Scripts Executed on Forensics

The following data is collected by Windows Agent 5.1.30 and above for forensics data collection:

Event Log

User Accounts

Process Files

Prefetch Files

On a Windows operating system, when a program is executed, Windows creates a Prefetch file so that the program can be loaded more quickly on later runs. It records the name of the program and when it was executed, along with other information. The prefetch files are located at `%systemroot%\Prefetch`.

This file serves as evidence that a malicious program was executed on the system, together with the timestamp at which it was executed. The prefetch parser script lists the following fields in its output:
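As an added example (not the agent's own prefetch parser script), the following Python extracts the evidence fields described above, executable name, prefetch hash, last run time(s) and run count, from an uncompressed prefetch file and builds a constructed Windows 7 sample to run against. The field offsets follow the published SCCA layout for format versions 17, 23 and 26; Windows 10/11 files are MAM-compressed and must be decompressed before this layout applies.

```python
import struct
from datetime import datetime, timedelta, timezone

# Absolute offsets of the evidence fields per prefetch version: (last-run FILETIME offset,
# run-time slot count, run-count offset). Windows 10/11 (v30) files are MAM-compressed; decompress first.
LAYOUTS = {
    17: (0x78, 1, 0x90),  # Windows XP / Server 2003
    23: (0x80, 1, 0x98),  # Windows Vista / 7
    26: (0x80, 8, 0xD0),  # Windows 8.1 (keeps the last eight run times)
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_LAST_RUN = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed sample timestamp

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, prefetch hash, last run times and run count of a .pf image."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file: decompress before parsing")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    run_off, run_slots, count_off = LAYOUTS[version]
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16LE field
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    times = struct.unpack_from(f"<{run_slots}Q", data, run_off)
    return {
        "executable": name,
        "hash": f"{prefetch_hash:08X}",  # the hex suffix of the .pf filename
        "last_run": [filetime_to_datetime(t) for t in times if t],  # unused slots are 0
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }

def build_sample(name, prefetch_hash, last_run, run_count):
    """Constructed Windows 7 (version 23) image carrying only the fields parsed above."""
    ft = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    buf = bytearray(240)  # 84-byte header followed by the 156-byte file information block
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    buf[16:16 + 2 * len(name)] = name.encode("utf-16-le")  # ASCII name: 2 bytes per char
    struct.pack_into("<I", buf, 76, prefetch_hash)
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample("CALC.EXE", 0x0FE8F3A9, SAMPLE_LAST_RUN, 5)))
```

On a real system the same function can be applied to each file under `%systemroot%\Prefetch` after reading it in binary mode.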