acquire
acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
In utils.py, there are two instances where `--output_file` is used instead of `--output-file`; this needs to be changed for consistency: [https://github.com/fox-it/acquire/blob/8a3a0b5eaf3d6e251aa52b5cad7e0b49a22cf7cd/acquire/utils.py#L302](https://github.com/fox-it/acquire/blob/8a3a0b5eaf3d6e251aa52b5cad7e0b49a22cf7cd/acquire/utils.py#L302)
CarbonBlack logs can contain interesting information; they reside in the following directory on Windows:
- `c:\ProgramData\CarbonBlack\Logs`
Some example log files in this directory:
- confer.log and confer.log.\*.zip
- cblr.log
- ...
Acquire can give confusing output that does not make it obvious whether it exited cleanly or not. Even after a summary it sometimes still provides confusing output. This makes it...
Currently it’s only used when the target is ESXi, not necessarily the host system. This can give issues when trying to acquire an offline VM from an ESXi shell directly,...
Acquire part for https://github.com/fox-it/dissect.target/pull/540. For now, only collect the Windows 11 notepad tab directory, but this may of course be extended. Also added it to the `full` profile.
https://github.com/fox-it/acquire/blob/00533952ace6d432c230edc338a7f01b8e650b1f/acquire/acquire.py#L1410
This file is wrongly marked as a directory. It is, in fact, a regular file:
```
$ ls -lah
total 40
drwxrwxr-x 4 root admin 128B Mar 18 21:58...
```
The UEFI partition is FAT based, and dissect.fat _should_ just work. Might need some investigation into the differences between Windows and Linux based systems.
The following files would be beneficial when collecting data with Acquire.
```
C:\$LogFile
C:\$Extend\$UsnJrnl:$Max
C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T
C:\$Extend\$RmMetadata\$TxfLog\$T
```
Instead of a python function for everything
We recently had a case where relevant logs (and other traces) were stored in Docker volumes. It would be nice to have a way (a `docker` plugin?) to acquire the...