Incident Response - Fast suspicious file finder
FastFinder is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms. It is focused on endpoint enumeration and suspicious file finding based on various criterias:
Compiled release of this software are available. If you want to compile from sources, it could be a little bit tricky because it strongly depends of go-yara and CGO compilation. Anyway, you'll find a detailed documentation for windows and for linux
___ __ ___ ___ __ ___ __
|__ /\ /__` | |__ | |\ | | \ |__ |__)
| /~~\ .__/ | | | | \| |__/ |___ | \
2021-2022 | Jean-Pierre GARNIER | @codeyourweb
https://github.com/codeyourweb/fastfinder
usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
"<value>"] [-o|--output "<value>"] [-n|--no-window]
[-u|--no-userinterface] [-v|--verbosity <integer>]
[-t|--triage]
Incident Response - Fast suspicious file finder
Arguments:
-h --help Print help information
-c --configuration Fastfind configuration file. Default:
-b --build Output a standalone package with configuration and
rules in a single binary
-o --output Save fastfinder logs in the specified file
-n --no-window Hide fastfinder window
-u --no-userinterface Hide advanced user interface
-v --verbosity File log verbosity
| 4: Only alert
| 3: Alert and errors
| 2: Alerts,errors and I/O operations
| 1: Full verbosity)
. Default: 3
-t --triage Triage mode (infinite run - scan every new file in
the input path directories). Default: false
Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.
configuration examples are available there
input:
path: [] # match file path AND / OR file name based on simple string
content:
grep: [] # match literal string value inside file content
yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions)
checksum: [] # parse for md5/sha1/sha256 in file content
options:
contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs
findInHardDrives: true # enumerate hard drive content
findInRemovableDrives: true # enumerate removable drive content
findInNetworkDrives: true # enumerate network drive content
findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
output:
copyMatchingFiles: true # create a copy of every matching file
base64Files: true # base64 matched content before copy
filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder
advancedparameters:
yaraRC4Key: '' # yara rules can be (un)/ciphered using the specified RC4 key
maxScanFilesize: 2048 # ignore files up to maxScanFileSize Mb (default: 2048)
cleanMemoryIfFileGreaterThanSize: 512 # clean fastfinder internal memory after heavy file scan (default: 512Mb)
I initially created this project to automate fast system oriented IOC detection on a wide computer network. It fulfills the needs I have today. Nevertheless if you have complementary ideas, do not hesitate to ask for, I will see to implement them if they can be useful for everyone. On the other hand, pull request will be studied carefully.
I don't plan to add any additional features right now. The next release will be focused on: