Acquire Python Library
3.22 verified Fri Apr 17 auth: no python
The `acquire` Python library (version 3.22) provides an interface to the underlying C++ `acquire` tool, designed for forensic artifact collection from disk images or live systems. It allows developers to programmatically interact with Acquire's core functionalities, enabling automation and integration of digital forensics workflows. The project is actively maintained with regular updates for features and bug fixes.
pip install acquire

Common errors

error FileNotFoundError: [Errno 2] No such file or directory: 'acquire'
cause The Python `AcquireBinary` class cannot find the underlying C++ 'acquire' executable.
fix Ensure the 'acquire' C++ executable is installed and available in your system's PATH. If it was installed via pip, it should be available automatically. Otherwise, specify its full path: `AcquireBinary(binary_path='/path/to/acquire/binary')`.

error FileNotFoundError: [Errno 2] No such file or directory: '/path/to/your/image.e01'
cause The `source_path` provided to `DiskCollection` does not point to an existing forensic image file.
fix Double-check the `image_path` variable. Ensure it is a correct absolute or relative path to an actual forensic image file on your system.

error PermissionError: [Errno 13] Permission denied: './acquired_artifacts'
cause The script does not have sufficient write permissions to create or write to the specified `output_dir`.
fix Change the `output_dir` to a location where the current user has write permissions, or run the script with elevated privileges (e.g., sudo).

Warnings
breaking Acquire v3.x (released August 2023) is a major rewrite, introducing significant changes to the Python API compared to v2.x. Existing Python modules built for v2.x will likely not work with v3.x without modification.
fix Rewrite Python modules to use the new v3 API, primarily focusing on `acquire.DiskCollection` and `acquire.LiveCollection` classes as entry points.

gotcha The Python `acquire` library is a wrapper around a C++ executable, which must be installed and discoverable (e.g., in your system's PATH). While `pip install acquire` typically handles this, issues can arise if the binary isn't found.
fix Ensure the `acquire` C++ binary is in your system's PATH. If `AcquireBinary()` fails, explicitly pass the path to the executable, e.g., `AcquireBinary(binary_path='/opt/acquire/bin/acquire')`.

gotcha When using `DiskCollection`, the `source_path` must point to a valid and accessible forensic image file (e.g., E01, RAW). Using a non-existent or inaccessible path will result in collection failure.
fix Verify that `source_path` is correct, the file exists, and the user running the script has read permissions to it. For `LiveCollection`, ensure appropriate system permissions (e.g., root/administrator) are granted.
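
A pre-flight check for the three failure causes listed under Common errors and Warnings, as an added example that is not part of the `acquire` project or the original page. It uses only the Python standard library and does not import `acquire`; the function name `preflight` and its message strings are made up for illustration, and the environment variables and defaults are the Quickstart's.

```python
import os
import shutil
import sys
import tempfile


def preflight(image_path, output_dir, binary="acquire"):
    """Return a list of problems that would stop a collection; empty means ready."""
    problems = []

    # FileNotFoundError: 'acquire' -> resolve the executable the way a launcher
    # would: a bare name through PATH, a name with a directory part as given.
    if shutil.which(binary) is None:
        problems.append(f"binary: {binary!r} is not an executable on PATH or at that path")

    # FileNotFoundError on the image -> must be an existing, readable regular file.
    if not os.path.isfile(image_path):
        problems.append(f"image: {image_path!r} does not exist or is not a file")
    elif not os.access(image_path, os.R_OK):
        problems.append(f"image: {image_path!r} is not readable by this user")

    # PermissionError on output_dir -> find the nearest existing ancestor, since
    # os.makedirs() needs write and search permission there.
    probe = os.path.abspath(output_dir)
    while not os.path.exists(probe) and os.path.dirname(probe) != probe:
        probe = os.path.dirname(probe)
    if not os.path.isdir(probe):
        problems.append(f"output: {probe!r} exists but is not a directory")
    else:
        try:
            # A real write is more reliable than os.access() (read-only mounts, ACLs).
            with tempfile.TemporaryFile(dir=probe):
                pass
        except OSError as exc:
            problems.append(f"output: cannot write under {probe!r}: {exc}")
    return problems


if __name__ == "__main__":
    # Same environment variables and defaults as the Quickstart.
    issues = preflight(
        os.environ.get("ACQUIRE_IMAGE_PATH", "/tmp/example_image.e01"),
        os.environ.get("ACQUIRE_OUTPUT_DIR", "./acquired_artifacts"),
    )
    for issue in issues:
        print("preflight:", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Running it before the collection turns each of the three errors into a named finding instead of a single generic exception message.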
Imports
- AcquireBinary: `from acquire import AcquireBinary`
- DiskCollection: `from acquire import DiskCollection`
- LiveCollection: `from acquire import LiveCollection`
- AcquisitionTool: `from acquire import AcquisitionTool`
Quickstart
```python
import os
from acquire import AcquireBinary, DiskCollection

# --- Configuration ---
# IMPORTANT: Replace '/path/to/your/image.e01' with an actual path to a forensic image file.
# If you don't have one, this example for DiskCollection will fail.
# For a real run, ensure this path exists and is accessible.
image_path = os.environ.get('ACQUIRE_IMAGE_PATH', '/tmp/example_image.e01')
output_dir = os.environ.get('ACQUIRE_OUTPUT_DIR', './acquired_artifacts')

# Ensure the output directory exists
os.makedirs(output_dir, exist_ok=True)

try:
    # Initialize AcquireBinary. The 'acquire' C++ executable should be in PATH
    # or installed alongside the Python package via pip.
    acq_binary = AcquireBinary()

    # For disk image acquisition
    collection = DiskCollection(
        binary=acq_binary,
        source_path=image_path,
        output_path=output_dir,
        collection_id="my-disk-collection",
        case_id="my-case"
    )
    print(f"Starting collection from disk image: {image_path} to {output_dir}")
    collection.start()
    print("Disk image acquisition complete.")

    # For live acquisition, use LiveCollection:
    # from acquire import LiveCollection
    # live_collection = LiveCollection(binary=acq_binary, output_path=output_dir)
    # live_collection.start()  # Note: Live collection often requires elevated privileges.
except Exception as e:
    print(f"An error occurred: {e}")
    print("Please ensure:")
    print("1. The 'acquire' C++ binary is installed and in your system's PATH.")
    print("2. For DiskCollection, ACQUIRE_IMAGE_PATH points to a valid and accessible image file.")
    print("3. The output directory has write permissions.")
```