Run and store plugin records during acquisition

[Matthijsy]

Certain Dissect plugins can't really work on a limited set of acquired data, such as walkfs. If you run walkfs on a full disk you get a nice overview of all files, however if you do this on an acquire collect it will list you the files within the collect instead of the original system.

It would be great to have a way to run walkfs (and other plugins probably) during acquisition. Then we can store the results within a record file in the output. This would allow you to do an actual walkfs of the system, instead of the content of the acquisition.

Furthermore, this would also require a change in dissect.target, since you would like to return the results of this predefined recordsfile if it exists, instead of actually running the plugin again. This way running target-query -f walkfs -t <fulldisk> and target-query -f walkfs -t <acquire collect> will return the same results.

[Schamper]

Ideally we collect all data required to run the plugins offline, but in some specific cases that's indeed not possible.

Do you have some more examples other than walkfs? In that specific case, we aim to solve that with ASDF. I can't seem to find a public issue for that at the moment, but in short it allows us to collect all filesystem/disk metadata you could realistically need while maintaining the same small acquisition footprint.

[Matthijsy]

Yes, also the capability_binaries, suid_binaries and yara plugins have this problem. Could that also be solved by ASDF?

[Schamper]

yara would be the only plugin really having this problem, all those others will be solved with ASDF as they all function on metadata, rather than file content.