macOS Collections

AIR supports the following macOS Evidences

macOS Evidence List

Evidence (click for details)

Category

Parsed

Sent to the Investigation Hub

Raw Files Collected

.DS_Store Files

DiskFilesystem

Yes

.Trash

DiskFilesystem

Yes

AnyDesk Logs

Applications

Yes

Apache Logs

Applications

Yes

Apple Audit Logs

System

Yes

Apple System Logs (ASL)

System

Yes

Application Usage

System

Yes

Arc Bookmarks

Applications

Yes

Arc Browsing History

Applications

Yes

Arc Cookies

Applications

Yes

Arc Downloads

Applications

Yes

Arc Favicons

Applications

Yes

Arc Form History

Applications

Yes

Arc Local Storage

Applications

Yes

Arc Login Data

Applications

Yes

Arc Sessions

Applications

Yes

Arc Thumbnails

Applications

Yes

Arc User Profiles

Applications

Yes

Arc Web Storage

Applications

Yes

Auto Loaded Processes

System

Yes

Block Devices

DiskFilesystem

Yes

Bluetooth Connections

System

Yes

Brave Bookmarks

Applications

Yes

Brave Browsing History

Applications

Yes

Brave Cookies

Applications

Yes

Brave Downloads

Applications

Yes

Brave Favicons

Applications

Yes

Brave Form History

Applications

Yes

Brave Local Storage

Applications

Yes

Brave Login Data

Applications

Yes

Brave Sessions

Applications

Yes

Brave Thumbnails

Applications

Yes

Brave User Profiles

Applications

Yes

Brave Web Storage

Applications

Yes

Chrome Bookmarks

Applications

Yes

Chrome Browsing History

Applications

Yes

Chrome Cookies

Applications

Yes

Chrome Downloads

Applications

Yes

Chrome Extensions

Applications

Yes

Chrome Favicons

Applications

Yes

Chrome Form History

Applications

Yes

Chrome Local Storage

Applications

Yes

Chrome Login Data

Applications

Yes

Chrome Sessions

Applications

Yes

Chrome Thumbnails

Applications

Yes

Chrome User Profiles

Applications

Yes

Chrome Web Storage

Applications

Yes

Collect File System (FS) Events

DiskFilesystem

Yes

Command Line Activity

EventLogs

Yes

Crashes

System

Yes

Cron Jobs

System

Yes

DHCP Settings

Network

Yes

DMG File Opened

DiskFilesystem

Yes

DNS Resolvers

Network

Yes

Default Browser

Applications

Yes

Discord Desktop Cache

Applications

Yes

Disk Encryption

DiskFilesystem

Yes

Dock Items

System

Yes

Docker Changes

Applications

Yes

Docker Container Logs

Applications

Yes

Docker Containers

Applications

Yes

Docker Image History

Applications

Yes

Docker Images

Applications

Yes

Docker Info

Applications

Yes

Docker Logs

Applications

Yes

Docker Networks

Applications

Yes

Docker Processes

Applications

Yes

Docker Volumes

Applications

Yes

Document Revisions

System

Yes

Downloaded Files Information

System

Yes

Dump Arc Indexed DB

Applications

Yes

Dump Brave Indexed DB

Applications

Yes

Dump Chrome Indexed DB

Applications

Yes

Dump Edge Indexed DB

Applications

Yes

Dump Opera Indexed DB

Applications

Yes

Dump QQ Indexed DB

Applications

Yes

Dump Vivaldi Indexed DB

Applications

Yes

ETC Files

System

Yes

ETC Hosts

Network

Yes

ETC Protocols

Network

Yes

ETC Services

Network

Yes

Edge Bookmarks

Applications

Yes

Edge Browsing History

Applications

Yes

Edge Cookies

Applications

Yes

Edge Downloads

Applications

Yes

Edge Extensions

Applications

Yes

Edge Favicons

Applications

Yes

Edge Form History

Applications

Yes

Edge Local Storage

Applications

Yes

Edge Login Data

Applications

Yes

Edge Sessions

Applications

Yes

Edge Thumbnails

Applications

Yes

Edge User Profiles

Applications

Yes

Edge Web Storage

Applications

Yes

Emond Clients

System

Yes

Event Taps

System

Yes

Extended Attributes

System

Yes

Failed Sudo

EventLogs

Yes

File Last Used

DiskFilesystem

Yes

100

File System Enumeration

DiskFilesystem

Yes

101

Finder Mounted Volume

DiskFilesystem

Yes

102

Firefox Browsing History

Applications

Yes

103

Firefox Cookies

Applications

Yes

104

Firefox Downloads

Applications

Yes

105

Firefox Extensions

Applications

Yes

106

Gatekeeper

System

Yes

107

Gatekeeper Approved Apps

System

Yes

108

Homebrew Logs

Applications

Yes

109

IP Routes

Network

Yes

110

Install Logs

System

Yes

111

Installed Applications

System

Yes

112

Kernel Extensions

EventLogs

Yes

113

Kernel Extensions Info

System

Yes

114

Keyboard Dictionary

System

Yes

115

Keychain

EventLogs

Yes

116

KnowledgeC

System

Yes

117

Launchd Files

System

Yes

118

Launchd Overrides

System

Yes

119

Listening Ports

Network

Yes

120

Logged Users

System

Yes

121

System

Yes

122

System

Yes

123

Logind

EventLogs

Yes

124

Logout Hooks

System

Yes

125

Mail Rules

System

Yes

126

Manuel Configuration Profile Install

EventLogs

Yes

127

MongoDB Logs

Applications

Yes

128

Most Recently Used (MRU)

System

Yes

129

Mount

DiskFilesystem

Yes

130

MySQL Logs

Applications

Yes

131

NGINX Logs

Applications

Yes

132

Network Interfaces

Network

Yes

133

Network Usage

Network

Yes

134

NetworkFlow

System

Yes

135

Notification Info

System

Yes

136

Opera Bookmarks

Applications

Yes

137

Opera Browsing History

Applications

Yes

138

Opera Cookies

Applications

Yes

139

Opera Downloads

Applications

Yes

140

Opera Extensions

Applications

Yes

141

Opera Favicons

Applications

Yes

142

Opera Form History

Applications

Yes

143

Opera Local Storage

Applications

Yes

144

Opera Login Data

Applications

Yes

145

Opera Sessions

Applications

Yes

146

Opera Thumbnails

Applications

Yes

147

Opera User Profiles

Applications

Yes

148

Opera Web Storage

Applications

Yes

149

PCAP

System

Yes

150

Package Install History

System

Yes

151

Parallels Logs

Applications

Yes

152

Parse File System (FS) Events

DiskFilesystem

Yes

153

PostgreSQL Logs

Applications

Yes

154

Print Jobs

System

Yes

155

Printer Info

System

Yes

156

Processes

System

Yes

157

QQ Bookmarks

Applications

Yes

158

QQ Browsing History

Applications

Yes

159

QQ Cookies

Applications

Yes

160

QQ Downloads

Applications

Yes

161

QQ Favicons

Applications

Yes

162

QQ Form History

Applications

Yes

163

QQ Local Storage

Applications

Yes

164

QQ Login Data

Applications

Yes

165

QQ Sessions

Applications

Yes

166

QQ Thumbnails

Applications

Yes

167

QQ User Profiles

Applications

Yes

168

QQ Web Storage

Applications

Yes

169

Quarantine Events

System

Yes

170

Quick Look Cache

System

Yes

171

Re-Opened Apps

System

Yes

172

SSH Authorized Keys

Network

Yes

173

SSH Configs

Network

Yes

174

SSH Files

System

Yes

175

SSH Known Hosts

Network

Yes

176

SSHD Configs

Network

Yes

177

Safari Browsing History

Applications

Yes

178

Safari Downloads

Applications

Yes

179

Screensharing

EventLogs

Yes

180

Session Creation and Destruction

EventLogs

Yes

181

Shared File List

System

Yes

182

Shell History

System

Yes

183

Software Update Information

System

Yes

184

Sophos Events Database

Applications

Yes

185

Sophos Logs

Applications

Yes

186

Splashtop Mac Logs

Applications

Yes

187

Spotlight

System

Yes

188

Sshd

EventLogs

Yes

189

Sudo Last Run

System

Yes

190

System Extension Info

System

Yes

191

System Integrity Protection Status

System

Yes

192

System Logs

System

Yes

193

Tccd

EventLogs

Yes

194

Teamviewer Logs

Applications

Yes

195

Transparency, Consent, and Control (TCC)

System

Yes

196

USB Info

System

Yes

197

User Groups

System

Yes

198

Users

System

Yes

199

Vivaldi Bookmarks

Applications

Yes

200

Vivaldi Browsing History

Applications

Yes

201

Vivaldi Cookies

Applications

Yes

202

Vivaldi Downloads

Applications

Yes

203

Vivaldi Favicons

Applications

Yes

204

Vivaldi Form History

Applications

Yes

205

Vivaldi Local Storage

Applications

Yes

206

Vivaldi Login Data

Applications

Yes

207

Vivaldi Sessions

Applications

Yes

208

Vivaldi Thumbnails

Applications

Yes

209

Vivaldi User Profiles

Applications

Yes

210

Vivaldi Web Storage

Applications

Yes

211

Waterfox Browsing History

Applications

Yes

212

Waterfox Downloads

Applications

Yes

213

Wifi Logs

Network

Yes

214

Wireless Network Connections

Network

Yes

215

XProtect Remediation

EventLogs

Yes

216

iMessage

System

Yes

PreviousZoom Media NextAnyDesk Logs

Last updated 4 days ago

Was this helpful?