macOS Collections
AIR supports the following macOS Evidence and Artifacts
macOS Evidence List
1 | Processes | Auto Loaded Processes | Collect info on autoloaded processes |
2 | Processes | Processes | Collect Processes |
3 | Browser | Default Browser | Collect Default Browser |
4 | Browser | Chrome Cookies | Collect Chrome Cookies |
5 | Browser | Edge Cookies | Collect Edge Cookies |
6 | Browser | Opera Cookies | Collect Opera Cookies |
7 | Browser | Vivaldi Cookies | Collect Vivaldi Cookies |
8 | Browser | Arc Cookies | Collect Arc Cookies |
9 | Browser | Brave Cookies | Collect Brave Cookies |
10 | Browser | QQ Cookies | Collect QQ Cookies |
11 | Browser | Chrome Bookmarks | Collect Chrome Bookmarks |
12 | Browser | Edge Bookmarks | Collect Edge Bookmarks |
13 | Browser | Opera Bookmarks | Collect Opera Bookmarks |
14 | Browser | Vivaldi Bookmarks | Collect Vivaldi Bookmarks |
15 | Browser | Arc Bookmarks | Collect Arc Bookmarks |
16 | Browser | Brave Bookmarks | Collect Brave Bookmarks |
17 | Browser | QQ Bookmarks | Collect QQ Bookmarks |
18 | Browser | Chrome User Profiles | Collect Chrome User Profiles |
19 | Browser | Edge User Profiles | Collect Edge User Profiles |
20 | Browser | Opera User Profiles | Collect Opera User Profiles |
21 | Browser | Vivaldi User Profiles | Collect Vivaldi User Profiles |
22 | Browser | Arc User Profiles | Collect Arc User Profiles |
23 | Browser | Brave User Profiles | Collect Brave User Profiles |
24 | Browser | QQ User Profiles | Collect QQ User Profiles |
25 | Browser | Chrome Extensions | Collect Chrome Extensions |
26 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
27 | Browser | Edge Local Storage | Collect Edge Local Storage |
28 | Browser | Opera Local Storage | Collect Opera Local Storage |
29 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
30 | Browser | Arc Local Storage | Collect Arc Local Storage |
31 | Browser | Brave Local Storage | Collect Brave Local Storage |
32 | Browser | QQ Local Storage | Collect QQ Local Storage |
33 | Browser | Dump Chrome Indexed DB | Dump Chrome Indexed DB |
34 | Browser | Dump Edge Indexed DB | Dump Edge Indexed DB |
35 | Browser | Dump Opera Indexed DB | Dump Opera Indexed DB |
36 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi Indexed DB |
37 | Browser | Dump Arc Indexed DB | Dump Arc Indexed DB |
38 | Browser | Dump Brave Indexed DB | Dump Brave Indexed DB |
39 | Browser | Dump QQ Indexed DB | Dump QQ Indexed DB |
40 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
41 | Browser | Edge Web Storage | Collect Edge Web Storage |
42 | Browser | Opera Web Storage | Collect Opera Web Storage |
43 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
44 | Browser | Arc Web Storage | Collect Arc Web Storage |
45 | Browser | Brave Web Storage | Collect Brave Web Storage |
46 | Browser | QQ Web Storage | Collect QQ Web Storage |
47 | Browser | Chrome Form History | Collect Chrome Form History |
48 | Browser | Edge Form History | Collect Edge Form History |
49 | Browser | Opera Form History | Collect Opera Form History |
50 | Browser | Vivaldi Form History | Collect Vivaldi Form History |
51 | Browser | Arc Form History | Collect Arc Form History |
52 | Browser | Brave Form History | Collect Brave Form History |
53 | Browser | QQ Form History | Collect QQ Form History |
54 | Browser | Chrome Thumbnails | Collect Chrome Thumbnails |
55 | Browser | Edge Thumbnails | Collect Edge Thumbnails |
56 | Browser | Opera Thumbnails | Collect Opera Thumbnails |
57 | Browser | Vivaldi Thumbnails | Collect Vivaldi Thumbnails |
58 | Browser | Arc Thumbnails | Collect Arc Thumbnails |
59 | Browser | Brave Thumbnails | Collect Brave Thumbnails |
60 | Browser | QQ Thumbnails | Collect QQ Thumbnails |
61 | Browser | Chrome Favicons | Collect Chrome Favicons |
62 | Browser | Edge Favicons | Collect Edge Favicons |
63 | Browser | Opera Favicons | Collect Opera Favicons |
64 | Browser | Vivaldi Favicons | Collect Vivaldi Favicons |
65 | Browser | Arc Favicons | Collect Arc Favicons |
66 | Browser | Brave Favicons | Collect Brave Favicons |
67 | Browser | QQ Favicons | Collect QQ Favicons |
68 | Browser | Chrome Login Data | Collect Chrome Login Data |
69 | Browser | Edge Login Data | Collect Edge Login Data |
70 | Browser | Opera Login Data | Collect Opera Login Data |
71 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data |
72 | Browser | Arc Login Data | Collect Arc Login Data |
73 | Browser | Brave Login Data | Collect Brave Login Data |
74 | Browser | QQ Login Data | Collect QQ Login Data |
75 | Browser | Chrome Sessions | Collect Chrome Sessions |
76 | Browser | Edge Sessions | Collect Edge Sessions |
77 | Browser | Opera Sessions | Collect Opera Sessions |
78 | Browser | Vivaldi Sessions | Collect Vivaldi Sessions |
79 | Browser | Arc Sessions | Collect Arc Sessions |
80 | Browser | Brave Sessions | Collect Brave Sessions |
81 | Browser | QQ Sessions | Collect QQ Sessions |
82 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
83 | Browser | Edge Browsing History | Collect visited URLs from Microsoft Edge |
84 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
85 | Browser | Opera Browsing History | Collect visited URLs from Opera |
86 | Browser | Safari Browsing History | Collect visited URLs from Safari |
87 | Browser | Vivaldi Browsing History | Collect visited URLs from Vivaldi |
88 | Browser | Waterfox Browsing History | Collect visited URLs from Waterfox |
89 | Browser | Brave Browsing History | Collect visited URLs from Brave |
90 | Browser | Arc Browsing History | Collect visited URLs from Arc |
91 | Browser | QQ Browsing History | Collect Visited URLs from QQ |
92 | Browser | Chrome Downloads | Collect Chrome Downloads |
93 | Browser | Safari Downloads | Collect Safari Downloads |
94 | Browser | Firefox Downloads | Collect Firefox Downloads |
95 | Browser | Edge Downloads | Collect Edge Downloads |
96 | Browser | Opera Downloads | Collect Opera Downloads |
97 | Browser | Vivaldi Downloads | Collect Vivaldi Downloads |
98 | Browser | Arc Downloads | Collect Arc Downloads |
99 | Browser | Brave Downloads | Collect Brave Downloads |
100 | Browser | Waterfox Downloads | Collect Waterfox Downloads |
101 | Browser | QQ Downloads | Collect QQ Downloads |
102 | Browser | Firefox Cookies | Collect Firefox Cookies |
103 | System | Crashes | Collect Crashes |
104 | System | Gatekeeper | Collect Gatekeeper details |
105 | System | Gatekeeper Approved Apps | Collect Gatekeeper apps allowed to run |
106 | System | Installed Applications | Collect info on installed apps |
107 | System | Kernel Extensions Info | Collect kernel extensions info |
108 | System | Launchd Overrides | Collect override keys for LaunchDaemons and Agents |
109 | System | Package Install History | Collect Package Install History |
110 | System | System Extension Info | Collect system extension info |
111 | System | System Integrity Protection Status | Collect SIP status |
112 | System | Print Jobs | Collect print job info |
113 | System | Printer Info | Collect printer info |
114 | System | Transparency, Consent, and Control (TCC) | Collect Transparency, Consent, and Control Information |
115 | System | Quarantine Events | Collect Quarantine Events Database |
116 | System | Sudo Last Run | Collect Sudo Last Run |
117 | System | iMessage | Collect iMessages |
118 | System | Dock Items | Collect Dock Items |
119 | System | Document Revisions | Collect Document Revisions |
120 | System | Apple System Logs | Collect Apple System Logs |
121 | System | Apple Audit Logs | Collect Apple Audit Logs |
122 | System | Shared File List | Collect Shared File List (SFL) items |
123 | System | Shell History | Collect Shell History |
124 | System | Downloaded Files Information | Collect information about downloaded files |
125 | System | Cron Jobs | Collect Cron Jobs |
126 | System | Quick Look Cache | Collect Quick Look Cache |
127 | System | Event Taps | Collect Event Taps |
128 | System | Re-Opened Apps | Collect Re-Opened Apps |
129 | System | Most Recently Used | Collect Most Recently Used (MRU) items |
130 | System | Login Items | Collect Login Items |
131 | System | File System (FS) Events | Collect File System Events |
132 | Disk | Block Devices | Collect Block Devices |
133 | Disk | Disk Encryption | Collect Disk Encryption status |
134 | File System | File System Enumeration | Dump file and folder information. |
135 | File System | DS_Store | Collect information about .DS_Store files. |
136 | Configurations | ETC Hosts | Collect ETC Hosts |
137 | Configurations | ETC Protocols | Collect ETC Protocols |
138 | Configurations | ETC Services | Collect ETC Services |
139 | Network | Listening Ports | Collect Listening Ports |
140 | Network | IP Routes | Collect IP Routes |
141 | Network | Network Interfaces | Collect Network Interfaces |
142 | Network | DNS Resolvers | Collect DNS Resolvers |
143 | Users | User Groups | Collect User Groups |
144 | Users | Users | Collect Users |
145 | Users | Logged Users | Collect Logged Users |
146 | KnowledgeC | Application Usage | Collect Application Usage |
147 | KnowledgeC | Bluetooth Connections | Collect Bluetooth Connections |
148 | KnowledgeC | Notification Info | Collect Notification Info |
149 | Unified Logs | Logind | Filter user login events |
150 | Unified Logs | Tccd | Filter tccd events |
151 | Unified Logs | Sshd | Filter ssh activity events |
152 | Unified Logs | Command Line Activity | Filter command line activity run with elevated privileges |
153 | Unified Logs | Kernel Extensions | Filter kernel extension events |
154 | Unified Logs | Screensharing | Filter screen sharing events |
155 | Unified Logs | Keychain | Filter keychain unlock events |
156 | Unified Logs | Session Creation and Destruction | Filter sessions creation and destruction events |
157 | Unified Logs | XProtect Remediation | Filter detecting and blocking malicious software events |
158 | Unified Logs | Failed Sudo | Filter failed sudo events |
159 | Unified Logs | Manuel Configuration Profile Install | Filter MDM Clients Events |
160 | Persistence | Mail Rules | Collect Mail Rules that contain AppleScript |
161 | Persistence | Login Hooks | Collect Login Hooks |
162 | Persistence | Logout Hooks | Collect Logout Hooks |
163 | Persistence | Emond Clients | Collect Emond Clients |
164 | SSH | SSH Authorized Keys | Collect SSH authorized keys |
165 | SSH | SSH Configs | Collect SSH configurations |
166 | SSH | SSH Known Hosts | Collect SSH known hosts |
167 | SSH | SSHD Configs | Collect SSHD configurations |
macOS Artifact List
| Category | Name | Collection Type |
|---|---|---|
Server | Apache Logs | File collected |
Server | NGINX Logs | File collected |
Server | MongoDB Logs | File collected |
Server | MySQL Logs | File collected |
Server | PostgreSQL Logs | File collected |
System | System Logs | File collected |
System | Install Logs | File collected |
System | Wifi Logs | File collected |
System | KnowledgeC | File collected |
Docker | Docker Changes | Parsed & presented in Investigation Hub |
Docker | Docker Containers | Parsed & presented in Investigation Hub |
Docker | Docker Image History | Parsed & presented in Investigation Hub |
Docker | Docker Images | Parsed & presented in Investigation Hub |
Docker | Docker Info | Parsed & presented in Investigation Hub |
Docker | Docker Networks | Parsed & presented in Investigation Hub |
Docker | Docker Processes | Parsed & presented in Investigation Hub |
Docker | Docker Volumes | Parsed & presented in Investigation Hub |
Communication | AnyDesk Logs | File collected |
Communication | Teamviewer Logs | File collected |
Communication | Discord Desktop Cache | File collected |
Communication | Splashtop Mac Logs | File collected |
Utilities Artifacts | Parallels Logs | File collected |
Utilities Artifacts | Homebrew Logs | File collected |
Antivirus Logs | Sophos Event Database | File collected |
Antivirus Logs | Sophos Logs | File collected |
1 | Server | Apache Logs | Collect Apache Logs |
2 | Server | NGINX Logs | Collect NGINX Logs |
3 | Server | MongoDB Logs | Collect MongoDB Logs |
4 | Server | MySQL Logs | Collect MySQL Logs |
5 | Server | PostgreSQL Logs | Collect PostgreSQL Logs |
6 | System | System Logs | Collect System Logs |
7 | System | Install Logs | Collect Install Logs |
8 | System | Wifi Logs | Collect Wifi Logs |
9 | System | KnowledgeC | Collect KnowledgeC Database |
10 | Docker | Docker Changes | Collect Docker Changes |
11 | Docker | Docker Containers | Collect Docker Containers |
12 | Docker | Docker Image History | Collect Docker Image History |
13 | Docker | Docker Images | Collect Docker Images |
14 | Docker | Docker Info | Collect Docker Info |
15 | Docker | Docker Networks | Collect Docker Networks |
16 | Docker | Docker Processes | Collect Docker Processes |
17 | Docker | Docker Volumes | Collect Docker Volumes |
18 | Communication | AnyDesk Logs | Collect AnyDesk Logs |
19 | Communication | Teamviewer Logs | Collect Teamviewer Logs |
20 | Communication | Discord Desktop Cache | Collect Discord Desktop Cache |
21 | Communication | Splashtop Mac Logs | Collect Splashtop Mac Application Logs |
22 | Utilities Artifacts | Parallels Logs | Collect Parallels Logs |
23 | Utilities Artifacts | Homebrew Logs | Collect Homebrew Logs |
24 | Antivirus Logs | Sophos Events Database | Collect Sophos Events Database |
25 | Antivirus Logs | Sophos Logs | Collect Sophos Logs |
Last updated