Binalyze Knowledge Base
Windows Collections

AIR supports the following Windows Evidence and Artifacts.

Windows Evidence List

| # | Category | Evidence | Description |
|---|---|---|---|
| 1 | System | Crash Dump Information | Collect information about crash dumps |
| 2 | System | Recycle Bin Information | Collect information about items in recycle bin |
| 3 | System | System Restore Points Information | Collect information about system restore points |
| 4 | System | Drivers List | Collect driver list |
| 5 | System | Running Processes and Modules | Collect running processes and modules list |
| 6 | System | Antivirus Information | Collect information about installed antivirus |
| 7 | System | DNS Servers | Collect DNS Server addresses |
| 8 | System | Proxy List | Collect information about proxy list |
| 9 | System | Installed Applications | Enumerate Installed Applications |
| 10 | System | Firewall Rules | Enumerate Firewall Rules |
| 11 | System | USB Storage History | Collect USB Storage History |
| 12 | System | Downloaded Files Information | Collect information about downloaded files |
| 13 | System | Shadow Copy as CSV | Dump Latest Shadow Copy Files Information in CSV Format |
| 14 | System | EventTranscript DB | Collect EventTranscript DB |
| 15 | System | Users | Collect Users |
| 16 | System | User Access Logs (UAL) | Collect and Parse User Access Logs |
| 17 | System | SAM Users and Groups | Collect SAM Users and Groups |
| 18 | System | Wireless Connection History | Enumerate Wireless Connection History |
| 19 | System | Windows Error Reporting Files | Collect WER Files |
| 20 | System | NTDS.dit | Collect Active Directory NTDS Database |
| 21 | System | Environment Variables | Enumerate Environment Variables |
| 22 | System | User Folders | Collect User Folders Information |
| 23 | System | PDB Information | Collect Program Database Information |
| 24 | System | Object Directory | Collect Object Directory Information |
| 25 | System | Driver Objects | Collect Driver Objects Information |
| 26 | Persistence | WMI Active Script | Dump WMI Active Script Event Consumers |
| 27 | Persistence | WMI Command Line | Dump WMI Command Line Event Consumers |
| 28 | Persistence | Registry Items | Enumerate Registry Items |
| 29 | Persistence | Scheduled Tasks | Enumerate Scheduled Tasks |
| 30 | Persistence | Service List | Enumerate Service List |
| 31 | Persistence | Startup Items | Enumerate Startup Items |
| 32 | Disk | Volumes Information | Collect information about volumes |
| 33 | Disk | MBR | Collect Master Boot Record |
| 34 | Memory | RAM Image | Create an image of RAM |
| 35 | Memory | Page File | Dump system page file |
| 36 | Memory | Swap File | Dump system swap file |
| 37 | Memory | Hibernation File | Dump hibernation file |
| 38 | Browser | Default Browser | Collect Default Browser |
| 39 | Browser | Chrome Cookies | Collect Chrome Cookies |
| 40 | Browser | Edge Cookies | Collect Edge Cookies |
| 41 | Browser | Opera Cookies | Collect Opera Cookies |
| 42 | Browser | Vivaldi Cookies | Collect Vivaldi Cookies |
| 43 | Browser | Brave Cookies | Collect Brave Cookies |
| 44 | Browser | QQ Cookies | Collect QQ Cookies |
| 45 | Browser | Chrome Bookmarks | Collect Chrome Bookmarks |
| 46 | Browser | Edge Bookmarks | Collect Edge Bookmarks |
| 47 | Browser | Opera Bookmarks | Collect Opera Bookmarks |
| 48 | Browser | Vivaldi Bookmarks | Collect Vivaldi Bookmarks |
| 49 | Browser | Brave Bookmarks | Collect Brave Bookmarks |
| 50 | Browser | QQ Bookmarks | Collect QQ Bookmarks |
| 51 | Browser | Chrome User Profiles | Collect Chrome User Profiles |
| 52 | Browser | Edge User Profiles | Collect Edge User Profiles |
| 53 | Browser | Opera User Profiles | Collect Opera User Profiles |
| 54 | Browser | Vivaldi User Profiles | Collect Vivaldi User Profiles |
| 55 | Browser | Brave User Profiles | Collect Brave User Profiles |
| 56 | Browser | QQ User Profiles | Collect QQ User Profiles |
| 57 | Browser | Chrome Extensions | Collect Chrome Extensions |
| 58 | Browser | Edge Extensions | Collect Edge Extensions |
| 59 | Browser | Opera Extensions | Collect Opera Extensions |
| 60 | Browser | Brave Extensions | Collect Brave Extensions |
| 61 | Browser | Vivaldi Extensions | Collect Vivaldi Extensions |
| 62 | Browser | QQ Extensions | Collect QQ Extensions |
| 63 | Browser | Firefox Extensions | Collect Firefox Extensions (Addons) |
| 64 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
| 65 | Browser | Edge Local Storage | Collect Edge Local Storage |
| 66 | Browser | Opera Local Storage | Collect Opera Local Storage |
| 67 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
| 68 | Browser | Brave Local Storage | Collect Brave Local Storage |
| 69 | Browser | QQ Local Storage | Collect QQ Local Storage |
| 70 | Browser | Dump Chrome Indexed DB | Dump Chrome Indexed DB |
| 71 | Browser | Dump Edge Indexed DB | Dump Edge Indexed DB |
| 72 | Browser | Dump Opera Indexed DB | Dump Opera Indexed DB |
| 73 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi Indexed DB |
| 74 | Browser | Dump Brave Indexed DB | Dump Brave Indexed DB |
| 75 | Browser | Dump QQ Indexed DB | Dump QQ Indexed DB |
| 76 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
| 77 | Browser | Edge Web Storage | Collect Edge Web Storage |
| 78 | Browser | Opera Web Storage | Collect Opera Web Storage |
| 79 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
| 80 | Browser | Brave Web Storage | Collect Brave Web Storage |
| 81 | Browser | QQ Web Storage | Collect QQ Web Storage |
| 82 | Browser | Chrome Form History | Collect Chrome Form History |
| 83 | Browser | Edge Form History | Collect Edge Form History |
| 84 | Browser | Opera Form History | Collect Opera Form History |
| 85 | Browser | Vivaldi Form History | Collect Vivaldi Form History |
| 86 | Browser | Brave Form History | Collect Brave Form History |
| 87 | Browser | QQ Form History | Collect QQ Form History |
| 88 | Browser | Chrome Thumbnails | Collect Chrome Thumbnails |
| 89 | Browser | Edge Thumbnails | Collect Edge Thumbnails |
| 90 | Browser | Opera Thumbnails | Collect Opera Thumbnails |
| 91 | Browser | Vivaldi Thumbnails | Collect Vivaldi Thumbnails |
| 92 | Browser | Brave Thumbnails | Collect Brave Thumbnails |
| 93 | Browser | QQ Thumbnails | Collect QQ Thumbnails |
| 94 | Browser | Chrome Favicons | Collect Chrome Favicons |
| 95 | Browser | Edge Favicons | Collect Edge Favicons |
| 96 | Browser | Opera Favicons | Collect Opera Favicons |
| 97 | Browser | Vivaldi Favicons | Collect Vivaldi Favicons |
| 98 | Browser | Brave Favicons | Collect Brave Favicons |
| 99 | Browser | QQ Favicons | Collect QQ Favicons |
| 100 | Browser | Chrome Login Data | Collect Chrome Login Data |
| 101 | Browser | Edge Login Data | Collect Edge Login Data |
| 102 | Browser | Opera Login Data | Collect Opera Login Data |
| 103 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data |
| 104 | Browser | Brave Login Data | Collect Brave Login Data |
| 105 | Browser | QQ Login Data | Collect QQ Login Data |
| 106 | Browser | Chrome Sessions | Collect Chrome Sessions |
| 107 | Browser | Edge Sessions | Collect Edge Sessions |
| 108 | Browser | Opera Sessions | Collect Opera Sessions |
| 109 | Browser | Brave Sessions | Collect Brave Sessions |
| 110 | Browser | Vivaldi Sessions | Collect Vivaldi Sessions |
| 111 | Browser | QQ Sessions | Collect QQ Sessions |
| 112 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
| 113 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
| 114 | Browser | IE 7, 8, 9 Browsing History | Collect visited URLs from Internet Explorer |
| 115 | Browser | IE 10, 11, Edge Browsing History | Collect visited URLs from Internet Explorer and Edge |
| 116 | Browser | Opera Browsing History | Collect visited URLs from Opera |
| 117 | Browser | Brave Browsing History | Collect visited URLs from Brave |
| 118 | Browser | Vivaldi Browsing History | Collect visited URLs from Vivaldi |
| 119 | Browser | QQ Browsing History | Collect visited URLs from QQ |
| 120 | Browser | Chrome Downloads | Collect Chrome Downloads |
| 121 | Browser | Edge Downloads | Collect Edge Downloads |
| 122 | Browser | Firefox Downloads | Collect Firefox Downloads |
| 123 | Browser | Opera Downloads | Collect Opera Downloads |
| 124 | Browser | Brave Downloads | Collect Brave Downloads |
| 125 | Browser | Vivaldi Downloads | Collect Vivaldi Downloads |
| 126 | Browser | QQ Downloads | Collect QQ Downloads |
| 127 | Browser | Firefox Cookies | Collect Firefox Cookies |
| 128 | NTFS | MFT as CSV | Dump MFT entries in CSV format |
| 129 | NTFS | MFT | Dump raw contents of `$MFT` |
| 130 | NTFS | MFT Mirror | Dump MFT Mirror as raw |
| 131 | NTFS | USN Journal as CSV | Parse USN Journal Entries in CSV Format |
| 132 | NTFS | `$LogFile` | Dump raw contents of `$LogFile` |
| 133 | NTFS | USN Journal | Dump contents of `$UsnJrnl` file |
| 134 | NTFS | `$Boot` | Dump raw contents of `$Boot` file |
| 135 | NTFS | USN Journal `$Max` | Dump contents of `$UsnJrnl:$Max` |
| 136 | NTFS | `$Secure:$SDS` | Dump contents of `$Secure:$SDS` |
| 137 | NTFS | `$TxfLog\$Tops:$T` | Dump contents of `$TxfLog\$Tops:$T` |
| 138 | Registry | Registry Hives | Dump registry hives |
| 139 | Registry | Old Registry Hives | Dump old registry hives in upgraded operating systems |
| 140 | Registry | ShellBags | Enumerate ShellBags |
| 141 | Registry | AppCompatCache | Enumerate AppCompatCache (aka ShimCache) |
| 142 | Registry | UserAssist | Enumerate UserAssist |
| 143 | Registry | TypedPaths | Enumerate TypedPaths |
| 144 | Registry | FirstFolder | Enumerate FirstFolder |
| 145 | Registry | RecentDocs | Enumerate RecentDocs |
| 146 | Registry | WordWheelQuery | Enumerate WordWheelQuery |
| 147 | Registry | FileExts | Enumerate FileExts |
| 148 | Registry | ShellFolders | Enumerate ShellFolders |
| 149 | Registry | RunMRU | Enumerate RunMRU |
| 150 | Registry | Map Network Drive MRU | Enumerate Map Network Drive MRU |
| 151 | Registry | TypedURLs | Enumerate TypedURLs |
| 152 | Registry | OfficeMRU | Enumerate OfficeMRU |
| 153 | Registry | AppPaths | Enumerate AppPaths |
| 154 | Registry | CIDSizeMRU | Enumerate CIDSizeMRU |
| 155 | Registry | LastVisitedPidlMRU | Enumerate LastVisitedPidlMRU |
| 156 | Registry | OpenSavePidlMRU | Enumerate OpenSavePidlMRU |
| 157 | Registry | WinRAR History | Enumerate WinRAR History |
| 158 | Network | DNS Cache | Collect DNS Cache |
| 159 | Network | TCP Table | Collect TCP Table |
| 160 | Network | UDP Table | Collect UDP Table |
| 161 | Network | ARP Table | Collect ARP Table |
| 162 | Network | IPv4 Routes | Collect IPv4 Routes |
| 163 | Network | Network Adapters | Collect information about network adapters |
| 164 | Network | Network Shares | Collect information about network shares |
| 165 | Network | Hosts | Dump Hosts File |
| 166 | Event Logs | Event Log EVT Files | Dump evt event log files |
| 167 | Event Logs | Event Log EVTX Files | Dump evtx event log files |
| 168 | Event Logs | Event Log EVT Records | Collect most recent event log records |
| 169 | Process Execution | Prefetch Files | Collect Prefetch Files and Parse |
| 170 | Process Execution | SRUM | Collect SRUM and Parse |
| 171 | Process Execution | Windows Timeline | Collect Windows Timeline |
| 172 | Process Execution | AmCache | Collect Amcache and Parse |
| 173 | Process Execution | Recent File Cache | Collect recent file cache files |
| 174 | Process Execution | Parse LNK Files | Parse LNK Files |
| 175 | Process Execution | Collect LNK Files | Collect LNK Files |
| 176 | Process Execution | JumpList Automatic Files | Collect JumpList Automatic Files |
| 177 | Process Execution | JumpList Automatic Entries | Parse JumpList Automatic Entries |
| 178 | Process Execution | JumpList Custom Files | Collect JumpList Custom Files |
| 179 | Process Execution | JumpList Custom Entries | Parse JumpList Custom Entries |
| 180 | Other Evidence | ETL | Collect ETL Log |
| 181 | Other Evidence | CLR | Collect CLR Log |
| 182 | Other Evidence | Windows Index Search | Collect Windows Index Search Database |
| 183 | Other Evidence | Superfetch | Collect Superfetch Files |
| 184 | Other Evidence | WBEM | Collect WBEM Files |
| 185 | Other Evidence | INF Setup | Collect INF Setup Log Files |
| 186 | Other Evidence | SDB | Collect SDB |
| 187 | Other Evidence | PowerShell Logs | Collect PowerShell Logs |
| 188 | Other Evidence | PowerShell ConsoleHost History | Collect PowerShell ConsoleHost History |
| 189 | Other Evidence | Thumbcache | Collect Thumbcache |
| 190 | Other Evidence | Iconcache | Collect Iconcache |
| 191 | Other Evidence | RDP Cache | Collect RDP Cache Files |

Windows Artifact List

| # | Category | Artifact | Description |
|---|---|---|---|
| 1 | Server | Apache Logs | Collect Apache Logs |
| 2 | Server | MongoDB Logs | Collect MongoDB Logs |
| 3 | Server | IIS Logs | Collect IIS Logs |
| 4 | Server | MSSQL Logs | Collect MSSQL Logs |
| 5 | Server | Microsoft Exchange Logs | Collect Microsoft Exchange Logs |
| 6 | Server | DHCP Server Logs | Collect DHCP Server Logs |
| 7 | Server | DNS Server Logs | Collect DNS Server Logs |
| 8 | Server | Active Directory Logs | Collect Active Directory Logs |
| 9 | Microsoft Applications | Microsoft Photos | Collect Microsoft Photos History Database |
| 10 | Microsoft Applications | Cortana History | Collect Cortana History Databases |
| 11 | Microsoft Applications | Microsoft Store Applications List | Collect Microsoft Store Applications List Database |
| 12 | Microsoft Applications | Microsoft Sticky Notes | Collect Microsoft Sticky Notes |
| 13 | Microsoft Applications | Microsoft Maps | Collect Microsoft Maps Locations |
| 14 | Microsoft Applications | Microsoft Voice Record History | Collect Microsoft Voice Record History |
| 15 | Microsoft Applications | Windows Notification History | Collect Windows Notification History |
| 16 | Microsoft Applications | Search History | Collect Windows Start Menu Search History |
| 17 | Microsoft Applications | Microsoft People | Collect Microsoft People Data |
| 18 | Microsoft Applications | Microsoft Calendar | Collect Microsoft Calendar Data |
| 19 | Communication | Discord Desktop Cache | Collect Discord Desktop Cache |
| 20 | Communication | Microsoft Mail | Collect Microsoft Mail Emails |
| 21 | Communication | Microsoft Outlook | Collect Microsoft Outlook Emails |
| 22 | Communication | Mozilla Thunderbird | Collect Mozilla Thunderbird Emails |
| 23 | Communication | Skype Databases | Collect Skype Databases |
| 24 | Communication | Skype Media | Collect Skype Media |
| 25 | Communication | Telegram Desktop Data | Collect Telegram Desktop Data |
| 26 | Communication | Telegram Desktop Download | Collect Telegram Desktop Download Folder |
| 27 | Communication | WhatsApp Desktop Cache | Collect WhatsApp Desktop Cache |
| 28 | Communication | WhatsApp Desktop Cookie | Collect WhatsApp Desktop Cookie |
| 29 | Communication | Windows Live Mail User Settings | Collect Windows Live Mail User Settings |
| 30 | Communication | Zoom Databases | Collect Zoom Databases |
| 31 | Communication | Zoom Media | Collect Zoom Media Files & Link Previews |
| 32 | Remote Desktop/Management Tools | Action1 RMM Logs | Collect Action1 RMM Logs |
| 33 | Remote Desktop/Management Tools | AmmyAdmin Logs | Collect AmmyAdmin Logs |
| 34 | Remote Desktop/Management Tools | AnyDesk Logs | Collect AnyDesk Logs |
| 35 | Remote Desktop/Management Tools | GoTo Logs | Collect GoTo Logs |
| 36 | Remote Desktop/Management Tools | Kaseya Logs | Collect Kaseya Logs |
| 37 | Remote Desktop/Management Tools | Level Logs | Collect Level Application Specific Files and Logs |
| 38 | Remote Desktop/Management Tools | LogMeIn Logs | Collect LogMeIn Logs |
| 39 | Remote Desktop/Management Tools | RealVNC Logs | Collect RealVNC Application Debug Logs |
| 40 | Remote Desktop/Management Tools | RemComSvc Logs | Collect RemComSvc Logs |
| 41 | Remote Desktop/Management Tools | Remote Utilities Logs | Collect Remote Utilities Application Logs |
| 42 | Remote Desktop/Management Tools | ScreenConnect (ConnectWise Control) Application Data | Collect Various Types of ScreenConnect (ConnectWise Control) Application Data |
| 43 | Remote Desktop/Management Tools | Splashtop Logs | Collect Splashtop Application Logs |
| 44 | Remote Desktop/Management Tools | Supremo Remote Desktop Logs | Collect Supremo Remote Desktop Application Logs |
| 45 | Remote Desktop/Management Tools | TeamViewer Logs | Collect TeamViewer Connection Logs |
| 46 | Remote Desktop/Management Tools | TightVNC Logs | Collect TightVNC Application Logs |
| 47 | Remote Desktop/Management Tools | UltraViewer Logs | Collect UltraViewer Logs |
| 48 | Remote Desktop/Management Tools | UltraVNC Logs | Collect UltraVNC Application Specific Log Files |
| 49 | Remote Desktop/Management Tools | Xeox Logs | Collect Xeox Application Specific Log Files |
| 50 | Remote Desktop/Management Tools | ZohoAssist Logs | Collect ZohoAssist Application Specific Logs |
| 51 | Social Artifacts | Twitter Databases | Collect Twitter Store Application Databases |
| 52 | Social Artifacts | Twitter Cache | Collect Twitter Store Application Cache |
| 53 | Social Artifacts | Facebook Databases | Collect Facebook Store Application User Databases |
| 54 | Social Artifacts | Facebook Cache | Collect Facebook Store Application Cache |
| 55 | Social Artifacts | LinkedIn Cache | Collect LinkedIn Store Application Cache |
| 56 | Social Artifacts | Spotify Recently Played List | Collect Spotify Recently Played List & Social Manager |
| 57 | Social Artifacts | Spotify Cache | Collect Spotify Cache |
| 58 | Productivity Artifacts | Sublime Text Sessions | Collect Sublime Text Sessions & Contents |
| 59 | Productivity Artifacts | Notepad++ Sessions | Collect Notepad++ Search History & Sessions |
| 60 | Productivity Artifacts | OpenVPN Config | Collect OpenVPN Config Files |
| 61 | Productivity Artifacts | Everything History | Collect Everything Run History |
| 62 | Productivity Artifacts | Evernote Databases | Collect Evernote Databases |
| 63 | Productivity Artifacts | Evernote Drag and Drop Files | Collect Evernote Drag and Drop Files |
| 64 | Productivity Artifacts | Evernote Logs | Collect Evernote Logs |
| 65 | Utilities Artifacts | iTunes Backups | Collect iTunes Backups |
| 66 | Utilities Artifacts | VMware Config | Collect VMware Config |
| 67 | Utilities Artifacts | VMware Drag and Drop Files | Collect VMware Drag and Drop Files |
| 68 | Utilities Artifacts | VMware Logs | Collect VMware Logs |
| 69 | Developer Tools | FileZilla Sessions | Collect FileZilla Sessions & Site Manager Settings |
| 70 | Developer Tools | Visual Studio Team Explorer Config | Collect Visual Studio Team Explorer Config |
| 71 | Developer Tools | GitHub Desktop Databases | Collect GitHub Desktop Databases |
| 72 | Developer Tools | GitHub Desktop Cache | Collect GitHub Desktop Cache |
| 73 | Developer Tools | GitHub Desktop Logs | Collect GitHub Desktop Logs |
| 74 | Developer Tools | WSL | Collect Windows Subsystem for Linux Files |
| 75 | Developer Tools | TortoiseGit Logs | Collect TortoiseGit Synchronization Logs |
| 76 | Cloud Artifacts | Google Drive Databases | Collect Google Drive Synchronization Databases |
| 77 | Cloud Artifacts | Dropbox Databases | Collect Dropbox Synchronization Databases |
| 78 | Cloud Artifacts | Dropbox Logs | Collect Dropbox Logs |
| 79 | Cloud Artifacts | Dropbox Cache | Collect Dropbox Cache |
| 80 | Cloud Artifacts | OneDrive Logs | Collect OneDrive Logs |
| 81 | Docker | Docker Changes | Collect Docker Changes |
| 82 | Docker | Docker Containers | Collect Docker Containers |
| 83 | Docker | Docker Image History | Collect Docker Image History |
| 84 | Docker | Docker Images | Collect Docker Images |
| 85 | Docker | Docker Info | Collect Docker Info |
| 86 | Docker | Docker Networks | Collect Docker Networks |
| 87 | Docker | Docker Processes | Collect Docker Processes |
| 88 | Docker | Docker Volumes | Collect Docker Volumes |
| 89 | Docker | Docker Container Logs | Collect Docker Container Logs |
| 90 | Antivirus Logs | Avast Logs | Collect Avast Logs |
| 91 | Antivirus Logs | AVG Logs | Collect AVG Logs |
| 92 | Antivirus Logs | Avira Logs | Collect Avira Logs |
| 93 | Antivirus Logs | Bitdefender Logs | Collect Bitdefender Logs |
| 94 | Antivirus Logs | Carbon Black Logs | Collect Carbon Black Logs |
| 95 | Antivirus Logs | Cisco AMP Logs | Collect Cisco AMP Logs |
| 96 | Antivirus Logs | ComboFix | Collect ComboFix Logs |
| 97 | Antivirus Logs | Cybereason Logs | Collect Cybereason Logs |
| 98 | Antivirus Logs | Cylance Logs | Collect Cylance Logs |
| 99 | Antivirus Logs | Deep Instinct Logs | Collect Deep Instinct Logs |
| 100 | Antivirus Logs | Elastic Logs | Collect Elastic Logs |
| 101 | Antivirus Logs | ESET Logs | Collect ESET Logs |
| 102 | Antivirus Logs | F-Secure Logs | Collect F-Secure Logs |
| 103 | Antivirus Logs | FireEye Logs | Collect FireEye Logs |
| 104 | Antivirus Logs | HitmanPro Logs | Collect HitmanPro Logs |
| 105 | Antivirus Logs | Malwarebytes Logs | Collect Malwarebytes Logs |
| 106 | Antivirus Logs | McAfee Logs | Collect McAfee Logs |
| 107 | Antivirus Logs | Palo Alto Logs | Collect Palo Alto Logs |
| 108 | Antivirus Logs | RogueKiller Reports | Collect RogueKiller Reports |
| 109 | Antivirus Logs | SentinelOne Logs | Collect SentinelOne Logs |
| 110 | Antivirus Logs | Sophos Logs | Collect Sophos Logs |
| 111 | Antivirus Logs | Sourcefire FireAMP Logs | Collect Sourcefire FireAMP Logs |
| 112 | Antivirus Logs | SUPERAntiSpyware Logs | Collect SUPERAntiSpyware Logs |
| 113 | Antivirus Logs | Symantec Logs | Collect Symantec Logs |
| 114 | Antivirus Logs | Tanium Logs | Collect Tanium Logs |
| 115 | Antivirus Logs | TotalAV Logs | Collect TotalAV Logs |
| 116 | Antivirus Logs | Trend Micro Logs | Collect Trend Micro Logs |
| 117 | Antivirus Logs | VIPRE Logs | Collect VIPRE Logs |
| 118 | Antivirus Logs | Webroot Logs | Collect Webroot Logs |
| 119 | Antivirus Logs | Windows Defender Logs | Collect Windows Defender Logs |
