acquire#

acquire is a tool to quickly gather forensic artefacts from disk images or a live system into a lightweight container. This makes acquire an excellent tool to, among others, speed up the process of digital forensic triage. acquire uses dissect to gather forensic artefacts from the raw disk, if possible.

The most basic usage of acquire is as follows:

$ sudo acquire

The tool requires administrative access to read raw disk data. However, there are some options available to use the local operating systems’s filesystem as a fallback option. (e.g --fallback or --force-fallback)

Filesystem acquisition#

acquire gathers artefacts based on modules. These modules contain paths or globs that acquire attempts to gather from a filesystem. acquire can execute multiple modules at once. Instead of specifying modules manually, it’s possible to use a predefined collection known as a profile. These profiles (used with --profile) are full, default, minimal and none. Depending on the detected operating system, acquire collects different artefacts.

The following list shows the modules belonging to each profile.

full profile:
  windows: NTFS, EventLogs, Registry, Tasks, PowerShell,
           Prefetch, Appcompat, PCA, Misc, ETL, Recents,
           RecycleBin, Drivers, Syscache, WBEM, AV, BITS,
           DHCP, DNS, ActiveDirectory, RemoteAccess,
           ActivitiesCache, History, NTDS, QuarantinedFiles,
           WindowsNotifications, SSH, IIS
  linux  : Etc, Boot, Home, SSH, Var, History, WebHosting
  bsd    : Etc, Boot, Home, SSH, Var, BSD
  esxi   : Bootbanks, ESXi, SSH, VMFS
  osx    : Etc, Home, Var, OSX, OSXApplicationsInfo, History,
           SSH

default profile:
  windows: NTFS, EventLogs, Registry, Tasks, PowerShell,
           Prefetch, Appcompat, PCA, Misc, ETL, Recents,
           RecycleBin, Drivers, Syscache, WBEM, AV, BITS,
           DHCP, DNS, ActiveDirectory, RemoteAccess,
           ActivitiesCache
  linux  : Etc, Boot, Home, SSH, Var
  bsd    : Etc, Boot, Home, SSH, Var, BSD
  esxi   : Bootbanks, ESXi, SSH, VMFS
  osx    : Etc, Home, Var, OSX, OSXApplicationsInfo

minimal profile:
  windows: NTFS, EventLogs, Registry, Tasks, PowerShell,
           Prefetch, Appcompat, PCA, Misc
  linux  : Etc, Boot, Home, SSH, Var
  bsd    : Etc, Boot, Home, SSH, Var, BSD
  esxi   : Bootbanks, ESXi, SSH
  osx    : Etc, Home, Var, OSX, OSXApplicationsInfo

Profile none is a special case where no module gets collected. Profiles can be used in combination with --dir, --file or --glob to collect specific user-defined paths from a target. These arguments do the following:

  • --dir: Collects a directory recursively.

  • --file: Collects one specific file.

  • --glob: Collects any file or directory that matches the specific glob pattern. (e.g /path*/test would collect for example /path1/test and /path_to_other_test_file/test)

You can specify these arguments multiple times for every file, directory or glob you want to collect.

Volatile acquisition#

Use --volatile-profile to obtain artefacts that are not persistent on disk but are located in memory. Volatile Windows artefacts are stored under the $metadata$ folder in the resulting archive. Windows volatile artefacts are gathered through the use of internal Windows commands and Python’s ctypes interface. For Linux systems, /proc and /sys are gathered and stored under /proc/1/... or /sys/fs/... respectively in the resulting archive.

Volatile Profiles#

Like regular profiles, the volatile profiles allow you to run predefined groups of volatile modules. These profiles, are default, extensive and none, where none is the default. As with --profile, what gets collected depends on the detected operating system.

The following list shows the modules that belong to each volatile profile.

default profile:
  windows: Netstat, WinProcesses, WinProcEnv, WinArpCache,
           WinRDPSessions, WinDnsClientCache

extensive profile:
  windows: Netstat, WinProcesses, WinProcEnv, WinArpCache,
           WinRDPSessions, WinDnsClientCache
  linux  : Proc, Sys
  bsd    : Proc, Sys
  esxi   : Proc, Sys

Both --volatile-profile and --profile can be used simultaneously and configured separately from each other.

Deployment#

Since acquire leverages Dissect to do its data collection, it can be used in different scenarios and ways.

One way is to use acquire on targets that are supported by dissect.target, for example VMDK or E01 disk images. This gives you a smaller forensic container for analysis. This can be useful in scenarios where you may have several thousand virtual machine backups you want to analyze, but don’t have the time (or storage) to fully copy them all. You can perform your initial analysis and triage on the acquire container, and collect a copy of the full VM at a later stage if you require.

Besides various disk images, dissect.target also supports a local target, which is the host machine it’s currently running on. This is the default target for acquire. For example, on Windows this means that \\.\PhysicalDrive0 and friends are opened and the filesystem on it is parsed using Dissect. On Linux systems this will be /dev/sda, on ESXi /vmfs/devices/disks/vml.*, etc. By parsing straight from the raw disk devices, we ensure we bypass any file locks and filesystem drivers.

So how do you go about running acquire on a separate system? It’s hardly practical to install Python and Dissect on a compromised machine. At Fox-IT we have an internal solution for this, but fortunately there are also public options, such as PyOxidizer and PyInstaller. Unfortunately, however, neither support cross platform executable creation.

PyOxidizer is a relatively new Python application packer that integrates heavily with Rust. It has a lot of exciting options and functionality, at the cost of a fairly large executable size and complex configuration options.

A major benefit of PyOxidizer is that, by default, it runs all of its Python code completely from memory, no file extraction necessary. This can result in the preservation of important filesystem artefacts.

Since dissect.target dynamically locates its plugins, we have to pre-generate a list of all plugins for it to work when running in a self-contained executable.

Example usage of PyOxidizer with acquire:

$ pip install pyoxidizer
$ pyoxidizer init-config-file my-acquire-bin
$ cd my-acquire-bin
## Edit pyoxidizer.bzl with your favourite text editor and see below for the minimal required changes
$ target-build-pluginlist > /path/to/src/dissect.target/dissect/target/plugins/_pluginlist.py
$ pyoxidizer build

The minimal required changes to be made to the make_exe() function in the pyoxidizer.bzl file are as follows:

policy.resources_location_fallback = "filesystem-relative:prefix"
python_config.run_module = "acquire.acquire"
exe.add_python_resources(exe.pip_install(["/path/to/src/dissect.target", "acquire"]))

This is just a very basic example. There are a lot more settings to tweak and optimizations to be made, but those are left as an exercise to the reader.

PyInstaller has been around for a long time and can be considered the de facto utility for packaging Python into executables, for both legitimate and malicious purposes. It has a lot less options to play with than PyOxidizer, but it’s considerably easier to use and the resulting binaries are a lot smaller.

A major downside of PyInstaller is that you have to either ship multiple files or use the --onefile option, which extracts files to a temporary directory on the filesystem. This can destroy forensic filesystem artefacts, so keep that in mind when using PyInstaller.

Similar to PyOxidizer, we also have to pre-generate a list of plugins for PyInstaller.

Example usage of PyInstaller with acquire:

$ pip install pyinstaller
$ target-build-pluginlist > /path/to/src/dissect.target/dissect/target/plugins/_pluginlist.py
$ pyinstaller /path/to/src/acquire/acquire.py --hidden-import dissect --collect-submodules dissect --onefile

This is again a very basic example. More optimized PyInstaller builds are left as an exercise to the reader.

Usage#

acquire - CLI interface#

acquire [-h] [-o OUTPUT] [-ot {tar,dir,zip}] [--compress] [--targetd] [--encrypt] [-l LOG]
        [-p {full,default,minimal,none}] [--volatile-profile {default,extensive,none}]
        [-f FILE] [-d DIRECTORY] [-g GLOB] [--disable-report] [--child CHILD] [--children]
        [--skip-parent] [--force-fallback] [--fallback] [-u] [--upload UPLOAD [UPLOAD ...]]
        [--no-proxy] [--sys] [--proc] [-n] [-r] [--netstat] [--win-processes]
        [--win-proc-env] [--win-arp-cache] [--win-rdp-sessions] [--winpmem] [--winmem-files]
        [-e] [-t] [-ad] [-nt] [--etl] [--recents] [--startup] [--no-data-files]
        [--large-files] [--recyclebin] [--drivers] [--exchange] [--iis] [--prefetch]
        [--appcompat] [--pca] [--syscache] [--win-notifications] [--bits] [--wbem] [--dhcp]
        [--dns] [--win-dns-cache] [--powershell] [--thumbnail-cache] [--misc] [--av]
        [--quarantined] [--history] [--remoteaccess] [--webhosting] [--wer] [--etc] [--boot]
        [--home] [--private-keys] [--ssh] [--var] [--bsd] [--osx] [--osx-applications-info]
        [--bootbanks] [--esxi] [--vmfs] [--activities-cache] [--glob-to-hash GLOB_TO_HASH]
        [--ext-to-hash EXT_TO_HASH] [--dir-to-hash DIR_TO_HASH]
        [--hash-func {md5,sha1,sha256}] [--hashes]
        [--handle-types [{ALPC Port,Callback,Desktop,Device,Directory,Driver,EtwRegistration,Event,File,FilterConnectionPort,IoCompletion,IRTimer,Job,Key,KeyedEvent,Mutant,Mutex,Partition,Process,Section,Session,Semaphore,SymbolicLink,Timer,Thread,Token,TpWorkerFactory,Type,WaitCompletionPacket,WindowStation,Unknown} ...]]
        [--handles] [-v]
        [TARGET]

acquire positional arguments#

  • TARGET - target to load (default: local) (default: local)

acquire optional arguments#

  • -h, --help - show this help message and exit

  • -o OUTPUT, --output OUTPUT - output directory (default: .)

  • -ot OUTPUT_TYPE, --output-type OUTPUT_TYPE - output type (default: tar) (default: tar)

  • --compress - compress output (if supported by the output type)

  • --targetd - setup and install targetd agent

  • --encrypt - encrypt output (if supported by the output type)

  • -l LOG, --log LOG - log directory location (default: None)

  • -p PROFILE, --profile PROFILE - collection profile (default: None)

  • --volatile-profile VOLATILE_PROFILE - volatile profile (default: none)

  • -f FILE, --file FILE - acquire file (default: None)

  • -d DIRECTORY, --directory DIRECTORY - acquire directory recursively (default: None)

  • -g GLOB, --glob GLOB - acquire files matching glob pattern (default: None)

  • --disable-report - disable acquisition report file

  • --child CHILD - only collect specific child (default: None)

  • --children - collect all children in addition to main target

  • --skip-parent - skip parent collection (when using –children)

  • --force-fallback - force filesystem access directly through OS level. Only supported with target 'local'

  • --fallback - fallback to OS level filesystem access if filesystem type is not supported. Only supported with target 'local'

  • -u, --auto-upload - upload result files after collection

  • --upload UPLOAD - upload specified files (all other acquire actions are ignored) (default: None)

  • --no-proxy - don’t autodetect proxies

  • --sys - acquire Sysfs files (live systems only)

  • --proc - acquire Procfs files (live systems only)

  • -n, --ntfs - acquire NTFS filesystem metadata

  • -r, --registry - acquire registry hives

  • --netstat - acquire netstat output

  • --win-processes - acquire Windows process list

  • --win-proc-env - acquire Process environment variables

  • --win-arp-cache - acquire ARP Cache

  • --win-rdp-sessions - acquire Windows Remote Desktop session information

  • --winpmem - acquire Windows full memory dump

  • --winmem-files - acquire Windows memory files

  • -e, --eventlogs - acquire event logs

  • -t, --tasks - acquire Tasks

  • -ad, --active-directory - acquire Active Directory data (policies, scripts, etc.)

  • -nt, --ntds - acquire NTDS

  • --etl - acquire interesting ETL files

  • --recents - acquire Windows recently used files artifacts

  • --startup - acquire Windows Startup folder

  • --no-data-files - Skip collection of data files in the Recycle Bin

  • --large-files - Collect files larger than 10MB in the Recycle Bin

  • --recyclebin - acquire recycle bin metadata and data files

  • --drivers - acquire installed drivers

  • --exchange - acquire interesting Exchange configuration files

  • --iis - acquire IIS logs

  • --prefetch - acquire Windows Prefetch files

  • --appcompat - acquire Windows Amcache and RecentFileCache

  • --pca - acquire Windows Program Compatibility Assistant

  • --syscache - acquire Windows Syscache hive and log files

  • --win-notifications - acquire Windows Push Notifications Database files.

  • --bits - acquire Background Intelligent Transfer Service (BITS) queue/log DB

  • --wbem - acquire Windows WBEM (WMI) database files

  • --dhcp - acquire Windows Server DHCP files

  • --dns - acquire Windows Server DNS files

  • --win-dns-cache - acquire The contents of Windows DNS client cache

  • --powershell - acquire Windows PowerShell Artefacts

  • --thumbnail-cache - acquire Windows thumbnail db artifacts

  • --misc - acquire miscellaneous Windows artefacts

  • --av - acquire various antivirus logs

  • --quarantined - acquire files quarantined by various antivirus products

  • --history - acquire browser history from IE, Edge, Firefox, and Chrome

  • --remoteaccess - acquire common remote access tools’ log files

  • --webhosting - acquire Web hosting software log files

  • --wer - acquire WER (Windows Error Reporting) related files

  • --etc - acquire Etc

  • --boot - acquire Boot

  • --home - acquire Home

  • --private-keys - Add any private keys

  • --ssh - acquire SSH

  • --var - acquire Var

  • --bsd - acquire BSD

  • --osx - acquire OS-X specific files and directories

  • --osx-applications-info - acquire OS-X info.plist from all installed applications

  • --bootbanks - acquire ESXi bootbanks

  • --esxi - acquire ESXi interesting files

  • --vmfs - acquire ESXi VMFS metadata files

  • --activities-cache - acquire user’s activities caches

  • --glob-to-hash GLOB_TO_HASH - Hash only files that match provided glob (default: None)

  • --ext-to-hash EXT_TO_HASH - Hash only files with the extensions provided (default: None)

  • --dir-to-hash DIR_TO_HASH - Hash only files in a provided directory (default: None)

  • --hash-func HASH_FUNC - Hash function to use (default: None)

  • --hashes - acquire file hashes

  • --handle-types HANDLE_TYPES - Collect only specified handle types (default: None)

  • --handles - acquire Open handles

  • -v, --verbose - increase output verbosity (default: 3)

If no target is specified, 'local' is used.

If no options are given, the collection profile 'default' is used.