Create your own acquisition profiles and start collecting digital evidence with a single click.
Pre-defined acquisition profiles
By default, AIR comes with several pre-defined acquisition profiles: a profile for collecting all evidence types and application artifacts; a quick profile for collecting more comprehensive endpoint information; a memory (RAM + PageFile) profile for a memory-only investigation; an event logs profile for collecting EVT/EVTX files from the endpoint; a browsing history profile for capturing the visited websites as a CSV file; and a network capture profile.
The pre-defined acquisition profiles are already available when you start an acquisition task. You can learn more about starting an acquisition here.
Create a new acquisition profile
Create new acquisition profiles by going to the AIR dashboard and clicking on the "Acquisition" section. All newly created profiles will be automatically available in the acquisition profile dropdown when you start a new acquisition task.
Customize to your own needs
As you can see, creating new acquisition profiles is very easy. You can create as many new profiles as you need (there is no limit), customize them by enabling or disabling specific evidence types, artifact types, and custom content profiles, and further enrich them by capturing network traffic.
You can have a dedicated network capture profile, or you can add other evidence acquisition requirements to the profile from the Evidence List, Artifact List, or Custom Content Profiles. Note that if you combine evidence types like this, completion of the evidence acquisition is delayed for the duration of the network capture.