Investigation Package data


Be aware that some of the information collected in investigation packages from the users' workstations qualifies as Personal Identifiable Information (PII).

Make sure you perform your due diligence to safeguard sensitive user information and comply with local laws on user data privacy.

An Investigation package compiles in a downloadable archive the following logs and data:

  • Bitdefender Endpoint Security Tools (BEST) product logs

  • Windows Event Logs

  • System Info

  • Registry hive files from:

    • %SystemRoot%\System32\Config: SOFTWARE, SYSTEM, DEFAULT, DRIVERS, SAM, SECURITY (including .LOG1 and .LOG2 files)


  • amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)

  • shimcache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache)

  • prefetch (C:\WINDOWS\Prefetch)

  • Net info:

    • ActiveNetConnections (C:\WINDOWS\system32\netstat.exe -abno)

    • AddressResolutionProtocolCache (C:\WINDOWS\system32\arp.exe -a)

    • DnsCache (C:\WINDOWS\system32\ipconfig.exe /displaydns)

    • SmbInboundSessions (C:\WINDOWS\system32\net.exe session)

    • SmbOutboundSessions:

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-500\Network

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-1001\Network

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-504\Network

    • FirewallLogs:

      • C:\WINDOWS\system32\cmd.exe /C "for /f "tokens=2 delims= " %F in ('Get-NetFirewallProfile ^| findstr FileName') do cmd /C xcopy /F /Y /Q "%F" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\" & cmd /C move "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\pfirewall.log" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\Network Connections\pfirewall.log""

  • Temp Dir Files (Listing with details for all users and system):

    • dir /a /n /q /r /s

  • ScheduledTasks (C:\WINDOWS\system32\schtasks.exe /query /v /fo CSV)

  • Powershell history (if enabled)

  • Webcache (%LOCALAPPDATA%\Microsoft\Windows\WebCache)

  • WdSupportLogs:

    • C:\WINDOWS\system32\cmd.exe /C ""%ProgramFiles%\Windows Defender\mpcmdrun.exe" -GetFiles & copy "%programdata%\Microsoft\Windows Defender\Support\" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\WdSupportLogs""

  • Users and Groups (Listing of all local users and groups):

    • net user; net localgroup

    • Groups membership listing: for /f "delims=" %x in ('net localgroup ^|find ""') do net localgroup "%x"

    • Current logged-in users: query user

  • SRUDB:

    • C:\Windows\System32\sru

  • Background Activity Moderator:

    • HKLM\SYSTEM\ControlSet001\Services\bam

  • wbem repository:

    • %windir%System32\Wbem\Repository

  • Forensic data collection report in CSV format:

    • CSV header: | Timestamp | Name | Command | Command Execution Status | Command Exit Code | Destination Path |


The forensic data gathering operation will skip items that are locked or do not exist. Depending on the operating system version and system configuration, some items could be missing or be uncollectable.