Windows Collections
AIR supports the following Windows evidence and artifacts. Each entry below lists the item number, its category, the name shown in AIR, and what the collector gathers.

Windows Evidence List
| # | Category | Evidence | Description |
|---|---|---|---|
| 1 | System | Crash Dump Information | Collect information about crash dumps |
| 2 | System | Recycle Bin Information | Collect information about items in the Recycle Bin |
| 3 | System | System Restore Points Information | Collect information about system restore points |
| 4 | System | Drivers List | Collect the list of installed drivers |
| 5 | System | Running Processes and Modules | Collect the list of running processes and their loaded modules |
| 6 | System | Antivirus Information | Collect information about installed antivirus products |
| 7 | System | DNS Servers | Collect configured DNS server addresses |
| 8 | System | Proxy List | Collect information about configured proxies |
| 9 | System | Installed Applications | Enumerate installed applications |
| 10 | System | Firewall Rules | Enumerate firewall rules |
| 11 | System | USB Storage History | Collect USB storage device history |
| 12 | System | Downloaded Files Information | Collect information about downloaded files |
| 13 | System | Shadow Copy as CSV | Dump file information from the latest shadow copy in CSV format |
| 14 | System | EventTranscript DB | Collect the EventTranscript.db diagnostic data database |
| 15 | System | Users | Collect user accounts |
| 16 | System | User Access Logs (UAL) | Collect and parse User Access Logs |
| 17 | System | SAM Users and Groups | Collect users and groups from the SAM hive |
| 18 | System | Wireless Connection History | Enumerate wireless connection history |
| 19 | System | Windows Error Reporting Files | Collect Windows Error Reporting (WER) files |
| 20 | System | NTDS.dit | Collect the Active Directory database (NTDS.dit) |
| 21 | System | Environment Variables | Enumerate environment variables |
| 22 | Persistence | WMI Active Script | Dump WMI ActiveScript event consumers |
| 23 | Persistence | WMI Command Line | Dump WMI CommandLine event consumers |
| 24 | Persistence | Registry Items | Enumerate registry persistence items |
| 25 | Persistence | Scheduled Tasks | Enumerate scheduled tasks |
| 26 | Persistence | Service List | Enumerate installed services |
| 27 | Persistence | Startup Items | Enumerate startup items |
| 28 | Disk | Volumes Information | Collect information about volumes |
| 29 | Disk | MBR | Collect the Master Boot Record |
| 30 | Memory | RAM Image | Create an image of physical memory (RAM) |
| 31 | Memory | Page File | Dump the system page file (pagefile.sys) |
| 32 | Memory | Swap File | Dump the system swap file (swapfile.sys) |
| 33 | Memory | Hibernation File | Dump the hibernation file (hiberfil.sys) |
| 34 | Browser | Default Browser | Collect the default browser setting |
| 35 | Browser | Chrome Cookies | Collect Chrome cookies |
| 36 | Browser | Edge Cookies | Collect Edge cookies |
| 37 | Browser | Opera Cookies | Collect Opera cookies |
| 38 | Browser | Vivaldi Cookies | Collect Vivaldi cookies |
| 39 | Browser | Brave Cookies | Collect Brave cookies |
| 40 | Browser | QQ Cookies | Collect QQ cookies |
| 41 | Browser | Chrome Bookmarks | Collect Chrome bookmarks |
| 42 | Browser | Edge Bookmarks | Collect Edge bookmarks |
| 43 | Browser | Opera Bookmarks | Collect Opera bookmarks |
| 44 | Browser | Vivaldi Bookmarks | Collect Vivaldi bookmarks |
| 45 | Browser | Brave Bookmarks | Collect Brave bookmarks |
| 46 | Browser | QQ Bookmarks | Collect QQ bookmarks |
| 47 | Browser | Chrome User Profiles | Collect Chrome user profiles |
| 48 | Browser | Edge User Profiles | Collect Edge user profiles |
| 49 | Browser | Opera User Profiles | Collect Opera user profiles |
| 50 | Browser | Vivaldi User Profiles | Collect Vivaldi user profiles |
| 51 | Browser | Brave User Profiles | Collect Brave user profiles |
| 52 | Browser | QQ User Profiles | Collect QQ user profiles |
| 53 | Browser | Chrome Extensions | Collect Chrome extensions |
| 54 | Browser | Edge Extensions | Collect Edge extensions |
| 55 | Browser | Opera Extensions | Collect Opera extensions |
| 56 | Browser | Brave Extensions | Collect Brave extensions |
| 57 | Browser | Vivaldi Extensions | Collect Vivaldi extensions |
| 58 | Browser | QQ Extensions | Collect QQ extensions |
| 59 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
| 60 | Browser | Edge Local Storage | Collect Edge Local Storage |
| 61 | Browser | Opera Local Storage | Collect Opera Local Storage |
| 62 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
| 63 | Browser | Brave Local Storage | Collect Brave Local Storage |
| 64 | Browser | QQ Local Storage | Collect QQ Local Storage |
| 65 | Browser | Dump Chrome Indexed DB | Dump Chrome IndexedDB |
| 66 | Browser | Dump Edge Indexed DB | Dump Edge IndexedDB |
| 67 | Browser | Dump Opera Indexed DB | Dump Opera IndexedDB |
| 68 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi IndexedDB |
| 69 | Browser | Dump Brave Indexed DB | Dump Brave IndexedDB |
| 70 | Browser | Dump QQ Indexed DB | Dump QQ IndexedDB |
| 71 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
| 72 | Browser | Edge Web Storage | Collect Edge Web Storage |
| 73 | Browser | Opera Web Storage | Collect Opera Web Storage |
| 74 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
| 75 | Browser | Brave Web Storage | Collect Brave Web Storage |
| 76 | Browser | QQ Web Storage | Collect QQ Web Storage |
| 77 | Browser | Chrome Form History | Collect Chrome form history |
| 78 | Browser | Edge Form History | Collect Edge form history |
| 79 | Browser | Opera Form History | Collect Opera form history |
| 80 | Browser | Vivaldi Form History | Collect Vivaldi form history |
| 81 | Browser | Brave Form History | Collect Brave form history |
| 82 | Browser | QQ Form History | Collect QQ form history |
| 83 | Browser | Chrome Thumbnails | Collect Chrome thumbnails |
| 84 | Browser | Edge Thumbnails | Collect Edge thumbnails |
| 85 | Browser | Opera Thumbnails | Collect Opera thumbnails |
| 86 | Browser | Vivaldi Thumbnails | Collect Vivaldi thumbnails |
| 87 | Browser | Brave Thumbnails | Collect Brave thumbnails |
| 88 | Browser | QQ Thumbnails | Collect QQ thumbnails |
| 89 | Browser | Chrome Favicons | Collect Chrome favicons |
| 90 | Browser | Edge Favicons | Collect Edge favicons |
| 91 | Browser | Opera Favicons | Collect Opera favicons |
| 92 | Browser | Vivaldi Favicons | Collect Vivaldi favicons |
| 93 | Browser | Brave Favicons | Collect Brave favicons |
| 94 | Browser | QQ Favicons | Collect QQ favicons |
| 95 | Browser | Chrome Login Data | Collect Chrome Login Data (saved credentials database) |
| 96 | Browser | Edge Login Data | Collect Edge Login Data (saved credentials database) |
| 97 | Browser | Opera Login Data | Collect Opera Login Data (saved credentials database) |
| 98 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data (saved credentials database) |
| 99 | Browser | Brave Login Data | Collect Brave Login Data (saved credentials database) |
| 100 | Browser | QQ Login Data | Collect QQ Login Data (saved credentials database) |
| 101 | Browser | Chrome Sessions | Collect Chrome sessions |
| 102 | Browser | Edge Sessions | Collect Edge sessions |
| 103 | Browser | Opera Sessions | Collect Opera sessions |
| 104 | Browser | Brave Sessions | Collect Brave sessions |
| 105 | Browser | Vivaldi Sessions | Collect Vivaldi sessions |
| 106 | Browser | QQ Sessions | Collect QQ sessions |
| 107 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
| 108 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
| 109 | Browser | IE 7, 8, 9 Browsing History | Collect visited URLs from Internet Explorer 7, 8 and 9 |
| 110 | Browser | IE 10, 11, Edge Browsing History | Collect visited URLs from Internet Explorer 10, 11 and Edge |
| 111 | Browser | Opera Browsing History | Collect visited URLs from Opera |
| 112 | Browser | Brave Browsing History | Collect visited URLs from Brave |
| 113 | Browser | Vivaldi Browsing History | Collect visited URLs from Vivaldi |
| 114 | Browser | QQ Browsing History | Collect visited URLs from QQ |
| 115 | Browser | Chrome Downloads | Collect Chrome download history |
| 116 | Browser | Edge Downloads | Collect Edge download history |
| 117 | Browser | Firefox Downloads | Collect Firefox download history |
| 118 | Browser | Opera Downloads | Collect Opera download history |
| 119 | Browser | Brave Downloads | Collect Brave download history |
| 120 | Browser | Vivaldi Downloads | Collect Vivaldi download history |
| 121 | Browser | QQ Downloads | Collect QQ download history |
| 122 | Browser | Firefox Cookies | Collect Firefox cookies |
| 123 | NTFS | MFT as CSV | Dump $MFT entries in CSV format |
| 124 | NTFS | MFT | Dump raw contents of $MFT |
| 125 | NTFS | MFT Mirror | Dump raw contents of $MFTMirr |
| 126 | NTFS | USN Journal as CSV | Parse USN journal entries into CSV format |
| 127 | NTFS | $LogFile | Dump raw contents of $LogFile |
| 128 | NTFS | USN Journal | Dump raw contents of $UsnJrnl |
| 129 | NTFS | $Boot | Dump raw contents of $Boot |
| 130 | NTFS | USN Journal $Max | Dump contents of $UsnJrnl:$Max |
| 131 | NTFS | $Secure:$SDS | Dump contents of $Secure:$SDS |
| 132 | NTFS | $TxfLog $Tops:$T | Dump contents of $TxfLog\$Tops:$T |
| 133 | Registry | Registry Hives | Dump registry hives |
| 134 | Registry | Old Registry Hives | Dump old registry hives left behind by in-place operating system upgrades |
| 135 | Registry | ShellBags | Enumerate ShellBags |
| 136 | Registry | AppCompatCache | Enumerate AppCompatCache (ShimCache) |
| 137 | Registry | UserAssist | Enumerate UserAssist |
| 138 | Registry | TypedPaths | Enumerate TypedPaths |
| 139 | Registry | FirstFolder | Enumerate FirstFolder |
| 140 | Registry | RecentDocs | Enumerate RecentDocs |
| 141 | Registry | WordWheelQuery | Enumerate WordWheelQuery |
| 142 | Registry | FileExts | Enumerate FileExts |
| 143 | Registry | ShellFolders | Enumerate ShellFolders |
| 144 | Registry | RunMRU | Enumerate RunMRU |
| 145 | Registry | Map Network Drive MRU | Enumerate Map Network Drive MRU |
| 146 | Registry | TypedURLs | Enumerate TypedURLs |
| 147 | Registry | OfficeMRU | Enumerate OfficeMRU |
| 148 | Registry | AppPaths | Enumerate AppPaths |
| 149 | Registry | CIDSizeMRU | Enumerate CIDSizeMRU |
| 150 | Registry | LastVisitedPidlMRU | Enumerate LastVisitedPidlMRU |
| 151 | Registry | OpenSavePidlMRU | Enumerate OpenSavePidlMRU |
| 152 | Registry | WinRAR History | Enumerate WinRAR history |
| 153 | Network | DNS Cache | Collect the DNS resolver cache |
| 154 | Network | TCP Table | Collect the TCP connection table |
| 155 | Network | UDP Table | Collect the UDP endpoint table |
| 156 | Network | ARP Table | Collect the ARP table |
| 157 | Network | IPv4 Routes | Collect the IPv4 routing table |
| 158 | Network | Network Adapters | Collect information about network adapters |
| 159 | Network | Network Shares | Collect information about network shares |
| 160 | Network | Hosts | Dump the hosts file |
| 161 | Event Logs | Event Log EVT Files | Dump .evt event log files |
| 162 | Event Logs | Event Log EVTX Files | Dump .evtx event log files |
| 163 | Event Logs | Event Log EVT Records | Collect the most recent event log records |
| 164 | Process Execution | Prefetch Files | Collect and parse Prefetch files |
| 165 | Process Execution | SRUM | Collect and parse the SRUM database |
| 166 | Process Execution | Windows Timeline | Collect the Windows Timeline database (ActivitiesCache.db) |
| 167 | Process Execution | AmCache | Collect and parse Amcache.hve |
| 168 | Process Execution | Recent File Cache | Collect RecentFileCache.bcf files |
| 169 | Process Execution | Parse LNK Files | Parse LNK (shortcut) files |
| 170 | Process Execution | Collect LNK Files | Collect LNK (shortcut) files |
| 171 | Other Evidence | ETL | Collect ETL (Event Trace Log) files |
| 172 | Other Evidence | CLR | Collect CLR logs |
| 173 | Other Evidence | Jump List | Collect Jump List files |
| 174 | Other Evidence | Windows Index Search | Collect the Windows Search index database |
| 175 | Other Evidence | Superfetch | Collect Superfetch files |
| 176 | Other Evidence | WBEM | Collect WBEM (WMI repository) files |
| 177 | Other Evidence | INF Setup | Collect INF setup log files |
| 178 | Other Evidence | SDB | Collect SDB (application compatibility shim database) files |
| 179 | Other Evidence | PowerShell Logs | Collect PowerShell logs |
| 180 | Other Evidence | PowerShell ConsoleHost History | Collect PowerShell ConsoleHost history |
| 181 | Other Evidence | Thumbcache | Collect Thumbcache files |
| 182 | Other Evidence | Iconcache | Collect Iconcache files |
| 183 | Other Evidence | RDP Cache | Collect RDP bitmap cache files |
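The two WMI entries under Persistence (ActiveScript and CommandLine event consumers) are only half of a WMI persistence: a consumer does nothing until a `__FilterToConsumerBinding` ties it to a `__EventFilter` query. The following is an added example, not AIR's own collector or code, showing how to triage those artifacts by hand (for example to validate a collection): it enumerates every binding in `root\subscription` and joins it to the filter's WQL query and the consumer's payload. It assumes it is run with local administrator rights on the host under review and uses only the built-in CIM cmdlets; nothing else is assumed.

```powershell
# Added example (not part of AIR): join WMI persistence pieces so each
# binding shows "what triggers" (filter query) next to "what runs"
# (consumer payload). Assumes local admin on the triaged host.

function Get-WmiSubscriptionBindings {
    $ns = 'root\subscription'

    # Index filters by Name (their key) and consumers by class+Name, since
    # several consumer classes (CommandLine, ActiveScript, NTEventLog, ...)
    # each use Name as their key.
    $filters   = @{}
    $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction Stop |
        ForEach-Object { $filters[$_.Name] = $_ }
    # Querying the abstract base class returns instances of every derived consumer class.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction Stop |
        ForEach-Object { $consumers["$($_.CimClass.CimClassName)/$($_.Name)"] = $_ }

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Reference properties come back as CimInstances carrying the key properties.
        $filterName   = $b.Filter.Name
        $consumerType = $b.Consumer.CimClass.CimClassName
        $consumerName = $b.Consumer.Name
        $f = $filters[$filterName]
        $c = $consumers["$consumerType/$consumerName"]

        # Extract the thing that actually executes for the two persistence-capable classes.
        $payload = switch ($consumerType) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($c.ScriptFileName) { "[$($c.ScriptingEngine)] file: $($c.ScriptFileName)" }
                else                   { "[$($c.ScriptingEngine)] inline: $($c.ScriptText)" }
            }
            default                     { "<$consumerType>" }
        }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = if ($f) { $f.Query } else { '<dangling filter reference>' }
            ConsumerType = $consumerType
            Consumer     = $consumerName
            Payload      = if ($c) { $payload } else { '<dangling consumer reference>' }
        }
    }
}

# Run it; the ActiveScript / CommandLine rows are the ones to read first.
Get-WmiSubscriptionBindings | Format-List
```

On a stock Windows install expect exactly one benign row: the `NTEventLogEventConsumer` binding named `SCM Event Log Consumer` tied to `SCM Event Log Filter`. Any `CommandLineEventConsumer` or `ActiveScriptEventConsumer` row, and any filter whose query watches for process starts, logons or a timer, warrants a look at the payload. Dangling references (a binding whose filter or consumer no longer exists) are also worth noting, since they often mean a partial clean-up.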
Windows Artifact List

| # | Category | Artifact | Description |
|---|---|---|---|
| 1 | Server | Apache Logs | Collect Apache logs |
| 2 | Server | MongoDB Logs | Collect MongoDB logs |
| 3 | Server | IIS Logs | Collect IIS logs |
| 4 | Server | MSSQL Logs | Collect MSSQL logs |
| 5 | Server | Microsoft Exchange Logs | Collect Microsoft Exchange logs |
| 6 | Server | DHCP Server Logs | Collect DHCP Server logs |
| 7 | Server | DNS Server Logs | Collect DNS Server logs |
| 8 | Server | Active Directory Logs | Collect Active Directory logs |
| 9 | Microsoft Applications | Microsoft Photos | Collect the Microsoft Photos history database |
| 10 | Microsoft Applications | Cortana History | Collect Cortana history databases |
| 11 | Microsoft Applications | Microsoft Store Applications List | Collect the Microsoft Store applications list database |
| 12 | Microsoft Applications | Microsoft Sticky Notes | Collect Microsoft Sticky Notes |
| 13 | Microsoft Applications | Microsoft Maps | Collect Microsoft Maps locations |
| 14 | Microsoft Applications | Microsoft Voice Record History | Collect Microsoft Voice Recorder history |
| 15 | Microsoft Applications | Windows Notification History | Collect Windows notification history |
| 16 | Microsoft Applications | Search History | Collect Windows Start Menu search history |
| 17 | Microsoft Applications | Microsoft People | Collect Microsoft People data |
| 18 | Microsoft Applications | Microsoft Calendar | Collect Microsoft Calendar data |
| 19 | Communication | Discord Desktop Cache | Collect Discord Desktop cache |
| 20 | Communication | Microsoft Mail | Collect Microsoft Mail emails |
| 21 | Communication | Microsoft Outlook | Collect Microsoft Outlook emails |
| 22 | Communication | Mozilla Thunderbird | Collect Mozilla Thunderbird emails |
| 23 | Communication | Skype Databases | Collect Skype databases |
| 24 | Communication | Skype Media | Collect Skype media |
| 25 | Communication | Telegram Desktop Data | Collect Telegram Desktop data |
| 26 | Communication | Telegram Desktop Download | Collect the Telegram Desktop download folder |
| 27 | Communication | WhatsApp Desktop Cache | Collect WhatsApp Desktop cache |
| 28 | Communication | WhatsApp Desktop Cookie | Collect WhatsApp Desktop cookies |
| 29 | Communication | Windows Live Mail User Settings | Collect Windows Live Mail user settings |
| 30 | Communication | Zoom Databases | Collect Zoom databases |
| 31 | Communication | Zoom Media | Collect Zoom media files and link previews |
| 32 | Remote Desktop/Management Tools | Action1 RMM Logs | Collect Action1 RMM logs |
| 33 | Remote Desktop/Management Tools | Ammyy Admin Logs | Collect Ammyy Admin logs |
| 34 | Remote Desktop/Management Tools | AnyDesk Logs | Collect AnyDesk logs |
| 35 | Remote Desktop/Management Tools | GoTo Logs | Collect GoTo logs |
| 36 | Remote Desktop/Management Tools | Kaseya Logs | Collect Kaseya logs |
| 37 | Remote Desktop/Management Tools | Level Logs | Collect Level application-specific files and logs |
| 38 | Remote Desktop/Management Tools | LogMeIn Logs | Collect LogMeIn logs |
| 39 | Remote Desktop/Management Tools | RealVNC Logs | Collect RealVNC application debug logs |
| 40 | Remote Desktop/Management Tools | RemComSvc Logs | Collect RemComSvc logs |
| 41 | Remote Desktop/Management Tools | Remote Utilities Logs | Collect Remote Utilities application logs |
| 42 | Remote Desktop/Management Tools | ScreenConnect (ConnectWise Control) Application Data | Collect various types of ScreenConnect (ConnectWise Control) application data |
| 43 | Remote Desktop/Management Tools | Splashtop Logs | Collect Splashtop application logs |
| 44 | Remote Desktop/Management Tools | Supremo Remote Desktop Logs | Collect Supremo Remote Desktop application logs |
| 45 | Remote Desktop/Management Tools | TeamViewer Logs | Collect TeamViewer connection logs |
| 46 | Remote Desktop/Management Tools | TightVNC Logs | Collect TightVNC application logs |
| 47 | Remote Desktop/Management Tools | UltraViewer Logs | Collect UltraViewer logs |
| 48 | Remote Desktop/Management Tools | UltraVNC Logs | Collect UltraVNC application-specific log files |
| 49 | Remote Desktop/Management Tools | Xeox Logs | Collect Xeox application-specific log files |
| 50 | Remote Desktop/Management Tools | Zoho Assist Logs | Collect Zoho Assist application-specific logs |
| 51 | Social Artifacts | Twitter Databases | Collect Twitter Store application databases |
| 52 | Social Artifacts | Twitter Cache | Collect Twitter Store application cache |
| 53 | Social Artifacts | Facebook Databases | Collect Facebook Store application user databases |
| 54 | Social Artifacts | Facebook Cache | Collect Facebook Store application cache |
| 55 | Social Artifacts | LinkedIn Cache | Collect LinkedIn Store application cache |
| 56 | Social Artifacts | Spotify Recently Played List | Collect Spotify recently played list and social manager data |
| 57 | Social Artifacts | Spotify Cache | Collect Spotify cache |
| 58 | Productivity Artifacts | Sublime Text Sessions | Collect Sublime Text sessions and their contents |
| 59 | Productivity Artifacts | Notepad++ Sessions | Collect Notepad++ search history and sessions |
| 60 | Productivity Artifacts | OpenVPN Config | Collect OpenVPN configuration files |
| 61 | Productivity Artifacts | Everything History | Collect Everything run history |
| 62 | Productivity Artifacts | Evernote Databases | Collect Evernote databases |
| 63 | Productivity Artifacts | Evernote Drag and Drop Files | Collect Evernote drag-and-drop files |
| 64 | Productivity Artifacts | Evernote Logs | Collect Evernote logs |
| 65 | Utilities Artifacts | iTunes Backups | Collect iTunes backups |
| 66 | Utilities Artifacts | VMware Config | Collect VMware configuration |
| 67 | Utilities Artifacts | VMware Drag and Drop Files | Collect VMware drag-and-drop files |
| 68 | Utilities Artifacts | VMware Logs | Collect VMware logs |
| 69 | Developer Tools | FileZilla Sessions | Collect FileZilla sessions and Site Manager settings |
| 70 | Developer Tools | Visual Studio Team Explorer Config | Collect Visual Studio Team Explorer configuration |
| 71 | Developer Tools | GitHub Desktop Databases | Collect GitHub Desktop databases |
| 72 | Developer Tools | GitHub Desktop Cache | Collect GitHub Desktop cache |
| 73 | Developer Tools | GitHub Desktop Logs | Collect GitHub Desktop logs |
| 74 | Developer Tools | WSL | Collect Windows Subsystem for Linux files |
| 75 | Developer Tools | TortoiseGit Logs | Collect TortoiseGit synchronization logs |
| 76 | Cloud Artifacts | Google Drive Databases | Collect Google Drive synchronization databases |
| 77 | Cloud Artifacts | Dropbox Databases | Collect Dropbox synchronization databases |
| 78 | Cloud Artifacts | Dropbox Logs | Collect Dropbox logs |
| 79 | Cloud Artifacts | Dropbox Cache | Collect Dropbox cache |
| 80 | Cloud Artifacts | OneDrive Logs | Collect OneDrive logs |
| 81 | Docker | Docker Changes | Collect Docker container filesystem changes |
| 82 | Docker | Docker Containers | Collect the Docker container list |
| 83 | Docker | Docker Image History | Collect Docker image history |
| 84 | Docker | Docker Images | Collect the Docker image list |
| 85 | Docker | Docker Info | Collect Docker daemon information |
| 86 | Docker | Docker Networks | Collect Docker networks |
| 87 | Docker | Docker Processes | Collect processes running inside Docker containers |
| 88 | Docker | Docker Volumes | Collect Docker volumes |
| 89 | Docker | Docker Container Logs | Collect Docker container logs |
| 90 | Antivirus Logs | Avast Logs | Collect Avast logs |
| 91 | Antivirus Logs | AVG Logs | Collect AVG logs |
| 92 | Antivirus Logs | Avira Logs | Collect Avira logs |
| 93 | Antivirus Logs | Bitdefender Logs | Collect Bitdefender logs |
| 94 | Antivirus Logs | Carbon Black Logs | Collect Carbon Black logs |
| 95 | Antivirus Logs | Cisco AMP Logs | Collect Cisco AMP logs |
| 96 | Antivirus Logs | ComboFix | Collect ComboFix logs |
| 97 | Antivirus Logs | Cybereason Logs | Collect Cybereason logs |
| 98 | Antivirus Logs | Cylance Logs | Collect Cylance logs |
| 99 | Antivirus Logs | Deep Instinct Logs | Collect Deep Instinct logs |
| 100 | Antivirus Logs | Elastic Logs | Collect Elastic logs |
| 101 | Antivirus Logs | ESET Logs | Collect ESET logs |
| 102 | Antivirus Logs | F-Secure Logs | Collect F-Secure logs |
| 103 | Antivirus Logs | FireEye Logs | Collect FireEye logs |
| 104 | Antivirus Logs | HitmanPro Logs | Collect HitmanPro logs |
| 105 | Antivirus Logs | Malwarebytes Logs | Collect Malwarebytes logs |
| 106 | Antivirus Logs | McAfee Logs | Collect McAfee logs |
| 107 | Antivirus Logs | Palo Alto Logs | Collect Palo Alto logs |
| 108 | Antivirus Logs | RogueKiller Reports | Collect RogueKiller reports |
| 109 | Antivirus Logs | SentinelOne Logs | Collect SentinelOne logs |
| 110 | Antivirus Logs | Sophos Logs | Collect Sophos logs |
| 111 | Antivirus Logs | Sourcefire FireAMP Logs | Collect Sourcefire FireAMP logs |
| 112 | Antivirus Logs | SUPERAntiSpyware Logs | Collect SUPERAntiSpyware logs |
| 113 | Antivirus Logs | Symantec Logs | Collect Symantec logs |
| 114 | Antivirus Logs | Tanium Logs | Collect Tanium logs |
| 115 | Antivirus Logs | TotalAV Logs | Collect TotalAV logs |
| 116 | Antivirus Logs | Trend Micro Logs | Collect Trend Micro logs |
| 117 | Antivirus Logs | VIPRE Logs | Collect VIPRE logs |
| 118 | Antivirus Logs | Webroot Logs | Collect Webroot logs |
| 119 | Antivirus Logs | Windows Defender Logs | Collect Windows Defender logs |
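For the "Windows Defender Logs" artifact, the useful material lives in two places: the Defender Operational event log (detection and remediation events) and the MPLog / MPDetection text logs Defender writes under ProgramData. The following is an added example, not AIR's collector or code, that pulls both so an analyst can sanity-check a collection or triage a host where the agent is not deployed. It assumes it runs as a local administrator (the Support folder is not readable otherwise) and that the built-in Defender PowerShell module is present when `Get-MpThreatDetection` is called; the 30-day window is an arbitrary default.

```powershell
# Added example (not part of AIR): pull Defender detection evidence from the
# event log and from the on-disk support logs. Assumes local admin rights.

function Get-DefenderDetectionEvents {
    param([int]$Days = 30)   # window is an arbitrary default, adjust per case
    # 1116 = malware or PUA detected, 1117 = action taken on the detection.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # First line of the message is the human summary; the rest carries
                # threat name, path, user and action, kept in Detail.
                Summary = ($_.Message -split "`r?`n")[0]
                Detail  = $_.Message
            }
        }
}

function Get-DefenderSupportLogs {
    $support = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'
    if (-not (Test-Path -LiteralPath $support)) { return @() }
    # MPLog-*.log is the engine's rolling log; MPDetection-*.log lists detections.
    Get-ChildItem -LiteralPath $support -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^MP(Log|Detection)-' } |
        Select-Object FullName, Length, LastWriteTime
}

# Structured records straight from the Defender module, when it is available,
# avoid parsing event message text at all.
function Get-DefenderThreatRecords {
    if (-not (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue)) { return @() }
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess
}

Get-DefenderDetectionEvents | Format-Table Time, EventId, Summary -AutoSize
Get-DefenderSupportLogs     | Format-Table -AutoSize
Get-DefenderThreatRecords   | Format-List
```

The event log and the MPLog files disagree in one way worth knowing: the Operational log can be cleared or wrapped by size, while MPLog files roll over on their own schedule, so a detection that is gone from one may still be present in the other. Collecting both is why the artifact matters.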