACK_SECURITY_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_security_2_2",
name: "SECURITY registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SECURITY"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SECURITY registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SOFTWARE` hive (KAPE `WindowsHello` target). Often zero bytes on
/// current Windows builds; when populated it is an older snapshot to diff against the live hive.
pub(crate) static KAPE_FILE_REGBACK_SOFTWARE_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_software_3",
name: "SOFTWARE registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SOFTWARE` hive preserved under `Windows.old` after an in-place
/// OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_REGBACK_SOFTWARE_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_software_2_2",
name: "SOFTWARE registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SOFTWARE"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SOFTWARE registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SYSTEM` hive (KAPE `WindowsHello` target). Often zero bytes on
/// current Windows builds; when populated it is an older snapshot to diff against the live hive.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system_3",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack` copy of the `SYSTEM` hive preserved under `Windows.old` after an in-place
/// OS upgrade (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_REGBACK_SYSTEM_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system_2_2",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SYSTEM"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack\SYSTEM1` — an additional SYSTEM hive copy listed by the upstream target
/// (KAPE `WindowsHello` target). The entry shares the `name` of the `RegBack\SYSTEM`
/// descriptor; only the file name differs.
pub(crate) static KAPE_FILE_REGBACK_SYSTEM1_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system1_3",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\System32\\config\\RegBack\\SYSTEM1"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `RegBack\SYSTEM1` hive copy preserved under `Windows.old` after an in-place OS upgrade
/// (KAPE `WindowsHello` target).
pub(crate) static KAPE_FILE_REGBACK_SYSTEM1_2_2: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_regback_system1_2_2",
name: "SYSTEM registry hive (RegBack)",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows.old\\Windows\\System32\\config\\RegBack\\SYSTEM1"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SYSTEM registry hive (RegBack) — collected by KAPE WindowsHello target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsHello.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// System-wide Windows Search index data directory (KAPE `WindowsIndexSearch` target).
///
/// The path is lower-cased as it came from the upstream target; NTFS lookups are
/// case-insensitive, so this matches the usual `C:\ProgramData\Microsoft\Search\...`.
pub(crate) static KAPE_FILE_APPLICATIONS_WINDOWS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applications_windows",
name: "WindowsIndexSearch",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\programdata\\microsoft\\search\\data\\applications\\windows\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsIndexSearch — collected by KAPE WindowsIndexSearch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsIndexSearch.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Windows Search index data (KAPE `WindowsIndexSearch` target).
///
/// `S-1*` is a KAPE wildcard over the per-user SID-named application directory.
pub(crate) static KAPE_FILE_APPLICATIONS_S_1: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_applications_s_1",
name: "WindowsIndexSearch - User",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Search\\Data\\Applications\\S-1*\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "WindowsIndexSearch - User — collected by KAPE WindowsIndexSearch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsIndexSearch.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Windows Search `GatherLogs` directory (KAPE `WindowsIndexSearch` target).
///
/// This directory sits inside the per-user index path collected by the
/// `WindowsIndexSearch - User` descriptor, so the two entries overlap.
pub(crate) static KAPE_FILE_S_1_GATHERLOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_s_1_gatherlogs",
name: "GatherLogs - User",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Roaming\\Microsoft\\Search\\Data\\Applications\\S-1*\\GatherLogs\\"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "GatherLogs - User — collected by KAPE WindowsIndexSearch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsIndexSearch.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// System-wide Windows Search `GatherLogs` directory (KAPE `WindowsIndexSearch` target).
///
/// Sits inside the directory collected by the `WindowsIndexSearch` descriptor, so the
/// two entries overlap.
pub(crate) static KAPE_FILE_WINDOWS_GATHERLOGS: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_gatherlogs",
name: "GatherLogs",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"C:\\programdata\\microsoft\\search\\data\\applications\\windows\\GatherLogs\\",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "GatherLogs — collected by KAPE WindowsIndexSearch target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsIndexSearch.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// `drivers\etc` directory — `hosts`, `networks`, `protocol`, `services` and friends
/// (KAPE `WindowsNetwork` target).
///
/// A modified `hosts` file is a common persistence/redirection indicator, so despite the
/// Low priority this is worth a quick look. Unlike most directory entries in this file the
/// path has no trailing separator; it is reproduced as the upstream target gives it.
pub(crate) static KAPE_FILE_DRIVERS_ETC: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_drivers_etc",
name: "Network setting files",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\windows\\system32\\drivers\\etc"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Network setting files — collected by KAPE WindowsNetwork target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &[
"https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsNetwork.tkape",
],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user Windows notification database `wpndatabase.db*` (KAPE `WindowsNotificationsDB`
/// target). The `*` suffix also picks up the journal/WAL side files, which is required for
/// a consistent SQLite read.
pub(crate) static KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notifications_wpndatabase_db_3",
name: "Windows 10 Notification DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db*"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows 10 Notification DB — collected by KAPE WindowsNotificationsDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsNotificationsDB.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Per-user legacy notification store `appdb.dat` (KAPE `WindowsNotificationsDB` target);
/// the older-format companion of `wpndatabase.db`.
pub(crate) static KAPE_FILE_NOTIFICATIONS_APPDB_DAT_3: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_notifications_appdb_dat_3",
name: "Windows 10 Notification DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Users\\%user%\\AppData\\Local\\Microsoft\\Windows\\Notifications\\appdb.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Windows 10 Notification DB — collected by KAPE WindowsNotificationsDB target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsNotificationsDB.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
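/// Setup migration log `C:\Windows\Panther\MigLog.xml` (KAPE `WindowsOSUpgradeArtifacts` target).
///
/// The generated path was `C:\Windows\PantherMigLog.xml`: the target's `Path`
/// (`C:\Windows\Panther`, no trailing separator) and `FileMask` were concatenated with no
/// `\` between them, so the pattern could never match. The separator is restored here;
/// the same join defect affects the sibling `Setupact.log` and `HumanReadable.xml`
/// entries and should be fixed in the ingest generator as well.
pub(crate) static KAPE_FILE_WINDOWS_PANTHERMIGLOG_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_panthermiglog_xml",
name: "MigLog.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Panther\\MigLog.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "MigLog.xml — collected by KAPE WindowsOSUpgradeArtifacts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsOSUpgradeArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};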
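/// Setup action log `C:\Windows\Panther\Setupact.log` (KAPE `WindowsOSUpgradeArtifacts` target).
///
/// The generated path was `C:\Windows\PantherSetupact.log`: the target's `Path`
/// (`C:\Windows\Panther`, no trailing separator) and `FileMask` were concatenated with no
/// `\` between them, so the pattern could never match. The separator is restored here;
/// the ingest generator should insert it as well or regeneration reintroduces the defect.
pub(crate) static KAPE_FILE_WINDOWS_PANTHERSETUPACT_LOG: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_panthersetupact_log",
name: "Setupact.log",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("C:\\Windows\\Panther\\Setupact.log"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Setupact.log — collected by KAPE WindowsOSUpgradeArtifacts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsOSUpgradeArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};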
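/// `*HumanReadable.xml` setup reports under `C:\Windows\Panther`
/// (KAPE `WindowsOSUpgradeArtifacts` target).
///
/// The generated path was `C:\Windows\Panther"*HumanReadable.xml"`, combining two ingest
/// defects: the target's `Path` and `FileMask` were joined with no `\` separator, and the
/// YAML quoting of the mask was kept literally. A Windows path cannot contain `"`, so the
/// pattern could never match. Both are corrected here; the ingest generator needs the
/// same two fixes or regeneration reintroduces them.
pub(crate) static KAPE_FILE_WINDOWS_PANTHER_HUMANREADABLE_XML: ArtifactDescriptor = ArtifactDescriptor {
id: "kape_file_windows_panther_humanreadable_xml",
name: "HumanReadable.xml",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
// Leading `*` is the KAPE file-mask wildcard.
file_path: Some("C:\\Windows\\Panther\\*HumanReadable.xml"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "HumanReadable.xml — collected by KAPE WindowsOSUpgradeArtifacts target",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsOSUpgradeArtifacts.tkape"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};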
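/// `FolderMoveLog.txt` from the upgrade rollback directory, as collected by the
/// KAPE `WindowsOSUpgradeArtifacts` target.
///
/// Fix: the generated `file_path` was `C:\Windows\Panther\RollbackFolderMoveLog.txt`.
/// The `name` field says the file is `FolderMoveLog.txt`, so `Rollback` is the
/// directory and the separator between them was dropped by the ingest's path
/// join (the same defect is visible on every other entry of this target).
/// Fix the join in the ingest as well, or regeneration reintroduces this.
pub(crate) static KAPE_FILE_PANTHER_ROLLBACKFOLDERMOVELOG_TXT: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_panther_rollbackfoldermovelog_txt",
    name: "FolderMoveLog.txt",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Corrected: separator restored between the `Rollback` directory and the file.
    file_path: Some("C:\\Windows\\Panther\\Rollback\\FolderMoveLog.txt"),
    // Same scope/OS/decoder values as every file entry in this file — ingest
    // defaults, not a per-artifact assessment.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "FolderMoveLog.txt — collected by KAPE WindowsOSUpgradeArtifacts target",
    // Enrichment fields the ingest does not populate for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsOSUpgradeArtifacts.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};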
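/// The Update Session Orchestrator `store.db`, as collected by the KAPE
/// `WindowsOSUpgradeArtifacts` target.
///
/// Fix: the generated `file_path` was `C:\ProgramData\USOPrivate\UpdateStorestore.db`,
/// the directory `UpdateStore` and the file `store.db` concatenated without a
/// separator — the same ingest path-join defect visible on the `Panther`
/// entries of this target. The split point follows the identifier
/// (`UPDATESTORE` + `STORE_DB`) and the `name` field `Update Store.db`;
/// confirm against the target file. The `_2` suffix on the identifier implies
/// an earlier entry for the same path exists in this file — presumably from
/// another target — and it likely carries the same broken path; check it too.
pub(crate) static KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB_2: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_usoprivate_updatestorestore_db_2",
    name: "Update Store.db",
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    // Corrected: separator restored between the `UpdateStore` directory and `store.db`.
    file_path: Some("C:\\ProgramData\\USOPrivate\\UpdateStore\\store.db"),
    // Same scope/OS/decoder values as every file entry in this file — ingest
    // defaults, not a per-artifact assessment.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Update Store.db — collected by KAPE WindowsOSUpgradeArtifacts target",
    // Enrichment fields the ingest does not populate for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    retention: None,
    triage_priority: TriagePriority::Low,
    related_artifacts: &[],
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsOSUpgradeArtifacts.tkape"],
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};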
/// The `Power Efficiency Diagnostics` directory under `ProgramData`, as
/// collected by the KAPE `WindowsPowerDiagnostics` target.
///
/// `file_path` names a directory with no trailing separator or mask; the
/// consumer presumably collects its contents. The scope/OS/decoder/priority
/// values are the same defaults every file entry in this file carries, so they
/// should not be read as a per-artifact assessment.
pub(crate) static KAPE_FILE_WINDOWS_POWER_EFFICIENCY_DIAGNOSTICS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_windows_power_efficiency_diagnostics",
    name: "Windows Power Diagnostics",
    // Directory to collect (file-system artifact: no hive or registry key).
    file_path: Some("C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "Windows Power Diagnostics — collected by KAPE WindowsPowerDiagnostics target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsPowerDiagnostics.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `netlogon.*` files under `System32\config`, as collected by the KAPE
/// `WindowsServerDNSAndDHCP` target.
///
/// The mask is carried inside single quotes (`'netlogon.*'`), the same
/// convention as every wildcard entry in this file; whatever resolves
/// `file_path` must strip the quotes before globbing or nothing matches.
/// NOTE(review): the target name suggests this only exists on servers holding
/// the DNS/DC role, yet `os_scope` is the ingest-wide `Win7Plus` default —
/// confirm before using the scope for filtering.
pub(crate) static KAPE_FILE_CONFIG_NETLOGON: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_config_netlogon",
    name: "DNS Netlogon files",
    // Directory plus single-quoted file mask (file-system artifact).
    file_path: Some("C:\\Windows\\System32\\config\\'netlogon.*'"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "DNS Netlogon files — collected by KAPE WindowsServerDNSAndDHCP target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsServerDNSAndDHCP.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `System32\dns` directory, as collected by the KAPE
/// `WindowsServerDNSAndDHCP` target.
///
/// `file_path` is a directory with a trailing separator; the consumer
/// presumably collects everything beneath it.
/// NOTE(review): this directory is only populated on hosts running the DNS
/// Server role, and on such hosts its contents (zone data, server logs)
/// are usually far from `Low` priority in an intrusion — confirm and
/// re-rate rather than relying on the ingest default.
pub(crate) static KAPE_FILE_SYSTEM32_DNS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system32_dns",
    name: "DNS files",
    // Directory to collect (file-system artifact).
    file_path: Some("C:\\Windows\\System32\\dns\\"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "DNS files — collected by KAPE WindowsServerDNSAndDHCP target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsServerDNSAndDHCP.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `System32\dhcp` directory, as collected by the KAPE
/// `WindowsServerDNSAndDHCP` target.
///
/// Unlike the sibling `dns` entry, `file_path` has no trailing separator; both
/// forms appear in this file for directories, so the consumer should treat
/// them the same. NOTE(review): populated only where the DHCP Server role is
/// installed; its lease/audit data can attribute an IP to a host during an
/// incident, so `Low` (the ingest default) may understate it — confirm.
pub(crate) static KAPE_FILE_SYSTEM32_DHCP: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system32_dhcp",
    name: "DHCP files",
    // Directory to collect (file-system artifact).
    file_path: Some("C:\\Windows\\System32\\dhcp"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "DHCP files — collected by KAPE WindowsServerDNSAndDHCP target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsServerDNSAndDHCP.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Legacy `events*.rbs` telemetry files under `ProgramData\Microsoft\Diagnosis`,
/// as collected by the KAPE `WindowsTelemetryDiagnosticsLegacy` target.
///
/// The mask is carried in single quotes (`'events*.rbs'`), as for every
/// wildcard entry in this file; strip them before globbing. A companion entry
/// covers the same files under `C:\Windows.old`.
pub(crate) static KAPE_FILE_DIAGNOSIS_EVENTS_RBS: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_diagnosis_events_rbs",
    name: "Legacy .rbs files relating to Windows Telemetry and Diagnostics",
    // Directory plus single-quoted mask (file-system artifact).
    file_path: Some("C:\\ProgramData\\Microsoft\\Diagnosis\\'events*.rbs'"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "Legacy .rbs files relating to Windows Telemetry and Diagnostics — collected by KAPE WindowsTelemetryDiagnosticsLegacy target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsTelemetryDiagnosticsLegacy.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Legacy `events*.rbs` telemetry files preserved under `C:\Windows.old` after
/// an in-place upgrade, as collected by the KAPE
/// `WindowsTelemetryDiagnosticsLegacy` target.
///
/// Same mask convention as the live-system companion entry: single quotes
/// around the glob, to be stripped by the consumer. The `Windows.old` copy is
/// worth its own entry because it survives the upgrade that may have reset
/// the live telemetry store — presumably why the target lists both.
pub(crate) static KAPE_FILE_LEGACY_RBS_FILES_REL: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_legacy_rbs_files_rel",
    name: "Legacy .rbs files relating to Windows Telemetry and Diagnostics",
    // Directory plus single-quoted mask, rooted in the pre-upgrade tree.
    file_path: Some("C:\\Windows.old\\ProgramData\\Microsoft\\Diagnosis\\'events*.rbs'"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "Legacy .rbs files relating to Windows Telemetry and Diagnostics — collected by KAPE WindowsTelemetryDiagnosticsLegacy target",
    sources: &["https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsTelemetryDiagnosticsLegacy.tkape"],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// Per-user `ActivitiesCache.db` (Windows Timeline), as collected by the KAPE
/// `WindowsTimeline` target.
///
/// `file_path` contains the `%user%` placeholder to be expanded per profile,
/// and ends in `ActivitiesCache.db*` — the trailing `*` also picks up sidecar
/// files (presumably the SQLite `-wal`/`-shm` journals), which matters
/// because rows not yet checkpointed live only in the WAL; collect them
/// together or the copy is incomplete. NOTE(review): this database records
/// per-user application activity and is commonly used as execution evidence;
/// `Low` is the ingest default, not an assessment — consider re-rating.
pub(crate) static KAPE_FILE_CONNECTEDDEVICESPLATFORM_ACTIVITIESCACHE_DB: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_connecteddevicesplatform_activitiescache_db",
        name: "ActivitiesCache.db",
        // Per-user path; `%user%` is a placeholder, `*` catches sidecars.
        file_path: Some(
            "C:\\Users\\%user%\\AppData\\Local\\ConnectedDevicesPlatform\\ActivitiesCache.db*",
        ),
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        meaning: "ActivitiesCache.db — collected by KAPE WindowsTimeline target",
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsTimeline.tkape",
        ],
        // Ingest-wide defaults.
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        // Enrichment not populated by the ingest for KAPE targets.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Update Session Orchestrator `*.etl` traces under `USOShared\Logs\System`,
/// as collected by the KAPE `WindowsUpdate` target.
///
/// The mask is single-quoted (`'*.etl'`) like every wildcard entry in this
/// file; strip the quotes before globbing. `decoder` is `Identity`, so the
/// raw ETL is stored as-is — it is not parsed by this descriptor.
pub(crate) static KAPE_FILE_SYSTEM_ETL: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_system_etl",
    name: "Windows Update Session Orchestrator logs",
    // Directory plus single-quoted mask (file-system artifact).
    file_path: Some("C:\\ProgramData\\USOShared\\Logs\\System\\'*.etl'"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "Windows Update Session Orchestrator logs — collected by KAPE WindowsUpdate target",
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsUpdate.tkape",
    ],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// `WindowsUpdate*.etl` traces under `Windows\Logs\WindowsUpdate`, as
/// collected by the KAPE `WindowsUpdate` target.
///
/// Single-quoted mask, as throughout this file — strip before globbing.
/// `decoder` is `Identity`: the ETL is collected raw, not decoded here.
pub(crate) static KAPE_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_windowsupdate_windowsupdate_etl",
        name: "Windows Update logs",
        // Directory plus single-quoted mask (file-system artifact).
        file_path: Some("C:\\Windows\\Logs\\WindowsUpdate\\'WindowsUpdate*.etl'"),
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        meaning: "Windows Update logs — collected by KAPE WindowsUpdate target",
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsUpdate.tkape",
        ],
        // Ingest-wide defaults.
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Low,
        // Enrichment not populated by the ingest for KAPE targets.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// Component-Based Servicing `CBS*.log` files under `Windows\Logs\CBS`, as
/// collected by the KAPE `WindowsUpdate` target.
///
/// Single-quoted mask (`'CBS*.log'`), the convention used for every wildcard
/// entry in this file; whatever resolves `file_path` must strip the quotes
/// or the glob never matches.
pub(crate) static KAPE_FILE_CBS_CBS_LOG: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_cbs_cbs_log",
    name: "Windows Component-Based Servicing logs",
    // Directory plus single-quoted mask (file-system artifact).
    file_path: Some("C:\\Windows\\Logs\\CBS\\'CBS*.log'"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "Windows Component-Based Servicing logs — collected by KAPE WindowsUpdate target",
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsUpdate.tkape",
    ],
    // Ingest-wide defaults.
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
/// The `SoftwareDistribution\DataStore` directory (Windows Update history),
/// as collected by the KAPE `WindowsUpdate` target.
///
/// This is the only entry of the `WindowsUpdate` target in this file rated
/// `Medium` rather than the `Low` default, so the rating here is deliberate.
/// `file_path` is a directory; the consumer presumably collects its contents.
/// NOTE(review): update history is what tells you whether a host was patched
/// against a given CVE at the time of compromise — keep the elevated rating.
pub(crate) static KAPE_FILE_SOFTWAREDISTRIBUTION_DATASTORE: ArtifactDescriptor =
    ArtifactDescriptor {
        id: "kape_file_softwaredistribution_datastore",
        name: "Windows Update History",
        // Directory to collect (file-system artifact).
        file_path: Some("C:\\Windows\\SoftwareDistribution\\DataStore"),
        artifact_type: ArtifactType::File,
        hive: None,
        key_path: "",
        value_name: None,
        meaning: "Windows Update History — collected by KAPE WindowsUpdate target",
        sources: &[
            "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/WindowsUpdate.tkape",
        ],
        // Ingest-wide defaults for scope/OS/decoder; priority is set explicitly.
        scope: DataScope::Mixed,
        os_scope: OsScope::Win7Plus,
        decoder: Decoder::Identity,
        triage_priority: TriagePriority::Medium,
        // Enrichment not populated by the ingest for KAPE targets.
        mitre_techniques: &[],
        fields: &[],
        related_artifacts: &[],
        retention: None,
        evidence_strength: None,
        evidence_caveats: &[],
        volatility: None,
        volatility_rationale: "",
    };
/// The `System Volume Information` directory on the system drive, as
/// collected by the KAPE `XPRestorePoints` target.
///
/// NOTE(review): `os_scope` is the ingest-wide `Win7Plus` default, which
/// contradicts the target name — XP-style restore points do not exist on
/// Windows 7 and later, where this directory holds other data (e.g. shadow
/// copies). The correct `OsScope` variant is not visible from this file, so
/// the value is left as generated; fix it in the ingest's scope mapping.
/// The directory is normally ACL'd to SYSTEM only, so collection needs an
/// elevated collector — presumably why the target exists at all.
pub(crate) static KAPE_FILE_C_SYSTEM_VOLUME_INFORMATION: ArtifactDescriptor = ArtifactDescriptor {
    id: "kape_file_c_system_volume_information",
    name: "System Volume Information",
    // Directory to collect, with trailing separator (file-system artifact).
    file_path: Some("C:\\System Volume Information\\"),
    artifact_type: ArtifactType::File,
    hive: None,
    key_path: "",
    value_name: None,
    meaning: "System Volume Information — collected by KAPE XPRestorePoints target",
    sources: &[
        "https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/XPRestorePoints.tkape",
    ],
    // Ingest-wide defaults (see the os_scope caveat above).
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    triage_priority: TriagePriority::Low,
    // Enrichment not populated by the ingest for KAPE targets.
    mitre_techniques: &[],
    fields: &[],
    related_artifacts: &[],
    retention: None,
    evidence_strength: None,
    evidence_caveats: &[],
    volatility: None,
    volatility_rationale: "",
};
// ── Generated entries (2422) ─────────────────────────────────────────────────
// NOTE(review): the aggregate slice below is commented out, so nothing in this
// file registers the descriptors above; confirm they are collected elsewhere
// before relying on them being reachable.
// pub(crate) static GENERATED_KAPE_ENTRIES: &[&ArtifactDescriptor] = &[
// &KAPE_FILE_KAPETRIAGE_TKAPE,
// &KAPE_FILE_USER_APPDATA,
// &KAPE_FILE_REGEX_3GP_AA_AAC_ACT_AIFF_ALAC_AMR_APE_AU_AWB_DSS,
// &KAPE_FILE_REGEX_XLS_XLSX_CSV_TSV_XLT_XLM_XLSM_XLTX_XLTM_XLSB,
// &KAPE_FILE_REGEX_PDF_XPS_OXPS,
// &KAPE_FILE_REGEX_AI_BMP_BPG_CDR_CPC_EPS_EXR_FLIF_GIF_HEIF_ILB,
// &KAPE_FILE_REGEX_DB_SQLITE,
// &KAPE_FILE_REGEX_3G2_3GP_AMV_ASF_AVI_DRC_FLV_F4V_F4P_F4A_F4B,
// &KAPE_FILE_C_ZIP,
// &KAPE_FILE_REGEX_DOC_DOCX_DOCM_DOTX_DOTM_DOCB_DOT_WBK_ODT_FOD,
// &KAPE_FILE_USER_DESKTOP,
// &KAPE_FILE_USER_DOCUMENTS,
// &KAPE_FILE_USER_DOWNLOADS,
// &KAPE_FILE_USER_DROPBOX,
// &KAPE_FILE_ANTIVIRUS_LOG,
// &KAPE_FILE_ANTIVIRUS_REPORT,
// &KAPE_FILE_AVG_AV_LOGS,
// &KAPE_FILE_AVG_REPORT_LOGS,
// &KAPE_FILE_ANTIVIRUS_LOGS,
// &KAPE_FILE_AVG_ANTIVIRUSFILEINFO2_DB,
// &KAPE_FILE_AVG_ANTIVIRUSLSDB2_JSON,
// &KAPE_FILE_AVAST_LOG,
// &KAPE_FILE_AVAST_AV_LOGS,
// &KAPE_FILE_AVAST_AV_USER_LOGS,
// &KAPE_FILE_CHEST_INDEX_XML,
// &KAPE_FILE_AVAST_LOGS,
// &KAPE_FILE_ICARUS_LOGS,
// &KAPE_FILE_ANTIVIRUS_LOGFILES,
// &KAPE_FILE_SECURITY_LOGS,
// &KAPE_FILE_AVIRA_VPN,
// &KAPE_FILE_ENDPOINT_SECURITY_LOGS,
// &KAPE_FILE_PROFILES_LOGS,
// &KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM,
// &KAPE_FILE_C_COMBOFIX_TXT,
// &KAPE_FILE_CROWDSTRIKE_QUARANTINE,
// &KAPE_FILE_CRS1_LOGS,
// &KAPE_FILE_APV2_LOGS,
// &KAPE_FILE_CRB1_LOGS,
// &KAPE_FILE_CYLANCE_DESKTOP,
// &KAPE_FILE_OPTICS_LOG,
// &KAPE_FILE_DESKTOP_LOG,
// &KAPE_FILE_ESET_NOD32_ANTIVIRUS_LOGS,
// &KAPE_FILE_ESET_NOD32_AV_LOGS,
// &KAPE_FILE_ESET_SECURITY_LOGS,
// &KAPE_FILE_ERAAGENTAPPLICATIONDATA_LOGS,
// &KAPE_FILE_ESET_SECURITY_QUARANTINE,
// &KAPE_FILE_SYSTEM_USER_QUARANTI,
// &KAPE_FILE_LOG_LOG,
// &KAPE_FILE_EQUARANTINE,
// &KAPE_FILE_ELASTIC_DEFEND_QUARA,
// &KAPE_FILE_REPORTS_SCAN_TXT,
// &KAPE_FILE_F_SECURE_LOG,
// &KAPE_FILE_F_SECURE_USER_LOGS,
// &KAPE_FILE_ANTIVIRUS_SCHEDULEDSCANREPORTS,
// &KAPE_FILE_HITMANPRO_LOGS,
// &KAPE_FILE_HITMANPRO_ALERT_LOGS,
// &KAPE_FILE_HITMANPRO_ALERT_EXCALIBUR_DB,
// &KAPE_FILE_HITMANPRO_QUARANTINE,
// &KAPE_FILE_LOGS_MBAM_LOG_XML,
// &KAPE_FILE_LOGS_MBAMSERVICE_LOG,
// &KAPE_FILE_MALWAREBYTES_ANTI_MALWARE_LOGS,
// &KAPE_FILE_MBAMSERVICE_SCANRESULTS,
// &KAPE_FILE_MCAFEE_DESKTOPPROTECTION,
// &KAPE_FILE_MCAFEE_DESKTOP_PROTE,
// &KAPE_FILE_ENDPOINT_SECURITY_LOGS_2,
// &KAPE_FILE_ENDPOINT_SECURITY_LOGS_OLD,
// &KAPE_FILE_MCAFEE_VIRUSSCAN,
// &KAPE_FILE_MSC_LOGS,
// &KAPE_FILE_AGENT_AGENTEVENTS,
// &KAPE_FILE_AGENT_LOGS,
// &KAPE_FILE_DATAREPUTATION_LOGS,
// &KAPE_FILE_VIRUSSCAN_LOGS,
// &KAPE_FILE_COMMON_FRAMEWORK_AGENTEVENTS,
// &KAPE_FILE_MCLOGS_SAE,
// &KAPE_FILE_DATREPUTATION_LOGS,
// &KAPE_FILE_MCAFEE_MANAGED_VIRUS,
// &KAPE_FILE_WCF_SERVICE_LOG,
// &KAPE_FILE_ENDPOINT_SECURITY_LOGS_3,
// &KAPE_FILE_APACHE2_LOGS,
// &KAPE_FILE_DB_EVENTS,
// &KAPE_FILE_EVENTS_DEBUG,
// &KAPE_FILE_SERVER_LOGS,
// &KAPE_FILE_DEBUG_MSERT_LOG,
// &KAPE_FILE_LOGS_ADLICEREPORT_JSON,
// &KAPE_FILE_SUPERANTISPYWARE_LOGS,
// &KAPE_FILE_SECUREAGE_LOG,
// &KAPE_FILE_SENTINEL_LOGS,
// &KAPE_FILE_SOPHOS_LOGS,
// &KAPE_FILE_LOGS,
// &KAPE_FILE_SOPHOS_LOGS_2,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE,
// &KAPE_FILE_LOGS_AV,
// &KAPE_FILE_DATA_LOGS,
// &KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_LOGS,
// &KAPE_FILE_LOGS_SYMANTEC_ENDPOINT_PROTECTION_CLIENT_EVTX,
// &KAPE_FILE_SYMANTEC_EVENT_LOG_W,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE_2,
// &KAPE_FILE_SYMANTEC_ENDPOINT_PROTECTION_QUARANTINE,
// &KAPE_FILE_DATA_QUARANTINE,
// &KAPE_FILE_CMNCLNT_CCSUBSDK,
// &KAPE_FILE_DATA_REGISTRATIONINFO_XML,
// &KAPE_FILE_TOTALAV_LOGS,
// &KAPE_FILE_TOTALAV_LOGS_2,
// &KAPE_FILE_PROGRAMDATA_TREND_MICRO,
// &KAPE_FILE_REPORT_LOG,
// &KAPE_FILE_CONNLOG_LOG,
// &KAPE_FILE_QUARANTINE,
// &KAPE_FILE_VIPRE_BUSINESS_AGENT_LOGS,
// &KAPE_FILE_ROAMING_VIPRE_BUSINESS,
// &KAPE_FILE_ANTIMALWARE_LOGS,
// &KAPE_FILE_VIPRE_BUSINESS_USER,
// &KAPE_FILE_WRDATA_WRLOG_LOG,
// &KAPE_FILE_DETECTIONHISTORY,
// &KAPE_FILE_MICROSOFT_ANTIMALWARE_SUPPORT,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_WINDOWS_DEFENDER_EVTX,
// &KAPE_FILE_WINDOWS_DEFENDER_EVE,
// &KAPE_FILE_WINDOWS_DEFENDER_SUPPORT,
// &KAPE_FILE_TEMP_MPCMDRUN_LOG,
// &KAPE_FILE_WINDOWS_DEFENDER_LOG,
// &KAPE_FILE_DETECTIONHISTORY_2,
// &KAPE_FILE_WINDOWS_DEFENDER_QUARANTINE,
// &KAPE_FILE_SERVICE_DETECTIONS_LOG,
// &KAPE_FILE_1PASSWORD_DATA_1PASSWORD10_SQLITE,
// &KAPE_FILE_1PASSWORD_BACKUPS_1PASSWORD10_SQLITE,
// &KAPE_FILE_1PASSWORD_LOGS_LOG,
// &KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE,
// &KAPE_FILE_4K_VIDEO_DOWNLOADER,
// &KAPE_FILE_USER_DOCUMENTS_ATC,
// &KAPE_FILE_LOGS_TI_DEMON,
// &KAPE_FILE_TRUEIMAGEHOME_DATABASEARCHIVES_DB,
// &KAPE_FILE_TRUEIMAGEHOME_SCRIPTS,
// &KAPE_FILE_ACTION1_LOGS_LOG,
// &KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_ALIASES_BIN,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_ALI,
// &KAPE_FILE_ADVANCED_IP_SCANNER,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_ALIASES_B_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_A,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER,
// &KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_COMMENTS_BIN,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_COM_2,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_COMMENTS_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_C,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_2,
// &KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_MAC_BIN,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_MAC_2,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_MAC_BIN_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_M,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_3,
// &KAPE_FILE_USERS_USER_ADVANCED_IP_SCANNER_FAVORITES_BIN,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV,
// &KAPE_FILE_TEMP_ADVANCED_IP_SCANNER_2_ADVANCED_IP_SCANNER_FAV_2,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_IP_SCANNER_FAVORITES_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_IP_SCANNER_F,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_IP_SCANNER_4,
// &KAPE_FILE_C_ADVANCED_IP_SCANNER_FAVORITES_BIN,
// &KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_ALIASES_BIN,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER,
// &KAPE_FILE_ADVANCED_PORT_SCANNE,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_ALIASES_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN,
// &KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_COMMENTS_BIN,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_2,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_3,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_COMMENT_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_2,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_2,
// &KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_MAC_BIN,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_4,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_5,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_MAC_BIN_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_3,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_3,
// &KAPE_FILE_USERS_USER_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_6,
// &KAPE_FILE_TEMP_ADVANCED_PORT_SCANNER_2_ADVANCED_PORT_SCANNER_7,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_ADVANCED_PORT_SCANNER_FAVORIT_2,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_ADVANCED_PORT_SCANNER_4,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_ADVANCED_PORT_SCANN_4,
// &KAPE_FILE_C_ADVANCED_PORT_SCANNER_FAVORITES_BIN,
// &KAPE_FILE_AGENTRANSACK_CONFIG,
// &KAPE_FILE_AGENTRANSACK_CRASHREPORTS,
// &KAPE_FILE_AGENTRANSACK_INDEXLOG,
// &KAPE_FILE_AGENTRANSACK_LOGS,
// &KAPE_FILE_PROGRAMDATA_AMMYY,
// &KAPE_FILE_ANYDESK_TRACE,
// &KAPE_FILE_ANYDESK_LOGS_PROGRAM,
// &KAPE_FILE_ANYDESK_CONF,
// &KAPE_FILE_ANYDESK_CONF_2,
// &KAPE_FILE_ANYDESK_ANYDESK,
// &KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT,
// &KAPE_FILE_ANYDESK_CONNECTION_TRACE_TXT_2,
// &KAPE_FILE_ROAMING_ANYDESK,
// &KAPE_FILE_ANYDESK_CHAT_TXT,
// &KAPE_FILE_ROAMING_ANYDESK_FILE_TRANSFER_TRACE_TXT,
// &KAPE_FILE_ANYDESK_FILE_TRANSFER_TRACE_TXT,
// &KAPE_FILE_LOG_LOG_2,
// &KAPE_FILE_ASPERA_SERVER_LOGS,
// &KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_INI,
// &KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_TXT,
// &KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_DB,
// &KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CONFIG,
// &KAPE_FILE_ATERA_NETWORKS_ATERAAGENT_CFG,
// &KAPE_FILE_BOX_BOX,
// &KAPE_FILE_LOCAL_BOX_SYNC,
// &KAPE_FILE_USER_BOX,
// &KAPE_FILE_USER_BOX_SYNC,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB,
// &KAPE_FILE_INDEXEDDB_HTTPS_CHATGPT_COM_0_INDEXEDDB_LEVELDB,
// &KAPE_FILE_CHATGPT_CACHE,
// &KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT,
// &KAPE_FILE_OPENAI_CHATGPT_DESKTOP_2P2NQSD0C76G0_SETTINGS_SETT,
// &KAPE_FILE_LOGS_LOG,
// &KAPE_FILE_HISTORY_DB,
// &KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4,
// &KAPE_FILE_CLIPBOARDMASTER_PICS,
// &KAPE_FILE_CLIPBOARDMASTER_CLIPBOARD_CLM4_BA,
// &KAPE_FILE_LOGS_LOG_2,
// &KAPE_FILE_CONFLUENCE_WIKI_LOG,
// &KAPE_FILE_DWAGENT_LOG,
// &KAPE_FILE_AWS_CREDENTIALS,
// &KAPE_FILE_AWS_CONFIG,
// &KAPE_FILE_KUBE_CONFIG,
// &KAPE_FILE_DOCKER_CONFIG_JSON,
// &KAPE_FILE_USER_GIT_CREDENTIALS,
// &KAPE_FILE_USER_GITCONFIG,
// &KAPE_FILE_SSH_CONFIG,
// &KAPE_FILE_SSH_KNOWN_HOSTS,
// &KAPE_FILE_USER_NPMRC,
// &KAPE_FILE_MRU_RENAME_FOLDERS_OSD,
// &KAPE_FILE_MRU_RENAME_FILES_OSD,
// &KAPE_FILE_MRU_FIND_CONTAINS_OSD,
// &KAPE_FILE_MRU_FIND_NAME_OSD,
// &KAPE_FILE_MRU_FIND_PATH_OSD,
// &KAPE_FILE_STATE_DATA_RECENT_OSD,
// &KAPE_FILE_STATE_DATA_BACKUPCONFIG_OSD,
// &KAPE_FILE_DIRECTORY_OPUS_THUMBNAIL_CACHE,
// &KAPE_FILE_DIRECTORY_OPUS_LOGS,
// &KAPE_FILE_DISCORD_CACHE,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_2,
// &KAPE_FILE_DOUBLECMD_HISTORY_XML,
// &KAPE_FILE_DOUBLECMD_DOUBLECMD_XML,
// &KAPE_FILE_DOUBLECMD_DOUBLECMD_LOG,
// &KAPE_FILE_DOUBLECMD_MULTIARC_INI,
// &KAPE_FILE_DOUBLECMD_SESSION_INI,
// &KAPE_FILE_DOUBLECMD_PIXMAPS_TXT,
// &KAPE_FILE_DOUBLECMD_SHORTCUTS_SCF,
// &KAPE_FILE_DROPBOX_INFO_JSON,
// &KAPE_FILE_DROPBOX_HOST_DB,
// &KAPE_FILE_DROPBOX_MACHINE_STORAGETRAY_THUMBNAILS_DB,
// &KAPE_FILE_DROPBOX_HOST_DBX,
// &KAPE_FILE_PROTECT,
// &KAPE_FILE_DROPBOX_INSTANCE,
// &KAPE_FILE_USER_DROPBOX_2,
// &KAPE_FILE_ROAMING_EFSOFTWARE,
// &KAPE_FILE_DATABASES_ACCOUNTS,
// &KAPE_FILE_DATABASES_EXB,
// &KAPE_FILE_DATABASES_EXB_SNIPPETS,
// &KAPE_FILE_EVERYTHING_EVERYTHING_DB,
// &KAPE_FILE_EVERYTHING_RUN_HISTORY_CSV,
// &KAPE_FILE_EVERYTHING_SEARCH_HISTORY_CSV,
// &KAPE_FILE_EVERYTHING_EVERYTHING_INI,
// &KAPE_FILE_FSIV_FSIV_DB,
// &KAPE_FILE_FENCES_BACKUPS,
// &KAPE_FILE_FILEZILLA_XML,
// &KAPE_FILE_FILEZILLA_SQLITE3,
// &KAPE_FILE_FILEZILLA_SERVER_XML,
// &KAPE_FILE_LOGS_LOG_3,
// &KAPE_FILE_LOGS_TRACE,
// &KAPE_FILE_FORTICLIENT_TRACE_LO,
// &KAPE_FILE_SETTINGS_FREECOMMANDER_INI,
// &KAPE_FILE_SETTINGS_FREECOMMANDER_FTP_INI,
// &KAPE_FILE_SETTINGS_FREECOMMANDER_HIST_INI,
// &KAPE_FILE_SETTINGS_FREECOMMANDER_FAV_XML,
// &KAPE_FILE_SETTINGS_BKP_SETTINGS,
// &KAPE_FILE_TEMP_FC_LOG,
// &KAPE_FILE_TEMP_FREECOMMANDER,
// &KAPE_FILE_FREE_DOWNLOAD_MANAGER_FDM_SQLITE,
// &KAPE_FILE_BACKUP_BACKUP_INFO,
// &KAPE_FILE_BACKUP_USERDATA_ZIP,
// &KAPE_FILE_FREEFILESYNC_LOGS,
// &KAPE_FILE_USER_GOOGLE_DRIVE,
// &KAPE_FILE_GOOGLE_DRIVE,
// &KAPE_FILE_GOOGLE_DRIVEFS,
// &KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_KML,
// &KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML,
// &KAPE_FILE_GOOGLE_EARTH_MY_PLAC,
// &KAPE_FILE_GOOGLE_GOOGLEEARTH_MYPLACES_BACKUP_KML_2,
// &KAPE_FILE_HEIDISQL_BACKUPS,
// &KAPE_FILE_HEIDISQL_TABS_INI,
// &KAPE_FILE_HEXCHAT_LOGS,
// &KAPE_FILE_ARCHIVE_CLEANUP,
// &KAPE_FILE_BACKUP,
// &KAPE_FILE_DELETE,
// &KAPE_FILE_RESTORE,
// &KAPE_FILE_LOGXML_XML,
// &KAPE_FILE_TRACEFILE_TXT,
// &KAPE_FILE_IBCOMMON_IDMAPPEDDRIVES_TXT,
// &KAPE_FILE_IBCOMMON_SCHEDULE_XML,
// &KAPE_FILE_IBCOMMON_SCH_TRACE_TXT,
// &KAPE_FILE_IBCOMMON_IDRIVE_INI,
// &KAPE_FILE_IBCOMMON_GET_ALLDRIVES_TXT,
// &KAPE_FILE_IBCOMMON_EXCLUDE,
// &KAPE_FILE_IBCOMMON_AUTOCOMP_INI,
// &KAPE_FILE_IBDS,
// &KAPE_FILE_ISLCLIENT_OUT,
// &KAPE_FILE_CONF,
// &KAPE_FILE_ISL_ALWAYSON_SESSION_XML,
// &KAPE_FILE_TRACE_OUT,
// &KAPE_FILE_ISL_ALWAYSON_OUT,
// &KAPE_FILE_ISL_LIGHT_LOGS_SESSI,
// &KAPE_FILE_STATUS_TRAY,
// &KAPE_FILE_ISL_ALWAYSON_STATICCONFIGURATION_INI,
// &KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS,
// &KAPE_FILE_ITARIAN,
// &KAPE_FILE_COMODO,
// &KAPE_FILE_ENDPOINT_MANAGER_RMMLOGS_2,
// &KAPE_FILE_ICECHAT_LOGS,
// &KAPE_FILE_LOG_FILES_IMGBURN_LOG,
// &KAPE_FILE_IRFANVIEW_I_VIEW32_INI,
// &KAPE_FILE_JDOWNLOADER_2_0_CFG_DOWNLOADLIST_ZIP,
// &KAPE_FILE_JDOWNLOADER_2_0_CFG_LINKCOLLECTOR_ZIP,
// &KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_GENER,
// &KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_GUI_VIEWS_LINK,
// &KAPE_FILE_JDOWNLOADER_2_0_CFG_ORG_JDOWNLOADER_SETTINGS_INTER,
// &KAPE_FILE_IDX,
// &KAPE_FILE_JAVA_WEBSTART_CACHE,
// &KAPE_FILE_IDX_2,
// &KAPE_FILE_IDX_3,
// &KAPE_FILE_IDX_4,
// &KAPE_FILE_IDX_5,
// &KAPE_FILE_IDX_6,
// &KAPE_FILE_IDX_7,
// &KAPE_FILE_IDX_8,
// &KAPE_FILE_IDX_9,
// &KAPE_FILE_IDX_10,
// &KAPE_FILE_KASEYA_LOG,
// &KAPE_FILE_LOG_KASEYALIVECONNECT,
// &KAPE_FILE_LOG_ENDPOINT,
// &KAPE_FILE_KASEYA_AGENT_ENDPOIN,
// &KAPE_FILE_AGENTMON_LOG,
// &KAPE_FILE_TEMP_KASETUP_LOG,
// &KAPE_FILE_KASEYA_SETUP_LOG,
// &KAPE_FILE_TEMP_KASETUP_LOG_2,
// &KAPE_FILE_LOG_KASEYAEDGESERVICES,
// &KAPE_FILE_KEEPASS_XML,
// &KAPE_FILE_KEEPASS_PASSWORD_SAFE_XML,
// &KAPE_FILE_KEEPASS_PASSWORD_SAFE_CONFIG,
// &KAPE_FILE_KEEPASSXC_INI,
// &KAPE_FILE_KEEPASS_ROAMING_INI,
// &KAPE_FILE_PROGRAM_FILES_LEVEL_LOG,
// &KAPE_FILE_LOGMEIN_LOGS,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE_3,
// &KAPE_FILE_TEMP_LOGMEINLOGS,
// &KAPE_FILE_MACRIUM_MACRIUM_SERVICE,
// &KAPE_FILE_MACRIUM_REFLECT,
// &KAPE_FILE_MACRIUM_REFLECT_LAUNCHER,
// &KAPE_FILE_MATTERMOST_INDEXEDDB,
// &KAPE_FILE_ROAMING_MEDIAMONKEY_MM_DB,
// &KAPE_FILE_ROAMING_MEDIAMONKEY_MEDIAMONKEY_INI,
// &KAPE_FILE_MEGA_LIMITED_MEGASYNC,
// &KAPE_FILE_MESH_AGENT_MSH,
// &KAPE_FILE_MESH_AGENT_LOG,
// &KAPE_FILE_AZCOPY_LOG,
// &KAPE_FILE_PLANS_STE,
// &KAPE_FILE_FULLTEXTSEARCHINDEX,
// &KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS,
// &KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX,
// &KAPE_FILE_16_0_NOTETAGS_LIVEID_DB,
// &KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB,
// &KAPE_FILE_STICKYNOTES_STICKYNOTES_SNT,
// &KAPE_FILE_LOCALSTATE_PLUM_SQLITE,
// &KAPE_FILE_INDEXEDDB_HTTPS_TEAMS_MICROSOFT_COM_0_INDEXEDDB_LE,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_3,
// &KAPE_FILE_TEAMS_CACHE,
// &KAPE_FILE_TEAMS_DESKTOP_CONFIG_JSON,
// &KAPE_FILE_MSTEAMS_LOGS,
// &KAPE_FILE_TODOSQLITE_DB,
// &KAPE_FILE_AVATARS_USERAVATAR_JPG,
// &KAPE_FILE_USER_MIDNIGHT_COMMANDER,
// &KAPE_FILE_ROAMING_MOBAXTERM,
// &KAPE_FILE_MSTY_DB,
// &KAPE_FILE_LOCAL_MULTICOMMANDER,
// &KAPE_FILE_MULTICOMMANDER_CONFIG,
// &KAPE_FILE_MULTICOMMANDER_LOGS,
// &KAPE_FILE_MULTICOMMANDER_USERDATA,
// &KAPE_FILE_MULTICOMMANDER_MULTICOMMANDER_LOG,
// &KAPE_FILE_NESSUS_CONF,
// &KAPE_FILE_NESSUS_LOGS,
// &KAPE_FILE_LOG_USER,
// &KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_DATA,
// &KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_CONFIG,
// &KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_TMP,
// &KAPE_FILE_NET_MONITOR_FOR_EMPLOYEES_PRO_LOG,
// &KAPE_FILE_NET_MONITOR_CLIENT_C,
// &KAPE_FILE_NOTEPAD_BACKUP,
// &KAPE_FILE_NOTEPAD_CONFIG_XML,
// &KAPE_FILE_NOTEPAD_SESSION_XML,
// &KAPE_FILE_ROAMING_NOTION_NOTION_DB,
// &KAPE_FILE_PARTITIONS_NOTION_CUSTOM_DICTIONARY_TXT,
// &KAPE_FILE_USER_ONECOMMANDER,
// &KAPE_FILE_ONEC,
// &KAPE_FILE_MICROSOFT_ONEDRIVE,
// &KAPE_FILE_USER_ONEDRIVE,
// &KAPE_FILE_SSH_CONFIG_2,
// &KAPE_FILE_SSH_KNOWN_HOSTS_2,
// &KAPE_FILE_SSH_PUB,
// &KAPE_FILE_SSH_ID_RSA,
// &KAPE_FILE_SSH_ID_ECDSA,
// &KAPE_FILE_SSH_ID_ECDSA_SK,
// &KAPE_FILE_SSH_ID_ED25519,
// &KAPE_FILE_SSH_ID_ED25519_SK,
// &KAPE_FILE_SSH_ID_DSA,
// &KAPE_FILE_SSH_SSHD_CONFIG,
// &KAPE_FILE_LOGS_2,
// &KAPE_FILE_SSH_SSH_HOST_ECDSA_KEY,
// &KAPE_FILE_SSH_SSH_HOST_ED25519_KEY,
// &KAPE_FILE_SSH_SSH_HOST_DSA_KEY,
// &KAPE_FILE_SSH_SSH_HOST_RSA_KEY,
// &KAPE_FILE_SSH_AUTHORIZED_KEYS,
// &KAPE_FILE_SSH_AUTHORIZED_KEYS2,
// &KAPE_FILE_SSH_ADMINISTRATORS_AUTHORIZED_KEYS,
// &KAPE_FILE_OPENVPN_CONFIG,
// &KAPE_FILE_OPENVPN_CLIENT_CONFI,
// &KAPE_FILE_LOG_LOG_3,
// &KAPE_FILE_OUTLOOK_PST,
// &KAPE_FILE_OUTLOOK_OST,
// &KAPE_FILE_OUTLOOK_FILES_PST,
// &KAPE_FILE_OUTLOOK_FILES_OST,
// &KAPE_FILE_PST,
// &KAPE_FILE_OST,
// &KAPE_FILE_OUTLOOK_NST,
// &KAPE_FILE_INETCACHE_CONTENT_OUTLOOK,
// &KAPE_FILE_PDQ_DEPLOY_DB,
// &KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_PANGP_LOG,
// &KAPE_FILE_PALO_ALTO_NETWORKS_GLOBALPROTECT_LOG,
// &KAPE_FILE_ROAMING_PEAZIP,
// &KAPE_FILE_PROTONVPN_LOGS,
// &KAPE_FILE_PROTON_VPN_LOGS,
// &KAPE_FILE_SERVICEDATA_LOGS,
// &KAPE_FILE_PROTON_VPN_STORAGE,
// &KAPE_FILE_PULSE_SECURE_LOGGING,
// &KAPE_FILE_PULSE_SECURE_LOGS_IN,
// &KAPE_FILE_PULSE_SECURE_SETUP_CLIENT_LOG,
// &KAPE_FILE_PULSE_SECURE_LOGGING_PULSECLIENT_LOG,
// &KAPE_FILE_Q_DIR_Q_DIR_INI,
// &KAPE_FILE_Q_DIR_START_QDR,
// &KAPE_FILE_QNAP_QFINDERPRO,
// &KAPE_FILE_LOG_PROXY_TXT,
// &KAPE_FILE_LOG_PROXY_LOG,
// &KAPE_FILE_LOG_SCHEDULER_TXT,
// &KAPE_FILE_LOG_SCHEDULER_LOG,
// &KAPE_FILE_C_RDG,
// &KAPE_FILE_C_RDG_OLD,
// &KAPE_FILE_REMOTE_DESKTOP_CONNECTION_MANAGER_SETTINGS,
// &KAPE_FILE_MY_CERTIFICATES,
// &KAPE_FILE_RSERVER30_RADM_LOG_HTM,
// &KAPE_FILE_RADMIN_SERVER_64BIT,
// &KAPE_FILE_HTM,
// &KAPE_FILE_HTM_2,
// &KAPE_FILE_RADMIN_VIEWER_CHATS,
// &KAPE_FILE_USERS_USER_RCLONE_CONF,
// &KAPE_FILE_CONFIG_SYSTEMPROFILE_RCLONE_CONF,
// &KAPE_FILE_RCLONE_CONFIG_SYSTEM,
// &KAPE_FILE_SERVICEPROFILES_LOCALSERVICE_RCLONE_CONF,
// &KAPE_FILE_SERVICEPROFILES_NETWORKSERVICE_RCLONE_CONF,
// &KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF,
// &KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_2,
// &KAPE_FILE_CONFIG_RCLONE_RCLONE_CONF_3,
// &KAPE_FILE_RCLONE_CONFIG_LOCALS,
// &KAPE_FILE_RCLONE_CONFIG_NETWOR,
// &KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF,
// &KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_2,
// &KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_3,
// &KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_4,
// &KAPE_FILE_LOCAL_RCLONE_RCLONE_CONF_5,
// &KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF,
// &KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_2,
// &KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_3,
// &KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_4,
// &KAPE_FILE_ROAMING_RCLONE_RCLONE_CONF_5,
// &KAPE_FILE_WINDOWS_SYSWOW64_RCLONE_CONF,
// &KAPE_FILE_WINDOWS_SYSTEM32_RCLONE_CONF,
// &KAPE_FILE_C_WINDOWS_RCLONE_CONF,
// &KAPE_FILE_C_RCLONE_CONF,
// &KAPE_FILE_RCLONE_CONFIG_FALLBA,
// &KAPE_FILE_ROAMING_REMCOS_LOGS_DAT,
// &KAPE_FILE_ROAMING_SCREENSHOTS_LOGS_DAT,
// &KAPE_FILE_ROAMING_NOTESS_LOGS_DAT,
// &KAPE_FILE_ROAMING_MICRECORDS_LOGS_DAT,
// &KAPE_FILE_ROAMING_HPSUPPORT_LOGS_DAT,
// &KAPE_FILE_PROGRAMDATA_REMCOS_LOGS_DAT,
// &KAPE_FILE_PROGRAMDATA_NOTESS_LOGS_DAT,
// &KAPE_FILE_PROGRAMDATA_SCREENSHOTS_LOGS_DAT,
// &KAPE_FILE_PROGRAMDATA_MICRECORDS_LOGS_DAT,
// &KAPE_FILE_PROGRAMDATA_HPSUPPORT_LOGS_DAT,
// &KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_DB,
// &KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_XML,
// &KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_CONNECTIONS_LOG,
// &KAPE_FILE_DEVOLUTIONS_REMOTEDESKTOPMANAGER_REMOTEDESKTOPMANA,
// &KAPE_FILE_MRU_XML,
// &KAPE_FILE_FAVORITES_XML,
// &KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_HOST_LOGS_RMS_LOG_HTML,
// &KAPE_FILE_REMOTE_MANIPULATOR_SYSTEM_LOGS_RMS_LOG_HTML,
// &KAPE_FILE_PROGRAMDATA_REMOTE_MANIPULATOR_SYSTEM_INSTALL_LOG,
// &KAPE_FILE_REMOTE_UTILITIES_HOST_LOGS_RUT_LOG_HTML,
// &KAPE_FILE_REMOTE_UTILITIES_LOGS_RUT_LOG_HTML,
// &KAPE_FILE_PROGRAMDATA_REMOTE_UTILITIES_INSTALL_LOG,
// &KAPE_FILE_SCRIPTS_S,
// &KAPE_FILE_DEBUG_LOG,
// &KAPE_FILE_LOGS_3,
// &KAPE_FILE_CONFIG_XML,
// &KAPE_FILE_SSH_KEYS,
// &KAPE_FILE_SSL_CERTIFICATES,
// &KAPE_FILE_PGP_KEYS,
// &KAPE_FILE_ROBO_FTP_SSH_KEYS,
// &KAPE_FILE_ROBO_FTP_SSL_CERTIFI,
// &KAPE_FILE_ROBO_FTP_PGP_KEYS,
// &KAPE_FILE_DEBUG,
// &KAPE_FILE_ROBO_FTP_SCRIPT_TRAC,
// &KAPE_FILE_PROGRAMDATA_CONFIG_XML,
// &KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE,
// &KAPE_FILE_ROAMING_RUSTDESK,
// &KAPE_FILE_LOG_SERVER,
// &KAPE_FILE_POWERSHELL_PSREADLINECONSOLEHOST_HISTORY_TXT,
// &KAPE_FILE_USERS_USER_BASH_HISTORY,
// &KAPE_FILE_USERS_USER_ZSH_HISTORY,
// &KAPE_FILE_USERS_USER_PS1,
// &KAPE_FILE_USERS_USER_BAT,
// &KAPE_FILE_USERS_USER_CMD,
// &KAPE_FILE_USERS_USER_SH,
// &KAPE_FILE_USER_SSHKNOWN_HOSTS,
// &KAPE_FILE_USER_SSHCONFIG,
// &KAPE_FILE_USER_SSH,
// &KAPE_FILE_APP_DATA_SESSION_DB,
// &KAPE_FILE_APP_DATA_USER_XML,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE_4,
// &KAPE_FILE_SCREENCONNECT_CLIENT_USER_CONFIG,
// &KAPE_FILE_ROAMING_SESSION,
// &KAPE_FILE_DOCUMENTS_SHAREX,
// &KAPE_FILE_PORTAL_SETTINGS,
// &KAPE_FILE_SIGNAL_ATTACHMENTS_NOINDEX,
// &KAPE_FILE_SIGNAL_LOGS,
// &KAPE_FILE_SIGNAL_CONFIG_JSON,
// &KAPE_FILE_SQL_DB_SQLITE,
// &KAPE_FILE_JWRAPPER_REMOTE_ACCESS_LOGS,
// &KAPE_FILE_SIMPLEHELP_LOGS,
// &KAPE_FILE_JWRAPPER_SIMPLEHELP_TECHNICIAN_LOGS,
// &KAPE_FILE_MAIN_DB,
// &KAPE_FILE_SKYPE_DB,
// &KAPE_FILE_MAIN_DB_XP,
// &KAPE_FILE_MAIN_DB_WIN7,
// &KAPE_FILE_LOCALSTATE_S4L_DB,
// &KAPE_FILE_INDEXEDDB_LEVELDB,
// &KAPE_FILE_SKYPE_FOR_DESKTOP_CACHE,
// &KAPE_FILE_SLACK_INDEXEDDB,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_4,
// &KAPE_FILE_SLACK_LOGS,
// &KAPE_FILE_SLACK_CACHE,
// &KAPE_FILE_SLACK_STORAGE,
// &KAPE_FILE_SNAGIT_DATASTORE,
// &KAPE_FILE_C_NETSCAN_XML,
// &KAPE_FILE_SPEEDPROJECT_SPEEDCOMMANDER_19,
// &KAPE_FILE_SERVER_LOG,
// &KAPE_FILE_TEMP_LOG,
// &KAPE_FILE_SPLASHTOP_GATEWAY_LOG,
// &KAPE_FILE_LOG,
// &KAPE_FILE_APPCACHE_LIBRARYCACHE,
// &KAPE_FILE_CONFIG_LOGINUSERS_VDF,
// &KAPE_FILE_CONFIG_LOCALCONFIG_VDF,
// &KAPE_FILE_CONFIG_AVATARCACHE,
// &KAPE_FILE_STEAM_GAMES,
// &KAPE_FILE_LOGS_BOOTSTRAP_LOG_TXT,
// &KAPE_FILE_STEAM_GAME_IMAGE_FIL,
// &KAPE_FILE_STEAM_LOGIN_METADATA,
// &KAPE_FILE_STEAM_FRIEND_LIST_AN,
// &KAPE_FILE_STEAM_USER_AVATAR_FI,
// &KAPE_FILE_STEAM_GAME_TRAY_ICON,
// &KAPE_FILE_STEAM_STARTUP_TIMES,
// &KAPE_FILE_SETTINGS_SESSION_SUBLIME_SESSION,
// &KAPE_FILE_LOCAL_SUBLIME_SESSION,
// &KAPE_FILE_SUGARSYNC_SC1_LOG,
// &KAPE_FILE_DOCUMENTS_SUGARSYNC_SHARED_FOLDERS,
// &KAPE_FILE_DOCUMENTS_MY_SUGARSYNC,
// &KAPE_FILE_LOCAL_SUMATRAPDFSUMATRAPDF_SETTINGS_TXT,
// &KAPE_FILE_SUMATRAPDF_SUMATRAPDFCACHE,
// &KAPE_FILE_SUPREMOREMOTEDESKTOP_LOG_LOG,
// &KAPE_FILE_SUPREMOREMOTEDESKTOP_INBOX,
// &KAPE_FILE_LOCAL_SYNCTHING,
// &KAPE_FILE_LOCAL_SYNCTRAZOR,
// &KAPE_FILE_ROAMING_SYNCTRAZOR,
// &KAPE_FILE_CONFIG_REMEMBER_XML,
// &KAPE_FILE_CONFIG_WINDOW_XML,
// &KAPE_FILE_CONFIG_WINDOW1_XML,
// &KAPE_FILE_TEAMVIEWER_CONNECTIONS_TXT,
// &KAPE_FILE_TEAMVIEWER_TEAMVIEWER_LOGFILE,
// &KAPE_FILE_TEAMVIEWER_APPLICATI,
// &KAPE_FILE_MRU_REMOTESUPPORT,
// &KAPE_FILE_ROAMING_TELEGRAM_DESKTOP,
// &KAPE_FILE_DOWNLOADS_TELEGRAM_DESKTOP,
// &KAPE_FILE_ROAMING_TERACOPY,
// &KAPE_FILE_CRASH_REPORTS_INSTALLTIME,
// &KAPE_FILE_THUNDERBIRD_PROFILES_INI,
// &KAPE_FILE_PREFS_JS,
// &KAPE_FILE_GLOBAL_MESSAGES_DB_SQLITE,
// &KAPE_FILE_LOGINS_JSON,
// &KAPE_FILE_PLACES_SQLITE,
// &KAPE_FILE_IMAPMAIL_INBOX,
// &KAPE_FILE_MAIL_INBOX,
// &KAPE_FILE_CALENDAR_DATA_LOCAL_SQLITE,
// &KAPE_FILE_ATTACHMENTS,
// &KAPE_FILE_ABOOK_SQLITE,
// &KAPE_FILE_GHISLER_WINCMD_INI,
// &KAPE_FILE_C_TOTALCMD_LOG,
// &KAPE_FILE_TEMP_FTP_TMP,
// &KAPE_FILE_GHISLER_WCX_FTP_INI,
// &KAPE_FILE_GHISLER_TREEINFO_WC,
// &KAPE_FILE_GHISLER_TCDIRFRQ_TXT,
// &KAPE_FILE_TEMP_TCFTP_LOG,
// &KAPE_FILE_JAM_SOFTWARE_TREESIZE_SCANHISTORY_XML,
// &KAPE_FILE_UEMS_AGENT_LOGS_LOG,
// &KAPE_FILE_UNIFIED_ENDPOINT_MAN,
// &KAPE_FILE_ROAMING_ULTRAVIEWER,
// &KAPE_FILE_ULTRAVIEWER_SYSTEM_L,
// &KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERULTRAVIEWERSERVICE_LOG_TX,
// &KAPE_FILE_PROGRAM_FILES_ULTRAVIEWERCONNECTIONLOG_LOG,
// &KAPE_FILE_VLC_VLC_QT_INTERFACE_INI,
// &KAPE_FILE_VIDEOS_VLC_AVI,
// &KAPE_FILE_ROAMING_VMWARE,
// &KAPE_FILE_C_VMEM,
// &KAPE_FILE_C_VMSS,
// &KAPE_FILE_C_VMSN,
// &KAPE_FILE_REALVNC_VNCSERVER_LOG,
// &KAPE_FILE_REALVNC_VNCVIEWER_LOG,
// &KAPE_FILE_PROGRAMDATA_REALVNC_SERVICEVNCSERVER_LOG,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE_5,
// &KAPE_FILE_SERVER_LOGS_2,
// &KAPE_FILE_VIBERPC_CONFIG_DB,
// &KAPE_FILE_VIBER_DB,
// &KAPE_FILE_AVATARS,
// &KAPE_FILE_BACKGROUNDS,
// &KAPE_FILE_THUMBNAILS,
// &KAPE_FILE_C_VBOX,
// &KAPE_FILE_C_VBOX_PREV,
// &KAPE_FILE_C_VBOX_LOG,
// &KAPE_FILE_VIRTUALBOX_BACKUP_LO,
// &KAPE_FILE_C_VBOXHARDENING_LOG,
// &KAPE_FILE_C_SAV,
// &KAPE_FILE_HISTORY,
// &KAPE_FILE_GLOBALSTORAGE_STORAGE_JSON,
// &KAPE_FILE_CACHEDEXTENSIONS_USER,
// &KAPE_FILE_USER_SETTINGS_JSON,
// &KAPE_FILE_CODE_PREFERENCES,
// &KAPE_FILE_NETWORK_COOKIES,
// &KAPE_FILE_NETWORK_NETWORK_PERSISTENT_STATE,
// &KAPE_FILE_CODE_LOGS,
// &KAPE_FILE_BACKUPS,
// &KAPE_FILE_WHATSAPP_CACHE,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_5,
// &KAPE_FILE_MICROSOFT_STORE_WHAT,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_2_2,
// &KAPE_FILE_LOCALSTATE_PROFILEPICTURES,
// &KAPE_FILE_TRANSFERSREGEX_JPG_MP4_PDF_WEBP,
// &KAPE_FILE_C_WINSCP_INI,
// &KAPE_FILE_LOCALCACHE_INDEXED,
// &KAPE_FILE_XYPLORER_XYPLORER_INI,
// &KAPE_FILE_PANE_INI,
// &KAPE_FILE_XYPLORER_AUTOBACKUP,
// &KAPE_FILE_ROAMING_XYPLORER_DAT,
// &KAPE_FILE_PROGRAM_FILES_XEOX_LOG,
// &KAPE_FILE_LOCAL_ZSCALER,
// &KAPE_FILE_ZOHOMEETING_LOG,
// &KAPE_FILE_LOCAL_ZOHOMEETING_CONF,
// &KAPE_FILE_ZOHO_ASSIST_LOG_FILE,
// &KAPE_FILE_PROGRAMDATA_ZOHOMEETING_CONF,
// &KAPE_FILE_ZOHOMEETING_LOGS,
// &KAPE_FILE_UNATTENDED_ZOHOMEETING_CONF,
// &KAPE_FILE_UNATTENDED_ZOHOMEETING_TXT,
// &KAPE_FILE_ZOOM_LOGS,
// &KAPE_FILE_ZOOM,
// &KAPE_FILE_ZOOM_CLIENT_RECORDIN,
// &KAPE_FILE_ROAMING_ZOOM_PLUGIN_JSON,
// &KAPE_FILE_MOBILESYNC_BACKUP,
// &KAPE_FILE_ITUNES_BACKUP_FOLDER,
// &KAPE_FILE_MOBILESYNC_BACKUP_2,
// &KAPE_FILE_MIRC_LOGS,
// &KAPE_FILE_MIRC_CHAT_LOGS_2000,
// &KAPE_FILE_MREMOTENG_MREMOTENG_LOG,
// &KAPE_FILE_MREMOTENG_CONFCONS_XML,
// &KAPE_FILE_MREMOTENG_USER_CONFIG,
// &KAPE_FILE_PCLOUD_DB,
// &KAPE_FILE_PCLOUD_DB_WAL,
// &KAPE_FILE_PCLOUD_DB_SHM,
// &KAPE_FILE_360BOOKMARKS,
// &KAPE_FILE_COOKIES,
// &KAPE_FILE_CURRENT_SESSION,
// &KAPE_FILE_CURRENT_TABS,
// &KAPE_FILE_DOWNLOADMETADATA,
// &KAPE_FILE_EXTENSION_COOKIES,
// &KAPE_FILE_FAVICONS,
// &KAPE_FILE_360HISTORY,
// &KAPE_FILE_LAST_SESSION,
// &KAPE_FILE_LAST_TABS,
// &KAPE_FILE_SESSIONS,
// &KAPE_FILE_LOGIN_DATA,
// &KAPE_FILE_MEDIA_HISTORY,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE,
// &KAPE_FILE_PREFERENCES,
// &KAPE_FILE_QUOTAMANAGER,
// &KAPE_FILE_REPORTING_AND_NEL,
// &KAPE_FILE_SHORTCUTS,
// &KAPE_FILE_TOP_SITES,
// &KAPE_FILE_TRUST_TOKENS,
// &KAPE_FILE_SYNC_DATA,
// &KAPE_FILE_VISITED_LINKS,
// &KAPE_FILE_WEB_DATA,
// &KAPE_FILE_PROTECT_2,
// &KAPE_FILE_SNAPSHOTS,
// &KAPE_FILE_NETWORKCOOKIES,
// &KAPE_FILE_FAVICONS_2,
// &KAPE_FILE_HISTORY_2,
// &KAPE_FILE_SESSIONS_2,
// &KAPE_FILE_LOGIN_DATA_2,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_2,
// &KAPE_FILE_PREFERENCES_2,
// &KAPE_FILE_SHORTCUTS_2,
// &KAPE_FILE_TOP_SITES_2,
// &KAPE_FILE_SYNC_DATA_2,
// &KAPE_FILE_BOOKMARKS,
// &KAPE_FILE_VISITED_LINKS_2,
// &KAPE_FILE_WEB_DATA_2,
// &KAPE_FILE_LOCAL_ARCSTORABLE_JSON,
// &KAPE_FILE_LOCALCACHE_LOCALCOM_PLIST,
// &KAPE_FILE_BOOKMARKS_2,
// &KAPE_FILE_COOKIES_2,
// &KAPE_FILE_CURRENT_SESSION_2,
// &KAPE_FILE_CURRENT_TABS_2,
// &KAPE_FILE_DOWNLOADMETADATA_2,
// &KAPE_FILE_FAVICONS_3,
// &KAPE_FILE_HISTORY_3,
// &KAPE_FILE_DEFAULT_SESSIONS,
// &KAPE_FILE_LOGIN_DATA_3,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_3,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_2,
// &KAPE_FILE_PREFERENCES_3,
// &KAPE_FILE_QUOTAMANAGER_2,
// &KAPE_FILE_REPORTING_AND_NEL_2,
// &KAPE_FILE_SHORTCUTS_3,
// &KAPE_FILE_PUBLISHER_INFO_DB,
// &KAPE_FILE_TOP_SITES_3,
// &KAPE_FILE_VISITED_LINKS_3,
// &KAPE_FILE_WEB_DATA_3,
// &KAPE_FILE_SECURE_PREFERENCES,
// &KAPE_FILE_CACHE,
// &KAPE_FILE_CHROME_BETA_CACHE_FO,
// &KAPE_FILE_CHROME_DEV_CACHE_FOL,
// &KAPE_FILE_CHROME_SXS_CANARY_CA,
// &KAPE_FILE_CHROMIUM_EDGE_CACHE,
// &KAPE_FILE_CHROMIUM_EDGE_BETA_C,
// &KAPE_FILE_CHROMIUM_EDGE_DEV_CA,
// &KAPE_FILE_CHROMIUM_EDGE_SXS_CA,
// &KAPE_FILE_CHROMIUM_CACHE_FOLDE,
// &KAPE_FILE_PROFILES,
// &KAPE_FILE_WINDOWS_TEMPORARY_INTERNET_FILES,
// &KAPE_FILE_CONTENT_IE5_INDEX_DAT,
// &KAPE_FILE_WINDOWS_INETCACHE,
// &KAPE_FILE_WINDOWS_WEBCACHE,
// &KAPE_FILE_CACHE_CACHE_DATA,
// &KAPE_FILE_BOOKMARKS_3,
// &KAPE_FILE_COOKIES_3,
// &KAPE_FILE_CURRENT_SESSION_3,
// &KAPE_FILE_CURRENT_TABS_3,
// &KAPE_FILE_FAVICONS_4,
// &KAPE_FILE_HISTORY_4,
// &KAPE_FILE_LAST_SESSION_2,
// &KAPE_FILE_LAST_TABS_2,
// &KAPE_FILE_LOGIN_DATA_4,
// &KAPE_FILE_PREFERENCES_4,
// &KAPE_FILE_SHORTCUTS_4,
// &KAPE_FILE_TOP_SITES_4,
// &KAPE_FILE_VISITED_LINKS_4,
// &KAPE_FILE_WEB_DATA_4,
// &KAPE_FILE_CHROME_BOOKMARKS,
// &KAPE_FILE_CHROME_COOKIES,
// &KAPE_FILE_CHROME_CURRENT_SESSI,
// &KAPE_FILE_CHROME_CURRENT_TABS,
// &KAPE_FILE_DOWNLOADMETADATA_3,
// &KAPE_FILE_EXTENSION_COOKIES_2,
// &KAPE_FILE_CHROME_FAVICONS,
// &KAPE_FILE_CHROME_HISTORY,
// &KAPE_FILE_CHROME_LAST_SESSION,
// &KAPE_FILE_CHROME_LAST_TABS,
// &KAPE_FILE_SESSIONS_3,
// &KAPE_FILE_CHROME_LOGIN_DATA,
// &KAPE_FILE_MEDIA_HISTORY_2,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_4,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_3,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE,
// &KAPE_FILE_CHROME_PREFERENCES,
// &KAPE_FILE_QUOTAMANAGER_3,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER,
// &KAPE_FILE_REPORTING_AND_NEL_3,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL,
// &KAPE_FILE_CHROME_SHORTCUTS,
// &KAPE_FILE_CHROME_TOP_SITES,
// &KAPE_FILE_TRUST_TOKENS_2,
// &KAPE_FILE_NETWORKTRUST_TOKENS,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3,
// &KAPE_FILE_CHROME_VISITED_LINKS,
// &KAPE_FILE_CHROME_WEB_DATA,
// &KAPE_FILE_INDEXEDDB,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_6,
// &KAPE_FILE_PROTECT_3,
// &KAPE_FILE_SNAPSHOTS_2,
// &KAPE_FILE_SYSTEM_CHROME_HISTOR,
// &KAPE_FILE_BOOKMARKS_4,
// &KAPE_FILE_COOKIES_4,
// &KAPE_FILE_CURRENT_SESSION_4,
// &KAPE_FILE_CURRENT_TABS_4,
// &KAPE_FILE_FAVICONS_5,
// &KAPE_FILE_HISTORY_5,
// &KAPE_FILE_LAST_SESSION_3,
// &KAPE_FILE_LAST_TABS_3,
// &KAPE_FILE_LOGIN_DATA_5,
// &KAPE_FILE_PREFERENCES_5,
// &KAPE_FILE_SHORTCUTS_5,
// &KAPE_FILE_TOP_SITES_5,
// &KAPE_FILE_VISITED_LINKS_5,
// &KAPE_FILE_WEB_DATA_5,
// &KAPE_FILE_CHROME_BETA_BOOKMARK,
// &KAPE_FILE_CHROME_BETA_COOKIES,
// &KAPE_FILE_CHROME_BETA_CURRENT,
// &KAPE_FILE_CURRENT_TABS_2_2,
// &KAPE_FILE_DOWNLOADMETADATA_4,
// &KAPE_FILE_EXTENSION_COOKIES_3,
// &KAPE_FILE_CHROME_BETA_FAVICONS,
// &KAPE_FILE_CHROME_BETA_HISTORY,
// &KAPE_FILE_CHROME_BETA_LAST_SES,
// &KAPE_FILE_CHROME_BETA_LAST_TAB,
// &KAPE_FILE_SESSIONS_4,
// &KAPE_FILE_CHROME_BETA_LOGIN_DA,
// &KAPE_FILE_MEDIA_HISTORY_3,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_5,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_4,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_2,
// &KAPE_FILE_CHROME_BETA_PREFEREN,
// &KAPE_FILE_QUOTAMANAGER_4,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_2,
// &KAPE_FILE_REPORTING_AND_NEL_4,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_2,
// &KAPE_FILE_CHROME_BETA_SHORTCUT,
// &KAPE_FILE_CHROME_BETA_TOP_SITE,
// &KAPE_FILE_TRUST_TOKENS_3,
// &KAPE_FILE_NETWORKTRUST_TOKENS_2,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_2,
// &KAPE_FILE_CHROME_BETA_VISITED,
// &KAPE_FILE_CHROME_BETA_WEB_DATA,
// &KAPE_FILE_INDEXEDDB_2,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_7,
// &KAPE_FILE_PROTECT_4,
// &KAPE_FILE_SNAPSHOTS_3,
// &KAPE_FILE_SYSTEM_CHROME_BETA_H,
// &KAPE_FILE_BOOKMARKS_5,
// &KAPE_FILE_COOKIES_5,
// &KAPE_FILE_CURRENT_SESSION_5,
// &KAPE_FILE_CURRENT_TABS_5,
// &KAPE_FILE_FAVICONS_6,
// &KAPE_FILE_HISTORY_6,
// &KAPE_FILE_LAST_SESSION_4,
// &KAPE_FILE_LAST_TABS_4,
// &KAPE_FILE_LOGIN_DATA_6,
// &KAPE_FILE_PREFERENCES_6,
// &KAPE_FILE_SHORTCUTS_6,
// &KAPE_FILE_TOP_SITES_6,
// &KAPE_FILE_VISITED_LINKS_6,
// &KAPE_FILE_WEB_DATA_6,
// &KAPE_FILE_CHROME_DEV_BOOKMARKS,
// &KAPE_FILE_CHROME_DEV_COOKIES,
// &KAPE_FILE_CHROME_DEV_CURRENT_S,
// &KAPE_FILE_CHROME_DEV_CURRENT_T,
// &KAPE_FILE_DOWNLOADMETADATA_5,
// &KAPE_FILE_EXTENSION_COOKIES_4,
// &KAPE_FILE_CHROME_DEV_FAVICONS,
// &KAPE_FILE_CHROME_DEV_HISTORY,
// &KAPE_FILE_CHROME_DEV_LAST_SESS,
// &KAPE_FILE_CHROME_DEV_LAST_TABS,
// &KAPE_FILE_SESSIONS_5,
// &KAPE_FILE_CHROME_DEV_LOGIN_DAT,
// &KAPE_FILE_MEDIA_HISTORY_4,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_6,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_5,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_3,
// &KAPE_FILE_CHROME_DEV_PREFERENC,
// &KAPE_FILE_QUOTAMANAGER_5,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_3,
// &KAPE_FILE_REPORTING_AND_NEL_5,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_3,
// &KAPE_FILE_CHROME_DEV_SHORTCUTS,
// &KAPE_FILE_CHROME_DEV_TOP_SITES,
// &KAPE_FILE_TRUST_TOKENS_4,
// &KAPE_FILE_NETWORKTRUST_TOKENS_3,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_3,
// &KAPE_FILE_CHROME_DEV_VISITED_L,
// &KAPE_FILE_CHROME_DEV_WEB_DATA,
// &KAPE_FILE_INDEXEDDB_3,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_8,
// &KAPE_FILE_PROTECT_5,
// &KAPE_FILE_SNAPSHOTS_4,
// &KAPE_FILE_SYSTEM_CHROME_DEV_HI,
// &KAPE_FILE_EXTENSIONS_MANIFEST_JSON,
// &KAPE_FILE_EN_MESSAGES_JSON,
// &KAPE_FILE_CHROME_BETA_BROWSER,
// &KAPE_FILE_EN_MESSAGES_JSON_2,
// &KAPE_FILE_CHROME_DEV_BROWSER_E,
// &KAPE_FILE_EN_MESSAGES_JSON_3,
// &KAPE_FILE_CHROME_SXS_CANARY_BR,
// &KAPE_FILE_EN_MESSAGES_JSON_4,
// &KAPE_FILE_EXTENSIONS,
// &KAPE_FILE_CHROME_EXTENSION_FIL,
// &KAPE_FILE_CHROME_BETA_EXTENSIO,
// &KAPE_FILE_EXTENSIONS_2,
// &KAPE_FILE_CHROME_DEV_EXTENSION,
// &KAPE_FILE_EXTENSIONS_3,
// &KAPE_FILE_CHROME_SXS_CANARY_EX,
// &KAPE_FILE_EXTENSIONS_4,
// &KAPE_FILE_FILE_SYSTEM,
// &KAPE_FILE_CHROME_BETA_HTML5_FI,
// &KAPE_FILE_CHROME_DEV_HTML5_FIL,
// &KAPE_FILE_CHROME_SXS_CANARY_HT,
// &KAPE_FILE_BOOKMARKS_6,
// &KAPE_FILE_COOKIES_6,
// &KAPE_FILE_CURRENT_SESSION_6,
// &KAPE_FILE_CURRENT_TABS_6,
// &KAPE_FILE_FAVICONS_7,
// &KAPE_FILE_HISTORY_7,
// &KAPE_FILE_LAST_SESSION_5,
// &KAPE_FILE_LAST_TABS_5,
// &KAPE_FILE_LOGIN_DATA_7,
// &KAPE_FILE_PREFERENCES_7,
// &KAPE_FILE_SHORTCUTS_7,
// &KAPE_FILE_TOP_SITES_7,
// &KAPE_FILE_VISITED_LINKS_7,
// &KAPE_FILE_WEB_DATA_7,
// &KAPE_FILE_CHROME_SXS_BOOKMARKS,
// &KAPE_FILE_CHROME_SXS_COOKIES,
// &KAPE_FILE_CHROME_SXS_CURRENT_S,
// &KAPE_FILE_CHROME_SXS_CURRENT_T,
// &KAPE_FILE_DOWNLOADMETADATA_6,
// &KAPE_FILE_EXTENSION_COOKIES_5,
// &KAPE_FILE_CHROME_SXS_FAVICONS,
// &KAPE_FILE_CHROME_SXS_HISTORY,
// &KAPE_FILE_CHROME_SXS_LAST_SESS,
// &KAPE_FILE_CHROME_SXS_LAST_TABS,
// &KAPE_FILE_SESSIONS_6,
// &KAPE_FILE_CHROME_SXS_LOGIN_DAT,
// &KAPE_FILE_MEDIA_HISTORY_5,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_7,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_6,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_4,
// &KAPE_FILE_CHROME_SXS_PREFERENC,
// &KAPE_FILE_QUOTAMANAGER_6,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_4,
// &KAPE_FILE_REPORTING_AND_NEL_6,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_4,
// &KAPE_FILE_CHROME_SXS_SHORTCUTS,
// &KAPE_FILE_CHROME_SXS_TOP_SITES,
// &KAPE_FILE_TRUST_TOKENS_5,
// &KAPE_FILE_NETWORKTRUST_TOKENS_4,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_4,
// &KAPE_FILE_CHROME_SXS_VISITED_L,
// &KAPE_FILE_CHROME_SXS_WEB_DATA,
// &KAPE_FILE_INDEXEDDB_4,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_9,
// &KAPE_FILE_PROTECT_6,
// &KAPE_FILE_SNAPSHOTS_5,
// &KAPE_FILE_SYSTEM_CHROME_SXS_HI,
// &KAPE_FILE_BOOKMARKS_7,
// &KAPE_FILE_COOKIES_7,
// &KAPE_FILE_CURRENT_SESSION_7,
// &KAPE_FILE_CURRENT_TABS_7,
// &KAPE_FILE_FAVICONS_8,
// &KAPE_FILE_HISTORY_8,
// &KAPE_FILE_LAST_SESSION_6,
// &KAPE_FILE_LAST_TABS_6,
// &KAPE_FILE_LOGIN_DATA_8,
// &KAPE_FILE_PREFERENCES_8,
// &KAPE_FILE_SHORTCUTS_8,
// &KAPE_FILE_TOP_SITES_8,
// &KAPE_FILE_VISITED_LINKS_8,
// &KAPE_FILE_WEB_DATA_8,
// &KAPE_FILE_CHROMIUM_BOOKMARKS,
// &KAPE_FILE_CHROMIUM_COOKIES,
// &KAPE_FILE_CHROMIUM_CURRENT_SES,
// &KAPE_FILE_CHROMIUM_CURRENT_TAB,
// &KAPE_FILE_DOWNLOADMETADATA_7,
// &KAPE_FILE_EXTENSION_COOKIES_6,
// &KAPE_FILE_CHROMIUM_FAVICONS,
// &KAPE_FILE_CHROMIUM_HISTORY,
// &KAPE_FILE_CHROMIUM_LAST_SESSIO,
// &KAPE_FILE_CHROMIUM_LAST_TABS,
// &KAPE_FILE_SESSIONS_7,
// &KAPE_FILE_CHROMIUM_LOGIN_DATA,
// &KAPE_FILE_MEDIA_HISTORY_6,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_8,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_7,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_5,
// &KAPE_FILE_CHROMIUM_PREFERENCES,
// &KAPE_FILE_QUOTAMANAGER_7,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_5,
// &KAPE_FILE_REPORTING_AND_NEL_7,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_5,
// &KAPE_FILE_CHROMIUM_SHORTCUTS,
// &KAPE_FILE_CHROMIUM_TOP_SITES,
// &KAPE_FILE_TRUST_TOKENS_6,
// &KAPE_FILE_NETWORKTRUST_TOKENS_5,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_5,
// &KAPE_FILE_CHROMIUM_VISITED_LIN,
// &KAPE_FILE_CHROMIUM_WEB_DATA,
// &KAPE_FILE_INDEXEDDB_5,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_10,
// &KAPE_FILE_PROTECT_7,
// &KAPE_FILE_SNAPSHOTS_6,
// &KAPE_FILE_SYSTEM_CHROMIUM_HIST,
// &KAPE_FILE_BOOKMARKS_8,
// &KAPE_FILE_COOKIES_8,
// &KAPE_FILE_CURRENT_SESSION_8,
// &KAPE_FILE_CURRENT_TABS_8,
// &KAPE_FILE_DOWNLOADMETADATA_8,
// &KAPE_FILE_EXTENSION_COOKIES_7,
// &KAPE_FILE_FAVICONS_9,
// &KAPE_FILE_HISTORY_9,
// &KAPE_FILE_LAST_SESSION_7,
// &KAPE_FILE_LAST_TABS_7,
// &KAPE_FILE_SESSIONS_8,
// &KAPE_FILE_LOGIN_DATA_9,
// &KAPE_FILE_MEDIA_HISTORY_7,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_9,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_8,
// &KAPE_FILE_PREFERENCES_9,
// &KAPE_FILE_QUOTAMANAGER_8,
// &KAPE_FILE_REPORTING_AND_NEL_8,
// &KAPE_FILE_SHORTCUTS_9,
// &KAPE_FILE_TOP_SITES_9,
// &KAPE_FILE_TRUST_TOKENS_7,
// &KAPE_FILE_SYNC_DATA_3,
// &KAPE_FILE_VISITED_LINKS_9,
// &KAPE_FILE_WEB_DATA_9,
// &KAPE_FILE_PROTECT_8,
// &KAPE_FILE_SNAPSHOTS_7,
// &KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE,
// &KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE,
// &KAPE_FILE_BOOKMARKS_9,
// &KAPE_FILE_NETWORKCOOKIES_2,
// &KAPE_FILE_CURRENT_SESSION_9,
// &KAPE_FILE_CURRENT_TABS_9,
// &KAPE_FILE_EXTENSION_COOKIES_8,
// &KAPE_FILE_FAVICONS_10,
// &KAPE_FILE_HISTORY_10,
// &KAPE_FILE_LAST_SESSION_8,
// &KAPE_FILE_LAST_TABS_8,
// &KAPE_FILE_SESSIONS_9,
// &KAPE_FILE_LOGIN_DATA_10,
// &KAPE_FILE_MEDIA_HISTORY_8,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_10,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_9,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_6,
// &KAPE_FILE_PREFERENCES_10,
// &KAPE_FILE_QUOTAMANAGER_9,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_6,
// &KAPE_FILE_REPORTING_AND_NEL_9,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_6,
// &KAPE_FILE_SHORTCUTS_10,
// &KAPE_FILE_TOP_SITES_10,
// &KAPE_FILE_TRUST_TOKENS_8,
// &KAPE_FILE_NETWORKTRUST_TOKENS_6,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_6,
// &KAPE_FILE_VISITED_LINKS_10,
// &KAPE_FILE_WEB_DATA_10,
// &KAPE_FILE_INDEXEDDB_6,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_11,
// &KAPE_FILE_WEBASSISTDATABASE,
// &KAPE_FILE_PROTECT_9,
// &KAPE_FILE_SNAPSHOTS_8,
// &KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_2,
// &KAPE_FILE_BOOKMARKS_10,
// &KAPE_FILE_NETWORKCOOKIES_3,
// &KAPE_FILE_CURRENT_SESSION_10,
// &KAPE_FILE_CURRENT_TABS_10,
// &KAPE_FILE_EXTENSION_COOKIES_9,
// &KAPE_FILE_FAVICONS_11,
// &KAPE_FILE_HISTORY_11,
// &KAPE_FILE_LAST_SESSION_9,
// &KAPE_FILE_LAST_TABS_9,
// &KAPE_FILE_SESSIONS_10,
// &KAPE_FILE_LOGIN_DATA_11,
// &KAPE_FILE_MEDIA_HISTORY_9,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_11,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_10,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_7,
// &KAPE_FILE_PREFERENCES_11,
// &KAPE_FILE_QUOTAMANAGER_10,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_7,
// &KAPE_FILE_REPORTING_AND_NEL_10,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_7,
// &KAPE_FILE_SHORTCUTS_11,
// &KAPE_FILE_TOP_SITES_11,
// &KAPE_FILE_TRUST_TOKENS_9,
// &KAPE_FILE_NETWORKTRUST_TOKENS_7,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_7,
// &KAPE_FILE_VISITED_LINKS_11,
// &KAPE_FILE_WEB_DATA_11,
// &KAPE_FILE_INDEXEDDB_7,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_12,
// &KAPE_FILE_WEBASSISTDATABASE_2,
// &KAPE_FILE_PROTECT_10,
// &KAPE_FILE_SNAPSHOTS_9,
// &KAPE_FILE_EXTENSIONS_5,
// &KAPE_FILE_EDGE_BETA_CHROMIUM_E,
// &KAPE_FILE_EDGE_DEV_CHROMIUM_EX,
// &KAPE_FILE_EDGE_SXS_CANARY_CHRO,
// &KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_3,
// &KAPE_FILE_BOOKMARKS_11,
// &KAPE_FILE_NETWORKCOOKIES_4,
// &KAPE_FILE_CURRENT_SESSION_11,
// &KAPE_FILE_CURRENT_TABS_11,
// &KAPE_FILE_EXTENSION_COOKIES_10,
// &KAPE_FILE_FAVICONS_12,
// &KAPE_FILE_HISTORY_12,
// &KAPE_FILE_LAST_SESSION_10,
// &KAPE_FILE_LAST_TABS_10,
// &KAPE_FILE_SESSIONS_11,
// &KAPE_FILE_LOGIN_DATA_12,
// &KAPE_FILE_MEDIA_HISTORY_10,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_12,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_11,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_8,
// &KAPE_FILE_PREFERENCES_12,
// &KAPE_FILE_QUOTAMANAGER_11,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_8,
// &KAPE_FILE_REPORTING_AND_NEL_11,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_8,
// &KAPE_FILE_SHORTCUTS_12,
// &KAPE_FILE_TOP_SITES_12,
// &KAPE_FILE_TRUST_TOKENS_10,
// &KAPE_FILE_NETWORKTRUST_TOKENS_8,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_8,
// &KAPE_FILE_VISITED_LINKS_12,
// &KAPE_FILE_WEB_DATA_12,
// &KAPE_FILE_INDEXEDDB_8,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_13,
// &KAPE_FILE_WEBASSISTDATABASE_3,
// &KAPE_FILE_PROTECT_11,
// &KAPE_FILE_SNAPSHOTS_10,
// &KAPE_FILE_FILE_SYSTEM_2,
// &KAPE_FILE_EDGE_BETA_HTML5_FILE,
// &KAPE_FILE_EDGE_DEV_HTML5_FILE,
// &KAPE_FILE_EDGE_SXS_CANARY_HTML,
// &KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_4,
// &KAPE_FILE_BOOKMARKS_12,
// &KAPE_FILE_NETWORKCOOKIES_5,
// &KAPE_FILE_CURRENT_SESSION_12,
// &KAPE_FILE_CURRENT_TABS_12,
// &KAPE_FILE_EXTENSION_COOKIES_11,
// &KAPE_FILE_FAVICONS_13,
// &KAPE_FILE_HISTORY_13,
// &KAPE_FILE_LAST_SESSION_11,
// &KAPE_FILE_LAST_TABS_11,
// &KAPE_FILE_SESSIONS_12,
// &KAPE_FILE_LOGIN_DATA_13,
// &KAPE_FILE_MEDIA_HISTORY_11,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_13,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_12,
// &KAPE_FILE_NETWORKNETWORK_PERSISTENT_STATE_9,
// &KAPE_FILE_PREFERENCES_13,
// &KAPE_FILE_QUOTAMANAGER_12,
// &KAPE_FILE_WEBSTORAGEQUOTAMANAGER_9,
// &KAPE_FILE_REPORTING_AND_NEL_12,
// &KAPE_FILE_NETWORKREPORTING_AND_NEL_9,
// &KAPE_FILE_SHORTCUTS_13,
// &KAPE_FILE_TOP_SITES_13,
// &KAPE_FILE_TRUST_TOKENS_11,
// &KAPE_FILE_NETWORKTRUST_TOKENS_9,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_9,
// &KAPE_FILE_VISITED_LINKS_13,
// &KAPE_FILE_WEB_DATA_13,
// &KAPE_FILE_INDEXEDDB_9,
// &KAPE_FILE_LOCAL_STORAGE_LEVELDB_14,
// &KAPE_FILE_WEBASSISTDATABASE_4,
// &KAPE_FILE_PROTECT_12,
// &KAPE_FILE_SNAPSHOTS_11,
// &KAPE_FILE_ADDONS_SQLITE,
// &KAPE_FILE_WEAVE_BOOKMARKS_SQLITE,
// &KAPE_FILE_BOOKMARKBACKUPS,
// &KAPE_FILE_COOKIES_SQLITE,
// &KAPE_FILE_FIREFOX_COOKIES_SQLITE,
// &KAPE_FILE_DOWNLOADS_SQLITE,
// &KAPE_FILE_EXTENSIONS_JSON,
// &KAPE_FILE_FAVICONS_SQLITE,
// &KAPE_FILE_FORMHISTORY_SQLITE,
// &KAPE_FILE_PERMISSIONS_SQLITE,
// &KAPE_FILE_PLACES_SQLITE_2,
// &KAPE_FILE_PROTECTIONS_SQLITE,
// &KAPE_FILE_SEARCH_SQLITE,
// &KAPE_FILE_SIGNONS_SQLITE,
// &KAPE_FILE_STORAGE_SYNC_SQLITE,
// &KAPE_FILE_WEBAPPSTORE_SQLITE,
// &KAPE_FILE_KEY_DB,
// &KAPE_FILE_SIGNON,
// &KAPE_FILE_LOGINS_JSON_2,
// &KAPE_FILE_PREFS_JS_2,
// &KAPE_FILE_SESSIONSTORE,
// &KAPE_FILE_SESSIONSTORE_BACKUPS,
// &KAPE_FILE_PLACES_XP,
// &KAPE_FILE_DOWNLOADS_XP,
// &KAPE_FILE_FORM_HISTORY_XP,
// &KAPE_FILE_COOKIES_XP,
// &KAPE_FILE_SIGNONS_XP,
// &KAPE_FILE_WEBAPPSTORE_XP,
// &KAPE_FILE_FAVICONS_XP,
// &KAPE_FILE_ADDONS_XP,
// &KAPE_FILE_SEARCH_XP,
// &KAPE_FILE_PASSWORD_XP,
// &KAPE_FILE_SIGNON_2,
// &KAPE_FILE_LOGINS_JSON_2_2,
// &KAPE_FILE_SESSIONSTORE_XP,
// &KAPE_FILE_HISTORY_IE5_INDEX_DAT,
// &KAPE_FILE_INDEX_DAT,
// &KAPE_FILE_COOKIES_INDEX_DAT,
// &KAPE_FILE_USERDATA_INDEX_DAT,
// &KAPE_FILE_RECENT_INDEX_DAT,
// &KAPE_FILE_INDEX_DAT_OFFICE,
// &KAPE_FILE_MICROSOFT_INTERNET_EXPLORER,
// &KAPE_FILE_ROAMING_INTERNET_EXP,
// &KAPE_FILE_WINDOWS_HISTORY,
// &KAPE_FILE_WINDOWS_COOKIES,
// &KAPE_FILE_WINDOWS_IEDOWNLOADHISTORY,
// &KAPE_FILE_WINDOWS_WEBCACHE_2,
// &KAPE_FILE_WINDOWS_INETCOOKIES,
// &KAPE_FILE_OPERA_SOFTWARE_OPERA_STABLE,
// &KAPE_FILE_OPERA_ROAMING_FOLDER,
// &KAPE_FILE_BOOKMARKS_13,
// &KAPE_FILE_COOKIES_9,
// &KAPE_FILE_CURRENT_SESSION_13,
// &KAPE_FILE_CURRENT_TABS_13,
// &KAPE_FILE_FAVICONS_14,
// &KAPE_FILE_HISTORY_14,
// &KAPE_FILE_LAST_SESSION_12,
// &KAPE_FILE_LAST_TABS_12,
// &KAPE_FILE_LOGIN_DATA_14,
// &KAPE_FILE_PREFERENCES_14,
// &KAPE_FILE_SHORTCUTS_14,
// &KAPE_FILE_TOP_SITES_14,
// &KAPE_FILE_VISITED_LINKS_14,
// &KAPE_FILE_WEB_DATA_14,
// &KAPE_FILE_PRISMA_ACCESS_BROWSE,
// &KAPE_FILE_COOKIES_2_2,
// &KAPE_FILE_CURRENT_SESSION_2_2,
// &KAPE_FILE_CURRENT_TABS_2_3,
// &KAPE_FILE_DOWNLOADMETADATA_9,
// &KAPE_FILE_EXTENSION_COOKIES_12,
// &KAPE_FILE_FAVICONS_2_2,
// &KAPE_FILE_HISTORY_2_2,
// &KAPE_FILE_LAST_SESSION_2_2,
// &KAPE_FILE_LAST_TABS_2_2,
// &KAPE_FILE_SESSIONS_13,
// &KAPE_FILE_LOGIN_DATA_2_2,
// &KAPE_FILE_MEDIA_HISTORY_12,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_14,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_13,
// &KAPE_FILE_PREFERENCES_2_2,
// &KAPE_FILE_QUOTAMANAGER_13,
// &KAPE_FILE_REPORTING_AND_NEL_13,
// &KAPE_FILE_SHORTCUTS_2_2,
// &KAPE_FILE_TOP_SITES_2_2,
// &KAPE_FILE_TRUST_TOKENS_12,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_10,
// &KAPE_FILE_VISITED_LINKS_2_2,
// &KAPE_FILE_WEB_DATA_2_2,
// &KAPE_FILE_PROTECT_13,
// &KAPE_FILE_SNAPSHOTS_12,
// &KAPE_FILE_SYSTEM_CHROME_HISTOR_2,
// &KAPE_FILE_PRISMAACCESSBROWSER_USER_DATA_BACKUP,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERDATA_DB,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERAUTOCOMPLETES_DAT,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERPASSWORDFORMS_DAT,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCREDENTIAL_DAT,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERSUBSCRIPTION,
// &KAPE_FILE_LOCAL_PUFFINSECUREBROWSERCOOKIES_DAT,
// &KAPE_FILE_PUFFINSECUREBROWSER_IMAGE_CACHE,
// &KAPE_FILE_BOOKMARKS_14,
// &KAPE_FILE_COOKIES_10,
// &KAPE_FILE_CURRENT_SESSION_14,
// &KAPE_FILE_CURRENT_TABS_14,
// &KAPE_FILE_DOWNLOADMETADATA_10,
// &KAPE_FILE_EXTENSION_COOKIES_13,
// &KAPE_FILE_FAVICONS_15,
// &KAPE_FILE_HISTORY_15,
// &KAPE_FILE_LAST_SESSION_13,
// &KAPE_FILE_LAST_TABS_13,
// &KAPE_FILE_SESSIONS_14,
// &KAPE_FILE_LOGIN_DATA_15,
// &KAPE_FILE_MEDIA_HISTORY_13,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_15,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_14,
// &KAPE_FILE_PREFERENCES_15,
// &KAPE_FILE_QUOTAMANAGER_14,
// &KAPE_FILE_REPORTING_AND_NEL_14,
// &KAPE_FILE_SHORTCUTS_15,
// &KAPE_FILE_TOP_SITES_15,
// &KAPE_FILE_TRUST_TOKENS_13,
// &KAPE_FILE_SYNC_DATA_4,
// &KAPE_FILE_VISITED_LINKS_15,
// &KAPE_FILE_WEB_DATA_15,
// &KAPE_FILE_PROTECT_14,
// &KAPE_FILE_SNAPSHOTS_13,
// &KAPE_FILE_BOOKMARKS_15,
// &KAPE_FILE_COOKIES_11,
// &KAPE_FILE_CURRENT_SESSION_15,
// &KAPE_FILE_CURRENT_TABS_15,
// &KAPE_FILE_FAVICONS_16,
// &KAPE_FILE_HISTORY_16,
// &KAPE_FILE_LAST_SESSION_14,
// &KAPE_FILE_LAST_TABS_14,
// &KAPE_FILE_SESSIONS_15,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_16,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_15,
// &KAPE_FILE_LOGIN_DATA_16,
// &KAPE_FILE_PREFERENCES_16,
// &KAPE_FILE_REPORTING_AND_NEL_15,
// &KAPE_FILE_TRUST_TOKENS_14,
// &KAPE_FILE_SYNC_DATA_5,
// &KAPE_FILE_SHORTCUTS_16,
// &KAPE_FILE_TOP_SITES_16,
// &KAPE_FILE_VISITED_LINKS_16,
// &KAPE_FILE_WEB_DATA_16,
// &KAPE_FILE_SUPERMIUM_BOOKMARKS,
// &KAPE_FILE_SUPERMIUM_COOKIES,
// &KAPE_FILE_SUPERMIUM_CURRENT_SE,
// &KAPE_FILE_SUPERMIUM_CURRENT_TA,
// &KAPE_FILE_DOWNLOADMETADATA_11,
// &KAPE_FILE_EXTENSION_COOKIES_14,
// &KAPE_FILE_SUPERMIUM_FAVICONS,
// &KAPE_FILE_SUPERMIUM_HISTORY,
// &KAPE_FILE_SUPERMIUM_LAST_SESSI,
// &KAPE_FILE_SUPERMIUM_LAST_TABS,
// &KAPE_FILE_SUPERMIUM_SESSIONS_F,
// &KAPE_FILE_SUPERMIUM_LOGIN_DATA,
// &KAPE_FILE_MEDIA_HISTORY_14,
// &KAPE_FILE_SUPERMIUM_NETWORK_AC,
// &KAPE_FILE_SUPERMIUM_NETWORK_PE,
// &KAPE_FILE_SUPERMIUM_PREFERENCE,
// &KAPE_FILE_QUOTAMANAGER_15,
// &KAPE_FILE_SUPERMIUM_REPORTING,
// &KAPE_FILE_SUPERMIUM_SHORTCUTS,
// &KAPE_FILE_SUPERMIUM_TOP_SITES,
// &KAPE_FILE_SUPERMIUM_TRUST_TOKE,
// &KAPE_FILE_SUPERMIUM_SYNCDATA_D,
// &KAPE_FILE_SUPERMIUM_VISITED_LI,
// &KAPE_FILE_SUPERMIUM_WEB_DATA,
// &KAPE_FILE_PROTECT_15,
// &KAPE_FILE_SNAPSHOTS_14,
// &KAPE_FILE_SYSTEM_SUPERMIUM_HIS,
// &KAPE_FILE_BOOKMARKS_16,
// &KAPE_FILE_COOKIES_12,
// &KAPE_FILE_CURRENT_SESSION_16,
// &KAPE_FILE_CURRENT_TABS_16,
// &KAPE_FILE_DOWNLOADMETADATA_12,
// &KAPE_FILE_EXTENSION_COOKIES_15,
// &KAPE_FILE_FAVICONS_17,
// &KAPE_FILE_HISTORY_17,
// &KAPE_FILE_LAST_SESSION_15,
// &KAPE_FILE_LAST_TABS_15,
// &KAPE_FILE_SESSIONS_16,
// &KAPE_FILE_LOGIN_DATA_17,
// &KAPE_FILE_MEDIA_HISTORY_15,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_17,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_16,
// &KAPE_FILE_PREFERENCES_17,
// &KAPE_FILE_QUOTAMANAGER_16,
// &KAPE_FILE_REPORTING_AND_NEL_16,
// &KAPE_FILE_SHORTCUTS_17,
// &KAPE_FILE_TOP_SITES_17,
// &KAPE_FILE_TRUST_TOKENS_15,
// &KAPE_FILE_SYNC_DATA_6,
// &KAPE_FILE_VISITED_LINKS_17,
// &KAPE_FILE_WEB_DATA_17,
// &KAPE_FILE_PROTECT_16,
// &KAPE_FILE_SNAPSHOTS_15,
// &KAPE_FILE_COOKIES_13,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_17,
// &KAPE_FILE_FAVICONS_18,
// &KAPE_FILE_HISTORY_18,
// &KAPE_FILE_SESSIONS_17,
// &KAPE_FILE_LOGIN_DATA_18,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_18,
// &KAPE_FILE_PREFERENCES_18,
// &KAPE_FILE_TOP_SITES_18,
// &KAPE_FILE_BOOKMARKS_17,
// &KAPE_FILE_VISITED_LINKS_18,
// &KAPE_FILE_WEB_DATA_18,
// &KAPE_FILE_USER_VIVALDI_REPORTING_DATA,
// &KAPE_FILE_CALENDAR,
// &KAPE_FILE_CONTACTS,
// &KAPE_FILE_NOTES,
// &KAPE_FILE_DOWNLOADMETADATA_13,
// &KAPE_FILE_BOOKMARKS_18,
// &KAPE_FILE_COOKIES_14,
// &KAPE_FILE_CURRENT_SESSION_17,
// &KAPE_FILE_CURRENT_TABS_17,
// &KAPE_FILE_DOWNLOADMETADATA_14,
// &KAPE_FILE_EXTENSION_COOKIES_16,
// &KAPE_FILE_FAVICONS_19,
// &KAPE_FILE_HISTORY_19,
// &KAPE_FILE_LAST_SESSION_16,
// &KAPE_FILE_LAST_TABS_16,
// &KAPE_FILE_SESSIONS_18,
// &KAPE_FILE_LOGIN_DATA_19,
// &KAPE_FILE_MEDIA_HISTORY_16,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_19,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_18,
// &KAPE_FILE_PREFERENCES_19,
// &KAPE_FILE_QUOTAMANAGER_17,
// &KAPE_FILE_REPORTING_AND_NEL_17,
// &KAPE_FILE_SHORTCUTS_18,
// &KAPE_FILE_TOP_SITES_19,
// &KAPE_FILE_TRUST_TOKENS_16,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_11,
// &KAPE_FILE_VISITED_LINKS_19,
// &KAPE_FILE_WEB_DATA_19,
// &KAPE_FILE_PROTECT_17,
// &KAPE_FILE_SNAPSHOTS_16,
// &KAPE_FILE_SYSTEM_WAVEBROWSER_H,
// &KAPE_FILE_COOKIES_15,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_19,
// &KAPE_FILE_FAVICONS_20,
// &KAPE_FILE_HISTORY_20,
// &KAPE_FILE_SESSIONS_19,
// &KAPE_FILE_YA_PASSMAN_DATA,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_20,
// &KAPE_FILE_PREFERENCES_20,
// &KAPE_FILE_TOP_SITES_20,
// &KAPE_FILE_BOOKMARKS_19,
// &KAPE_FILE_VISITED_LINKS_20,
// &KAPE_FILE_WEB_DATA_20,
// &KAPE_FILE_YA_AUTOFILL_DATA,
// &KAPE_FILE_PASSMAN_LOGS,
// &KAPE_FILE_SHORTCUTS_19,
// &KAPE_FILE_EVENTLOGS_TKAPE,
// &KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE,
// &KAPE_FILE_FILESYSTEM_TKAPE,
// &KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE,
// &KAPE_FILE_POWERSHELLCONSOLE_TKAPE,
// &KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE,
// &KAPE_FILE_REGISTRYHIVES_TKAPE,
// &KAPE_FILE_SCHEDULEDTASKS_TKAPE,
// &KAPE_FILE_SRUM_TKAPE,
// &KAPE_FILE_THUMBCACHE_TKAPE,
// &KAPE_FILE_USBDEVICESLOGS_TKAPE,
// &KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE,
// &KAPE_FILE_ANTIVIRUS_TKAPE,
// &KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE,
// &KAPE_FILE_COMBINEDLOGS_TKAPE,
// &KAPE_FILE_GROUPPOLICY_TKAPE,
// &KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_2,
// &KAPE_FILE_FILESYSTEM_TKAPE_2,
// &KAPE_FILE_FTPCLIENTS_TKAPE,
// &KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_2,
// &KAPE_FILE_MESSAGINGCLIENTS_TKAPE,
// &KAPE_FILE_NETWORKSCANNER_TKAPE,
// &KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_2,
// &KAPE_FILE_REGISTRYHIVES_TKAPE_2,
// &KAPE_FILE_REMOTEADMIN_TKAPE,
// &KAPE_FILE_SCHEDULEDTASKS_TKAPE_2,
// &KAPE_FILE_SRUM_TKAPE_2,
// &KAPE_FILE_SUM_TKAPE,
// &KAPE_FILE_WER_TKAPE,
// &KAPE_FILE_THUMBCACHE_TKAPE_2,
// &KAPE_FILE_WBEM_TKAPE,
// &KAPE_FILE_BITS_TKAPE,
// &KAPE_FILE_WEBBROWSERS_TKAPE,
// &KAPE_FILE_WINDOWSINDEXSEARCH_TKAPE_2,
// &KAPE_FILE_WINDOWSTIMELINE_TKAPE,
// &KAPE_FILE_AVAST_TKAPE,
// &KAPE_FILE_AVG_TKAPE,
// &KAPE_FILE_AVIRAAVLOGS_TKAPE,
// &KAPE_FILE_BITDEFENDER_TKAPE,
// &KAPE_FILE_COMBOFIX_TKAPE,
// &KAPE_FILE_CROWDSTRIKEFALCON_TKAPE,
// &KAPE_FILE_CYBEREASON_TKAPE,
// &KAPE_FILE_CYLANCE_TKAPE,
// &KAPE_FILE_ELASTICDEFEND_TKAPE,
// &KAPE_FILE_EMSISOFT_TKAPE,
// &KAPE_FILE_ESET_TKAPE,
// &KAPE_FILE_FSECURE_TKAPE,
// &KAPE_FILE_HITMANPRO_TKAPE,
// &KAPE_FILE_MALWAREBYTES_TKAPE,
// &KAPE_FILE_MCAFEE_TKAPE,
// &KAPE_FILE_MCAFEE_EPO_TKAPE,
// &KAPE_FILE_MICROSOFTSAFETYSCANNER_TKAPE,
// &KAPE_FILE_ROGUEKILLER_TKAPE,
// &KAPE_FILE_SECUREAGE_TKAPE,
// &KAPE_FILE_SENTINELONE_TKAPE,
// &KAPE_FILE_SOPHOS_TKAPE,
// &KAPE_FILE_SUPERANTISPYWARE_TKAPE,
// &KAPE_FILE_SYMANTEC_AV_LOGS_TKAPE,
// &KAPE_FILE_TOTALAV_TKAPE,
// &KAPE_FILE_TRENDMICRO_TKAPE,
// &KAPE_FILE_VIPRE_TKAPE,
// &KAPE_FILE_WEBROOT_TKAPE,
// &KAPE_FILE_WINDOWSDEFENDER_TKAPE,
// &KAPE_FILE_BOXDRIVE_USERFILES_TKAPE,
// &KAPE_FILE_DROPBOX_USERFILES_TKAPE,
// &KAPE_FILE_GOOGLEDRIVEBACKUPSYNC_USERFILES_TKAPE,
// &KAPE_FILE_ONEDRIVE_USERFILES_TKAPE,
// &KAPE_FILE_PCLOUDDATABASE_TKAPE,
// &KAPE_FILE_SUGARSYNC_TKAPE,
// &KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_2,
// &KAPE_FILE_IDRIVE_TKAPE,
// &KAPE_FILE_BOXDRIVE_METADATA_TKAPE,
// &KAPE_FILE_DROPBOX_METADATA_TKAPE,
// &KAPE_FILE_GOOGLEDRIVE_METADATA_TKAPE,
// &KAPE_FILE_MEGASYNC_TKAPE,
// &KAPE_FILE_ONEDRIVE_METADATA_TKAPE,
// &KAPE_FILE_RCLONECONF_TKAPE,
// &KAPE_FILE_FREEFILESYNC_TKAPE,
// &KAPE_FILE_ONEDRIVE_METADATA_TKAPE_2,
// &KAPE_FILE_REGISTRYHIVESUSER_TKAPE,
// &KAPE_FILE_RECYCLEBIN_TKAPE,
// &KAPE_FILE_EVENTLOGS_TKAPE_2,
// &KAPE_FILE_EVENTTRACELOGS_TKAPE,
// &KAPE_FILE_POWERSHELLCONSOLE_TKAPE_2,
// &KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE,
// &KAPE_FILE_WINDOWSFIREWALL_TKAPE,
// &KAPE_FILE_USBDEVICESLOGS_TKAPE_2,
// &KAPE_FILE_NETCLRUSAGELOGS_TKAPE,
// &KAPE_FILE_AMCACHE_TKAPE,
// &KAPE_FILE_APPCOMPATPCA_TKAPE,
// &KAPE_FILE_PREFETCH_TKAPE,
// &KAPE_FILE_RECENTFILECACHE_TKAPE,
// &KAPE_FILE_SYSCACHE_TKAPE,
// &KAPE_FILE_EXCHANGECLIENTACCESS_TKAPE,
// &KAPE_FILE_EXCHANGETRANSPORT_TKAPE,
// &KAPE_FILE_EXCHANGESETUPLOG_TKAPE,
// &KAPE_FILE_FILEZILLACLIENT_TKAPE,
// &KAPE_FILE_FILEZILLASERVER_TKAPE,
// &KAPE_FILE_WINSCP_TKAPE,
// &KAPE_FILE_ROBO_FTP_TKAPE,
// &KAPE_FILE_DIRECTORYOPUS_TKAPE,
// &KAPE_FILE_DOUBLECOMMANDER_TKAPE,
// &KAPE_FILE_EFCOMMANDER_TKAPE,
// &KAPE_FILE_FREECOMMANDER_TKAPE,
// &KAPE_FILE_MIDNIGHTCOMMANDER_TKAPE,
// &KAPE_FILE_MULTICOMMANDER_TKAPE,
// &KAPE_FILE_ONECOMMANDER_TKAPE,
// &KAPE_FILE_Q_DIR_TKAPE,
// &KAPE_FILE_SPEEDCOMMANDER_TKAPE,
// &KAPE_FILE_TABLACUSEXPLORER_TKAPE,
// &KAPE_FILE_TOTALCOMMANDER_TKAPE,
// &KAPE_FILE_XYPLORER_TKAPE,
// &KAPE_FILE_MFT_TKAPE,
// &KAPE_FILE_LOGFILE_TKAPE,
// &KAPE_FILE_J_TKAPE,
// &KAPE_FILE_SDS_TKAPE,
// &KAPE_FILE_BOOT_TKAPE,
// &KAPE_FILE_T_TKAPE,
// &KAPE_FILE_HEXCHAT_TKAPE,
// &KAPE_FILE_ICECHAT_TKAPE,
// &KAPE_FILE_MIRC_TKAPE,
// &KAPE_FILE_ANTIVIRUS_TKAPE_2,
// &KAPE_FILE_CLOUDSTORAGE_METADATA_TKAPE_3,
// &KAPE_FILE_EVENTLOGS_TKAPE_3,
// &KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_3,
// &KAPE_FILE_FILESYSTEM_TKAPE_3,
// &KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_3,
// &KAPE_FILE_NOTEPAD_TKAPE,
// &KAPE_FILE_POWERSHELLCONSOLE_TKAPE_3,
// &KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_3,
// &KAPE_FILE_REGISTRYHIVES_TKAPE_3,
// &KAPE_FILE_REMOTEADMIN_TKAPE_2,
// &KAPE_FILE_SCHEDULEDTASKS_TKAPE_3,
// &KAPE_FILE_SRUM_TKAPE_3,
// &KAPE_FILE_SUM_TKAPE_2,
// &KAPE_FILE_WER_TKAPE_2,
// &KAPE_FILE_WBEM_TKAPE_2,
// &KAPE_FILE_WEBBROWSERS_TKAPE_2,
// &KAPE_FILE_WINDOWSTIMELINE_TKAPE_2,
// &KAPE_FILE_IRCCLIENTS_TKAPE,
// &KAPE_FILE_CISCOJABBER_TKAPE,
// &KAPE_FILE_DISCORD_TKAPE,
// &KAPE_FILE_MATTERMOST_TKAPE,
// &KAPE_FILE_MICROSOFTTEAMS_TKAPE,
// &KAPE_FILE_SIGNAL_TKAPE,
// &KAPE_FILE_SKYPE_TKAPE,
// &KAPE_FILE_SLACK_TKAPE,
// &KAPE_FILE_TELEGRAM_TKAPE,
// &KAPE_FILE_VIBER_TKAPE,
// &KAPE_FILE_WHATSAPP_TKAPE,
// &KAPE_FILE_EVENTLOGS_TKAPE_4,
// &KAPE_FILE_FILESYSTEM_TKAPE_4,
// &KAPE_FILE_REGISTRYHIVES_TKAPE_4,
// &KAPE_FILE_ADVANCEDIPSCANNER_TKAPE,
// &KAPE_FILE_ADVANCEDPORTSCANNER_TKAPE,
// &KAPE_FILE_SOFTPERFECTNETSCAN_TKAPE,
// &KAPE_FILE_DC_TKAPE,
// &KAPE_FILE_EMULE_TKAPE,
// &KAPE_FILE_FROSTWIRE_TKAPE,
// &KAPE_FILE_GIGATRIBE_TKAPE,
// &KAPE_FILE_SHAREAZA_TKAPE,
// &KAPE_FILE_SOULSEEK_TKAPE,
// &KAPE_FILE_CHOCOLATEY_TKAPE,
// &KAPE_FILE_AMCACHE_TKAPE_2,
// &KAPE_FILE_APPCOMPATPCA_TKAPE_2,
// &KAPE_FILE_PREFETCH_TKAPE_2,
// &KAPE_FILE_RECENTFILECACHE_TKAPE_2,
// &KAPE_FILE_SYSCACHE_TKAPE_2,
// &KAPE_FILE_POWERSHELLTRANSCRIPTS_TKAPE_2,
// &KAPE_FILE_POWERSHELLCONSOLE_TKAPE_4,
// &KAPE_FILE_WBEM_TKAPE_3,
// &KAPE_FILE_WER_TKAPE_3,
// &KAPE_FILE_WINDOWSTIMELINE_TKAPE_3,
// &KAPE_FILE_JUMPLISTS_TKAPE,
// &KAPE_FILE_NETCLRUSAGELOGS_TKAPE_2,
// &KAPE_FILE_RECYCLEBIN_INFOFILES_TKAPE_4,
// &KAPE_FILE_RECYCLEBIN_DATAFILES_TKAPE,
// &KAPE_FILE_REGISTRYHIVESSYSTEM_TKAPE,
// &KAPE_FILE_REGISTRYHIVESUSER_TKAPE_2,
// &KAPE_FILE_REGISTRYHIVESMSIXAPPS_TKAPE,
// &KAPE_FILE_ACTION1_TKAPE,
// &KAPE_FILE_AMMYY_TKAPE,
// &KAPE_FILE_ANYDESK_TKAPE,
// &KAPE_FILE_APPLICATIONEVENTS_TKAPE_6,
// &KAPE_FILE_DWAGENT_TKAPE,
// &KAPE_FILE_ISLONLINE_TKAPE,
// &KAPE_FILE_ITARIAN_TKAPE,
// &KAPE_FILE_KASEYA_TKAPE,
// &KAPE_FILE_LEVEL_TKAPE,
// &KAPE_FILE_LOGMEIN_TKAPE,
// &KAPE_FILE_MESHAGENT_TKAPE,
// &KAPE_FILE_MREMOTENG_TKAPE,
// &KAPE_FILE_NETMONITORFOREMPLOYEESPROFESSIONAL_TKAPE,
// &KAPE_FILE_QUICKASSIST_TKAPE,
// &KAPE_FILE_RADMIN_TKAPE,
// &KAPE_FILE_RDPCACHE_TKAPE,
// &KAPE_FILE_RDPLOGS_TKAPE,
// &KAPE_FILE_REMCOS_TKAPE,
// &KAPE_FILE_REMOTEMANIPULATORSYSTEM_TKAPE,
// &KAPE_FILE_REMOTEUTILITIES_APP_TKAPE,
// &KAPE_FILE_RUSTDESK_TKAPE,
// &KAPE_FILE_SCREENCONNECT_TKAPE,
// &KAPE_FILE_SPLASHTOP_TKAPE,
// &KAPE_FILE_SUPREMOREMOTEDESKTOP_TKAPE,
// &KAPE_FILE_TEAMVIEWERLOGS_TKAPE,
// &KAPE_FILE_UEMS_TKAPE,
// &KAPE_FILE_ULTRAVIEWER_TKAPE,
// &KAPE_FILE_VNCLOGS_TKAPE,
// &KAPE_FILE_XEOX_TKAPE,
// &KAPE_FILE_ZOHOASSIST_TKAPE,
// &KAPE_FILE_EVENTLOGS_TKAPE_5,
// &KAPE_FILE_EVIDENCEOFEXECUTION_TKAPE_4,
// &KAPE_FILE_FILESYSTEM_TKAPE_5,
// &KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_4,
// &KAPE_FILE_PREFETCH_TKAPE_3,
// &KAPE_FILE_4K_VIDEO_DOWNLOADER_4K_VIDEO_DOWNLOADER_SQLITE_2,
// &KAPE_FILE_FULLTEXTSEARCHINDEX_2,
// &KAPE_FILE_ONENOTE_NOTIFICATIONSRECENTNOTEBOOKS_SEENURLS_2,
// &KAPE_FILE_16_0_ACCESSIBILITYCHECKERINDEX_2,
// &KAPE_FILE_16_0_NOTETAGS_LIVEID_DB_2,
// &KAPE_FILE_16_0_RECENTSEARCHESRECENTSEARCHES_DB_2,
// &KAPE_FILE_LOCALSTATE_PLUM_SQLITE_2,
// &KAPE_FILE_TODOSQLITE_DB_2,
// &KAPE_FILE_PROGRAMDATA_SCHEDULERSERVICE_SQLITE_2,
// &KAPE_FILE_TERACOPY_HISTORY_DB,
// &KAPE_FILE_TERACOPY_MAIN_DB,
// &KAPE_FILE_ROAMING_NOTION_NOTION_DB_2,
// &KAPE_FILE_IDBS,
// &KAPE_FILE_FILECACHE_DB,
// &KAPE_FILE_CONFIG_DBX,
// &KAPE_FILE_HOME_DB,
// &KAPE_FILE_ICON_DB,
// &KAPE_FILE_SYNC_HISTORY_DB,
// &KAPE_FILE_SYNC_NUCLEUS_SQLITE3,
// &KAPE_FILE_DROPBOX_HOST_DB_2,
// &KAPE_FILE_DROPBOX_HOST_DBX_2,
// &KAPE_FILE_SYNC_AGGREGATION_DBX,
// &KAPE_FILE_AVATARCACHE_DB,
// &KAPE_FILE_DROPBOX_METADATA,
// &KAPE_FILE_CLOUD_GRAPH_CLOUD_GRAPH_DB,
// &KAPE_FILE_CHANGE_BUFFER,
// &KAPE_FILE_SNAPSHOT_DB,
// &KAPE_FILE_SYNC_CONFIG_DB,
// &KAPE_FILE_FILEZILLA_SQLITE3_2,
// &KAPE_FILE_BOOKMARKS_20,
// &KAPE_FILE_COOKIES_16,
// &KAPE_FILE_CURRENT_SESSION_18,
// &KAPE_FILE_CURRENT_TABS_18,
// &KAPE_FILE_FAVICONS_21,
// &KAPE_FILE_HISTORY_21,
// &KAPE_FILE_LAST_SESSION_17,
// &KAPE_FILE_LAST_TABS_17,
// &KAPE_FILE_LOGIN_DATA_20,
// &KAPE_FILE_PREFERENCES_21,
// &KAPE_FILE_SHORTCUTS_20,
// &KAPE_FILE_TOP_SITES_21,
// &KAPE_FILE_VISITED_LINKS_21,
// &KAPE_FILE_WEB_DATA_21,
// &KAPE_FILE_CHROME_BOOKMARKS_2,
// &KAPE_FILE_CHROME_COOKIES_2,
// &KAPE_FILE_CHROME_CURRENT_SESSI_2,
// &KAPE_FILE_CHROME_CURRENT_TABS_2,
// &KAPE_FILE_DOWNLOAD_METADATA,
// &KAPE_FILE_EXTENSION_COOKIES_17,
// &KAPE_FILE_CHROME_FAVICONS_2,
// &KAPE_FILE_CHROME_HISTORY_2,
// &KAPE_FILE_CHROME_LAST_SESSION_2,
// &KAPE_FILE_CHROME_LAST_TABS_2,
// &KAPE_FILE_CHROME_LOGIN_DATA_2,
// &KAPE_FILE_MEDIA_HISTORY_17,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_21,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_20,
// &KAPE_FILE_CHROME_PREFERENCES_2,
// &KAPE_FILE_QUOTAMANAGER_18,
// &KAPE_FILE_REPORTING_AND_NEL_18,
// &KAPE_FILE_CHROME_SHORTCUTS_2,
// &KAPE_FILE_CHROME_TOP_SITES_2,
// &KAPE_FILE_TRUST_TOKENS_17,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_12,
// &KAPE_FILE_CHROME_VISITED_LINKS_2,
// &KAPE_FILE_CHROME_WEB_DATA_2,
// &KAPE_FILE_EDGE_BOOKMARKS,
// &KAPE_FILE_COLLECTIONSCOLLECTIONSSQLITE_5,
// &KAPE_FILE_EDGE_COOKIES,
// &KAPE_FILE_EDGE_CURRENT_SESSION,
// &KAPE_FILE_EDGE_CURRENT_TABS,
// &KAPE_FILE_EDGE_FAVICONS,
// &KAPE_FILE_EDGE_HISTORY,
// &KAPE_FILE_EDGE_LAST_SESSION,
// &KAPE_FILE_EDGE_LAST_TABS,
// &KAPE_FILE_EDGE_LOGIN_DATA,
// &KAPE_FILE_EDGE_MEDIA_HISTORY,
// &KAPE_FILE_EDGE_NETWORK_ACTION,
// &KAPE_FILE_EDGE_PREFERENCES,
// &KAPE_FILE_EDGE_SHORTCUTS,
// &KAPE_FILE_EDGE_TOP_SITES,
// &KAPE_FILE_EDGE_SYNCDATA_DATABA,
// &KAPE_FILE_BOOKMARKS_2_2,
// &KAPE_FILE_EDGE_VISITED_LINKS,
// &KAPE_FILE_EDGE_WEB_DATA,
// &KAPE_FILE_ADDONS_SQLITE_2,
// &KAPE_FILE_WEAVE_BOOKMARKS_SQLITE_2,
// &KAPE_FILE_COOKIES_SQLITE_2,
// &KAPE_FILE_FIREFOX_COOKIES_SQLITE_2,
// &KAPE_FILE_DOWNLOADS_SQLITE_2,
// &KAPE_FILE_FAVICONS_SQLITE_2,
// &KAPE_FILE_FORMHISTORY_SQLITE_2,
// &KAPE_FILE_PERMISSIONS_SQLITE_2,
// &KAPE_FILE_PLACES_SQLITE_3,
// &KAPE_FILE_PROTECTIONS_SQLITE_2,
// &KAPE_FILE_SEARCH_SQLITE_2,
// &KAPE_FILE_SIGNONS_SQLITE_2,
// &KAPE_FILE_STORAGE_SYNC_SQLITE_2,
// &KAPE_FILE_WEBAPPSTORE_SQLITE_2,
// &KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB,
// &KAPE_FILE_NOTIFICATIONS_APPDB_DAT,
// &KAPE_FILE_ACTIVITIESCACHE_DB,
// &KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB,
// &KAPE_FILE_REGEX_DB_DB_WAL_DB_SHM_2,
// &KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB,
// &KAPE_FILE_EVENTTRANSCRIPT_DB,
// &KAPE_FILE_WEBSERVERS_TKAPE,
// &KAPE_FILE_MONGODBLOGS_TKAPE,
// &KAPE_FILE_EXCHANGE_TKAPE,
// &KAPE_FILE_CONFLUENCELOGS_TKAPE,
// &KAPE_FILE_FILEZILLASERVER_TKAPE_2,
// &KAPE_FILE_OPENSSHSERVER_TKAPE,
// &KAPE_FILE_MANAGEENGINELOGS_TKAPE,
// &KAPE_FILE_BITTORRENT_TKAPE,
// &KAPE_FILE_QBITTORRENT_TKAPE,
// &KAPE_FILE_UTORRENT_TKAPE,
// &KAPE_FILE_USBDEVICESLOGS_TKAPE_3,
// &KAPE_FILE_REGISTRYHIVES_TKAPE_5,
// &KAPE_FILE_EVENTLOGS_TKAPE_6,
// &KAPE_FILE_LNKFILESANDJUMPLISTS_TKAPE_5,
// &KAPE_FILE_AMCACHE_TKAPE_3,
// &KAPE_FILE_NEWSBINPRO_TKAPE,
// &KAPE_FILE_NEWSLEECHER_TKAPE,
// &KAPE_FILE_NZBGET_TKAPE,
// &KAPE_FILE_SABNBZD_TKAPE,
// &KAPE_FILE_VMWAREINVENTORY_TKAPE,
// &KAPE_FILE_VMWAREMEMORY_TKAPE,
// &KAPE_FILE_VIRTUALDISKS_TKAPE,
// &KAPE_FILE_PROTONVPN_TKAPE,
// &KAPE_FILE_OPENVPNCLIENT_TKAPE,
// &KAPE_FILE_PALOALTO_TKAPE,
// &KAPE_FILE_FORTICLIENTVPN_TKAPE,
// &KAPE_FILE_PULSESECURE_TKAPE,
// &KAPE_FILE_VIRTUALBOXLOGS_TKAPE,
// &KAPE_FILE_VIRTUALBOXMEMORY_TKAPE,
// &KAPE_FILE_VIRTUALBOXCONFIG_TKAPE,
// &KAPE_FILE_VIRTUALDISKS_TKAPE_2,
// &KAPE_FILE_DEBIAN_TKAPE,
// &KAPE_FILE_UBUNTU_TKAPE,
// &KAPE_FILE_KALI_TKAPE,
// &KAPE_FILE_OPENSUSE_TKAPE,
// &KAPE_FILE_SUSELINUXENTERPRISESERVER_TKAPE,
// &KAPE_FILE_360SECUREBROWSER_TKAPE,
// &KAPE_FILE_ARC_TKAPE,
// &KAPE_FILE_BRAVEBROWSER_TKAPE,
// &KAPE_FILE_CHROME_TKAPE,
// &KAPE_FILE_CHROMEBETA_TKAPE,
// &KAPE_FILE_CHROMEDEV_TKAPE,
// &KAPE_FILE_CHROMESXS_TKAPE,
// &KAPE_FILE_CHROMIUM_TKAPE,
// &KAPE_FILE_COCCOC_TKAPE,
// &KAPE_FILE_EDGE_TKAPE,
// &KAPE_FILE_EDGEBETACHROMIUM_TKAPE,
// &KAPE_FILE_EDGECHROMIUM_TKAPE,
// &KAPE_FILE_EDGEDEVCHROMIUM_TKAPE,
// &KAPE_FILE_EDGESXSCHROMIUM_TKAPE,
// &KAPE_FILE_FIREFOX_TKAPE,
// &KAPE_FILE_INTERNETEXPLORER_TKAPE,
// &KAPE_FILE_OPERA_TKAPE,
// &KAPE_FILE_PRISMAACCESSBROWSER_TKAPE,
// &KAPE_FILE_PUFFINSECUREBROWSER_TKAPE,
// &KAPE_FILE_QQBROWSER_TKAPE,
// &KAPE_FILE_SUPERMIUM_TKAPE,
// &KAPE_FILE_UCBROWSER_TKAPE,
// &KAPE_FILE_VIVALDI_TKAPE,
// &KAPE_FILE_WAVEBROWSER_TKAPE,
// &KAPE_FILE_YANDEX_TKAPE,
// &KAPE_FILE_APACHEACCESSLOG_TKAPE,
// &KAPE_FILE_IISLOGFILES_TKAPE,
// &KAPE_FILE_NGINXLOGS_TKAPE,
// &KAPE_FILE_MSSQLERRORLOG_TKAPE,
// &KAPE_FILE_C_ACCESS_LOG,
// &KAPE_FILE_W3SVC_LOG,
// &KAPE_FILE_IIS_LOG_FILES,
// &KAPE_FILE_LOGFILES_LOG,
// &KAPE_FILE_W3SVC_LOG_2,
// &KAPE_FILE_W3SVC_LOG_3,
// &KAPE_FILE_HTTPERR_LOG,
// &KAPE_FILE_FTPSVC_LOG,
// &KAPE_FILE_LOG_2,
// &KAPE_FILE_LOG_ERRORLOG,
// &KAPE_FILE_MS_SQL_ERRORLOGS,
// &KAPE_FILE_DESKTOPCENTRAL_SERVER_LOGS,
// &KAPE_FILE_ADSELFSERVICE_PLUS_LOGS,
// &KAPE_FILE_LOG_LOG_4,
// &KAPE_FILE_LOGS_LOG_4,
// &KAPE_FILE_MONGODB_LOGS_C_DATA,
// &KAPE_FILE_MONGODB_LOGS_PROGRAM,
// &KAPE_FILE_MONGODB_LOGS_ALTERNA,
// &KAPE_FILE_LOGS_LOG_5,
// &KAPE_FILE_PSREADLINE_HISTORY_TXT,
// &KAPE_FILE_POWERSHELL_CONSOLE_L,
// &KAPE_FILE_PSREADLINE_HISTORY_TXT_2,
// &KAPE_FILE_AUTOSAVEFILES_PS1,
// &KAPE_FILE_CONFIG,
// &KAPE_FILE_BITTORRENT_DAT,
// &KAPE_FILE_DC_LOGS,
// &KAPE_FILE_FREENET_NODE,
// &KAPE_FILE_FREENET_COMPLETED_LIST_DOWNLOADS,
// &KAPE_FILE_FREENET_COMPLETED_LIST_UPLOADS,
// &KAPE_FILE_FREENET_BAK,
// &KAPE_FILE_FREENET_DOWNLOADS,
// &KAPE_FILE_FROSTWIRE_TORRENT_DATA,
// &KAPE_FILE_USER_FROSTWIRE5_FROSTWIRE_PROPS,
// &KAPE_FILE_USER_FROSTWIRE5_ITUNES_PROPS,
// &KAPE_FILE_LOCAL_SHALSOFT,
// &KAPE_FILE_APPLICATION_DATA_GIGATRIBE,
// &KAPE_FILE_APPLICATION_DATA_SHALSOFT,
// &KAPE_FILE_NZBGET_NZBGET_LOG,
// &KAPE_FILE_NZBGET_NZB,
// &KAPE_FILE_NEWSBIN_DOWNLOADED_DB3,
// &KAPE_FILE_NEWSLEECHER_DOWNLOADED_DAT,
// &KAPE_FILE_NICOTINE_LOGS,
// &KAPE_FILE_NICOTINE_INCOMPLETE,
// &KAPE_FILE_NICOTINE_BUDDYFILES_DB,
// &KAPE_FILE_NICOTINE_BUDDYSTREAMS_DB,
// &KAPE_FILE_NICOTINE_BUDDYMTIMES_DB,
// &KAPE_FILE_NICOTINE_BUDDYFILEINDEX_DB,
// &KAPE_FILE_ROAMING_NICOTINE_BUDDYWORDINDEX_DB,
// &KAPE_FILE_NICOTINE_CONFIG,
// &KAPE_FILE_NICOTINE_USERSHARES,
// &KAPE_FILE_ROAMING_NICOTINE_DOWNLOADS_JSON,
// &KAPE_FILE_ROAMING_NICOTINE_UPLOADS_JSON,
// &KAPE_FILE_LOGS_SABNZBD_LOG,
// &KAPE_FILE_ADMIN_HISTORY1_DB,
// &KAPE_FILE_ROAMING_SHAREAZA,
// &KAPE_FILE_SOULSEEKQT_SOULSEEK_CHAT_LOGS,
// &KAPE_FILE_1_DAT,
// &KAPE_FILE_C_TORRENT,
// &KAPE_FILE_C_NZB,
// &KAPE_FILE_LOCAL_EMULE,
// &KAPE_FILE_C_PART_MET,
// &KAPE_FILE_QBITTORRENT_INI,
// &KAPE_FILE_QBITTORRENT_LOGS,
// &KAPE_FILE_QBITTORRENT_GEODB,
// &KAPE_FILE_QBITTORRENT_BT_BACKUP,
// &KAPE_FILE_UTORRENT_DAT,
// &KAPE_FILE_C_BITMAP,
// &KAPE_FILE_C_BOOT,
// &KAPE_FILE_EXTEND_USNJRNL_J,
// &KAPE_FILE_EXTEND_USNJRNL_MAX,
// &KAPE_FILE_EXTEND_J,
// &KAPE_FILE_EXTEND_MAX,
// &KAPE_FILE_C_LOGFILE,
// &KAPE_FILE_C_MFT,
// &KAPE_FILE_C_MFTMIRR,
// &KAPE_FILE_C_SECURE_SDS,
// &KAPE_FILE_SDS,
// &KAPE_FILE_TXFLOG_TOPS_T,
// &KAPE_FILE_TXFLOG_T,
// &KAPE_FILE_WINDOWS_NTDS,
// &KAPE_FILE_WINDOWS_SYSVOL,
// &KAPE_FILE_PROGRAMS_AMCACHE_HVE,
// &KAPE_FILE_AMCACHE,
// &KAPE_FILE_PROGRAMS_AMCACHE_HVE_LOG,
// &KAPE_FILE_AMCACHE_TRANSACTION,
// &KAPE_FILE_APPCOMPAT_PCA,
// &KAPE_FILE_WINDOWSAPPS_DELETED,
// &KAPE_FILE_WINDOWS_SYSTEMAPPS,
// &KAPE_FILE_LOCAL_PACKAGES,
// &KAPE_FILE_PACKAGES_STATEREPOSITORY_SRD,
// &KAPE_FILE_PROGRAMDATA_PACKAGES,
// &KAPE_FILE_CONFIG_APPEVENT_EVT,
// &KAPE_FILE_APPLICATION_EVENT_LO,
// &KAPE_FILE_LOGS_APPLICATION_EVTX,
// &KAPE_FILE_LOGS_APPLICATION_EVTX_2,
// &KAPE_FILE_BOOT_BCD,
// &KAPE_FILE_BOOT_BCD_LOG,
// &KAPE_FILE_NETWORK_DOWNLOADER,
// &KAPE_FILE_CAPABILITYACCESSMANAGER_CAPABILITYACCESSMANAGER_DB,
// &KAPE_FILE_MICROSOFT_CRYPTNETURLCACHE,
// &KAPE_FILE_SYSTEM_WOW64_CRYPTNE,
// &KAPE_FILE_USER_CRYPTNETURLCACH,
// &KAPE_FILE_INETCACHE_IE,
// &KAPE_FILE_DRIVERS_SYS,
// &KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE,
// &KAPE_FILE_ENCAPSULATIONLOGGING,
// &KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG,
// &KAPE_FILE_PROGRAMS_ENCAPSULATIONLOGGING_HVE_LOG_2,
// &KAPE_FILE_LOGS_SYSTEM_EVTX,
// &KAPE_FILE_EVENT_LOGS_WIN7,
// &KAPE_FILE_LOGS_SECURITY_EVTX,
// &KAPE_FILE_LOGS_SECURITY_EVTX_2,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_2,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_2,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_2,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_2,
// &KAPE_FILE_CONFIG_EVT,
// &KAPE_FILE_LOGS_EVTX,
// &KAPE_FILE_EVENT_LOGS_WIN7_2,
// &KAPE_FILE_LOGFILES_ETL,
// &KAPE_FILE_WDI_TRACE_LOGS_1,
// &KAPE_FILE_WDI,
// &KAPE_FILE_WDI_TRACE_LOGS_2,
// &KAPE_FILE_LOGFILES_WMI,
// &KAPE_FILE_WMI_TRACE_LOGS,
// &KAPE_FILE_SYSTEM32_SLEEPSTUDY,
// &KAPE_FILE_SLEEPSTUDY_TRACE_LOG,
// &KAPE_FILE_POWEREFFICIENCY_DIAGNOSTICS_ENERGY_NTKL_ETL,
// &KAPE_FILE_LOGS_ETL,
// &KAPE_FILE_DIAGNOSIS_EVENTTRANSCRIPT_EVENTTRANSCRIPT_DB_2,
// &KAPE_FILE_EVENTTRANSCRIPT_DB_2,
// &KAPE_FILE_TEMP_DIAGNOSTICS,
// &KAPE_FILE_LOGGING_LOG,
// &KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED,
// &KAPE_FILE_EXCHANGE_SERVER_MODI,
// &KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_2,
// &KAPE_FILE_B_A_ZA_Z0_9_8_B_COMPILED_3,
// &KAPE_FILE_EXCHANGESETUPLOGS_EXCHANGESETUP_LOG,
// &KAPE_FILE_LOGS_LOG_6,
// &KAPE_FILE_SYSTEM32_GROUPPOLICY,
// &KAPE_FILE_GROUP_POLICY_HISTORY,
// &KAPE_FILE_USER_GROUP_POLICY_FI,
// &KAPE_FILE_GROUPPOLICY_INI,
// &KAPE_FILE_GROUPPOLICY_POL,
// &KAPE_FILE_LOCAL_GROUP_POLICY_F,
// &KAPE_FILE_SCRIPTS,
// &KAPE_FILE_SCRIPTS_2,
// &KAPE_FILE_ETC_HOSTS,
// &KAPE_FILE_CONFIG_APPLICATIONHOST_CONFIG,
// &KAPE_FILE_CONFIG_ADMINISTRATION_CONFIG,
// &KAPE_FILE_CONFIG_REDIRECTION_CONFIG,
// &KAPE_FILE_INETPUB_WWWROOT_WEB_CONFIG,
// &KAPE_FILE_LOCAL_ICONCACHE_DB,
// &KAPE_FILE_RECENT_AUTOMATICDESTINATIONS,
// &KAPE_FILE_RECENT_CUSTOMDESTINATIONS,
// &KAPE_FILE_WINDOWS_RECENT,
// &KAPE_FILE_OFFICE_RECENT,
// &KAPE_FILE_START_MENU_PROGRAMS_LNK,
// &KAPE_FILE_USER_RECENT,
// &KAPE_FILE_DESKTOP_LNK,
// &KAPE_FILE_DESKTOP_LNK_FILES,
// &KAPE_FILE_RP_LNK,
// &KAPE_FILE_PROGRAMS_LNK,
// &KAPE_FILE_BASH_HISTORY,
// &KAPE_FILE_BASH_LOGOUT,
// &KAPE_FILE_BASHRC,
// &KAPE_FILE_PROFILE,
// &KAPE_FILE_SYSTEM32_LOGFILES,
// &KAPE_FILE_LOGFILES,
// &KAPE_FILE_WINDOWS_PFRO_LOG,
// &KAPE_FILE_C_MOF,
// &KAPE_FILE_C_HIBERFIL_SYS,
// &KAPE_FILE_C_PAGEFILE_SYS,
// &KAPE_FILE_C_SWAPFILE_SYS,
// &KAPE_FILE_MINIDUMP_DMP,
// &KAPE_FILE_SMALL_MEMORY_DUMP_DI,
// &KAPE_FILE_BACKSTAGEINAPPNAVCACHE,
// &KAPE_FILE_CLR_LOG,
// &KAPE_FILE_NET_CLR_USAGELOGS_SY,
// &KAPE_FILE_LOCALSTATE_TABSTATE_BIN,
// &KAPE_FILE_WINDOWSTATE_BIN,
// &KAPE_FILE_SETTINGS_SETTINGS_DAT,
// &KAPE_FILE_SYSTEMAPPDATA_HELIUM_DAT_2,
// &KAPE_FILE_MICROSOFT_WORD,
// &KAPE_FILE_MICROSOFT_EXCEL,
// &KAPE_FILE_MICROSOFT_POWERPOINT,
// &KAPE_FILE_MICROSOFT_PUBLISHER,
// &KAPE_FILE_DIAGNOSTICS_PCW_DEBUGREPORT_XML,
// &KAPE_FILE_ELEVATEDDIAGNOSTICS_PCW_DEBUGREPORT_XML,
// &KAPE_FILE_OFFICEFILECACHE,
// &KAPE_FILE_C_PERFLOGS,
// &KAPE_FILE_POWERSHELL_7_POWERSHELL_CONFIG_JSON,
// &KAPE_FILE_DOCUMENTS_POWERSHELL_TRANSCRIPT_TXT,
// &KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT,
// &KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT,
// &KAPE_FILE_POWERSHELL_TRANSCRIP,
// &KAPE_FILE_POWERSHELL_TRANSCRIPT_TXT_2,
// &KAPE_FILE_20_POWERSHELL_TRANSCRIPT_TXT_2,
// &KAPE_FILE_PREFETCH_PF,
// &KAPE_FILE_PREFETCH,
// &KAPE_FILE_C_PROGRAMDATA,
// &KAPE_FILE_NOTIFICATIONS_APPDB_DAT_2,
// &KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_2,
// &KAPE_FILE_TEMP_QUICKASSIST,
// &KAPE_FILE_TEMP_REMOTEHELP,
// &KAPE_FILE_TERMINAL_SERVER_CLIENT_CACHE,
// &KAPE_FILE_WINDOWS_OLD_RDP_CACH,
// &KAPE_FILE_RDP_CACHE_FILES,
// &KAPE_FILE_PACKAGES_MICROSOFT_REMOTEDESKTOP_8WEKYB3D8BBWE,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_REMOTECONN_3,
// &KAPE_FILE_REMOTECONNECTIONMANA,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_LOCALSESSI_3,
// &KAPE_FILE_LOCALSESSIONMANAGER,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_TERMINALSERVICES_RDPCLIENT_3,
// &KAPE_FILE_RDPCLIENT_EVENT_LOGS,
// &KAPE_FILE_LOGS_MICROSOFT_WINDOWS_REMOTEDESKTOPSERVICES_RDPCO_3,
// &KAPE_FILE_RDPCORETS_EVENT_LOGS,
// &KAPE_FILE_PROGRAMS_RECENTFILECACHE_BCF,
// &KAPE_FILE_RECENTFILECACHE,
// &KAPE_FILE_WINDOWS_RECENT_2,
// &KAPE_FILE_OFFICE_RECENT_2,
// &KAPE_FILE_RECYCLE_BIN_R,
// &KAPE_FILE_R,
// &KAPE_FILE_RECYCLE_D,
// &KAPE_FILE_RECYCLE_BIN_I,
// &KAPE_FILE_RECYCLE_INFO2,
// &KAPE_FILE_HELIUM_REGISTRY_DAT,
// &KAPE_FILE_REGISTRY_DAT,
// &KAPE_FILE_REGISTRY_DAT_MSIX_HI,
// &KAPE_FILE_SETTINGS_SETTINGS_DAT_2,
// &KAPE_FILE_HELIUM_USER_DAT,
// &KAPE_FILE_HELIUM_USERCLASSES_DAT,
// &KAPE_FILE_CONFIG_BBI,
// &KAPE_FILE_BBI_REGISTRY_HIVE,
// &KAPE_FILE_CONFIG_BBI_LOG,
// &KAPE_FILE_BBI_REGISTRY_TRANSAC,
// &KAPE_FILE_CONFIG_BCD_TEMPLATE,
// &KAPE_FILE_BCD_TEMPLATE_REGISTR,
// &KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG,
// &KAPE_FILE_CONFIG_BCD_TEMPLATE_LOG_2,
// &KAPE_FILE_CONFIG_COMPONENTS,
// &KAPE_FILE_COMPONENTS_REGISTRY,
// &KAPE_FILE_CONFIG_COMPONENTS_LOG,
// &KAPE_FILE_CONFIG_COMPONENTS_LOG_2,
// &KAPE_FILE_CONFIG_DRIVERS,
// &KAPE_FILE_DRIVERS_REGISTRY_HIV,
// &KAPE_FILE_CONFIG_DRIVERS_LOG,
// &KAPE_FILE_DRIVERS_REGISTRY_TRA,
// &KAPE_FILE_CONFIG_ELAM,
// &KAPE_FILE_ELAM_REGISTRY_HIVE,
// &KAPE_FILE_CONFIG_ELAM_LOG,
// &KAPE_FILE_ELAM_REGISTRY_TRANSA,
// &KAPE_FILE_CONFIG_USERDIFF,
// &KAPE_FILE_USERDIFF_REGISTRY_HI,
// &KAPE_FILE_CONFIG_USERDIFF_LOG,
// &KAPE_FILE_USERDIFF_REGISTRY_TR,
// &KAPE_FILE_CONFIG_VSMIDK,
// &KAPE_FILE_VSMIDK_REGISTRY_HIVE,
// &KAPE_FILE_CONFIG_VSMIDK_LOG,
// &KAPE_FILE_VSMIDK_REGISTRY_TRAN,
// &KAPE_FILE_CONFIG_SAM_LOG,
// &KAPE_FILE_SAM_REGISTRY_TRANSAC,
// &KAPE_FILE_CONFIG_SECURITY_LOG,
// &KAPE_FILE_SECURITY_REGISTRY_TR,
// &KAPE_FILE_CONFIG_SOFTWARE_LOG,
// &KAPE_FILE_SOFTWARE_REGISTRY_TR,
// &KAPE_FILE_CONFIG_SYSTEM_LOG,
// &KAPE_FILE_SYSTEM_REGISTRY_TRAN,
// &KAPE_FILE_CONFIG_SAM,
// &KAPE_FILE_SAM_REGISTRY_HIVE,
// &KAPE_FILE_CONFIG_SECURITY,
// &KAPE_FILE_SECURITY_REGISTRY_HI,
// &KAPE_FILE_CONFIG_SOFTWARE,
// &KAPE_FILE_SOFTWARE_REGISTRY_HI,
// &KAPE_FILE_CONFIG_SYSTEM,
// &KAPE_FILE_SYSTEM_REGISTRY_HIVE,
// &KAPE_FILE_REGBACK_LOG,
// &KAPE_FILE_REGBACK_REGISTRY_TRA,
// &KAPE_FILE_REGBACK_SAM,
// &KAPE_FILE_SAM_REGISTRY_HIVE_RE,
// &KAPE_FILE_REGBACK_SECURITY,
// &KAPE_FILE_REGBACK_SECURITY_2,
// &KAPE_FILE_REGBACK_SOFTWARE,
// &KAPE_FILE_REGBACK_SOFTWARE_2,
// &KAPE_FILE_REGBACK_SYSTEM,
// &KAPE_FILE_REGBACK_SYSTEM_2,
// &KAPE_FILE_REGBACK_SYSTEM1,
// &KAPE_FILE_REGBACK_SYSTEM1_2,
// &KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT,
// &KAPE_FILE_SYSTEM_PROFILE_REGIS,
// &KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG,
// &KAPE_FILE_SYSTEMPROFILE_NTUSER_DAT_LOG_2,
// &KAPE_FILE_LOCALSERVICE_NTUSER_DAT,
// &KAPE_FILE_LOCAL_SERVICE_REGIST,
// &KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG,
// &KAPE_FILE_LOCALSERVICE_NTUSER_DAT_LOG_2,
// &KAPE_FILE_NETWORKSERVICE_NTUSER_DAT,
// &KAPE_FILE_NETWORK_SERVICE_REGI,
// &KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG,
// &KAPE_FILE_NETWORKSERVICE_NTUSER_DAT_LOG_2,
// &KAPE_FILE_SNAPSHOT_REGISTRY,
// &KAPE_FILE_USER_NTUSER_DAT,
// &KAPE_FILE_NTUSER_DAT_REGISTRY,
// &KAPE_FILE_USER_NTUSER_DAT_LOG,
// &KAPE_FILE_CONFIG_DEFAULT,
// &KAPE_FILE_NTUSER_DAT_DEFAULT_R,
// &KAPE_FILE_CONFIG_DEFAULT_LOG,
// &KAPE_FILE_NTUSER_DAT_DEFAULT_T,
// &KAPE_FILE_WINDOWS_USRCLASS_DAT,
// &KAPE_FILE_WINDOWS_USRCLASS_DAT_LOG,
// &KAPE_FILE_C_NTUSER_DAT,
// &KAPE_FILE_C_NTUSER_DAT_LOG,
// &KAPE_FILE_C_DEFAULT,
// &KAPE_FILE_C_DEFAULT_LOG,
// &KAPE_FILE_C_USRCLASS_DAT,
// &KAPE_FILE_C_USRCLASS_DAT_LOG,
// &KAPE_FILE_C_LNK,
// &KAPE_FILE_MICROSOFT_WORD_2,
// &KAPE_FILE_MICROSOFT_EXCEL_2,
// &KAPE_FILE_MICROSOFT_POWERPOINT_2,
// &KAPE_FILE_MICROSOFT_PUBLISHER_2,
// &KAPE_FILE_PUBLISHER_AUTOSAVE_L,
// &KAPE_FILE_OFFICEFILECACHE_2,
// &KAPE_FILE_OFFICE_DOCUMENT_CACH,
// &KAPE_FILE_BOOKMARKS_21,
// &KAPE_FILE_CHROME_BOOKMARKS_3,
// &KAPE_FILE_COOKIES_17,
// &KAPE_FILE_CHROME_COOKIES_3,
// &KAPE_FILE_CURRENT_SESSION_19,
// &KAPE_FILE_CHROME_CURRENT_SESSI_3,
// &KAPE_FILE_CURRENT_TABS_19,
// &KAPE_FILE_CHROME_CURRENT_TABS_3,
// &KAPE_FILE_DOWNLOAD_METADATA_2,
// &KAPE_FILE_CHROME_DOWNLOAD_META,
// &KAPE_FILE_EXTENSION_COOKIES_18,
// &KAPE_FILE_CHROME_EXTENSION_COO,
// &KAPE_FILE_FAVICONS_22,
// &KAPE_FILE_CHROME_FAVICONS_3,
// &KAPE_FILE_HISTORY_22,
// &KAPE_FILE_CHROME_HISTORY_3,
// &KAPE_FILE_LAST_SESSION_18,
// &KAPE_FILE_CHROME_LAST_SESSION_3,
// &KAPE_FILE_LAST_TABS_18,
// &KAPE_FILE_CHROME_LAST_TABS_3,
// &KAPE_FILE_SESSIONS_20,
// &KAPE_FILE_CHROME_SESSIONS_FOLD,
// &KAPE_FILE_LOGIN_DATA_21,
// &KAPE_FILE_CHROME_LOGIN_DATA_3,
// &KAPE_FILE_MEDIA_HISTORY_18,
// &KAPE_FILE_CHROME_MEDIA_HISTORY,
// &KAPE_FILE_NETWORK_ACTION_PREDICTOR_22,
// &KAPE_FILE_CHROME_NETWORK_ACTIO,
// &KAPE_FILE_NETWORK_PERSISTENT_STATE_21,
// &KAPE_FILE_CHROME_NETWORK_PERSI,
// &KAPE_FILE_PREFERENCES_22,
// &KAPE_FILE_CHROME_PREFERENCES_3,
// &KAPE_FILE_QUOTAMANAGER_19,
// &KAPE_FILE_CHROME_QUOTA_MANAGER,
// &KAPE_FILE_REPORTING_AND_NEL_19,
// &KAPE_FILE_CHROME_REPORTING_AND,
// &KAPE_FILE_SHORTCUTS_21,
// &KAPE_FILE_CHROME_SHORTCUTS_3,
// &KAPE_FILE_TOP_SITES_22,
// &KAPE_FILE_CHROME_TOP_SITES_3,
// &KAPE_FILE_TRUST_TOKENS_18,
// &KAPE_FILE_CHROME_TRUST_TOKENS,
// &KAPE_FILE_SYNC_DATASYNCDATA_SQLITE3_13,
// &KAPE_FILE_CHROME_SYNCDATA_DATA,
// &KAPE_FILE_VISITED_LINKS_22,
// &KAPE_FILE_CHROME_VISITED_LINKS_3,
// &KAPE_FILE_WEB_DATA_22,
// &KAPE_FILE_CHROME_WEB_DATA_3,
// &KAPE_FILE_PROTECT_18,
// &KAPE_FILE_WINDOWS_PROTECT_FOLD,
// &KAPE_FILE_PACKAGES_MICROSOFT_MICROSOFTEDGE_8WEKYB3D8BBWE_2,
// &KAPE_FILE_EDGE_FOLDER,
// &KAPE_FILE_C_AMCACHE_HVE,
// &KAPE_FILE_C_AMCACHE_HVE_LOG,
// &KAPE_FILE_WINDOWS_RECENT_3,
// &KAPE_FILE_LNK_FILES_FROM_RECEN,
// &KAPE_FILE_OFFICE_RECENT_3,
// &KAPE_FILE_LNK_FILES_FROM_MICRO,
// &KAPE_FILE_DESKTOP_LNK_FILES_2,
// &KAPE_FILE_CCM_LOGS,
// &KAPE_FILE_CUSTOM_SDB,
// &KAPE_FILE_SDB_FILES,
// &KAPE_FILE_CUSTOM64_SDB,
// &KAPE_FILE_SDB_FILES_X64,
// &KAPE_FILE_SYSTEM32_SRU,
// &KAPE_FILE_SRUM,
// &KAPE_FILE_CONFIG_SOFTWARE_2,
// &KAPE_FILE_SOFTWARE_REGISTRY_HI_2,
// &KAPE_FILE_CONFIG_SOFTWARE_LOG_2,
// &KAPE_FILE_SOFTWARE_REGISTRY_TR_2,
// &KAPE_FILE_LOGFILES_SUM,
// &KAPE_FILE_TASKS_JOB,
// &KAPE_FILE_AT_JOB,
// &KAPE_FILE_WINDOWS_SCHEDLGU_TXT,
// &KAPE_FILE_AT_SCHEDLGU_TXT,
// &KAPE_FILE_SYSTEM32_TASKS,
// &KAPE_FILE_SYSWOW64_TASKS,
// &KAPE_FILE_XML,
// &KAPE_FILE_POWERSHELL_SCHEDULEDJOBS,
// &KAPE_FILE_OUTPUT,
// &KAPE_FILE_POWERSHELL_SCHEDULED,
// &KAPE_FILE_OUTPUT_2,
// &KAPE_FILE_POWERSHELL_SCHEDULEDJOBS_2,
// &KAPE_FILE_OUTPUT_3,
// &KAPE_FILE_SYSTEM32_CATROOT,
// &KAPE_FILE_SIGNATURECATALOG,
// &KAPE_FILE_TEMPSTATE_PNG,
// &KAPE_FILE_SNIP_SKETCH,
// &KAPE_FILE_SCREENCLIP_JSON,
// &KAPE_FILE_SCREENSHOTS_PNG,
// &KAPE_FILE_SNIPS_PNG,
// &KAPE_FILE_PROGRAMS_STARTUP,
// &KAPE_FILE_SYSTEM_WIDE_STARTUP,
// &KAPE_FILE_STARTUPINFO_XML,
// &KAPE_FILE_STARTUPINFO_XML_FILE,
// &KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE,
// &KAPE_FILE_SYSTEM_VOLUME_INFORMATION_SYSCACHE_HVE_LOG,
// &KAPE_FILE_EXPLORER_THUMBCACHE_DB,
// &KAPE_FILE_WINDOWS_SETUPAPI_LOG,
// &KAPE_FILE_INF_SETUPAPI_LOG,
// &KAPE_FILE_SETUPAPI_LOG_WIN7,
// &KAPE_FILE_USERS_USER,
// &KAPE_FILE_C_VHD,
// &KAPE_FILE_C_VHDX,
// &KAPE_FILE_C_VDI,
// &KAPE_FILE_C_VMDK,
// &KAPE_FILE_WBEM_REPOSITORY,
// &KAPE_FILE_WBEM,
// &KAPE_FILE_WINDOWS_WER,
// &KAPE_FILE_WER_FILES,
// &KAPE_FILE_CRASHDUMPS_DMP,
// &KAPE_FILE_WINDOWS_DMP,
// &KAPE_FILE_CRASH_DUMPS,
// &KAPE_FILE_LOGCAT_LOG,
// &KAPE_FILE_LOCALCACHE_PNG,
// &KAPE_FILE_LOCALCACHE_ICO,
// &KAPE_FILE_LOCALSTATE_APPCOMPATDB_JSON,
// &KAPE_FILE_LOCALCACHE_USERDATA_VHDX,
// &KAPE_FILE_ETC_DEBIAN_VERSION,
// &KAPE_FILE_ETC_FSTAB,
// &KAPE_FILE_ETC_OS_RELEASE,
// &KAPE_FILE_ETC_PASSWD,
// &KAPE_FILE_ETC_GROUP,
// &KAPE_FILE_ETC_SHADOW,
// &KAPE_FILE_ETC_TIMEZONE,
// &KAPE_FILE_ETC_HOSTNAME,
// &KAPE_FILE_ETC_HOSTS_2,
// &KAPE_FILE_ETC_CRONTAB,
// &KAPE_FILE_ETC_BASH_BASHRC,
// &KAPE_FILE_ETC_PROFILE,
// &KAPE_FILE_ROOTFS_BASH_HISTORY,
// &KAPE_FILE_ROOTFS_BASHRC,
// &KAPE_FILE_ROOTFS_PROFILE,
// &KAPE_FILE_CRON_CRONTABS,
// &KAPE_FILE_APT_LOG,
// &KAPE_FILE_LOCALSTATE_EXT4_VHDX,
// &KAPE_FILE_ETC_DEBIAN_VERSION_2,
// &KAPE_FILE_ETC_FSTAB_2,
// &KAPE_FILE_ETC_OS_RELEASE_2,
// &KAPE_FILE_ETC_PASSWD_2,
// &KAPE_FILE_ETC_GROUP_2,
// &KAPE_FILE_ETC_SHADOW_2,
// &KAPE_FILE_ETC_TIMEZONE_2,
// &KAPE_FILE_ETC_HOSTNAME_2,
// &KAPE_FILE_ETC_HOSTS_3,
// &KAPE_FILE_ETC_CRONTAB_2,
// &KAPE_FILE_ETC_BASH_BASHRC_2,
// &KAPE_FILE_ETC_PROFILE_2,
// &KAPE_FILE_ROOTFS_BASH_HISTORY_2,
// &KAPE_FILE_ROOTFS_BASHRC_2,
// &KAPE_FILE_ROOTFS_PROFILE_2,
// &KAPE_FILE_CRON_CRONTABS_2,
// &KAPE_FILE_APT_LOG_2,
// &KAPE_FILE_LOCALSTATE_EXT4_VHDX_2,
// &KAPE_FILE_ETC_OS_RELEASE_3,
// &KAPE_FILE_ETC_FSTAB_3,
// &KAPE_FILE_ETC_PASSWD_3,
// &KAPE_FILE_ETC_GROUP_3,
// &KAPE_FILE_ETC_SHADOW_3,
// &KAPE_FILE_ETC_TIMEZONE_3,
// &KAPE_FILE_ETC_HOSTNAME_3,
// &KAPE_FILE_ETC_HOSTS_4,
// &KAPE_FILE_ETC_BASH_BASHRC_3,
// &KAPE_FILE_ETC_PROFILE_3,
// &KAPE_FILE_ROOTFS_BASH_HISTORY_3,
// &KAPE_FILE_ROOTFS_BASHRC_3,
// &KAPE_FILE_ROOTFS_PROFILE_3,
// &KAPE_FILE_LOCALSTATE_EXT4_VHDX_3,
// &KAPE_FILE_ETC_OS_RELEASE_4,
// &KAPE_FILE_ETC_FSTAB_4,
// &KAPE_FILE_ETC_PASSWD_4,
// &KAPE_FILE_ETC_GROUP_4,
// &KAPE_FILE_ETC_SHADOW_4,
// &KAPE_FILE_ETC_TIMEZONE_4,
// &KAPE_FILE_ETC_HOSTNAME_4,
// &KAPE_FILE_ETC_HOSTS_5,
// &KAPE_FILE_ETC_CRONTAB_3,
// &KAPE_FILE_ETC_BASH_BASHRC_4,
// &KAPE_FILE_ETC_PROFILE_4,
// &KAPE_FILE_ROOTFS_BASH_HISTORY_4,
// &KAPE_FILE_ROOTFS_BASHRC_4,
// &KAPE_FILE_ROOTFS_PROFILE_4,
// &KAPE_FILE_CRON_CRONTABS_3,
// &KAPE_FILE_APT_LOG_3,
// &KAPE_FILE_LOCALSTATE_EXT4_VHDX_4,
// &KAPE_FILE_ETC_OS_RELEASE_5,
// &KAPE_FILE_ETC_FSTAB_5,
// &KAPE_FILE_ETC_PASSWD_5,
// &KAPE_FILE_ETC_GROUP_5,
// &KAPE_FILE_ETC_SHADOW_5,
// &KAPE_FILE_ETC_TIMEZONE_5,
// &KAPE_FILE_ETC_HOSTNAME_5,
// &KAPE_FILE_ETC_HOSTS_6,
// &KAPE_FILE_ETC_BASH_BASHRC_5,
// &KAPE_FILE_ETC_PROFILE_5,
// &KAPE_FILE_ROOTFS_BASH_HISTORY_5,
// &KAPE_FILE_ROOTFS_BASHRC_5,
// &KAPE_FILE_ROOTFS_PROFILE_5,
// &KAPE_FILE_LOCALSTATE_EXT4_VHDX_5,
// &KAPE_FILE_DIAGOUTPUTDIR_WINDOWS365,
// &KAPE_FILE_COREAIPLATFORM_00_UKP,
// &KAPE_FILE_FIREWALL_PFIREWALL,
// &KAPE_FILE_WINDOWS_FIREWALL_LOG,
// &KAPE_FILE_CRYPTO_KEYS,
// &KAPE_FILE_S_1_5_18_USER,
// &KAPE_FILE_MICROSOFT_NGC,
// &KAPE_FILE_CONFIG_SECURITY_LOG_2,
// &KAPE_FILE_SECURITY_REGISTRY_TR_2,
// &KAPE_FILE_CONFIG_SOFTWARE_LOG_3,
// &KAPE_FILE_SOFTWARE_REGISTRY_TR_3,
// &KAPE_FILE_CONFIG_SYSTEM_LOG_2,
// &KAPE_FILE_SYSTEM_REGISTRY_TRAN_2,
// &KAPE_FILE_CONFIG_SECURITY_2,
// &KAPE_FILE_SECURITY_REGISTRY_HI_2,
// &KAPE_FILE_CONFIG_SOFTWARE_3,
// &KAPE_FILE_SOFTWARE_REGISTRY_HI_3,
// &KAPE_FILE_CONFIG_SYSTEM_2,
// &KAPE_FILE_SYSTEM_REGISTRY_HIVE_2,
// &KAPE_FILE_REGBACK_SECURITY_3,
// &KAPE_FILE_REGBACK_SECURITY_2_2,
// &KAPE_FILE_REGBACK_SOFTWARE_3,
// &KAPE_FILE_REGBACK_SOFTWARE_2_2,
// &KAPE_FILE_REGBACK_SYSTEM_3,
// &KAPE_FILE_REGBACK_SYSTEM_2_2,
// &KAPE_FILE_REGBACK_SYSTEM1_3,
// &KAPE_FILE_REGBACK_SYSTEM1_2_2,
// &KAPE_FILE_APPLICATIONS_WINDOWS,
// &KAPE_FILE_APPLICATIONS_S_1,
// &KAPE_FILE_S_1_GATHERLOGS,
// &KAPE_FILE_WINDOWS_GATHERLOGS,
// &KAPE_FILE_DRIVERS_ETC,
// &KAPE_FILE_NOTIFICATIONS_WPNDATABASE_DB_3,
// &KAPE_FILE_NOTIFICATIONS_APPDB_DAT_3,
// &KAPE_FILE_WINDOWS_PANTHERMIGLOG_XML,
// &KAPE_FILE_WINDOWS_PANTHERSETUPACT_LOG,
// &KAPE_FILE_WINDOWS_PANTHER_HUMANREADABLE_XML,
// &KAPE_FILE_PANTHER_ROLLBACKFOLDERMOVELOG_TXT,
// &KAPE_FILE_USOPRIVATE_UPDATESTORESTORE_DB_2,
// &KAPE_FILE_WINDOWS_POWER_EFFICIENCY_DIAGNOSTICS,
// &KAPE_FILE_CONFIG_NETLOGON,
// &KAPE_FILE_SYSTEM32_DNS,
// &KAPE_FILE_SYSTEM32_DHCP,
// &KAPE_FILE_DIAGNOSIS_EVENTS_RBS,
// &KAPE_FILE_LEGACY_RBS_FILES_REL,
// &KAPE_FILE_CONNECTEDDEVICESPLATFORM_ACTIVITIESCACHE_DB,
// &KAPE_FILE_SYSTEM_ETL,
// &KAPE_FILE_WINDOWSUPDATE_WINDOWSUPDATE_ETL,
// &KAPE_FILE_CBS_CBS_LOG,
// &KAPE_FILE_SOFTWAREDISTRIBUTION_DATASTORE,
// &KAPE_FILE_C_SYSTEM_VOLUME_INFORMATION,
// ];