small feedback about file carving I still need a bit more ti osquery #fleet

small feedback about file carving (I still need a ...

nyanshak

12/14/2020, 6:50 PM

small feedback about file carving (I still need a bit more time to play around with it to go into deeper feedback): If I run

fleetctl get carves --help

, I don't see any help text for: • --stdout / --outfile (so I don't know those options exist) • and I know the docs exist and mention tar out, but it took me a minute to figure out that carves would be in a tar archive

zwass

12/14/2020, 6:53 PM

Good points. You actually get the help text you expected with

fleetctl get carve --help

. The other thing I'm not sure we mention is that compression can be enabled on the osquery side and it will be zstandard compression on top of the tar archive.

nyanshak

12/14/2020, 6:54 PM

oh wait facepalm

nyanshak

12/14/2020, 6:55 PM

I think I was looking at the wrong help output

nyanshak

12/14/2020, 6:55 PM

but yes, compression help text would be good (for outfile)

zwass

12/14/2020, 6:55 PM

You just don't get the text with

fleetctl get carves

nyanshak

12/14/2020, 6:56 PM

Oooh interesting, that's pretty confusing as an end user of fleetctl

zwass

12/14/2020, 6:57 PM

My idea was the plural gets metadata for the carves while the singular gets the actual carve contents. They each have different flags. Happy to work with you to find something that is more intuitive.

nyanshak

12/14/2020, 6:58 PM

Ah, okay. I've only done a pretty cursory exploration of carving. I'll have a think about it after I play around with it some more.

zwass

12/14/2020, 7:04 PM

Great, please let me know!

2 Views

Open in Slack

Previous Next