FGET, short for “Forensic Get”, is a network-capable forensic data acquisition tool. Its primary function is collecting sets of forensically interesting files from one or more remote Windows machines.
FGET starts off by creating a local repository folder at C:\FGETREPOSITORY\, and from there it automatically creates named sub-folders, one for each machine you run FGET against.
By default, FGET is able to obtain a forensically sound copy of any file on the system, including those that are locked and in use (pagefiles, registry hives, etc.). FGET can also be used to fetch NTFS special files that aren’t normally accessible through the live operating system, such as the $MFT and system restore point data. FGET is also fully capable of bringing back a copy of a deleted file, assuming the FILERECORD data for the file in question hasn’t been overwritten or reused.
FGET collects the following set of data for each machine you target:
- Full user list – complete with NTUSER.dat file copies
- Complete contents of the Windows prefetch directory
- Complete contents of the windows\system32\config\ directory, including registry hives, event logs, and the system SAM database.
All of the above data is collected automatically by simply targeting a machine with “FGET.exe -scan serverbox1”. You can also collect files from a range or list of machines by using the “-range” and “-list” options of FGET.
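The artifact set described above (per-user NTUSER.dat copies, the Prefetch directory, and system32\config), collected on the local machine into a per-host repository folder, as an added Windows PowerShell example that is not FGET's own code. FGET's own mechanism for reading locked files is not described on this page; this script reads them from a Volume Shadow Copy snapshot instead, and the repository path, the Users profile layout and the manifest file are assumptions.

```powershell
# Added triage collector (not FGET code): same artifact set, local machine only, run elevated.
#Requires -RunAsAdministrator
param([string]$Repository = 'C:\FGETREPOSITORY')   # assumed: mirrors FGET's default location

$dest = Join-Path $Repository $env:COMPUTERNAME     # one sub-folder per machine
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Snapshot C: so in-use files (registry hives, SAM) are copied from a consistent image.
$result = (Get-WmiObject -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed: $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

# 2. The snapshot is a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device; expose it
#    through a directory junction so ordinary file cmdlets can read from it.
$mount = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd /c mklink /d "$mount" "$($shadow.DeviceObject)\" | Out-Null

try {
    # 3. Artifact list taken from the FGET description; paths are relative to the snapshot.
    $targets = @(
        @{ Src = 'Windows\Prefetch';        Dst = 'Prefetch' },
        @{ Src = 'Windows\System32\config'; Dst = 'config' }
    )
    # One NTUSER.DAT per profile (assumes the Vista+ 'Users' layout).
    Get-ChildItem (Join-Path $mount 'Users') -Directory | ForEach-Object {
        $targets += @{ Src = "Users\$($_.Name)\NTUSER.DAT"; Dst = "Users\$($_.Name)\NTUSER.DAT" }
    }
    foreach ($t in $targets) {
        $src = Join-Path $mount $t.Src
        if (Test-Path $src) {
            $dst = Join-Path $dest $t.Dst
            New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
            Copy-Item $src $dst -Recurse -Force
        }
    }

    # 4. Hash every collected file so the acquisition can be verified later (assumed manifest name).
    $manifest = Get-ChildItem $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
    $manifest | Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation
}
finally {
    # 5. Always remove the junction and the snapshot, even if a copy failed.
    cmd /c rmdir "$mount" | Out-Null
    $shadow.Delete()
}
```

Run it as `.\Collect-Triage.ps1` from an elevated Windows PowerShell 5.1 session; the manifest hashes let you confirm later that the copies in C:\FGETREPOSITORY\<host>\ were not altered.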