Command Line Options

 

--help / -h

Displays the URL for the latest documentation.


 

--no-wait / -nw

By default, TACTICAL will wait for a key press once the requested operation completes. Providing this option will make it terminate immediately without waiting for a key press.

You should always provide this option when running TACTICAL remotely using tools such as PsExec.

Examples:

TACTICAL.exe --profile full --no-wait 

 

--license <Key> / -l <Key>

Provides the license key to use for activating TACTICAL. If not provided, TACTICAL will try to read the key from the License section of the TACTICAL.Settings.ini file.

Examples:

TACTICAL.exe --license AAA-BBB-CCC-DDD

TACTICAL.exe -l AAA-BBB-CCC-DDD

 

--app-dir <FolderPath> / -ad <FolderPath>

By default, TACTICAL uses the directory it is executed from as its Application Directory. This option tells TACTICAL to use the provided directory instead for creating, reading and writing the files and folders listed below:

      • TACTICAL.Settings.ini: All application settings are saved into this file.
      • TACTICAL.Log.txt: All application logs.
      • TACTICAL.Error.txt: Only created when an exception occurs.
      • TACTICAL.Rulesets: Folder for YARA rulesets (.yar files).
      • TACTICAL.Profiles: Folder for Custom Content Profiles (.ccp files).
      • TACTICAL.Bin: Created by TACTICAL Dongle Edition (an SFX archive) for extracting its contents.

By default, the provided folder path will also be used for saving case output. You can override this behaviour by providing either the --case-dir or the --output-dir option.

This option is required when TACTICAL is executed remotely via PsExec and you want to perform triage with a YARA ruleset or collect custom content, because both are read from the Application Directory!

Examples:

TACTICAL.exe --app-dir "\\MACHINE\TACTICAL-DIR"

TACTICAL.exe -ad "\\MACHINE\TACTICAL-DIR" --triage-ruleset MyYaraRules --triage-memory # Uses \\MACHINE\TACTICAL-DIR\TACTICAL.Rulesets\MyYaraRules-memory.yar file

TACTICAL.exe -ad "\\MACHINE\TACTICAL-DIR" --custom-content "Hacked Server" # Uses \\MACHINE\TACTICAL-DIR\TACTICAL.Profiles\Hacked Server.ccp file
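The remote-execution pattern described under --no-wait and --app-dir (run through PsExec, point --app-dir at a share, never block on a key press) is easy to get wrong when the command line is built by hand. The following is an added example, not TACTICAL's own code: a small Python launcher helper that assembles the command line from the options on this page and checks the Application Directory before anything is started. It assumes memory-triage rulesets are found at TACTICAL.Rulesets\<RuleSetName>-memory.yar and custom content profiles at TACTICAL.Profiles\<ProfileName>.ccp under the app dir, mirroring the examples above; the share name, host name and file contents in the demo are constructed placeholders.

```python
"""Added example, not part of the TACTICAL documentation: a launcher helper that
assembles a TACTICAL command line for a remote (PsExec-style) run and checks the
Application Directory before anything is executed.

Assumptions (labelled): memory-triage rulesets live at
TACTICAL.Rulesets/<RuleSetName>-memory.yar under the app dir and custom content
profiles at TACTICAL.Profiles/<ProfileName>.ccp, mirroring the --app-dir
examples; host names, paths and file contents used in the demo are constructed.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TacticalRun:
    """The subset of TACTICAL options this helper knows about (all from the docs)."""
    app_dir: str                          # --app-dir, required for remote runs
    profile: str = "default"              # --profile
    no_wait: bool = True                  # --no-wait, mandatory for PsExec-style runs
    output_dir: Optional[str] = None      # --output-dir (case folder created inside)
    case_dir: Optional[str] = None        # --case-dir (used as is)
    triage_memory: bool = False           # --triage-memory
    triage_ruleset: Optional[str] = None  # --triage-ruleset
    custom_content: Optional[str] = None  # --custom-content


def validate(run: TacticalRun) -> List[str]:
    """Return the problems found; an empty list means the run looks sane.

    Only files the docs say TACTICAL reads from the app dir are checked. The
    built-in Default ruleset is not a file we can see, so it is not checked.
    """
    problems: List[str] = []
    if not os.path.isdir(run.app_dir):
        problems.append(f"app-dir does not exist or is unreachable: {run.app_dir}")
    if not run.no_wait:
        problems.append("--no-wait not set: a remote run would block waiting for a key press")
    if run.triage_memory and run.triage_ruleset:
        yar = os.path.join(run.app_dir, "TACTICAL.Rulesets", f"{run.triage_ruleset}-memory.yar")
        if not os.path.isfile(yar):
            problems.append(f"memory triage ruleset not found: {yar}")
    if run.custom_content:
        ccp = os.path.join(run.app_dir, "TACTICAL.Profiles", f"{run.custom_content}.ccp")
        if not os.path.isfile(ccp):
            problems.append(f"custom content profile not found: {ccp}")
    return problems


def build_args(run: TacticalRun) -> List[str]:
    """Translate the dataclass into the argv TACTICAL expects (long option names)."""
    args = ["TACTICAL.exe", "--app-dir", run.app_dir, "--profile", run.profile]
    if run.no_wait:
        args.append("--no-wait")
    if run.output_dir:
        args += ["--output-dir", run.output_dir]
    if run.case_dir:
        args += ["--case-dir", run.case_dir]
    if run.triage_ruleset:
        args += ["--triage-ruleset", run.triage_ruleset]
    if run.triage_memory:
        args.append("--triage-memory")
    if run.custom_content:
        args += ["--custom-content", run.custom_content]
    return args


def command_line(run: TacticalRun, remote_host: Optional[str] = None) -> str:
    """Render the argv as one line, quoting values that contain spaces as the docs do.

    When remote_host is given, the line is prefixed with a PsExec invocation
    (PsExec.exe \\\\HOST ...); any further PsExec switches are left to the operator.
    """
    parts = [f'"{a}"' if " " in a else a for a in build_args(run)]
    if remote_host:
        parts = ["PsExec.exe", f"\\\\{remote_host}"] + parts
    return " ".join(parts)


def make_demo_app_dir() -> str:
    """Construct a throwaway Application Directory with one ruleset and one profile."""
    root = tempfile.mkdtemp(prefix="tactical-demo-")
    os.makedirs(os.path.join(root, "TACTICAL.Rulesets"))
    os.makedirs(os.path.join(root, "TACTICAL.Profiles"))
    # Constructed placeholder contents; real files come from the analyst.
    with open(os.path.join(root, "TACTICAL.Rulesets", "MyYaraRules-memory.yar"), "w") as f:
        f.write("// placeholder YARA ruleset for the demo\n")
    with open(os.path.join(root, "TACTICAL.Profiles", "Hacked Server.ccp"), "w") as f:
        f.write("; placeholder custom content profile for the demo\n")
    return root


if __name__ == "__main__":
    app_dir = make_demo_app_dir()
    good = TacticalRun(app_dir=app_dir, profile="full", triage_memory=True,
                       triage_ruleset="MyYaraRules", custom_content="Hacked Server")
    print(validate(good) or "no problems found")
    print(command_line(good, remote_host="MACHINE"))  # MACHINE is a constructed host name
    bad = TacticalRun(app_dir=app_dir, no_wait=False, triage_memory=True, triage_ruleset="Missing")
    for p in validate(bad):
        print("problem:", p)
```

The checks run before anything is executed: a missing ruleset file or a forgotten --no-wait is reported on the operator's console rather than discovered as a hung PsExec session or an empty triage result on the remote host.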

 

--profile <Profile> / -p <Profile>

Selects the Collection Profile. Can be one of the following:

      • full: Collects all evidence and artifact types.
      • custom: Evidence and artifact types should be provided separately from command line. See Evidence Types and Artifact Types for more information.
      • memory: Collects RAM and PageFile only.
      • default: Collects only default enabled evidence and artifact types.

The default profile is "custom", which requires each evidence and artifact type to be provided separately on the command line. See Evidence Types and Artifact Types for more information.

You can also exclude evidence or artifacts by prefixing them with "!".

Examples:

TACTICAL.exe --profile full

TACTICAL.exe -p custom -ram -hbr -pf -evt -evtx -iisl -adl -apcl -outlk

TACTICAL.exe --profile full -!ram !pgf

 

--output-dir <DirPath> / -od <DirPath>

Sets the directory in which the case directory will be created. The case directory is named in the format TIMESTAMP-MACHINENAME. If you want to provide an absolute path yourself, use the --case-dir option instead. A trailing backslash is ignored.

Examples:

TACTICAL.exe --output-dir C:\Cases\Root

TACTICAL.exe -od "C:\Case Folder\Root"

 

--case-dir <CasePath> / -cd <CasePath>

Sets the absolute path of the case directory. The provided path is used as is, without creating any folders inside it. If you want TACTICAL to automatically create a directory for each case, use the --output-dir option instead. A trailing backslash is ignored.

Examples:

TACTICAL.exe --case-dir "C:\Cases\Final"

TACTICAL.exe -cd "C:\Cases\Final"

 

--custom-content <ProfileName> / -cc <ProfileName>

Provides the custom content collection profile name. Custom content profiles are stored in the TACTICAL.Profiles folder, in the TACTICAL.ProfileName.ccp format. TACTICAL expects only the ProfileName portion in this command line option.

Examples:

TACTICAL.exe --custom-content "Hacked Server"

TACTICAL.exe -cc SomeProfile

 

--triage-ruleset <RuleSetName> / -tr <RuleSetName>

Selects the rule set to use when performing triage with YARA. If not provided, the Default ruleset will be used whenever memory or filesystem triage is enabled with the --triage-memory or --triage-filesystem option.

Examples:

TACTICAL.exe --triage-ruleset "New Set" --triage-memory

TACTICAL.exe -tr Default -tm

 

--triage-memory / -tm

Enables memory triage. If --triage-ruleset is not provided, the Default ruleset will be used.

Examples:

TACTICAL.exe --triage-memory

TACTICAL.exe -tm

 

--triage-filesystem / -tf

Enables filesystem triage. If --triage-ruleset is not provided, the Default ruleset will be used.

Examples:

TACTICAL.exe --triage-filesystem

TACTICAL.exe -tf

 

--offline

Enables offline mode.

Examples:

TACTICAL.exe --offline

 

--decrypt

Enables decryption of the acquisition.

Examples:

TACTICAL.exe --decrypt

 
