Acquire Python Library
The `acquire` Python library (version 3.22) provides an interface to the underlying C++ `acquire` tool, designed for forensic artifact collection from disk images or live systems. It allows developers to programmatically interact with Acquire's core functionalities, enabling automation and integration of digital forensics workflows. The project is actively maintained with regular updates for features and bug fixes.
Common errors
- `FileNotFoundError: [Errno 2] No such file or directory: 'acquire'`
  Cause: The Python `AcquireBinary` class cannot find the underlying C++ 'acquire' executable.
  Fix: Ensure the 'acquire' C++ executable is installed and available in your system's PATH. If it was installed with pip, this should happen automatically. Otherwise, specify its full path: `AcquireBinary(binary_path='/path/to/acquire/binary')`.
- `FileNotFoundError: [Errno 2] No such file or directory: '/path/to/your/image.e01'`
  Cause: The `source_path` provided to `DiskCollection` does not point to an existing forensic image file.
  Fix: Double-check the `image_path` variable. Ensure it is a correct absolute or relative path to an actual forensic image file on your system.
- `PermissionError: [Errno 13] Permission denied: './acquired_artifacts'`
  Cause: The script does not have sufficient write permissions to create or write to the specified `output_dir`.
  Fix: Change the `output_dir` to a location where the current user has write permissions, or run the script with elevated privileges (e.g., `sudo`).
Warnings
- breaking: Acquire v3.x (released August 2023) is a major rewrite, introducing significant changes to the Python API compared to v2.x. Existing Python modules built for v2.x will likely not work with v3.x without modification.
- gotcha: The Python `acquire` library is a wrapper around a C++ executable, which must be installed and discoverable (e.g., in your system's PATH). While `pip install acquire` typically handles this, issues can arise if the binary isn't found.
- gotcha: When using `DiskCollection`, the `source_path` must point to a valid and accessible forensic image file (e.g., E01, RAW). Using a non-existent or inaccessible path will result in collection failure.
Install
- `pip install acquire`
Imports
- AcquireBinary: `from acquire import AcquireBinary`
- DiskCollection: `from acquire import DiskCollection`
- LiveCollection: `from acquire import LiveCollection`
- AcquisitionTool: `from acquire import AcquisitionTool`
Quickstart
import os
from acquire import AcquireBinary, DiskCollection

# --- Configuration ---
# IMPORTANT: Set ACQUIRE_IMAGE_PATH to an actual forensic image file; the default
# below is only a placeholder. If the file does not exist, DiskCollection will fail.
# For a real run, ensure this path exists and is accessible.
image_path = os.environ.get('ACQUIRE_IMAGE_PATH', '/tmp/example_image.e01')
output_dir = os.environ.get('ACQUIRE_OUTPUT_DIR', './acquired_artifacts')

try:
    # Ensure the output directory exists. This is done inside the try block so
    # that a PermissionError is reported together with the hints below.
    os.makedirs(output_dir, exist_ok=True)

    # Initialize AcquireBinary. The 'acquire' C++ executable should be in PATH
    # or installed alongside the Python package via pip.
    acq_binary = AcquireBinary()

    # For disk image acquisition
    collection = DiskCollection(
        binary=acq_binary,
        source_path=image_path,
        output_path=output_dir,
        collection_id="my-disk-collection",
        case_id="my-case"
    )
    print(f"Starting collection from disk image: {image_path} to {output_dir}")
    collection.start()
    print("Disk image acquisition complete.")

    # For live acquisition, use LiveCollection:
    # from acquire import LiveCollection
    # live_collection = LiveCollection(binary=acq_binary, output_path=output_dir)
    # live_collection.start()  # Note: Live collection often requires elevated privileges.
except Exception as e:
    print(f"An error occurred: {e}")
    print("Please ensure:")
    print("1. The 'acquire' C++ binary is installed and in your system's PATH.")
    print("2. For DiskCollection, ACQUIRE_IMAGE_PATH points to a valid and accessible image file.")
    print("3. The output directory has write permissions.")
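
The three failures listed under Common errors can be checked before a collection is started, so that an automated run reports every problem at once instead of stopping at the first exception. The following is an added example, not code from the acquire project: it uses only the Python standard library, and the `preflight` function and its parameter names are hypothetical.

```python
import os
import shutil


def preflight(image_path, output_dir, binary_name="acquire", binary_path=None):
    """Hypothetical helper (not part of acquire): list problems found before a run."""
    problems = []

    # 1. Executable: an explicit path must be an executable file, otherwise search PATH.
    if binary_path is not None:
        if not (os.path.isfile(binary_path) and os.access(binary_path, os.X_OK)):
            problems.append(f"binary: {binary_path!r} is not an executable file")
    elif shutil.which(binary_name) is None:
        problems.append(f"binary: {binary_name!r} not found on PATH")

    # 2. Source image: must be an existing regular file this user can read.
    if not os.path.isfile(image_path):
        problems.append(f"image: {image_path!r} does not exist or is not a file")
    elif not os.access(image_path, os.R_OK):
        problems.append(f"image: {image_path!r} is not readable by this user")

    # 3. Output directory: it may not exist yet, so test the nearest existing
    #    ancestor, which is where os.makedirs() would have to create entries.
    probe = os.path.abspath(output_dir)
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    if not os.path.isdir(probe):
        problems.append(f"output: {probe!r} exists but is not a directory")
    elif not os.access(probe, os.W_OK | os.X_OK):
        problems.append(f"output: no write permission on {probe!r}")

    return problems


if __name__ == "__main__":
    # Same environment variables and defaults as the Quickstart.
    image = os.environ.get("ACQUIRE_IMAGE_PATH", "/tmp/example_image.e01")
    out = os.environ.get("ACQUIRE_OUTPUT_DIR", "./acquired_artifacts")
    issues = preflight(image, out)
    for issue in issues:
        print("preflight:", issue)
    raise SystemExit(1 if issues else 0)
```

An empty list means none of the three documented errors should occur for these paths; a non-zero exit status lets a wrapper script skip the collection step.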