Windows Collections
AIR supports the following Windows Evidence and Artifacts
Windows Evidence List
1 | System | Crash Dump Information | Collect information about crash dumps |
2 | System | Recycle Bin Information | Collect information about items in recycle bin |
3 | System | System Restore Points Information | Collect information about system restore points |
4 | System | Drivers List | Collect driver list |
5 | System | Process and Modules | Collect process and modules list |
6 | System | Antivirus Information | Collect information about installed antivirus |
7 | System | DNS Servers | Collect DNS Server addresses |
8 | System | Proxy List | Collect information about proxy list |
9 | System | Installed Applications | Enumerate Installed Applications |
10 | System | Firewall Rules | Enumerate Firewall Rules |
11 | System | USB Storage History | Collect USB Storage History |
12 | System | Downloaded Files Information | Collect information about downloaded files |
13 | System | Shadow Copy as CSV | Dump Latest Shadow Copy Files Information in CSV Format |
14 | System | EventTranscript DB | Collect EventTranscript DB |
15 | System | Users | Collect Users |
16 | System | User Access Logs (UAL) | Collect and Parse User Access Logs |
17 | System | SAM Users and Groups | Collect SAM Users and Groups |
18 | System | Wireless Connection History | Enumerate Wireless Connection History |
19 | System | Windows Error Reporting Files | Collect WER Files |
20 | System | NTDS.dit | Collect Active Directory NTDS Database |
21 | System | Environment Variables | Enumerate Environment Variables |
22 | Persistence | WMI Active Script | Dump WMI Active Script Event Consumers |
23 | Persistence | WMI Command Line | Dump WMI Command Line Event Consumers |
24 | Persistence | Registry Items | Enumerate Registry Items |
25 | Persistence | Scheduled Tasks | Enumerate Scheduled Tasks |
26 | Persistence | Service List | Enumerate Service List |
27 | Persistence | Startup Items | Enumerate Startup Items |
28 | Disk | Volumes Information | Collect information about volumes |
29 | Disk | MBR | Collect Master Boot Record |
30 | Memory | RAM Image | Create an image of RAM |
31 | Memory | Page File | Dump system page file |
32 | Memory | Swap File | Dump system swap file |
33 | Memory | Hibernation File | Dump hibernation file |
34 | Browser | Default Browser | Collect Default Browser |
35 | Browser | Chrome Cookies | Collect Chrome Cookies |
36 | Browser | Edge Cookies | Collect Edge Cookies |
37 | Browser | Opera Cookies | Collect Opera Cookies |
38 | Browser | Vivaldi Cookies | Collect Vivaldi Cookies |
39 | Browser | Brave Cookies | Collect Brave Cookies |
40 | Browser | QQ Cookies | Collect QQ Cookies |
41 | Browser | Chrome Bookmarks | Collect Chrome Bookmarks |
42 | Browser | Edge Bookmarks | Collect Edge Bookmarks |
43 | Browser | Opera Bookmarks | Collect Opera Bookmarks |
44 | Browser | Vivaldi Bookmarks | Collect Vivaldi Bookmarks |
45 | Browser | Brave Bookmarks | Collect Brave Bookmarks |
46 | Browser | QQ Bookmarks | Collect QQ Bookmarks |
47 | Browser | Chrome User Profiles | Collect Chrome User Profiles |
48 | Browser | Edge User Profiles | Collect Edge User Profiles |
49 | Browser | Opera User Profiles | Collect Opera User Profiles |
50 | Browser | Vivaldi User Profiles | Collect Vivaldi User Profiles |
51 | Browser | Brave User Profiles | Collect Brave User Profiles |
52 | Browser | QQ User Profiles | Collect QQ User Profiles |
53 | Browser | Chrome Extensions | Collect Chrome Extensions |
54 | Browser | Chrome Local Storage | Collect Chrome Local Storage |
55 | Browser | Edge Local Storage | Collect Edge Local Storage |
56 | Browser | Opera Local Storage | Collect Opera Local Storage |
57 | Browser | Vivaldi Local Storage | Collect Vivaldi Local Storage |
58 | Browser | Brave Local Storage | Collect Brave Local Storage |
59 | Browser | QQ Local Storage | Collect QQ Local Storage |
60 | Browser | Dump Chrome Indexed DB | Dump Chrome Indexed DB |
61 | Browser | Dump Edge Indexed DB | Dump Edge Indexed DB |
62 | Browser | Dump Opera Indexed DB | Dump Opera Indexed DB |
63 | Browser | Dump Vivaldi Indexed DB | Dump Vivaldi Indexed DB |
64 | Browser | Dump Brave Indexed DB | Dump Brave Indexed DB |
65 | Browser | Dump QQ Indexed DB | Dump QQ Indexed DB |
66 | Browser | Chrome Web Storage | Collect Chrome Web Storage |
67 | Browser | Edge Web Storage | Collect Edge Web Storage |
68 | Browser | Opera Web Storage | Collect Opera Web Storage |
69 | Browser | Vivaldi Web Storage | Collect Vivaldi Web Storage |
70 | Browser | Brave Web Storage | Collect Brave Web Storage |
71 | Browser | QQ Web Storage | Collect QQ Web Storage |
72 | Browser | Chrome Form History | Collect Chrome Form History |
73 | Browser | Edge Form History | Collect Edge Form History |
74 | Browser | Opera Form History | Collect Opera Form History |
75 | Browser | Vivaldi Form History | Collect Vivaldi Form History |
76 | Browser | Brave Form History | Collect Brave Form History |
77 | Browser | QQ Form History | Collect QQ Form History |
78 | Browser | Chrome Thumbnails | Collect Chrome Thumbnails |
79 | Browser | Edge Thumbnails | Collect Edge Thumbnails |
80 | Browser | Opera Thumbnails | Collect Opera Thumbnails |
81 | Browser | Vivaldi Thumbnails | Collect Vivaldi Thumbnails |
82 | Browser | Brave Thumbnails | Collect Brave Thumbnails |
83 | Browser | QQ Thumbnails | Collect QQ Thumbnails |
84 | Browser | Chrome Favicons | Collect Chrome Favicons |
85 | Browser | Edge Favicons | Collect Edge Favicons |
86 | Browser | Opera Favicons | Collect Opera Favicons |
87 | Browser | Vivaldi Favicons | Collect Vivaldi Favicons |
88 | Browser | Brave Favicons | Collect Brave Favicons |
89 | Browser | QQ Favicons | Collect QQ Favicons |
90 | Browser | Chrome Login Data | Collect Chrome Login Data |
91 | Browser | Edge Login Data | Collect Edge Login Data |
92 | Browser | Opera Login Data | Collect Opera Login Data |
93 | Browser | Vivaldi Login Data | Collect Vivaldi Login Data |
94 | Browser | Brave Login Data | Collect Brave Login Data |
95 | Browser | QQ Login Data | Collect QQ Login Data |
96 | Browser | Chrome Sessions | Collect Chrome Sessions |
97 | Browser | Edge Sessions | Collect Edge Sessions |
98 | Browser | Opera Sessions | Collect Opera Sessions |
99 | Browser | Brave Sessions | Collect Brave Sessions |
100 | Browser | Vivaldi Sessions | Collect Vivaldi Sessions |
101 | Browser | QQ Sessions | Collect QQ Sessions |
102 | Browser | Chrome Browsing History | Collect visited URLs from Google Chrome |
103 | Browser | Firefox Browsing History | Collect visited URLs from Mozilla Firefox |
104 | Browser | IE 7,8,9 Browsing History | Collect visited URLs from Internet Explorer |
105 | Browser | IE 10,11,Edge Browsing History | Collect visited URLs from Internet Explorer and Edge |
106 | Browser | Opera Browsing History | Collect Visited URLs from Opera |
107 | Browser | Brave Browsing History | Collect Visited URLs from Brave |
108 | Browser | Vivaldi Browsing History | Collect Visited URLs from Vivaldi |
109 | Browser | QQ Browsing History | Collect Visited URLs from QQ |
110 | Browser | Chrome Downloads | Collect Chrome Downloads |
111 | Browser | Edge Downloads | Collect Edge Downloads |
112 | Browser | Firefox Downloads | Collect Firefox Downloads |
113 | Browser | Opera Downloads | Collect Opera Downloads |
114 | Browser | Brave Downloads | Collect Brave Downloads |
115 | Browser | Vivaldi Downloads | Collect Vivaldi Downloads |
116 | Browser | QQ Downloads | Collect QQ Downloads |
117 | Browser | Firefox Cookies | Collect Firefox Cookies |
118 | NTFS | MFT as CSV | Dump MFT entries in CSV format |
119 | NTFS | MFT | Dump raw contents of $MFT |
120 | NTFS | MFT Mirror | Dump MFT Mirror as raw |
121 | NTFS | USN Journal as CSV | Parse USN Journal Entries in CSV Format |
122 | NTFS | $Log File | Dump raw contents of $LogFile |
123 | NTFS | USN Journal | Dump contents of $UsnJrnl file |
124 | NTFS | $Boot | Dump Raw Contents of $Boot File |
125 | NTFS | USN Journal $Max | Dump Contents of $UsnJrnl:$Max |
126 | NTFS | $Secure:$SDS | Dump Contents of $Secure:$SDS |
127 | NTFS | $TxfLog $Tops:$T | Dump Contents of $TxfLog\$Tops:$T |
128 | Registry | Registry Hives | Dump registry hives |
129 | Registry | Old Registry Hives | Dump old registry hives in upgraded operating systems |
130 | Registry | ShellBags | Enumerate ShellBags |
131 | Registry | AppCompactCache | Enumarate AppCompatCache (aka ShimCache) |
132 | Registry | UserAssist | Enumerate UserAssist |
133 | Registry | TypedPaths | Enumerate TypedPaths |
134 | Registry | FirstFolder | Enumerate FirstFolder |
135 | Registry | RecentDocs | Enumerate RecentDocs |
136 | Registry | WordWheelQuery | Enumerate WordWheelQuery |
137 | Registry | FileExts | Enumerate FileExts |
138 | Registry | ShellFolders | Enumerate ShellFolders |
139 | Registry | RunMRU | Enumerate RunMRU |
140 | Registry | Map Network Drive MRU | Enumerate Map Network Drive MRU |
141 | Registry | TypedURLs | Enumerate TypedURLs |
142 | Registry | OfficeMRU | Enumerate OfficeMRU |
143 | Registry | AppPaths | Enumerate AppPaths |
144 | Registry | CIDSizeMRU | Enumerate CIDSizeMRU |
145 | Registry | LastVisitedPidlMRU | Enumerate LastVisitedPidlMRU |
146 | Registry | OpenSavePidlMRU | Enumerate OpenSavePidlMRU |
147 | Registry | Winrar History | Enumerate Winrar History |
148 | Network | DNS Cache | Collect DNS Cache |
149 | Network | TCP Table | Collect TCP Table |
150 | Network | UDP Table | Collect UDP Table |
151 | Network | ARP Table | Collect ARP Table |
152 | Network | IPv4 Routes | Collect IPv4 Routes |
153 | Network | Network Adapters | Collect information about network adapters |
154 | Network | Network Shares | Collect information about network shares |
155 | Network | Hosts | Dump Hosts File |
156 | Event Logs | EVT Files | Dump evt event log files |
157 | Event Logs | EVTX Files | Dump evtx event log files |
158 | Event Logs | EVT Records | Collect most recent event log records |
159 | Process Execution | Prefetch Files | Collect Prefetch Files and Parse |
160 | Process Execution | SRUM | Collect SRUM and Parse |
161 | Process Execution | Windows Timeline | Collect Windows Timeline |
162 | Process Execution | AmCache | Collect Amcache and Parse |
163 | Process Execution | Recent File Cache | Collect recent file cache files |
164 | Process Execution | Parse LNK Files | Parse LNK Files |
165 | Process Execution | Collect LNK Files | Collect LNK Files |
166 | Other Evidence | ETL | Collect ETL Log |
167 | Other Evidence | CLR | Collect CLR Log |
168 | Other Evidence | Jump List | Collect Jump List Files |
169 | Other Evidence | Windows Index Search | Collect Windows Index Search Database |
170 | Other Evidence | Superfetch | Collect Superfetch Files |
171 | Other Evidence | WBEM | Collect WBEM Files |
172 | Other Evidence | INF Setup | Collect INF Setup Log Files |
173 | Other Evidence | SDB | Collect SDB |
174 | Other Evidence | Powershell Logs | Collect Powershell Logs |
175 | Other Evidence | Powershell ConsoleHost History | Collect Powershell ConsoleHost History |
176 | Other Evidence | Thumbcache | Collect Thumbcache |
177 | Other Evidence | Iconcache | Collect Iconcache |
178 | Other Evidence | RDP Cache | Collect RDP Cache Files |
Windows Artifact List:
1 | Server | Apache Logs | Collect Apache Logs |
2 | Server | MongoDB Logs | Collect MongoDB Logs |
3 | Server | IIS Logs | Collect IIS Logs |
4 | Server | MSSQL Logs | Collect MSSQL Logs |
5 | Server | Microsoft Exchange Logs | Collect Microsoft Exchange Logs |
6 | Server | DHCP Server Logs | Collect DHCP Server Logs |
7 | Server | DNS Server Logs | Collect DNS Server Logs |
8 | Server | Active Directory Logs | Collect Active Directory Logs |
9 | Microsoft Applications | Microsoft Photos | Collect Microsoft Photos History Database |
10 | Microsoft Applications | Cortana History | Collect Cortana History Databases |
11 | Microsoft Applications | Microsoft Store Applications List | Collect Microsoft Store Applications List Database |
12 | Microsoft Applications | Microsoft Sticky Notes | Collect Microsoft Sticky Notes |
13 | Microsoft Applications | Microsoft Maps | Collect Microsoft Maps Locations |
14 | Microsoft Applications | Microsoft Voice Record History | Collect Microsoft Voice Record History |
15 | Microsoft Applications | Windows Notification History | Collect Windows Notification History |
16 | Microsoft Applications | Search History | Collect Windows Start Menu Search History |
17 | Microsoft Applications | Microsoft People | Collect Microsoft People Data |
18 | Microsoft Applications | Microsoft Calendar | Collect Microsoft Calendar Data |
19 | Communication | Discord Desktop Cache | Collect Discord Desktop Cache |
20 | Communication | Microsoft Mail | Collect Microsoft Mail Emails |
21 | Communication | Microsoft Outlook | Collect Microsoft Outlook Emails |
22 | Communication | Mozilla Thunderbird | Collect Mozilla Thunderbird Emails |
23 | Communication | Skype Databases | Collect Skype Databases |
24 | Communication | Skype Media | Collect Skype Media |
25 | Communication | Telegram Desktop Data | Collect Telegram Desktop Data |
26 | Communication | Telegram Desktop Download | Collect Telegram Desktop Download Folder |
27 | Communication | WhatsApp Desktop Cache | Collect WhatsApp Desktop Cache |
28 | Communication | WhatsApp Desktop Cookie | Collect WhatsApp Desktop Cookie |
29 | Communication | Windows Live Mail User Settings | Collect Windows Live Mail User Settings |
30 | Communication | Zoom Databases | Collect Zoom Databases |
31 | Communication | Zoom Media | Collect Zoom Media Files & Link Previews |
32 | Remote Desktop/Management Tools | Action1 RMM Logs | Collect Action1 RMM Logs |
33 | Remote Desktop/Management Tools | AmmyAdmin Logs | Collect AmmyAdmin Logs |
34 | Remote Desktop/Management Tools | AnyDesk Logs | Collect AnyDesk Logs |
35 | Remote Desktop/Management Tools | GoTo Logs | Collect GoTo Logs |
36 | Remote Desktop/Management Tools | Kaseya Logs | Collect Kaseya Logs |
37 | Remote Desktop/Management Tools | Level Logs | Collect Level Application Specific Files and Logs |
38 | Remote Desktop/Management Tools | LogMeIn Logs | Collect LogMeIn Logs |
39 | Remote Desktop/Management Tools | RealVNC Logs | Collect RealVNC Application Debug Logs |
40 | Remote Desktop/Management Tools | RemComSvc Logs | Collect RemComSvc Logs |
41 | Remote Desktop/Management Tools | Remote Utilities Logs | Collect Remote Utilities Application Logs |
42 | Remote Desktop/Management Tools | ScreenConnect (ConnectWise Control) Application Data | Collect Various Types of ScreenConnect (ConnectWise Control) Application Data |
43 | Remote Desktop/Management Tools | Splashtop Logs | Collect Splashtop Application Logs |
44 | Remote Desktop/Management Tools | Supremo Remote Desktop Logs | Collect Supremo Remote Desktop Application Logs |
45 | Remote Desktop/Management Tools | Teamviewer Logs | Collect Teamviewer Connection Logs |
46 | Remote Desktop/Management Tools | TightVNC Logs | Collect TightVNC Application Logs |
47 | Remote Desktop/Management Tools | Ultraviewer Logs | Collect Ultraviewer Logs |
48 | Remote Desktop/Management Tools | UltraVNC Logs | Collect UltraVNC Application Specific Log Files |
49 | Remote Desktop/Management Tools | Xeox Logs | Collect Xeox Application Specific Log Files |
50 | Remote Desktop/Management Tools | ZohoAssist Logs | Collect ZohoAssist Application Specific Logs |
51 | Social Artifacts | Twitter Databases | Collect Twitter Store Application Databases |
52 | Social Artifacts | Twitter Cache | Collect Twitter Store Application Cache |
53 | Social Artifacts | Facebook Databases | Collect Facebook Store Application User Databases |
54 | Social Artifacts | Facebook Cache | Collect Facebook Store Application Cache |
55 | Social Artifacts | LinkedIn Cache | Collect LinkedIn Store Application Cache |
56 | Social Artifacts | Spotify Recently Played List | Collect Spotify Recently Played List & Social Manager |
57 | Social Artifacts | Spotify Cache | Collect Spotify Cache |
58 | Productivity Artifacts | Sublime Text Sessions | Collect Sublime Text Sessions & Contents |
59 | Productivity Artifacts | Notepad++ Sessions | Collect Notepad++ Search History & Sessions |
60 | Productivity Artifacts | OpenVPN Config | Collect OpenVPN Config Files |
61 | Productivity Artifacts | Everything History | Collect Everything Run History |
62 | Productivity Artifacts | Evernote Databases | Collect Evernote Databases |
63 | Productivity Artifacts | Evernote Drag and Drop Files | Collect Evernote Drag and Drop Files |
64 | Productivity Artifacts | Evernote Logs | Collect Evernote Logs |
65 | Utilities Artifacts | iTunes Backups | Collect iTunes Backups |
66 | Utilities Artifacts | VMware Config | Collect VMware Config |
67 | Utilities Artifacts | VMware Drag and Drop Files | Collect VMware Drag and Drop Files |
68 | Utilities Artifacts | VMware Logs | Collect VMware Logs |
69 | Developer Tools | FileZilla Sessions | Collect FileZilla Sessions & Site Manager Settings |
70 | Developer Tools | Visual Studio Team Explorer Config | Collect Visual Studio Team Explorer Config |
71 | Developer Tools | Github Desktop Databases | Collect Github Desktop Databases |
72 | Developer Tools | Github Desktop Cache | Collect Github Desktop Cache |
73 | Developer Tools | Github Desktop Logs | Collect Github Desktop Logs |
74 | Developer Tools | WSL | Collect Windows Subsystem for Linux Files |
75 | Developer Tools | Tortoise Git Logs | Collect Tortoise Git Synchronization Logs |
76 | Cloud Artifacts | Google Drive Databases | Collect Google Drive Synchronization Databases |
77 | Cloud Artifacts | Dropbox Databases | Collect Dropbox Synchronization Databases |
78 | Cloud Artifacts | Dropbox Logs | Collect Dropbox Logs |
79 | Cloud Artifacts | Dropbox Cache | Collect Dropbox Cache |
80 | Cloud Artifacts | OneDrive Logs | Collect OneDrive Logs |
81 | Docker | Docker Changes | Collect Docker Changes |
82 | Docker | Docker Containers | Collect Docker Containers |
83 | Docker | Docker Image History | Collect Docker Image History |
84 | Docker | Docker Images | Collect Docker Images |
85 | Docker | Docker Info | Collect Docker Info |
86 | Docker | Docker Networks | Collect Docker Networks |
87 | Docker | Docker Processes | Collect Docker Processes |
88 | Docker | Docker Volumes | Collect Docker Volumes |
89 | Antivirus Logs | Avast Logs | Collect Avast Logs |
90 | Antivirus Logs | AVG Logs | Collect AVG Logs |
91 | Antivirus Logs | Avira Logs | Collect Avira Logs |
92 | Antivirus Logs | Bitdefender Logs | Collect Bitdefender Logs |
93 | Antivirus Logs | Carbon Black Logs | Collect Carbon Black Logs |
94 | Antivirus Logs | Cisco AMP Logs | Collect Cisco AMP Logs |
95 | Antivirus Logs | ComboFix | Collect ComboFix Logs |
96 | Antivirus Logs | Cybereason Logs | Collect Cybereason Logs |
97 | Antivirus Logs | Cylance Logs | Collect Cylance Logs |
98 | Antivirus Logs | Deep Instinct Logs | Collect Deep Instinct Logs |
99 | Antivirus Logs | Elastic Logs | Collect Elastic Logs |
100 | Antivirus Logs | Eset Logs | Collect Eset Logs |
101 | Antivirus Logs | F-Secure Logs | Collect F-Secure Logs |
102 | Antivirus Logs | FireEye Logs | Collect FireEye Logs |
103 | Antivirus Logs | HitmanPro Logs | Collect HitmanPro Logs |
104 | Antivirus Logs | MalwareBytes Logs | Collect MalwareBytes Logs |
105 | Antivirus Logs | McAfee Logs | Collect McAfee Logs |
106 | Antivirus Logs | Palo Alto Logs | Collect Palo Alto Logs |
107 | Antivirus Logs | RogueKiller Reports | Collect RogueKiller Reports |
108 | Antivirus Logs | SentinelOne Logs | Collect SentinelOne Logs |
109 | Antivirus Logs | Sophos Logs | Collect Sophos Logs |
110 | Antivirus Logs | Sourcefire FireAMP Logs | Collect Sourcefire FireAMP Logs |
111 | Antivirus Logs | SUPERAntiSpyware Logs | Collect SUPERAntiSpyware Logs |
112 | Antivirus Logs | Symantec Logs | Collect Symantec Logs |
113 | Antivirus Logs | Tanium Logs | Collect Tanium Logs |
114 | Antivirus Logs | TotalAv Logs | Collect TotalAv Logs |
115 | Antivirus Logs | Trend Micro Logs | Collect Trend Micro Logs |
116 | Antivirus Logs | VIPRE Logs | Collect VIPRE Logs |
117 | Antivirus Logs | Webroot Logs | Collect Webroot Logs |
118 | Antivirus Logs | Windows Defender Logs | Collect Windows Defender Logs |
Last updated