From 162a28e267be1e2a7bcdbe67857fd61fc8a6eb8e Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Tue, 8 Jun 2021 13:39:45 +1000
Subject: [PATCH] Updated KapeFiles Targets artifact (#1097)

Also various cleanups.
---
 .../Windows/Applications/SBECmd.yaml | 69 +-
 .../Windows/KapeFiles/Targets.yaml | 2200 +++++++++--------
 artifacts/definitions/Windows/NTFS/I30.yaml | 70 +-
 .../definitions/Windows/Registry/WDigest.yaml | 45 +-
 .../src/components/core/paged-table.js | 7 +
 .../src/components/flows/flow-logs.js | 9 +
 .../src/components/flows/flow-results.js | 1 +
 scripts/kape_files.py | 19 +-
 8 files changed, 1229 insertions(+), 1191 deletions(-)

diff --git a/artifacts/definitions/Windows/Applications/SBECmd.yaml b/artifacts/definitions/Windows/Applications/SBECmd.yaml
index 35d11185c1f..5ca6bb61fb7 100644
--- a/artifacts/definitions/Windows/Applications/SBECmd.yaml
+++ b/artifacts/definitions/Windows/Applications/SBECmd.yaml
@@ -1,45 +1,42 @@ name: Windows.Applications.SBECmd description: | Execute Eric Zimmerman's SBECmd and return output for analysis - + Objective: - - - Find which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed. + + - Find which folders were accessed on the local machine, the + network, and/or removable devices. Evidence of previously + existing folders after deletion/overwrite. When certain folders + were accessed. Interpretation: - - - Stores information about which folders were most recently browsed by the user. - + + - Stores information about which folders were most recently + browsed by the user. + MITRE ATT&CK ID: TA0009 - Collection - + author: Eduardo Mattos - @eduardfir reference: - https://github.com/EricZimmerman - -required_permissions: - - EXECVE type: CLIENT tools: - name: SBECmd + url: https://github.com/Velocidex/Tools/raw/main/SBECmd/ShellBagsExplorer/SBECmd.exe precondition: SELECT OS From info() where OS = 'windows' parameters: - - name: tactic - description: ATT&CK tactic - default: collection - type: hidden - - name: userRegex default: . - name: UploadFiles description: "Select to Upload SBECmd Output files." type: bool - + - name: RemovePayload description: "Select to Remove Payload after execution." type: bool @@ -51,10 +48,10 @@ sources: LET payload <= SELECT * FROM Artifact.Generic.Utils.FetchBinary( ToolName="SBECmd", IsExecutable=TRUE) - -- build tempfolder for output + -- build tempfolder for output LET tempfolder <= tempdir(remove_last=TRUE) - -- get users with profiles + -- get users with profiles LET UserProfiles = SELECT Uid, Name, Directory, UUID, Mtime FROM Artifact.Windows.Sys.Users() WHERE Name =~ userRegex and Directory =~ "Users" 
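Review bot: Dropping `required_permissions: - EXECVE` from the artifact header in the first hunk leaves an artifact that still spawns a process (the `execve(argv=['powershell','Remove-Item', ...])` call in the Uploads source, and presumably the SBECmd run itself outside these hunks) without declaring the permission it needs. If the server relies on that declaration to decide who may schedule the artifact, this widens who can launch a binary fetched from a URL on endpoints; if the `execve` plugin enforces EXECVE on its own at runtime the line is redundant, but it still documents the requirement, so I would keep `required_permissions:` with `- EXECVE`. The new `url:` entry for the SBECmd tool carries no integrity pin visible in this hunk; if the tool definition supports an expected-hash field in this version, pinning the binary's hash would stop a changed upstream file from being executed silently. The second hunk on this line is whitespace only.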
@@ -78,19 +75,23 @@ sources: }) - name: Uploads - queries: - - | - SELECT * FROM chain( - a={ - SELECT * FROM if(condition=UploadFiles, - then={ - SELECT Name, upload(file=FullPath, name=relpath(base=tempfile, path=FullPath)) as FileDetails - FROM glob(globs="/**", root=tempfolder)}) - }, - b={ - SELECT * FROM if(condition=RemovePayload, - then={ - SELECT * FROM execve(argv=['powershell','Remove-Item', - payload.FullPath[0],'-Force' ])}) - }) - WHERE Stdout =~ "SBECmd" + query: | + SELECT * FROM chain( + a={ + SELECT * FROM if( + condition=UploadFiles, + then={ + SELECT Name, upload(file=FullPath, + name=relpath(base=tempfile, path=FullPath)) as FileDetails + FROM glob(globs="/**", root=tempfolder) + }) + }, + b={ + SELECT * FROM if( + condition=RemovePayload, + then={ + SELECT * FROM execve(argv=['powershell','Remove-Item', + payload.FullPath[0],'-Force' ]) + }) + }) + WHERE Stdout =~ "SBECmd" diff --git a/artifacts/definitions/Windows/KapeFiles/Targets.yaml b/artifacts/definitions/Windows/KapeFiles/Targets.yaml index 3e7f719abfc..bc7b1a40b68 100644 --- a/artifacts/definitions/Windows/KapeFiles/Targets.yaml +++ b/artifacts/definitions/Windows/KapeFiles/Targets.yaml 
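Review bot: The rewritten upload call still passes `base=tempfile` to `relpath()` while the glob it feeds walks `root=tempfolder`, the variable bound by `LET tempfolder <= tempdir(remove_last=TRUE)` in the previous hunk; unless `tempfile` is bound somewhere outside these hunks, the relative name is computed against an unresolved value and the uploaded names will not be relative to the output folder. I would change that line to `name=relpath(base=tempfolder, path=FullPath)) as FileDetails`. Separately, the trailing `WHERE Stdout =~ "SBECmd"` applies to the whole `chain()`, but the `a` branch yields only `Name` and `FileDetails`, so its rows carry no `Stdout` and are filtered out of the result; if column evaluation is lazy the `upload()` may not run for them at all — confirm against the engine, and if so move the filter inside the `b` branch so the upload rows are returned unfiltered.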
@@ -36,10 +36,10 @@ parameters: description: If set we run the collection across all VSS and collect only unique changes. - name: _BasicCollection - description: "Basic Collection (by Phill Moore): Thumbcache DB, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, XML, XML, LNK Files from Recent, LNK Files from Microsoft Office Recent, LNK Files from Recent (XP), Desktop LNK Files XP, Desktop LNK Files, Restore point LNK Files XP, LNK Files from C:\ProgramData, Amcache, Amcache, Amcache transaction files, Amcache transaction files, $SDS, WindowsIndexSearch, $LogFile, $Boot, NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, PowerShell Console Log, RecentFileCache, RecentFileCache, $MFT, $Recycle.Bin, RECYCLER WinXP, SRUM, SRUM, $J, $Max, Setupapi.log XP, Setupapi.log Win7+, Setupapi.log Win7+, Prefetch, Prefetch, Syscache, Syscache transaction files, Event logs XP, Event logs Win7+, Event logs Win7+, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM 
registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), $T" + description: "Basic Collection (by Phill Moore): $Boot, $J, $LogFile, $MFT, $Max, $Recycle.Bin, $SDS, $T, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Desktop LNK Files, Desktop LNK Files XP, Event logs Win7+, Event logs Win7+, Event logs XP, LNK Files from C:\ProgramData, LNK Files from Microsoft Office Recent, LNK Files from Recent, LNK Files from Recent (XP), Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT registry hive, NTUSER.DAT registry hive XP, NTUSER.DAT registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, PowerShell Console Log, Prefetch, Prefetch, RECYCLER WinXP, RecentFileCache, RecentFileCache, RegBack registry transaction files, RegBack registry transaction files, Restore point LNK Files XP, SAM registry hive, SAM registry hive, SAM registry hive (RegBack), SAM registry hive (RegBack), SAM registry transaction files, SAM registry transaction files, SECURITY registry hive, SECURITY registry hive, SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry 
hive, SOFTWARE registry hive, SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry transaction files, SOFTWARE registry transaction files, SRUM, SRUM, SYSTEM registry hive, SYSTEM registry hive, SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry transaction files, SYSTEM registry transaction files, Setupapi.log Win7+, Setupapi.log Win7+, Setupapi.log XP, Syscache, Syscache transaction files, System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, System Restore Points Registry Hives (XP), Thumbcache DB, UsrClass.dat registry hive, UsrClass.dat registry transaction files, WindowsIndexSearch, XML, XML, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt" type: bool - name: _SANS_Triage - description: "SANS Triage Collection. (by Mark Hallman): Event logs XP, Event logs Win7+, Event logs Win7+, Prefetch, Prefetch, RecentFileCache, RecentFileCache, Amcache, Amcache, Amcache transaction files, Amcache transaction files, Syscache, Syscache transaction files, PowerShell Console Log, $MFT, $LogFile, $J, $Max, $SDS, $Boot, $T, LNK files from Recent, LNK files from Microsoft Office Recent, LNK files from Recent (XP), Desktop LNK files XP, Desktop LNK files, Restore point LNK files XP, $Recycle.Bin, RECYCLER WinXP, SAM registry transaction files, SAM registry transaction files, SECURITY registry transaction files, SECURITY registry transaction files, SOFTWARE registry transaction files, SOFTWARE registry transaction files, SYSTEM registry transaction files, SYSTEM registry transaction files, SAM registry hive, SAM registry hive, SECURITY registry hive, SECURITY registry hive, SOFTWARE registry hive, SOFTWARE registry hive, SYSTEM registry hive, SYSTEM registry hive, RegBack registry transaction files, RegBack registry transaction files, SAM registry hive (RegBack), 
SAM registry hive (RegBack), SECURITY registry hive (RegBack), SECURITY registry hive (RegBack), SOFTWARE registry hive (RegBack), SOFTWARE registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), SYSTEM registry hive (RegBack), System Profile registry hive, System Profile registry hive, System Profile registry transaction files, System Profile registry transaction files, Local Service registry hive, Local Service registry hive, Local Service registry transaction files, Local Service registry transaction files, Network Service registry hive, Network Service registry hive, Network Service registry transaction files, Network Service registry transaction files, System Restore Points Registry Hives (XP), NTUSER.DAT registry hive XP, NTUSER.DAT registry hive, NTUSER.DAT registry transaction files, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT registry hive, NTUSER.DAT DEFAULT transaction files, NTUSER.DAT DEFAULT transaction files, UsrClass.dat registry hive, UsrClass.dat registry transaction files, at .job, at .job, at SchedLgU.txt, at SchedLgU.txt, XML, XML, SRUM, SRUM, Thumbcache DB, Setupapi.log XP, Setupapi.log Win7+, Setupapi.log Win7+, WindowsIndexSearch, WBEM, WBEM, PST XP, OST XP, PST, OST, main.db (App \Lokala Inställningar\Application Data\Gigatribe - 89,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft/**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. 
In Swedish the location is C:\Documents and Settings\\Lokala Inställningar\Application Data\Shalsoft - 90,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent/*.ini,lazy_ntfs, - 91,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\,lazy_ntfs, - 92,FrostWire Downloads,FileDownload,Users\*\Documents\FrostWire\Torrent Data/**10,lazy_ntfs,Locates files downloaded that land in the default location as specified by FrostWire - 93,FrostWire AppData,FileDownload,Users\*\.frostwire5/frostwire.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system - 94,FrostWire AppData,FileDownload,Users\*\.frostwire5/itunes.props,lazy_ntfs,Locates a file that contains important information about the instance of FrostWire on the user's system - 95,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet/nzbget.log,lazy_ntfs,Locates NZBGet download log file - 96,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\,lazy_ntfs,Locates NZBGet NZB files that were used by the user - 97,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza/**10,lazy_ntfs,Locates Shareaza logs and copies them. - 98,DC++ Chat Logs,FileDownload,Users\*\AppData\Local\DC++\Logs/**10,lazy_ntfs,Locates DC++ hub/chat logs and copies them. Current as of version 0.868. 
- 99,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher/downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file - 100,Torrents,FileDownload,**10/*.torrent,lazy_ntfs, - 101,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent/*.dat,lazy_ntfs, - 102,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs/sabnzbd.log,lazy_ntfs,Locates SABnzbd download log - 103,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin/history1.db,lazy_ntfs,Locates SABnzbd history log - 104,Usenet (NZB) Files,FileDownload,**10/*.nzb,lazy_ntfs, - 105,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer/thumbcache_*.db,lazy_ntfs, - 106,SignatureCatalog,FileMetadata,Windows\System32\CatRoot/**10,lazy_ntfs, - 107,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot/**10,lazy_ntfs, - 108,at .job,Persistence,Windows\Tasks/*.job,lazy_ntfs, - 109,at .job,Persistence,Windows.old\Windows\Tasks/*.job,lazy_ntfs, - 110,at SchedLgU.txt,Persistence,Windows/SchedLgU.txt,lazy_ntfs, - 111,at SchedLgU.txt,Persistence,Windows.old\Windows/SchedLgU.txt,lazy_ntfs, - 112,XML,Persistence,Windows\System32\Tasks/**10,lazy_ntfs, - 113,XML,Persistence,Windows.old\Windows\System32\Tasks/**10,lazy_ntfs, - 114,BCD,Registry,Boot/BCD,lazy_ntfs, - 115,BCD Logs,Registry,Boot/BCD.LOG*,lazy_ntfs, - 116,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent/**10,lazy_ntfs,Also includes automatic and custom jumplist directories - 117,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent/**10,lazy_ntfs, - 118,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent/**10,lazy_ntfs, - 119,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop/*.LNK,lazy_ntfs, - 120,Desktop LNK Files,LNKFiles,Users\*\Desktop/*.LNK,lazy_ntfs, - 121,Restore point LNK Files XP,LNKFiles,System Volume 
Information\_restore*\RP*/*.LNK,lazy_ntfs, - 122,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs/*.LNK,lazy_ntfs, - 123,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, - 124,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, - 125,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, - 126,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, - 127,Application Event Log XP,EventLogs,Windows\System32\config/AppEvent.evt,lazy_ntfs, - 128,Application Event Log XP,EventLogs,Windows.old\Windows\System32\config/AppEvent.evt,lazy_ntfs, - 129,Application Event Log Win7+,EventLogs,Windows\System32\winevt\logs/application.evtx,lazy_ntfs, - 130,Application Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/application.evtx,lazy_ntfs, - 131,$SDS,FileSystem,$Secure:$SDS,ntfs, - 132,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bash_history,lazy_ntfs, - 133,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bash_logout,lazy_ntfs, - 134,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bashrc,lazy_ntfs, - 135,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.profile,lazy_ntfs, - 136,"Windows Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes/StickyNotes.snt,lazy_ntfs, - 137,Windows Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState/plum.sqlite*,lazy_ntfs, - 138,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\*/ActivitiesCache.db*,lazy_ntfs, - 139,Windows Firewall 
Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall/pfirewall.*,lazy_ntfs, - 140,Windows Firewall Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall/pfirewall.*,lazy_ntfs, - 141,System Volume Information,Folder capture,System Volume Information/**10,lazy_ntfs, - 142,WER Files,Executables,ProgramData\Microsoft\Windows\WER/**10,lazy_ntfs, - 143,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps/*.dmp,lazy_ntfs, - 144,Crash Dumps,SQL Exploitation,Windows/*.dmp,lazy_ntfs, - 145,Crash Dumps,SQL Exploitation,Windows.old\Windows/*.dmp,lazy_ntfs, - 146,EncapsulationLogging,Executables,Windows\Appcompat\Programs/EncapsulationLogging.hve,lazy_ntfs, - 147,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs/EncapsulationLogging.hve,lazy_ntfs, - 148,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs/EncapsulationLogging.hve.log*,lazy_ntfs, - 149,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs/EncapsulationLogging.hve.log*,lazy_ntfs, - 150,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache/**10,lazy_ntfs, - 151,SDB Files,Executables,Windows\apppatch\Custom/*.sdb,lazy_ntfs, - 152,SDB Files,Executables,Windows.old\Windows\apppatch\Custom/*.sdb,lazy_ntfs, - 153,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64/*.sdb,lazy_ntfs, - 154,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64/*.sdb,lazy_ntfs, - 155,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows/Windows.edb,lazy_ntfs, - 156,$LogFile,FileSystem,$LogFile,ntfs, - 157,$Boot,FileSystem,$Boot,ntfs, - 158,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*/NTUSER.DAT,lazy_ntfs, - 159,NTUSER.DAT registry hive,Registry,Users\*/NTUSER.DAT,lazy_ntfs, - 160,NTUSER.DAT registry transaction files,Registry,Users\*/NTUSER.DAT.LOG*,lazy_ntfs, - 161,NTUSER.DAT DEFAULT registry 
hive,Registry,Windows\System32\config/DEFAULT,lazy_ntfs, - 162,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config/DEFAULT,lazy_ntfs, - 163,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, - 164,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, - 165,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat,lazy_ntfs, - 166,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat.LOG*,lazy_ntfs, - 167,$MFTMirr,FileSystem,$MFTMirr,ntfs,$MFTMirr is a redundant copy of the first four (4) records of the MFT. - 168,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word/**10,lazy_ntfs, - 169,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel/**10,lazy_ntfs, - 170,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint/**10,lazy_ntfs, - 171,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher/**10,lazy_ntfs, - 172,Local Group Policy INI Files,Communication,Windows\System32\grouppolicy/*.ini,lazy_ntfs, - 173,Local Group Policy INI Files,Communication,Windows.old\Windows\System32\grouppolicy/*.ini,lazy_ntfs, - 174,Local Group Policy Files - Registry Policy Files,Communication,Windows\System32\grouppolicy/*.pol,lazy_ntfs, - 175,Local Group Policy Files - Registry Policy Files,Communication,Windows.old\Windows\System32\grouppolicy/*.pol,lazy_ntfs, - 176,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows\System32\grouppolicy\*\Scripts/**10,lazy_ntfs, - 177,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows.old\Windows\System32\grouppolicy\*\Scripts/**10,lazy_ntfs, - 178,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo/*.xml,lazy_ntfs, - 179,StartupInfo XML 
Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo/*.xml,lazy_ntfs, - 180,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, - 181,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, - 182,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, - 183,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, - 184,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, - 185,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, - 186,RDPCoreTS Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP - 187,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP - 188,WDI Trace Logs 1,Event Trace Logs,Windows\System32\WDI\LogFiles/*.etl*,lazy_ntfs, - 189,WDI Trace Logs 1,Event Trace Logs,Windows.old\Windows\System32\WDI\LogFiles/*.etl*,lazy_ntfs, - 190,WDI Trace Logs 2,Event Trace Logs,Windows\System32\WDI\{*/**10,lazy_ntfs, - 191,WDI Trace Logs 2,Event Trace Logs,Windows.old\Windows\System32\WDI\{*/**10,lazy_ntfs, - 192,WMI Trace Logs,Event Trace Logs,Windows\System32\LogFiles\WMI/**10,lazy_ntfs, - 193,WMI Trace Logs,Event Trace Logs,Windows.old\Windows\System32\LogFiles\WMI/**10,lazy_ntfs, - 194,SleepStudy Trace Logs,Event Trace Logs,Windows\System32\SleepStudy/**10,lazy_ntfs, - 195,SleepStudy 
Trace Logs,Event Trace Logs,Windows.old\Windows\System32\SleepStudy/**10,lazy_ntfs, - 196,Energy-NTKL Trace Logs,Event Trace Logs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics/energy-ntkl.etl,lazy_ntfs, - 197,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/System.evtx,lazy_ntfs, - 198,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/System.evtx,lazy_ntfs, - 199,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/Security.evtx,lazy_ntfs, - 200,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/Security.evtx,lazy_ntfs, - 201,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, - 202,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, - 203,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, - 204,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, - 205,$MFT,FileSystem,$MFT,ntfs, - 206,$Recycle.Bin,Deleted Files,$Recycle.Bin/**10,ntfs, - 207,RECYCLER WinXP,Deleted Files,RECYCLER/**10,lazy_ntfs, - 208,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs, - 209,pagefile.sys,Memory,pagefile.sys,lazy_ntfs, - 210,swapfile.sys,Memory,swapfile.sys,lazy_ntfs, - 211,Small Memory Dump directory,Memory,Windows\Minidump/*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump - 212,Small Memory Dump directory,Memory,Windows.old\Windows\Minidump/*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump - 213,SRUM,Execution,Windows\System32\SRU/**10,lazy_ntfs, - 214,SRUM,Execution,Windows.old\Windows\System32\SRU/**10,lazy_ntfs, - 215,LogFiles,Logs,Windows\System32\LogFiles/**10,lazy_ntfs, - 
216,LogFiles,Logs,Windows.old\Windows\System32\LogFiles/**10,lazy_ntfs, - 217,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications/wpndatabase.db,lazy_ntfs, - 218,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications/appdb.dat,lazy_ntfs, - 219,$J,FileSystem,$Extend/$UsnJrnl:$J,ntfs, - 220,$Max,FileSystem,$Extend/$UsnJrnl:$Max,ntfs, - 221,BITS files,Persistence,ProgramData\Microsoft\Network\Downloader/**10,lazy_ntfs, - 222,Setupapi.log XP,USBDevices,Windows/setupapi.log,lazy_ntfs, - 223,Setupapi.log Win7+,USBDevices,Windows\inf/setupapi.dev.log,lazy_ntfs, - 224,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf/setupapi.dev.log,lazy_ntfs, - 225,Windows Your Phone - All Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed/**10,lazy_ntfs,Locates all Your Phone database files - 226,Prefetch,Prefetch,Windows\prefetch/*.pf,lazy_ntfs, - 227,Prefetch,Prefetch,Windows.old\Windows\prefetch/*.pf,lazy_ntfs, - 228,Syscache,Program Execution,System Volume Information/Syscache.hve,lazy_ntfs, - 229,Syscache transaction files,Program Execution,System Volume Information/Syscache.hve.LOG*,lazy_ntfs, - 230,MOF files,WMI,**10/*.MOF,lazy_ntfs, - 231,Event logs XP,EventLogs,Windows\System32\config/*.evt,lazy_ntfs, - 232,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/*.evtx,lazy_ntfs, - 233,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/*.evtx,lazy_ntfs, - 234,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache/*,lazy_ntfs, - 235,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache/*,lazy_ntfs, - 236,SAM registry transaction files,Registry,Windows\System32\config/SAM.LOG*,lazy_ntfs, - 237,SAM registry transaction files,Registry,Windows.old\Windows\System32\config/SAM.LOG*,lazy_ntfs, - 238,SECURITY registry transaction 
files,Registry,Windows\System32\config/SECURITY.LOG*,lazy_ntfs, - 239,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config/SECURITY.LOG*,lazy_ntfs, - 240,SOFTWARE registry transaction files,Registry,Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, - 241,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, - 242,SYSTEM registry transaction files,Registry,Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, - 243,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, - 244,SAM registry hive,Registry,Windows\System32\config/SAM,lazy_ntfs, - 245,SAM registry hive,Registry,Windows.old\Windows\System32\config/SAM,lazy_ntfs, - 246,SECURITY registry hive,Registry,Windows\System32\config/SECURITY,lazy_ntfs, - 247,SECURITY registry hive,Registry,Windows.old\Windows\System32\config/SECURITY,lazy_ntfs, - 248,SOFTWARE registry hive,Registry,Windows\System32\config/SOFTWARE,lazy_ntfs, - 249,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config/SOFTWARE,lazy_ntfs, - 250,SYSTEM registry hive,Registry,Windows\System32\config/SYSTEM,lazy_ntfs, - 251,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config/SYSTEM,lazy_ntfs, - 252,RegBack registry transaction files,Registry,Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, - 253,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, - 254,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SAM,lazy_ntfs, - 255,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SAM,lazy_ntfs, - 256,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack/SECURITY,lazy_ntfs, - 257,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SECURITY,lazy_ntfs, - 258,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs, - 259,SOFTWARE 
registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs,
- 260,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM,lazy_ntfs,
- 261,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM,lazy_ntfs,
- 262,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs,
- 263,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs,
- 264,System Profile registry hive,Registry,Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs,
- 265,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs,
- 266,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs,
- 267,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs,
- 268,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs,
- 269,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs,
- 270,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs,
- 271,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs,
- 272,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs,
- 273,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs,
- 274,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs,
- 275,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs,
- 276,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot/_REGISTRY_*,lazy_ntfs,
- 277,WBEM,WBEM,Windows\System32\wbem\Repository/**10,lazy_ntfs,
- 278,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository/**10,lazy_ntfs,
- 279,$T,FileSystem,$Extend\$RmMetadata\$TxfLog/$Tops:$T,ntfs,
- 280,VHD,Disk Images,**10/*.VHD,lazy_ntfs,
- 281,VHDX,Disk Images,**10/*.VHDX,lazy_ntfs,
- 282,VDI,Disk Images,**10/*.VDI,lazy_ntfs,
- 283,VMDK,Disk Images,**10/*.VMDK,lazy_ntfs,
- 284,Event logs XP,EventLogs,Windows\System32\config/*.evt,lazy_ntfs,
- 285,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/*.evtx,lazy_ntfs,
- 286,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/*.evtx,lazy_ntfs,
- 287,Prefetch,Prefetch,Windows\prefetch/*.pf,lazy_ntfs,
- 288,Prefetch,Prefetch,Windows.old\Windows\prefetch/*.pf,lazy_ntfs,
- 289,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs,
- 290,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs,
- 291,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs,
- 292,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs,
- 293,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs,
- 294,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs,
- 295,Syscache,Program Execution,System Volume Information/Syscache.hve,lazy_ntfs,
- 296,Syscache transaction files,Program Execution,System Volume Information/Syscache.hve.LOG*,lazy_ntfs,
- 297,PowerShell Console Log,PowerShellConsleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline/ConsoleHost_history.txt,lazy_ntfs,
- 298,$MFT,FileSystem,$MFT,ntfs,
- 299,$LogFile,FileSystem,$LogFile,ntfs,
- 300,$J,FileSystem,$Extend/$UsnJrnl:$J,ntfs,
- 301,$Max,FileSystem,$Extend/$UsnJrnl:$Max,ntfs,
- 302,$SDS,FileSystem,$Secure:$SDS,ntfs,
- 303,$Boot,FileSystem,$Boot,ntfs,
- 304,$T,FileSystem,$Extend\$RmMetadata\$TxfLog/$Tops:$T,ntfs,
- 305,LNK files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent/**10,lazy_ntfs,Also includes automatic and custom jumplist directories
- 306,LNK files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent/**10,lazy_ntfs,
- 307,LNK files from Recent (XP),LNKFiles,Documents and Settings\*\Recent/**10,lazy_ntfs,
- 308,Desktop LNK files XP,LNKFiles,Documents and Settings\*\Desktop/*.LNK,lazy_ntfs,
- 309,Desktop LNK files,LNKFiles,Users\*\Desktop/*.LNK,lazy_ntfs,
- 310,Restore point LNK files XP,LNKFiles,System Volume Information\_restore*\RP*/*.LNK,lazy_ntfs,
- 311,$Recycle.Bin,Deleted Files,$Recycle.Bin/**10,ntfs,
- 312,RECYCLER WinXP,Deleted Files,RECYCLER/**10,lazy_ntfs,
- 313,SAM registry transaction files,Registry,Windows\System32\config/SAM.LOG*,lazy_ntfs,
- 314,SAM registry transaction files,Registry,Windows.old\Windows\System32\config/SAM.LOG*,lazy_ntfs,
- 315,SECURITY registry transaction files,Registry,Windows\System32\config/SECURITY.LOG*,lazy_ntfs,
- 316,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config/SECURITY.LOG*,lazy_ntfs,
- 317,SOFTWARE registry transaction files,Registry,Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs,
- 318,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs,
- 319,SYSTEM registry transaction files,Registry,Windows\System32\config/SYSTEM.LOG*,lazy_ntfs,
- 320,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config/SYSTEM.LOG*,lazy_ntfs,
- 321,SAM registry hive,Registry,Windows\System32\config/SAM,lazy_ntfs,
- 322,SAM registry hive,Registry,Windows.old\Windows\System32\config/SAM,lazy_ntfs,
- 323,SECURITY registry hive,Registry,Windows\System32\config/SECURITY,lazy_ntfs,
- 324,SECURITY registry hive,Registry,Windows.old\Windows\System32\config/SECURITY,lazy_ntfs,
- 325,SOFTWARE registry hive,Registry,Windows\System32\config/SOFTWARE,lazy_ntfs,
- 326,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config/SOFTWARE,lazy_ntfs,
- 327,SYSTEM registry hive,Registry,Windows\System32\config/SYSTEM,lazy_ntfs,
- 328,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config/SYSTEM,lazy_ntfs,
- 329,RegBack registry transaction files,Registry,Windows\System32\config\RegBack/*.LOG*,lazy_ntfs,
- 330,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack/*.LOG*,lazy_ntfs,
- 331,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SAM,lazy_ntfs,
- 332,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SAM,lazy_ntfs,
- 333,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack/SECURITY,lazy_ntfs,
- 334,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SECURITY,lazy_ntfs,
- 335,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs,
- 336,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs,
- 337,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM,lazy_ntfs,
- 338,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM,lazy_ntfs,
- 339,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs,
- 340,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs,
- 341,System Profile registry hive,Registry,Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs,
- 342,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs,
- 343,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs,
- 344,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs,
- 345,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs,
- 346,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs,
- 347,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs,
- 348,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs,
- 349,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs,
- 350,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs,
- 351,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs,
- 352,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs,
- 353,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot/_REGISTRY_*,lazy_ntfs,
- 354,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*/NTUSER.DAT,lazy_ntfs,
- 355,NTUSER.DAT registry hive,Registry,Users\*/NTUSER.DAT,lazy_ntfs,
- 356,NTUSER.DAT registry transaction files,Registry,Users\*/NTUSER.DAT.LOG*,lazy_ntfs,
- 357,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config/DEFAULT,lazy_ntfs,
- 358,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config/DEFAULT,lazy_ntfs,
- 359,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config/DEFAULT.LOG*,lazy_ntfs,
- 360,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config/DEFAULT.LOG*,lazy_ntfs,
- 361,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat,lazy_ntfs,
- 362,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat.LOG*,lazy_ntfs,
- 363,at .job,Persistence,Windows\Tasks/*.job,lazy_ntfs,
- 364,at .job,Persistence,Windows.old\Windows\Tasks/*.job,lazy_ntfs,
- 365,at SchedLgU.txt,Persistence,Windows/SchedLgU.txt,lazy_ntfs,
- 366,at SchedLgU.txt,Persistence,Windows.old\Windows/SchedLgU.txt,lazy_ntfs,
- 367,XML,Persistence,Windows\System32\Tasks/**10,lazy_ntfs,
- 368,XML,Persistence,Windows.old\Windows\System32\Tasks/**10,lazy_ntfs,
- 369,SRUM,Execution,Windows\System32\SRU/**10,lazy_ntfs,
- 370,SRUM,Execution,Windows.old\Windows\System32\SRU/**10,lazy_ntfs,
- 371,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer/thumbcache_*.db,lazy_ntfs,
- 372,Setupapi.log XP,USBDevices,Windows/setupapi.log,lazy_ntfs,
- 373,Setupapi.log Win7+,USBDevices,Windows\inf/setupapi.dev.log,lazy_ntfs,
- 374,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf/setupapi.dev.log,lazy_ntfs,
- 375,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows/Windows.edb,lazy_ntfs,
- 376,WBEM,WBEM,Windows\System32\wbem\Repository/**10,lazy_ntfs,
- 377,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository/**10,lazy_ntfs,
- 378,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.pst,lazy_ntfs,
- 379,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.ost,lazy_ntfs,
- 380,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.pst,lazy_ntfs,
- 381,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.ost,lazy_ntfs,
- 382,main.db (App _Logfile.log and TeamViewer_Logfile_OLD.log
- 579,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport/**10,lazy_ntfs,Includes miscellaneous config files
- 580,JDownloader 2.0 Download Lists,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
- 581,JDownloader 2.0 Link Collector,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
- 582,JDownloader 2.0 General Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder.
- 583,JDownloader 2.0 Link Grabber Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.
- 584,JDownloader 2.0 Proxy Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0
- 585,Google Drive User Files,Apps,Users\*\Google Drive*/**10,lazy_ntfs,Google Drive Backup and Sync Application
- 586,Google Drive Metadata,Apps,Users\*\AppData\Local\Google\Drive/**10,lazy_ntfs,Google Drive Backup and Sync Application
- 587,Google File Stream Metadata,Apps,Users\*\AppData\Local\Google\DriveFS/**10,lazy_ntfs,Google Drive File Stream Application
- 588,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd/history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top.
- 589,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd/doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom.
- 590,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
- 591,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
- 592,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
- 593,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
- 594,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*/agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
- 595,Kaseya Setup Log,ApplicationLogs,Users\*\AppData\Local\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
- 596,Kaseya Setup Log,ApplicationLogs,Windows\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
- 597,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
- 598,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.pst,lazy_ntfs,
- 599,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.ost,lazy_ntfs,
- 600,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.pst,lazy_ntfs,
- 601,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.ost,lazy_ntfs,
- 602,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla/*.xml*,lazy_ntfs,
- 603,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla/*.sqlite3*,lazy_ntfs,
- 604,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster/Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster
- 605,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics/**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster
- 606,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster/Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster
- 607,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft Teams\IndexedDB\,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more"
- 608,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more"
- 609,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams/desktop-config.json,lazy_ntfs,JSON config file for Teams
- 610,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
- 611,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
- 612,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
- 613,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB/**10,lazy_ntfs,Locates Mattermost logs and copies them
- 614,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs/**10,lazy_ntfs,
- 615,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup/**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
- 616,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++/config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
- 617,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache/**10,lazy_ntfs,Gets cached data from Discord app
- 618,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb/**10,lazy_ntfs,Gets LevelDB database from Discord app
- 619,SublimeText 2/3 Auto Save Session,Text Editor,Users\*\AppData\Roaming\Sublime Text*\Settings/Session.sublime_session,lazy_ntfs,Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file
- 620,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything/Everything.db,lazy_ntfs,Copies out Everything.db
- 621,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything/Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window
- 622,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything/Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps
- 623,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs/*.log*,lazy_ntfs,
- 624,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs/*.log,lazy_ntfs,
- 625,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config/**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
- 626,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config/**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
- 627,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log/*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
- 628,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC/config.db,lazy_ntfs,Configuration file for Viber
- 629,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*/viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more"
- 630,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users
- 631,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds
- 632,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images
- 633,Symantec Endpoint Protection Logs (XP),AntiVirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV/**10,lazy_ntfs,
- 634,Symantec Endpoint Protection Logs,AntiVirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs/**10,lazy_ntfs,
- 635,Symantec Endpoint Protection User Logs,AntiVirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs/**10,lazy_ntfs,
- 636,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs/Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
- 637,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log
- 638,Symantec Endpoint Protection Quarantine (XP),AntiVirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine/**10,lazy_ntfs,
- 639,Symantec Endpoint Protection Quarantine,AntiVirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine/**10,lazy_ntfs,
- 640,AVG AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\log/**10,lazy_ntfs,
- 641,AVG AV Report Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\report/**10,lazy_ntfs,
- 642,AVG AV Logs,Antivirus,ProgramData\AVG\Antivirus\log/**10,lazy_ntfs,
- 643,AVG Report Logs,Antivirus,ProgramData\AVG\Antivirus\report/**10,lazy_ntfs,
- 644,Trend Micro Logs,Antivirus,ProgramData\Trend Micro/**10,lazy_ntfs,
- 645,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report/*.log,lazy_ntfs,
- 646,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog/*.log,lazy_ntfs,
- 647,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs/**10,lazy_ntfs,
- 648,TotalAV Logs,Antivirus,ProgramData\TotalAV\logs/**10,lazy_ntfs,
- 649,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs/mbam-log-*.xml,lazy_ntfs,
- 650,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs/mbamservice.log*,lazy_ntfs,
- 651,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs/**10,lazy_ntfs,
- 652,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults/**10,lazy_ntfs,
- 653,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs/**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
- 654,Sophos Logs,Antivirus,ProgramData\Sophos\Sophos *\Logs/**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"
- 655,Avira Activity Logs,AntiVirus,ProgramData\Avira\Antivirus\LOGFILES/**10,lazy_ntfs,Collects the scan logs of Avira AntiVirus
- 656,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support/**10,lazy_ntfs,
- 657,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs/Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
- 658,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs/Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs,
- 659,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support/**10,lazy_ntfs,
- 660,Windows Defender Logs,Antivirus,Windows\Temp/MpCmdRun.log,lazy_ntfs,
- 661,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp/MpCmdRun.log,lazy_ntfs,
- 662,Avast AV Logs (XP),Antivirus,Documents And Settings\All Users\Application Data\Avast Software\Avast\Log/**10,lazy_ntfs,
- 663,Avast AV Logs,Antivirus,ProgramData\Avast Software\Avast\Log/**10,lazy_ntfs,
- 664,Avast AV User Logs,Antivirus,Users\*\Avast Software\Avast\Log/**10,lazy_ntfs,
- 665,Avast AV Index,Antivirus,ProgramData\Avast Software\Avast\Chest/index.xml,lazy_ntfs,
- 666,SUPERAntiSpyware Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs/**10,lazy_ntfs,
- 667,Webroot Program Data,Antivirus,ProgramData\WRData/WRLog.log,lazy_ntfs,
- 668,Cybereason Anti-Ransomware Logs,AntiVirus,ProgramData\crs1\Logs/**10,lazy_ntfs,
- 669,Cybereason Sensor Communications and Anti-Malware Logs,AntiVirus,ProgramData\apv2\Logs/**10,lazy_ntfs,
- 670,Cybereason Application Control and NGAV Logs,AntiVirus,ProgramData\crb1\Logs/**10,lazy_ntfs,
- 671,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log/**10,lazy_ntfs,
- 672,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log/**10,lazy_ntfs,
- 673,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports/**10,lazy_ntfs,
- 674,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs/**10,lazy_ntfs,
- 675,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business/**10,lazy_ntfs,
- 676,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs/**10,lazy_ntfs,
- 677,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs/**10,lazy_ntfs,
- 678,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs,
- 679,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs/**10,lazy_ntfs,
- 680,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs/**10,lazy_ntfs,
- 681,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert/excalibur.db,lazy_ntfs,SQl Lite DB
- 682,McAfee ePO Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs/**10,lazy_ntfs,
- 683,McAfee Desktop Protection Logs XP,AntiVirus,Users\All Users\Application Data\McAfee\DesktopProtection/**10,lazy_ntfs,
- 684,McAfee Desktop Protection Logs,AntiVirus,ProgramData\McAfee\DesktopProtection/**10,lazy_ntfs,
- 685,McAfee Endpoint Security Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs/**10,lazy_ntfs,
- 686,McAfee Endpoint Security Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs_Old/**10,lazy_ntfs,
- 687,McAfee VirusScan Logs,AntiVirus,ProgramData\Mcafee\VirusScan/**10,lazy_ntfs,
- 688,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs/**10,lazy_ntfs,Logs are in Binary Format (.binlog)
- 689,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs/AdliceReport_*.json,lazy_ntfs,
- 690,Bitdefender Endpoint Security Logs,Antivirus,ProgramData\Bitdefender\Endpoint Security\Logs/**10,lazy_ntfs,
- 691,Bitdefender Internet Security Logs,Antivirus,ProgramData\Bitdefender\Desktop\Profiles\Logs/**10,lazy_ntfs,
- 692,ESET NOD32 AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs/**10,lazy_ntfs,
- 693,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs/**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser
- 694,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG/ERRORLOG,lazy_ntfs,
- 695,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG/ERRORLOG.*,lazy_ntfs,
- 696,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*/*.log,lazy_ntfs,
- 697,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*/*.log,lazy_ntfs,
- 698,IIS log files,Logs,inetpub\logs\LogFiles/*.log,lazy_ntfs,
- 699,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*/*.log,lazy_ntfs,
- 700,IIS log files,Logs,Resources\directory\* \LogFiles\Web\W3SVC*/*.log,lazy_ntfs,
- 701,NGINX Log Files,Logs,nginx\logs/*.log,lazy_ntfs,
- 702,PowerShell Console Log,PowerShellConsleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline/ConsoleHost_history.txt,lazy_ntfs,
- 703,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs/**10,lazy_ntfs,
- 704,Apache Access Log,Webservers,**10/access.log,lazy_ntfs,
- 705,Edge folder,Communications,Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe/**10,lazy_ntfs,
- 706,Chrome Extension Files,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions/**10,lazy_ntfs,
- 707,Chrome Extension Files XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions/**10,lazy_ntfs,
- 708,Chrome Cache Folder,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Cache/**10,lazy_ntfs,
- 709,Firefox Cache Folder,Communications,Users\*\AppData\Local\Mozilla\Firefox\Profiles\*/**10,lazy_ntfs,
- 710,IE 9/10 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files/**10,lazy_ntfs,
- 711,IE Index.dat temp internet files,Communications,Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5/index.dat,lazy_ntfs,
- 712,IE 11 Cache,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCache/**10,lazy_ntfs,
- 713,Edge WebcacheV01.dat,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\,lazy_ntfs,
- 714,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Bookmarks*,lazy_ntfs,
- 715,Chrome Cookies XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Cookies*,lazy_ntfs,
- 716,Chrome Current Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Current Session,lazy_ntfs,
- 717,Chrome Current Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Current Tabs,lazy_ntfs,
- 718,Chrome Favicons XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Favicons*,lazy_ntfs,
- 719,Chrome History XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/History*,lazy_ntfs,
- 720,Chrome Last Session XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Last Session,lazy_ntfs,
- 721,Chrome Last Tabs XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Last Tabs,lazy_ntfs,
- 722,Chrome Login Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Login Data,lazy_ntfs,
- 723,Chrome Preferences XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Preferences,lazy_ntfs,
- 724,Chrome Shortcuts XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Shortcuts*,lazy_ntfs,
- 725,Chrome Top Sites XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Top Sites*,lazy_ntfs,
- 726,Chrome bookmarks XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Bookmarks*,lazy_ntfs,
- 727,Chrome Visited Links XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Visited Links,lazy_ntfs,
- 728,Chrome Web Data XP,Communications,Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*/Web Data*,lazy_ntfs,
- 729,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Bookmarks*,lazy_ntfs,
- 730,Chrome Cookies,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Cookies*,lazy_ntfs,
- 731,Chrome Current Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Current Session,lazy_ntfs,
- 732,Chrome Current Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Current Tabs,lazy_ntfs,
- 733,Chrome Favicons,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Favicons*,lazy_ntfs,
- 734,Chrome History,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/History*,lazy_ntfs,
- 735,Chrome Last Session,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Last Session,lazy_ntfs,
- 736,Chrome Last Tabs,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Last Tabs,lazy_ntfs,
- 737,Chrome Login Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Login Data,lazy_ntfs,
- 738,Chrome Network Action Predictor,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Network Action Predictor,lazy_ntfs,
- 739,Chrome Preferences,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Preferences,lazy_ntfs,
- 740,Chrome Shortcuts,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Shortcuts*,lazy_ntfs,
- 741,Chrome Top Sites,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Top Sites*,lazy_ntfs,
- 742,Chrome SyncData Database,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*\Sync Data/SyncData.sqlite3,lazy_ntfs,
- 743,Chrome bookmarks,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Bookmarks*,lazy_ntfs,
- 744,Chrome Visited Links,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Visited Links,lazy_ntfs,
- 745,Chrome Web Data,Communications,Users\*\AppData\Local\Google\Chrome\User Data\*/Web Data*,lazy_ntfs,
- 746,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*/**10,lazy_ntfs,Required for offline decryption
- 747,Places,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/places.sqlite*,lazy_ntfs,
- 748,Downloads,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/downloads.sqlite*,lazy_ntfs,
- 749,Form history,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/formhistory.sqlite*,lazy_ntfs,
- 750,Cookies,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/cookies.sqlite*,lazy_ntfs,
- 751,Signons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/signons.sqlite*,lazy_ntfs,
- 752,Webappstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/webappstore.sqlite*,lazy_ntfs,
- 753,Favicons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/favicons.sqlite*,lazy_ntfs,
- 754,Addons,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/addons.sqlite*,lazy_ntfs,
- 755,Search,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/search.sqlite*,lazy_ntfs,
- 756,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/key*.db,lazy_ntfs,
- 757,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/signon*.*,lazy_ntfs,
- 758,Password,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/logins.json,lazy_ntfs,
- 759,Sessionstore,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*/sessionstore*,lazy_ntfs,
- 760,Sessionstore Folder,Communications,Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups/**10,lazy_ntfs,
- 761,Places XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/places.sqlite*,lazy_ntfs,
- 762,Downloads XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/downloads.sqlite*,lazy_ntfs,
- 763,Form history XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/formhistory.sqlite*,lazy_ntfs,
- 764,Cookies XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/cookies.sqlite*,lazy_ntfs,
- 765,Signons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/signons.sqlite*,lazy_ntfs,
- 766,Webappstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/webappstore.sqlite*,lazy_ntfs,
- 767,Favicons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/favicons.sqlite*,lazy_ntfs,
- 768,Addons XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/addons.sqlite*,lazy_ntfs,
- 769,Search XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/search.sqlite*,lazy_ntfs,
- 770,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/key*.db,lazy_ntfs,
- 771,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/signon*.*,lazy_ntfs,
- 772,Password XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/logins.json,lazy_ntfs,
- 773,Sessionstore XP,Communications,Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*/sessionstore*,lazy_ntfs,
- 774,Chrome HTML5 File System Folder,Communication,Users\*\AppData\Local\Google\Chrome\User Data\*\File System/**10,lazy_ntfs,
- 775,Index.dat History,Communications,Documents and Settings\*\Local Settings\History\History.IE5/index.dat,lazy_ntfs,
- 776,Index.dat History subdirectory,Communications,Documents and Settings\*\Local Settings\History\History.IE5\*/index.dat,lazy_ntfs,
- 777,Index.dat cookies,Communications,Documents and Settings\*\Cookies/index.dat,lazy_ntfs,
- 778,Index.dat UserData,Communications,Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData/index.dat,lazy_ntfs,
- 779,Index.dat Office XP,Communications,Documents and Settings\*\Application Data\Microsoft\Office\Recent/index.dat,lazy_ntfs,
- 780,Index.dat Office,Communications,Users\*\AppData\Roaming\Microsoft\Office\Recent/index.dat,lazy_ntfs,
- 781,Local Internet Explorer folder,Communications,Users\*\AppData\Local\Microsoft\Internet Explorer/**10,lazy_ntfs,
- 782,Roaming Internet Explorer folder,Communications,Users\*\AppData\Roaming\Microsoft\Internet Explorer/**10,lazy_ntfs,
- 783,IE 9/10 History,Communications,Users\*\AppData\Local\Microsoft\Windows\History/**10,lazy_ntfs,
- 784,IE 9/10 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\Cookies/**10,lazy_ntfs,
- 785,IE 9/10 Download History,Communications,Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory/**10,lazy_ntfs,
- 786,IE 11 Metadata,Communications,Users\*\AppData\Local\Microsoft\Windows\WebCache\,lazy_ntfs,
- 787,IE 11 Cookies,Communications,Users\*\AppData\Local\Microsoft\Windows\INetCookies/**10,lazy_ntfs,
- 788,Puffin - data.db,Communications,Users\*\AppData\Local\PuffinSecureBrowser/data.db,lazy_ntfs,Grabs an important database file that contains browser history
- 789,Puffin - Autocomplete Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser/autocompletes.dat,lazy_ntfs,Grabs a file that stores autocomplete data
- 790,Puffin - Password Forms Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser/passwordForms.dat,lazy_ntfs,Grabs a file that stores some saved password data
- 791,Puffin - Password (Encrypted),Communications,Users\*\AppData\Local\PuffinSecureBrowser/credential.dat,lazy_ntfs,Grabs a file that stores passwords in an encrypted format
- 792,Puffin - Subscription Data,Communications,Users\*\AppData\Local\PuffinSecureBrowser/subscription,lazy_ntfs,Grabs a file that stores the user's email address that's associated with their Puffin subscription
- 793,Puffin - Cookies,Communications,Users\*\AppData\Local\PuffinSecureBrowser/cookies.dat,lazy_ntfs,Grabs a file that stores information related to cookies
- 794,Puffin - Image Cache,Communications,Users\*\AppData\Local\PuffinSecureBrowser\image_cache/**10,lazy_ntfs,Grabs a directory that caches images from websites visited
- 795,Edge bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Bookmarks*,lazy_ntfs,
- 796,Edge Collections,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Collections/collectionsSQLite,lazy_ntfs,
- 797,Edge Cookies,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Cookies*,lazy_ntfs,
- 798,Edge Current Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Current Session,lazy_ntfs,
- 799,Edge Current Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Current Tabs,lazy_ntfs,
- 800,Edge Favicons,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Favicons*,lazy_ntfs,
- 801,Edge History,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/History*,lazy_ntfs,
- 802,Edge Last Session,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Last Session,lazy_ntfs,
- 803,Edge Last Tabs,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Last Tabs,lazy_ntfs,
- 804,Edge Login Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Login Data,lazy_ntfs,
- 805,Edge Network Action Predictor,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Network Action Predictor,lazy_ntfs,
- 806,Edge Preferences,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Preferences,lazy_ntfs,
- 807,Edge Shortcuts,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Shortcuts*,lazy_ntfs,
- 808,Edge Top Sites,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Top Sites*,lazy_ntfs,
- 809,Edge SyncData Database,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*\Sync Data/SyncData.sqlite3,lazy_ntfs,
- 810,Edge Bookmarks,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Bookmarks*,lazy_ntfs,
- 811,Edge Visited 
Links,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Visited Links,lazy_ntfs, - 812,Edge Web Data,Communications,Users\*\AppData\Local\Microsoft\Edge\User Data\*/Web Data*,lazy_ntfs, - 813,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*/**10,lazy_ntfs,Required for offline DPAPI decryption - 814,Opera - Local Folder,Communications,Users\*\AppData\Local\Opera Software\Opera Stable/**10,lazy_ntfs,Grabs entire contents of the Opera AppData + 1,AVG AV Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\log/**10,lazy_ntfs, + 2,AVG AV Report Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\AVG\Antivirus\report/**10,lazy_ntfs, + 3,AVG AV Logs,Antivirus,ProgramData\AVG\Antivirus\log/**10,lazy_ntfs, + 4,AVG Report Logs,Antivirus,ProgramData\AVG\Antivirus\report/**10,lazy_ntfs, + 5,Avast AV Logs (XP),Antivirus,Documents And Settings\All Users\Application Data\Avast Software\Avast\Log/**10,lazy_ntfs, + 6,Avast AV Logs,Antivirus,ProgramData\Avast Software\Avast\Log/**10,lazy_ntfs, + 7,Avast AV User Logs,Antivirus,Users\*\Avast Software\Avast\Log/**10,lazy_ntfs, + 8,Avast AV Index,Antivirus,ProgramData\Avast Software\Avast\Chest/index.xml,lazy_ntfs, + 9,Avira Activity Logs,AntiVirus,ProgramData\Avira\Antivirus\LOGFILES/**10,lazy_ntfs,Collects the scan logs of Avira AntiVirus + 10,Bitdefender Endpoint Security Logs,Antivirus,ProgramData\Bitdefender\Endpoint Security\Logs/**10,lazy_ntfs, + 11,Bitdefender Internet Security Logs,Antivirus,ProgramData\Bitdefender\Desktop\Profiles\Logs/**10,lazy_ntfs, + 12,ComboFix,Antivirus,ComboFix.txt,lazy_ntfs, + 13,Cybereason Anti-Ransomware Logs,AntiVirus,ProgramData\crs1\Logs/**10,lazy_ntfs, + 14,Cybereason Sensor Communications and Anti-Malware Logs,AntiVirus,ProgramData\apv2\Logs/**10,lazy_ntfs, + 15,Cybereason Application Control and NGAV Logs,AntiVirus,ProgramData\crb1\Logs/**10,lazy_ntfs, + 16,ESET NOD32 AV Logs (XP),Antivirus,Documents and 
Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs/**10,lazy_ntfs, + 17,ESET NOD32 AV Logs,Antivirus,ProgramData\ESET\ESET NOD32 Antivirus\Logs/**10,lazy_ntfs,Parser available at https://github.com/laciKE/EsetLogParser + 18,F-Secure Logs,Antivirus,ProgramData\F-Secure\Log/**10,lazy_ntfs, + 19,F-Secure User Logs,Antivirus,Users\*\AppData\Local\F-Secure\Log/**10,lazy_ntfs, + 20,F-Secure Scheduled Scan Reports,Antivirus,ProgramData\F-Secure\Antivirus\ScheduledScanReports/**10,lazy_ntfs, + 21,HitmanPro Logs,Antivirus,ProgramData\HitmanPro\Logs/**10,lazy_ntfs, + 22,HitmanPro Alert Logs,Antivirus,ProgramData\HitmanPro.Alert\Logs/**10,lazy_ntfs, + 23,HitmanPro Database,Antivirus,ProgramData\HitmanPro.Alert/excalibur.db,lazy_ntfs,SQl Lite DB + 24,MalwareBytes Anti-Malware Logs,Antivirus,ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs/mbam-log-*.xml,lazy_ntfs, + 25,MalwareBytes Anti-Malware Service Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\logs/mbamservice.log*,lazy_ntfs, + 26,MalwareBytes Anti-Malware Scan Logs,Antivirus,Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs/**10,lazy_ntfs, + 27,MalwareBytes Anti-Malware Scan Results Logs,Antivirus,ProgramData\Malwarebytes\MBAMService\ScanResults/**10,lazy_ntfs, + 28,McAfee Desktop Protection Logs XP,AntiVirus,Users\All Users\Application Data\McAfee\DesktopProtection/**10,lazy_ntfs, + 29,McAfee Desktop Protection Logs,AntiVirus,ProgramData\McAfee\DesktopProtection/**10,lazy_ntfs, + 30,McAfee Endpoint Security Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs/**10,lazy_ntfs, + 31,McAfee Endpoint Security Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs_Old/**10,lazy_ntfs, + 32,McAfee VirusScan Logs,AntiVirus,ProgramData\Mcafee\VirusScan/**10,lazy_ntfs, + 33,McAfee ePO Logs,AntiVirus,ProgramData\McAfee\Endpoint Security\Logs/**10,lazy_ntfs, + 34,RogueKiller Reports,Antivirus,ProgramData\RogueKiller\logs/AdliceReport_*.json,lazy_ntfs, + 35,SUPERAntiSpyware 
Logs,Antivirus,Users\*\AppData\Roaming\SUPERAntiSpyware\Logs/**10,lazy_ntfs, + 36,SentinelOne EDR Log,Antivirus,programdata\sentinel\logs/**10,lazy_ntfs,Logs are in Binary Format (.binlog) + 37,Sophos Logs (XP),Antivirus,Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs/**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection" + 38,Sophos Logs,Antivirus,ProgramData\Sophos\Sophos *\Logs/**10,lazy_ntfs,"Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection" + 39,Symantec Endpoint Protection Logs (XP),AntiVirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV/**10,lazy_ntfs, + 40,Symantec Endpoint Protection Logs,AntiVirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs/**10,lazy_ntfs, + 41,Symantec Endpoint Protection User Logs,AntiVirus,Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs/**10,lazy_ntfs, + 42,Symantec Event Log Win7+,EventLogs,Windows\System32\winevt\logs/Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log + 43,Symantec Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/Symantec Endpoint Protection Client.evtx,lazy_ntfs,Symantec specific Windows event log + 44,Symantec Endpoint Protection Quarantine (XP),AntiVirus,Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine/**10,lazy_ntfs, + 45,Symantec Endpoint Protection Quarantine,AntiVirus,ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine/**10,lazy_ntfs, + 46,TotalAV Logs,Antivirus,Program Files*\TotalAV\logs/**10,lazy_ntfs, + 47,TotalAV Logs,Antivirus,ProgramData\TotalAV\logs/**10,lazy_ntfs, + 48,Trend Micro 
Logs,Antivirus,ProgramData\Trend Micro/**10,lazy_ntfs, + 49,Trend Micro Security Agent Report Logs,Antivirus,Program Files*\Trend Micro\Security Agent\Report/*.log,lazy_ntfs, + 50,Trend Micro Security Agent Connection Logs,Antivirus,Program Files*\Trend Micro\Security Agent\ConnLog/*.log,lazy_ntfs, + 51,VIPRE Business Agent Logs,Antivirus,ProgramData\VIPRE Business Agent\Logs/**10,lazy_ntfs, + 52,VIPRE Business User Logs (v7+),Antivirus,Users\*\AppData\Roaming\VIPRE Business/**10,lazy_ntfs, + 53,VIPRE Business User Logs (v5-v6),Antivirus,Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs/**10,lazy_ntfs, + 54,VIPRE Business User Logs (up to v4),Antivirus,Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs/**10,lazy_ntfs, + 55,Webroot Program Data,Antivirus,ProgramData\WRData/WRLog.log,lazy_ntfs, + 56,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Microsoft AntiMalware\Support/**10,lazy_ntfs, + 57,Windows Defender Event Logs,EventLogs,Windows\System32\winevt\Logs/Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, + 58,Windows Defender Event Logs,EventLogs,Windows.old\Windows\System32\winevt\Logs/Microsoft-Windows-Windows Defender*.evtx,lazy_ntfs, + 59,Windows Defender Logs,Antivirus,ProgramData\Microsoft\Windows Defender\Support/**10,lazy_ntfs, + 60,Windows Defender Logs,Antivirus,Windows\Temp/MpCmdRun.log,lazy_ntfs, + 61,Windows Defender Logs,Antivirus,Windows.old\Windows\Temp/MpCmdRun.log,lazy_ntfs, + 62,Debian WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/debian_version,lazy_ntfs, + 63,Debian WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/fstab,lazy_ntfs, + 64,Debian WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/os-release,lazy_ntfs, + 65,Debian WSL /etc/passwd,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/passwd,lazy_ntfs, + 66,Debian WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/group,lazy_ntfs, + 67,Debian WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/shadow,lazy_ntfs, + 68,Debian WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/timezone,lazy_ntfs, + 69,Debian WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/hostname,lazy_ntfs, + 70,Debian WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/hosts,lazy_ntfs, + 71,Debian WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/crontab,lazy_ntfs, + 72,Debian WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/bash.bashrc,lazy_ntfs, + 73,Debian WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\etc/profile,lazy_ntfs, + 74,Debian WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs/**10/.bash_history,lazy_ntfs, + 75,Debian WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs/**10/.bashrc,lazy_ntfs, + 76,Debian WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs/**10/.profile,lazy_ntfs, + 77,Debian WSL User Crontabs,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\spool\cron\crontabs/**10,lazy_ntfs, + 78,Debian WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\TheDebianProject.DebianGNULinux_*\LocalState\rootfs\var\log\apt/**10/*.log,lazy_ntfs, + 79,Kali WSL /etc/debian_version,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/debian_version,lazy_ntfs, + 80,Kali WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/fstab,lazy_ntfs, + 81,Kali WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/os-release,lazy_ntfs, + 82,Kali WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/passwd,lazy_ntfs, + 83,Kali WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/group,lazy_ntfs, + 84,Kali WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/shadow,lazy_ntfs, + 85,Kali WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/timezone,lazy_ntfs, + 86,Kali WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/hostname,lazy_ntfs, + 87,Kali WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/hosts,lazy_ntfs, + 88,Kali WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/crontab,lazy_ntfs, + 89,Kali WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/bash.bashrc,lazy_ntfs, + 
90,Kali WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\etc/profile,lazy_ntfs, + 91,Kali WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs/**10/.bash_history,lazy_ntfs, + 92,Kali WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs/**10/.bashrc,lazy_ntfs, + 93,Kali WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs/**10/.profile,lazy_ntfs, + 94,Kali WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\spool\cron\crontabs/**10,lazy_ntfs, + 95,Kali WSL Apt Logs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\KaliLinux.54290C8133FEE_*\LocalState\rootfs\var\log\apt/**10/*.log,lazy_ntfs, + 96,SUSE Linux Enterprise Server WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/os-release,lazy_ntfs, + 97,SUSE Linux Enterprise Server WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/fstab,lazy_ntfs, + 98,SUSE Linux Enterprise Server WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/passwd,lazy_ntfs, + 99,SUSE Linux Enterprise Server WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/group,lazy_ntfs, + 100,SUSE Linux Enterprise Server WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/shadow,lazy_ntfs, + 101,SUSE Linux Enterprise Server WSL /etc/timezone,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/timezone,lazy_ntfs, + 102,SUSE Linux Enterprise Server WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/hostname,lazy_ntfs, + 103,SUSE Linux Enterprise Server WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/hosts,lazy_ntfs, + 104,SUSE Linux Enterprise Server WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/bash.bashrc,lazy_ntfs, + 105,SUSE Linux Enterprise Server WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs\etc/profile,lazy_ntfs, + 106,SUSE Linux Enterprise Server WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs/**10/.bash_history,lazy_ntfs, + 107,SUSE Linux Enterprise Server WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs/**10/.bashrc,lazy_ntfs, + 108,SUSE Linux Enterprise Server WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.SUSELinuxEnterpriseServer*\LocalState\rootfs/**10/.profile,lazy_ntfs, + 109,Ubuntu WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/os-release,lazy_ntfs, + 110,Ubuntu WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/fstab,lazy_ntfs, + 111,Ubuntu WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/passwd,lazy_ntfs, + 112,Ubuntu WSL /etc/group,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/group,lazy_ntfs, + 113,Ubuntu WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/shadow,lazy_ntfs, + 114,Ubuntu WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/timezone,lazy_ntfs, + 115,Ubuntu WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/hostname,lazy_ntfs, + 116,Ubuntu WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/hosts,lazy_ntfs, + 117,Ubuntu WSL /etc/crontab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/crontab,lazy_ntfs, + 118,Ubuntu WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/bash.bashrc,lazy_ntfs, + 119,Ubuntu WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\etc/profile,lazy_ntfs, + 120,Ubuntu WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs/**10/.bash_history,lazy_ntfs, + 121,Ubuntu WSL .bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs/**10/.bashrc,lazy_ntfs, + 122,Ubuntu WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs/**10/.profile,lazy_ntfs, + 123,Ubuntu WSL User Crontabs,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\spool\cron\crontabs/**10,lazy_ntfs, + 124,Ubuntu WSL Apt Logs,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu*\LocalState\rootfs\var\log\apt/**10/*.log,lazy_ntfs, + 125,openSUSE WSL /etc/os-release,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/os-release,lazy_ntfs, + 126,openSUSE WSL /etc/fstab,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/fstab,lazy_ntfs, + 127,openSUSE WSL /etc/passwd,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/passwd,lazy_ntfs, + 128,openSUSE WSL /etc/group,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/group,lazy_ntfs, + 129,openSUSE WSL /etc/shadow,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/shadow,lazy_ntfs, + 130,openSUSE WSL /etc/timezone,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/timezone,lazy_ntfs, + 131,openSUSE WSL /etc/hostname,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/hostname,lazy_ntfs, + 132,openSUSE WSL /etc/hosts,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/hosts,lazy_ntfs, + 133,openSUSE WSL /etc/bash.bashrc,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/bash.bashrc,lazy_ntfs, + 134,openSUSE WSL /etc/profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs\etc/profile,lazy_ntfs, + 135,openSUSE WSL .bash_history,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs/**10/.bash_history,lazy_ntfs, + 136,openSUSE WSL .bashrc,Windows Subsystem for 
Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs/**10/.bashrc,lazy_ntfs, + 137,openSUSE WSL .profile,Windows Subsystem for Linux,Users\*\AppData\Local\Packages\46932SUSE.openSUSE*Leap*\LocalState\rootfs/**10/.profile,lazy_ntfs, + 138,Apache Access Log,Webservers,**10/access.log,lazy_ntfs, + 139,IIS log files,Logs,Windows\System32\LogFiles\W3SVC*/*.log,lazy_ntfs, + 140,IIS log files,Logs,Windows.old\Windows\System32\LogFiles\W3SVC*/*.log,lazy_ntfs, + 141,IIS log files,Logs,inetpub\logs\LogFiles/*.log,lazy_ntfs, + 142,IIS log files,Logs,inetpub\logs\LogFiles\W3SVC*/*.log,lazy_ntfs, + 143,IIS log files,Logs,Resources\directory\* \LogFiles\Web\W3SVC*/*.log,lazy_ntfs, + 144,MS SQL Errorlog,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG/ERRORLOG,lazy_ntfs, + 145,MS SQL Errorlogs,SQL Exploitation,Program Files\Microsoft SQL Server\*\MSSQL\LOG/ERRORLOG.*,lazy_ntfs, + 146,ManageEngine Desktop Central Log Files,Logs,ManageEngine\DesktopCentral_Server\logs/**10,lazy_ntfs, + 147,NGINX Log Files,Logs,nginx\logs/*.log,lazy_ntfs, + 148,PowerShell Console Log,PowerShellConsleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline/ConsoleHost_history.txt,lazy_ntfs, + 149,Event logs XP,EventLogs,Windows\System32\config/*.evt,lazy_ntfs, + 150,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/*.evtx,lazy_ntfs, + 151,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/*.evtx,lazy_ntfs, + 152,Prefetch,Prefetch,Windows\prefetch/*.pf,lazy_ntfs, + 153,Prefetch,Prefetch,Windows.old\Windows\prefetch/*.pf,lazy_ntfs, + 154,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, + 155,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, + 156,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, + 
157,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, + 158,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, + 159,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, + 160,Syscache,Program Execution,System Volume Information/Syscache.hve,lazy_ntfs, + 161,Syscache transaction files,Program Execution,System Volume Information/Syscache.hve.LOG*,lazy_ntfs, + 162,PowerShell Console Log,PowerShellConsleLog,Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline/ConsoleHost_history.txt,lazy_ntfs, + 163,$MFT,FileSystem,$MFT,ntfs, + 164,$LogFile,FileSystem,$LogFile,ntfs, + 165,$J,FileSystem,$Extend/$UsnJrnl:$J,ntfs, + 166,$Max,FileSystem,$Extend/$UsnJrnl:$Max,ntfs, + 167,$SDS,FileSystem,$Secure:$SDS,ntfs, + 168,$Boot,FileSystem,$Boot,ntfs, + 169,$T,FileSystem,$Extend\$RmMetadata\$TxfLog/$Tops:$T,ntfs, + 170,LNK files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent/**10,lazy_ntfs,Also includes automatic and custom jumplist directories + 171,LNK files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent/**10,lazy_ntfs, + 172,LNK files from Recent (XP),LNKFiles,Documents and Settings\*\Recent/**10,lazy_ntfs, + 173,Desktop LNK files XP,LNKFiles,Documents and Settings\*\Desktop/*.LNK,lazy_ntfs, + 174,Desktop LNK files,LNKFiles,Users\*\Desktop/*.LNK,lazy_ntfs, + 175,Restore point LNK files XP,LNKFiles,System Volume Information\_restore*\RP*/*.LNK,lazy_ntfs, + 176,$Recycle.Bin,Deleted Files,$Recycle.Bin/**10,ntfs, + 177,RECYCLER WinXP,Deleted Files,RECYCLER/**10,lazy_ntfs, + 178,SAM registry transaction files,Registry,Windows\System32\config/SAM.LOG*,lazy_ntfs, + 179,SAM registry transaction files,Registry,Windows.old\Windows\System32\config/SAM.LOG*,lazy_ntfs, + 180,SECURITY registry transaction 
files,Registry,Windows\System32\config/SECURITY.LOG*,lazy_ntfs, + 181,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config/SECURITY.LOG*,lazy_ntfs, + 182,SOFTWARE registry transaction files,Registry,Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, + 183,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, + 184,SYSTEM registry transaction files,Registry,Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, + 185,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, + 186,SAM registry hive,Registry,Windows\System32\config/SAM,lazy_ntfs, + 187,SAM registry hive,Registry,Windows.old\Windows\System32\config/SAM,lazy_ntfs, + 188,SECURITY registry hive,Registry,Windows\System32\config/SECURITY,lazy_ntfs, + 189,SECURITY registry hive,Registry,Windows.old\Windows\System32\config/SECURITY,lazy_ntfs, + 190,SOFTWARE registry hive,Registry,Windows\System32\config/SOFTWARE,lazy_ntfs, + 191,SOFTWARE registry hive,Registry,Windows.old\Windows\System32\config/SOFTWARE,lazy_ntfs, + 192,SYSTEM registry hive,Registry,Windows\System32\config/SYSTEM,lazy_ntfs, + 193,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config/SYSTEM,lazy_ntfs, + 194,RegBack registry transaction files,Registry,Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, + 195,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, + 196,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SAM,lazy_ntfs, + 197,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SAM,lazy_ntfs, + 198,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack/SECURITY,lazy_ntfs, + 199,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SECURITY,lazy_ntfs, + 200,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs, + 201,SOFTWARE 
registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs, + 202,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM,lazy_ntfs, + 203,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM,lazy_ntfs, + 204,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs, + 205,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs, + 206,System Profile registry hive,Registry,Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs, + 207,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs, + 208,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs, + 209,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs, + 210,Local Service registry hive,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs, + 211,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs, + 212,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs, + 213,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs, + 214,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs, + 215,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs, + 216,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs, + 217,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs, + 218,System Restore Points Registry Hives (XP),Registry,System 
Volume Information\_restore*\RP*\snapshot/_REGISTRY_*,lazy_ntfs, + 219,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*/NTUSER.DAT,lazy_ntfs, + 220,NTUSER.DAT registry hive,Registry,Users\*/NTUSER.DAT,lazy_ntfs, + 221,NTUSER.DAT registry transaction files,Registry,Users\*/NTUSER.DAT.LOG*,lazy_ntfs, + 222,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config/DEFAULT,lazy_ntfs, + 223,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config/DEFAULT,lazy_ntfs, + 224,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, + 225,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, + 226,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat,lazy_ntfs, + 227,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat.LOG*,lazy_ntfs, + 228,at .job,Persistence,Windows\Tasks/*.job,lazy_ntfs, + 229,at .job,Persistence,Windows.old\Windows\Tasks/*.job,lazy_ntfs, + 230,at SchedLgU.txt,Persistence,Windows/SchedLgU.txt,lazy_ntfs, + 231,at SchedLgU.txt,Persistence,Windows.old\Windows/SchedLgU.txt,lazy_ntfs, + 232,XML,Persistence,Windows\System32\Tasks/**10,lazy_ntfs, + 233,XML,Persistence,Windows.old\Windows\System32\Tasks/**10,lazy_ntfs, + 234,SRUM,Execution,Windows\System32\SRU/**10,lazy_ntfs, + 235,SRUM,Execution,Windows.old\Windows\System32\SRU/**10,lazy_ntfs, + 236,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer/thumbcache_*.db,lazy_ntfs, + 237,Setupapi.log XP,USBDevices,Windows/setupapi.log,lazy_ntfs, + 238,Setupapi.log Win7+,USBDevices,Windows\inf/setupapi.dev.log,lazy_ntfs, + 239,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf/setupapi.dev.log,lazy_ntfs, + 240,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows/Windows.edb,lazy_ntfs, + 
241,WBEM,WBEM,Windows\System32\wbem\Repository/**10,lazy_ntfs, + 242,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository/**10,lazy_ntfs, + 243,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.pst,lazy_ntfs, + 244,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.ost,lazy_ntfs, + 245,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.pst,lazy_ntfs, + 246,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.ost,lazy_ntfs, + 247,main.db (App \Lokala Inställningar\Application Data\Gigatribe + 444,Gigatribe Files Windows XP,FileDownload,Documents and Settings\*\*\Application Data\Shalsoft/**10,lazy_ntfs,Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and Settings\\Lokala Inställningar\Application Data\Shalsoft + 445,Usenet Clients - NZBGet Log File,FileDownload,ProgramData\NZBGet/nzbget.log,lazy_ntfs,Locates NZBGet download log file + 446,Usenet Clients - NZBGet NZBs,FileDownload,ProgramData\NZBGet\nzb\*,lazy_ntfs,Locates NZBGet NZB files that were used by the user + 447,Usenet Clients - Newsbin Pro,FileDownload,Users\*\AppData\Local\Newsbin/Downloaded.db3,lazy_ntfs,Locates Newsbin Pro download log database + 448,Usenet Clients - Newsleecher,FileDownload,Users\*\AppData\Roaming\NewsLeecher/downloaded.dat,lazy_ntfs,Locates Newsleecher download .dat file + 449,Usenet Clients - SABnzbd Download Logs,FileDownload,Users\*\AppData\Local\sabnzbd\logs/sabnzbd.log,lazy_ntfs,Locates SABnzbd download log + 450,Usenet Clients - SABnzbd History.db,FileDownload,Users\*\AppData\Local\sabnzbd\admin/history1.db,lazy_ntfs,Locates SABnzbd history log + 451,Shareaza Logs,FileDownload,Users\*\AppData\Roaming\Shareaza/**10,lazy_ntfs,Locates Shareaza logs and copies them. 
+ 452,Soulseek Chat Logs,FileDownload,Users\*\AppData\Local\SoulseekQt\Soulseek Chat Logs/**10,lazy_ntfs,Locates Soulseek chat logs and copies them. Chat logs are in plaintext. Current as of version 2019.7.22. + 453,Soulseek Search History/Shared Folders/Settings,FileDownload,Users\*\AppData\Local\SoulseekQt\1/*.dat,lazy_ntfs,"Locates .dat file(s) containing: search history, active searches (search_record), current shared folders (shared_file_folder), and wish list items (wish_list_item)." + 454,Torrents,FileDownload,**10/*.torrent,lazy_ntfs, + 455,Usenet (NZB) Files,FileDownload,**10/*.nzb,lazy_ntfs, + 456,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Roaming\qBittorrent/*.ini,lazy_ntfs, + 457,TorrentClients - qBittorrent,FileDownload,Users\*\AppData\Local\qBittorrent\logs\*,lazy_ntfs, + 458,TorrentClients - uTorrent,FileDownload,Users\*\AppData\Roaming\uTorrent/*.dat,lazy_ntfs, + 459,$Boot,FileSystem,$Boot,ntfs, + 460,$J,FileSystem,$Extend/$UsnJrnl:$J,ntfs, + 461,$Max,FileSystem,$Extend/$UsnJrnl:$Max,ntfs, + 462,$LogFile,FileSystem,$LogFile,ntfs, + 463,$MFT,FileSystem,$MFT,ntfs, + 464,$MFTMirr,FileSystem,$MFTMirr,ntfs,$MFTMirr is a redundant copy of the first four (4) records of the MFT. 
+ 465,$SDS,FileSystem,$Secure:$SDS,ntfs, + 466,$T,FileSystem,$Extend\$RmMetadata\$TxfLog/$Tops:$T,ntfs, + 467,Amcache,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, + 468,Amcache,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve,lazy_ntfs, + 469,Amcache transaction files,ApplicationCompatibility,Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, + 470,Amcache transaction files,ApplicationCompatibility,Windows.old\Windows\AppCompat\Programs/Amcache.hve.LOG*,lazy_ntfs, + 471,Application Event Log XP,EventLogs,Windows\System32\config/AppEvent.evt,lazy_ntfs, + 472,Application Event Log XP,EventLogs,Windows.old\Windows\System32\config/AppEvent.evt,lazy_ntfs, + 473,Application Event Log Win7+,EventLogs,Windows\System32\winevt\logs/application.evtx,lazy_ntfs, + 474,Application Event Log Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/application.evtx,lazy_ntfs, + 475,BCD,Registry,Boot/BCD,lazy_ntfs, + 476,BCD Logs,Registry,Boot/BCD.LOG*,lazy_ntfs, + 477,BITS files,Persistence,ProgramData\Microsoft\Network\Downloader/**10,lazy_ntfs, + 478,EncapsulationLogging,Executables,Windows\Appcompat\Programs/EncapsulationLogging.hve,lazy_ntfs, + 479,EncapsulationLogging,Executables,Windows.old\Windows\Appcompat\Programs/EncapsulationLogging.hve,lazy_ntfs, + 480,EncapsulationLogging Logs,Executables,Windows\Appcompat\Programs/EncapsulationLogging.hve.log*,lazy_ntfs, + 481,EncapsulationLogging Logs,Executables,Windows.old\Windows\Appcompat\Programs/EncapsulationLogging.hve.log*,lazy_ntfs, + 482,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/System.evtx,lazy_ntfs, + 483,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/System.evtx,lazy_ntfs, + 484,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/Security.evtx,lazy_ntfs, + 485,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/Security.evtx,lazy_ntfs, + 486,Event logs 
Win7+,EventLogs,Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx,lazy_ntfs, + 487,Event logs Win7+,EventLogs,Windows\System32\winevt\Logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx,lazy_ntfs, + 488,Event logs XP,EventLogs,Windows\System32\config/*.evt,lazy_ntfs, + 489,Event logs Win7+,EventLogs,Windows\System32\winevt\logs/*.evtx,lazy_ntfs, + 490,Event logs Win7+,EventLogs,Windows.old\Windows\System32\winevt\logs/*.evtx,lazy_ntfs, + 491,WDI Trace Logs 1,Event Trace Logs,Windows\System32\WDI\LogFiles/*.etl*,lazy_ntfs, + 492,WDI Trace Logs 1,Event Trace Logs,Windows.old\Windows\System32\WDI\LogFiles/*.etl*,lazy_ntfs, + 493,WDI Trace Logs 2,Event Trace Logs,Windows\System32\WDI\{*/**10,lazy_ntfs, + 494,WDI Trace Logs 2,Event Trace Logs,Windows.old\Windows\System32\WDI\{*/**10,lazy_ntfs, + 495,WMI Trace Logs,Event Trace Logs,Windows\System32\LogFiles\WMI/**10,lazy_ntfs, + 496,WMI Trace Logs,Event Trace Logs,Windows.old\Windows\System32\LogFiles\WMI/**10,lazy_ntfs, + 497,SleepStudy Trace Logs,Event Trace Logs,Windows\System32\SleepStudy/**10,lazy_ntfs, + 498,SleepStudy Trace Logs,Event Trace Logs,Windows.old\Windows\System32\SleepStudy/**10,lazy_ntfs, + 499,Energy-NTKL Trace Logs,Event Trace Logs,ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics/energy-ntkl.etl,lazy_ntfs, + 500,Local Group Policy INI Files,Communication,Windows\System32\grouppolicy/*.ini,lazy_ntfs, + 501,Local Group Policy INI Files,Communication,Windows.old\Windows\System32\grouppolicy/*.ini,lazy_ntfs, + 502,Local Group Policy Files - Registry Policy Files,Communication,Windows\System32\grouppolicy/*.pol,lazy_ntfs, + 503,Local Group Policy Files - Registry Policy Files,Communication,Windows.old\Windows\System32\grouppolicy/*.pol,lazy_ntfs, + 504,Local Group Policy Files - Startup/Shutdown 
Scripts,Communication,Windows\System32\grouppolicy\*\Scripts/**10,lazy_ntfs, + 505,Local Group Policy Files - Startup/Shutdown Scripts,Communication,Windows.old\Windows\System32\grouppolicy\*\Scripts/**10,lazy_ntfs, + 506,LNK Files from Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Windows\Recent/**10,lazy_ntfs,Also includes automatic and custom jumplist directories + 507,LNK Files from Microsoft Office Recent,LNKFiles,Users\*\AppData\Roaming\Microsoft\Office\Recent/**10,lazy_ntfs, + 508,LNK Files from Recent (XP),LNKFiles,Documents and Settings\*\Recent/**10,lazy_ntfs, + 509,Desktop LNK Files XP,LNKFiles,Documents and Settings\*\Desktop/*.LNK,lazy_ntfs, + 510,Desktop LNK Files,LNKFiles,Users\*\Desktop/*.LNK,lazy_ntfs, + 511,Restore point LNK Files XP,LNKFiles,System Volume Information\_restore*\RP*/*.LNK,lazy_ntfs, + 512,LNK Files from C:\ProgramData,LNKFiles,ProgramData\Microsoft\Windows\Start Menu\Programs/*.LNK,lazy_ntfs, + 513,.bash_history,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bash_history,lazy_ntfs, + 514,.bash_logout,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bash_logout,lazy_ntfs, + 515,.bashrc,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.bashrc,lazy_ntfs, + 516,.profile,Windows Linux Profile,Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*/.profile,lazy_ntfs, + 517,LogFiles,Logs,Windows\System32\LogFiles/**10,lazy_ntfs, + 518,LogFiles,Logs,Windows.old\Windows\System32\LogFiles/**10,lazy_ntfs, + 519,MOF files,WMI,**10/*.MOF,lazy_ntfs, + 520,hiberfil.sys,Memory,hiberfil.sys,lazy_ntfs, + 521,pagefile.sys,Memory,pagefile.sys,lazy_ntfs, + 522,swapfile.sys,Memory,swapfile.sys,lazy_ntfs, + 523,Small Memory Dump directory,Memory,Windows\Minidump/*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump + 524,Small Memory Dump 
directory,Memory,Windows.old\Windows\Minidump/*.dmp,lazy_ntfs,https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/small-memory-dump + 525,Word Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Word/**10,lazy_ntfs, + 526,Excel Autosave Location,ApplicationCompatibility,Users\*\AppData\Roaming\Microsoft\Excel/**10,lazy_ntfs, + 527,Powerpoint Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Powerpoint/**10,lazy_ntfs, + 528,Publisher Autosave Location,FileKnowledge,Users\*\AppData\Roaming\Microsoft\Publisher/**10,lazy_ntfs, + 529,Office Document Cache,FileKnowledge,Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache/**10,lazy_ntfs, + 530,Prefetch,Prefetch,Windows\prefetch/*.pf,lazy_ntfs, + 531,Prefetch,Prefetch,Windows.old\Windows\prefetch/*.pf,lazy_ntfs, + 532,RDP Cache Files,FileSystem,Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs, + 533,RDP Cache Files,FileSystem,Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*,lazy_ntfs, + 534,RemoteConnectionManager Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, + 535,RemoteConnectionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RemoteConnectionManager*,lazy_ntfs, + 536,LocalSessionManager Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, + 537,LocalSessionManager Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-LocalSessionManager*,lazy_ntfs, + 538,RDPClient Event Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, + 539,RDPClient Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-TerminalServices-RDPClient*,lazy_ntfs, + 540,RDPCoreTS Event 
Logs,EventLogs,Windows\System32\winevt\logs/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP + 541,RDPCoreTS Event Logs,EventLogs,Windows.old\Windows\System32\winevt\logs/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*,lazy_ntfs,Can be used to correlate RDP logon failures by originating IP + 542,RecentFileCache,ApplicationCompatability,Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, + 543,RecentFileCache,ApplicationCompatability,Windows.old\Windows\AppCompat\Programs/RecentFileCache.bcf,lazy_ntfs, + 544,$Recycle.Bin,Deleted Files,$Recycle.Bin/**10,ntfs, + 545,RECYCLER WinXP,Deleted Files,RECYCLER/**10,lazy_ntfs, + 546,SAM registry transaction files,Registry,Windows\System32\config/SAM.LOG*,lazy_ntfs, + 547,SAM registry transaction files,Registry,Windows.old\Windows\System32\config/SAM.LOG*,lazy_ntfs, + 548,SECURITY registry transaction files,Registry,Windows\System32\config/SECURITY.LOG*,lazy_ntfs, + 549,SECURITY registry transaction files,Registry,Windows.old\Windows\System32\config/SECURITY.LOG*,lazy_ntfs, + 550,SOFTWARE registry transaction files,Registry,Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, + 551,SOFTWARE registry transaction files,Registry,Windows.old\Windows\System32\config/SOFTWARE.LOG*,lazy_ntfs, + 552,SYSTEM registry transaction files,Registry,Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, + 553,SYSTEM registry transaction files,Registry,Windows.old\Windows\System32\config/SYSTEM.LOG*,lazy_ntfs, + 554,SAM registry hive,Registry,Windows\System32\config/SAM,lazy_ntfs, + 555,SAM registry hive,Registry,Windows.old\Windows\System32\config/SAM,lazy_ntfs, + 556,SECURITY registry hive,Registry,Windows\System32\config/SECURITY,lazy_ntfs, + 557,SECURITY registry hive,Registry,Windows.old\Windows\System32\config/SECURITY,lazy_ntfs, + 558,SOFTWARE registry hive,Registry,Windows\System32\config/SOFTWARE,lazy_ntfs, + 559,SOFTWARE registry 
hive,Registry,Windows.old\Windows\System32\config/SOFTWARE,lazy_ntfs, + 560,SYSTEM registry hive,Registry,Windows\System32\config/SYSTEM,lazy_ntfs, + 561,SYSTEM registry hive,Registry,Windows.old\Windows\System32\config/SYSTEM,lazy_ntfs, + 562,RegBack registry transaction files,Registry,Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, + 563,RegBack registry transaction files,Registry,Windows.old\Windows\System32\config\RegBack/*.LOG*,lazy_ntfs, + 564,SAM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SAM,lazy_ntfs, + 565,SAM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SAM,lazy_ntfs, + 566,SECURITY registry hive (RegBack),Registry,Windows\System32\config\RegBack/SECURITY,lazy_ntfs, + 567,SECURITY registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SECURITY,lazy_ntfs, + 568,SOFTWARE registry hive (RegBack),Registry,Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs, + 569,SOFTWARE registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SOFTWARE,lazy_ntfs, + 570,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM,lazy_ntfs, + 571,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM,lazy_ntfs, + 572,SYSTEM registry hive (RegBack),Registry,Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs, + 573,SYSTEM registry hive (RegBack),Registry,Windows.old\Windows\System32\config\RegBack/SYSTEM1,lazy_ntfs, + 574,System Profile registry hive,Registry,Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs, + 575,System Profile registry hive,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT,lazy_ntfs, + 576,System Profile registry transaction files,Registry,Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs, + 577,System Profile registry transaction files,Registry,Windows.old\Windows\System32\config\systemprofile/NTUSER.DAT.LOG*,lazy_ntfs, + 578,Local Service registry 
hive,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs, + 579,Local Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT,lazy_ntfs, + 580,Local Service registry transaction files,Registry,Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs, + 581,Local Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\LocalService/NTUSER.DAT.LOG*,lazy_ntfs, + 582,Network Service registry hive,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs, + 583,Network Service registry hive,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT,lazy_ntfs, + 584,Network Service registry transaction files,Registry,Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs, + 585,Network Service registry transaction files,Registry,Windows.old\Windows\ServiceProfiles\NetworkService/NTUSER.DAT.LOG*,lazy_ntfs, + 586,System Restore Points Registry Hives (XP),Registry,System Volume Information\_restore*\RP*\snapshot/_REGISTRY_*,lazy_ntfs, + 587,NTUSER.DAT registry hive XP,Registry,Documents and Settings\*/NTUSER.DAT,lazy_ntfs, + 588,NTUSER.DAT registry hive,Registry,Users\*/NTUSER.DAT,lazy_ntfs, + 589,NTUSER.DAT registry transaction files,Registry,Users\*/NTUSER.DAT.LOG*,lazy_ntfs, + 590,NTUSER.DAT DEFAULT registry hive,Registry,Windows\System32\config/DEFAULT,lazy_ntfs, + 591,NTUSER.DAT DEFAULT registry hive,Registry,Windows.old\Windows\System32\config/DEFAULT,lazy_ntfs, + 592,NTUSER.DAT DEFAULT transaction files,Registry,Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, + 593,NTUSER.DAT DEFAULT transaction files,Registry,Windows.old\Windows\System32\config/DEFAULT.LOG*,lazy_ntfs, + 594,UsrClass.dat registry hive,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat,lazy_ntfs, + 595,UsrClass.dat registry transaction files,Registry,Users\*\AppData\Local\Microsoft\Windows/UsrClass.dat.LOG*,lazy_ntfs, + 596,SDB 
Files,Executables,Windows\apppatch\Custom/*.sdb,lazy_ntfs, + 597,SDB Files,Executables,Windows.old\Windows\apppatch\Custom/*.sdb,lazy_ntfs, + 598,SDB Files x64,Executables,Windows\apppatch\Custom\Custom64/*.sdb,lazy_ntfs, + 599,SDB Files x64,Executables,Windows.old\Windows\apppatch\Custom\Custom64/*.sdb,lazy_ntfs, + 600,SRUM,Execution,Windows\System32\SRU/**10,lazy_ntfs, + 601,SRUM,Execution,Windows.old\Windows\System32\SRU/**10,lazy_ntfs, + 602,at .job,Persistence,Windows\Tasks/*.job,lazy_ntfs, + 603,at .job,Persistence,Windows.old\Windows\Tasks/*.job,lazy_ntfs, + 604,at SchedLgU.txt,Persistence,Windows/SchedLgU.txt,lazy_ntfs, + 605,at SchedLgU.txt,Persistence,Windows.old\Windows/SchedLgU.txt,lazy_ntfs, + 606,XML,Persistence,Windows\System32\Tasks/**10,lazy_ntfs, + 607,XML,Persistence,Windows.old\Windows\System32\Tasks/**10,lazy_ntfs, + 608,SignatureCatalog,FileMetadata,Windows\System32\CatRoot/**10,lazy_ntfs, + 609,SignatureCatalog,FileMetadata,Windows.old\Windows\System32\CatRoot/**10,lazy_ntfs, + 610,StartupInfo XML Files,Persistence,Windows\System32\WDI\LogFiles\StartupInfo/*.xml,lazy_ntfs, + 611,StartupInfo XML Files,Persistence,Windows.old\Windows\System32\WDI\LogFiles\StartupInfo/*.xml,lazy_ntfs, + 612,Syscache,Program Execution,System Volume Information/Syscache.hve,lazy_ntfs, + 613,Syscache transaction files,Program Execution,System Volume Information/Syscache.hve.LOG*,lazy_ntfs, + 614,Thumbcache DB,FileKnowledge,Users\*\AppData\Local\Microsoft\Windows\Explorer/thumbcache_*.db,lazy_ntfs, + 615,Setupapi.log XP,USBDevices,Windows/setupapi.log,lazy_ntfs, + 616,Setupapi.log Win7+,USBDevices,Windows\inf/setupapi.dev.log,lazy_ntfs, + 617,Setupapi.log Win7+,USBDevices,Windows.old\Windows\inf/setupapi.dev.log,lazy_ntfs, + 618,VHD,Disk Images,**10/*.VHD,lazy_ntfs, + 619,VHDX,Disk Images,**10/*.VHDX,lazy_ntfs, + 620,VDI,Disk Images,**10/*.VDI,lazy_ntfs, + 621,VMDK,Disk Images,**10/*.VMDK,lazy_ntfs, + 622,WBEM,WBEM,Windows\System32\wbem\Repository/**10,lazy_ntfs, + 
623,WBEM,WBEM,Windows.old\Windows\System32\wbem\Repository/**10,lazy_ntfs, + 624,WER Files,Executables,ProgramData\Microsoft\Windows\WER/**10,lazy_ntfs, + 625,Crash Dumps,SQL Exploitation,Users\*\AppData\Local\CrashDumps/*.dmp,lazy_ntfs, + 626,Crash Dumps,SQL Exploitation,Windows/*.dmp,lazy_ntfs, + 627,Crash Dumps,SQL Exploitation,Windows.old\Windows/*.dmp,lazy_ntfs, + 628,Windows Firewall Logs,WindowsFirewallLogs,Windows\System32\LogFiles\Firewall/pfirewall.*,lazy_ntfs, + 629,Windows Firewall Logs,WindowsFirewallLogs,Windows.old\Windows\System32\LogFiles\Firewall/pfirewall.*,lazy_ntfs, + 630,WindowsIndexSearch,FileKnowledge,programdata\microsoft\search\data\applications\windows/Windows.edb,lazy_ntfs, + 631,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications/wpndatabase.db,lazy_ntfs, + 632,Windows 10 Notification DB,Notifications,Users\*\AppData\Local\Microsoft\Windows\Notifications/appdb.dat,lazy_ntfs, + 633,"Windows Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier",Apps,Users\*\AppData\Roaming\Microsoft\StickyNotes/StickyNotes.snt,lazy_ntfs, + 634,Windows Sticky Notes - 1607 and later,Apps,Users\*\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState/plum.sqlite*,lazy_ntfs, + 635,ActivitiesCache.db,FileFolderAccess,Users\*\AppData\Local\ConnectedDevicesPlatform\*/ActivitiesCache.db*,lazy_ntfs, + 636,Windows Your Phone - All Databases,Apps,Users\*\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed/**10,lazy_ntfs,Locates all Your Phone database files + 637,System Volume Information,Folder capture,System Volume Information/**10,lazy_ntfs, + 638,1Password Database,Apps,Users\*\AppData\Local\1password\data/1Password10.sqlite,lazy_ntfs,"Database which holds information about 1Password installation, such as accounts, categories, settings and more" + 639,1Password Backup Databases,Apps,Users\*\AppData\Local\1password\backups/1Password10.sqlite,lazy_ntfs,Backups of 1Password 
Database + 640,1Password Logs,Apps,Users\*\AppData\Local\1password\logs/*.log,lazy_ntfs,Log of usage of 1Password - can be useful for identifying periods of user activity + 641,AceText - Clipboard History,Apps,Users\*\Documents/*.atc,lazy_ntfs,Locates the Clipboard history for AceText + 642,Acronis True Image - Logs,Apps,ProgramData\Acronis\TrueImageHome\Logs\ti_demon\*,lazy_ntfs,Copies out all log files + 643,Acronis True Image - Database Files,Apps,ProgramData\Acronis\TrueImageHome\Database/archives.db*,lazy_ntfs,Copies out the Database folder which appears to have important information + 644,Acronis True Image - Scripts Folder,Apps,ProgramData\Acronis\TrueImageHome\Scripts\*,lazy_ntfs,Copies out all scripts files + 645,Ammyy Program Data,ApplicationLogs,ProgramData\Ammyy/**10,lazy_ntfs,"May not contain traditional log files, but presence of this folder may indicate historical usage" + 646,AnyDesk Logs,Communications,Users\*\AppData\Roaming\AnyDesk/ad.trace,lazy_ntfs,Collects the ad.trace logfile for AnyDesk + 647,AnyDesk Videos,Communications,Users\*\Videos\AnyDesk/*.anydesk,lazy_ntfs,Collects any session recordings made by the user while using AnyDesk + 648,Aspera Client Logs,FileDownload,Users\*\AppData\Local\Aspera\Aspera Connect\var\log/**10/*.log,lazy_ntfs, + 649,Aspera Server Logs,FileDownload,Users\*\.aspera\connect\var\log/**10/*.log,lazy_ntfs, + 650,Box User Files,Apps,Users\*\Box/**10,lazy_ntfs,Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. 
Ensure your scope of authority permits cloud collections before use + 651,Box Sync User Files,Apps,Users\*\Box Sync/**10,lazy_ntfs, + 652,Box Drive Application Metadata,Apps,Users\*\AppData\Local\Box\Box\*/**10,lazy_ntfs, + 653,Box Sync Application Metadata,Apps,Users\*\AppData\Local\Box Sync\*/**10,lazy_ntfs, + 654,Cisco Jabber Database,Communications,Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History/*.db,lazy_ntfs,The Cisco Jabber process needs to be killed before database can be copied. + 655,ClipboardMaster - Clipboard History - Text,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster/Clipboard.clm4,lazy_ntfs,Locates the user’s clipboard history (text) for ClipboardMaster + 656,ClipboardMaster - Clipboard History - Images,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics/**10,lazy_ntfs,Locates the user’s clipboard history (images) for ClipboardMaster + 657,ClipboardMaster - Clipboard History - Backups,Apps,Users\*\AppData\Roaming\Jumping Bytes\ClipboardMaster/Clipboard.clm4.ba*,lazy_ntfs,Locates the user’s clipboard history (backups) for ClipboardMaster + 658,Confluence Wiki Log Files,Logs,Atlassian\Application Data\Confluence\logs/*.log*,lazy_ntfs, + 659,Confluence Wiki Log Files,Logs,Program Files\Atlassian\Confluence\logs/*.log,lazy_ntfs, + 660,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU/rename_folders.osd,lazy_ntfs,Locates .osd file which contains names of folders that have been renamed manually by the user. + 661,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU/rename_files.osd,lazy_ntfs,Locates .osd file which contains names of files that have been renamed manually by the user. + 662,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU/find_contains.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query. 
+ 663,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU/find_name.osd,lazy_ntfs,Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query. + 664,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data\MRU/find_path.osd,lazy_ntfs,Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time. + 665,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data/recent.osd,lazy_ntfs,Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister. + 666,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\State Data/backupconfig.osd,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. + 667,Directory Opus,Apps,Users\*\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\*,lazy_ntfs,Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus. + 668,Discord Cache Files,Communications,Users\*\AppData\Roaming\discord\cache/**10,lazy_ntfs,Gets cached data from Discord app + 669,Discord Local Storage LevelDB Files,Communications,Users\*\AppData\Roaming\discord\local storage\leveldb/**10,lazy_ntfs,Gets LevelDB database from Discord app + 670,Double Commander - history.xml,Apps,Users\*\AppData\Roaming\doublecmd/history.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top. + 671,Double Commander - doublecmd.xml,Apps,Users\*\AppData\Roaming\doublecmd/doublecmd.xml,lazy_ntfs,Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom. 
+ 672,Dropbox User Files,Apps,Users\*\Dropbox*/**10,lazy_ntfs, + 673,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox/info.json,lazy_ntfs,Getting individual files because folder may contain very large extraneous files + 674,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\*/filecache.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files + 675,Dropbox Metadata,Apps,Users\*\AppData\Local\Dropbox\*/config.dbx,lazy_ntfs,Getting individual files because folder may contain very large extraneous files + 676,Windows Protect Folder,FileSystem,Users\*\AppData\Roaming\Microsoft\Protect\*/**10,lazy_ntfs,Required for offline decryption of Dropbox databases + 677,Evernote Accounts,App,Users\*\AppData\Local\Evernote\Evernote\Databases/**10/.accounts,lazy_ntfs,Holds username and email of accounts + 678,Evernote Notebooks,App,Users\*\AppData\Local\Evernote\Evernote\Databases/**10/*.exb,lazy_ntfs,SQLite Database of the notes + 679,Evernote Notebook Snippets,App,Users\*\AppData\Local\Evernote\Evernote\Databases/**10/*.exb.snippets,lazy_ntfs,Note 'Snippets' + 680,Everything (VoidTools),FileSystem,Users\*\AppData\Local\Everything/Everything.db,lazy_ntfs,Copies out Everything.db + 681,Everything (VoidTools) - Run History,FileSystem,Users\*\AppData\Roaming\Everything/Run History.csv,lazy_ntfs,Copies out a CSV containing the history of items ran from Everything's search results window + 682,Everything (VoidTools) - Search History,FileSystem,Users\*\AppData\Roaming\Everything/Search History.csv,lazy_ntfs,Copies out a CSV containing the history of items searched for within Everything with timestamps + 683,Exchange client access log files,Logs,Program Files\Microsoft\Exchange Server\*\Logging/**10/*.log,lazy_ntfs,Highly dependent on Exchange configuration + 684,Exchange TransportRoles log files,Logs,Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs/**10/*.log,lazy_ntfs,Highly dependent on Exchange configuration + 685,Fences - Desktop 
Screenshots,Apps,Users\*\AppData\Roaming\Stardock\Fences\Backups,lazy_ntfs,Locates all screenshots taken automatically by the Fences application + 686,FileZilla XML Log Files,Logs,Users\*\AppData\Roaming\FileZilla/*.xml*,lazy_ntfs, + 687,FileZilla SQLite3 Log Files,Logs,Users\*\AppData\Roaming\FileZilla/*.sqlite3*,lazy_ntfs, + 688,Free Commander - FreeCommander.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings/FreeCommander.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts. + 689,Free Commander - FreeCommander.ftp.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings/FreeCommander.ftp.ini,lazy_ntfs,Locates an .ini file that contains the file path to the FTP log for Free Commander. + 690,Free Commander - FreeCommander.hist.ini,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings/FreeCommander.hist.ini,lazy_ntfs,Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers. + 691,Free Commander - FreeCommander.fav.xml,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings/FreeCommander.fav.xml,lazy_ntfs,Locates an .xml file that contains favorited files/folder by the user. + 692,Free Commander - Backup Settings,Apps,Users\*\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*/**10,lazy_ntfs,"Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS." + 693,FDM Database,App,Users\*\AppData\Local\Free Download Manager/**10/fdm.sqlite,lazy_ntfs,"fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. 
Will also pull fdm.sqlite in db_backup/"
+ 694,FDM Backup Info,App,Users\*\AppData\Local\Free Download Manager\backup/backup.info,lazy_ntfs,"Backup info file - can change backup name from userdata.zip, so could give indication of file name"
+ 695,FDM Database (userdata.zip),App,Users\*\AppData\Local\Free Download Manager\backup/userdata.zip,lazy_ntfs,fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file
+ 696,FreeFileSync,Apps,Users\*\AppData\Roaming\FreeFileSync\Logs,lazy_ntfs,Copies out all log files
+ 697,Google Drive User Files,Apps,Users\*\Google Drive*/**10,lazy_ntfs,Google Drive Backup and Sync Application
+ 698,Google Drive Metadata,Apps,Users\*\AppData\Local\Google\Drive/**10,lazy_ntfs,Google Drive Backup and Sync Application
+ 699,Google File Stream Metadata,Apps,Users\*\AppData\Local\Google\DriveFS/**10,lazy_ntfs,Google Drive File Stream Application
+ 700,HexChat Chat Logs,Communications,Users\*\AppData\Roaming\HexChat\logs/**10,lazy_ntfs,
+ 701,IceChat Chat Logs,Communications,Users\*\AppData\Local\IceChat Networks\IceChat\Logs/**10,lazy_ntfs,
+ 702,JDownloader 2.0 Download Lists,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/downloadList*.zip,lazy_ntfs,"Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
+ 703,JDownloader 2.0 Link Collector,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/linkcollector*.zip,lazy_ntfs,"Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
+ 704,JDownloader 2.0 General Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.settings.GeneralSettings.json,lazy_ntfs,General user config for JDownloader 2.0. Holds default download folder.
+ 705,JDownloader 2.0 Link Grabber Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json,lazy_ntfs,Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder.
+ 706,JDownloader 2.0 Proxy Settings,App,Users\*\AppData\Local\JDownloader 2.0\cfg/**10/org.jdownloader.settings.InternetConnectionSettings.customproxylist.json,lazy_ntfs,Proxy configuration for JDownloader 2.0
+ 707,Java WebStart Cache User Level - Default,Communication,Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 708,Java WebStart Cache User Level - IE Protected Mode,Communication,Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 709,Java WebStart Cache System level,Communication,Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 710,Java WebStart Cache System level,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 711,Java WebStart Cache System level - IE Protected Mode,Communication,Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 712,Java WebStart Cache System level - IE Protected Mode,Communication,Windows.old\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 713,Java WebStart Cache System level (SysWow64),Communication,Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 714,Java WebStart Cache System level (SysWow64),Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 715,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 716,Java WebStart Cache System level (SysWow64) - IE Protected Mode,Communication,Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 717,Java WebStart Cache User Level - XP,Communications,Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*/*.idx,lazy_ntfs,
+ 718,Kaseya Live Connect Logs (XP),ApplicationLogs,Documents and Settings\*\Application Data\Kaseya\Log/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 719,Kaseya Live Connect Logs,ApplicationLogs,Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 720,Kaseya Agent Endpoint Service Logs (XP),ApplicationLogs,Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 721,Kaseya Agent Endpoint Service Logs,ApplicationLogs,ProgramData\Kaseya\Log\Endpoint/**10,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 722,Kaseya Agent Service Log,ApplicationLogs,Program Files*\Kaseya\*/agentmon.log*,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations
+ 723,Kaseya Setup Log,ApplicationLogs,Users\*\AppData\Local\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 724,Kaseya Setup Log,ApplicationLogs,Windows\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 725,Kaseya Setup Log,ApplicationLogs,Windows.old\Windows\Temp/KASetup.log,lazy_ntfs,https://helpdesk.kaseya.com/hc/en-gb/articles/229011448
+ 726,LogMeIn ProgramData Logs,ApplicationLogs,ProgramData\LogMeIn\Logs/**10,lazy_ntfs,
+ 727,LogMeIn Application Logs,ApplicationLogs,Users\*\AppData\Local\temp\LogMeInLogs/**10,lazy_ntfs,"Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"
+ 728,Macrium Reflect,Apps,ProgramData\Macrium\Macrium Service\*,lazy_ntfs,Copies out all log files
+ 729,Macrium Reflect,Apps,ProgramData\Macrium\Reflect\*,lazy_ntfs,Copies out the Reflect folder which contains many important logs
+ 730,Macrium Reflect,Apps,ProgramData\Macrium\Reflect Launcher,lazy_ntfs,Copies out the Reflect folder which contains many important logs
+ 731,Mattermost - Chat Logs,Apps,Users\*\AppData\Roaming\Mattermost\IndexedDB/**10,lazy_ntfs,Locates Mattermost logs and copies them
+ 732,Microsoft Teams IndexedDB Cache,Apps,Users\*\AppData\Roaming\Microsoft Teams\IndexedDB\*,lazy_ntfs,"LevelDB database which can contain inbound/outbound chat messages, call history and more"
+ 733,Microsoft Teams Local Storage Cache,Apps,Users\*\AppData\Roaming\Microsoft\Teams\Local Storage\*,lazy_ntfs,"LevelDB database which can contain meeting history, file transfer logs and more"
+ 734,Microsoft Teams Config,Apps,Users\*\AppData\Roaming\Microsoft\Teams/desktop-config.json,lazy_ntfs,JSON config file for Teams
+ 735,Notepad++ Unsaved Edits,Text Editor,Users\*\AppData\Roaming\Notepad++\backup/**10,lazy_ntfs,Locates non-saved Notepad++ files and copies them.
+ 736,Notepad++ Config,Text Editor,Users\*\AppData\Roaming\Notepad++/config.xml,lazy_ntfs,"Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents"
+ 737,OneDrive User Files,Apps,Users\*\OneDrive*/**10,lazy_ntfs,Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use
+ 738,OneDrive Metadata Logs,Apps,Users\*\AppData\Local\Microsoft\OneDrive\logs/**10,lazy_ntfs,
+ 739,OneDrive Metadata Settings,Apps,Users\*\AppData\Local\Microsoft\OneDrive\settings/**10,lazy_ntfs,
+ 740,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\config/**10,lazy_ntfs,Contains OpenVPN Configs (Profiles)
+ 741,OpenVPN Client Config,ApplicationLogs,Program Files*\OpenVPN\config/**10,lazy_ntfs,Contains OpenVPN Configs(Profiles)
+ 742,OpenVPN Client Config,ApplicationLogs,Users\*\OpenVPN\log/*.log,lazy_ntfs,Contains OpenVPN Logs for each Config(Profile)
+ 743,PST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.pst,lazy_ntfs,
+ 744,OST XP,Communications,Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook/*.ost,lazy_ntfs,
+ 745,PST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.pst,lazy_ntfs,
+ 746,OST,Communications,Users\*\AppData\Local\Microsoft\Outlook/*.ost,lazy_ntfs,
+ 747,ProtonVPN - Connection Logs,ApplicationLogs,Users\*\AppData\Local\ProtonVPN\Logs,lazy_ntfs,Locates ProtonVPN connection logs.
+ 748,QFinderPro,Apps,Users\*\AppData\Local\QNAP\QfinderPro,lazy_ntfs,Locates a JSON file that provides network location information for any QNAP connected devices.
+ 749,Radmin Server 32bit Log,ApplicationLogs,Windows\SysWOW64\rserver30/Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
+ 750,Radmin Server 64bit Log,ApplicationLogs,Windows\System32\rserver30/Radm_log.htm,lazy_ntfs,Contains Application Log entries such as service start and incomming connections.
+ 751,Radmin Server 32bit Chats,ApplicationLogs,Windows\SysWOW64\rserver30\CHATLOGS\*/*.htm,lazy_ntfs,Previous chat logs
+ 752,Radmin Server 64bit Chats,ApplicationLogs,Windows\System32\rserver30\CHATLOGS\*/*.htm,lazy_ntfs,Previous chat logs
+ 753,Radmin Viewer Chats,ApplicationLogs,Users\*\Documents\ChatLogs\*/*.htm,lazy_ntfs,Previous chat logs
+ 754,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data/Session.db,lazy_ntfs,SQLite database with session information
+ 755,ScreenConnect Session Database,ApplicationLogs,Program Files*\ScreenConnect\App_Data/User.xml,lazy_ntfs,Contains each user's last authenticated time
+ 756,ShareX,Apps,Users\*\Documents\ShareX/**10,lazy_ntfs,Locates and captures all files within the default ShareX folder path
+ 757,main.db (App _Logfile.log and TeamViewer_Logfile_OLD.log
+ 771,TeamViewer Configuration Files,ApplicationLogs,Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport/**10,lazy_ntfs,Includes miscellaneous config files
+ 772,Telegram app folder,Apps,Users\*\AppData\Roaming\Telegram Desktop/**10,lazy_ntfs,Telegram app folder structure
+ 773,Telegram downloaded files,Apps,Users\*\Downloads\Telegram Desktop/**10,lazy_ntfs,Chat Attachments
+ 774,TeraCopy,TeraCopy,Users\*\AppData\Roaming\TeraCopy/**10,lazy_ntfs,
+ 775,Mozilla Thunderbird Install Date,Apps,Users\*\AppData\Roaming\Thunderbird\Crash Reports/InstallTime*,lazy_ntfs,Holds install time in Unix Seconds timestamp
+ 776,Mozilla Thunderbird Profiles.ini,Apps,Users\*\AppData\Roaming\Thunderbird/profiles.ini,lazy_ntfs,Profiles list - can hold references to other profiles held elsewhere on the device
+ 777,Mozilla Thunderbird prefs.js,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*/prefs.js,lazy_ntfs,User Preferences for that profile
+ 778,Mozilla Thunderbird Global Messages Database,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*/global-messages-db.sqlite,lazy_ntfs,"Holds list of contacts, emails, and other potentially useful artifacts"
+ 779,Mozilla Thunderbird logins.json,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*/logins.json,lazy_ntfs,"Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more"
+ 780,Mozilla Thunderbird places.sqlite,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*/places.sqlite,lazy_ntfs,"Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too"
+ 781,Mozilla Thunderbird ImapMail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\ImapMail/**10/INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
+ 782,Mozilla Thunderbird Mail INBOX,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Mail/**10/INBOX,lazy_ntfs,"Holds all email files with headers, content etc"
+ 783,Mozilla Thunderbird Calendar Data,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\calendar-data/local.sqlite,lazy_ntfs,Holds local calendar data
+ 784,Mozilla Thunderbird Attachments,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*\Attachments\*,lazy_ntfs,Holds attachments
+ 785,Mozilla Thunderbird Address Book,Apps,Users\*\AppData\Roaming\Thunderbird\Profiles\*/abook.sqlite,lazy_ntfs,Holds local address book
+ 786,Total Commander - .ini File,Apps,Users\*\AppData\Roaming\GHISLER/wincmd.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
+ 787,Total Commander - Log File,Apps,**10/totalcmd.log,lazy_ntfs,Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified.
+ 788,VLC Recently Opened Files,Apps,Users\*\AppData\Roaming\vlc/vlc-qt-interface.ini,lazy_ntfs,Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening
+ 789,VLC Recorded Files,Apps,Users\*\Videos/vlc-*.avi,lazy_ntfs,"Recorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC"
+ 790,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk.
+ 791,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
+ 792,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
+ 793,VMware (Fusion/Workstation/Server/Player),Memory,**10/*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
+ 794,RealVNC Log,ApplicationLogs,Users\*\AppData\Local\RealVNC/vncserver.log,lazy_ntfs,https://www.realvnc.com/en/connect/docs/logging.html#logging
+ 795,Viber Config Database,Apps,Users\*\AppData\Roaming\ViberPC/config.db,lazy_ntfs,Configuration file for Viber
+ 796,Viber Users Data Database,Apps,Users\*\AppData\Roaming\ViberPC\*/viber.db,lazy_ntfs,"Viber data for that user, containing Calls, Chat Messages, Contacts and more"
+ 797,Viber Users Avatars Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Avatars,lazy_ntfs,Cache of the Avatars for other Viber users
+ 798,Viber Users Backgrounds Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Backgrounds,lazy_ntfs,Store of the backgrounds
+ 799,Viber Users Thumbnails Cache,Apps,Users\*\AppData\Roaming\ViberPC\*\Thumbnails,lazy_ntfs,Cache of the thumbnails for uploaded/downloaded images
+ 800,VirtualBox VM configs,Apps,**10/*.vbox,lazy_ntfs,Locates all .vbox VM configuration files on disk
+ 801,VirtualBox VM backup configs,Apps,**10/*.vbox-prev,lazy_ntfs,Locates all backup .vbox VM configuration files on disk
+ 802,VirtualBox Logs,Apps,**10/VBox.log,lazy_ntfs,Locates all VBox.log files on disk
+ 803,VirtualBox Backup Logs,Apps,**10/VBox.log.*,lazy_ntfs,Locates all backup VBox.log files on disk - these can show historic VM usage
+ 804,VirtualBox Hardening Logs,Apps,**10/VBoxHardening.log,lazy_ntfs,Locates all VBoxHardening.log files on disk
+ 805,VirtualBox,Memory,**10/*.sav,lazy_ntfs,Captures all partial memory images from VirtualBox.
+ 806,WhatsApp Cache,Apps,Users\*\AppData\Roaming\WhatsApp\Cache,lazy_ntfs,"Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
+ 807,WhatsApp Local Storage,Apps,Users\*\AppData\Roaming\WhatsApp\Local Storage\leveldb,lazy_ntfs,"Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
+ 808,XYplorer - .ini file,Apps,Users\*\AppData\Roaming\XYplorer/XYplorer.ini,lazy_ntfs,Locates .ini file associated with Total Commander which stores useful user activity information.
+ 809,XYplorer - .ini file for each respective pane,Apps,Users\*\AppData\Roaming\XYplorer\Panes\*/**10/pane.ini,lazy_ntfs,Locates the .ini file for the left and right pane.
+ 810,XYplorer - AutoBackup folder,Apps,Users\*\AppData\Roaming\XYplorer\AutoBackup/**10,lazy_ntfs,Locates the AutoBackup folder and copies its contents.
+ 811,XYplorer - .dat files,Apps,Users\*\AppData\Roaming\XYplorer/**10/*.dat,lazy_ntfs,"Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit."
+ 812,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple\Mobilesync\Backup/**10,lazy_ntfs,
+ 813,iTunes Backup Folder,Communications,Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup/**10,lazy_ntfs,
+ 814,iTunes Backup Folder - iOS13,Communications,Users\*\Apple\Mobilesync\Backup\*,lazy_ntfs,
+ 815,mIRC Chat Logs,Communications,Users\*\AppData\Roaming\mIRC\logs/**10,lazy_ntfs,
 - name: KapeTargets type: hidden description: Each parameter above represents a group of rules to be triggered.
This table specifies which rule IDs will be included when the parameter is checked. default: | Group,RuleIds
- _BasicCollection,"[105, 108, 109, 110, 111, 112, 113, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 131, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 203, 204, 205, 206, 207, 213, 214, 219, 220, 222, 223, 224, 226, 227, 228, 229, 231, 232, 233, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 279, 702]"
- _SANS_Triage,"[284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454]"
- _Boot,[157]
- _J,"[219, 220]"
- _LogFile,[156]
- _MFT,[205]
- _MFTMirr,[167]
- _SDS,[131]
- _T,[279]
- 1Password,"[508, 509, 510]"
- AVG,"[640, 641, 642, 643]"
- AceText,[501]
- AcronisTrueImage,"[523, 524, 525]"
- Amcache,"[123, 124, 125, 126]"
- Ammyy,[520]
- Antivirus,"[127, 128, 129, 130, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693]"
- AnyDesk,"[502, 503]"
- ApacheAccessLog,[704]
- AppData,[1]
- ApplicationEvents,"[127, 128, 129, 130]"
- AsperaConnect,"[558, 559]"
- Avast,"[662, 663, 664, 665]"
- AviraAVLogs,[655]
- BCD,"[114, 115]"
- BITS,[221]
- BitTorrent,[86]
- Bitdefender,"[690, 691]"
- BoxDrive,"[561, 562, 563, 564]"
- BrowserCache,"[708, 709, 710, 711, 712, 713]"
- Chrome,"[714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746]"
- ChromeExtensions,"[706, 707]"
- ChromeFileSystem,[774]
- CiscoJabber,[560]
- ClipboardMaster,"[604, 605, 606]"
- CloudStorage,"[527, 528, 529, 530, 531, 532, 561, 562, 563, 564, 570, 571, 572, 573, 574, 585, 586, 587]"
- CombinedLogs,"[139, 140, 188, 189, 190, 191, 192, 193, 194, 195, 196, 231, 232, 233, 702]"
- ComboFix,[678]
- ConfluenceLogs,"[623, 624]"
- Cybereason,"[668, 669, 670]"
- DC__,[98]
- Debian,"[66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82]"
- DirectoryOpus,"[512, 513, 514, 515, 516, 517, 518, 519]"
- DirectoryTraversalWildCardExample,[2]
- Discord,"[617, 618]"
- DoubleCommander,"[588, 589]"
- Dropbox,"[570, 571, 572, 573, 574]"
- ESET,"[692, 693]"
- Edge,[705]
- EdgeChromium,"[795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813]"
- EncapsulationLogging,"[146, 147, 148, 149]"
- EventLogs_RDP,"[197, 198, 199, 200, 201, 202]"
- EventLogs,"[231, 232, 233]"
- EventTraceLogs,"[188, 189, 190, 191, 192, 193, 194, 195, 196]"
- Evernote,"[455, 456, 457]"
- Everything__VoidTools_,"[620, 621, 622]"
- EvidenceOfExecution,"[123, 124, 125, 126, 203, 204, 226, 227, 228, 229]"
- Exchange,"[488, 555]"
- ExchangeClientAccess,[488]
- ExchangeTransport,[555]
- FSecure,"[671, 672, 673]"
- Fences,[533]
- FileExplorerReplacements,"[460, 461, 462, 463, 464, 465, 512, 513, 514, 515, 516, 517, 518, 519, 565, 566, 567, 568, 569, 588, 589]"
- FileSystem,"[131, 156, 157, 205, 219, 220, 279]"
- FileZilla,"[602, 603]"
- Firefox,"[747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773]"
- FreeCommander,"[565, 566, 567, 568, 569]"
- FreeDownloadManager,"[536, 537, 538]"
- FreeFileSync,[485]
- FrostWire,"[92, 93, 94]"
- Gigatribe,"[87, 88, 89]"
- GoogleDrive,"[585, 586, 587]"
- GroupPolicy,"[172, 173, 174, 175, 176, 177]"
- HexChat,[492]
- HitmanPro,"[679, 680, 681]"
- IISLogFiles,"[696, 697, 698, 699, 700]"
- IRCClients,"[492, 557, 614]"
- IceChat,[614]
- InternetExplorer,"[775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787]"
- JDownloader2,"[580, 581, 582, 583, 584]"
- JavaWebCache,"[544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554]"
- Kali,"[36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52]"
- KapeTriage,"[108, 109, 110, 111, 112, 113, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 180, 181, 182, 183, 184, 185, 186, 187, 203, 204, 205, 213, 214, 219, 220, 226, 227, 228, 229, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 279, 480, 481, 482, 483, 484, 486, 487, 489, 502, 503, 520, 521, 522, 577, 578, 579, 590, 591, 592, 593, 594, 595, 596, 597, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 705, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815]"
- Kaseya,"[590, 591, 592, 593, 594, 595, 596, 597]"
- LNKFilesAndJumpLists,"[116, 117, 118, 119, 120, 121, 122]"
- LinuxOnWindowsProfileFiles,"[132, 133, 134, 135]"
- LiveUserFiles,"[3, 4, 5, 6]"
- LogFiles,"[215, 216]"
- LogMeIn,"[127, 128, 129, 130, 486, 487]"
- MOF,[230]
- MSSQLErrorLog,"[694, 695]"
- MacriumReflect,"[466, 467, 468]"
- Malwarebytes,"[649, 650, 651, 652]"
- ManageEngineLogs,[703]
- Mattermost,[613]
- McAfee,"[683, 684, 685, 686, 687]"
- McAfee_ePO,[682]
- MemoryFiles,"[208, 209, 210, 211, 212]"
- Microsoft_Teams,"[607, 608, 609]"
- MiniTimelineCollection,"[131, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 205, 219, 220, 231, 232, 233, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 279]"
- NGINXLogs,[701]
- NZBGet,"[95, 96]"
- NewsbinPro,[83]
- Newsleecher,[99]
- Notepad__,"[615, 616]"
- OfficeAutosave,"[168, 169, 170, 171]"
- OfficeDocumentCache,[150]
- OneDrive,"[527, 528, 529]"
- OpenVPNClient,"[625, 626, 627]"
- Opera,"[814, 815]"
- OutlookPSTOST,"[598, 599, 600, 601]"
- P2PClients,"[84, 85, 87, 88, 89, 92, 93, 94, 97, 98]"
- PowerShellConsole,[702]
- Prefetch,"[226, 227]"
- ProtonVPN,[458]
- PuffinSecureBrowser,"[788, 789, 790, 791, 792, 793, 794]"
- QFinderPro__QNAP_,[543]
- RDPCache,"[234, 235]"
- RDPLogs,"[180, 181, 182, 183, 184, 185, 186, 187]"
- Radmin,"[480, 481, 482, 483, 484]"
- RecentFileCache,"[203, 204]"
- RecycleBin,"[206, 207]"
- RegistryHives,"[158, 159, 160, 161, 162, 163, 164, 165, 166, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276]"
- RegistryHivesSystem,"[236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276]"
- RegistryHivesUser,"[158, 159, 160, 161, 162, 163, 164, 165, 166]"
- RemoteAdmin,"[127, 128, 129, 130, 180, 181, 182, 183, 184, 185, 186, 187, 234, 235, 480, 481, 482, 483, 484, 486, 487, 489, 502, 503, 520, 521, 522, 577, 578, 579, 590, 591, 592, 593, 594, 595, 596, 597]"
- RogueKiller,[689]
- SABnbzd,"[102, 103]"
- SDB,"[151, 152, 153, 154]"
- SRUM,"[213, 214]"
- SUPERAntiSpyware,[666]
- SUSELinuxEnterpriseServer,"[53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65]"
- ScheduledTasks,"[108, 109, 110, 111, 112, 113]"
- ScreenConnect,"[127, 128, 129, 130, 521, 522]"
- SentinelOne,[688]
- ShareX,[459]
- Shareaza,[97]
- SignatureCatalog,"[106, 107]"
- Skype,"[495, 496, 497, 498, 499, 500]"
- Slack,[539]
- Snagit,[526]
- Sophos,"[127, 128, 129, 130, 653, 654]"
- Soulseek,"[84, 85]"
- StartupInfo,"[178, 179]"
- SublimeText,[619]
- SugarSync,"[530, 531, 532]"
- Symantec_AV_Logs,"[127, 128, 129, 130, 633, 634, 635, 636, 637, 638, 639]"
- Syscache,"[228, 229]"
- TeamViewerLogs,"[577, 578, 579]"
- Telegram,"[490, 491]"
- TeraCopy,[556]
- ThumbCache,[105]
- Thunderbird,"[469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479]"
- TorrentClients,"[86, 90, 91, 101]"
- Torrents,[100]
- TotalAV,"[647, 648]"
- TotalCommander,"[464, 465]"
- TrendMicro,"[644, 645, 646]"
- USBDevicesLogs,"[222, 223, 224]"
- Ubuntu,"[20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35]"
- Usenet,[104]
- UsenetClients,"[83, 95, 96, 99, 102, 103]"
- VIPRE,"[674, 675, 676, 677]"
- VLC_Media_Player,"[575, 576]"
- VMware,"[280, 281, 282, 283, 507, 610, 611, 612]"
- VMwareInventory,[507]
- VMwareMemory,"[610, 611, 612]"
- VNCLogs,"[127, 128, 129, 130, 489]"
- Viber,"[628, 629, 630, 631, 632]"
- VirtualBox,"[280, 281, 282, 283, 493, 494, 504, 505, 506, 511]"
- VirtualBoxConfig,"[493, 494]"
- VirtualBoxLogs,"[504, 505, 506]"
- VirtualBoxMemory,[511]
- VirtualDisks,"[280, 281, 282, 283]"
- WBEM,"[277, 278]"
- WER,"[142, 143, 144, 145]"
- WSL,"[7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82]"
- WebBrowsers,"[705, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815]"
- Webroot,[667]
- WhatsApp,"[534, 535]"
- WindowsDefender,"[656, 657, 658, 659, 660, 661]"
- WindowsFirewall,"[139, 140]"
- WindowsIndexSearch,[155]
- WindowsNotificationsDB,"[217, 218]"
- WindowsStickyNotes,"[136, 137]"
- WindowsTimeline,[138]
- WindowsYourPhone,[225]
- XPRestorePoints,[141]
- XYplorer,"[460, 461, 462, 463]"
- iTunesBackup,"[540, 541, 542]"
- mIRC,[557]
- openSUSE,"[7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19]"
- qBittorrent,"[90, 91]"
- uTorrent,[101]
+ _BasicCollection,"[148, 459, 460, 461, 462, 463, 465, 466, 467, 468, 469, 470, 488, 489, 490, 506, 507, 508, 509, 510, 511, 512, 530, 531, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 
585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, 600, 601, 602, 603, 604, 605, 606, 607, 612, 613, 614, 615, 616, 617, 630]"
+ _SANS_Triage,"[149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319]"
+ _Boot,[459]
+ _J,"[460, 461]"
+ _LogFile,[462]
+ _MFT,[463]
+ _MFTMirr,[464]
+ _SDS,[465]
+ _T,[466]
+ 1Password,"[638, 639, 640]"
+ AVG,"[1, 2, 3, 4]"
+ AceText,[641]
+ AcronisTrueImage,"[642, 643, 644]"
+ Amcache,"[467, 468, 469, 470]"
+ Ammyy,[645]
+ Antivirus,"[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 471, 472, 473, 474]"
+ AnyDesk,"[646, 647]"
+ ApacheAccessLog,[138]
+ AppData,[431]
+ ApplicationEvents,"[471, 472, 473, 474]"
+ AsperaConnect,"[648, 649]"
+ Avast,"[5, 6, 7, 8]"
+ AviraAVLogs,[9]
+ BCD,"[475, 476]"
+ BITS,[477]
+ BitTorrent,[437]
+ Bitdefender,"[10, 11]"
+ BoxDrive,"[650, 651, 652, 653]"
+ BrowserCache,"[320, 321, 322, 323, 324, 325]"
+ Chrome,"[326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358]"
+ ChromeExtensions,"[359, 360]"
+ ChromeFileSystem,[361]
+ CiscoJabber,[654]
+ ClipboardMaster,"[655, 656, 657]"
+ CloudStorage,"[650, 651, 652, 653, 672, 673, 674, 675, 676, 697, 698, 699, 737, 738, 739, 766, 767, 768]"
+ CombinedLogs,"[148, 488, 489, 490, 491, 492, 493, 494, 495, 496, 497, 498, 499, 628, 629]"
+ ComboFix,[12]
+ ConfluenceLogs,"[658, 659]"
+ Cybereason,"[13, 14, 15]"
+ DC__,[438]
+ Debian,"[62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78]"
+ DirectoryOpus,"[660, 661, 662, 663, 664, 665, 666, 667]"
+ DirectoryTraversalWildCardExample,[432]
+ Discord,"[668, 669]"
+ DoubleCommander,"[670, 671]"
+ Dropbox,"[672, 673, 674, 675, 676]"
+ ESET,"[16, 17]"
+ Edge,[362]
+ EdgeChromium,"[363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381]"
+ EncapsulationLogging,"[478, 479, 480, 481]"
+ EventLogs_RDP,"[482, 483, 484, 485, 486, 487]"
+ EventLogs,"[488, 489, 490]"
+ EventTraceLogs,"[491, 492, 493, 494, 495, 496, 497, 498, 499]"
+ Evernote,"[677, 678, 679]"
+ Everything__VoidTools_,"[680, 681, 682]"
+ EvidenceOfExecution,"[467, 468, 469, 470, 530, 531, 542, 543, 612, 613]"
+ Exchange,"[683, 684]"
+ ExchangeClientAccess,[683]
+ ExchangeTransport,[684]
+ FSecure,"[18, 19, 20]"
+ Fences,[685]
+ FileExplorerReplacements,"[660, 661, 662, 663, 664, 665, 666, 667, 670, 671, 688, 689, 690, 691, 692, 786, 787, 808, 809, 810, 811]"
+ FileSystem,"[459, 460, 461, 462, 463, 465, 466]"
+ FileZilla,"[686, 687]"
+ Firefox,"[382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408]"
+ FreeCommander,"[688, 689, 690, 691, 692]"
+ FreeDownloadManager,"[693, 694, 695]"
+ FreeFileSync,[696]
+ FrostWire,"[439, 440, 441]"
+ Gigatribe,"[442, 443, 444]"
+ GoogleDrive,"[697, 698, 699]"
+ GroupPolicy,"[500, 501, 502, 503, 504, 505]"
+ HexChat,[700]
+ HitmanPro,"[21, 22, 23]"
+ IISLogFiles,"[139, 140, 141, 142, 143]"
+ IRCClients,"[700, 701, 815]"
+ IceChat,[701]
+ InternetExplorer,"[409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421]"
+ JDownloader2,"[702, 703, 704, 705, 706]"
+ JavaWebCache,"[707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717]"
+ Kali,"[79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95]"
+ KapeTriage,"[1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 459, 460, 461, 462, 463, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 488, 489, 490, 506, 507, 508, 509, 510, 511, 512, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, 600, 601, 602, 603, 604, 605, 606, 607, 612, 613, 645, 646, 647, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 749, 750, 751, 752, 753, 754, 755, 769, 770, 771, 794]"
+ Kaseya,"[718, 719, 720, 721, 722, 723, 724, 725]"
+ LNKFilesAndJumpLists,"[506, 507, 508, 509, 510, 511, 512]"
+ LinuxOnWindowsProfileFiles,"[513, 514, 515, 516]"
+ LiveUserFiles,"[433, 434, 435, 436]"
+ LogFiles,"[517, 518]"
+ LogMeIn,"[471, 472, 473, 474, 726, 727]"
+ MOF,[519]
+ MSSQLErrorLog,"[144, 145]"
+ MacriumReflect,"[728, 729, 730]"
+ Malwarebytes,"[24, 25, 26, 27]"
+ ManageEngineLogs,[146]
+ Mattermost,[731]
+ McAfee,"[28, 29, 30, 31, 32]"
+ McAfee_ePO,[33]
+ MemoryFiles,"[520, 521, 522, 523, 524]"
+ Microsoft_Teams,"[732, 733, 734]"
+ MiniTimelineCollection,"[459, 460, 461, 462, 463, 465, 466, 488, 489, 490, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595]"
+ NGINXLogs,[147]
+ NZBGet,"[445, 446]"
+ NewsbinPro,[447]
+ Newsleecher,[448]
+ Notepad__,"[735, 736]"
+ OfficeAutosave,"[525, 526, 527, 528]"
+ OfficeDocumentCache,[529]
+ OneDrive,"[737, 738, 739]"
+ OpenVPNClient,"[740, 741, 742]"
+ Opera,"[422, 423]"
+ OutlookPSTOST,"[743, 744, 745, 746]"
+ P2PClients,"[438, 439, 440, 441, 442, 443, 444, 451, 452, 453]"
+ PowerShellConsole,[148]
+ Prefetch,"[530, 531]"
+ ProtonVPN,[747]
+ PuffinSecureBrowser,"[424, 425, 426, 427, 428, 429, 430]"
+ QFinderPro__QNAP_,[748]
+ RDPCache,"[532, 533]"
+ RDPLogs,"[534, 535, 536, 537, 538, 539, 540, 541]"
+ Radmin,"[749, 750, 751, 752, 753]"
+ RecentFileCache,"[542, 543]"
+ RecycleBin,"[544, 545]"
+ RegistryHives,"[546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595]"
+ RegistryHivesSystem,"[546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586]"
+ RegistryHivesUser,"[587, 588, 589, 590, 591, 592, 593, 594, 595]"
+ RemoteAdmin,"[471, 472, 473, 474, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 645, 646, 647, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 749, 750, 751, 752, 753, 754, 755, 769, 770, 771, 794]"
+ RogueKiller,[34]
+ SABnbzd,"[449, 450]"
+ SDB,"[596, 597, 598, 599]"
+ SRUM,"[600, 601]"
+ SUPERAntiSpyware,[35]
+ SUSELinuxEnterpriseServer,"[96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108]"
+ ScheduledTasks,"[602, 603, 604, 605, 606, 607]"
+ ScreenConnect,"[471, 472, 473, 474, 754, 755]"
+ SentinelOne,[36]
+ ShareX,[756]
+ Shareaza,[451]
+ SignatureCatalog,"[608, 609]"
+ Skype,"[757, 758, 759, 760, 761, 762]"
+ Slack,[763]
+ Snagit,[764]
+ Sophos,"[37, 38, 471, 472, 473, 474]"
+ Soulseek,"[452, 453]"
+ StartupInfo,"[610, 611]"
+ SublimeText,[765]
+ SugarSync,"[766, 767, 768]"
+ Symantec_AV_Logs,"[39, 40, 41, 42, 43, 44, 45, 471, 472, 473, 474]"
+ Syscache,"[612, 613]"
+ TeamViewerLogs,"[769, 770, 771]"
+ Telegram,"[772, 773]"
+ TeraCopy,[774]
+ ThumbCache,[614]
+ Thunderbird,"[775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785]"
+ TorrentClients,"[437, 456, 457, 458]"
+ Torrents,[454]
+ TotalAV,"[46, 47]"
+ TotalCommander,"[786, 787]"
+ TrendMicro,"[48, 49, 50]"
+ USBDevicesLogs,"[615, 616, 617]"
+ Ubuntu,"[109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124]"
+ Usenet,[455]
+ UsenetClients,"[445, 446, 447, 448, 449, 450]"
+ VIPRE,"[51, 52, 53, 54]"
+ VLC_Media_Player,"[788, 789]"
+ VMware,"[618, 619, 620, 621, 790, 791, 792, 793]"
+ VMwareInventory,[790]
+ VMwareMemory,"[791, 792, 793]"
+ VNCLogs,"[471, 472, 473, 474, 794]"
+ Viber,"[795, 796, 797, 798, 799]"
+ VirtualBox,"[618, 619, 620, 621, 800, 801, 802, 803, 804, 805]"
+ VirtualBoxConfig,"[800, 801]"
+ VirtualBoxLogs,"[802, 803, 804]"
+ VirtualBoxMemory,[805]
+ VirtualDisks,"[618, 619, 620, 621]"
+ WBEM,"[622, 623]"
+ WER,"[624, 625, 626, 627]"
+ WSL,"[62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137]"
+ WebBrowsers,"[326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430]"
+ Webroot,[55]
+ WhatsApp,"[806, 807]"
+ WindowsDefender,"[56, 57, 58, 59, 60, 61]"
+ WindowsFirewall,"[628, 629]"
+ WindowsIndexSearch,[630]
+ WindowsNotificationsDB,"[631, 632]"
+ WindowsStickyNotes,"[633, 634]"
+ WindowsTimeline,[635]
+ WindowsYourPhone,[636]
+ XPRestorePoints,[637]
+ XYplorer,"[808, 809, 810, 811]"
+ iTunesBackup,"[812, 813, 814]"
+ mIRC,[815]
+ openSUSE,"[125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137]"
+ qBittorrent,"[456, 457]"
+ uTorrent,[458]
 - name: DontBeLazy description: Normally we prefer to use lazy_ntfs for speed. Sometimes this might miss stuff so setting this will fallback to the regular ntfs accessor. type: bool
@@ -1762,3 +1762,5 @@ reports: {{ end }} {{ Query $query | Table }}
+
+
diff --git a/artifacts/definitions/Windows/NTFS/I30.yaml b/artifacts/definitions/Windows/NTFS/I30.yaml
index b128a1e9f6b..8ac86410613 100644
--- a/artifacts/definitions/Windows/NTFS/I30.yaml
+++ b/artifacts/definitions/Windows/NTFS/I30.yaml
@@ -7,42 +7,60 @@ description: | parameters: - name: DirectoryGlobs - default: C:\Users\** + default: C:\Users\* - name: SlackOnly description: "Select to return only entries from Slack space." type: bool -precondition: - SELECT * FROM info() where OS = 'windows' + - name: AlsoUpload + description: Select to also upload the raw $I30 stream. + type: bool sources: - name: UploadI30Streams - queries: - - LET inodes = SELECT FullPath, Data.mft AS MFT, + precondition: + SELECT * FROM info() where OS = 'windows' AND AlsoUpload + + query: | + LET inodes = SELECT FullPath, Data.mft AS MFT, parse_ntfs(device=FullPath, inode=Data.mft) AS MFTInfo - FROM glob(globs=DirectoryGlobs, accessor="ntfs") - WHERE IsDir and log(message=MFT) + FROM glob(globs=DirectoryGlobs, accessor="ntfs") + WHERE IsDir - - LET upload_streams = SELECT * FROM foreach( - row=MFTInfo.Attributes, - query={ - SELECT Type, TypeId, Id, Inode, Size, Name, FullPath, - upload(accessor="mft", file=MFTInfo.Device + Inode, - name=FullPath + "/" + Inode) AS IndexUpload - FROM scope() - WHERE Type =~ "INDEX_" - }) + LET upload_streams = SELECT * FROM foreach( + row=MFTInfo.Attributes, + query={ + SELECT _value.Type AS Type, + _value.TypeId AS TypeId, + _value.Id AS Id, + _value.Inode AS Inode, + _value.Size AS Size, + _value.Name AS Name, + _value.FullPath AS FullPath, + upload(accessor="mft", file=MFTInfo.Device + _value.Inode, + name=_value.FullPath + "/" + _value.Inode) AS IndexUpload + FROM scope() + WHERE Type =~ "INDEX_" + }) - - SELECT * FROM foreach(row=inodes, query=upload_streams) + SELECT * FROM foreach(row=inodes, query=upload_streams) - name: AnalyzeI30 - queries: - - SELECT * FROM foreach( - row=inodes, - query={ - SELECT FullPath, Name, NameType, Size, AllocatedSize, - IsSlack, SlackOffset, Mtime, Atime, Ctime, Btime, MFTId - FROM parse_ntfs_i30(device=MFTInfo.Device, inode=MFT) - WHERE IsSlack = true or NOT SlackOnly - }) + precondition: + SELECT * FROM info() where OS = 'windows' + + query: | + LET 
inodes = SELECT FullPath, Data.mft AS MFT, + parse_ntfs(device=FullPath, inode=Data.mft) AS MFTInfo + FROM glob(globs=DirectoryGlobs, accessor="ntfs") + WHERE IsDir + + SELECT * FROM foreach( + row=inodes, + query={ + SELECT FullPath, Name, NameType, Size, AllocatedSize, + IsSlack, SlackOffset, Mtime, Atime, Ctime, Btime, MFTId + FROM parse_ntfs_i30(device=MFTInfo.Device, inode=MFT) + WHERE IsSlack = true or NOT SlackOnly + }) diff --git a/artifacts/definitions/Windows/Registry/WDigest.yaml b/artifacts/definitions/Windows/Registry/WDigest.yaml index 64f51b97e6b..455db73a8ba 100644 --- a/artifacts/definitions/Windows/Registry/WDigest.yaml +++ b/artifacts/definitions/Windows/Registry/WDigest.yaml 
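Review bot: The `DirectoryGlobs` default silently narrows from `C:\Users\**` to `C:\Users\*`, so out of the box only the $I30 indexes of the profile directories themselves are parsed and nothing below them (Desktop, Downloads, AppData), which is where slack-space residue of deleted files is usually sought. The commit message calls this a cleanup, so if the narrowing is deliberate (presumably the recursive glob is slow on large volumes) the parameter should say so, e.g. `description: Directories whose $I30 index is parsed. The default covers only the top-level profile folders; pass C:\Users\** to recurse (slow).` Otherwise restore `**`. Either way results from hunts run before this change are not comparable with the new default, which deserves a sentence in the artifact description.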
@@ -2,11 +2,22 @@ name: Windows.Registry.WDigest description: | Find WDigest registry values on the filesystem. - In order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled): + In order to prevent the “clear-text” password from being placed in + LSASS, the following registry key needs to be set to “0” (Digest + Disabled): - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD) - This registry key is worth monitoring in an environment as an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7 / 2008R2 up to Windows 10 / 2012R2. Furthermore, Windows 8.1 / 2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so the key needs to be added. The existence of the key is suspicious, if not expected. + This registry key is worth monitoring in an environment as an + attacker may wish to set it to 1 to enable Digest password support + which forces “clear-text” passwords to be placed in LSASS on any + version of Windows from Windows 7 / 2008R2 up to Windows 10 / + 2012R2. Furthermore, Windows 8.1 / 2012 R2 and newer do not have a + “UseLogonCredential” DWORD value, so the key needs to be + added. The existence of the key is suspicious, if not expected. + + * ATT&CK tactic: Defense Evasion, Credential Access + * ATT&CK technique: T1112, T1003.001 type: CLIENT 
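Review bot: The description conflates the WDigest registry key with the `UseLogonCredential` value: the `SecurityProviders\WDigest` key exists on every supported Windows, it is the DWORD value that is missing on 8.1 / 2012 R2 and newer, and it is that value (set to 1) which is the indicator. Suggest `“UseLogonCredential” DWORD value, so the value needs to be added. The existence of the value is suspicious, if not expected.` The range `from Windows 7 / 2008R2 up to Windows 10 / 2012R2` also pairs a client and a server release that do not line up; if the intent is that older builds keep cleartext credentials unless the update that introduced the value is installed, state that explicitly rather than by version numbers.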
@@ -16,40 +27,20 @@ precondition: SELECT * FROM info() where OS = 'windows' parameters: - - name: tactic - description: ATT&CK tactic - default: Defense Evasion - type: hidden - - - name: technique - description: ATT&CK technique - default: T1112 - type: hidden - - - name: tactic - description: ATT&CK tactic - default: Credential Access - type: hidden - - - name: technique - description: ATT&CK technique - default: T1003.001 - type: hidden - - name: SearchRegistryGlob default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\** description: Use a glob to define the files that will be searched. sources: - query: | - SELECT Name, - FullPath, - Data, - Sys, + SELECT Name, + FullPath, + Data, + Sys, ModTime as Modified FROM glob(globs=SearchRegistryGlob, accessor='registry') WHERE Name =~ "LogonCredential" - + column_types: - name: Modified type: timestamp diff --git a/gui/velociraptor/src/components/core/paged-table.js b/gui/velociraptor/src/components/core/paged-table.js index 3efdf030858..4074ede101d 100644 --- a/gui/velociraptor/src/components/core/paged-table.js +++ b/gui/velociraptor/src/components/core/paged-table.js @@ -96,6 +96,9 @@ class VeloPagedTable extends Component { // When called will cause the table to be recalculated. refresh: PropTypes.func, + + // A version to force refresh of the table. + version: PropTypes.object, } state = { @@ -124,6 +127,10 @@ class VeloPagedTable extends Component { } componentDidUpdate(prevProps, prevState, snapshot) { + if (!_.isEqual(prevProps.version, this.props.version)) { + this.fetchRows(); + }; + if (!_.isEqual(prevProps.params, this.props.params)) { this.setState({start_row: 0, toggles: {}, columns: []}); }; diff --git a/gui/velociraptor/src/components/flows/flow-logs.js b/gui/velociraptor/src/components/flows/flow-logs.js index 7b42c15905b..fbcd35645b6 100644 --- a/gui/velociraptor/src/components/flows/flow-logs.js +++ b/gui/velociraptor/src/components/flows/flow-logs.js 
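Review bot: `WHERE Name =~ "LogonCredential"` returns no rows when the value is absent, which on 8.1 / 2012 R2 and newer is the secure default, so a hunt over this artifact cannot tell a hardened host from one where the registry glob simply matched nothing, and the raw `Data` column is left for the analyst to interpret by hand. Consider a verdict column alongside the raw data, e.g. `if(condition=Data.value = 1, then="Cleartext credentials ENABLED", else="Disabled") AS Assessment` (assuming `Data.value` carries the DWORD under the registry accessor; confirm), and a sentence in the description that zero rows means the value is not present, which is the expected state on modern hosts. The `column_types` block already present can stay as is.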
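Review bot: In `componentDidUpdate` the new `version` comparison calls `this.fetchRows()` before the `params` comparison that resets `start_row`, `toggles` and `columns`, so when both props change in the same update (a different flow selected while its log count also moves) a fetch is issued with the previous pagination state and, presumably, a second one follows the state reset (the fetch path after `setState` is outside this hunk). Checking `params` first and making the version branch an `else if` avoids the redundant request: `if (!_.isEqual(prevProps.params, this.props.params)) { this.setState({start_row: 0, toggles: {}, columns: []}); } else if (!_.isEqual(prevProps.version, this.props.version)) { this.fetchRows(); }`. The `;` after each closing brace is unnecessary, though the existing code already has it.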
@@ -1,9 +1,17 @@ +import _ from 'lodash'; import React from 'react'; import PropTypes from 'prop-types'; import VeloPagedTable from '../core/paged-table.js'; import VeloTimestamp from "../utils/time.js"; + +function getFlowState(flow) { + return {flow_id: flow.session_id, + total_logs: flow.total_logs}; +} + + export default class FlowLogs extends React.Component { static propTypes = { flow: PropTypes.object, @@ -37,6 +45,7 @@ export default class FlowLogs extends React.Component { flow_id: this.props.flow.session_id, type: "log", }} + version={getFlowState(this.props.flow)} /> ); } diff --git a/gui/velociraptor/src/components/flows/flow-results.js b/gui/velociraptor/src/components/flows/flow-results.js index edacc207e04..f4258e7e074 100644 --- a/gui/velociraptor/src/components/flows/flow-results.js +++ b/gui/velociraptor/src/components/flows/flow-results.js @@ -87,6 +87,7 @@ export default class FlowResults extends React.Component { ); diff --git a/scripts/kape_files.py b/scripts/kape_files.py index 78063014ac4..6a9b218b528 100644 --- a/scripts/kape_files.py +++ b/scripts/kape_files.py @@ -22,6 +22,7 @@ import re import os import yaml +from collections import OrderedDict BLACKLISTED = ["!ALL.tkape"] @@ -30,13 +31,13 @@ class KapeContext: groups = {} rows = [["Id", "Name", "Category", "Glob", "Accessor", "Comment"]] kape_files = [] - kape_data = {} + kape_data = OrderedDict() def read_targets(ctx, project_path): for root, dirs, files in os.walk( project_path + "/Targets", topdown=False): - for name in files: + for name in sorted(files): if not name.endswith(".tkape") or name in BLACKLISTED: continue @@ -61,6 +62,11 @@ def read_targets(ctx, project_path): if mask: glob = glob.rstrip("\\") + "/" + mask + # If the glob ends with \\ it means that it is a directory + # and we actually mean to collect all the files in it. + if glob.endswith("\\"): + glob += "*" + # Expand the targets in the glob if ".tkape" in glob: continue 
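Review bot: `import _ from 'lodash'` is added to flow-logs.js, but neither `getFlowState` nor the render change in this file's hunks references `_`; unless it is used elsewhere in the file (outside these hunks) it is an unused import that `no-unused-vars` will warn on at build time, so drop the line or use it. `getFlowState` would also benefit from a one-line comment saying why it exists, e.g. `// Identity passed as VeloPagedTable's version prop so the log table refetches when the flow's log count changes.`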
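Review bot: `sorted(files)` only fixes the order within one directory; `os.walk(..., topdown=False)` still visits the subdirectories of `Targets` in filesystem-dependent order (and with `topdown=False`, sorting `dirs` in place would have no effect), so if rule Ids are assigned in encounter order (the append is outside this hunk) the numeric Ids embedded in Targets.yaml can still shift between machines, which defeats the determinism this hunk and the `OrderedDict` change aim for. Sorting the whole walk makes the numbering stable: `for root, dirs, files in sorted(os.walk(project_path + "/Targets")):`. The rest of `read_targets` is outside this hunk.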
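Review bot: The new `if glob.endswith("\\"): glob += "*"` turns a bare directory target into a non-recursive `*` glob, whereas .tkape entries carry a `Recursive` flag that decides whether a directory path means its immediate files or the whole tree; if that flag is not consulted earlier in `read_targets` (outside this hunk), recursive directory targets are silently flattened and `**` is what they need. Since the preceding mask branch already strips the trailing backslash, this branch only fires for mask-less entries, which the comment should say: `# A bare directory path (no FileMask) ends in a backslash: collect its files with "*" ("**" when the target is recursive).`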
@@ -189,7 +195,7 @@ def format(ctx): -- selection. LET targets <= SELECT * FROM parse_csv( filename=KapeTargets, accessor="data") - WHERE get(member=Group) + WHERE get(member=Group) AND log(message="Selecting " + Group) -- Filter only the rules in the rule table that have an Id we -- want. Targets with $ in their name probably refer to ntfs @@ -199,10 +205,12 @@ def format(ctx): LET rule_specs_ntfs <= SELECT Id, Glob FROM parse_csv(filename=KapeRules, accessor="data") WHERE Id in array(array=targets.RuleIds) AND Accessor='ntfs' + AND log(message="ntfs: Selecting glob " + Glob) LET rule_specs_lazy_ntfs <= SELECT Id, Glob FROM parse_csv(filename=KapeRules, accessor="data") WHERE Id in array(array=targets.RuleIds) AND Accessor='lazy_ntfs' + AND log(message="auto: Selecting glob " + Glob) -- Call the generic VSS file collector with the globs we want in -- a new CSV file. @@ -243,6 +251,7 @@ def format(ctx): collectionSpec=rule_specs_lazy_ntfs) }) }) + SELECT * FROM all_results WHERE _Source =~ "Metadata" - name: Uploads @@ -277,7 +286,7 @@ def format(ctx): {{ $count := Get ( Query (print "LET X = " $query " LIMIT 10000 " \\ " SELECT 1 AS ALL, count() AS Count FROM X Group BY ALL") | Expand ) \\ - "0.Count" }} + "0.Count" 0 }} {{ $flow := Query "LET X = SELECT Request.Parameters.env AS \\ @@ -313,7 +322,7 @@ def format(ctx): sanitize(k), ctx.kape_data[k].get("Description"), ctx.kape_data[k].get("Author"), - ", ".join([ctx.rows[x][1] for x in v])) + ", ".join(sorted([ctx.rows[x][1] for x in v]))) ids = ['%s' % x for x in v] if len(ids) > 0: