acquire.acquire.acquire¶
Module Contents¶
Classes¶
Enum where members are also (and must be) ints |
|
Functions¶
A decorator that sets property __local__ on a module class to mark it for local target only |
|
Attributes¶
- acquire.acquire.acquire.version = '0.0.dev'¶
- acquire.acquire.acquire.CONFIG¶
- acquire.acquire.acquire.VERSION¶
- acquire.acquire.acquire.ACQUIRE_BANNER = Multiline-String¶
Show Value
""" _ __ _ ___ __ _ _ _(_)_ __ ___ / _` |/ __/ _` | | | | | '__/ _ \ | (_| | (_| (_| | |_| | | | | __/ \__,_|\___\__, |\__,_|_|_| \___| by Fox-IT |_| vUninferable part of NCC Group """
- acquire.acquire.acquire.MODULES¶
- acquire.acquire.acquire.MODULE_LOOKUP¶
- acquire.acquire.acquire.CLI_ARGS_MODULE = 'cli-args'¶
- acquire.acquire.acquire.log¶
- acquire.acquire.acquire.log_file_handler = None¶
- acquire.acquire.acquire.misc_windows_user_homes(target: dissect.target.Target) collections.abc.Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.misc_unix_user_homes(target: dissect.target.Target) collections.abc.Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.misc_osx_user_homes(target: dissect.target.Target) collections.abc.Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.MISC_MAPPING¶
- acquire.acquire.acquire.from_user_home(target: dissect.target.Target, path: str) collections.abc.Iterator[str]¶
- acquire.acquire.acquire.iter_ntfs_filesystems(target: dissect.target.Target) collections.abc.Iterator[tuple[dissect.target.filesystems.ntfs.NtfsFilesystem, str | None, str, str]]¶
- acquire.acquire.acquire.iter_esxi_filesystems(target: dissect.target.Target) collections.abc.Iterator[tuple[dissect.target.filesystem.Filesystem, str, str, str | None]]¶
- acquire.acquire.acquire.local_module(cls: type[object]) object¶
A decorator that sets property __local__ on a module class to mark it for local target only
- class acquire.acquire.acquire.ExecutionOrder¶
Bases:
enum.IntEnumEnum where members are also (and must be) ints
- TOP = 0¶
- DEFAULT = 1¶
- BOTTOM = 2¶
- class acquire.acquire.acquire.Module¶
- DESC = None¶
- SPEC = ()¶
- EXEC_ORDER¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.Sys¶
Bases:
Module- DESC = 'Sysfs files (live systems only)'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.Proc¶
Bases:
Module- DESC = 'Procfs files (live systems only)'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.ProcNet¶
Bases:
Module- DESC = 'Procfs network files (live systems only)'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.NTFS¶
Bases:
Module- DESC = 'NTFS filesystem metadata'¶
- classmethod collect_usnjrnl(collector: acquire.collector.Collector, fs: dissect.target.filesystem.Filesystem, name: str) None¶
- class acquire.acquire.acquire.Registry¶
Bases:
Module- DESC = 'registry hives'¶
- HIVES = ('drivers', 'sam', 'security', 'software', 'system', 'default')¶
- SPEC¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.Netstat¶
Bases:
Module- DESC = 'netstat output'¶
- SPEC = (('command', (['powershell.exe', 'netstat', '-a', '-n', '-o'], 'netstat')),)¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinProcesses¶
Bases:
Module- DESC = 'Windows process list'¶
- SPEC = (('command', (['tasklist', '/V', '/fo', 'csv'], 'win-processes')),)¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinProcEnv¶
Bases:
Module- DESC = 'Process environment variables'¶
- SPEC = (('command', (['PowerShell', '-command', 'Get-Process | ForEach-Object...¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinArpCache¶
Bases:
Module- DESC = 'ARP Cache'¶
- EXEC_ORDER¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.WinRDPSessions¶
Bases:
Module- DESC = 'Windows Remote Desktop session information'¶
- EXEC_ORDER¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.WinMemDump¶
Bases:
Module- DESC = 'Windows full memory dump'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinMemFiles¶
Bases:
Module- DESC = 'Windows memory files'¶
- SPEC = (('file', 'sysvol/pagefile.sys'), ('file', 'sysvol/hiberfil.sys'), ('file',...¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.EventLogs¶
Bases:
Module- DESC = 'event logs'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.Tasks¶
Bases:
Module- SPEC = (('dir', 'sysvol/windows/tasks'), ('dir', 'sysvol/windows/system32/tasks'), ('dir',...¶
- class acquire.acquire.acquire.ActiveDirectory¶
Bases:
Module- DESC = 'Active Directory data (policies, scripts, etc.)'¶
- SPEC = (('dir', 'sysvol/windows/sysvol/domain'),)¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.NTDS¶
Bases:
Module- SPEC = (('dir', 'sysvol/windows/NTDS'),)¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.ETL¶
Bases:
Module- DESC = 'interesting ETL files'¶
- SPEC = (('glob', 'sysvol/Windows/System32/WDI/LogFiles/*.etl'),)¶
- class acquire.acquire.acquire.Recents¶
Bases:
Module- DESC = 'Windows recently used files artifacts'¶
- SPEC¶
- acquire.acquire.acquire.recyclebin_filter(path: dissect.target.helpers.fsutil.TargetPath) bool¶
- class acquire.acquire.acquire.RecycleBin¶
Bases:
Module- DESC = 'recycle bin metadata and data files'¶
- class acquire.acquire.acquire.Drivers¶
Bases:
Module- DESC = 'installed drivers'¶
- SPEC = (('glob', 'sysvol/windows/system32/drivers/*.sys'),)¶
- class acquire.acquire.acquire.Exchange¶
Bases:
Module- DESC = 'interesting Exchange configuration files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.MSSQL¶
Bases:
Module- DESC = 'MSSQL error logs'¶
- SPEC = (('glob', '/var/opt/mssql/log/errorlog*'),)¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple[str, str]]¶
- class acquire.acquire.acquire.IIS¶
Bases:
Module- DESC = 'IIS logs'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.Prefetch¶
Bases:
Module- DESC = 'Windows Prefetch files'¶
- SPEC = (('dir', 'sysvol/windows/prefetch'),)¶
- class acquire.acquire.acquire.Appcompat¶
Bases:
Module- DESC = 'Windows Amcache and RecentFileCache'¶
- SPEC = (('dir', 'sysvol/windows/appcompat'),)¶
- class acquire.acquire.acquire.PCA¶
Bases:
Module- DESC = 'Windows Program Compatibility Assistant'¶
- SPEC = (('dir', 'sysvol/windows/pca'),)¶
- class acquire.acquire.acquire.Syscache¶
Bases:
Module- DESC = 'Windows Syscache hive and log files'¶
- SPEC = (('file', 'sysvol/System Volume Information/Syscache.hve'), ('glob', 'sysvol/System Volume...¶
- class acquire.acquire.acquire.WindowsNotifications¶
Bases:
Module- DESC = 'Windows Push Notifications Database files.'¶
- SPEC¶
- class acquire.acquire.acquire.BITS¶
Bases:
Module- DESC = 'Background Intelligent Transfer Service (BITS) queue/log DB'¶
- SPEC = (('glob', 'sysvol/Documents and Settings/All Users/Application...¶
- class acquire.acquire.acquire.WBEM¶
Bases:
Module- DESC = 'Windows WBEM (WMI) database files'¶
- SPEC = (('dir', 'sysvol/windows/system32/wbem/Repository'),)¶
- class acquire.acquire.acquire.DHCP¶
Bases:
Module- DESC = 'Windows Server DHCP files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.DNS¶
Bases:
Module- DESC = 'Windows Server DNS files'¶
- SPEC = (('glob', 'sysvol/windows/system32/config/netlogon.*'), ('dir', 'sysvol/windows/system32/dns'))¶
- class acquire.acquire.acquire.WinDnsClientCache¶
Bases:
Module- DESC = 'The contents of Windows DNS client cache'¶
- SPEC = (('command', (['powershell.exe', '-Command', 'Get-DnsClientCache | ConvertTo-Csv...¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.PowerShell¶
Bases:
Module- DESC = 'Windows PowerShell Artefacts'¶
- SPEC¶
- class acquire.acquire.acquire.ThumbnailCache¶
Bases:
Module- DESC = 'Windows thumbnail db artifacts'¶
- SPEC¶
- class acquire.acquire.acquire.TextEditor¶
Bases:
Module- DESC = 'text editor (un)saved tab contents'¶
- SPEC¶
- class acquire.acquire.acquire.QuarantinedFiles¶
Bases:
Module- DESC = 'files quarantined by various antivirus products'¶
- SPEC = (('dir', 'sysvol/ProgramData/Microsoft/Windows Defender/Quarantine'), ('dir', 'sysvol/Documents...¶
- class acquire.acquire.acquire.EDR¶
Bases:
Module- DESC = 'various Endpoint Detection and Response (EDR) logs'¶
- SPEC = (('dir', 'sysvol/ProgramData/CarbonBlack/Logs'),)¶
- class acquire.acquire.acquire.History¶
Bases:
Module- DESC = 'browser history from IE, Edge, Firefox, and Chrome'¶
- class DirCombinations¶
Bases:
NamedTuple- root_dirs: list[str]¶
- dir_extensions: list[str]¶
- history_files: list[str]¶
- COMMON_DIR_COMBINATIONS¶
- SPEC¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.RemoteAccess¶
Bases:
Module- DESC = "common remote access tools' log files"¶
- SPEC¶
- class acquire.acquire.acquire.WebHosting¶
Bases:
Module- DESC = 'Web hosting software log files'¶
- SPEC¶
- class acquire.acquire.acquire.WER¶
Bases:
Module- DESC = 'WER (Windows Error Reporting) related files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.Etc¶
Bases:
Module- SPEC = (('dir', '/etc'), ('dir', '/usr/local/etc'))¶
- class acquire.acquire.acquire.Boot¶
Bases:
Module- SPEC = (('glob', '/boot/config*'), ('glob', '/boot/efi*'), ('glob', '/boot/grub*'), ('glob',...¶
- acquire.acquire.acquire.private_key_filter(path: dissect.target.helpers.fsutil.TargetPath) bool¶
- class acquire.acquire.acquire.SSH¶
Bases:
Module- SPEC¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- class acquire.acquire.acquire.Docker¶
Bases:
Module- DESC = 'various Docker logs and configuration files'¶
- SPEC¶
- class acquire.acquire.acquire.Var¶
Bases:
Module- SPEC = (('dir', '/var/log'), ('dir', '/var/spool/at'), ('dir', '/var/spool/cron'), ('dir',...¶
- class acquire.acquire.acquire.BSD¶
Bases:
Module- SPEC = (('file', '/bin/freebsd-version'), ('dir', '/usr/ports'))¶
- class acquire.acquire.acquire.OSX¶
Bases:
Module- DESC = 'OS-X specific files and directories'¶
- SPEC = (('dir', '/.fseventsd'), ('dir', '/Library/Extensions'), ('dir', '/System/Library/Extensions'),...¶
- class acquire.acquire.acquire.OSXApplicationsInfo¶
Bases:
Module- DESC = 'OS-X info.plist from all installed applications'¶
- SPEC¶
- class acquire.acquire.acquire.ESXi¶
Bases:
Module- DESC = 'ESXi interesting files'¶
- SPEC = (('dir', '/scratch/log'), ('dir', '/locker/packages/var'), ('dir', '/scratch/cache'), ('dir',...¶
- class acquire.acquire.acquire.ActivitiesCache¶
Bases:
Module- DESC = "user's activities caches"¶
- SPEC¶
- class acquire.acquire.acquire.FileHashes¶
Bases:
Module- DESC = 'file hashes'¶
- DEFAULT_HASH_FUNCS¶
- DEFAULT_EXTENSIONS = ('bat', 'cmd', 'com', 'dll', 'exe', 'installlog', 'installutil', 'js', 'lnk', 'ps1', 'sys', 'tlb', 'vbs')¶
- DEFAULT_PATHS = ('sysvol/Windows/',)¶
- MAX_FILE_SIZE_BYTES = 104857600¶
- DEFAULT_FILE_FILTERS¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- classmethod get_specs(cli_args: argparse.Namespace) collections.abc.Iterator[tuple]¶
- class acquire.acquire.acquire.OpenHandles¶
Bases:
Module- DESC = 'Open handles'¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- acquire.acquire.acquire.print_disks_overview(target: dissect.target.Target) None¶
- acquire.acquire.acquire.print_volumes_overview(target: dissect.target.Target) None¶
- acquire.acquire.acquire.print_acquire_warning(target: dissect.target.Target) None¶
- acquire.acquire.acquire.acquire_target(target: dissect.target.Target, args: argparse.Namespace, output_ts: str | None = None) list[str | pathlib.Path]¶
- acquire.acquire.acquire.upload_files(paths: list[str | pathlib.Path], upload_plugin: acquire.uploaders.plugin.UploaderPlugin, no_proxy: bool = False) None¶
- acquire.acquire.acquire.PROFILES¶
- acquire.acquire.acquire.VOLATILE¶
- acquire.acquire.acquire.exit_success(default_args: list[str]) NoReturn¶
- acquire.acquire.acquire.exit_failure(default_args: list[str]) NoReturn¶
- acquire.acquire.acquire.main() None¶
- acquire.acquire.acquire.load_child(target: dissect.target.Target, child_path: pathlib.Path) None¶
- acquire.acquire.acquire.acquire_children_and_targets(target: dissect.target.Target, args: argparse.Namespace) list[str | pathlib.Path]¶
- acquire.acquire.acquire.sort_files(files: list[str | pathlib.Path]) list[pathlib.Path]¶