target-dump

With target-dump you can export records of a specific function used in target-query to a file.

The basic structure of a target-dump command is as follows:

$ target-dump -f <comma_seperated_functions> <path_to_target>

Furthermore, the tool can apply certain compression algorithms to the dump, to create small archives of the output.

Usage

target-dump - CLI interface

dissect.target

target-dump [-f FUNCTION] [-xf EXCLUDED_FUNCTIONS] [-l [LIST]] [--dry-run]
            [-c {bzip2,gzip,lz4,zstandard}] [--restart] [-s {jsonlines,msgpack}] -o OUTPUT
            [--limit LIMIT] [-K KEYCHAIN_FILE] [-Kv KEYCHAIN_VALUE] [-L LOADER]
            [--child CHILD] [--children] [--list-children] [--recursive] [-v] [--version]
            [-q] [--plugin-path PLUGIN_PATH [PLUGIN_PATH ...]]
            [TARGET ...]

target-dump positional arguments

  • TARGET - targets to load (default: None)

target-dump options

  • -f FUNCTION, --function FUNCTION - one or more comma separated functions to execute (default: None)

  • -xf EXCLUDED_FUNCTIONS, --excluded-functions EXCLUDED_FUNCTIONS - functions to exclude from execution (default: )

  • -l LIST, --list LIST - list (matching) available plugins and loaders (default: None)

  • --dry-run - do not execute the functions, but just print which functions would be executed

  • -c COMPRESSION, --compression COMPRESSION - compression method (default: Compression.NONE)

  • --restart - restart the session and overwrite the state file if it exists

  • -s SERIALIZATION, --serialization SERIALIZATION - serialization method (default: Serialization.JSONLINES)

  • -o OUTPUT, --output OUTPUT - output directory (default: .)

  • --limit LIMIT - limit number of records produced (default: None)

  • -K KEYCHAIN_FILE, --keychain-file KEYCHAIN_FILE - keychain file in CSV format (default: None)

  • -Kv KEYCHAIN_VALUE, --keychain-value KEYCHAIN_VALUE - passphrase, recovery key or key file path value (default: None)

  • -L LOADER, --loader LOADER - select a specific loader (i.e. vmx, raw) (default: None)

  • --child CHILD - load child of target by path of index (see –list-children) (default: None)

  • --children - include children

  • --list-children - list all children indices and paths, then exit (default: False)

  • --recursive - make –list-children behave recursively

  • -v, --verbose - increase output verbosity (default: 0)

  • --version - print version

  • -q, --quiet - do not output logging information

  • --plugin-path PLUGIN_PATH - a file or directory containing plugins and extensions (default: None)