Back to binalyze.com

macOS Collections

AIR supports the following macOS Evidence and Artifacts

macOS Evidence List

#

Category

Evidence (click for details)

Parsed

Investigation Hub

Source Files Collected

1

Processes

Auto Loaded Processes

Yes

Yes

No

2

Processes

Processes

Yes

Yes

No

3

Browser

Default Browser

Yes

Yes

No

4

Browser

Chrome Cookies

Yes

Yes

No

5

Browser

Edge Cookies

Yes

Yes

No

6

Browser

Opera Cookies

Yes

Yes

No

7

Browser

Vivaldi Cookies

Yes

Yes

No

8

Browser

Arc Cookies

Yes

Yes

No

9

Browser

Brave Cookies

Yes

Yes

No

10

Browser

QQ Cookies

Yes

Yes

No

11

Browser

Chrome Bookmarks

Yes

Yes

No

12

Browser

Edge Bookmarks

Yes

Yes

No

13

Browser

Opera Bookmarks

Yes

Yes

No

14

Browser

Vivaldi Bookmarks

Yes

Yes

No

15

Browser

Arc Bookmarks

Yes

Yes

No

16

Browser

Brave Bookmarks

Yes

Yes

No

17

Browser

QQ Bookmarks

Yes

Yes

No

18

Browser

Chrome User Profiles

Yes

Yes

No

19

Browser

Edge User Profiles

Yes

Yes

No

20

Browser

Opera User Profiles

Yes

Yes

No

21

Browser

Vivaldi User Profiles

Yes

Yes

No

22

Browser

Arc User Profiles

Yes

Yes

No

23

Browser

Brave User Profiles

Yes

Yes

No

24

Browser

QQ User Profiles

Yes

Yes

No

25

Browser

Chrome Extensions

Yes

Yes

No

26

Browser

Edge Extensions

Yes

Yes

No

27

Browser

Opera Extensions

Yes

Yes

No

28

Browser

Firefox Extensions

Yes

Yes

No

29

Browser

Chrome Local Storage

Yes

Yes

No

30

Browser

Edge Local Storage

Yes

Yes

No

31

Browser

Opera Local Storage

Yes

Yes

No

32

Browser

Vivaldi Local Storage

Yes

Yes

No

33

Browser

Arc Local Storage

Yes

Yes

No

34

Browser

Brave Local Storage

Yes

Yes

No

35

Browser

QQ Local Storage

Yes

Yes

No

36

Browser

Dump Chrome Indexed DB

Yes

Yes

No

37

Browser

Dump Edge Indexed DB

Yes

Yes

No

38

Browser

Dump Opera Indexed DB

Yes

Yes

No

39

Browser

Dump Vivaldi Indexed DB

Yes

Yes

No

40

Browser

Dump Arc Indexed DB

Yes

Yes

No

41

Browser

Dump Brave Indexed DB

Yes

Yes

No

42

Browser

Dump QQ Indexed DB

Yes

Yes

No

43

Browser

Chrome Web Storage

Yes

Yes

No

44

Browser

Edge Web Storage

Yes

Yes

No

45

Browser

Opera Web Storage

Yes

Yes

No

46

Browser

Vivaldi Web Storage

Yes

Yes

No

47

Browser

Arc Web Storage

Yes

Yes

No

48

Browser

Brave Web Storage

Yes

Yes

No

49

Browser

QQ Web Storage

Yes

Yes

No

50

Browser

Chrome Form History

Yes

Yes

No

51

Browser

Edge Form History

Yes

Yes

No

52

Browser

Opera Form History

Yes

Yes

No

53

Browser

Vivaldi Form History

Yes

Yes

No

54

Browser

Arc Form History

Yes

Yes

No

55

Browser

Brave Form History

Yes

Yes

No

56

Browser

QQ Form History

Yes

Yes

No

57

Browser

Chrome Thumbnails

Yes

Yes

No

58

Browser

Edge Thumbnails

Yes

Yes

No

59

Browser

Opera Thumbnails

Yes

Yes

No

60

Browser

Vivaldi Thumbnails

Yes

Yes

No

61

Browser

Arc Thumbnails

Yes

Yes

No

62

Browser

Brave Thumbnails

Yes

Yes

No

63

Browser

QQ Thumbnails

Yes

Yes

No

64

Browser

Chrome Favicons

Yes

Yes

No

65

Browser

Edge Favicons

Yes

Yes

No

66

Browser

Opera Favicons

Yes

Yes

No

67

Browser

Vivaldi Favicons

Yes

Yes

No

68

Browser

Arc Favicons

Yes

Yes

No

69

Browser

Brave Favicons

Yes

Yes

No

70

Browser

QQ Favicons

Yes

Yes

No

71

Browser

Chrome Login Data

Yes

Yes

No

72

Browser

Edge Login Data

Yes

Yes

No

73

Browser

Opera Login Data

Yes

Yes

No

74

Browser

Vivaldi Login Data

Yes

Yes

No

75

Browser

Arc Login Data

Yes

Yes

No

76

Browser

Brave Login Data

Yes

Yes

No

77

Browser

QQ Login Data

Yes

Yes

No

78

Browser

Chrome Sessions

Yes

Yes

No

79

Browser

Edge Sessions

Yes

Yes

No

80

Browser

Opera Sessions

Yes

Yes

No

81

Browser

Vivaldi Sessions

Yes

Yes

No

82

Browser

Arc Sessions

Yes

Yes

No

83

Browser

Brave Sessions

Yes

Yes

No

84

Browser

QQ Sessions

Yes

Yes

No

85

Browser

Chrome Browsing History

Yes

Yes

No

86

Browser

Edge Browsing History

Yes

Yes

No

87

Browser

Firefox Browsing History

Yes

Yes

No

88

Browser

Opera Browsing History

Yes

Yes

No

89

Browser

Safari Browsing History

Yes

Yes

No

90

Browser

Vivaldi Browsing History

Yes

Yes

No

91

Browser

Waterfox Browsing History

Yes

Yes

No

92

Browser

Brave Browsing History

Yes

Yes

No

93

Browser

Arc Browsing History

Yes

Yes

No

94

Browser

QQ Browsing History

Yes

Yes

No

95

Browser

Chrome Downloads

Yes

Yes

No

96

Browser

Safari Downloads

Yes

Yes

No

97

Browser

Firefox Downloads

Yes

Yes

No

98

Browser

Edge Downloads

Yes

Yes

No

99

Browser

Opera Downloads

Yes

Yes

No

100

Browser

Vivaldi Downloads

Yes

Yes

No

101

Browser

Arc Downloads

Yes

Yes

No

102

Browser

Brave Downloads

Yes

Yes

No

103

Browser

Waterfox Downloads

Yes

Yes

No

104

Browser

QQ Downloads

Yes

Yes

No

105

Browser

Firefox Cookies

Yes

Yes

No

106

System

Crashes

Yes

Yes

No

107

System

Gatekeeper

Yes

Yes

No

108

System

Gatekeeper Approved Apps

Yes

Yes

No

109

System

Installed Applications

Yes

Yes

No

110

System

Kernel Extensions Info

Yes

Yes

No

111

System

Launchd Overrides

Yes

Yes

No

112

System

Package Install History

Yes

Yes

No

113

System

System Extension Info

Yes

Yes

No

114

System

System Integrity Protection Status

Yes

Yes

No

115

System

Print Jobs

Yes

Yes

No

116

System

Printer Info

Yes

Yes

No

117

System

Transparency, Consent, and Control (TCC)

Yes

Yes

No

118

System

Quarantine Events

Yes

Yes

No

119

System

Sudo Last Run

Yes

Yes

No

120

System

iMessage

Yes

Yes

No

121

System

Dock Items

Yes

Yes

No

122

System

Document Revisions

Yes

Yes

No

123

System

Apple System Logs (ASL)

Yes

Yes

No

124

System

Apple Audit Logs

Yes

Yes

No

125

System

Shared File List

Yes

Yes

No

126

System

Shell History

Yes

Yes

No

127

System

Downloaded Files Information

Yes

Yes

No

128

System

Cron Jobs

Yes

Yes

No

129

System

Quick Look Cache

Yes

Yes

No

130

System

Event Taps

Yes

Yes

No

131

System

Re-Opened Apps

Yes

Yes

No

132

System

Most Recently Used (MRU)

Yes

Yes

No

133

System

Login Items

Yes

Yes

No

134

System

Collect File System (FS) Events

Yes

Yes

No

135

System

Parse File System (FS) Events

Yes

Yes

No

136

Disk

Block Devices

Yes

Yes

No

137

Disk

Disk Encryption

Yes

Yes

No

138

File System

File System Enumeration

Yes

Yes

No

139

File System

.DS_Store Files

Yes

Yes

No

140

File System

Trash Files

Yes

Yes

No

141

Configurations

ETC Hosts

Yes

Yes

No

142

Configurations

ETC Protocols

Yes

Yes

No

143

Configurations

ETC Services

Yes

Yes

No

144

Network

Listening Ports

Yes

Yes

No

145

Network

IP Routes

Yes

Yes

No

146

Network

Network Interfaces

Yes

Yes

No

147

Network

DNS Resolvers

Yes

Yes

No

148

Network

DHCP Settings

Yes

Yes

No

149

Network

Wireless Network Connections

Yes

Yes

No

150

Users

User Groups

Yes

Yes

No

151

Users

Users

Yes

Yes

No

152

Users

Logged Users

Yes

Yes

No

153

KnowledgeC

Application Usage

Yes

Yes

No

154

KnowledgeC

Bluetooth Connections

Yes

Yes

No

155

KnowledgeC

Notification Info

Yes

Yes

No

156

Unified Logs

Logind

Yes

Yes

No

157

Unified Logs

Tccd

Yes

Yes

No

158

Unified Logs

Sshd

Yes

Yes

No

159

Unified Logs

Command Line Activity

Yes

Yes

No

160

Unified Logs

Kernel Extensions

Yes

Yes

No

161

Unified Logs

Screensharing

Yes

Yes

No

162

Unified Logs

Keychain

Yes

Yes

No

163

Unified Logs

Session Creation and Destruction

Yes

Yes

No

164

Unified Logs

XProtect Remediation

Yes

Yes

No

165

Unified Logs

Failed Sudo

Yes

Yes

No

166

Unified Logs

Manuel Configuration Profile Install

Yes

Yes

No

167

Unified Logs

Network Usage

Yes

Yes

No

168

Persistence

Mail Rules

Yes

Yes

No

169

Persistence

Login Hooks

Yes

Yes

No

170

Persistence

Logout Hooks

Yes

Yes

No

171

Persistence

Emond Clients

Yes

Yes

No

172

SSH

SSH Authorized Keys

Yes

Yes

No

173

SSH

SSH Configs

Yes

Yes

No

174

SSH

SSH Known Hosts

Yes

Yes

No

175

SSH

SSHD Configs

Yes

Yes

No

macOS Artifact List

#

Category

Artifact (click for details)

Parsed

Investigation Hub

Source Files Collected

1

Server

Apache Logs

Yes

Yes

No

2

Server

NGINX Logs

Yes

Yes

No

3

Server

MongoDB Logs

Yes

Yes

No

4

Server

MySQL Logs

Yes

Yes

No

5

Server

PostgreSQL Logs

Yes

Yes

No

6

System

System Logs

Yes

Yes

No

7

System

Install Logs

Yes

Yes

No

8

System

Wifi Logs

Yes

Yes

No

9

System

KnowledgeC

Yes

Yes

No

10

Docker

Docker Changes

Yes

Yes

No

11

Docker

Docker Containers

Yes

Yes

No

12

Docker

Docker Image History

Yes

Yes

No

13

Docker

Docker Images

Yes

Yes

No

14

Docker

Docker Info

Yes

Yes

No

15

Docker

Docker Networks

Yes

Yes

No

16

Docker

Docker Processes

Yes

Yes

No

17

Docker

Docker Volumes

Yes

Yes

No

18

Docker

Docker Container Logs

Yes

Yes

No

19

Docker

Docker Logs

Yes

Yes

No

20

Communication

AnyDesk Logs

Yes

Yes

No

21

Communication

Teamviewer Logs

Yes

Yes

No

22

Communication

Discord Desktop Cache

Yes

Yes

No

23

Communication

Splashtop Mac Logs

Yes

Yes

No

24

Utilities Artifacts

Parallels Logs

Yes

Yes

No

25

Utilities Artifacts

Homebrew Logs

Yes

Yes

No

26

Antivirus Logs

Sophos Events Database

Yes

Yes

No

27

Antivirus Logs

Sophos Logs

Yes

Yes

No

PreviousARP TableNextAnyDesk Logs

Last updated

Was this helpful?