Back to binalyze.com
Search…
Welcome
AIR
AIR
Introduction
Setup
Features
Integrations
FAQ
TACTICAL
TACTICAL
What is TACTICAL?
Running TACTICAL from command line
Command Line Options
Evidence Types
Artifact Types
Command Line Examples
Exit Codes
DRONE
DRONE
Introduction
How to use it?
Settings
Reporting
Features
General
Licenses
Powered By
GitBook
Evidence Types
You can use the command line options for enabling each evidence type separately when Custom collection profile is selected by providing --profile custom option.
Name
Long Form
Short Form
Default
Clipboard
--Clipboard
-clp
TRUE
Crash Dump Info
--CrashDumpInfo
-cdi
TRUE
Recycle Bin Info
--RecycleBinInfo
-rbi
TRUE
Restore Point Info
--RestorePointInfo
-rpi
TRUE
Driver Info
--DriverInfo
-dri
TRUE
Process Info
--ProcessInfo
-pri
TRUE
Screenshots
--Screenshots
-scr
TRUE
AntiVirus Info
--AVInfo
-avi
TRUE
DNS Server
--DNSServer
-dnss
TRUE
Proxy Info
--ProxyInfo
-prxy
TRUE
Downloads Info
--DownloadsInfo
-dli
FALSE
Autoruns
--Autoruns
-aui
TRUE
Installed Apps
--InstalledApps
-apps
TRUE
Firewall Rules
--Firewall
-frwl
TRUE
Volume Info
--VolumeInfo
-voli
TRUE
MBR
--MBR
-mbr
FALSE
RAM
--RAM
-ram
TRUE
PageFile
--PageFile
-pgf
TRUE
SwapFile
--SwapFile
-swp
FALSE
Hibernation File
--HibernationFile
-hbr
FALSE
Chrome History
--ChromeHistory
-chst
TRUE
Firefox History
--FirefoxHistory
-fhst
TRUE
IE History
--InternetExplorerHistory
-ihst
TRUE
Edge History
--EdgeHistory
-ehst
TRUE
Opera History
--OperaHistory
-ohst
TRUE
MFT as CSV
--MFTCsv
-mftcsv
TRUE
MFT as Binary
--MFTBin
-mft
FALSE
MFT Mirror
--MFTMirr
-mftmir
FALSE
Ntfs LogFile
--NtfsLogFile
-ntfslog
TRUE
Ntfs UsnJournal
--NtfsUsnJournal
-usnjrn
TRUE
Registry Hives
--Hives
-hiv
TRUE
Registry Hives (Windows.Old)
--HivesOld
-hivold
TRUE
ShellBags
--ShellBags
-sbgs
TRUE
App Compat Cache
--AppCompatCache
-appcc
TRUE
DNS Cache
--DNSCache
-dnsc
TRUE
TCP Table
--TCPTable
-tcpt
TRUE
UDP Table
--UDPTable
-udpt
TRUE
ARP Table
--ARPTable
-arpt
TRUE
IPv4 Routes
--IPv4Routes
-ipv4
TRUE
Network Adapters
--NetworkAdapters
-netadp
TRUE
Network Shares
--NetworkShares
-netshr
TRUE
Hosts File
--HostsFile
-hosts
TRUE
EVT
--EVT
-evt
TRUE
EVTX
--EVTX
-evtx
TRUE
Event Records
--EVTR
-evtr
TRUE
WMI Active Script
--WMIActiveScript
-wmiasc
TRUE
WMI Command Line
--WMICommandLine
-wmicec
TRUE
Prefetch
--Prefetch
-pf
TRUE
SRUM
--Srum
-srum
TRUE
Activities DB
--ActivitiesDb
-adb
TRUE
AmCache
--AmCache
-amc
TRUE
RecentFileCache
--RecentFileCache
-rfc
TRUE
ETL
--ETL
-etl
FALSE
CLR
--CLR
-clr
FALSE
JumpList
--JumpList
-jmplst
TRUE
LNK Files
--LnkFiles
-lnkf
TRUE
Index Search
--IndexSearch
-indxs
FALSE
SuperFetch
--SuperFetch
-sprf
FALSE
WBEM
--WBEM
-wbem
FALSE
INF LOG
--INFLOG
-infl
FALSE
Shim Database
--SDB
-sdb
FALSE
Powershell
--Powershell
-pwrs
TRUE
Thumb Cache
--Thumbcache
-tc
FALSE
Icon Cache
--Iconcache
-ic
FALSE
RDP Cache
--RDPcache
-rdpc
FALSE
​
TACTICAL - Previous
Command Line Options
Next - TACTICAL
Artifact Types
Last modified
1mo ago
Copy link