Kali Linux

FastFinder : Incident Response – Fast Suspicious File Finder

FastFinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms. It is focused on endpoint enumeration and suspicious file finding based on various criterias:

  • file path / name
  • md5 / sha1 / sha256 checksum
  • simple string content match
  • complex content condition(s) based on YARA

Ready for battle!

  • fastfinder has been tested in real cases in multiple CERT, CSIRT and SOC use cases
  • examples directory now include real malwares / suspect behaviors or vulnerability scan examples

Installation

Compiled release of this software are available. If you want to compile from sources, it could be a little bit tricky because it strongly depends of go-yara and CGO compilation. Anyway, you’ll find a detailed documentation for windows and for linux

Usage

_ _ _ _ _
|_ /\ /` | | | |\ | | \ |_ |) | /~~\ ./ | | | | | |/ |_ | \
2021-2022 | Jean-Pierre GARNIER | @codeyourweb
https://github.com/codeyourweb/fastfinder
usage: fastfinder [-h|–help] [-c|–configuration “”] [-b|–build
“”] [-o|–output “”] [-n|–no-window]
[-u|–no-userinterface] [-v|–verbosity ]
[-t|–triage]
Incident Response – Fast suspicious file finder
Arguments:
-h –help Print help information
-c –configuration Fastfind configuration file. Default:
-b –build Output a standalone package with configuration and
rules in a single binary
-o –output Save fastfinder logs in the specified file
-n –no-window Hide fastfinder window
-u –no-userinterface Hide advanced user interface
-v –verbosity File log verbosity
| 4: Only alert
| 3: Alert and errors
| 2: Alerts,errors and I/O operations
| 1: Full verbosity)
. Default: 3
-t –triage Triage mode (infinite run – scan every new file in
the input path directories). Default: false

Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

Scan and export file match according to your needs

configuration examples are available there

input:
path: [] # match file path AND / OR file name based on simple string
content:
grep: [] # match literal string value inside file content
yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions)
checksum: [] # parse for md5/sha1/sha256 in file content
options:
contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs
findInHardDrives: true # enumerate hard drive content
findInRemovableDrives: true # enumerate removable drive content
findInNetworkDrives: true # enumerate network drive content
findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd…
output:
copyMatchingFiles: true # create a copy of every matching file
base64Files: true # base64 matched content before copy
filesCopyPath: ” # empty value will copy matched files in the fastfinder.exe folder
advancedparameters:
yaraRC4Key: ” # yara rules can be (un)/ciphered using the specified RC4 key
maxScanFilesize: 2048 # ignore files up to maxScanFileSize Mb (default: 2048)
cleanMemoryIfFileGreaterThanSize: 512 # clean fastfinder internal memory after heavy file scan (default: 512Mb)

Search everywhere or in specified paths:

  • use ‘?’ in paths for simple char wildcard (eg. powershe??.exe)
  • use ‘\*’ in paths for multiple chars wildcard (eg. \*.exe)
  • regular expressions are also available , just enclose paths with slashes (eg. /[0-9]{8}\.exe/)
  • environment variables can also be used (eg. %TEMP%\myfile.exe)

Important notes

  • input path are always case INSENSITIVE
  • content search on string (grep) are always case SENSITIVE
  • backslashes SHOULD NOT be escaped (except with regular expressions) For more informations, take a look at the examples
R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

6 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

7 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

1 day ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago