fastfinder: Fast suspicious file finder

by do son · February 18, 2022

FastFinder – Incident Response – Fast suspicious file finder

FastFinder is a lightweight tool made for threat hunting, live forensics, and triage on both Windows and Linux Platforms. It is focused on endpoint enumeration and suspicious file finding based on various criteria:

file-path / name
md5 / sha1 / sha256 checksum
simple string content match
complex content condition(s) based on YARA

Use

Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

Scan and export file match according to your needs

configuration examples are available there

input:

    path: [] # match file path AND / OR file name based on simple string 

    content:

        grep: [] # match literal string value inside file content

        yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions) 

        checksum: [] # parse for md5/sha1/sha256 in file content 

options:

    contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs

    findInHardDrives: true	# enumerate hard drive content

    findInRemovableDrives: true # enumerate removable drive content 

    findInNetworkDrives: true # enumerate network drive content

    findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...

output:

    copyMatchingFiles: true # create a copy of every matching file

    base64Files: true # base64 matched content before copy

    filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder

Note for input path:

‘?’ for simple char and ‘\*’ for multiple chars, wildcards are available for simple string
environment variables are also available
regular expressions are allowed, they should be enclosed by //
input path is always case INSENSITIVE
input content grep strings are always case SENSITIVE
backslashes haven’t to be escaped on simple string pattern (see example)