Acquire

Acquire is a specialized tool that enables the rapid collection of forensic artifacts from disk images or live systems. It efficiently stores these artifacts in a lightweight container, facilitating easy access and analysis.

This makes Acquire an excellent tool for various purposes, including speeding up the process of digital forensic triage.

It utilizes dissect to extract information from the raw disk whenever feasible. Acquire collects artifacts based on specific modules.

These modules represent paths or globs within a filesystem that acquisition attempts are designed to gather. Multiple modules can be executed at the same time, and these modules are grouped together within a profile.

The profiles associated with --profile include full, default, minimal, and none. Depending on the operating system that is detected, different artifacts are collected accordingly.

To use the acquire command in its most straightforward form, type the following in your terminal: user@dissect~$ sudo acquire

The tool needs administrative access to directly read raw disk data instead of depending on the operating system for file access.

There are several options available to use the operating system as a backup solution. For instance, you can utilize the commands --fallback or --force-fallback.

For additional information, please refer to the documentation for further insights and details.

This project is a part of the Dissect framework and requires the use of Python. For details about the supported Python versions, please refer to the documentation.