macOS Collections
AIR supports the following macOS Evidence and Artifacts.
macOS Evidence List
| # | Category | Name | Description |
|---|----------|------|-------------|
| 1 | Processes | Auto Loaded Processes | Collect info on autoloaded processes |
| 2 | Processes | Processes | Collect Processes |
| 3 | Browser | Default Browser | Collect Default Browser |
| 4 | Browser | Chrome Cookies | Collect Chrome Cookies |
| 5 | Browser | Edge Cookies | Collect Edge Cookies |
| 6 | Browser | Opera Cookies | Collect Opera Cookies |
| 7 | Browser | Vivaldi Cookies | Collect Vivaldi Cookies |
| 8 | Browser | Arc Cookies | Collect Arc Cookies |
| 9 | Browser | Brave Cookies | Collect Brave Cookies |
| 10 | Browser | QQ Cookies | Collect QQ Cookies |
| 11 | Browser | Chrome Bookmarks | Collect Chrome Bookmarks |
| 12 | Browser | Edge Bookmarks | Collect Edge Bookmarks |
| 13 | Browser | Opera Bookmarks | Collect Opera Bookmarks |
| 14 | Browser | Vivaldi Bookmarks | Collect Vivaldi Bookmarks |
| 15 | Browser | Arc Bookmarks | Collect Arc Bookmarks |
| 16 | Browser | Brave Bookmarks | Collect Brave Bookmarks |
| 17 | Browser | QQ Bookmarks | Collect QQ Bookmarks |
| 18 | Browser | Chrome User Profiles | Collect Chrome User Profiles |
| 19 | Browser | Edge User Profiles | Collect Edge User Profiles |
| 20 | Browser | Opera User Profiles | Collect Opera User Profiles |
| 21 | Browser | Vivaldi User Profiles | Collect Vivaldi User Profiles |
| 22 | Browser | Arc User Profiles | Collect Arc User Profiles |
| 23 | Browser | Brave User Profiles | Collect Brave User Profiles |
| 24 | Browser | QQ User Profiles | Collect QQ User Profiles |
| 25 | Browser | Chrome Extensions | Collect Chrome Extensions |
| 26 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
| 27 | Browser | Edge Local Storage | Collect Edge Local Storage |
| 28 | Browser | Opera Local Storage | Collect Opera Local Storage |
| 29 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
| 30 | Browser | Arc Local Storage | Collect Arc Local Storage |
| 31 | Browser | Brave Local Storage | Collect Brave Local Storage |
| 32 | Browser | QQ Local Storage | Collect QQ Local Storage |
| 33 | Browser | Dump Chrome Indexed DB | Dump Chrome Indexed DB |
| 34 | Browser | Dump Edge Indexed DB | Dump Edge Indexed DB |
| 35 | Browser | Dump Opera Indexed DB | Dump Opera Indexed DB |
| 36 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi Indexed DB |
| 37 | Browser | Dump Arc Indexed DB | Dump Arc Indexed DB |
| 38 | Browser | Dump Brave Indexed DB | Dump Brave Indexed DB |
| 39 | Browser | Dump QQ Indexed DB | Dump QQ Indexed DB |
| 40 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
| 41 | Browser | Edge Web Storage | Collect Edge Web Storage |
| 42 | Browser | Opera Web Storage | Collect Opera Web Storage |
| 43 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
| 44 | Browser | Arc Web Storage | Collect Arc Web Storage |
| 45 | Browser | Brave Web Storage | Collect Brave Web Storage |
| 46 | Browser | QQ Web Storage | Collect QQ Web Storage |
| 47 | Browser | Chrome Form History | Collect Chrome Form History |
| 48 | Browser | Edge Form History | Collect Edge Form History |
| 49 | Browser | Opera Form History | Collect Opera Form History |
| 50 | Browser | Vivaldi Form History | Collect Vivaldi Form History |
| 51 | Browser | Arc Form History | Collect Arc Form History |
| 52 | Browser | Brave Form History | Collect Brave Form History |
| 53 | Browser | QQ Form History | Collect QQ Form History |
| 54 | Browser | Chrome Thumbnails | Collect Chrome Thumbnails |
| 55 | Browser | Edge Thumbnails | Collect Edge Thumbnails |
| 56 | Browser | Opera Thumbnails | Collect Opera Thumbnails |
| 57 | Browser | Vivaldi Thumbnails | Collect Vivaldi Thumbnails |
| 58 | Browser | Arc Thumbnails | Collect Arc Thumbnails |
| 59 | Browser | Brave Thumbnails | Collect Brave Thumbnails |
| 60 | Browser | QQ Thumbnails | Collect QQ Thumbnails |
| 61 | Browser | Chrome Favicons | Collect Chrome Favicons |
| 62 | Browser | Edge Favicons | Collect Edge Favicons |
| 63 | Browser | Opera Favicons | Collect Opera Favicons |
| 64 | Browser | Vivaldi Favicons | Collect Vivaldi Favicons |
| 65 | Browser | Arc Favicons | Collect Arc Favicons |
| 66 | Browser | Brave Favicons | Collect Brave Favicons |
| 67 | Browser | QQ Favicons | Collect QQ Favicons |
| 68 | Browser | Chrome Login Data | Collect Chrome Login Data |
| 69 | Browser | Edge Login Data | Collect Edge Login Data |
| 70 | Browser | Opera Login Data | Collect Opera Login Data |
| 71 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data |
| 72 | Browser | Arc Login Data | Collect Arc Login Data |
| 73 | Browser | Brave Login Data | Collect Brave Login Data |
| 74 | Browser | QQ Login Data | Collect QQ Login Data |
| 75 | Browser | Chrome Sessions | Collect Chrome Sessions |
| 76 | Browser | Edge Sessions | Collect Edge Sessions |
| 77 | Browser | Opera Sessions | Collect Opera Sessions |
| 78 | Browser | Vivaldi Sessions | Collect Vivaldi Sessions |
| 79 | Browser | Arc Sessions | Collect Arc Sessions |
| 80 | Browser | Brave Sessions | Collect Brave Sessions |
| 81 | Browser | QQ Sessions | Collect QQ Sessions |
| 82 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
| 83 | Browser | Edge Browsing History | Collect visited URLs from Microsoft Edge |
| 84 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
| 85 | Browser | Opera Browsing History | Collect visited URLs from Opera |
| 86 | Browser | Safari Browsing History | Collect visited URLs from Safari |
| 87 | Browser | Vivaldi Browsing History | Collect visited URLs from Vivaldi |
| 88 | Browser | Waterfox Browsing History | Collect visited URLs from Waterfox |
| 89 | Browser | Brave Browsing History | Collect visited URLs from Brave |
| 90 | Browser | Arc Browsing History | Collect visited URLs from Arc |
| 91 | Browser | QQ Browsing History | Collect visited URLs from QQ |
| 92 | Browser | Chrome Downloads | Collect Chrome Downloads |
| 93 | Browser | Safari Downloads | Collect Safari Downloads |
| 94 | Browser | Firefox Downloads | Collect Firefox Downloads |
| 95 | Browser | Edge Downloads | Collect Edge Downloads |
| 96 | Browser | Opera Downloads | Collect Opera Downloads |
| 97 | Browser | Vivaldi Downloads | Collect Vivaldi Downloads |
| 98 | Browser | Arc Downloads | Collect Arc Downloads |
| 99 | Browser | Brave Downloads | Collect Brave Downloads |
| 100 | Browser | Waterfox Downloads | Collect Waterfox Downloads |
| 101 | Browser | QQ Downloads | Collect QQ Downloads |
| 102 | Browser | Firefox Cookies | Collect Firefox Cookies |
| 103 | System | Crashes | Collect Crashes |
| 104 | System | Gatekeeper | Collect Gatekeeper details |
| 105 | System | Gatekeeper Approved Apps | Collect Gatekeeper apps allowed to run |
| 106 | System | Installed Applications | Collect info on installed apps |
| 107 | System | Kernel Extensions Info | Collect kernel extensions info |
| 108 | System | Launchd Overrides | Collect override keys for LaunchDaemons and Agents |
| 109 | System | Package Install History | Collect Package Install History |
| 110 | System | System Extension Info | Collect system extension info |
| 111 | System | System Integrity Protection Status | Collect SIP status |
| 112 | System | Print Jobs | Collect print job info |
| 113 | System | Printer Info | Collect printer info |
| 114 | System | Transparency, Consent, and Control (TCC) | Collect Transparency, Consent, and Control Information |
| 115 | System | Quarantine Events | Collect Quarantine Events Database |
| 116 | System | Sudo Last Run | Collect Sudo Last Run |
| 117 | System | iMessage | Collect iMessages |
| 118 | System | Dock Items | Collect Dock Items |
| 119 | System | Document Revisions | Collect Document Revisions |
| 120 | System | Apple System Logs | Collect Apple System Logs |
| 121 | System | Apple Audit Logs | Collect Apple Audit Logs |
| 122 | System | Shared File List | Collect Shared File List (SFL) items |
| 123 | System | Shell History | Collect Shell History |
| 124 | System | Downloaded Files Information | Collect information about downloaded files |
| 125 | System | Cron Jobs | Collect Cron Jobs |
| 126 | System | Quick Look Cache | Collect Quick Look Cache |
| 127 | System | Event Taps | Collect Event Taps |
| 128 | System | Re-Opened Apps | Collect Re-Opened Apps |
| 129 | System | Most Recently Used | Collect Most Recently Used (MRU) items |
| 130 | System | Login Items | Collect Login Items |
| 131 | System | File System (FS) Events | Collect File System Events |
| 132 | Disk | Block Devices | Collect Block Devices |
| 133 | Disk | Disk Encryption | Collect Disk Encryption status |
| 134 | File System | File System Enumeration | Dump file and folder information. |
| 135 | File System | DS_Store | Collect information about .DS_Store files. |
| 136 | Configurations | ETC Hosts | Collect ETC Hosts |
| 137 | Configurations | ETC Protocols | Collect ETC Protocols |
| 138 | Configurations | ETC Services | Collect ETC Services |
| 139 | Network | Listening Ports | Collect Listening Ports |
| 140 | Network | IP Routes | Collect IP Routes |
| 141 | Network | Network Interfaces | Collect Network Interfaces |
| 142 | Network | DNS Resolvers | Collect DNS Resolvers |
| 143 | Users | User Groups | Collect User Groups |
| 144 | Users | Users | Collect Users |
| 145 | Users | Logged Users | Collect Logged Users |
| 146 | KnowledgeC | Application Usage | Collect Application Usage |
| 147 | KnowledgeC | Bluetooth Connections | Collect Bluetooth Connections |
| 148 | KnowledgeC | Notification Info | Collect Notification Info |
| 149 | Unified Logs | Logind | Filter user login events |
| 150 | Unified Logs | Tccd | Filter tccd events |
| 151 | Unified Logs | Sshd | Filter ssh activity events |
| 152 | Unified Logs | Command Line Activity | Filter command line activity run with elevated privileges |
| 153 | Unified Logs | Kernel Extensions | Filter kernel extension events |
| 154 | Unified Logs | Screensharing | Filter screen sharing events |
| 155 | Unified Logs | Keychain | Filter keychain unlock events |
| 156 | Unified Logs | Session Creation and Destruction | Filter session creation and destruction events |
| 157 | Unified Logs | XProtect Remediation | Filter malicious software detection and blocking events |
| 158 | Unified Logs | Failed Sudo | Filter failed sudo events |
| 159 | Unified Logs | Manual Configuration Profile Install | Filter MDM Clients Events |
| 160 | Persistence | Mail Rules | Collect Mail Rules that contain AppleScript |
| 161 | Persistence | Login Hooks | Collect Login Hooks |
| 162 | Persistence | Logout Hooks | Collect Logout Hooks |
| 163 | Persistence | Emond Clients | Collect Emond Clients |
| 164 | SSH | SSH Authorized Keys | Collect SSH authorized keys |
| 165 | SSH | SSH Configs | Collect SSH configurations |
| 166 | SSH | SSH Known Hosts | Collect SSH known hosts |
| 167 | SSH | SSHD Configs | Collect SSHD configurations |

macOS Artifact List

| # | Category | Name | Description |
|---|----------|------|-------------|
| 1 | Server | Apache Logs | Collect Apache Logs |
| 2 | Server | NGINX Logs | Collect NGINX Logs |
| 3 | Server | MongoDB Logs | Collect MongoDB Logs |
| 4 | Server | MySQL Logs | Collect MySQL Logs |
| 5 | Server | PostgreSQL Logs | Collect PostgreSQL Logs |
| 6 | System | System Logs | Collect System Logs |
| 7 | System | Install Logs | Collect Install Logs |
| 8 | System | Wifi Logs | Collect Wifi Logs |
| 9 | System | KnowledgeC | Collect KnowledgeC Database |
| 10 | Docker | Docker Changes | Collect Docker Changes |
| 11 | Docker | Docker Containers | Collect Docker Containers |
| 12 | Docker | Docker Image History | Collect Docker Image History |
| 13 | Docker | Docker Images | Collect Docker Images |
| 14 | Docker | Docker Info | Collect Docker Info |
| 15 | Docker | Docker Networks | Collect Docker Networks |
| 16 | Docker | Docker Processes | Collect Docker Processes |
| 17 | Docker | Docker Volumes | Collect Docker Volumes |
| 18 | Docker | Docker Container Logs | Collect Docker Container Logs |
| 19 | Docker | Docker Logs | Collect Docker Logs on Filesystem |
| 20 | Communication | AnyDesk Logs | Collect AnyDesk Logs |
| 21 | Communication | TeamViewer Logs | Collect TeamViewer Logs |
| 22 | Communication | Discord Desktop Cache | Collect Discord Desktop Cache |
| 23 | Communication | Splashtop Mac Logs | Collect Splashtop Mac Application Logs |
| 24 | Utilities Artifacts | Parallels Logs | Collect Parallels Logs |
| 25 | Utilities Artifacts | Homebrew Logs | Collect Homebrew Logs |
| 26 | Antivirus Logs | Sophos Events Database | Collect Sophos Events Database |
| 27 | Antivirus Logs | Sophos Logs | Collect Sophos Logs |