View on GitHub

acquire is a tool to quickly gather forensic artefacts from disk images or a live system into a lightweight container. This makes acquire an excellent tool to, among others, speed up the process of digital forensic triage. It uses Dissect to gather that information from the raw disk, if possible.

acquire gathers artefacts based on modules. These modules are paths or globs on a filesystem which acquire attempts to gather. Multiple modules can be executed at once, which have been collected together inside a profile. These profiles (used with --profile) are full, default, minimal and none. Depending on what operating system gets detected, different artefacts are collected.


acquire is available on PyPI.

$ pip install acquire


The most basic usage of acquire is as follows:

$ sudo acquire

The tool requires administrative access to read raw disk data instead of using the operating system for file access. However, there are some options available to use the operating system as a fallback option. (e.g --fallback or --force-fallback)


For more information regarding the usage of acquire, please refer to the acquire tool documentation.