interACT Commands

interACT has been built specifically for DFIR capability in $ Product. The full list of current commands can be listed by typing ‘help’ at the command prompt, and is below the following important 'hint':

cat: To display the content of a file.

cd: To change the current working directory.

curl: To make HTTP requests.

del, delete, or rm: For deleting a file or folder.

dir or ls: Will list the files and folders in a chosen directory.

exec or execute: This allows you to execute a process on the asset using the native shell and return results via stdout/stderr.

find: Allows searching of a file or directory.

get: To pull a file from the asset down to the console

hash: Will display the hash value of a file.

head: To get the first 10 lines of a file displayed.

help: Will display any help messages and switches that you can apply to commands available to you at your current position.

hex: Will display the hex-encoded output of the first 100 bytes of a file.

image: To read a disk or volume and write its contents out as a .dd file. This can also be done from the UI but remains here in interACT for those who prefer to image from the command line.

kill: Is the command to terminate a process.

mkdir: Will make or create a directory

osquery: Gives the user access to osquery queries within the interACT session

pslist: Will display the running process list.

put: Allows the user to push a file from the library to the asset.

pwd: Displays the present working directory.

volumes: Will list the mounted volumes.

yara: Scan files or processes with YARA rules.

zip: This command compresses or decompresses a file or folder.

Flags

From AIR v4.5, users can speed up workflows by using the following flags for files they want to download using the ‘get’ command in interACT:

• Compression: ‘-zip’

• Password protection: ‘-zip-password’

• File name change: ‘-name’