small feedback about file carving (I still need a bit more time to play around with it to go into deeper feedback): If I run

fleetctl get carves --help

, I don't see any help text for: • --stdout / --outfile (so I don't know those options exist) • and I know the docs exist and mention tar out, but it took me a minute to figure out that carves would be in a tar archive

Good points. You actually get the help text you expected with

fleetctl get carve --help

. The other thing I'm not sure we mention is that compression can be enabled on the osquery side and it will be zstandard compression on top of the tar archive.

oh wait facepalm

You just don't get the text with

fleetctl get carves

Oooh interesting, that's pretty confusing as an end user of fleetctl

My idea was the plural gets metadata for the carves while the singular gets the actual carve contents. They each have different flags. Happy to work with you to find something that is more intuitive.

Ah, okay. I've only done a pretty cursory exploration of carving. I'll have a think about it after I play around with it some more.

Great, please let me know!