A tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
Project description
Acquire
acquire
is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
This makes acquire
an excellent tool to, among others, speedup the process of digital forensic triage.
It uses dissect
to gather that information from the raw disk, if possible.
acquire
gathers artifacts based on modules. These modules are paths or globs on a filesystem which acquire attempts to gather.
Multiple modules can be executed at once, which have been collected together inside a profile.
These profiles (used with --profile
) are full
, default
, minimal
and none
.
Depending on what operating system gets detected, different artifacts are collected.
The most basic usage of acquire
is as follows:
user@dissect~$ sudo acquire
The tool requires administrative access to read raw disk data instead of using the operating system for file access.
However, there are some options available to use the operating system as a fallback option. (e.g --fallback
or --force-fallback
)
For more information, please see the documentation.
Requirements
This project is part of the Dissect framework and requires Python.
Information on the supported Python versions can be found in the Getting Started section of the documentation.
Installation
acquire
is available on PyPI.
pip install acquire
Build and test instructions
This project uses tox
to build source and wheel distributions. Run the following command from the root folder to build
these:
tox -e build
The build artifacts can be found in the dist/
directory.
tox
is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests
using the default installed Python version, run:
tox
For a more elaborate explanation on how to build and test the project, please see the documentation.
Contributing
The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please refer to the development guide.
Copyright and license
Dissect is released as open source by Fox-IT (https://www.fox-it.com) part of NCC Group Plc (https://www.nccgroup.com).
Developed by the Dissect Team (dissect@fox-it.com) and made available at https://github.com/fox-it/acquire.
License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html). For more information, see the LICENSE file.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file acquire-3.17.tar.gz
.
File metadata
- Download URL: acquire-3.17.tar.gz
- Upload date:
- Size: 90.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 597beb1f138449dfcd6154f18c716a6f141f59488423f88e0f142b2fb0924056 |
|
MD5 | 3d0bf88a7d757a1a28e62193841eaea7 |
|
BLAKE2b-256 | 7c8ebce334c4054ede825311ec8225c53b1182418cf670e1202e9517a2183d1e |
Provenance
The following attestation bundles were made for acquire-3.17.tar.gz
:
Publisher:
dissect-ci.yml
on fox-it/acquire
-
Statement type:
https://in-toto.io/Statement/v1
- Predicate type:
https://docs.pypi.org/attestations/publish/v1
- Subject name:
acquire-3.17.tar.gz
- Subject digest:
597beb1f138449dfcd6154f18c716a6f141f59488423f88e0f142b2fb0924056
- Sigstore transparency entry: 149494214
- Sigstore integration time:
- Predicate type:
File details
Details for the file acquire-3.17-py3-none-any.whl
.
File metadata
- Download URL: acquire-3.17-py3-none-any.whl
- Upload date:
- Size: 83.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9d528291130969b1d6fe485680b4ce9f2f20a7dbd19ab79e55c024e915e1fc40 |
|
MD5 | 2e100dc5bb3cbb55ce291a326c8850f7 |
|
BLAKE2b-256 | 8dcb3c1f116077e2c7ce0f4394539e17eb5d93869289f18a8010bb3f82f43e99 |
Provenance
The following attestation bundles were made for acquire-3.17-py3-none-any.whl
:
Publisher:
dissect-ci.yml
on fox-it/acquire
-
Statement type:
https://in-toto.io/Statement/v1
- Predicate type:
https://docs.pypi.org/attestations/publish/v1
- Subject name:
acquire-3.17-py3-none-any.whl
- Subject digest:
9d528291130969b1d6fe485680b4ce9f2f20a7dbd19ab79e55c024e915e1fc40
- Sigstore transparency entry: 149494216
- Sigstore integration time:
- Predicate type: