Command Line Examples
Brief overview of Command Line Examples
Collecting all evidence and artifact types:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full
Collecting RAM and Page File:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile memory
Collecting all evidence and artifact types except RAM and Page File:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile full -!ram -!pgf
Collecting Custom Evidence and Artifact (Chrome History, IIS Logs, Event Logs):
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile custom -chst -iisl -evt -evtx
Collecting Default Selected Evidence and Artifact Types:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --profile default
Performing Memory Triage:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm
Performing FileSystem and Memory Triage:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD --triage-ruleset RuleSetName -tm -tf
Collecting all Evidence and Artifact Types into a predefined case directory:
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --case-dir "C:\Some\Folder\Case"
Collecting all Evidence and Artifact Types into a predefined directory (a new folder will be created for each collection):
TACTICAL.exe --license AAAA-BBBB-CCDD-DDDD -p full --output-dir "C:\Some\Folder"
Performing an Offline Acquisition:
TACTICAL.exe --offline --license AAAA-BBBB-CCDD-DDDD --profile custom -evt -dnsc -ram -pri --case-dir "X:\Acquisition Directory"
Bulk decryption:
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-dir "X:\Acquisition Directory" --output-dir "X:\Acquisitions Decrypted"
Individual decryption:
TACTICAL.exe --decrypt --license AAAA-BBBB-CCDD-DDDD --case-path "X:\Acquisition Directory\20210502150658-DEMOPC.eppc" --output-dir "X:\Acquisitions Decrypted"
Running TACTICAL via PsExec:
PsExec.exe \\192.168.25.137 -u "WIN1064\John" -p "password" -h -n 60 -accepteula -c -f TACTICAL.exe -l AAAA-BBBB-CCCC-DDDD -nw -p full -ad "\\NET\SHARE\TACTICAL" -tr "MyYaraRules" -tm -cc "Hacked Server"
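As an added example that is not part of the TACTICAL documentation, the PsExec launch above wrapped in a PowerShell loop over several hosts, recording each host's exit code and hashing the resulting .eppc containers for chain of custody. The hosts.txt file, the TACTICAL_LICENSE environment variable, the collection-log.csv and eppc-hashes.csv outputs and the "Case-<host>" case comment are assumptions; the UNC share is the one used in the PsExec line above.

```powershell
# Added example (not from the TACTICAL docs): run a full collection on several
# hosts via PsExec, log the result per host, then hash the .eppc containers.
# Assumptions (hypothetical): hosts.txt holds one hostname or IP per line,
# TACTICAL.exe and PsExec.exe sit in the current directory, the license key is
# read from the TACTICAL_LICENSE environment variable, and collections land on
# \\NET\SHARE\TACTICAL (the share from the page's PsExec example).

$License = $env:TACTICAL_LICENSE
if (-not $License) { throw 'Set TACTICAL_LICENSE before running.' }

$Share = '\\NET\SHARE\TACTICAL'
$Cred  = Get-Credential -Message 'Account with admin rights on the targets'
$Plain = $Cred.GetNetworkCredential().Password   # PsExec accepts -p only as plaintext

foreach ($Target in (Get-Content .\hosts.txt | Where-Object { $_.Trim() })) {
    # Same switches as the page's PsExec line: -h elevated, -n 60 connect timeout,
    # -c -f copy the binary over. Note: before TACTICAL.exe, -p is the PsExec
    # password; after TACTICAL.exe, -p is the TACTICAL profile.
    $PsArgs = @(
        "\\$Target", '-u', $Cred.UserName, '-p', $Plain, '-h', '-n', '60',
        '-accepteula', '-c', '-f',
        'TACTICAL.exe', '-l', $License, '-nw', '-p', 'full',
        '-ad', $Share, '-cc', "Case-$Target"
    )
    $Start = Get-Date
    $Proc  = Start-Process -FilePath .\PsExec.exe -ArgumentList $PsArgs `
                           -Wait -PassThru -NoNewWindow
    # PsExec returns the remote process's exit code; keep it per host for the case log
    [pscustomobject]@{ Host = $Target; Started = $Start; ExitCode = $Proc.ExitCode } |
        Export-Csv .\collection-log.csv -Append -NoTypeInformation
}

# Chain of custody: hash every encrypted container on the share once collections finish.
Get-ChildItem -Path $Share -Recurse -Filter '*.eppc' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv .\eppc-hashes.csv -NoTypeInformation
```

Keep the hash CSV with the case file: the same SHA256 values can be recomputed after the bulk decryption step shown above to confirm the containers were not altered in transit.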