target-shell gives you the ability to access a target using a virtual shell environment. Once a shell is opened on a target, type help to list the available commands. To see the documentation of each command, you can use help [COMMAND].

Opening a shell on a target is straight-forward. You can do so by specifying a path to a target as follows:

$ target-shell targets/EXAMPLE.vmx
EXAMPLE /> help

Documented commands (type help <topic>):
cat    disks  filesystems  help     less  python    save
cd     exit   find         hexdump  ls    readlink  stat
clear  file   hash         info     pwd   registry  volumes


Further interacting with the target can be done using the commands listed above. You can exit the shell by running exit or pressing CTRL+D.

Using target-shell on multiple targets opens a different prompt, this is called “Target Hub”. Within this hub you have the ability to choose the target you want to interact with. Listing all targets in the hub can be done by using the list command.

To enter a specific target you can pass the index or hostname of that target to the enter command:

$ target-shell targets/*
dissect> help

Target Hub
List and enter targets by using 'list' and 'enter'.

Documented commands (type help <topic>):
enter  exit  help  list  python

dissect> list

dissect> enter 0

When exitting a target specific shell, you return to the hub. Here you can enter another shell or re-enter the previous target. Re-entering preserves your current path.

See also

Please refer to Use-cases for more examples of how to use target-shell.


target-shell - CLI interface

target-shell [-h] [-p] [-r] [-L LOADER] [-K KEYCHAIN_FILE] [-Kv KEYCHAIN_VALUE] [-v] [-q]
             [--plugin-path PLUGIN_PATH [PLUGIN_PATH ...]]
             [TARGETS ...]

target-shell positional arguments

  • TARGETS - targets to load (default: None)

target-shell optional arguments

  • -h, --help - show this help message and exit

  • -p, --python - (I)Python shell

  • -r, --registry - registry shell

  • -L LOADER, --loader LOADER - select a specific loader (i.e. vmx, raw) (default: None)

  • -K KEYCHAIN_FILE, --keychain-file KEYCHAIN_FILE - keychain file in CSV format (default: None)

  • -Kv KEYCHAIN_VALUE, --keychain-value KEYCHAIN_VALUE - passphrase, recovery key or key file path value (default: None)

  • -v, --verbose - increase output verbosity (default: 0)

  • -q, --quiet - do not output logging information

  • --plugin-path PLUGIN_PATH - a file or directory containing plugins and extensions (default: None)

For more information on the -K, --keychain-file and -Kv, --keychain-value arguments, please refer to Disk encryption (FVE).

The -p, --python argument

The -p, --python argument opens an interactive (I)Python shell on one or more targets. This gives you the ability to programmatically interact with the one or more targets. Within this Python shell the first target is loaded in the t variable, all other targets (including the first) are loaded in the targets variable.

$ target-shell -p targets/EXAMPLE.vmx
Python 3.X.X
Type 'copyright', 'credits' or 'license' for more information
IPython X.X.X -- An enhanced Interactive Python. Type '?' for help.

Loaded targets in 'targets' variable. First target is in 't'.

In [1]: t, targets
Out[1]: (<Target EXAMPLE.tar>, [<Target EXAMPLE.tar>])

In [2]: t.hostname, targets[0].hostname
Out[2]: ('EXAMPLE', 'EXAMPLE')

The -r, --registry argument

To directly examine the registry of a Windows target, the shell can be opened in registry mode with the -r, --registry argument.

This registry shell lets you explore the registry as if it was a filesystem. Navigate through the keys with the cd command and show the value of a key with the cat command. Note, however, that to go back up the directory tree, the up command should be used instead of using cd ... This is because .. is a valid name for a registry key or value.

$ target-shell targets/EXAMPLE.E01 -r
EXAMPLE/registry > ls
EXAMPLE/registry > cd HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework
EXAMPLE/registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework> cat Enable64Bit