How to collect evidence?
One of the core features of AIR is collecting evidence remotely. As of the latest version, it supports collecting 120+ evidence types out of the box.
This feature is made possible by "Acquisition Profiles", which are essentially groups of evidence categories.
By default, AIR comes with pre-defined acquisition profiles namely:
- Full for collecting all evidence types and application artifacts,
- Quick for collecting more comprehensive endpoint information,
- Memory (RAM + PageFile) for a memory only investigation,
- Event Logs for collecting EVT/EVTX files from an endpoint,
- Browsing History for capturing the visited websites as a CSV file.
You can always create additional acquisition profiles based on your needs by enabling/disabling specific evidence types.
AIR supports collecting more than 60 evidence types that can be found on a workstation or server, such as the MFT, a RAM image, Prefetch files, Shim Cache, Autoruns, etc.
Every new release comes with additional evidence types.
Besides the standard evidence types mentioned above, there is also support for collecting more than 60 widely used application artifacts, such as IIS logs, Skype databases, MSSQL logs, Zoom databases, etc.
Each acquisition profile also lets you add an unlimited number of wildcard patterns, whether for a specific application not in the lists above or for a critical file an attacker created on every user's desktop. This way you can build fully customized acquisition profiles to suit your needs.
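To make the idea of a profile with custom wildcard patterns concrete, here is an added example that is not AIR's code or its profile format: it models a profile as enabled evidence types plus glob patterns, expands the patterns over a constructed endpoint tree, and records a SHA-256 per collected file so the collection can be verified later. The profile dictionary, the paths and the file contents are all assumptions made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical profile modelled on the page's description (not AIR's format):
# the evidence types it enables plus the custom wildcard patterns added to it.
PROFILE = {
    "name": "Quick + user desktops",
    "evidence_types": {"Prefetch Files", "Shim Cache", "Autoruns"},  # built-in collectors
    "wildcard_patterns": [
        "Users/*/Desktop/*.exe",           # executables dropped on any user's desktop
        "inetpub/logs/LogFiles/**/*.log",  # IIS logs, an application artifact
    ],
}

def sha256_of(path: Path) -> str:
    """Stream-hash the file so the manifest can be verified later."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(profile: dict, root: Path) -> list[dict]:
    """Expand each wildcard pattern below root into an evidence manifest."""
    manifest, seen = [], set()
    for pattern in profile["wildcard_patterns"]:
        for p in root.glob(pattern):
            if p.is_file() and p not in seen:  # a file may match several patterns
                seen.add(p)
                manifest.append({"path": p.relative_to(root).as_posix(),
                                 "size": p.stat().st_size, "sha256": sha256_of(p)})
    return sorted(manifest, key=lambda e: e["path"])  # deterministic order

def demo() -> list[dict]:
    """Build a constructed endpoint tree in a temp dir and collect from it."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample content, not real artifacts
        "Users/alice/Desktop/invoice.exe": b"MZ constructed sample",
        "Users/bob/Desktop/notes.txt": b"not matched by any pattern",
        "Users/bob/Desktop/update.exe": b"MZ another constructed sample",
        "inetpub/logs/LogFiles/W3SVC1/u_ex240101.log": b"#Fields: date time\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return collect(PROFILE, root)
```

Running `demo()` returns three manifest entries: the two desktop executables and the IIS log, while `notes.txt` is skipped because no pattern matches it.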