acquire

Acquire can collect forensic artefacts from a live system or an image. Resulting images can be fed to other Dissect tools like target-query.

To run acquire on a live system:

$ acquire

Note

To be able to access the full system to collect all its artefacts one must run acquire with administrator privileges.

Output

By default, an acquire operation will result in 3 files:

  • a log file (the contents of this file will also appear on the screen)

  • a report file in JSON

  • a tar file that contains the requested artefacts

You can feed the resulting tar to tools like target-query, as shown below:

$ target-query N-1A9ODN6ZXK4LQ_20240502133639.tar -f ips
<Target N-1A9ODN6ZXK4LQ_20240502133639.tar> ['192.168.1.111']

Profiles

By design, Acquire runs with the default profile, providing a curated selection of artifacts that aims to fulfill the requirements of most scenarios efficiently. This prefabricated suite encompasses a balanced assortment designed to deliver comprehensive results without extensive processing time. Alternatively, users have the flexibility to tailor their collection process by choosing individual artifacts of interest or by opting for a different predefined profile to suit their specific needs.

Selecting a single artefact:

$ acquire --evtx

Selecting an acquisition profile:

$ acquire --profile full

You can select a profile with the --profile option. There are 4 basic profiles full, default, minimal and none.

Note

For a complete overview of the basic profiles see here.