From 8b1202f60f90aa50fa7e14332b9f6b91bba59487 Mon Sep 17 00:00:00 2001
From: Gyatso <218940752+respondersGY@users.noreply.github.com>
Date: Thu, 8 Jan 2026 20:54:05 +0100
Subject: [PATCH 1/2] Fix collection of `$Secure:$SII`
---
 acquire/acquire.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/acquire/acquire.py b/acquire/acquire.py
index 910e28f4..6c26c54f 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -366,11 +366,29 @@ def _run(cls, target: Target, cli_args: argparse.Namespace, collector: Collector
 filenames = [
 "$MFT",
 "$Boot",
- "$Secure:$SII",
 "$Secure:$SDS",
 "$LogFile",
 ]
+
+ sii_fh = fs.ntfs.mft.get("$Secure").index("$SII")._index_stream
+
+ # FIXME: the path of $Secure:$SII is incorrect
+ # -rw-r--r-- 0 root root 262144 1 Jan 1970 c:/$Secure:$SII
+ # -rw-r--r-- 0 root root 373293056 27 Aug 12:01 fs/C:/$MFT
+ # -rw-r--r-- 0 root root 8192 27 Aug 12:01 fs/C:/$Boot
+ # -rw-r--r-- 0 root root 2460372 27 Aug 12:01 fs/C:/$Secure:$SDS
+ # -rw-r--r-- 0 root root 67108864 27 Aug 12:01 fs/C:/$LogFile
+ # -rw-r--r-- 0 root root 41192056 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$J
+ # -rw-r--r-- 0 root root 32 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$Max
+ # -rw-r--r-- 0 root root 1048576 27 Aug 12:01 fs/C:/$Extend/$RmMetadata/$TxfLog/$Tops:$T
+ # -rw-r--r-- 0 root root 4096 1 Jan 1970 /$fs$/fs0/$Secure:$SII
+ # -rw-r--r-- 0 root root 262144 23 Dec 06:11 fs/$fs$/fs0/$MFT
+ # -rw-r--r-- 0 root root 8192 23 Dec 06:11 fs/$fs$/fs0/$Boot
+ # -rw-r--r-- 0 root root 263812 23 Dec 06:11 fs/$fs$/fs0/$Secure:$SDS
+ # -rw-r--r-- 0 root root 4620288 23 Dec 06:11 fs/$fs$/fs0/$LogFile
+ # -rw-r--r-- 0 root root 1048576 23 Dec 06:11 fs/$fs$/fs0/$Extend/$RmMetadata/$TxfLog/$Tops:$T
+ collector.output.write(fsutil.join(main_mountpoint, "$Secure:$SII"), sii_fh)
+
 for filename in filenames:
 if main_mountpoint is not None:
 path = fsutil.join(main_mountpoint, filename)
From b25670c44ffdb2e47714dd17d8a3b32d426c8a42 Mon Sep 17 00:00:00 2001
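Review bot: The added `collector.output.write(fsutil.join(main_mountpoint, "$Secure:$SII"), sii_fh)` is not guarded the way the loop below it is: the loop checks `if main_mountpoint is not None:` before joining, while the new line joins unconditionally, and it also bypasses whatever path handling the loop's collection applies, which is exactly what the FIXME listing records (`c:/$Secure:$SII` at the root while every other artifact lands under `fs/C:/`); the follow-up commit drops the comment but leaves this line unchanged. The lookup `fs.ntfs.mft.get("$Secure").index("$SII")._index_stream` runs before the loop with no exception handling and reaches into a private attribute, so a volume without a readable `$Secure` index would abort collection of `$MFT`, `$Boot`, `$Secure:$SDS` and `$LogFile` as well — assuming the loop's own error handling, which is outside this hunk, is per file. `fs` and `main_mountpoint` are bound outside the hunk, and `_run` starts and ends outside it. I would mirror the loop's mountpoint guard and isolate the failure so the remaining artifacts are still collected:
```python
    ]

    # $Secure:$SII is read via the MFT index rather than the filename loop below;
    # keep its failure from aborting collection of the other NTFS artifacts.
    if main_mountpoint is not None:
        try:
            sii_fh = fs.ntfs.mft.get("$Secure").index("$SII")._index_stream  # private attribute: confirm it is stable API
        except Exception:  # TODO(review): narrow to the error types fs.ntfs raises here
            pass  # TODO(review): log the failure with the module logger, then continue
        else:
            collector.output.write(fsutil.join(main_mountpoint, "$Secure:$SII"), sii_fh)
    # … unchanged: for filename in filenames loop …
```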
From: Gyatso <218940752+respondersGY@users.noreply.github.com>
Date: Fri, 9 Jan 2026 20:12:20 +0100
Subject: [PATCH 2/2] Remove comment
---
 acquire/acquire.py | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/acquire/acquire.py b/acquire/acquire.py
index 6c26c54f..efe72195 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -372,21 +372,6 @@ def _run(cls, target: Target, cli_args: argparse.Namespace, collector: Collector
 sii_fh = fs.ntfs.mft.get("$Secure").index("$SII")._index_stream
- # FIXME: the path of $Secure:$SII is incorrect
- # -rw-r--r-- 0 root root 262144 1 Jan 1970 c:/$Secure:$SII
- # -rw-r--r-- 0 root root 373293056 27 Aug 12:01 fs/C:/$MFT
- # -rw-r--r-- 0 root root 8192 27 Aug 12:01 fs/C:/$Boot
- # -rw-r--r-- 0 root root 2460372 27 Aug 12:01 fs/C:/$Secure:$SDS
- # -rw-r--r-- 0 root root 67108864 27 Aug 12:01 fs/C:/$LogFile
- # -rw-r--r-- 0 root root 41192056 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$J
- # -rw-r--r-- 0 root root 32 27 Aug 12:03 fs/C:/$Extend/$Usnjrnl:$Max
- # -rw-r--r-- 0 root root 1048576 27 Aug 12:01 fs/C:/$Extend/$RmMetadata/$TxfLog/$Tops:$T
- # -rw-r--r-- 0 root root 4096 1 Jan 1970 /$fs$/fs0/$Secure:$SII
- # -rw-r--r-- 0 root root 262144 23 Dec 06:11 fs/$fs$/fs0/$MFT
- # -rw-r--r-- 0 root root 8192 23 Dec 06:11 fs/$fs$/fs0/$Boot
- # -rw-r--r-- 0 root root 263812 23 Dec 06:11 fs/$fs$/fs0/$Secure:$SDS
- # -rw-r--r-- 0 root root 4620288 23 Dec 06:11 fs/$fs$/fs0/$LogFile
- # -rw-r--r-- 0 root root 1048576 23 Dec 06:11 fs/$fs$/fs0/$Extend/$RmMetadata/$TxfLog/$Tops:$T
 collector.output.write(fsutil.join(main_mountpoint, "$Secure:$SII"), sii_fh)
 for filename in filenames: