Remote artefact acquisition is a cornerstone of Digital Forensics and Incident Response (DFIR). When you can't physically access a compromised host - or when preserving the live state of a system matters - bash becomes an indispensable tool for pulling critical forensic data across the network without the overhead of a full disk image.
This guide covers practical, field-tested bash techniques for collecting volatile and non-volatile artefacts from remote Linux and macOS systems, preserving their integrity, and managing the transfer securely.