acquire.acquire.acquire¶
Module Contents¶
Classes¶
Enum where members are also (and must be) ints |
|
Functions¶
A decorator that sets property __local__ on a module class to mark it for local target only |
|
Attributes¶
- acquire.acquire.acquire.version = '0.0.dev'¶
- acquire.acquire.acquire.CONFIG¶
- acquire.acquire.acquire.VERSION¶
- acquire.acquire.acquire.ACQUIRE_BANNER¶
- acquire.acquire.acquire.MODULES¶
- acquire.acquire.acquire.MODULE_LOOKUP¶
- acquire.acquire.acquire.CLI_ARGS_MODULE = 'cli-args'¶
- acquire.acquire.acquire.log¶
- acquire.acquire.acquire.log_file_handler¶
- acquire.acquire.acquire.misc_windows_user_homes(target: dissect.target.Target) Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.misc_unix_user_homes(target: dissect.target.Target) Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.misc_osx_user_homes(target: dissect.target.Target) Iterator[dissect.target.helpers.fsutil.TargetPath]¶
- acquire.acquire.acquire.MISC_MAPPING¶
- acquire.acquire.acquire.from_user_home(target: dissect.target.Target, path: str) Iterator[str]¶
- acquire.acquire.acquire.iter_ntfs_filesystems(target: dissect.target.Target) Iterator[tuple[dissect.target.filesystems.ntfs.NtfsFilesystem, str | None, str, str]]¶
- acquire.acquire.acquire.iter_esxi_filesystems(target: dissect.target.Target) Iterator[tuple[dissect.target.filesystem.Filesystem, str, str, str | None]]¶
- acquire.acquire.acquire.local_module(cls: type[object]) object¶
A decorator that sets property __local__ on a module class to mark it for local target only
- class acquire.acquire.acquire.ExecutionOrder¶
Bases:
enum.IntEnumEnum where members are also (and must be) ints
- TOP = 0¶
- DEFAULT = 1¶
- BOTTOM = 2¶
- class acquire.acquire.acquire.Module¶
- DESC¶
- SPEC = []¶
- EXEC_ORDER¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.Sys¶
Bases:
Module- DESC = 'Sysfs files (live systems only)'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.Proc¶
Bases:
Module- DESC = 'Procfs files (live systems only)'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.NTFS¶
Bases:
Module- DESC = 'NTFS filesystem metadata'¶
- classmethod collect_usnjrnl(collector: acquire.collector.Collector, fs: dissect.target.filesystem.Filesystem, name: str) None¶
- class acquire.acquire.acquire.Registry¶
Bases:
Module- DESC = 'registry hives'¶
- HIVES = ['drivers', 'sam', 'security', 'software', 'system', 'default']¶
- SPEC = [('dir', 'sysvol/windows/system32/config/txr'), ('dir',...¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.Netstat¶
Bases:
Module- DESC = 'netstat output'¶
- SPEC = [('command', (['powershell.exe', 'netstat', '-a', '-n', '-o'], 'netstat'))]¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinProcesses¶
Bases:
Module- DESC = 'Windows process list'¶
- SPEC = [('command', (['tasklist', '/V', '/fo', 'csv'], 'win-processes'))]¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinProcEnv¶
Bases:
Module- DESC = 'Process environment variables'¶
- SPEC = [('command', (['PowerShell', '-command', 'Get-Process | ForEach-Object...¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinArpCache¶
Bases:
Module- DESC = 'ARP Cache'¶
- EXEC_ORDER¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.WinRDPSessions¶
Bases:
Module- DESC = 'Windows Remote Desktop session information'¶
- EXEC_ORDER¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.WinMemDump¶
Bases:
Module- DESC = 'Windows full memory dump'¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.WinMemFiles¶
Bases:
Module- DESC = 'Windows memory files'¶
- SPEC = [('file', 'sysvol/pagefile.sys'), ('file', 'sysvol/hiberfil.sys'), ('file',...¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.EventLogs¶
Bases:
Module- DESC = 'event logs'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.Tasks¶
Bases:
Module- SPEC = [('dir', 'sysvol/windows/tasks'), ('dir', 'sysvol/windows/system32/tasks'), ('dir',...¶
- class acquire.acquire.acquire.ActiveDirectory¶
Bases:
Module- DESC = 'Active Directory data (policies, scripts, etc.)'¶
- SPEC = [('dir', 'sysvol/windows/sysvol/domain')]¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.NTDS¶
Bases:
Module- SPEC = [('dir', 'sysvol/windows/NTDS')]¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.ETL¶
Bases:
Module- DESC = 'interesting ETL files'¶
- SPEC = [('glob', 'sysvol/Windows/System32/WDI/LogFiles/*.etl')]¶
- class acquire.acquire.acquire.Recents¶
Bases:
Module- DESC = 'Windows recently used files artifacts'¶
- SPEC = [('dir', 'AppData/Roaming/Microsoft/Windows/Recent'), ('dir',...¶
- class acquire.acquire.acquire.Startup¶
Bases:
Module- DESC = 'Windows Startup folder'¶
- SPEC = [('dir', 'sysvol/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup'), ('dir',...¶
- acquire.acquire.acquire.recyclebin_filter(path: dissect.target.helpers.fsutil.TargetPath) bool¶
- class acquire.acquire.acquire.RecycleBin¶
Bases:
Module- DESC = 'recycle bin metadata and data files'¶
- class acquire.acquire.acquire.Drivers¶
Bases:
Module- DESC = 'installed drivers'¶
- SPEC = [('glob', 'sysvol/windows/system32/drivers/*.sys')]¶
- class acquire.acquire.acquire.Exchange¶
Bases:
Module- DESC = 'interesting Exchange configuration files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.IIS¶
Bases:
Module- DESC = 'IIS logs'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.Prefetch¶
Bases:
Module- DESC = 'Windows Prefetch files'¶
- SPEC = [('dir', 'sysvol/windows/prefetch')]¶
- class acquire.acquire.acquire.Appcompat¶
Bases:
Module- DESC = 'Windows Amcache and RecentFileCache'¶
- SPEC = [('dir', 'sysvol/windows/appcompat')]¶
- class acquire.acquire.acquire.PCA¶
Bases:
Module- DESC = 'Windows Program Compatibility Assistant'¶
- SPEC = [('dir', 'sysvol/windows/pca')]¶
- class acquire.acquire.acquire.Syscache¶
Bases:
Module- DESC = 'Windows Syscache hive and log files'¶
- SPEC = [('file', 'sysvol/System Volume Information/Syscache.hve'), ('glob', 'sysvol/System Volume...¶
- class acquire.acquire.acquire.WindowsNotifications¶
Bases:
Module- DESC = 'Windows Push Notifications Database files.'¶
- SPEC = [('file', 'AppData/Local/Microsoft/Windows/Notifications/appdb.dat'), ('file',...¶
- class acquire.acquire.acquire.BITS¶
Bases:
Module- DESC = 'Background Intelligent Transfer Service (BITS) queue/log DB'¶
- SPEC = [('glob', 'sysvol/Documents and Settings/All Users/Application...¶
- class acquire.acquire.acquire.WBEM¶
Bases:
Module- DESC = 'Windows WBEM (WMI) database files'¶
- SPEC = [('dir', 'sysvol/windows/system32/wbem/Repository')]¶
- class acquire.acquire.acquire.DHCP¶
Bases:
Module- DESC = 'Windows Server DHCP files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.DNS¶
Bases:
Module- DESC = 'Windows Server DNS files'¶
- SPEC = [('glob', 'sysvol/windows/system32/config/netlogon.*'), ('dir', 'sysvol/windows/system32/dns')]¶
- class acquire.acquire.acquire.WinDnsClientCache¶
Bases:
Module- DESC = 'The contents of Windows DNS client cache'¶
- SPEC = [('command', (['powershell.exe', '-Command', 'Get-DnsClientCache | ConvertTo-Csv...¶
- EXEC_ORDER¶
- class acquire.acquire.acquire.PowerShell¶
Bases:
Module- DESC = 'Windows PowerShell Artefacts'¶
- SPEC = [('dir', 'AppData/Roaming/Microsoft/Windows/PowerShell')]¶
- class acquire.acquire.acquire.ThumbnailCache¶
Bases:
Module- DESC = 'Windows thumbnail db artifacts'¶
- SPEC = [('glob', 'AppData/Local/Microsoft/Windows/Explorer/thumbcache_*')]¶
- class acquire.acquire.acquire.Misc¶
Bases:
Module- DESC = 'miscellaneous Windows artefacts'¶
- SPEC = [('file', 'sysvol/windows/PFRO.log'), ('file', 'sysvol/windows/setupapi.log'), ('file',...¶
- class acquire.acquire.acquire.AV¶
Bases:
Module- DESC = 'various antivirus logs'¶
- SPEC = [('dir', 'sysvol/Documents and Settings/All Users/Application Data/AVG/Antivirus/log'), ('dir',...¶
- class acquire.acquire.acquire.QuarantinedFiles¶
Bases:
Module- DESC = 'files quarantined by various antivirus products'¶
- SPEC = [('dir', 'sysvol/ProgramData/Microsoft/Windows Defender/Quarantine'), ('dir', 'sysvol/Documents...¶
- class acquire.acquire.acquire.History¶
Bases:
Module- DESC = 'browser history from IE, Edge, Firefox, and Chrome'¶
- DIR_COMBINATIONS¶
- COMMON_DIR_COMBINATIONS¶
- SPEC = [('dir', 'AppData/Local/Microsoft/Internet Explorer/Recovery'), ('dir',...¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.RemoteAccess¶
Bases:
Module- DESC = "common remote access tools' log files"¶
- SPEC = [('glob', 'sysvol/Program Files/TeamViewer/*.log'), ('glob', 'sysvol/Program Files...¶
- class acquire.acquire.acquire.WebHosting¶
Bases:
Module- DESC = 'Web hosting software log files'¶
- SPEC = [('dir', '/usr/local/cpanel/logs'), ('file', '.lastlogin')]¶
- class acquire.acquire.acquire.WER¶
Bases:
Module- DESC = 'WER (Windows Error Reporting) related files'¶
- classmethod get_spec_additions(target: dissect.target.Target, cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.Etc¶
Bases:
Module- SPEC = [('dir', '/etc'), ('dir', '/usr/local/etc')]¶
- class acquire.acquire.acquire.Boot¶
Bases:
Module- SPEC = [('glob', '/boot/config*'), ('glob', '/boot/efi*'), ('glob', '/boot/grub*'), ('glob',...¶
- acquire.acquire.acquire.private_key_filter(path: dissect.target.helpers.fsutil.TargetPath) bool¶
- class acquire.acquire.acquire.Home¶
Bases:
Module- SPEC = [('glob', '.*[akz]sh*'), ('glob', '*/.*[akz]sh*'), ('glob', '.*history'), ('glob',...¶
- class acquire.acquire.acquire.SSH¶
Bases:
Module- SPEC = [('glob', '.ssh/*'), ('glob', '/etc/ssh/*'), ('glob', 'sysvol/ProgramData/ssh/*')]¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- class acquire.acquire.acquire.Var¶
Bases:
Module- SPEC = [('dir', '/var/log'), ('dir', '/var/spool/at'), ('dir', '/var/spool/cron'), ('dir',...¶
- class acquire.acquire.acquire.BSD¶
Bases:
Module- SPEC = [('file', '/bin/freebsd-version'), ('dir', '/usr/ports')]¶
- class acquire.acquire.acquire.OSX¶
Bases:
Module- DESC = 'OS-X specific files and directories'¶
- SPEC = [('dir', '/.fseventsd'), ('dir', '/Library/Extensions'), ('dir', '/System/Library/Extensions'),...¶
- class acquire.acquire.acquire.OSXApplicationsInfo¶
Bases:
Module- DESC = 'OS-X info.plist from all installed applications'¶
- SPEC = [('glob', '/Applications/*/Contents/Info.plist'), ('glob', 'Applications/*/Contents/Info.plist')]¶
- class acquire.acquire.acquire.ESXi¶
Bases:
Module- DESC = 'ESXi interesting files'¶
- SPEC = [('dir', '/scratch/log'), ('dir', '/locker/packages/var'), ('dir', '/scratch/cache'), ('dir',...¶
- class acquire.acquire.acquire.ActivitiesCache¶
Bases:
Module- DESC = "user's activities caches"¶
- SPEC = [('dir', 'AppData/Local/ConnectedDevicesPlatform')]¶
- class acquire.acquire.acquire.FileHashes¶
Bases:
Module- DESC = 'file hashes'¶
- DEFAULT_HASH_FUNCS = ()¶
- DEFAULT_EXTENSIONS = ('bat', 'cmd', 'com', 'dll', 'exe', 'installlog', 'installutil', 'js', 'lnk', 'ps1', 'sys', 'tlb', 'vbs')¶
- DEFAULT_PATHS = ('sysvol/Windows/',)¶
- MAX_FILE_SIZE_BYTES¶
- DEFAULT_FILE_FILTERS = ()¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- classmethod get_specs(cli_args: argparse.Namespace) Iterator[tuple]¶
- class acquire.acquire.acquire.OpenHandles¶
Bases:
Module- DESC = 'Open handles'¶
- classmethod run(target: dissect.target.Target, cli_args: argparse.Namespace, collector: acquire.collector.Collector) None¶
- acquire.acquire.acquire.print_disks_overview(target: dissect.target.Target) None¶
- acquire.acquire.acquire.print_volumes_overview(target: dissect.target.Target) None¶
- acquire.acquire.acquire.print_acquire_warning(target: dissect.target.Target) None¶
- acquire.acquire.acquire.acquire_target(target: dissect.target.Target, args: argparse.Namespace, output_ts: str | None = None) list[str]¶
- acquire.acquire.acquire.upload_files(paths: list[pathlib.Path], upload_plugin: acquire.uploaders.plugin.UploaderPlugin, no_proxy: bool = False) None¶
- acquire.acquire.acquire.PROFILES¶
- acquire.acquire.acquire.VOLATILE¶
- acquire.acquire.acquire.main() None¶
- acquire.acquire.acquire.load_child(target: dissect.target.Target, child_path: pathlib.Path) None¶
- acquire.acquire.acquire.acquire_children_and_targets(target: dissect.target.Target, args: argparse.Namespace) None¶
- acquire.acquire.acquire.sort_files(files: list[str | pathlib.Path]) list[pathlib.Path]¶