Back to binalyze.com

Windows Collections

AIR supports the following Windows Evidence and Artifacts

Windows Evidence List

#

Category

Evidence (click for details)

Parsed

Sent to the Investigation Hub

Source Files Collected

1

Other

Activities DB

Yes

Yes

No

2

Other

Clipboard

No

Yes

No

3

Other

Collect SRUM Database Files

No

Yes

No

4

Other

NetworkFlow

No

Yes

No

5

Other

Parse SRUM Application Timeline

No

Yes

No

6

Other

Parse SRUM Application Usage

No

Yes

No

7

Other

Parse SRUM Energy Usage

No

Yes

No

8

Other

Parse SRUM Network Connectivity

No

Yes

No

9

Other

Parse SRUM Network Usage

No

Yes

No

10

Other

Window Screenshots

No

Yes

Yes

11

Applications

Brave Bookmarks

Yes

Yes

No

12

Applications

Brave Browsing History

Yes

Yes

No

13

Applications

Brave Cookies

Yes

Yes

No

14

Applications

Brave Downloads

Yes

Yes

No

15

Applications

Brave Extensions

Yes

Yes

No

16

Applications

Brave Favicons

Yes

Yes

No

17

Applications

Brave Form History

Yes

Yes

No

18

Applications

Brave Local Storage

Yes

Yes

No

19

Applications

Brave Login Data

Yes

Yes

No

20

Applications

Brave Sessions

Yes

Yes

No

21

Applications

Brave Thumbnails

Yes

Yes

No

22

Applications

Brave User Profiles

Yes

Yes

No

23

Applications

Brave Web Storage

Yes

Yes

No

24

Applications

Chrome Bookmarks

Yes

Yes

No

25

Applications

Chrome Browsing History

Yes

Yes

No

26

Applications

Chrome Cookies

Yes

Yes

No

27

Applications

Chrome Downloads

Yes

Yes

No

28

Applications

Chrome Extensions

Yes

Yes

No

29

Applications

Chrome Favicons

Yes

Yes

No

30

Applications

Chrome Form History

Yes

Yes

No

31

Applications

Chrome Local Storage

Yes

Yes

No

32

Applications

Chrome Login Data

Yes

Yes

No

33

Applications

Chrome Sessions

Yes

Yes

No

34

Applications

Chrome Thumbnails

Yes

Yes

No

35

Applications

Chrome User Profiles

Yes

Yes

No

36

Applications

Chrome Web Storage

Yes

Yes

No

37

Applications

Default Browser

Yes

Yes

No

38

Applications

Docker Changes

Yes

Yes

No

39

Applications

Docker Container Logs

Yes

Yes

No

40

Applications

Docker Containers

Yes

Yes

No

41

Applications

Docker Image History

Yes

Yes

No

42

Applications

Docker Images

Yes

Yes

No

43

Applications

Docker Info

Yes

Yes

No

44

Applications

Docker Networks

Yes

Yes

No

45

Applications

Docker Processes

Yes

Yes

No

46

Applications

Docker Volumes

Yes

Yes

No

47

Applications

Dump Brave Indexed DB

Yes

Yes

No

48

Applications

Dump Chrome Indexed DB

Yes

Yes

No

49

Applications

Dump Edge Indexed DB

Yes

Yes

No

50

Applications

Dump Opera Indexed DB

Yes

Yes

No

51

Applications

Dump QQ Indexed DB

Yes

Yes

No

52

Applications

Dump Vivaldi Indexed DB

Yes

Yes

No

53

Applications

Edge Bookmarks

Yes

Yes

No

54

Applications

Edge Cookies

Yes

Yes

No

55

Applications

Edge Downloads

Yes

Yes

No

56

Applications

Edge Extensions

Yes

Yes

No

57

Applications

Edge Favicons

Yes

Yes

No

58

Applications

Edge Form History

Yes

Yes

No

59

Applications

Edge Local Storage

Yes

Yes

No

60

Applications

Edge Login Data

Yes

Yes

No

61

Applications

Edge Sessions

Yes

Yes

No

62

Applications

Edge Thumbnails

Yes

Yes

No

63

Applications

Edge User Profiles

Yes

Yes

No

64

Applications

Edge Web Storage

Yes

Yes

No

65

Applications

Firefox Browsing History

Yes

Yes

No

66

Applications

Firefox Cookies

Yes

Yes

No

67

Applications

Firefox Downloads

Yes

Yes

No

68

Applications

Firefox Extensions

Yes

Yes

No

69

Applications

IE 10,11,Edge Browsing History

Yes

Yes

Yes

70

Applications

IE 7,8,9 Browsing History

Yes

Yes

Yes

71

Applications

Opera Bookmarks

Yes

Yes

No

72

Applications

Opera Browsing History

Yes

Yes

No

73

Applications

Opera Cookies

Yes

Yes

No

74

Applications

Opera Downloads

Yes

Yes

No

75

Applications

Opera Extensions

Yes

Yes

No

76

Applications

Opera Favicons

Yes

Yes

No

77

Applications

Opera Form History

Yes

Yes

No

78

Applications

Opera Local Storage

Yes

Yes

No

79

Applications

Opera Login Data

Yes

Yes

No

80

Applications

Opera Sessions

Yes

Yes

No

81

Applications

Opera Thumbnails

Yes

Yes

No

82

Applications

Opera User Profiles

Yes

Yes

No

83

Applications

Opera Web Storage

Yes

Yes

No

84

Applications

QQ Bookmarks

Yes

Yes

No

85

Applications

QQ Browsing History

Yes

Yes

No

86

Applications

QQ Cookies

Yes

Yes

No

87

Applications

QQ Downloads

Yes

Yes

No

88

Applications

QQ Extensions

Yes

Yes

No

89

Applications

QQ Favicons

Yes

Yes

No

90

Applications

QQ Form History

Yes

Yes

No

91

Applications

QQ Local Storage

Yes

Yes

No

92

Applications

QQ Login Data

Yes

Yes

No

93

Applications

QQ Sessions

Yes

Yes

No

94

Applications

QQ Thumbnails

Yes

Yes

No

95

Applications

QQ User Profiles

Yes

Yes

No

96

Applications

QQ Web Storage

Yes

Yes

No

97

Applications

Vivaldi Bookmarks

Yes

Yes

No

98

Applications

Vivaldi Browsing History

Yes

Yes

No

99

Applications

Vivaldi Cookies

Yes

Yes

No

100

Applications

Vivaldi Downloads

Yes

Yes

No

101

Applications

Vivaldi Extensions

Yes

Yes

No

102

Applications

Vivaldi Favicons

Yes

Yes

No

103

Applications

Vivaldi Form History

Yes

Yes

No

104

Applications

Vivaldi Local Storage

Yes

Yes

No

105

Applications

Vivaldi Login Data

Yes

Yes

No

106

Applications

Vivaldi Sessions

Yes

Yes

No

107

Applications

Vivaldi Thumbnails

Yes

Yes

No

108

Applications

Vivaldi User Profiles

Yes

Yes

No

109

Applications

Vivaldi Web Storage

Yes

Yes

No

110

Applications

WinRAR History

Yes

Yes

No

111

DiskFilesystem

$Boot

No

Yes

Yes

112

DiskFilesystem

$Log File

No

Yes

Yes

113

DiskFilesystem

$Secure:$SDS

No

Yes

Yes

114

DiskFilesystem

$TxfLog $Tops:$T

No

Yes

Yes

115

DiskFilesystem

MBR

No

Yes

Yes

116

DiskFilesystem

MFT

No

Yes

Yes

117

DiskFilesystem

MFT Mirror

No

Yes

Yes

118

DiskFilesystem

MFT as CSV

Yes

Yes

Yes

119

DiskFilesystem

Shadow Copy as CSV

Yes

Yes

No

120

DiskFilesystem

USB Storage History

Yes

Yes

No

121

DiskFilesystem

USN Journal

No

Yes

Yes

122

DiskFilesystem

USN Journal $Max

No

Yes

Yes

123

DiskFilesystem

USN Journal as CSV

Yes

Yes

No

124

DiskFilesystem

Volumes Information

Yes

Yes

No

125

EventLogs

Event Log EVT Files

Yes

Yes

No

126

EventLogs

Event Log EVT Records

Yes

Yes

Yes

127

EventLogs

Event Log EVTX Files

Yes

Yes

No

128

Memory

Hibernation File

No

Yes

Yes

129

Memory

Page File

No

Yes

Yes

130

Memory

RAM Image

No

Yes

Yes

131

Memory

Swap File

No

Yes

Yes

132

Network

ARP Table

Yes

Yes

No

133

Network

DNS Cache

Yes

Yes

No

134

Network

DNS Servers

Yes

Yes

No

135

Network

Firewall Rules

Yes

Yes

No

136

Network

Hosts

Yes

Yes

Yes

137

Network

IPv4 Routes

Yes

Yes

No

138

Network

Network Adapters

Yes

Yes

No

139

Network

Network Shares

Yes

Yes

No

140

Network

Proxy List

Yes

Yes

No

141

Network

TCP Table

Yes

Yes

No

142

Network

UDP Table

Yes

Yes

No

143

Network

Wireless Connection History

Yes

Yes

No

144

System

AmCache

Yes

Yes

Yes

145

System

Antivirus Information

Yes

Yes

No

146

System

AppCompactCache

Yes

Yes

No

147

System

AppPaths

Yes

Yes

No

148

System

CIDSizeMRU

Yes

Yes

No

149

System

CLR

No

Yes

Yes

150

System

Collect LNK Files

Yes

Yes

Yes

151

System

Crash Dump Information

Yes

Yes

No

152

System

Downloaded Files Information

Yes

Yes

No

153

System

Driver Objects

Yes

Yes

No

154

System

Drivers List

Yes

Yes

No

155

System

ETL

No

Yes

Yes

156

System

Environment Variables

Yes

Yes

No

157

System

EventTranscript DB

Yes

Yes

Yes

158

System

FileExts

Yes

Yes

No

159

System

FirstFolder

Yes

Yes

No

160

System

INF Setup

No

Yes

Yes

161

System

Iconcache

No

Yes

Yes

162

System

Installed Applications

Yes

Yes

No

163

System

JumpList Automatic Entries

Yes

Yes

No

164

System

JumpList Automatic Files

Yes

Yes

Yes

165

System

JumpList Custom Entries

Yes

Yes

No

166

System

JumpList Custom Files

Yes

Yes

Yes

167

System

LastVisitedPidlMRU

Yes

Yes

No

168

System

Map Network Drive MRU

Yes

Yes

No

169

System

NTDS.dit

No

Yes

Yes

170

System

Object Directory

Yes

Yes

No

171

System

OfficeMRU

Yes

Yes

No

172

System

Old Registry Hives

No

Yes

Yes

173

System

OpenSavePidlMRU

Yes

Yes

No

174

System

PDB Information

Yes

Yes

No

175

System

Parse LNK Files

Yes

Yes

No

176

System

Powershell ConsoleHost History

Yes

Yes

No

177

System

Powershell Logs

No

Yes

Yes

178

System

Prefetch Files

Yes

Yes

Yes

179

System

Quick Assist

Yes

Yes

No

180

System

RDP Cache

No

Yes

Yes

181

System

Recent File Cache

No

Yes

Yes

182

System

RecentDocs

Yes

Yes

No

183

System

Recycle Bin Information

Yes

Yes

No

184

System

Registry Hives

No

Yes

Yes

185

System

Registry Items

Yes

Yes

Yes

186

System

RunMRU

Yes

Yes

No

187

System

Running Processes and Modules

Yes

Yes

No

188

System

SAM Users and Groups

Yes

Yes

No

189

System

SDB

No

Yes

Yes

190

System

SRUM

Yes

Yes

Yes

191

System

Scheduled Tasks

Yes

Yes

Yes

192

System

Service List

Yes

Yes

Yes

193

System

ShellBags

Yes

Yes

No

194

System

ShellFolders

Yes

Yes

No

195

System

Startup Items

Yes

Yes

Yes

196

System

Superfetch

No

Yes

Yes

197

System

System Restore Points Information

Yes

Yes

No

198

System

Thumbcache

No

Yes

Yes

199

System

TypedPaths

Yes

Yes

No

200

System

TypedURLs

Yes

Yes

No

201

System

User Access Logs (UAL)

Yes

Yes

Yes

202

System

User Folders

Yes

Yes

No

203

System

UserAssist

Yes

Yes

No

204

System

Users

Yes

Yes

No

205

System

WBEM

No

Yes

Yes

206

System

WMI Active Script

Yes

Yes

No

207

System

WMI Command Line

Yes

Yes

No

208

System

Windows Index Search

No

Yes

Yes

209

System

Windows Timeline

Yes

Yes

Yes

210

System

WordWheelQuery

Yes

Yes

No

Windows Artifact List:

#

Category

Evidence (click for details)

Parsed

Sent to the Investigation Hub

Source Files Collected

1

Applications

AVG Logs

No

No

Yes

2

Applications

Action1 RMM Logs

No

No

Yes

3

Applications

Active Directory Logs

No

No

Yes

4

Applications

AmmyAdmin Logs

No

No

Yes

5

Applications

AnyDesk Logs

No

No

Yes

6

Applications

Apache Logs

No

No

Yes

7

Applications

Avast Logs

No

No

Yes

8

Applications

Avira Logs

No

No

Yes

9

Applications

Bitdefender Logs

No

No

Yes

10

Applications

Carbon Black Logs

No

No

Yes

11

Applications

Cisco AMP Logs

No

No

Yes

12

Applications

ComboFix

No

No

Yes

13

Applications

Cortana History

No

No

Yes

14

Applications

Cybereason Logs

No

No

Yes

15

Applications

Cylance Logs

No

No

Yes

16

Applications

DHCP Server Logs

No

No

Yes

17

Applications

DNS Server Logs

No

No

Yes

18

Applications

Deep Instinct Logs

No

No

Yes

19

Applications

Discord Desktop Cache

No

No

Yes

20

Applications

Dropbox Cache

No

No

Yes

21

Applications

Dropbox Databases

No

No

Yes

22

Applications

Dropbox Logs

No

No

Yes

23

Applications

Elastic Logs

No

No

Yes

24

Applications

Eset Logs

No

No

Yes

25

Applications

Evernote Databases

No

No

Yes

26

Applications

Evernote Drag and Drop Files

No

No

Yes

27

Applications

Evernote Logs

No

No

Yes

28

Applications

Everything History

No

No

Yes

29

Applications

F-Secure Logs

No

No

Yes

30

Applications

Facebook Cache

No

No

Yes

31

Applications

Facebook Databases

No

No

Yes

32

Applications

FileZilla Sessions

No

No

Yes

33

Applications

FireEye Logs

No

No

Yes

34

Applications

Github Desktop Cache

No

No

Yes

35

Applications

Github Desktop Databases

No

No

Yes

36

Applications

Github Desktop Logs

No

No

Yes

37

Applications

GoTo Logs

No

No

Yes

38

Applications

Google Drive Databases

No

No

Yes

39

Applications

HitmanPro Logs

No

No

Yes

40

Applications

IIS Logs

No

No

Yes

41

Applications

Kaseya Logs

No

No

Yes

42

Applications

Level Logs

No

No

Yes

43

Applications

LinkedIn Cache

No

No

Yes

44

Applications

LogMeIn Logs

No

No

Yes

45

Applications

MSSQL Logs

No

No

Yes

46

Applications

MalwareBytes Logs

No

No

Yes

47

Applications

McAfee Logs

No

No

Yes

48

Applications

Microsoft Calendar

No

No

Yes

49

Applications

Microsoft Exchange Logs

No

No

Yes

50

Applications

Microsoft Mail

No

No

Yes

51

Applications

Microsoft Maps

No

No

Yes

52

Applications

Microsoft Outlook

No

No

Yes

53

Applications

Microsoft People

No

No

Yes

54

Applications

Microsoft Photos

No

No

Yes

55

Applications

Microsoft Sticky Notes

No

No

Yes

56

Applications

Microsoft Store Applications List

No

No

Yes

57

Applications

Microsoft Voice Record History

No

No

Yes

58

Applications

MongoDB Logs

No

No

Yes

59

Applications

Mozilla Thunderbird

No

No

Yes

60

Applications

Notepad++ Sessions

No

No

Yes

61

Applications

OneDrive Logs

No

No

Yes

62

Applications

OpenVPN Config

No

No

Yes

63

Applications

Palo Alto Logs

No

No

Yes

64

Applications

RealVNC Logs

No

No

Yes

65

Applications

RemComSvc Logs

No

No

Yes

66

Applications

Remote Utilities Logs

No

No

Yes

67

Applications

RogueKiller Reports

No

No

Yes

68

Applications

SUPERAntiSpyware Logs

No

No

Yes

69

Applications

ScreenConnect (ConnectWise Control) Application Data

No

No

Yes

70

Applications

Search History

No

No

Yes

71

Applications

SentinelOne Logs

No

No

Yes

72

Applications

Skype Databases

No

No

Yes

73

Applications

Skype Media

No

No

Yes

74

Applications

Sophos Logs

No

No

Yes

75

Applications

Sourcefire FireAMP Logs

No

No

Yes

76

Applications

Splashtop Logs

No

No

Yes

77

Applications

Spotify Cache

No

No

Yes

78

Applications

Spotify Recently Played List

No

No

Yes

79

Applications

Sublime Text Sessions

No

No

Yes

80

Applications

Supremo Remote Desktop Logs

No

No

Yes

81

Applications

Symantec Logs

No

No

Yes

82

Applications

Tanium Logs

No

No

Yes

83

Applications

Teamviewer Logs

No

No

Yes

84

Applications

Telegram Desktop Data

No

No

Yes

85

Applications

Telegram Desktop Download

No

No

Yes

86

Applications

TightVNC Logs

No

No

Yes

87

Applications

Tortoise Git Logs

No

No

Yes

88

Applications

TotalAv Logs

No

No

Yes

89

Applications

Trend Micro Logs

No

No

Yes

90

Applications

Twitter Cache

No

No

Yes

91

Applications

Twitter Databases

No

No

Yes

92

Applications

UltraVNC Logs

No

No

Yes

93

Applications

Ultraviewer Logs

No

No

Yes

94

Applications

VIPRE Logs

No

No

Yes

95

Applications

VMware Config

No

No

Yes

96

Applications

VMware Drag and Drop Files

No

No

Yes

97

Applications

VMware Logs

No

No

Yes

98

Applications

Visual Studio Team Explorer Config

No

No

Yes

99

Applications

WSL

No

No

Yes

100

Applications

Webroot Logs

No

No

Yes

101

Applications

WhatsApp Desktop Cache

No

No

Yes

102

Applications

WhatsApp Desktop Cookie

No

No

Yes

103

Applications

Windows Defender Logs

No

No

Yes

104

Applications

Windows Live Mail User Settings

No

No

Yes

105

Applications

Windows Notification History

No

No

Yes

106

Applications

Xeox Logs

No

No

Yes

107

Applications

ZohoAssist Logs

No

No

Yes

108

Applications

Zoom Databases

No

No

Yes

109

Applications

Zoom Media

No

No

Yes

110

Applications

iTunes Backups

No

No

Yes

111

System

Windows Error Reporting Files

No

No

Yes

PreviousSupported EvidenceNext$Boot

Last updated

Was this helpful?