Windows Collections

AIR supports the following Windows Evidence and Artifacts

Windows Evidence List

System

Crash Dump Information

Collect information about crash dumps

System

Recycle Bin Information

Collect information about items in recycle bin

System

System Restore Points Information

Collect information about system restore points

System

Drivers List

Collect driver list

System

Running Processes and Modules

Collect running processes and modules list

System

Antivirus Information

Collect information about installed antivirus

System

DNS Servers

Collect DNS Server addresses

System

Proxy List

Collect information about proxy list

System

Installed Applications

Enumerate Installed Applications

System

Firewall Rules

Enumerate Firewall Rules

System

USB Storage History

Collect USB Storage History

System

Downloaded Files Information

Collect information about downloaded files

System

Shadow Copy as CSV

Dump Latest Shadow Copy Files Information in CSV Format

System

EventTranscript DB

Collect EventTranscript DB

System

Users

Collect Users

System

User Access Logs (UAL)

Collect and Parse User Access Logs

System

SAM Users and Groups

Collect SAM Users and Groups

System

Wireless Connection History

Enumerate Wireless Connection History

System

Windows Error Reporting Files

Collect WER Files

System

NTDS.dit

Collect Active Directory NTDS Database

System

Environment Variables

Enumerate Environment Variables

Persistence

WMI Active Script

Dump WMI Active Script Event Consumers

Persistence

WMI Command Line

Dump WMI Command Line Event Consumers

Persistence

Registry Items

Enumerate Registry Items

Persistence

Scheduled Tasks

Enumerate Scheduled Tasks

Persistence

Service List

Enumerate Service List

Persistence

Startup Items

Enumerate Startup Items

Disk

Volumes Information

Collect information about volumes

Disk

MBR

Collect Master Boot Record

Memory

RAM Image

Create an image of RAM

Memory

Page File

Dump system page file

Memory

Swap File

Dump system swap file

Memory

Hibernation File

Dump hibernation file

Browser

Default Browser

Collect Default Browser

Browser

Chrome Cookies

Collect Chrome Cookies

Browser

Edge Cookies

Collect Edge Cookies

Browser

Opera Cookies

Collect Opera Cookies

Browser

Vivaldi Cookies

Collect Vivaldi Cookies

Browser

Brave Cookies

Collect Brave Cookies

Browser

QQ Cookies

Collect QQ Cookies

Browser

Chrome Bookmarks

Collect Chrome Bookmarks

Browser

Edge Bookmarks

Collect Edge Bookmarks

Browser

Opera Bookmarks

Collect Opera Bookmarks

Browser

Vivaldi Bookmarks

Collect Vivaldi Bookmarks

Browser

Brave Bookmarks

Collect Brave Bookmarks

Browser

QQ Bookmarks

Collect QQ Bookmarks

Browser

Chrome User Profiles

Collect Chrome User Profiles

Browser

Edge User Profiles

Collect Edge User Profiles

Browser

Opera User Profiles

Collect Opera User Profiles

Browser

Vivaldi User Profiles

Collect Vivaldi User Profiles

Browser

Brave User Profiles

Collect Brave User Profiles

Browser

QQ User Profiles

Collect QQ User Profiles

Browser

Chrome Extensions

Collect Chrome Extensions

Browser

Edge Extensions

Collect Edge Extensions

Browser

Opera Extensions

Collect Opera Extensions

Browser

Brave Extensions

Collect Brave Extensions

Browser

Vivaldi Extensions

Collect Vivaldi Extensions

Browser

QQ Extensions

Collect QQ Extensions

Browser

Firefox Extensions

Collect Firefox Extensions (Addons)

Browser

Chrome Local Storage

Collect Chrome Local Storage

Browser

Edge Local Storage

Collect Edge Local Storage

Browser

Opera Local Storage

Collect Opera Local Storage

Browser

Vivaldi Local Storage

Collect Vivaldi Local Storage

Browser

Brave Local Storage

Collect Brave Local Storage

Browser

QQ Local Storage

Collect QQ Local Storage

Browser

Dump Chrome Indexed DB

Browser

Dump Edge Indexed DB

Browser

Dump Opera Indexed DB

Browser

Dump Vivaldi Indexed DB

Browser

Dump Brave Indexed DB

Browser

Dump QQ Indexed DB

Browser

Chrome Web Storage

Collect Chrome Web Storage

Browser

Edge Web Storage

Collect Edge Web Storage

Browser

Opera Web Storage

Collect Opera Web Storage

Browser

Vivaldi Web Storage

Collect Vivaldi Web Storage

Browser

Brave Web Storage

Collect Brave Web Storage

Browser

QQ Web Storage

Collect QQ Web Storage

Browser

Chrome Form History

Collect Chrome Form History

Browser

Edge Form History

Collect Edge Form History

Browser

Opera Form History

Collect Opera Form History

Browser

Vivaldi Form History

Collect Vivaldi Form History

Browser

Brave Form History

Collect Brave Form History

Browser

QQ Form History

Collect QQ Form History

Browser

Chrome Thumbnails

Collect Chrome Thumbnails

Browser

Edge Thumbnails

Collect Edge Thumbnails

Browser

Opera Thumbnails

Collect Opera Thumbnails

Browser

Vivaldi Thumbnails

Collect Vivaldi Thumbnails

Browser

Brave Thumbnails

Collect Brave Thumbnails

Browser

QQ Thumbnails

Collect QQ Thumbnails

Browser

Chrome Favicons

Collect Chrome Favicons

Browser

Edge Favicons

Collect Edge Favicons

Browser

Opera Favicons

Collect Opera Favicons

Browser

Vivaldi Favicons

Collect Vivaldi Favicons

Browser

Brave Favicons

Collect Brave Favicons

Browser

QQ Favicons

Collect QQ Favicons

Browser

Chrome Login Data

Collect Chrome Login Data

Browser

Edge Login Data

Collect Edge Login Data

Browser

Opera Login Data

Collect Opera Login Data

Browser

Vivaldi Login Data

Collect Vivaldi Login Data

100

Browser

Brave Login Data

Collect Brave Login Data

101

Browser

QQ Login Data

Collect QQ Login Data

102

Browser

Chrome Sessions

Collect Chrome Sessions

103

Browser

Edge Sessions

Collect Edge Sessions

104

Browser

Opera Sessions

Collect Opera Sessions

105

Browser

Brave Sessions

Collect Brave Sessions

106

Browser

Vivaldi Sessions

Collect Vivaldi Sessions

107

Browser

QQ Sessions

Collect QQ Sessions

108

Browser

Chrome Browsing History

Collect visited URLs from Google Chrome

109

Browser

Firefox Browsing History

Collect visited URLs from Mozilla Firefox

110

Browser

IE 7,8,9 Browsing History

Collect visited URLs from Internet Explorer

111

Browser

IE 10,11,Edge Browsing History

Collect visited URLs from Internet Explorer and Edge

112

Browser

Opera Browsing History

Collect Visited URLs from Opera

113

Browser

Brave Browsing History

Collect Visited URLs from Brave

114

Browser

Vivaldi Browsing History

Collect Visited URLs from Vivaldi

115

Browser

QQ Browsing History

Collect Visited URLs from QQ

116

Browser

Chrome Downloads

Collect Chrome Downloads

117

Browser

Edge Downloads

Collect Edge Downloads

118

Browser

Firefox Downloads

Collect Firefox Downloads

119

Browser

Opera Downloads

Collect Opera Downloads

120

Browser

Brave Downloads

Collect Brave Downloads

121

Browser

Vivaldi Downloads

Collect Vivaldi Downloads

122

Browser

QQ Downloads

Collect QQ Downloads

123

Browser

Firefox Cookies

Collect Firefox Cookies

124

NTFS

MFT as CSV

Dump MFT entries in CSV format

125

NTFS

MFT

Dump raw contents of $MFT

126

NTFS

MFT Mirror

Dump MFT Mirror as raw

127

NTFS

USN Journal as CSV

Parse USN Journal Entries in CSV Format

128

NTFS

$Log File

Dump raw contents of $LogFile

129

NTFS

USN Journal

Dump contents of $UsnJrnl file

130

NTFS

$Boot

Dump Raw Contents of $Boot File

131

NTFS

USN Journal $Max

Dump Contents of $UsnJrnl:$Max

132

NTFS

$Secure:$SDS

Dump Contents of $Secure:$SDS

133

NTFS

$TxfLog $Tops:$T

Dump Contents of $TxfLog\$Tops:$T

134

Registry

Registry Hives

Dump registry hives

135

Registry

Old Registry Hives

Dump old registry hives in upgraded operating systems

136

Registry

ShellBags

Enumerate ShellBags

137

Registry

AppCompactCache

Enumarate AppCompatCache (aka ShimCache)

138

Registry

UserAssist

Enumerate UserAssist

139

Registry

TypedPaths

Enumerate TypedPaths

140

Registry

FirstFolder

Enumerate FirstFolder

141

Registry

RecentDocs

Enumerate RecentDocs

142

Registry

WordWheelQuery

Enumerate WordWheelQuery

143

Registry

FileExts

Enumerate FileExts

144

Registry

ShellFolders

Enumerate ShellFolders

145

Registry

RunMRU

Enumerate RunMRU

146

Registry

Map Network Drive MRU

Enumerate Map Network Drive MRU

147

Registry

TypedURLs

Enumerate TypedURLs

148

Registry

OfficeMRU

Enumerate OfficeMRU

149

Registry

AppPaths

Enumerate AppPaths

150

Registry

CIDSizeMRU

Enumerate CIDSizeMRU

151

Registry

LastVisitedPidlMRU

Enumerate LastVisitedPidlMRU

152

Registry

OpenSavePidlMRU

Enumerate OpenSavePidlMRU

153

Registry

Winrar History

Enumerate Winrar History

154

Network

DNS Cache

Collect DNS Cache

155

Network

TCP Table

Collect TCP Table

156

Network

UDP Table

Collect UDP Table

157

Network

ARP Table

Collect ARP Table

158

Network

IPv4 Routes

Collect IPv4 Routes

159

Network

Network Adapters

Collect information about network adapters

160

Network

Network Shares

Collect information about network shares

161

Network

Hosts

Dump Hosts File

162

Event Logs

Event Log EVT Files

Dump evt event log files

163

Event Logs

Event Log EVTX Files

Dump evtx event log files

164

Event Logs

Event Log EVT Records

Collect most recent event log records

165

Process Execution

Prefetch Files

Collect Prefetch Files and Parse

166

Process Execution

SRUM

Collect SRUM and Parse

167

Process Execution

Windows Timeline

Collect Windows Timeline

168

Process Execution

AmCache

Collect Amcache and Parse

169

Process Execution

Recent File Cache

Collect recent file cache files

170

Process Execution

Parse LNK Files

171

Process Execution

Collect LNK Files

172

Other Evidence

ETL

Collect ETL Log

173

Other Evidence

CLR

Collect CLR Log

174

Other Evidence

Jump List

Collect Jump List Files

175

Other Evidence

Windows Index Search

Collect Windows Index Search Database

176

Other Evidence

Superfetch

Collect Superfetch Files

177

Other Evidence

WBEM

Collect WBEM Files

178

Other Evidence

INF Setup

Collect INF Setup Log Files

179

Other Evidence

SDB

Collect SDB

180

Other Evidence

Powershell Logs

Collect Powershell Logs

181

Other Evidence

Powershell ConsoleHost History

Collect Powershell ConsoleHost History

182

Other Evidence

Thumbcache

Collect Thumbcache

183

Other Evidence

Iconcache

Collect Iconcache

184

Other Evidence

RDP Cache

Collect RDP Cache Files

Windows Artifact List:

Server

Apache Logs

Collect Apache Logs

Server

MongoDB Logs

Collect MongoDB Logs

Server

IIS Logs

Collect IIS Logs

Server

MSSQL Logs

Collect MSSQL Logs

Server

Microsoft Exchange Logs

Collect Microsoft Exchange Logs

Server

DHCP Server Logs

Collect DHCP Server Logs

Server

DNS Server Logs

Collect DNS Server Logs

Server

Active Directory Logs

Collect Active Directory Logs

Microsoft Applications

Microsoft Photos

Collect Microsoft Photos History Database

Microsoft Applications

Cortana History

Collect Cortana History Databases

Microsoft Applications

Microsoft Store Applications List

Collect Microsoft Store Applications List Database

Microsoft Applications

Microsoft Sticky Notes

Collect Microsoft Sticky Notes

Microsoft Applications

Microsoft Maps

Collect Microsoft Maps Locations

Microsoft Applications

Microsoft Voice Record History

Collect Microsoft Voice Record History

Microsoft Applications

Windows Notification History

Collect Windows Notification History

Microsoft Applications

Search History

Collect Windows Start Menu Search History

Microsoft Applications

Microsoft People

Collect Microsoft People Data

Microsoft Applications

Microsoft Calendar

Collect Microsoft Calendar Data

Communication

Discord Desktop Cache

Collect Discord Desktop Cache

Communication

Microsoft Mail

Collect Microsoft Mail Emails

Communication

Microsoft Outlook

Collect Microsoft Outlook Emails

Communication

Mozilla Thunderbird

Collect Mozilla Thunderbird Emails

Communication

Skype Databases

Collect Skype Databases

Communication

Skype Media

Collect Skype Media

Communication

Telegram Desktop Data

Collect Telegram Desktop Data

Communication

Telegram Desktop Download

Collect Telegram Desktop Download Folder

Communication

WhatsApp Desktop Cache

Collect WhatsApp Desktop Cache

Communication

WhatsApp Desktop Cookie

Collect WhatsApp Desktop Cookie

Communication

Windows Live Mail User Settings

Collect Windows Live Mail User Settings

Communication

Zoom Databases

Collect Zoom Databases

Communication

Zoom Media

Collect Zoom Media Files & Link Previews