| 1 | +[]() |
| 2 | +# _FastFinder_ - Incident Response - Fast suspicious file finder |
| 3 | + |
| 4 | +## What is this project designed for? |
| 5 | +_FastFinder_ is a lightweight tool made for threat hunting, live forensics and triage on Windows Platform. It is |
| 6 | +focused on enpoint enumeration and suspicious file finding based on various criterias: |
| 7 | +* file path / name; |
| 8 | +* simple string content match |
| 9 | +* complex content condition(s) based on YARA |
| 10 | + |
| 11 | +### Installation |
| 12 | +Compiled release of this software are available. If you want to compile |
| 13 | +from sources, it could be a little bit tricky cause it's stronly depends of |
| 14 | +_go-yara_ and CGO compilation. Anyway, you'll find a detailed documentation [here](README.windows-compilation.md) |
| 15 | + |
| 16 | +### Usage |
| 17 | +``` |
| 18 | +fastfinder [-h|--help] -c|--string "<value>" |
| 19 | +
|
| 20 | +Arguments: |
| 21 | +
|
| 22 | + -h --help Print help information |
| 23 | + -c --configuration fastfind configuration file |
| 24 | +``` |
| 25 | + |
| 26 | +Depending on where you are looking for files, _FastFinder_ could be used with admin OR simple user rights. |
| 27 | + |
| 28 | +### Scan and export file match according to your needs |
| 29 | +a configuration file example is available [here](configuration.yaml.example) in this repository |
| 30 | +``` |
| 31 | +input: |
| 32 | + path: [] # match file path AND / OR file name based on simple string ('?' and '*' wildcards are available for simple string) OR regular expression (regex have to be enclosed by "/<regex>/") |
| 33 | + content: |
| 34 | + grep: [] # match literal string value inside file contente |
| 35 | + yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions) |
| 36 | +options: |
| 37 | + findInHardDrives: true # enumerate hard drive content |
| 38 | + findInRemovableDrives: true # enumerate removable drive content |
| 39 | + findInNetworkDrives: true # enumerate network drive content |
| 40 | +output: |
| 41 | + base64Files: true # base64 matched content before copy |
| 42 | + filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder |
| 43 | +``` |
| 44 | + |
| 45 | +## About this project and future versions |
| 46 | +I initially created this project to automate the creation of fastfind on a wide computer network. |
| 47 | +It fulfills the needs I have today, nevertheless if you have complementary ideas, do not hesitate |
| 48 | +to ask for, I will see to implement them if they can be useful for everyone. |
| 49 | +On the other hand, pull request will be studied carefully. |
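Review bot: the Usage synopsis and the Arguments list disagree on the option name: the synopsis shows `-c|--string "<value>"` while the list documents `-c --configuration fastfind configuration file`, and the section that follows describes matching as driven entirely by a configuration file, so the synopsis should read `-c|--configuration "<file>"` (or the list should document a `--string` option if one exists). The first line of the file is an empty markdown link `[]()`, presumably a badge or logo whose target was lost; fill it in or remove it. In the configuration example, `filesCopyPath: ''` copies matched files into the fastfinder.exe folder; since every match is by definition a suspicious file, the comment should state the reason for `base64Files: true` (presumably so that collected samples are not executed by accident or quarantined by endpoint protection) and recommend pointing `filesCopyPath` at a dedicated collection directory rather than the tool's own folder. Spelling in the prose: "enpoint" should be "endpoint", "criterias" should be "criteria", "Compiled release of this software are" should be "Compiled releases of this software are", "stronly depends of" should be "strongly depends on", and "file contente" should be "file content".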