Welcome to Dissect!

Effortlessly extract and investigate forensic artefacts from any source with Dissect. Go from intake call to patient zero in a matter of hours, even in infrastructures with thousands of systems.

Quick Demo

In just a couple of seconds you can query a forensic image or even open a shell!

_images/demo.gif

Usage Example

One of the most prominent tools that Dissect offers is called target-query. With this simple command you can, for example, extract all user accounts from a disk image:

$ target-query pc.img -f users

<windows/user ... name='systemprofile' ...>
<windows/user ... name='LocalService' ...>
<windows/user ... name='NetworkService' ...>
<windows/user ... name='Mr. Evil' ...>

To see what other useful artefacts you can query use -l:

$ target-query pc.img -l

This will list all Dissect functions and artefacts that are available for this image. To list all functions and artefacts, regardless of the image, just leave out the image argument!

Try the Tutorial to get started!

Key features

Dissect is a powerful artefact extractor and parser that saves you a lot of time. With Dissect you can:

  • Quickly extract artefacts from any source (for example IMG, EWF, Kape, DD, VDI, PVM).

  • Access artefacts from almost any OS (for example Windows, macOS, Linux/Unix, ESXi).

  • Access almost any filesystem (for example NTFS, EXT, XFS, QNX6).

  • Parse logs, registry entries, cookies, history and more, directly from the source.

  • Export findings to text, JSON, CSV or stream to datastores like Splunk, Elastic, MySQL.

  • Feed, filter and script to process found data in any way you like.

  • Investigate images with powerful tools like target-shell, target-mount or using our friendly Python API.

These features can enable you to:

  • Make a timeline of the event log from all your investigation data at once.

  • Identify anomalies in artefacts such as services, tasks and run keys over a large amount of investigation data.

  • Do incident response on virtual machine disks encrypted by ransomware.

  • Extract artefacts from LVM, RAID and other disk setups, without any manual configuration.

  • Perform complex IOC checks on thousands of hosts in a couple of hours.

  • Collect forensic artefacts from running virtual machines directly from the hypervisor without down time.

Learn more

Excited? Great, so are we! The next step is to get to know Dissect a little better.

Or you can start by taking a look at some community articles and videos: Dissect in Action or Talks and Conferences to begin with.

Get in touch, join us on github!