I've been trawling the net for weeks now trying to find something to fit this particular collection profile but so far, coming up pretty short.
In summary, I'm looking for a tool that I can stage on a WinPE boot drive and create locked down collection profiles for a full forensic E01 AND a logical targeted collection with some specific parameters included.
The logical collection profile ideally would give me the option to exclude either / or file types and folder paths. e.g. I want to collect everything EXCEPT say .dll .log files and exclude the Windows directory entirely.
NUIX Collector has some functionality to allow that by recoding the XML job file that it spits out but other than that I've not seen anything else remotely close to it.
OSForensics has an option to create a USB key and might allow me to pass it certain exclusion based conditions via some creative Python scripts but its a long way off from what I was looking for if I can help it.
Anyone know of any tools that allow that sort of functionality?
TIA
Andy
You should take a look at KAPE. I'm still learning about it, but from what I've seen in my SANS FOR500 class, it looks pretty awesome for targeted collection.
there is such an old but working project
experimentally selected the latest distribution on which the entire assembly is correctly assembled - "Windows 10 Version 1709 Redstone3 build 16299" x32
and inside you will collect with X-WAYS Forensics, if you have one, but maybe it will give a new direction for thinking
You can make your very own Windows PE and put in what you like. This article (written by me) is > 4 years old, but still valid. Only version numbers changed. Last time I made such a Forensic PE for myself was last year - and it works smoothly.
Windows 10 PE for Digital Forensics - Forensic Focus
regards,
Robin
Have you looked at Rocket? www.rocketdatacollections.com