Gargamel – A Forensic Evidence Acquirer
Basic example

Assume you want to connect to a computer with the following parameters:

  • address
  • username Jano
  • password nbusr123

The following command acquires the firewall state, network state, logged-in users, running processes, active network connections, registry, and system and application event logs using the PsExec method. The evidence is stored in the testResults directory, relative to the location of Gargamel.

gargamel.exe -c -u Jano --psexec -o testResults

Gargamel will ask you for the password of the remote user; in our example the password is nbusr123. Note that the password is hidden while you type it.

It is also possible to specify the password directly as a program argument.

gargamel.exe -c -u Jano --psexec -p nbusr123 -o testResults
