From d4add8bb6d6d4ae00945096617d394d702cae1a7 Mon Sep 17 00:00:00 2001
From: 0xAlcidius <89665332+0xAlcidius@users.noreply.github.com>
Date: Tue, 7 Oct 2025 15:36:29 +0200
Subject: [PATCH 1/3] Added Hitman Pro logs to --edr

---
 acquire/acquire.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/acquire/acquire.py b/acquire/acquire.py
index e7180557..ffb06994 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -1214,6 +1214,12 @@ class EDR(Module):
 SPEC = (
 # Carbon Black
 ("path", "sysvol/ProgramData/CarbonBlack/Logs"),
+
+ # Sophos Hitman pro
+ ("glob", "sysvol/ProgramData/HitmanPro/Logs/**"),
+ ("glob", "sysvol/ProgramData/HitmanPro.Alert/Logs/**"),
+ ("glob", "sysvol/ProgramData/HitmanPro/*.db"),
+ ("glob", "sysvol/ProgramData/HitmanPro.Alert/*.db"),
 )

From 8f8d7b50dc6ffb529eda62fd4c24f546db0b1178 Mon Sep 17 00:00:00 2001
From: 0xAlcidius <89665332+0xAlcidius@users.noreply.github.com>
Date: Tue, 7 Oct 2025 15:49:53 +0200
Subject: [PATCH 2/3] moved to --av and changed to path

---
 acquire/acquire.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/acquire/acquire.py b/acquire/acquire.py
index ffb06994..df5d2c2b 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -1177,6 +1177,12 @@ class AV(Module):
 ("path", "sysvol/ProgramData/Microsoft/Windows Defender/Scans/History/Service/Detection.log"),
 # Microsoft Safety Scanner
 ("path", "sysvol/Windows/Debug/msert.log"),
+
+ # Sophos Hitman pro
+ ("path", "sysvol/ProgramData/HitmanPro/Logs/"),
+ ("path", "sysvol/ProgramData/HitmanPro.Alert/Logs/"),
+ ("path", "sysvol/ProgramData/HitmanPro/excalibur.db"),
+ ("path", "sysvol/ProgramData/HitmanPro.Alert/excalibur.db"),
 )
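Review bot: In the `AV.SPEC` hunk of the second patch, the two new `Logs/` entries carry a trailing slash, unlike every other `path` entry in this SPEC and the Carbon Black `Logs` entry visible in `EDR.SPEC`; unless the collector is known to normalize it, drop it for consistency: `("path", "sysvol/ProgramData/HitmanPro/Logs"),` and `("path", "sysvol/ProgramData/HitmanPro.Alert/Logs"),`. The series also narrows the first patch's `*.db` glob to the single file `excalibur.db`, and the commit message does not say why; a short comment such as `# only excalibur.db is of forensic interest here` (or whatever the actual reason is) would save the next maintainer from re-widening it. The comment `# Sophos Hitman pro` would read better as `# Sophos HitmanPro / HitmanPro.Alert`, matching the product spelling used in the directory names. The enclosing `SPEC` tuple and the `AV` class begin before this hunk.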
@@ -1214,12 +1220,6 @@ class EDR(Module):
 SPEC = (
 # Carbon Black
 ("path", "sysvol/ProgramData/CarbonBlack/Logs"),
-
- # Sophos Hitman pro
- ("glob", "sysvol/ProgramData/HitmanPro/Logs/**"),
- ("glob", "sysvol/ProgramData/HitmanPro.Alert/Logs/**"),
- ("glob", "sysvol/ProgramData/HitmanPro/*.db"),
- ("glob", "sysvol/ProgramData/HitmanPro.Alert/*.db"),
 )

From 9767d8801ab339971f9ca607cda578681fa8076e Mon Sep 17 00:00:00 2001
From: 0xAlcidius <89665332+0xAlcidius@users.noreply.github.com>
Date: Tue, 7 Oct 2025 15:50:58 +0200
Subject: [PATCH 3/3] removed space

---
 acquire/acquire.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/acquire/acquire.py b/acquire/acquire.py
index df5d2c2b..9c196e46 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -1177,7 +1177,6 @@ class AV(Module):
 ("path", "sysvol/ProgramData/Microsoft/Windows Defender/Scans/History/Service/Detection.log"),
 # Microsoft Safety Scanner
 ("path", "sysvol/Windows/Debug/msert.log"),
-
 # Sophos Hitman pro
 ("path", "sysvol/ProgramData/HitmanPro/Logs/"),
 ("path", "sysvol/ProgramData/HitmanPro.Alert/Logs/"),