AIR Evidence Types
Our proprietary IREC forensic evidence collection engine is by far the most comprehensive DFIR tool currently available.
- Hundreds of different evidence types collected in less than 10 minutes.
- RFC 3161 compliant timestamping (first and only tool in the market).
A full list of the current evidence collected is below.
Evidence List
SYSTEM EVIDENCE TYPES
Collect clipboard contents
Collect information about crash dumps
Collect information about items in recycle bin
Collect information about system restore points
Collect driver list
Collect process and modules list
Capture screenshots of application windows
Collect information about installed antivirus
Collect DNS Server addresses
Collect information about proxy list
Enumerate Installed Applications
Enumerate Firewall Rules
Collect Information About Downloaded Files
Collect Information About Autoruns
Dump Latest Shadow Copy Files Information in CSV Format
Collect EventTranscript DB
Collect system controls
Collect cron jobs
Collect AppArmor profiles
Collect ulimit information
Collect kernel modules
Collect lock files
Collect Crashes
Collect Gatekeeper details
Collect Gatekeeper apps allowed to run
Collect info on installed apps
Collect kernel extensions info
Collect override keys for LaunchDaemons and Agents
Collect Package Install History
Collect system extension info
Collect SIP status
Collect print job info
Collect printer info
DISK EVIDENCE TYPES
Collect information about volumes
Collect Master Boot Record
Collect block devices
Collect fstab configuration
Collect mounts
Collect NFS exports
Collect Block Devices
Collect Disk Encryption status
MEMORY EVIDENCE TYPES
Create an image of RAM
Dump system page file
Dump system swap file
Dump hibernation file
Collect shared memory
Collect memory map
Collect swap info
Create an image of RAM
FILE SYSTEM EVIDENCE TYPES
Dump file and folder information
CONFIGURATION EVIDENCE TYPES
Collect ETC Hosts
Collect ETC Protocols
Collect ETC Services
PROCESSES EVIDENCE TYPES
Collect process list
Collect process open files information
Collect info on autoloaded processes
Collect Processes
BROWSER EVIDENCE TYPES
Collect visited URLs from Google Chrome
Collect visited URLs from Mozilla Firefox
Collect visited URLs from Internet Explorer and Edge
Collect Visited URLs from Opera
Collect Visited URLs from Safari
USERS EVIDENCE TYPES
Collect user group list
Collect user list
Collect last access records
Collect logged user list
Collect shadow content
Collect sudoers
Collect failed login attempts
Collect User Groups
Collect Users
KNOWLEDGEC EVIDENCE TYPES (macOS only)
Collect Application Usage
Collect Bluetooth Connections
Collect Notification Info
SSH EVIDENCE TYPES
Collect SSH known hosts
Collect SSH authorized keys
Collect SSH configurations
Collect SSHD configurations
NTFS EVIDENCE TYPES
Dump MFT entries in CSV format
Dump raw contents of $MFT
Dump MFT Mirror as raw
Dump raw contents of $LogFile
Dump contents of $UsnJrnl file
Dump Raw Contents of $Boot File
Dump Contents of $UsnJrnl:$Max
Dump Contents of $Secure:$SDS
Dump Contents of $TxfLog\$Tops:$T
REGISTRY EVIDENCE TYPES
Dump registry hives
Dump old registry hives in upgraded operating systems
Enumerate ShellBags
Enumerate AppCompatCache (aka ShimCache)
Enumerate UserAssist
Enumerate TypedPaths
Enumerate FirstFolder
Enumerate RecentDocs
Enumerate WordWheelQuery
Enumerate FileExts
Enumerate ShellFolders
Enumerate RunMRU
Enumerate Map Network Drive MRU
Enumerate TypedURLs
Enumerate OfficeMRU
Enumerate AppPaths
Enumerate CIDSizeMRU
Enumerate LastVisitedPidlMRU
Enumerate OpenSavePidlMRU
NETWORK EVIDENCE TYPES
Collect DNS Cache
Collect TCP Table
Collect UDP Table
Collect ARP Table
Collect IPv4 Routes
Collect information about network adapters
Collect information about network shares
Dump Hosts File
Collect hosts
Collect ICMP table
Collect IP routes
Collect IP tables
Collect Raw table
Collect network interfaces
Collect TCP table
Collect UDPLite table
Collect UDP table
Collect Unix sockets
Collect ARP table
Collect DNS resolvers
Collect Listening Ports
EVENT LOGS EVIDENCE TYPES
Dump evt event log files
Collect most recent event log records
WMI EVIDENCE TYPES
Dump WMI active script event consumers
Dump WMI command line event consumers
PROCESS EXECUTION EVIDENCE TYPES
Collect Prefetch Files and Parse
Collect SRUM and Parse
Dump activities db files
Collect Amcache and Parse
Collect recent file cache files
Chrome Extensions (Linux Only)
Collect Chrome Extensions
OTHER EVIDENCE TYPES
Collect ETL Log
Collect CLR Log
Collect Jump List Files
Collect LNK Files
Collect Windows Index Search Database
Collect Superfetch Files
Collect WBEM Files
Collect INF Setup Log Files
Collect Shim Database
Collect Powershell Logs
Collect Thumbcache
Collect Iconcache
Collect RDP Cache Files
Collect APT sources
Collect APT history
Collect Debian packages
Collect YUM sources
Collect SELinux configurations
Collect SELinux settings
Collect SUID binaries
Collect shell history
Collect system artifacts (files of collected evidence, for example /etc/passwd)
Collect log files under /var/log/
Artifacts List
SERVER ARTIFACTS
Collect Apache Logs
Collect MongoDB Logs
Collect IIS Logs
Collect MSSQL Logs
Collect Microsoft Exchange Logs
Collect DHCP Server Logs
Collect Active Directory Logs
Collect Apache Logs
Collect NGINX Logs
Collect MongoDB Logs
Collect MySQL Logs
Collect PostgreSQL Logs
Collect SSH Server Logs
Collect DHCP Server Logs
Collect Apache Logs
Collect NGINX Logs
Collect MongoDB Logs
Collect MySQL Logs
Collect PostgreSQL Logs
MICROSOFT APPLICATIONS ARTIFACTS
Collect Microsoft Photos History Database
Collect Cortana History Databases
Collect Microsoft Store Applications List Database
Collect Microsoft Sticky Notes
Collect Microsoft Maps Locations
Collect Microsoft Voice Record History
Collect Windows Notification History
Collect Windows Start Menu Search History
Collect Microsoft People Data
Collect Microsoft Calendar Data
COMMUNICATIONS ARTIFACTS
Collect AnyDesk Logs
Collect Discord Desktop Cache
Collect LogMeIn Logs
Collect Microsoft Mail Emails
Collect Microsoft Outlook Emails
Collect Mozilla Thunderbird Emails
Collect RemComSvc Logs
Collect Skype Databases
Collect Skype Media
Collect TeamViewer Connection Logs
Collect Telegram Desktop Data
Collect Telegram Desktop Download Folder
Collect UltraViewer Logs
Collect WhatsApp Desktop Cache
Collect WhatsApp Desktop Cookie
Collect Windows Live Mail User Settings
Collect Zoom Databases
Collect Zoom Media Files & Link Previews
SOCIAL ARTIFACTS
Collect Twitter Store Application Databases
Collect Twitter Store Application Cache
Collect Facebook Store Application User Databases
Collect Facebook Store Application Cache
Collect LinkedIn Store Application Cache
Collect Spotify Recently Played List & Social Manager
Collect Spotify Cache
PRODUCTIVITY ARTIFACTS
Collect Sublime Text Sessions & Contents
Collect Notepad++ Search History & Sessions
Collect OpenVPN Config Files
Collect Everything Run History
Collect Evernote Databases
Collect Evernote Drag and Drop Files
Collect Evernote Logs
UTILITY ARTIFACTS
Collect iTunes Backups
Collect VMware Config
Collect VMware Drag and Drop Files
Collect VMware Logs
DEVELOPER TOOLS ARTIFACTS
Collect FileZilla Sessions & Site Manager Settings
Collect Visual Studio Team Explorer Config
Collect GitHub Desktop Databases
Collect GitHub Desktop Cache
Collect GitHub Desktop Logs
Collect Windows Subsystem for Linux Files
Collect Tortoise Git Synchronization Logs
CLOUD ARTIFACTS
Collect Google Drive Synchronization Databases
Collect Dropbox Synchronization Databases
Collect Dropbox Logs
Collect Dropbox Cache
ANTIVIRUS LOGS
Collect Avast Logs
Collect AVG Logs
Collect Avira Logs
Collect Bitdefender Logs
Collect Carbon Black Logs
Collect Cisco AMP Logs
Collect ComboFix Logs
Collect Cybereason Logs
Collect Cylance Logs
Collect Deep Instinct Logs
Collect Elastic Logs
Collect Eset Logs
Collect F-Secure Logs
Collect FireEye Logs
Collect HitmanPro Logs
Collect Malwarebytes Logs
Collect McAfee Logs
Collect Palo Alto Logs
Collect RogueKiller Reports
Collect SentinelOne Logs
Collect Sophos Logs
Collect Sourcefire FireAMP Logs
Collect SUPERAntiSpyware Logs
Collect Symantec Logs
Collect Tanium Logs
Collect TotalAV Logs
Collect Trend Micro Logs
Collect VIPRE Logs
Collect Webroot Logs
Collect Windows Defender Logs
DOCKER ARTIFACTS
Collect Docker Changes
Collect Docker Containers
Collect Docker Image History
Collect Docker Images
Collect Docker Info
Collect Docker Networks
Collect Docker Processes
Collect Docker Volumes
SYSTEM ARTIFACTS
Collect System Logs
Collect Messages Logs
Collect Auth Logs
Collect Secure Logs
Collect Boot Logs
Collect Kernel Logs
Collect Mail Logs
Collect System Logs
Collect Install Logs
Collect Wi-Fi Logs
Collect KnowledgeC Database