FastFinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms. It is focused on endpoint enumeration and suspicious file finding based on various criterias:
Compiled release of this software are available. If you want to compile from sources, it could be a little bit tricky because it strongly depends of go-yara and CGO compilation. Anyway, you’ll find a detailed documentation for windows and for linux
_ _ _ _ _
|_ /\ /` | | | |\ | | \ |_ |) | /~~\ ./ | | | | | |/ |_ | \
2021-2022 | Jean-Pierre GARNIER | @codeyourweb
https://github.com/codeyourweb/fastfinder
usage: fastfinder [-h|–help] [-c|–configuration “”] [-b|–build
“”] [-o|–output “”] [-n|–no-window]
[-u|–no-userinterface] [-v|–verbosity ]
[-t|–triage]
Incident Response – Fast suspicious file finder
Arguments:
-h –help Print help information
-c –configuration Fastfind configuration file. Default:
-b –build Output a standalone package with configuration and
rules in a single binary
-o –output Save fastfinder logs in the specified file
-n –no-window Hide fastfinder window
-u –no-userinterface Hide advanced user interface
-v –verbosity File log verbosity
| 4: Only alert
| 3: Alert and errors
| 2: Alerts,errors and I/O operations
| 1: Full verbosity)
. Default: 3
-t –triage Triage mode (infinite run – scan every new file in
the input path directories). Default: false
Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.
configuration examples are available there
input:
path: [] # match file path AND / OR file name based on simple string
content:
grep: [] # match literal string value inside file content
yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions)
checksum: [] # parse for md5/sha1/sha256 in file content
options:
contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs
findInHardDrives: true # enumerate hard drive content
findInRemovableDrives: true # enumerate removable drive content
findInNetworkDrives: true # enumerate network drive content
findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd…
output:
copyMatchingFiles: true # create a copy of every matching file
base64Files: true # base64 matched content before copy
filesCopyPath: ” # empty value will copy matched files in the fastfinder.exe folder
advancedparameters:
yaraRC4Key: ” # yara rules can be (un)/ciphered using the specified RC4 key
maxScanFilesize: 2048 # ignore files up to maxScanFileSize Mb (default: 2048)
cleanMemoryIfFileGreaterThanSize: 512 # clean fastfinder internal memory after heavy file scan (default: 512Mb)
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…