Command Line Examples
Collecting all evidence and artifact types:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full
Collecting RAM and Page File:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile memory
Collecting all evidence and artifact types except RAM and Page File:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full -!ram -!pgf
Collecting Custom Evidence and Artifact (Chrome History, IIS Logs, Event Logs):
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile custom -chst -iisl -evt -evtx
Collecting Default Selected Evidence and Artifact Types:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile default
Performing Memory Triage:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm
Performing FileSystem and Memory Triage:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm -tf
Collecting Full Evidence and Artifact into a predefined case directory:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --case-dir "C:\Some\Folder\Case"
Collecting Full Evidence and Artifact into a predefined directory (a new folder will be created for each collection):
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --output-dir "C:\Some\Folder"
Collecting an Offline Acquisition:
TACTICAL.exe --offline --license AAAA-BBBB-CCDD-DDDD --profile custom -evt -dnsc -ram -pri --case-dir "X:\Acquisition Directory"
Bulk decryption:
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-dir "X:\Acquisition Directory" --output-dir "X:\Acquisitions Decrypted"
Individual decryption:
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-path "X:\Acquisition Directory\20210502150658-DEMOPC.eppc" --output-dir "X:\Acquisitions Decrypted"
Running TACTICAL via PsExec:
PsExec.exe \\192.168.25.137 -u "WIN1064\John" -p "password" -h -n 60 -accepteula -c -f TACTICAL.exe -l AAAA-BBBB-CCCC-DDDD -nw -p full -ad "\\NET\SHARE\TACTICAL" -tr "MyYaraRules" -tm -cc "Hacked Server"