Forensic Acquisition and Investigation Host CLI Documentation

Usage

cado-host [-h] [--verbose] [--version] {version,capture,upload} ...

Options

  • -h, --help
    Shows the help message and exits.
  • --verbose
    Enable verbose output.
  • --version
    Returns the current version of Forensic Acquisition and Investigation Host.

Commands

capture

Capture and triage files based on chosen configuration.

Options

  • -c {default,light,max}, --collection_mode {default,light,max}
    Selects the collection mode, which changes how Forensic Acquisition and Investigation Host will search for files:

    • default
      Searches and collects the default set of files as outlined here.
    • light
      Searches and collects files smaller than 10MB.
    • max
      Searches and collects a larger set of files regardless of size. This will slow capture down significantly.
  • -a [ADDITIONAL_FILES ...], --additional_files [ADDITIONAL_FILES ...]
    List multiple files or folders to collect, separated by spaces.

    tip

    Note: Folders should NOT have trailing slashes. File and folder paths must be separated by spaces and enclosed in double quotes. For example:

    cado-host.exe capture --additional_files "C:\tools\secretfile.txt" "C:\SuperSecretFolder"
  • -ap ADDITIONAL_FILES_PATH, --additional_files_path ADDITIONAL_FILES_PATH
    Path to a local file containing a list of files or folders to collect, one per line.

  • --only_additional_files
    Only collect files and folders specified in --additional_files.

  • --groups [GROUPS ...]
    Collect a specific group of files. Use --list_groups to see available groups. If no groups are specified, all groups will be collected.

  • --list_groups
    List all available groups of files that can be collected.

  • -o OUTPUT_PATH, --output_path OUTPUT_PATH
    Path where Forensic Acquisition and Investigation Host will save the collection.
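
A way to prepare the list file for --additional_files_path before a capture, as an added example that is not part of the original documentation. It assumes the no-trailing-slash rule stated for --additional_files also applies to list entries, and that blank lines and # comment lines are not understood by the tool, so they are cleaned out first; the function names and sample paths are hypothetical.

```sh
#!/bin/sh
# Added example: build a clean path list for
#   cado-host capture --additional_files_path LIST

# normalize_paths: read candidate paths on stdin (one per line) and write a
# cleaned list to stdout.
#   - strips CRs left by Windows editors
#   - drops blank lines and '#' comment lines (assumption: the list format
#     documents neither, so they are removed rather than passed through)
#   - strips trailing slashes (assumption: the rule documented for
#     --additional_files applies here too); a bare "/" is kept
#   - removes duplicates, keeping first-seen order
normalize_paths() {
    tr -d '\r' | while IFS= read -r p || [ -n "$p" ]; do
        case "$p" in ''|'#'*) continue ;; esac
        while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
            p=${p%/}
        done
        printf '%s\n' "$p"
    done | awk '!seen[$0]++'
}

# capture_with_list SRC LIST OUT: normalise SRC into LIST, refuse to run if
# nothing is left, then start a light capture that also collects LIST.
# Only flags documented on this page are used.
capture_with_list() {
    src=$1
    list=$2
    out=$3
    normalize_paths < "$src" > "$list"
    if [ ! -s "$list" ]; then
        echo "no paths left after normalisation: $src" >&2
        return 1
    fi
    cado-host capture --collection_mode light \
        --additional_files_path "$list" --output_path "$out"
}

# Constructed sample input (not from the page): prints the cleaned list.
printf '%s\n' '/var/log/' '' '/opt/app data//' '# triage notes' '/var/log' \
    | normalize_paths
```

Paths containing spaces are preserved as single entries because the list is read line by line rather than word-split.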

Kubernetes Specific Options

  • --target_container TARGET_CONTAINER
    Selects a target container in a Kubernetes cluster.

  • --skip_root_check
    Skips the root permissions check when collecting a Kubernetes container.

    warning

    Note: This should only be used when you are sure that the sysadmin profile is available. See the Kubernetes docs for more information.

Windows Specific Options

  • --dd DRIVE, --default_drive DRIVE
    Specifies the default drive on a Windows system.

  • --include_memory
    Acquires process memory. This can be slow on Windows systems, as it will acquire process memory regardless of size.

Linux Specific Options

  • --skip_memory
    Skips memory collection for a faster capture.

  • --include_large_memory
    Includes open files and memory even if they exceed 1MB in size. This will slow capture down significantly.

upload

Upload an existing Forensic Acquisition and Investigation Host capture file, or other files. This will clean up the uploaded resource locally by default.

tip

When using cado-host upload to upload single files to the platform, please use --no_cleanup to ensure Cado Host doesn't delete the file after upload.

Options

  • --presigned_data PRESIGNED_DATA
    Encoded upload credentials generated by the platform.

  • --capture_path CAPTURE_PATH
    Path of the file to upload and import into the Platform.

  • --no_cleanup
    Disable self-cleanup after triage upload.

  • --skip_ssl_verify
    Explicitly allow Cado Host to skip SSL verification when uploading to cloud storage. This is insecure.

    warning

    Note: This should only be used as a last resort, for example when proxies in enterprise deployments require the use of a custom self-signed certificate.