# Dissect

### Overview

[`Dissect`](https://github.com/fox-it/dissect) is a digital forensics & incident response Python toolset that allows access and parsing of forensic artefacts from various disk and file formats.

**Dissect supported targets**

`Dissect` supports the [following targets](https://docs.dissect.tools/en/latest/overview/):

* Raw disk images and evidence containers (`.E01`).
* Virtual disks (`.vmdk`, `.vhdx`, etc.).
* Virtual machine descriptor files (`.vmx`, `.vmcx`, etc.). By using a VM descriptor file, `dissect` will load the all the virtual disks associated with the VM.
* Local live systems (`\\.\PhysicalDrive0`, `/dev/sda`, etc.).
* `.tar` archives created by `acquire`
* Directories, such as `KAPE` or `velociraptor` (`KapeTargets`) collection outputs.

**Dissect tools**

`Dissect` is composed of the following tools:

* [`acquire`](https://docs.dissect.tools/en/latest/tools/acquire.html): to gather forensic artifacts from disk images or the live system.
* [`target-fs`](https://docs.dissect.tools/en/latest/tools/target-fs.html): to interact with the filesystem of a target, using a set of familiar Unix commands.
* [`target-mount`](https://docs.dissect.tools/en/latest/tools/target-mount.html): to mount the filesystem of a target to an arbitrary directory on the analysis machine (similar to the `mount` utility).
* [`target-query`](https://docs.dissect.tools/en/latest/tools/target-query.html): to parse data and artefacts from the specified target, mostly as `records` outputs.
* [`target-reg`](https://docs.dissect.tools/en/latest/tools/target-reg.html): to tool query the registry of Windows targets.
* [`rdump`](https://docs.dissect.tools/en/latest/tools/rdump.html): to interact and manipulate `dissect`'s `records` outputs.

**Installation**

The `dissect` toolset can be easily installed through `Python3`'s `pip`:

```bash
python3 -m pip install dissect
python3 -m pip install acquire
```

### acquire

`acquire` can be used to extract artifacts either from the local system or the specified targets, and place the collected artefacts in a `tar` archive (or output folder).

`acquire` supports three levels of profiles, that specify the artefacts that will be collected depending on the target operating system: `minimal`, `default`, and `full`.

```bash
# OUTPUT_TYPE: tar or dir

acquire -p <minimal | default | full> -o <OUTPUT_FOLDER> [-ot <OUTPUT_TYPE>] <TARGET | local>
```

### target-fs

`target-fs` can be used to interact with the filesystem of a target, to list or copy individual or multiple files from the target to the analysis destination.

```bash
target-fs <TARGET> <ls | cat | walk> <TARGET_DIR | TARGET_FILE>

target-fs <TARGET> cp <TARGET_DIR | TARGET_FILE> -o <OUTPUT_DIR>
```

### target-query

`target-query` can be used to parse artefacts from the target, often (but not always) resulting in `dissect`'s `records` outputs. `target-query`'s `records` can be converted to `CSV` or `JSON` outputs as well as filtered with `rdump`.

Multiple artefacts sources are implemented, as `target-query`'s `function`. The implemented functions can be listed using `target-query -l`. The following notable functions are implemented:

* Windows operating systems: `activitiescache`, `amcache`, `lnk`, `evt` / `evtx`, `powershell_history`, `prefetch`, `recyclebin`, `registry` (`bam`, `shimcache`, etc.), `shellbags`, `shimcache`, `sru`, `ual`, `userassist`, etc.
* Filesystem: `mft`, `usnjrnl`, `walkfs`
* Linux / Unix operating systems: `bashhistory`, `cronjobs`, `dpkg`, `audit`, `btmp`, `lastlog`, `messages`, `services`, `ssh.authorized_keys`, `ssh.known_hosts`, `suid`
* Web browsers: `browser.history` (Chrome, Firefox, Edge, and Internet Explorer histories)
* remote access applications: `remoteaccess.remoteaccess` (AnyDesk and TeamViewer logs)
* Yara scans: `yara`

```bash
# Example: target-query windows_vm.vmdk -f mft
target-query -f <FUNCTION> <TARGET>

# Retrieves basic information about the target operating system.
target-query -f hostname,domain,version,ips <TARGET>

# Outputs the records as JSON (only for functions that return records).
target-query -s --json -f <FUNCTION> <TARGET>

# Uses rdump to transform the records outputs as CSV or JSON.
# --multi-timestamp: deduplicate a record if it contains multiple timestamps to create a timeline.
target-query [--multi-timestamp] -f <FUNCTION> <TARGET> | rdump <--csv | --json | --jsonlines> [--fields <FIELDS_FOR_OUTPUT>]

# Example Linux functions.
target-query --multi-timestamp -f bashhistory,browser.history,capability_binaries,cronjobs,dpkg,audit,btmp,lastlog,messages,wtmp,services,ssh.authorized_keys,ssh.known_hosts,ssh.private_keys,suid <TARGET>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/dfir/tools/dissect.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.