Windows Gather Forensic Imaging
This module performs byte-for-byte imaging of remote disks and volumes.
Rank
- Normal
Authors
- Wesley McGrew <wesley [at] mcgrewsecurity.com>
Similar Modules
- post/windows/gather/forensics/duqu_check
- post/windows/gather/forensics/enum_drives
- post/windows/gather/forensics/nbd_server
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use post/windows/gather/forensics/imager
msf post(imager) > set DEVICE [STRING]
msf post(imager) > set SESSION [INTEGER]
Module Options
| Option | Description |
| --- | --- |
| BLOCKSIZE | Block size, in bytes (multiples of 512) (default: 1048576) |
| COUNT | Image only this many blocks (0 - read till end) (default: 0) |
| DEVICE | Device to image (use enum_drives for possible names) |
| OUTFILE | Output filename without extension (default: image) |
| SESSION | The session to run this module on. |
| SKIP | Skip this many blocks before beginning (default: 0) |
| SPLIT | Split image size, in bytes (default: 1610612736) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
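The following Ruby example, added here and not taken from the module's own source, shows how the BLOCKSIZE, SKIP, COUNT and SPLIT options interact during a block-wise image: the reader seeks past SKIP blocks, reads up to COUNT blocks (0 means read to the end), and starts a new output segment whenever the current one would exceed SPLIT bytes. It runs against a constructed in-memory "device" of 512-byte sectors rather than a real disk, keeps the segments in memory instead of writing files, and assumes a segment naming scheme of `image.000`, `image.001`, ... which is an illustration, not necessarily what the module produces. It also hashes each segment and re-hashes the imaged region of the source, the check an examiner wants before trusting any acquired image.

```ruby
require 'digest'
require 'stringio'

# Constructed sample device (not a real disk): `sectors` blocks of 512 bytes,
# each filled with a distinct byte so offsets are recognisable in the output.
def build_sample_device(sectors: 10)
  raw = (0...sectors).map { |n| (n.chr * 512).b }.join
  StringIO.new(raw)
end

# Block-wise imaging loop modelled on the module's options. Returns an array of
# segments, each with an assumed name (image.000, image.001, ...), its size,
# its bytes and its SHA-256 digest.
def image_device(device, outfile: 'image', blocksize: 1_048_576,
                 skip: 0, count: 0, split: 1_610_612_736)
  unless blocksize.positive? && (blocksize % 512).zero?
    raise ArgumentError, 'BLOCKSIZE must be a positive multiple of 512'
  end
  raise ArgumentError, 'SPLIT must hold at least one block' if split < blocksize

  # SKIP is counted in blocks, not bytes.
  device.seek(skip * blocksize)
  segments = []
  blocks_read = 0

  loop do
    # COUNT of 0 means "read till end"; otherwise stop after COUNT blocks.
    break if count.positive? && blocks_read >= count

    block = device.read(blocksize)
    break if block.nil? || block.empty?

    # Open a new segment when appending this block would exceed SPLIT.
    if segments.empty? || segments.last[:size] + block.bytesize > split
      segments << {
        name: format('%s.%03d', outfile, segments.size), # assumed naming
        size: 0,
        data: String.new,
        digest: Digest::SHA256.new
      }
    end

    seg = segments.last
    seg[:data] << block
    seg[:digest].update(block)
    seg[:size] += block.bytesize
    blocks_read += 1
  end

  # Finalise per-segment hashes so each piece can be verified independently.
  segments.each do |seg|
    seg[:sha256] = seg[:digest].hexdigest
    seg.delete(:digest)
  end
  segments
end

# Re-hashes the imaged region of the source and the concatenated segments.
# An acquisition is only trustworthy when the two digests agree.
def verify_image(device, segments, blocksize:, skip: 0)
  total = segments.sum { |seg| seg[:size] }
  device.seek(skip * blocksize)
  source_hash = Digest::SHA256.hexdigest(device.read(total) || String.new)
  image_hash = Digest::SHA256.hexdigest(segments.map { |seg| seg[:data] }.join)
  source_hash == image_hash
end

if $PROGRAM_NAME == __FILE__
  dev = build_sample_device(sectors: 10)
  segs = image_device(dev, blocksize: 512, skip: 1, split: 2048)
  segs.each { |s| puts "#{s[:name]}  #{s[:size]} bytes  sha256=#{s[:sha256]}" }
  puts "image matches source: #{verify_image(dev, segs, blocksize: 512, skip: 1)}"
end
```

With a 10-sector device, SKIP=1 and SPLIT=2048 the loop reads nine blocks and yields three segments of 2048, 2048 and 512 bytes; adding COUNT=3 limits the image to three blocks regardless of how much device remains.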
