dup is a command line tool that was designed for clients with an enterprise license to assist their incident responders in the collection of artifacts from live endpoints. Later, after all data is collected, they can process and analyze those artifacts on a forensic workstation.
Still in the prototype/testing stages, the tool can: (a) generate disk stats, (b) extract and analyze the master boot record data, (c) image a drive, volume or a specific set of clusters, (d) target just the volume shadows and (e) copy files or folders. If targeting NTFS type volumes, the tool can use its NTFS engine to copy files that are locked down by the operating system by accessing their underlying data clusters.
Originally architected for Windows, the tool also has compiled versions for Linux and OS-X to extract artifacts from 'dd' type images of NTFS volumes. The tool makes use of the zlib v.1.2.11 library from Jean-loup Gailly and Mark Adler for general compression.
Below is a screenshot of the menu of various options.
