Command Line Examples

Collecting all evidence and artifact types
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full
 
Collecting RAM and Page File
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile memory
 
Collecting all evidence and artifact types except RAM and Page File
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full -!ram -!pgf
 
Collecting Custom Evidence and Artifact Types (Chrome History, IIS Logs, Event Logs)
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile custom -chst -iisl -evt -evtx
 
Collecting Default Selected Evidence and Artifact Types
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile default
 
Performing Memory Triage
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm
 
Performing FileSystem and Memory Triage
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm -tf
 
Collecting All Evidence and Artifact Types into a predefined case directory
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --case-dir "C:\Some\Folder\Case"
 
Collecting All Evidence and Artifact Types into a predefined output directory (a new folder is created for each collection)
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --output-dir "C:\Some\Folder"
 
Performing an Offline Acquisition
TACTICAL.exe --offline --license AAAA-BBBB-CCDD-DDDD --profile custom -evt -dnsc -ram -pri --case-dir "X:\Acquisition Directory"
 
Bulk Decryption (every case file in the acquisition directory)
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-dir "X:\Acquisition Directory" --output-dir "X:\Acquisitions Decrypted"
 
Individual Decryption (a single case file)
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-path "X:\Acquisition Directory\20210502150658-DEMOPC.eppc" --output-dir "X:\Acquisitions Decrypted"
 
Running TACTICAL via PsExec
PsExec.exe \\192.168.25.137 -u "WIN1064\John" -p "password" -h -n 60 -accepteula -c -f TACTICAL.exe -l AAAA-BBBB-CCCC-DDDD -nw -p full -ad "\\NET\SHARE\TACTICAL" -tr "MyYaraRules" -tm -cc "Hacked Server"
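The PsExec command above, wrapped as an added PowerShell script that is not part of the TACTICAL documentation: it runs the same remote collection against a list of hosts, takes the license from an environment variable and prompts for the PsExec account rather than hardcoding the password, and records each host's exit code. It assumes PsExec.exe and TACTICAL.exe are in the current directory and that the share path, rule set and case name are the ones from the example above.

```powershell
# Added example: bulk remote collection with the PsExec invocation documented above.
param(
    [Parameter(Mandatory)] [string[]] $Hosts,
    [string] $Share          = '\\NET\SHARE\TACTICAL',   # evidence share from the page
    [string] $Profile        = 'full',
    [string] $RuleSet        = 'MyYaraRules',            # triage rule set name from the page
    [string] $CaseName       = 'Hacked Server',
    [string] $LicenseEnvVar  = 'TACTICAL_LICENSE',       # assumed variable holding the key
    [int]    $TimeoutSeconds = 60
)

$license = [Environment]::GetEnvironmentVariable($LicenseEnvVar)
if (-not $license) { throw "Set $LicenseEnvVar to the TACTICAL license key first." }

# Prompt once. PsExec still receives the password as a command-line argument,
# so use a dedicated collection account rather than a standing admin account.
$cred = Get-Credential -Message 'Account PsExec will use on the target hosts'
$plainPassword = $cred.GetNetworkCredential().Password

# Everything after "-c -f TACTICAL.exe" is passed to TACTICAL, not to PsExec.
$tacticalArgs = @(
    '-l', $license, '-nw', '-p', $Profile,
    '-ad', $Share, '-tr', $RuleSet, '-tm', '-cc', $CaseName
)

$results = foreach ($h in $Hosts) {
    $psexecArgs = @(
        "\\$h", '-u', $cred.UserName, '-p', $plainPassword,
        '-h', '-n', $TimeoutSeconds, '-accepteula', '-c', '-f', 'TACTICAL.exe'
    ) + $tacticalArgs

    $started = Get-Date
    & .\PsExec.exe @psexecArgs 2>&1 | Out-Null   # copy TACTICAL over and run it

    [pscustomobject]@{
        Host     = $h
        ExitCode = $LASTEXITCODE               # keep with the case notes for each host
        Started  = $started
        Finished = Get-Date
    }
}

# One run log per batch, next to the script, so the collection timeline is preserved.
$results | Export-Csv -NoTypeInformation -Path ".\tactical-run-$(Get-Date -Format yyyyMMddHHmmss).csv"
$results | Format-Table -AutoSize
```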