{"id":13773611,"url":"https://github.com/alpine-sec/SPECTR3","last_synced_at":"2025-05-11T05:35:07.053Z","repository":{"id":171939565,"uuid":"636350744","full_name":"alpine-sec/SPECTR3","owner":"alpine-sec","description":"Forensic tool for acquisition, triage and analysis of remote block devices via iSCSI protocol.","archived":false,"fork":false,"pushed_at":"2024-02-09T16:54:53.000Z","size":1654,"stargazers_count":32,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-04-29T07:25:16.680Z","etag":null,"topics":["acquisition","cybersecurity","forensics","iscsi"],"latest_commit_sha":null,"homepage":"https://www.alpinesec.io","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alpine-sec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"License.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-04T16:51:13.000Z","updated_at":"2024-06-19T02:59:07.761Z","dependencies_parsed_at":"2024-06-19T02:59:06.606Z","dependency_job_id":"74b660f0-0364-46c7-a455-de4dfa09ed4f","html_url":"https://github.com/alpine-sec/SPECTR3","commit_stats":null,"previous_names":["alpine-sec/spectr3"],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpine-sec%2FSPECTR3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpine-sec%2FSPECTR3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpine-sec%2FSPECTR3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alpine-sec%2FS
PECTR3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alpine-sec","download_url":"https://codeload.github.com/alpine-sec/SPECTR3/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253523688,"owners_count":21921815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acquisition","cybersecurity","forensics","iscsi"],"created_at":"2024-08-03T17:01:17.912Z","updated_at":"2025-05-11T05:35:02.042Z","avatar_url":"https://github.com/alpine-sec.png","language":"C#","funding_links":[],"categories":["IR Tools Collection","Tools"],"sub_categories":["Evidence Collection","Acquisition"],"readme":"\u003ca name=\"readme-top\"\u003e\u003c/a\u003e\n\u003c!-- PROJECT LOGO --\u003e\n\u003cbr /\u003e\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://github.com/alpine-sec/spectr3\"\u003e\n    \u003cimg width=\"488\" alt=\"Spectr3_2\" src=\"https://user-images.githubusercontent.com/143736/236651153-4bb4553b-52cb-4b28-adcb-7060ad68667f.png\"\u003e\n  \u003c/a\u003e\n\n  \u003ch3 align=\"center\"\u003eSPECTR3: Remote Acquisition Tool\u003c/h3\u003e\n\n  \u003cp align=\"center\"\u003e\n    Acquire, triage and investigate remote evidence via portable iSCSI readonly access\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003c!-- TABLE OF CONTENTS --\u003e\n\u003cdetails\u003e\n  \u003csummary\u003eTable of Contents\u003c/summary\u003e\n  \u003col\u003e\n    \u003cli\u003e\n      \u003ca href=\"#about-the-project\"\u003eAbout The Project\u003c/a\u003e\n    \u003c/li\u003e\n    \u003cli\u003e\n      \u003ca 
href=\"#usage\"\u003eUsage\u003c/a\u003e\n      \u003cul\u003e\n        \u003cli\u003e\u003ca href=\"#Command-Line-Options\"\u003eCommand Line Options\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#List-devices-of-the-endpoint\"\u003eList devices of the endpoint\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Share-a-disk-or-volume-as-an-iSCSI-target\"\u003eShare a disk or volume as an iSCSI target\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Connect-to-a-SPECTR3-iSCSI-target-with-Windows\"\u003eConnect to a SPECTR3 iSCSI target with Windows\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Connect-to-a-SPECTR3-iSCSI-target-with-Linux\"\u003eConnect to a SPECTR3 iSCSI target with Linux\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Connect-to-a-SPECTR3-iSCSI-target-with-OSx\"\u003eConnect to a SPECTR3 iSCSI target with OSx\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Improved-security-through-IP-ACLs\"\u003eImproved security through IP ACLs\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#Encrypt-connection-over-reverse-SSH\"\u003eEncrypt connection over reverse SSH\u003c/a\u003e\u003c/li\u003e\n        \u003cli\u003e\u003ca href=\"#SPECTR3-for-Linux\"\u003eSPECTR3 for Linux\u003c/a\u003e\u003c/li\u003e\n      \u003c/ul\u003e\n    \u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#examples\"\u003eVideo Examples\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#roadmap\"\u003eRoadmap\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#acknowledgments\"\u003eAcknowledgments\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#scenarios\"\u003eScenarios\u003c/a\u003e\u003c/li\u003e\n  \u003c/ol\u003e\n\u003c/details\u003e\n\n\n\u003c!-- ABOUT THE PROJECT --\u003e\n## About The Project\n\nThis project is based on the great work done by TalAloni with iSCSI Console (windows version) and 
Fujita with TGT project (linux version) but with a forensic objective more similar to F-Response in its approach to remote acquisition, analysis and triage.\n\nThe goal is to make available to the community a command line, open source and easy to use tool for scenarios where a complete forensic acquisition or a fast remote analysis is needed.\n\nAnd of course... just for fun!\n\n\u003c!-- USAGE EXAMPLES --\u003e\n## Usage\n[**DOWNLOAD EXECUTABLE**](https://github.com/alpine-sec/SPECTR3/releases/latest)\n\nCopy portable executable of **SPECTR3** to the endpoint where you want to perform remote acquisition, triage or forensic analysis, **remember that you will need administrator permissions to access the block devices.**\n\n### Command Line Options\n```\nSPECTR3 v0.7.5 - Remote acquisition and forensic tool by Alpine Security\nUsage: SPECTR3.exe [options]\nOptions:\n  -l, --list\n    List available volumes and disks.\n  -p, --port\n    Set the port number to listen on.\n  -i, --permitip\n    Set the permited ip client to connect.\n  -b, --bindip\n    Set the bind ip where server will listen.\n  -v, --volume\n    Set the volume to share.\n  -d, --disk\n    Set the disk to share.\n  -a, --shareall\n    Share all disks.\n  -t, --timeout\n    Stop the service if the configured number of MINUTES without activity elapses. Ex. -t 60 (60 min)\n  -h, --help\n    Print this help message.\n  --sshuser\n    Set the ssh user to connect.\n  --sshpass\n    Set the ssh password to connect in BASE64. NOTE: if the password is empty, the prompt will ask for the password, in this case it does not need to be entered in BASE64.\n  --sshhost\n    Set the ssh host to connect.\n  --sshport\n    Set the ssh port to connect. Default: 22\n  --daemon\n    Run SPECTR3 as background unattended process. 
NOTE: Manually kill by PID needed.\n```\n\n### List devices of the endpoint\n```\nC:\\Users\\dev\\Desktop\u003eSPECTR3.exe -l\n- List Physical Disks:\n    + Dsk 0:  Msft Virtual Disk    60GB\n- List Volumes:\n    + Vol 0:  EFI system partition Partition 100MB Healthy\n    + Vol 1:  Microsoft reserved partition Partition 16MB Healthy\n    + Vol 2:  Basic data partition Partition 59.4GB Healthy\n    + Vol 3:  Noname Partition 530MB Healthy\n```\n\n### Share a disk or volume as an iSCSI target\nUse -d if you want to share a full disk, or -v if you only want to share a volume. Use the index of the volume or disk as shown in the -l list. (Allow access in the firewall if a popup appears.)\n```\nC:\\Users\\dev\\Desktop\u003eSPECTR3.exe -d 0\n\n  - SPECTR3 Server running at 172.29.10.42:3262\n    + Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0\n    + Access Permited from: 0.0.0.0\n  - Press ENTER key to stop sharing and close server ...\n```\nPress ENTER to stop sharing and terminate the server.\n\n---\n\n### Connect to a SPECTR3 iSCSI target with Windows\nOn Windows investigator machines you can use the native Windows iSCSI Initiator tool:\n1. Discover targets with \"Discover Portal\" in the \"Discovery\" tab:\n\n![win01](https://github.com/alpine-sec/SPECTR3/assets/143736/3950442b-ec66-4989-800f-3704ebb73134)\n\n2. Use the Spectr3 server IP and port:\n\n![win02](https://github.com/alpine-sec/SPECTR3/assets/143736/2229a494-e36c-4072-ad1a-dabd9466964e)\n\n\n3. Connect to the target in the \"Targets\" tab:\n\n![win03](https://github.com/alpine-sec/SPECTR3/assets/143736/a8b7d39e-4d5c-478a-9254-a6693a4e1f2f)\n\n![win04](https://github.com/alpine-sec/SPECTR3/assets/143736/7ea41776-4068-493c-9d15-60eb5ce39fbf)\n\n\n4. 
Acquire or analyze with your favorite tool:\n\n![win05](https://github.com/alpine-sec/SPECTR3/assets/143736/66e3a3b7-a629-4389-9641-297fd50624d6)\n\n![win06](https://github.com/alpine-sec/SPECTR3/assets/143736/fde96dee-d5a7-4c41-b94f-f77e5b49166d)\n\n\n```\nC:\\kape\u003e .\\kape.exe --tsource G: --tdest C:\\Triages\\RegistryFiles --target RegistryHives\nKAPE version 1.3.0.2, Author: Eric Zimmerman, Contact: https://www.kroll.com/kape (kape@kroll.com)\n\nKAPE directory: C:\\kape\nCommand line:   --tsource G: --tdest RegistryFiles --target RegistryHives\n\nSystem info: Machine name: STARK, 64-bit: True, User: KERO99 OS: Windows10 (10.0.22621)\n\nUsing Target operations\n  Creating target destination directory C:\\Triages\\RegistryFiles\nFound 2 targets. Expanding targets to file list...\nFound 30 files in 0.173 seconds. Beginning copy...\n\nCopied 30 out of 30 files in 6.5936 seconds. See C:\\Triages\\RegistryFiles\\2023-05-09T15_06_21_5242679_CopyLog.csv for copy details\n\nTotal execution time: 6.5953 seconds\n```\n\n**NOTE**: if you simply want to do a quick view without the annoying permissions inherited from NTFS, you can use Double Commander (https://github.com/doublecmd/doublecmd) or Powershell as administrator for example\n\n5. Disconnect when finish\n\n---\n\n### Connect to a SPECTR3 iSCSI target with Linux\nIn linux distros install open-iscsi with apt or yum.\n1. Discover targets:\n```\nadmuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p 172.29.10.42:3262\n172.29.10.42:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0\n```\n2. Connect targets:\n```\nadmuser@lindev:~$ sudo iscsiadm -m node -l\nLogging in to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]\nLogin to [iface: default, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.\n```\n![image](https://user-images.githubusercontent.com/143736/236651802-0c5699da-3ca3-4cb1-9580-7c55505eed99.png)\n\n3. 
Acquire or analyze with your favorite tool:\n```\nadmuser@lindev:/tmp$ sudo ewfacquire -u -S 5GiB -t /tmp/windev/windev /dev/sdb\n```\n![image](https://user-images.githubusercontent.com/143736/236651882-fa5280bb-8d26-451d-81a8-01c78fd58b7a.png)\n\n4. Disconnect when finish:\n```\nadmuser@lindev:/tmp$ sudo iscsiadm -m node -u\nLogging out of session [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262]\nLogout of [sid: 1, target: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0, portal: 172.29.10.42,3262] successful.\n```\n5. (Optional) Remove Target from cache. Example:\n```\nadmuser@lindev:~$ sudo iscsiadm -m node -o delete -T iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0\n```\n---\n### Connect to a SPECTR3 iSCSI target with OSx\nIn OSx install KernSafe ISCSI Initiator X.\n\nhttps://www.kernsafe.com/product/macos-iscsi-initiator.aspx\n\n1. Discover targets with \"Discover\" and Discover Menu:\n\n![osx01](https://github.com/alpine-sec/SPECTR3/assets/143736/522dc464-b76e-49e2-b5f2-2a69a8f660c6)\n\n![osx02](https://github.com/alpine-sec/SPECTR3/assets/143736/0211cbbe-712a-4cb0-8716-9b549221b86c)\n\n2. Use Spectr3 server IP and Port:\n\n![osx03](https://github.com/alpine-sec/SPECTR3/assets/143736/0d8af011-1433-4ac6-a677-6d6eb11ac1a3)\n\n![osx04](https://github.com/alpine-sec/SPECTR3/assets/143736/84c80c34-8c84-4f0d-8b26-74b8445d6a96)\n\n3. Connect to target:\n\n![osx06](https://github.com/alpine-sec/SPECTR3/assets/143736/257aaa4f-336e-43b9-87b0-f164071529b5)\n\n![osx07](https://github.com/alpine-sec/SPECTR3/assets/143736/17a9eb9c-fafd-46c1-8646-3854634793e9)\n\n4. Acquire or analyze with your favorite tool:\n\n![osx08](https://github.com/alpine-sec/SPECTR3/assets/143736/f9519e38-874d-4790-9b32-bf66da541038)\n\n5. **Disconnect when finish:**\n\n:warning: Remember to disconnect your ISCSI drives before shutdown :warning:\n\n---\n\n### Improved security through IP ACLs\nUse -i option to improve de security via IP ACL. 
Only the permited IP will access to target\n```\nC:\\Users\\dev\\Desktop\u003eSPECTR3.exe -d 0 -i 10.10.10.2\n  - SPECTR3 Server running at 172.20.118.42:3262\n    + Access Permited from: 10.10.10.2\n  - Press any key to stop sharing and close server ...\n```\n\n### Encrypt connection over reverse SSH\n\n1. Use --sshhost options. Optionally you can add sshuser, sshpass and sshport via arguments. If you want set password via argument, you need convert it to base64 (perfect for remote execution of SPECTR3):\n\n```\nC:\\Users\\dev\\Desktop\u003eSPECTR3.exe -d 0 --sshhost 172.29.10.41\n  - SSH Username: admuser\n  - SSH Password: *************\n  - SPECTR3 Server running at 127.0.0.1:3262\n    + Target IQN: iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0\n    + Access Permited from: 127.0.0.1\n  - Press ENTER key to stop sharing and close server ...\n  - Connecting to SSH server ...\n    + SSH tunnel successfully connected to 172.29.10.41:22\n    + SSH connection state: Connected\n ```\n\n2. You can see the remote login and the iSCSI port in the remote machine:\n```\nMay 22 08:31:04 lindev sshd[1131]: Accepted password for admuser from 172.29.10.42 port 49928 ssh2\nMay 22 08:31:04 lindev sshd[1131]: pam_unix(sshd:session): session opened for user admuser(uid=1000) by (uid=0)\nMay 22 08:31:04 lindev systemd-logind[692]: New session 4 of user admuser.\n```\n```\nadmuser@lindev:~$ netstat -tulpna | grep 3262\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\ntcp        0      0 127.0.0.1:3262          0.0.0.0:*               LISTEN      -\ntcp6       0      0 ::1:3262                :::*                    LISTEN      -\n```\n\n3. Show target in localhost and exported port:\n\n```\nadmuser@lindev:~$ sudo iscsiadm -m discovery -t sendtargets -p localhost:3262\n[sudo] password for admuser:\n[localhost]:3262,-1 iqn.2023-05.io.alpine.desktop-j4r9lju:dsk0\n```\n\n4. 
Connect target as usual.\n\n### SPECTR3 for Linux\nSPECTR3 for linux works as a wrapper for the https://github.com/fujita/tgt project and uses the tgtd and tgtadmin binaries. Both binaries are embedded in the portable version.\n```\nusage: spectr3 [-h] [-V] [-l] [-p PORT] [-i PERMITIP] [-b BINDIP] [-d DEVICE] [-a]\n               [--chapuser CHAPUSER] [--chappass CHAPPASS] [--daemon]\n\nSPECTR3 Linux v0.3 - Remote acquisition and forensic tool by Alpine Security\n\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n  -l, --list            List available volumes and disks.\n  -p PORT, --port PORT  Set port to listen on.\n  -i PERMITIP, --permitip PERMITIP\n                        Set the permited ip client to connect.\n  -b BINDIP, --bindip BINDIP\n                        Set the bind ip to listen.\n  -d DEVICE, --device DEVICE\n                        Set device to share. Ex: -d sda1 (without /dev/)\n  -a, --shareall        Share all block devices\n  --chapuser CHAPUSER   Set CHAP username. Ex: --chapuser admin\n  --chappass CHAPPASS   Set CHAP password in BASE64 with minimal password size of 12. Ex: --chappass\n                        QWxwaW5lU2VjdXJpdHk=\n  --daemon              Run SPECTR3 as background unattended process. NOTE: Manually kill by PID\n                        needed.\n```\nNOTE: In Centos7/RHEL remember open allow port. 
Ex: sudo firewall-cmd --zone=public --add-port=3262/tcp\n\nExecution Example:\n```\nadmuser@lintest:~$ sudo ./spectr3 -l\n- List Physical Disks:\n    + sda:  VMware, VMware Virtual S    20.0GiB\n    + sr0:  NECVMWar VMware Virtual SATA CDRW Drive    1.8GiB\n- List Volumes:\n    + sda1:                     1.0MiB\n    + sda2:     ext4    /boot   1.8GiB\n    + sda3:                     18.2GiB\n- List LVM Volumes:\n    + ubuntu-lv:        ext4    /       10.0GiB\n```\n\n```\nadmuser@lintest:~$ sudo ./spectr3 -d sda2\n  - Starting TGTD...\n    + TGTD PID: 38675\n    + TGTD started successfully.\n\n  - Creating target...\n    + Adding device to target...\n    + Setting target ACL...\n    + Setting target readonly...\n\n  - SPECTR3 Server running at 192.168.202.180:3262\n    + Target IQN: iqn.2023-05.io.alpine.lintest:sda2\n    + Target ACL: ALL\n```\n\nCompile linux portable\n```\ncd SPECTR3_LIN\nmake\nsudo pip3 install -r requirements.txt\npyinstaller --onefile spectr3.py --add-binary tgtd:. 
--add-binary tgtadm:.\n```\n\n\u003c!-- EXAMPLES --\u003e\n## Examples\n\n### Fast EVTX triage with SPECTR3, Hayabusa and Timesketch\n\n[![Watch the video](https://img.youtube.com/vi/E2nB-voOwRk/hqdefault.jpg)](https://youtu.be/E2nB-voOwRk)\n\n ### Remote Acquisition of Windows Server Core with SPECTR3\n\n[![Watch the video](https://img.youtube.com/vi/_6UjkySK3yc/hqdefault.jpg)](https://youtu.be/_6UjkySK3yc)\n\n\u003c!-- SCENARIOS --\u003e\n## Scenarios\n\n![SPECTR3-Basic](https://github.com/alpine-sec/SPECTR3/assets/143736/406037df-7b52-4f67-9e7b-98f4921a7f01)\n\n\u003c!-- ROADMAP --\u003e\n## Roadmap\n\n- [X] Add option to share all drives in different targets\n- [ ] Add option to install as a service\n- [X] Add option to run as daemon in background\n- [X] Tunnelized and encrypted connections\n- [X] Linux Version\n- [ ] Multiplatform easy client\n- [ ] Others cool things...\n\n\u003c!-- ACKNOWLEDGMENTS --\u003e\n## Acknowledgments\n\n* [iScsi Console](https://github.com/TalAloni/iSCSIConsole)\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#readme-top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falpine-sec%2FSPECTR3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falpine-sec%2FSPECTR3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falpine-sec%2FSPECTR3/lists"}