Data Collection Commands

Data collection commands are used to get data on objects that were not included in the report during the regular data collection. To collect data on a specific object, add a data collection command to the script manually. To do this, enter the commands on the FixIt! tool tab.

Below, you will find a list of all the commands. To view the list in the service, click Commands on the FixIt! tool tab.

Command

Description

inspect-fs [-r] [-p] <Path>

Collect information about the file or directory.

If the -r option is specified, data on the specified directory will be collected, as well as data on each file and subdirectory recursively.

If the -p option is specified, then the parser of the file system (FAT/NTFS) will be used to retrieve the file list whenever possible. This is only valid for directories.

The files go to the ARTEFACTS directory.

Example:

inspect-fs -r "C:\Malware"

File names can be entered using a mask.


inspect-reg <SID> <Key path>

Collect information about the registry key.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

inspect-reg HKLM "SOFTWARE\Malware"

inspect-proc --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Collect information about the processes matching the specified PID, image name, image path, or command line.

The files go to the ARTEFACTS directory.

Example:

inspect-proc --imagename win32calc.exe

inspect-disk <Disk ID> <Sector> <Number>

Collect information about the disk sectors.

The files go to the ARTEFACTS directory.

Example:

inspect-disk 0 10 2

inspect-drv --imagebase <Image base> / --imagesize <Image size> / --imagename <Name> / --imagepath <Path>

Collect information about the drivers with a specified base, size, name, or path to a file.

The files go to the ARTEFACTS directory.

Example:

inspect-drv --imagebase 0xfffff8064e540000
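The command reference above is easy to get wrong by hand (an unquoted path, an unsupported hive name, two process selectors on one line). The following is an added example, not part of the FixIt! tool or its documentation: a small Python generator that assembles the five data collection commands with the syntax shown on this page and rejects arguments the reference does not allow. Everything beyond the documented syntax is an assumption and is marked as such in the code: the script is taken to be one command per line, integer --imagebase/--imagesize values are emitted in the 0x... form of the inspect-drv example, and values containing whitespace are double-quoted as the path examples are. The check that -p is used only on directories cannot be done offline and is left to the operator.

```python
# Added example: generator for FixIt!-style data collection scripts.
# Command syntax follows the reference above; the one-command-per-line layout,
# hex formatting of integer --imagebase/--imagesize values and the quoting rule
# for values with whitespace are assumptions, not documented tool behaviour.

# Hive names accepted by inspect-reg per the reference; S-1-5... user SIDs are also valid.
REG_HIVES = {".DEFAULT", "HKLM", "HKCU", "HKU"}
PROC_SELECTORS = ("pid", "imagename", "imagepath", "cmdline")
DRV_SELECTORS = ("imagebase", "imagesize", "imagename", "imagepath")


def quote_path(path: str) -> str:
    """Wrap a path in double quotes, as the reference examples do.

    The reference shows no escape syntax, so a path containing a double quote
    is rejected rather than escaped in a way the tool may not parse.
    """
    if '"' in path:
        raise ValueError("path may not contain a double quote: %r" % path)
    return '"%s"' % path


def inspect_fs(path: str, recursive: bool = False, use_parser: bool = False) -> str:
    """inspect-fs [-r] [-p] <Path>; -p is documented as valid only for directories."""
    options = []
    if recursive:
        options.append("-r")
    if use_parser:
        options.append("-p")
    return " ".join(["inspect-fs", *options, quote_path(path)])


def inspect_reg(sid: str, key_path: str) -> str:
    """inspect-reg <SID> <Key path>, with <SID> limited to the documented values."""
    if sid not in REG_HIVES and not sid.startswith("S-1-5"):
        raise ValueError("unsupported SID: %r" % sid)
    return "inspect-reg %s %s" % (sid, quote_path(key_path))


def _one_selector(command: str, allowed: tuple, given: dict) -> str:
    """Build '<command> --<selector> <value>' from exactly one of the allowed selectors."""
    chosen = {k: v for k, v in given.items() if v is not None}
    if len(chosen) != 1 or next(iter(chosen)) not in allowed:
        raise ValueError("%s needs exactly one of %s" % (command, ", ".join(allowed)))
    (name, value), = chosen.items()
    if isinstance(value, int):
        # Assumption: image base/size integers are emitted as hex, matching the
        # 0x... form of the inspect-drv example; a PID stays decimal.
        value = "0x%x" % value if name in ("imagebase", "imagesize") else str(value)
    elif any(c.isspace() for c in value):
        # Assumption: values with whitespace are quoted like the path examples.
        value = quote_path(value)
    return "%s --%s %s" % (command, name, value)


def inspect_proc(pid=None, imagename=None, imagepath=None, cmdline=None) -> str:
    """inspect-proc --pid / --imagename / --imagepath / --cmdline (exactly one)."""
    return _one_selector("inspect-proc", PROC_SELECTORS,
                         {"pid": pid, "imagename": imagename,
                          "imagepath": imagepath, "cmdline": cmdline})


def inspect_drv(imagebase=None, imagesize=None, imagename=None, imagepath=None) -> str:
    """inspect-drv --imagebase / --imagesize / --imagename / --imagepath (exactly one)."""
    return _one_selector("inspect-drv", DRV_SELECTORS,
                         {"imagebase": imagebase, "imagesize": imagesize,
                          "imagename": imagename, "imagepath": imagepath})


def inspect_disk(disk_id: int, sector: int, number: int) -> str:
    """inspect-disk <Disk ID> <Sector> <Number>; IDs and sectors >= 0, Number >= 1."""
    if min(disk_id, sector) < 0 or number < 1:
        raise ValueError("disk id and sector must be >= 0, number >= 1")
    return "inspect-disk %d %d %d" % (disk_id, sector, number)


def build_script(commands) -> str:
    """Join the commands one per line (assumed script layout)."""
    return "\n".join(commands) + "\n"


if __name__ == "__main__":
    # Constructed sample: the objects from the reference examples plus a user hive key.
    script = build_script([
        inspect_fs(r"C:\Malware", recursive=True),
        inspect_reg("HKLM", r"SOFTWARE\Malware"),
        inspect_reg("S-1-5-21-1111-2222-3333-1001", r"Software\Microsoft\Windows\CurrentVersion\Run"),
        inspect_proc(imagename="win32calc.exe"),
        inspect_disk(0, 10, 2),
        inspect_drv(imagebase=0xFFFFF8064E540000),
    ])
    print(script, end="")
```

Running the module prints the same five lines the reference gives as examples, plus the user-hive key; paste the output into the script on the FixIt! tool tab. Validation happens before anything is written, so a typo in a hive name or a second process selector fails loudly instead of silently producing a line the tool ignores.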