Creating a disk image retrieval task
You can retrieve a disk image from a selected Kaspersky Endpoint Agent for Windows host. To do so, you must create an NTFS disk image retrieval task.
The resulting file can be saved only to a shared network resource.
To create a disk image retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Disk image in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Share path—path to a shared network resource.
You need to specify the path in the Universal Naming Convention (UNC) format:
\\server\share\path
If the last folder in the specified path does not exist, Kaspersky Endpoint Agent creates it. If creation fails, an error is displayed in the web interface of Kaspersky Anti Targeted Attack Platform.
- User name—user name of the account used to access the shared network resource.
- Password—password of the account used to access the shared network resource.
- Under Disk type, select one of the following options:
- Logical.
- Physical.
- If you selected Logical, enter the %SystemDrive% variable or a drive letter without the colon and slash in the Volume field.
- If you selected Physical, enter the disk number in the Physical drive field.
- Select the Split file into parts check box if you want the file to be divided into multiple parts when saved.
- If you selected the check box, in the Part size, GB field, specify the minimum size of one part of the saved file.
The minimum part size must be more than one gigabyte.
- Description is the task description. This field is optional.
- Host—the IP address or name of the host to which you want to assign the task.
- Click Add.
The disk image retrieval task will be created. The task runs automatically after it is created.
The application places an archive containing a file or files in the EWF or RAW format in a network share. You can convert files from the RAW format to the EWF format.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.14 and later.
Users with the Security auditor role cannot create tasks.
Users with the Security officer role do not have access to tasks.
Converting a file from RAW to EWF format
Kaspersky Endpoint Security saves the disk image in the RAW format. Files can also be compressed into an archive. A dedicated Python script converts files from the RAW format to the EWF format. The script continuously monitors the specified folder for RAW files and, when it detects any, automatically converts them to the EWF format.
convert_to_ewf_monitor.py script
For the script to work, the following software must be installed on the computer:
- The libewf library for accessing Expert Witness Compression Format (EWF) files.
The libewf library is open source software.
It is recommended to place the library files and the script file in the same folder.
- The Python interpreter.
To enable the conversion of disk image files:
- Start the command line interpreter.
- Change to the folder where the script is located.
- Run the following command:
py convert_to_ewf_monitor.py --source <full path to the source files folder> [additional settings]
EWF conversion script parameters:
- --source <full path to folder>: The full path to the folder in which the script looks for source files. The script also looks for files in subfolders of the specified path. This parameter is mandatory.
- --destination <full path to folder>: The full path to the folder where the script saves converted files. The folder structure is preserved. By default, the script saves converted files in the folder specified in the --source parameter.
- --delete: Delete source files after successful conversion. If the conversion fails, the script does not delete the source files, so you can try again.
- --ewftool <full path to folder>: The full path to the ewfacquirestream.exe file. The path must include the file name. By default, the script attempts to locate ewfacquirestream.exe in the folder where the script itself is located.
- --name_mask <regular expressions>: Regular expressions used to find source files to convert. Use this option if you need to convert individual files. By default, the script looks for files using the ^diskdump_ regular expression.
- --convert_single_dump: Find a single file to convert. After successful conversion of that file, the script exits.
- --workers_num <number of files>: The maximum number of source files that the script can convert at the same time. Use this setting to tune the performance of the script. By default, the script converts up to four files at a time.
- --log_level <log level>: Logging level. By default, the script uses the DEBUG logging level.
- --log_path <full path to folder>: The full path for saving log files. The path must include the file name of the log file. By default, the script writes events to the interpreter console.
Example: