:py:mod:`acquire.acquire.acquire`
=================================

.. py:module:: acquire.acquire.acquire


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   acquire.acquire.acquire.ExecutionOrder
   acquire.acquire.acquire.Module
   acquire.acquire.acquire.Sys
   acquire.acquire.acquire.Proc
   acquire.acquire.acquire.NTFS
   acquire.acquire.acquire.Registry
   acquire.acquire.acquire.Netstat
   acquire.acquire.acquire.WinProcesses
   acquire.acquire.acquire.WinProcEnv
   acquire.acquire.acquire.WinArpCache
   acquire.acquire.acquire.WinRDPSessions
   acquire.acquire.acquire.WinMemDump
   acquire.acquire.acquire.WinMemFiles
   acquire.acquire.acquire.EventLogs
   acquire.acquire.acquire.Tasks
   acquire.acquire.acquire.ActiveDirectory
   acquire.acquire.acquire.NTDS
   acquire.acquire.acquire.ETL
   acquire.acquire.acquire.Recents
   acquire.acquire.acquire.Startup
   acquire.acquire.acquire.RecycleBin
   acquire.acquire.acquire.Drivers
   acquire.acquire.acquire.Exchange
   acquire.acquire.acquire.IIS
   acquire.acquire.acquire.Prefetch
   acquire.acquire.acquire.Appcompat
   acquire.acquire.acquire.PCA
   acquire.acquire.acquire.Syscache
   acquire.acquire.acquire.WindowsNotifications
   acquire.acquire.acquire.BITS
   acquire.acquire.acquire.WBEM
   acquire.acquire.acquire.DHCP
   acquire.acquire.acquire.DNS
   acquire.acquire.acquire.WinDnsClientCache
   acquire.acquire.acquire.PowerShell
   acquire.acquire.acquire.ThumbnailCache
   acquire.acquire.acquire.Misc
   acquire.acquire.acquire.AV
   acquire.acquire.acquire.QuarantinedFiles
   acquire.acquire.acquire.History
   acquire.acquire.acquire.RemoteAccess
   acquire.acquire.acquire.WebHosting
   acquire.acquire.acquire.WER
   acquire.acquire.acquire.Etc
   acquire.acquire.acquire.Boot
   acquire.acquire.acquire.Home
   acquire.acquire.acquire.SSH
   acquire.acquire.acquire.Var
   acquire.acquire.acquire.BSD
   acquire.acquire.acquire.OSX
   acquire.acquire.acquire.OSXApplicationsInfo
   acquire.acquire.acquire.Bootbanks
   acquire.acquire.acquire.ESXi
   acquire.acquire.acquire.VMFS
   acquire.acquire.acquire.ActivitiesCache
   acquire.acquire.acquire.FileHashes
   acquire.acquire.acquire.OpenHandles
   acquire.acquire.acquire.WindowsProfile
   acquire.acquire.acquire.LinuxProfile
   acquire.acquire.acquire.BsdProfile
   acquire.acquire.acquire.ESXiProfile
   acquire.acquire.acquire.OSXProfile
   acquire.acquire.acquire.VolatileProfile


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   acquire.acquire.acquire.misc_windows_user_homes
   acquire.acquire.acquire.misc_unix_user_homes
   acquire.acquire.acquire.misc_osx_user_homes
   acquire.acquire.acquire.from_user_home
   acquire.acquire.acquire.iter_ntfs_filesystems
   acquire.acquire.acquire.iter_esxi_filesystems
   acquire.acquire.acquire.register_module
   acquire.acquire.acquire.module_arg
   acquire.acquire.acquire.local_module
   acquire.acquire.acquire.recyclebin_filter
   acquire.acquire.acquire.private_key_filter
   acquire.acquire.acquire.print_disks_overview
   acquire.acquire.acquire.print_volumes_overview
   acquire.acquire.acquire.print_acquire_warning
   acquire.acquire.acquire.acquire_target
   acquire.acquire.acquire.upload_files
   acquire.acquire.acquire.main
   acquire.acquire.acquire.load_child
   acquire.acquire.acquire.acquire_children_and_targets
   acquire.acquire.acquire.sort_files


Attributes
~~~~~~~~~~

.. autoapisummary::

   acquire.acquire.acquire.version
   acquire.acquire.acquire.CONFIG
   acquire.acquire.acquire.VERSION
   acquire.acquire.acquire.ACQUIRE_BANNER
   acquire.acquire.acquire.MODULES
   acquire.acquire.acquire.MODULE_LOOKUP
   acquire.acquire.acquire.CLI_ARGS_MODULE
   acquire.acquire.acquire.log
   acquire.acquire.acquire.log_file_handler
   acquire.acquire.acquire.MISC_MAPPING
   acquire.acquire.acquire.PROFILES
   acquire.acquire.acquire.VOLATILE


.. py:data:: version
   :value: '0.0.dev'

.. py:data:: CONFIG

.. py:data:: VERSION

.. py:data:: ACQUIRE_BANNER

.. py:data:: MODULES

.. py:data:: MODULE_LOOKUP

.. py:data:: CLI_ARGS_MODULE
   :value: 'cli-args'

.. py:data:: log

.. py:data:: log_file_handler

.. py:function:: misc_windows_user_homes(target: dissect.target.Target) -> Iterator[dissect.target.helpers.fsutil.TargetPath]

.. py:function:: misc_unix_user_homes(target: dissect.target.Target) -> Iterator[dissect.target.helpers.fsutil.TargetPath]

.. py:function:: misc_osx_user_homes(target: dissect.target.Target) -> Iterator[dissect.target.helpers.fsutil.TargetPath]

.. py:data:: MISC_MAPPING

.. py:function:: from_user_home(target: dissect.target.Target, path: str) -> Iterator[str]

.. py:function:: iter_ntfs_filesystems(target: dissect.target.Target) -> Iterator[tuple[dissect.target.filesystems.ntfs.NtfsFilesystem, Optional[str], str, str]]

.. py:function:: iter_esxi_filesystems(target: dissect.target.Target) -> Iterator[tuple[dissect.target.filesystem.Filesystem, str, str, Optional[str]]]

.. py:function:: register_module(*args, **kwargs) -> Callable[[type[Module]], type[Module]]

.. py:function:: module_arg(*args, **kwargs) -> Callable[[type[Module]], type[Module]]

.. py:function:: local_module(cls: type[object]) -> object

   A decorator that sets property `__local__` on a module class to mark it for local target only

.. py:class:: ExecutionOrder

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: TOP
      :value: 0

   .. py:attribute:: DEFAULT
      :value: 1

   .. py:attribute:: BOTTOM
      :value: 2

.. py:class:: Module

   .. py:attribute:: DESC

   .. py:attribute:: SPEC
      :value: []

   .. py:attribute:: EXEC_ORDER

   .. py:method:: run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) -> None
      :classmethod:

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: Sys

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Sysfs files (live systems only)'

   .. py:attribute:: EXEC_ORDER

.. py:class:: Proc

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Procfs files (live systems only)'

   .. py:attribute:: EXEC_ORDER

.. py:class:: NTFS

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'NTFS filesystem metadata'

   .. py:method:: collect_usnjrnl(collector: acquire.collector.Collector, fs: dissect.target.filesystem.Filesystem, name: str) -> None
      :classmethod:

.. py:class:: Registry

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'registry hives'

   .. py:attribute:: HIVES
      :value: ['drivers', 'sam', 'security', 'software', 'system', 'default']

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/system32/config/txr'), ('dir',...

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: Netstat

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'netstat output'

   .. py:attribute:: SPEC
      :value: [('command', (['powershell.exe', 'netstat', '-a', '-n', '-o'], 'netstat'))]

   .. py:attribute:: EXEC_ORDER

.. py:class:: WinProcesses

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows process list'

   .. py:attribute:: SPEC
      :value: [('command', (['tasklist', '/V', '/fo', 'csv'], 'win-processes'))]

   .. py:attribute:: EXEC_ORDER

.. py:class:: WinProcEnv

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Process environment variables'

   .. py:attribute:: SPEC
      :value: [('command', (['PowerShell', '-command', 'Get-Process | ForEach-Object...

   .. py:attribute:: EXEC_ORDER

.. py:class:: WinArpCache

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'ARP Cache'

   .. py:attribute:: EXEC_ORDER

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: WinRDPSessions

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Remote Desktop session information'

   .. py:attribute:: EXEC_ORDER

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: WinMemDump

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows full memory dump'

   .. py:attribute:: EXEC_ORDER

.. py:class:: WinMemFiles

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows memory files'

   .. py:attribute:: SPEC
      :value: [('file', 'sysvol/pagefile.sys'), ('file', 'sysvol/hiberfil.sys'), ('file',...

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: EventLogs

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'event logs'

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: Tasks

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/tasks'), ('dir', 'sysvol/windows/system32/tasks'), ('dir',...

.. py:class:: ActiveDirectory

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Active Directory data (policies, scripts, etc.)'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/sysvol/domain')]

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: NTDS

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/NTDS')]

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: ETL

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'interesting ETL files'

   .. py:attribute:: SPEC
      :value: [('glob', 'sysvol/Windows/System32/WDI/LogFiles/*.etl')]

.. py:class:: Recents

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows recently used files artifacts'

   .. py:attribute:: SPEC
      :value: [('dir', 'AppData/Roaming/Microsoft/Windows/Recent'), ('dir',...

.. py:class:: Startup

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Startup folder'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup'), ('dir',...

.. py:function:: recyclebin_filter(path: dissect.target.helpers.fsutil.TargetPath) -> bool

.. py:class:: RecycleBin

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'recycle bin metadata and data files'

.. py:class:: Drivers

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'installed drivers'

   .. py:attribute:: SPEC
      :value: [('glob', 'sysvol/windows/system32/drivers/*.sys')]

.. py:class:: Exchange

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'interesting Exchange configuration files'

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: IIS

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'IIS logs'

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: Prefetch

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Prefetch files'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/prefetch')]

.. py:class:: Appcompat

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Amcache and RecentFileCache'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/appcompat')]

.. py:class:: PCA

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Program Compatibility Assistant'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/pca')]

.. py:class:: Syscache

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Syscache hive and log files'

   .. py:attribute:: SPEC
      :value: [('file', 'sysvol/System Volume Information/Syscache.hve'), ('glob', 'sysvol/System Volume...

.. py:class:: WindowsNotifications

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Push Notifications Database files.'

   .. py:attribute:: SPEC
      :value: [('file', 'AppData/Local/Microsoft/Windows/Notifications/appdb.dat'), ('file',...

.. py:class:: BITS

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Background Intelligent Transfer Service (BITS) queue/log DB'

   .. py:attribute:: SPEC
      :value: [('glob', 'sysvol/Documents and Settings/All Users/Application...

.. py:class:: WBEM

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows WBEM (WMI) database files'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/windows/system32/wbem/Repository')]

.. py:class:: DHCP

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Server DHCP files'

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: DNS

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows Server DNS files'

   .. py:attribute:: SPEC
      :value: [('glob', 'sysvol/windows/system32/config/netlogon.*'), ('dir', 'sysvol/windows/system32/dns')]

.. py:class:: WinDnsClientCache

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'The contents of Windows DNS client cache'

   .. py:attribute:: SPEC
      :value: [('command', (['powershell.exe', '-Command', 'Get-DnsClientCache | ConvertTo-Csv...

   .. py:attribute:: EXEC_ORDER

.. py:class:: PowerShell

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows PowerShell Artefacts'

   .. py:attribute:: SPEC
      :value: [('dir', 'AppData/Roaming/Microsoft/Windows/PowerShell')]

.. py:class:: ThumbnailCache

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Windows thumbnail db artifacts'

   .. py:attribute:: SPEC
      :value: [('glob', 'AppData/Local/Microsoft/Windows/Explorer/thumbcache_*')]

.. py:class:: Misc

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'miscellaneous Windows artefacts'

   .. py:attribute:: SPEC
      :value: [('file', 'sysvol/windows/PFRO.log'), ('file', 'sysvol/windows/setupapi.log'), ('file',...

.. py:class:: AV

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'various antivirus logs'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/Documents and Settings/All Users/Application Data/AVG/Antivirus/log'), ('dir',...

.. py:class:: QuarantinedFiles

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'files quarantined by various antivirus products'

   .. py:attribute:: SPEC
      :value: [('dir', 'sysvol/ProgramData/Microsoft/Windows Defender/Quarantine'), ('dir', 'sysvol/Documents...

.. py:class:: History

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'browser history from IE, Edge, Firefox, and Chrome'

   .. py:attribute:: DIR_COMBINATIONS

   .. py:attribute:: COMMON_DIR_COMBINATIONS

   .. py:attribute:: SPEC
      :value: [('dir', 'AppData/Local/Microsoft/Internet Explorer/Recovery'), ('dir',...

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: RemoteAccess

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: "common remote access tools' log files"

   .. py:attribute:: SPEC
      :value: [('glob', 'sysvol/Program Files/TeamViewer/*.log'), ('glob', 'sysvol/Program Files...

.. py:class:: WebHosting

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Web hosting software log files'

   .. py:attribute:: SPEC
      :value: [('dir', '/usr/local/cpanel/logs'), ('file', '.lastlogin')]

.. py:class:: WER

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'WER (Windows Error Reporting) related files'

   .. py:method:: get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: Etc

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('dir', '/etc'), ('dir', '/usr/local/etc')]

.. py:class:: Boot

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('glob', '/boot/config*'), ('glob', '/boot/efi*'), ('glob', '/boot/grub*'), ('glob',...

.. py:function:: private_key_filter(path: dissect.target.helpers.fsutil.TargetPath) -> bool

.. py:class:: Home

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('glob', '.*[akz]sh*'), ('glob', '*/.*[akz]sh*'), ('glob', '.*history'), ('glob',...

.. py:class:: SSH

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('glob', '.ssh/*'), ('glob', '/etc/ssh/*'), ('glob', 'sysvol/ProgramData/ssh/*')]

   .. py:method:: run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) -> None
      :classmethod:

.. py:class:: Var

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('dir', '/var/log'), ('dir', '/var/spool/at'), ('dir', '/var/spool/cron'), ('dir',...

.. py:class:: BSD

   Bases: :py:obj:`Module`

   .. py:attribute:: SPEC
      :value: [('file', '/bin/freebsd-version'), ('dir', '/usr/ports')]

.. py:class:: OSX

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'OS-X specific files and directories'

   .. py:attribute:: SPEC
      :value: [('dir', '/.fseventsd'), ('dir', '/Library/Extensions'), ('dir', '/System/Library/Extensions'),...

.. py:class:: OSXApplicationsInfo

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'OS-X info.plist from all installed applications'

   .. py:attribute:: SPEC
      :value: [('glob', '/Applications/*/Contents/Info.plist'), ('glob', 'Applications/*/Contents/Info.plist')]

.. py:class:: Bootbanks

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'ESXi bootbanks'

.. py:class:: ESXi

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'ESXi interesting files'

   .. py:attribute:: SPEC
      :value: [('dir', '/scratch/log'), ('dir', '/locker/packages/var'), ('dir', '/scratch/cache'), ('dir',...

.. py:class:: VMFS

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'ESXi VMFS metadata files'

.. py:class:: ActivitiesCache

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: "user's activities caches"

   .. py:attribute:: SPEC
      :value: [('dir', 'AppData/Local/ConnectedDevicesPlatform')]

.. py:class:: FileHashes

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'file hashes'

   .. py:attribute:: DEFAULT_HASH_FUNCS
      :value: ()

   .. py:attribute:: DEFAULT_EXTENSIONS
      :value: ('bat', 'cmd', 'com', 'dll', 'exe', 'installlog', 'installutil', 'js', 'lnk', 'ps1', 'sys', 'tlb', 'vbs')

   .. py:attribute:: DEFAULT_PATHS
      :value: ('sysvol/Windows/',)

   .. py:attribute:: MAX_FILE_SIZE_BYTES

   .. py:attribute:: DEFAULT_FILE_FILTERS
      :value: ()

   .. py:method:: run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) -> None
      :classmethod:

   .. py:method:: get_specs(cli_args: argparse.Namespace) -> Iterator[tuple]
      :classmethod:

.. py:class:: OpenHandles

   Bases: :py:obj:`Module`

   .. py:attribute:: DESC
      :value: 'Open handles'

   .. py:method:: run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) -> None
      :classmethod:

.. py:function:: print_disks_overview(target: dissect.target.Target) -> None

.. py:function:: print_volumes_overview(target: dissect.target.Target) -> None

.. py:function:: print_acquire_warning(target: dissect.target.Target) -> None

.. py:function:: acquire_target(target: dissect.target.Target, args: argparse.Namespace, output_ts: Optional[str] = None) -> list[str]

.. py:function:: upload_files(paths: list[pathlib.Path], upload_plugin: acquire.uploaders.plugin.UploaderPlugin, no_proxy: bool = False) -> None

.. py:class:: WindowsProfile

   .. py:attribute:: MINIMAL

   .. py:attribute:: DEFAULT

   .. py:attribute:: FULL

.. py:class:: LinuxProfile

   .. py:attribute:: MINIMAL

   .. py:attribute:: DEFAULT

   .. py:attribute:: FULL

.. py:class:: BsdProfile

   .. py:attribute:: MINIMAL

   .. py:attribute:: DEFAULT

   .. py:attribute:: FULL

.. py:class:: ESXiProfile

   .. py:attribute:: MINIMAL

   .. py:attribute:: DEFAULT

   .. py:attribute:: FULL

.. py:class:: OSXProfile

   .. py:attribute:: MINIMAL

   .. py:attribute:: DEFAULT

   .. py:attribute:: FULL

.. py:data:: PROFILES

.. py:class:: VolatileProfile

   .. py:attribute:: DEFAULT

   .. py:attribute:: EXTENSIVE

.. py:data:: VOLATILE

.. py:function:: main() -> None

.. py:function:: load_child(target: dissect.target.Target, child_path: pathlib.Path) -> None

.. py:function:: acquire_children_and_targets(target: dissect.target.Target, args: argparse.Namespace) -> None

.. py:function:: sort_files(files: list[Union[str, pathlib.Path]]) -> list[pathlib.Path]