`acquire.acquire.collector`¶

Module Contents¶

Classes¶

`Outcome`	Sortable and serializible string-based enum
`ArtifactType`	Sortable and serializible string-based enum
`Record`
`CollectionReport`
`Collector`

Functions¶

`get_report_summary`	Create a table-view report summary with success/failure/missing/empty counters per module
`get_full_formatted_report`	Create a full list of successful / failed / missing / empty artifacts collected,

Attributes¶

log

acquire.acquire.collector.log¶

class acquire.acquire.collector.Outcome¶

Bases: acquire.utils.StrEnum

Sortable and serializible string-based enum

SUCCESS = 'success'¶

FAILURE = 'failure'¶

MISSING = 'missing'¶

EMPTY = 'empty'¶

class acquire.acquire.collector.ArtifactType¶

Bases: acquire.utils.StrEnum

Sortable and serializible string-based enum

FILE = 'file'¶

SYMLINK = 'symlink'¶

GLOB = 'glob'¶

DIR = 'dir'¶

COMMAND = 'command'¶

PATH = 'path'¶

class acquire.acquire.collector.Record¶

module_name: str¶

outcome: Outcome¶

artifact_type: ArtifactType¶

artifact_value: str¶

details: str | None = None¶

class acquire.acquire.collector.CollectionReport¶

target: dissect.target.Target¶

registry: set[Record]¶

seen_paths: set[str]¶

add_file_collected(module: str, path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_symlink_collected(module: str, path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_symlink_failed(module: str, path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_file_failed(module: str, failed_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_file_missing(module: str, missing_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_glob_failed(module: str, failed_pattern: str) → None¶

add_glob_empty(module: str, pattern: str) → None¶

add_dir_collected(module: str, path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_dir_failed(module: str, failed_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_dir_missing(module: str, missing_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_path_collected(module: str, path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_path_failed(module: str, failed_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_path_missing(module: str, missing_path: dissect.target.helpers.fsutil.TargetPath) → None¶

add_command_collected(module: str, command_parts: collections.abc.Sequence[str]) → None¶

add_command_failed(module: str, command_parts: collections.abc.Sequence[str]) → None¶

get_records_per_module_per_outcome(serialize_records: bool = False) → dict[str, dict[str, list[Record]]]¶

get_counts_per_module_per_outcome() → dict[str, dict[str, int]]¶

was_path_seen(path: str | dissect.target.helpers.fsutil.TargetPath) → bool¶

class acquire.acquire.collector.Collector(target: dissect.target.Target, output: acquire.outputs.base.Output, base: str = 'fs', skip_list: set | None = None)¶

METADATA_BASE = '$metadata$'¶

COMMAND_OUTPUT_BASE = '$metadata$/command-output'¶

target¶

output¶

base = 'fs'¶

skip_list¶

report¶

bound_module_name = None¶

filter¶

__enter__() → Collector¶

__exit__(*args, **kwargs) → None¶

bind_module(module: type) → Collector¶

file_filter(filter: collections.abc.Callable[[dissect.target.helpers.fsutil.TargetPath], bool] | None) → Collector¶

bind(module: type) → None¶

unbind() → None¶

close() → None¶

collect(spec: collections.abc.Iterator, module_name: str | None = None, follow: bool = True, volatile: bool = False) → None¶

collect_path(path: str | dissect.target.helpers.fsutil.TargetPath, outpath: str | None = None, module_name: str | None = None, base: str | None = None, volatile: bool = False, seen_paths: set[dissect.target.helpers.fsutil.TargetPath] | None = None) → None¶

Collect a path from the target’s root filesystem, including any intermediary symlinks.

Parameters:

path – The path to collect (this may be a file, directory or symlink).
outpath – A posix style explicit path where to store the collected path. In case path is a directory this will be the new base directory. It is concatenated with base to get the final output path. Windows device path and sysvol parts are normalized. When set, intermediate symlinks of path are not collected. When not set, it will be constructed from the given path.
module_name – When set it indicates the module doing the collection, used for logging and reporting. When not set the :class:Collector’s bound_module will be used.
base – A different base path to use to store the file, it is prepended to the given or generated outpath.
volatile – When this flag is set, the collection of a number of artefacts is performed slightly different. Symlinks at the end of a path will not be collected, empty directories will be collected, files will be collected in a slower but more robust way, any errors while reading the bytes will not fail the collection of the file and all bytes already retrieved will be stored.
seen_paths – A list of normalized path strings, used when calling this function recursively to collect directories to break out of symlink loops.

collect_file_raw(path: str | dissect.target.helpers.fsutil.TargetPath, fs: dissect.target.filesystem.Filesystem, mountpoint: str, outpath: str | None = None, module_name: str | None = None, base: str | None = None, file_accessor: collections.abc.Callable[[BinaryIO, int], BinaryIO] | None = None) → None¶

Collect a single file from one of the target’s filesystems.