Windows Collections
AIR supports the following Windows Evidence and Artifacts
Windows Evidence List

| # | Category | Name | Description |
|---|---|---|---|
| 1 | System | Crash Dump Information | Collect information about crash dumps |
| 2 | System | Recycle Bin Information | Collect information about items in recycle bin |
| 3 | System | System Restore Points Information | Collect information about system restore points |
| 4 | System | Drivers List | Collect driver list |
| 5 | System | Running Processes and Modules | Collect running processes and modules list |
| 6 | System | Antivirus Information | Collect information about installed antivirus |
| 7 | System | DNS Servers | Collect DNS Server addresses |
| 8 | System | Proxy List | Collect information about proxy list |
| 9 | System | Installed Applications | Enumerate Installed Applications |
| 10 | System | Firewall Rules | Enumerate Firewall Rules |
| 11 | System | USB Storage History | Collect USB Storage History |
| 12 | System | Downloaded Files Information | Collect information about downloaded files |
| 13 | System | Shadow Copy as CSV | Dump Latest Shadow Copy Files Information in CSV Format |
| 14 | System | EventTranscript DB | Collect EventTranscript DB |
| 15 | System | Users | Collect Users |
| 16 | System | User Access Logs (UAL) | Collect and Parse User Access Logs |
| 17 | System | SAM Users and Groups | Collect SAM Users and Groups |
| 18 | System | Wireless Connection History | Enumerate Wireless Connection History |
| 19 | System | Windows Error Reporting Files | Collect WER Files |
| 20 | System | NTDS.dit | Collect Active Directory NTDS Database |
| 21 | System | Environment Variables | Enumerate Environment Variables |
| 22 | System | User Folders | Collect User Folders Information |
| 23 | System | PDB Information | Collect Program Database Information |
| 24 | System | Object Directory | Collect Object Directory Information |
| 25 | System | Driver Objects | Collect Driver Objects Information |
| 26 | Persistence | WMI Active Script | Dump WMI Active Script Event Consumers |
| 27 | Persistence | WMI Command Line | Dump WMI Command Line Event Consumers |
| 28 | Persistence | Registry Items | Enumerate Registry Items |
| 29 | Persistence | Scheduled Tasks | Enumerate Scheduled Tasks |
| 30 | Persistence | Service List | Enumerate Service List |
| 31 | Persistence | Startup Items | Enumerate Startup Items |
| 32 | Disk | Volumes Information | Collect information about volumes |
| 33 | Disk | MBR | Collect Master Boot Record |
| 34 | Memory | RAM Image | Create an image of RAM |
| 35 | Memory | Page File | Dump system page file |
| 36 | Memory | Swap File | Dump system swap file |
| 37 | Memory | Hibernation File | Dump hibernation file |
| 38 | Browser | Default Browser | Collect Default Browser |
| 39 | Browser | Chrome Cookies | Collect Chrome Cookies |
| 40 | Browser | Edge Cookies | Collect Edge Cookies |
| 41 | Browser | Opera Cookies | Collect Opera Cookies |
| 42 | Browser | Vivaldi Cookies | Collect Vivaldi Cookies |
| 43 | Browser | Brave Cookies | Collect Brave Cookies |
| 44 | Browser | QQ Cookies | Collect QQ Cookies |
| 45 | Browser | Chrome Bookmarks | Collect Chrome Bookmarks |
| 46 | Browser | Edge Bookmarks | Collect Edge Bookmarks |
| 47 | Browser | Opera Bookmarks | Collect Opera Bookmarks |
| 48 | Browser | Vivaldi Bookmarks | Collect Vivaldi Bookmarks |
| 49 | Browser | Brave Bookmarks | Collect Brave Bookmarks |
| 50 | Browser | QQ Bookmarks | Collect QQ Bookmarks |
| 51 | Browser | Chrome User Profiles | Collect Chrome User Profiles |
| 52 | Browser | Edge User Profiles | Collect Edge User Profiles |
| 53 | Browser | Opera User Profiles | Collect Opera User Profiles |
| 54 | Browser | Vivaldi User Profiles | Collect Vivaldi User Profiles |
| 55 | Browser | Brave User Profiles | Collect Brave User Profiles |
| 56 | Browser | QQ User Profiles | Collect QQ User Profiles |
| 57 | Browser | Chrome Extensions | Collect Chrome Extensions |
| 58 | Browser | Edge Extensions | Collect Edge Extensions |
| 59 | Browser | Opera Extensions | Collect Opera Extensions |
| 60 | Browser | Brave Extensions | Collect Brave Extensions |
| 61 | Browser | Vivaldi Extensions | Collect Vivaldi Extensions |
| 62 | Browser | QQ Extensions | Collect QQ Extensions |
| 63 | Browser | Firefox Extensions | Collect Firefox Extensions (Addons) |
| 64 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
| 65 | Browser | Edge Local Storage | Collect Edge Local Storage |
| 66 | Browser | Opera Local Storage | Collect Opera Local Storage |
| 67 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
| 68 | Browser | Brave Local Storage | Collect Brave Local Storage |
| 69 | Browser | QQ Local Storage | Collect QQ Local Storage |
| 70 | Browser | Dump Chrome Indexed DB | Dump Chrome Indexed DB |
| 71 | Browser | Dump Edge Indexed DB | Dump Edge Indexed DB |
| 72 | Browser | Dump Opera Indexed DB | Dump Opera Indexed DB |
| 73 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi Indexed DB |
| 74 | Browser | Dump Brave Indexed DB | Dump Brave Indexed DB |
| 75 | Browser | Dump QQ Indexed DB | Dump QQ Indexed DB |
| 76 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
| 77 | Browser | Edge Web Storage | Collect Edge Web Storage |
| 78 | Browser | Opera Web Storage | Collect Opera Web Storage |
| 79 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
| 80 | Browser | Brave Web Storage | Collect Brave Web Storage |
| 81 | Browser | QQ Web Storage | Collect QQ Web Storage |
| 82 | Browser | Chrome Form History | Collect Chrome Form History |
| 83 | Browser | Edge Form History | Collect Edge Form History |
| 84 | Browser | Opera Form History | Collect Opera Form History |
| 85 | Browser | Vivaldi Form History | Collect Vivaldi Form History |
| 86 | Browser | Brave Form History | Collect Brave Form History |
| 87 | Browser | QQ Form History | Collect QQ Form History |
| 88 | Browser | Chrome Thumbnails | Collect Chrome Thumbnails |
| 89 | Browser | Edge Thumbnails | Collect Edge Thumbnails |
| 90 | Browser | Opera Thumbnails | Collect Opera Thumbnails |
| 91 | Browser | Vivaldi Thumbnails | Collect Vivaldi Thumbnails |
| 92 | Browser | Brave Thumbnails | Collect Brave Thumbnails |
| 93 | Browser | QQ Thumbnails | Collect QQ Thumbnails |
| 94 | Browser | Chrome Favicons | Collect Chrome Favicons |
| 95 | Browser | Edge Favicons | Collect Edge Favicons |
| 96 | Browser | Opera Favicons | Collect Opera Favicons |
| 97 | Browser | Vivaldi Favicons | Collect Vivaldi Favicons |
| 98 | Browser | Brave Favicons | Collect Brave Favicons |
| 99 | Browser | QQ Favicons | Collect QQ Favicons |
| 100 | Browser | Chrome Login Data | Collect Chrome Login Data |
| 101 | Browser | Edge Login Data | Collect Edge Login Data |
| 102 | Browser | Opera Login Data | Collect Opera Login Data |
| 103 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data |
| 104 | Browser | Brave Login Data | Collect Brave Login Data |
| 105 | Browser | QQ Login Data | Collect QQ Login Data |
| 106 | Browser | Chrome Sessions | Collect Chrome Sessions |
| 107 | Browser | Edge Sessions | Collect Edge Sessions |
| 108 | Browser | Opera Sessions | Collect Opera Sessions |
| 109 | Browser | Brave Sessions | Collect Brave Sessions |
| 110 | Browser | Vivaldi Sessions | Collect Vivaldi Sessions |
| 111 | Browser | QQ Sessions | Collect QQ Sessions |
| 112 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
| 113 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
| 114 | Browser | IE 7,8,9 Browsing History | Collect visited URLs from Internet Explorer |
| 115 | Browser | IE 10,11,Edge Browsing History | Collect visited URLs from Internet Explorer and Edge |
| 116 | Browser | Opera Browsing History | Collect Visited URLs from Opera |
| 117 | Browser | Brave Browsing History | Collect Visited URLs from Brave |
| 118 | Browser | Vivaldi Browsing History | Collect Visited URLs from Vivaldi |
| 119 | Browser | QQ Browsing History | Collect Visited URLs from QQ |
| 120 | Browser | Chrome Downloads | Collect Chrome Downloads |
| 121 | Browser | Edge Downloads | Collect Edge Downloads |
| 122 | Browser | Firefox Downloads | Collect Firefox Downloads |
| 123 | Browser | Opera Downloads | Collect Opera Downloads |
| 124 | Browser | Brave Downloads | Collect Brave Downloads |
| 125 | Browser | Vivaldi Downloads | Collect Vivaldi Downloads |
| 126 | Browser | QQ Downloads | Collect QQ Downloads |
| 127 | Browser | Firefox Cookies | Collect Firefox Cookies |
| 128 | NTFS | MFT as CSV | Dump MFT entries in CSV format |
| 129 | NTFS | MFT | Dump raw contents of $MFT |
| 130 | NTFS | MFT Mirror | Dump MFT Mirror as raw |
| 131 | NTFS | USN Journal as CSV | Parse USN Journal Entries in CSV Format |
| 132 | NTFS | $LogFile | Dump raw contents of $LogFile |
| 133 | NTFS | USN Journal | Dump contents of $UsnJrnl file |
| 134 | NTFS | $Boot | Dump Raw Contents of $Boot File |
| 135 | NTFS | USN Journal $Max | Dump Contents of $UsnJrnl:$Max |
| 136 | NTFS | $Secure:$SDS | Dump Contents of $Secure:$SDS |
| 137 | NTFS | $TxfLog $Tops:$T | Dump Contents of $TxfLog\$Tops:$T |
| 138 | Registry | Registry Hives | Dump registry hives |
| 139 | Registry | Old Registry Hives | Dump old registry hives in upgraded operating systems |
| 140 | Registry | ShellBags | Enumerate ShellBags |
| 141 | Registry | AppCompatCache | Enumerate AppCompatCache (aka ShimCache) |
| 142 | Registry | UserAssist | Enumerate UserAssist |
| 143 | Registry | TypedPaths | Enumerate TypedPaths |
| 144 | Registry | FirstFolder | Enumerate FirstFolder |
| 145 | Registry | RecentDocs | Enumerate RecentDocs |
| 146 | Registry | WordWheelQuery | Enumerate WordWheelQuery |
| 147 | Registry | FileExts | Enumerate FileExts |
| 148 | Registry | ShellFolders | Enumerate ShellFolders |
| 149 | Registry | RunMRU | Enumerate RunMRU |
| 150 | Registry | Map Network Drive MRU | Enumerate Map Network Drive MRU |
| 151 | Registry | TypedURLs | Enumerate TypedURLs |
| 152 | Registry | OfficeMRU | Enumerate OfficeMRU |
| 153 | Registry | AppPaths | Enumerate AppPaths |
| 154 | Registry | CIDSizeMRU | Enumerate CIDSizeMRU |
| 155 | Registry | LastVisitedPidlMRU | Enumerate LastVisitedPidlMRU |
| 156 | Registry | OpenSavePidlMRU | Enumerate OpenSavePidlMRU |
| 157 | Registry | Winrar History | Enumerate Winrar History |
| 158 | Network | DNS Cache | Collect DNS Cache |
| 159 | Network | TCP Table | Collect TCP Table |
| 160 | Network | UDP Table | Collect UDP Table |
| 161 | Network | ARP Table | Collect ARP Table |
| 162 | Network | IPv4 Routes | Collect IPv4 Routes |
| 163 | Network | Network Adapters | Collect information about network adapters |
| 164 | Network | Network Shares | Collect information about network shares |
| 165 | Network | Hosts | Dump Hosts File |
| 166 | Event Logs | Event Log EVT Files | Dump evt event log files |
| 167 | Event Logs | Event Log EVTX Files | Dump evtx event log files |
| 168 | Event Logs | Event Log EVT Records | Collect most recent event log records |
| 169 | Process Execution | Prefetch Files | Collect Prefetch Files and Parse |
| 170 | Process Execution | SRUM | Collect SRUM and Parse |
| 171 | Process Execution | Windows Timeline | Collect Windows Timeline |
| 172 | Process Execution | AmCache | Collect Amcache and Parse |
| 173 | Process Execution | Recent File Cache | Collect recent file cache files |
| 174 | Process Execution | Parse LNK Files | Parse LNK Files |
| 175 | Process Execution | Collect LNK Files | Collect LNK Files |
| 176 | Process Execution | JumpList Automatic Files | Collect JumpList Automatic Files |
| 177 | Process Execution | JumpList Automatic Entries | Parse JumpList Automatic Entries |
| 178 | Process Execution | JumpList Custom Files | Collect JumpList Custom Files |
| 179 | Process Execution | JumpList Custom Entries | Parse JumpList Custom Entries |
| 180 | Other Evidence | ETL | Collect ETL Log |
| 181 | Other Evidence | CLR | Collect CLR Log |
| 182 | Other Evidence | Windows Index Search | Collect Windows Index Search Database |
| 183 | Other Evidence | Superfetch | Collect Superfetch Files |
| 184 | Other Evidence | WBEM | Collect WBEM Files |
| 185 | Other Evidence | INF Setup | Collect INF Setup Log Files |
| 186 | Other Evidence | SDB | Collect SDB |
| 187 | Other Evidence | Powershell Logs | Collect Powershell Logs |
| 188 | Other Evidence | Powershell ConsoleHost History | Collect Powershell ConsoleHost History |
| 189 | Other Evidence | Thumbcache | Collect Thumbcache |
| 190 | Other Evidence | Iconcache | Collect Iconcache |
| 191 | Other Evidence | RDP Cache | Collect RDP Cache Files |
Windows Artifact List

| # | Category | Name | Description |
|---|---|---|---|
| 1 | Server | Apache Logs | Collect Apache Logs |
| 2 | Server | MongoDB Logs | Collect MongoDB Logs |
| 3 | Server | IIS Logs | Collect IIS Logs |
| 4 | Server | MSSQL Logs | Collect MSSQL Logs |
| 5 | Server | Microsoft Exchange Logs | Collect Microsoft Exchange Logs |
| 6 | Server | DHCP Server Logs | Collect DHCP Server Logs |
| 7 | Server | DNS Server Logs | Collect DNS Server Logs |
| 8 | Server | Active Directory Logs | Collect Active Directory Logs |
| 9 | Microsoft Applications | Microsoft Photos | Collect Microsoft Photos History Database |
| 10 | Microsoft Applications | Cortana History | Collect Cortana History Databases |
| 11 | Microsoft Applications | Microsoft Store Applications List | Collect Microsoft Store Applications List Database |
| 12 | Microsoft Applications | Microsoft Sticky Notes | Collect Microsoft Sticky Notes |
| 13 | Microsoft Applications | Microsoft Maps | Collect Microsoft Maps Locations |
| 14 | Microsoft Applications | Microsoft Voice Record History | Collect Microsoft Voice Record History |
| 15 | Microsoft Applications | Windows Notification History | Collect Windows Notification History |
| 16 | Microsoft Applications | Search History | Collect Windows Start Menu Search History |
| 17 | Microsoft Applications | Microsoft People | Collect Microsoft People Data |
| 18 | Microsoft Applications | Microsoft Calendar | Collect Microsoft Calendar Data |
| 19 | Communication | Discord Desktop Cache | Collect Discord Desktop Cache |
| 20 | Communication | Microsoft Mail | Collect Microsoft Mail Emails |
| 21 | Communication | Microsoft Outlook | Collect Microsoft Outlook Emails |
| 22 | Communication | Mozilla Thunderbird | Collect Mozilla Thunderbird Emails |
| 23 | Communication | Skype Databases | Collect Skype Databases |
| 24 | Communication | Skype Media | Collect Skype Media |
| 25 | Communication | Telegram Desktop Data | Collect Telegram Desktop Data |
| 26 | Communication | Telegram Desktop Download | Collect Telegram Desktop Download Folder |
| 27 | Communication | WhatsApp Desktop Cache | Collect WhatsApp Desktop Cache |
| 28 | Communication | WhatsApp Desktop Cookie | Collect WhatsApp Desktop Cookie |
| 29 | Communication | Windows Live Mail User Settings | Collect Windows Live Mail User Settings |
| 30 | Communication | Zoom Databases | Collect Zoom Databases |
| 31 | Communication | Zoom Media | Collect Zoom Media Files & Link Previews |
| 32 | Remote Desktop/Management Tools | Action1 RMM Logs | Collect Action1 RMM Logs |
| 33 | Remote Desktop/Management Tools | AmmyAdmin Logs | Collect AmmyAdmin Logs |
| 34 | Remote Desktop/Management Tools | AnyDesk Logs | Collect AnyDesk Logs |
| 35 | Remote Desktop/Management Tools | GoTo Logs | Collect GoTo Logs |
| 36 | Remote Desktop/Management Tools | Kaseya Logs | Collect Kaseya Logs |
| 37 | Remote Desktop/Management Tools | Level Logs | Collect Level Application Specific Files and Logs |
| 38 | Remote Desktop/Management Tools | LogMeIn Logs | Collect LogMeIn Logs |
| 39 | Remote Desktop/Management Tools | RealVNC Logs | Collect RealVNC Application Debug Logs |
| 40 | Remote Desktop/Management Tools | RemComSvc Logs | Collect RemComSvc Logs |
| 41 | Remote Desktop/Management Tools | Remote Utilities Logs | Collect Remote Utilities Application Logs |
| 42 | Remote Desktop/Management Tools | ScreenConnect (ConnectWise Control) Application Data | Collect Various Types of ScreenConnect (ConnectWise Control) Application Data |
| 43 | Remote Desktop/Management Tools | Splashtop Logs | Collect Splashtop Application Logs |
| 44 | Remote Desktop/Management Tools | Supremo Remote Desktop Logs | Collect Supremo Remote Desktop Application Logs |
| 45 | Remote Desktop/Management Tools | Teamviewer Logs | Collect Teamviewer Connection Logs |
| 46 | Remote Desktop/Management Tools | TightVNC Logs | Collect TightVNC Application Logs |
| 47 | Remote Desktop/Management Tools | Ultraviewer Logs | Collect Ultraviewer Logs |
| 48 | Remote Desktop/Management Tools | UltraVNC Logs | Collect UltraVNC Application Specific Log Files |
| 49 | Remote Desktop/Management Tools | Xeox Logs | Collect Xeox Application Specific Log Files |
| 50 | Remote Desktop/Management Tools | ZohoAssist Logs | Collect ZohoAssist Application Specific Logs |
| 51 | Social Artifacts | Twitter Databases | Collect Twitter Store Application Databases |
| 52 | Social Artifacts | Twitter Cache | Collect Twitter Store Application Cache |
| 53 | Social Artifacts | Facebook Databases | Collect Facebook Store Application User Databases |
| 54 | Social Artifacts | Facebook Cache | Collect Facebook Store Application Cache |
| 55 | Social Artifacts | LinkedIn Cache | Collect LinkedIn Store Application Cache |
| 56 | Social Artifacts | Spotify Recently Played List | Collect Spotify Recently Played List & Social Manager |
| 57 | Social Artifacts | Spotify Cache | Collect Spotify Cache |
| 58 | Productivity Artifacts | Sublime Text Sessions | Collect Sublime Text Sessions & Contents |
| 59 | Productivity Artifacts | Notepad++ Sessions | Collect Notepad++ Search History & Sessions |
| 60 | Productivity Artifacts | OpenVPN Config | Collect OpenVPN Config Files |
| 61 | Productivity Artifacts | Everything History | Collect Everything Run History |
| 62 | Productivity Artifacts | Evernote Databases | Collect Evernote Databases |
| 63 | Productivity Artifacts | Evernote Drag and Drop Files | Collect Evernote Drag and Drop Files |
| 64 | Productivity Artifacts | Evernote Logs | Collect Evernote Logs |
| 65 | Utilities Artifacts | iTunes Backups | Collect iTunes Backups |
| 66 | Utilities Artifacts | VMware Config | Collect VMware Config |
| 67 | Utilities Artifacts | VMware Drag and Drop Files | Collect VMware Drag and Drop Files |
| 68 | Utilities Artifacts | VMware Logs | Collect VMware Logs |
| 69 | Developer Tools | FileZilla Sessions | Collect FileZilla Sessions & Site Manager Settings |
| 70 | Developer Tools | Visual Studio Team Explorer Config | Collect Visual Studio Team Explorer Config |
| 71 | Developer Tools | Github Desktop Databases | Collect Github Desktop Databases |
| 72 | Developer Tools | Github Desktop Cache | Collect Github Desktop Cache |
| 73 | Developer Tools | Github Desktop Logs | Collect Github Desktop Logs |
| 74 | Developer Tools | WSL | Collect Windows Subsystem for Linux Files |
| 75 | Developer Tools | Tortoise Git Logs | Collect Tortoise Git Synchronization Logs |
| 76 | Cloud Artifacts | Google Drive Databases | Collect Google Drive Synchronization Databases |
| 77 | Cloud Artifacts | Dropbox Databases | Collect Dropbox Synchronization Databases |
| 78 | Cloud Artifacts | Dropbox Logs | Collect Dropbox Logs |
| 79 | Cloud Artifacts | Dropbox Cache | Collect Dropbox Cache |
| 80 | Cloud Artifacts | OneDrive Logs | Collect OneDrive Logs |
| 81 | Docker | Docker Changes | Collect Docker Changes |
| 82 | Docker | Docker Containers | Collect Docker Containers |
| 83 | Docker | Docker Image History | Collect Docker Image History |
| 84 | Docker | Docker Images | Collect Docker Images |
| 85 | Docker | Docker Info | Collect Docker Info |
| 86 | Docker | Docker Networks | Collect Docker Networks |
| 87 | Docker | Docker Processes | Collect Docker Processes |
| 88 | Docker | Docker Volumes | Collect Docker Volumes |
| 89 | Docker | Docker Container Logs | Collect Docker Container Logs |
| 90 | Antivirus Logs | Avast Logs | Collect Avast Logs |
| 91 | Antivirus Logs | AVG Logs | Collect AVG Logs |
| 92 | Antivirus Logs | Avira Logs | Collect Avira Logs |
| 93 | Antivirus Logs | Bitdefender Logs | Collect Bitdefender Logs |
| 94 | Antivirus Logs | Carbon Black Logs | Collect Carbon Black Logs |
| 95 | Antivirus Logs | Cisco AMP Logs | Collect Cisco AMP Logs |
| 96 | Antivirus Logs | ComboFix | Collect ComboFix Logs |
| 97 | Antivirus Logs | Cybereason Logs | Collect Cybereason Logs |
| 98 | Antivirus Logs | Cylance Logs | Collect Cylance Logs |
| 99 | Antivirus Logs | Deep Instinct Logs | Collect Deep Instinct Logs |
| 100 | Antivirus Logs | Elastic Logs | Collect Elastic Logs |
| 101 | Antivirus Logs | Eset Logs | Collect Eset Logs |
| 102 | Antivirus Logs | F-Secure Logs | Collect F-Secure Logs |
| 103 | Antivirus Logs | FireEye Logs | Collect FireEye Logs |
| 104 | Antivirus Logs | HitmanPro Logs | Collect HitmanPro Logs |
| 105 | Antivirus Logs | MalwareBytes Logs | Collect MalwareBytes Logs |
| 106 | Antivirus Logs | McAfee Logs | Collect McAfee Logs |
| 107 | Antivirus Logs | Palo Alto Logs | Collect Palo Alto Logs |
| 108 | Antivirus Logs | RogueKiller Reports | Collect RogueKiller Reports |
| 109 | Antivirus Logs | SentinelOne Logs | Collect SentinelOne Logs |
| 110 | Antivirus Logs | Sophos Logs | Collect Sophos Logs |
| 111 | Antivirus Logs | Sourcefire FireAMP Logs | Collect Sourcefire FireAMP Logs |
| 112 | Antivirus Logs | SUPERAntiSpyware Logs | Collect SUPERAntiSpyware Logs |
| 113 | Antivirus Logs | Symantec Logs | Collect Symantec Logs |
| 114 | Antivirus Logs | Tanium Logs | Collect Tanium Logs |
| 115 | Antivirus Logs | TotalAv Logs | Collect TotalAv Logs |
| 116 | Antivirus Logs | Trend Micro Logs | Collect Trend Micro Logs |
| 117 | Antivirus Logs | VIPRE Logs | Collect VIPRE Logs |
| 118 | Antivirus Logs | Webroot Logs | Collect Webroot Logs |
| 119 | Antivirus Logs | Windows Defender Logs | Collect Windows Defender Logs |