fastfinder: Fast suspicious file finder


FastFinder is a lightweight tool made for threat hunting, live forensics, and triage on both Windows and Linux platforms. It is focused on endpoint enumeration and suspicious file finding based on various criteria:

  • file-path / name
  • md5 / sha1 / sha256 checksum
  • simple string content match
  • complex content condition(s) based on YARA

Use

Depending on where you are looking for files, FastFinder can be run with admin OR plain user rights.

Scan for and export file matches according to your needs

Configuration examples are available there:

input:
    path: [] # match file path AND / OR file name based on simple string
    content:
        grep: [] # match literal string value inside file content
        yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions)
        checksum: [] # match files whose md5/sha1/sha256 checksum is in this list
options:
    contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searches. If false, paths and content both generate matches
    findInHardDrives: true # enumerate hard drive content
    findInRemovableDrives: true # enumerate removable drive content
    findInNetworkDrives: true # enumerate network drive content
    findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
output:
    copyMatchingFiles: true # create a copy of every matching file
    base64Files: true # base64 matched content before copy
    filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder

Note for input path:

  • '?' (a single character) and '*' (any run of characters) wildcards are available in simple string patterns
  • environment variables are also available
  • regular expressions are allowed; they must be enclosed by //
  • input path matching is always case INSENSITIVE
  • input content grep strings are always case SENSITIVE
  • backslashes do not need to be escaped in simple string patterns (see example)
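The following Go program is an added example, not FastFinder's own code: it re-implements the matching rules that the configuration block and the path notes above describe, so the semantics can be checked against concrete inputs. It covers wildcard and regex path patterns (case-insensitive, environment variables expanded, assumed here to use $VAR syntax via os.ExpandEnv), the case-sensitive literal grep, md5/sha1/sha256 checksum comparison, and both behaviours of contentMatchDependsOnPathMatch. The Config type, function names and the sample paths and marker string are constructed for the example; YARA is left out.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Config holds the subset of the README's YAML this example implements (hypothetical type).
type Config struct {
	Paths, Grep, Checksums         []string
	ContentMatchDependsOnPathMatch bool
}

// baseName returns the last path component for either '/' or '\' separators.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `/\`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// PathMatches applies the input path rules: environment variables are expanded
// (assumption: $VAR syntax, as os.ExpandEnv supports), a pattern enclosed by //
// is a regular expression searched in the full path, anything else is a simple
// string where '?' is one char and '*' any run. Backslashes need no escaping
// because the simple pattern is quoted literally; matching is case-insensitive
// and a simple pattern is tried against the full path and the file name alone.
func PathMatches(pattern, filePath string) bool {
	pattern = os.ExpandEnv(pattern)
	if len(pattern) > 2 && strings.HasPrefix(pattern, "/") && strings.HasSuffix(pattern, "/") {
		re, err := regexp.Compile("(?i)" + pattern[1:len(pattern)-1])
		return err == nil && re.MatchString(filePath) // an invalid regex never matches
	}
	quoted := strings.ReplaceAll(regexp.QuoteMeta(pattern), `\?`, ".")
	re := regexp.MustCompile("(?i)^" + strings.ReplaceAll(quoted, `\*`, ".*") + "$")
	return re.MatchString(filePath) || re.MatchString(baseName(filePath))
}

// GrepMatches is the literal, case-SENSITIVE content match.
func GrepMatches(needles []string, content []byte) bool {
	for _, n := range needles {
		if bytes.Contains(content, []byte(n)) {
			return true
		}
	}
	return false
}

// FileChecksums returns the md5, sha1 and sha256 hex digests of content, in that order.
func FileChecksums(content []byte) []string {
	m, s1, s2 := md5.Sum(content), sha1.Sum(content), sha256.Sum256(content)
	return []string{hex.EncodeToString(m[:]), hex.EncodeToString(s1[:]), hex.EncodeToString(s2[:])}
}

// ChecksumMatches accepts a digest from any of the three algorithms; hex is compared case-insensitively.
func ChecksumMatches(wanted []string, content []byte) bool {
	actual := FileChecksums(content)
	for _, w := range wanted {
		for _, a := range actual {
			if strings.EqualFold(strings.TrimSpace(w), a) {
				return true
			}
		}
	}
	return false
}

// IsMatch combines the criteria as contentMatchDependsOnPathMatch describes:
// true  -> the path list is a pre-filter, then content rules (if any) must also hit;
// false -> any single criterion hitting is enough to report the file.
func IsMatch(cfg Config, filePath string, content []byte) bool {
	pathHit := false
	for _, p := range cfg.Paths {
		pathHit = pathHit || PathMatches(p, filePath)
	}
	contentHit := GrepMatches(cfg.Grep, content) || ChecksumMatches(cfg.Checksums, content)
	if !cfg.ContentMatchDependsOnPathMatch {
		return pathHit || contentHit
	}
	if len(cfg.Paths) > 0 && !pathHit {
		return false
	}
	if len(cfg.Grep) == 0 && len(cfg.Checksums) == 0 {
		return pathHit
	}
	return contentHit
}

func main() {
	// Constructed sample: an executable dropped under a Temp folder carrying a marker string.
	cfg := Config{Paths: []string{`*\Temp\*.exe`}, Grep: []string{"CONSTRUCTED-MARKER"}, ContentMatchDependsOnPathMatch: true}
	fmt.Println(IsMatch(cfg, `C:\Users\demo\AppData\Local\Temp\update.exe`, []byte("xx CONSTRUCTED-MARKER yy"))) // true
	fmt.Println(IsMatch(cfg, `C:\Users\demo\AppData\Local\Temp\update.exe`, []byte("clean")))                    // false
}
```

One caveat worth checking in a real deployment: taken literally, the "enclosed by //" convention means a Linux pattern that ends in a separator (for example a directory written as /var/tmp/) would be read as a regular expression rather than a path prefix; the page does not say how the tool itself disambiguates this, so prefer a trailing wildcard (/var/tmp/*) in simple patterns.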

Download

Copyright (c) 2021 Jean-Pierre GARNIER