acquire#
acquire
is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
This makes acquire
an excellent tool to, among others, speed up the process of digital forensic triage.
It uses Dissect to gather that information from the raw disk, if possible.
acquire
gathers artifacts based on modules. These modules are paths or globs on a filesystem which acquire attempts to gather.
Multiple modules can be executed at once, which have been collected together inside a profile.
These profiles (used with --profile
) are full
, default
, minimal
and none
.
Depending on what operating system gets detected, different artifacts are collected.
Installation#
acquire
is available on PyPI.
$ pip install acquire
Usage#
The most basic usage of acquire
is as follows:
$ sudo acquire
The tool requires administrative access to read raw disk data instead of using the operating system for file access.
However, there are some options available to use the operating system as a fallback option. (e.g --fallback
or --force-fallback
)
Reference#
For more information regarding the usage of acquire, please refer to the acquire tool documentation.