This section provides a detailed guide on how to use Aralez, the Windows triage tool, including available options, commands, and example workflows to maximize its utility.
Basic Command
The tool can be executed with the following syntax:
aralez.exe [OPTIONS]
The OPTIONS parameter allows you to customize the behavior of the tool, such as enabling debug mode, displaying configuration details, or modifying the embedded configuration.
Important: Aralez must be run with administrator privileges, from an elevated PowerShell or CMD prompt on Windows.
Options
--debug
Description: Activates debug mode to provide detailed logs and verbose output during execution. This option is useful for troubleshooting and monitoring the internal workings of the tool.
Example Usage:
aralez.exe --debug
Behavior: Outputs additional runtime information, including executed tasks, configuration details, and potential issues on the console.
--show_config
Description: Displays the current embedded configuration file in YAML format without executing any tasks.
Example Usage:
aralez.exe --show_config
Behavior: Loads the embedded configuration and prints it to the console for review or debugging.
--change_config
Structure: --change_config CONFIG_FILE --output OUTPUT_FILE
Description: Updates the embedded configuration in the executable using CONFIG_FILE and saves the updated version to OUTPUT_FILE.
Important: If the new config is not valid, an error will be raised and the config won’t be updated.
Required Parameters:
- CONFIG_FILE: Path to the new configuration file (YAML format).
- OUTPUT_FILE: Path where the new executable will be saved.
Example Usage:
aralez.exe --change_config new_config.yml --output new_aralez.exe
Behavior: Creates a new_aralez.exe binary with the updated configuration embedded, leaving the original executable untouched.
--check_config
Description: Validates the current embedded configuration for correctness and reports any errors it finds.
Example Usage:
aralez.exe --check_config
Behavior: Loads and parses the configuration, checking for syntax or logical errors, and prints the validation result to the console.
Workflows
Running a Data Collection Task
Scenario: You want to collect system and file data with the default configuration.
Steps:
- Ensure the configuration is correctly set up: display the embedded configuration and review its content.
aralez.exe --show_config
- Validate the configuration before running a collection:
aralez.exe --check_config
- Run Aralez without additional flags:
aralez.exe
Output:
- Collected data is saved in the directory specified in the configuration file.
- The directory is compressed into a ZIP archive for convenience.
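The three steps above, scripted as one pre-flight-and-collect run, as an added example (this is not the Aralez project's own code). It assumes that aralez.exe sets a non-zero exit code when --check_config fails, and it takes the output directory as a parameter ($OutputDir) because the page does not name the configuration key that sets it; point it at whatever directory the embedded configuration specifies. The elevation check enforces the "Important" note above, and the SHA256 hashes of the binary and of the resulting ZIP archive are written to a small log so the collection can be accounted for later.

```powershell
# Added example: pre-flight checks and a default collection run from an
# elevated PowerShell session. Not part of the Aralez project.
# Assumptions (not stated on the page): $OutputDir matches the directory in
# the embedded configuration, and a failed --check_config sets a non-zero
# exit code.
param(
    [string]$AralezExe = ".\aralez.exe",
    [string]$OutputDir = ".\aralez_output"   # assumption: directory from the embedded config
)

$ErrorActionPreference = "Stop"

# Aralez must run with administrator privileges; refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

# Record exactly which binary is about to touch the host.
$binHash = (Get-FileHash -Algorithm SHA256 -Path $AralezExe).Hash
Write-Host "aralez.exe SHA256: $binHash"

# Step 1: review the embedded configuration; keep a copy of what was shown.
& $AralezExe --show_config | Tee-Object -FilePath ".\aralez_config_seen.yml"

# Step 2: validate it before collecting anything.
& $AralezExe --check_config
if ($LASTEXITCODE -ne 0) {   # assumption: non-zero exit code on invalid config
    throw "Embedded configuration failed validation; not collecting."
}

# Step 3: run the collection with no additional flags.
$started = Get-Date
& $AralezExe
if ($LASTEXITCODE -ne 0) {
    Write-Warning "aralez.exe exited with code $LASTEXITCODE; inspect its console output."
}

# Step 4: locate the ZIP archive produced by this run and hash it for the evidence log.
$archive = Get-ChildItem -Path $OutputDir -Filter *.zip -Recurse |
           Where-Object { $_.LastWriteTime -ge $started } |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $archive) { throw "No ZIP archive found under $OutputDir after the run." }

$zipHash = (Get-FileHash -Algorithm SHA256 -Path $archive.FullName).Hash
"$(Get-Date -Format o) host=$env:COMPUTERNAME binary_sha256=$binHash archive=$($archive.FullName) archive_sha256=$zipHash" |
    Add-Content -Path ".\aralez_collection.log"
Write-Host "Collected archive: $($archive.FullName)`nSHA256: $zipHash"
```

Hashing the archive immediately after it is written, on the host, is what lets you detect later tampering or a truncated transfer; if the tool turns out not to set an exit code on a failed --check_config, replace the $LASTEXITCODE test with a check of its printed validation result.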
Updating and Validating Configuration
Scenario: You need to modify the configuration for a specific use case.
Steps:
- Edit or create a new custom_config.yml file.
- Embed the new configuration into a custom executable:
aralez.exe --change_config custom_config.yml --output custom_aralez.exe
Output:
- If the configuration file is valid, custom_aralez.exe will be created with the updated configuration.
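A scripted version of this workflow that also verifies the result, as an added example (not the Aralez project's own code). Because --change_config writes a new binary rather than modifying the running one, the natural check is a round trip: run --show_config on the new executable and compare its output with the file you embedded. This assumes --show_config prints the embedded YAML verbatim (if the tool re-serialises it, compare after normalising with a YAML tool instead) and that a failed --change_config sets a non-zero exit code; both are assumptions, not behaviour stated on the page.

```powershell
# Added example: rebuild aralez.exe with a custom configuration and confirm
# that the new binary really carries it. Not part of the Aralez project.
# Assumptions: --show_config prints the embedded YAML verbatim, and a failed
# --change_config sets a non-zero exit code.
param(
    [string]$AralezExe  = ".\aralez.exe",
    [string]$ConfigFile = ".\custom_config.yml",
    [string]$OutputExe  = ".\custom_aralez.exe"
)

$ErrorActionPreference = "Stop"

if (-not (Test-Path $ConfigFile)) { throw "Config file not found: $ConfigFile" }
if (Test-Path $OutputExe) { throw "Refusing to overwrite existing $OutputExe" }

# Embed the new configuration; the original aralez.exe is left untouched.
& $AralezExe --change_config $ConfigFile --output $OutputExe
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutputExe)) {
    throw "Embedding failed (invalid configuration?); no new binary was produced."
}

# Round-trip check: what the new binary reports must match what was embedded.
# Line endings are normalised so CRLF vs LF does not cause a false mismatch.
function Normalize([string]$text) { ($text -replace "`r`n", "`n").TrimEnd() }

$expected = Normalize (Get-Content -Raw $ConfigFile)
$embedded = Normalize ((& $OutputExe --show_config) -join "`n")

if ($embedded -ne $expected) {
    # Show the differing lines before failing, to make the mismatch obvious.
    Compare-Object ($expected -split "`n") ($embedded -split "`n") | Format-Table -AutoSize
    throw "Embedded configuration in $OutputExe does not match $ConfigFile"
}

# Validate with the new binary as well, then hash it for distribution to endpoints.
& $OutputExe --check_config
if ($LASTEXITCODE -ne 0) { throw "Configuration in $OutputExe failed --check_config" }

$hash = (Get-FileHash -Algorithm SHA256 -Path $OutputExe).Hash
"$OutputExe SHA256: $hash" | Tee-Object -FilePath "$OutputExe.sha256"
```

Keep the recorded hash with the custom binary: anyone deploying custom_aralez.exe to hosts can then confirm they are running the build whose configuration was reviewed, and not a later rebuild.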
Debugging Task Execution
Scenario: You encounter unexpected behavior during a task and want detailed logs.
Steps:
- Run the tool in debug mode:
aralez.exe --debug
Output:
- Detailed information about task progression, including configuration parsing, data collection, and any errors, is displayed on the console.