acquire
Advanced tools
A tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.
This makes acquire an excellent tool to, among others, speedup the process of digital forensic triage.
It uses dissect to gather that information from the raw disk, if possible.
acquire gathers artifacts based on modules. These modules are paths or globs on a filesystem which acquire attempts to gather.
Multiple modules can be executed at once, which have been collected together inside a profile.
These profiles (used with --profile) are full, default, minimal and none.
Depending on what operating system gets detected, different artifacts are collected.
The most basic usage of acquire is as follows:
user@dissect~$ sudo acquire
The tool requires administrative access to read raw disk data instead of using the operating system for file access.
However, there are some options available to use the operating system as a fallback option. (e.g --fallback or --force-fallback)
For more information, please see the documentation.
This project is part of the Dissect framework and requires Python.
Information on the supported Python versions can be found in the Getting Started section of the documentation.
acquire is available on PyPI.
pip install acquire
This project uses tox to build source and wheel distributions. Run the following command from the root folder to build
these:
tox -e build
The build artifacts can be found in the dist/ directory.
tox is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests
using the default installed Python version, run:
tox
For a more elaborate explanation on how to build and test the project, please see the documentation.
The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please refer to the development guide.
Dissect is released as open source by Fox-IT (https://www.fox-it.com) part of NCC Group Plc (https://www.nccgroup.com).
Developed by the Dissect Team (dissect@fox-it.com) and made available at https://github.com/fox-it/acquire.
License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html). For more information, see the LICENSE file.
FAQs
A tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
We found that acquire demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
Security News
Tailwind Labs laid off 75% of its engineering team after revenue dropped 80%, as LLMs redirect traffic away from documentation where developers discover paid products.
Security News
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that disrupted maintainer workflows.