<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>FatInfo — DFIR ORC documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/solar.css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="FastFind" href="FastFind.html" />
<link rel="prev" title="Configuring Tool Output" href="configuring_tool_output.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="FastFind.html" title="FastFind"
accesskey="N">next</a>
<li class="right" >
<a href="configuring_tool_output.html" title="Configuring Tool Output"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" accesskey="U">Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="fatinfo">
<h1>FatInfo<a class="headerlink" href="#fatinfo" title="Permalink to this heading">¶</a></h1>
<section id="description">
<h2>Description<a class="headerlink" href="#description" title="Permalink to this heading">¶</a></h2>
<p>FatInfo is intended to collect details on data stored on mounted FAT volumes and raw disk images.
The tool enumerates the file system entries and writes the user-chosen details to one or more CSV files.</p>
</section>
<section id="output">
<h2>Output<a class="headerlink" href="#output" title="Permalink to this heading">¶</a></h2>
<p>FatInfo can output data into a CSV file, a folder or an archive. When given a folder or an archive, it creates one file per FAT volume instead of a single file, and also creates a file named volstats.csv in the output archive or directory.</p>
<p>Each CSV file contains the following information on files and folders present on the FAT system:</p>
<ul class="simple">
<li><dl class="simple">
<dt><strong>Volume Identification:</strong></dt><dd><ul>
<li><p><strong>ComputerName:</strong> Name of the computer</p></li>
<li><p><strong>VolumeID:</strong> Id of the volume</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>Standard Information:</strong></dt><dd><ul>
<li><p><strong>File:</strong> Name of the file</p></li>
<li><p><strong>ParentName:</strong> Name of the parent folder</p></li>
<li><p><strong>FullName:</strong> Full-path name</p></li>
<li><p><strong>Extension:</strong> Optional file name extension (split path)</p></li>
<li><p><strong>Attributes:</strong> FAT file system attributes</p></li>
<li><p><strong>SizeInBytes:</strong> File size in bytes</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>Date Information:</strong></dt><dd><ul>
<li><p><strong>CreationDate:</strong> File creation date <em>“mm/dd/yyyy hh:mm:ss.000”</em></p></li>
<li><p><strong>LastModificationDate:</strong> File last write date <em>“mm/dd/yyyy hh:mm:ss.000”</em></p></li>
<li><p><strong>LastAccessDate:</strong> File last read access date</p></li>
</ul>
</dd>
</dl>
</li>
<li><p><strong>RecordInUse:</strong> Boolean which indicates if this record was in use or free (i.e. deleted)</p></li>
<li><p><strong>Short Name</strong> (8.3) if any</p></li>
<li><dl class="simple">
<dt><strong>Cryptographic/Authenticode Information:</strong></dt><dd><ul>
<li><p><strong>MD5:</strong> Cryptographic MD5 hash (in hex)</p></li>
<li><p><strong>SHA1:</strong> Cryptographic SHA1 hash (in hex)</p></li>
<li><p><strong>SHA256:</strong> Cryptographic SHA256 hash (in hex)</p></li>
<li><p><strong>PeMD5:</strong> Authenticode (PE) file MD5 hash</p></li>
<li><p><strong>PeSHA1:</strong> Authenticode (PE) file SHA1 hash</p></li>
<li><p><strong>PeSHA256:</strong> Authenticode (PE) file SHA256 hash</p></li>
<li><dl class="simple">
<dt><strong>AuthenticodeStatus:</strong> Status of the authenticode signature for the file. Possible values are:</dt><dd><ul>
<li><p><strong>Unknown:</strong> Status failed to be determined</p></li>
<li><p><strong>Empty string:</strong> File is not a PE</p></li>
<li><p><strong>SignedVerified:</strong> File is signed and the signature verified</p></li>
<li><p><strong>CatalogSignedVerified:</strong> File hash is listed in a catalog</p></li>
<li><p><strong>SignedNotVerified:</strong> File signature does <strong>not</strong> verify</p></li>
<li><p><strong>NotSigned:</strong> No signature or catalog could be found for this file</p></li>
</ul>
</dd>
</dl>
</li>
<li><p><strong>AuthenticodeSigner:</strong> Signer’s certificate (value of the first occurrence of the attributes szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, or szOID_RSA_emailAddr)</p></li>
<li><p><strong>AuthenticodeSignerThumbprint:</strong> Signer’s certificate hash</p></li>
<li><p><strong>AuthenticodeCA:</strong> Signer’s root CA certificate (value of the first occurrence of the attributes szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, or szOID_RSA_emailAddr)</p></li>
<li><p><strong>AuthenticodeCAThumbprint:</strong> Signer’s root CA certificate hash</p></li>
<li><p><strong>SecurityDirectory:</strong> Base64 encoded security directory of the PE file (if present)</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>Version Information:</strong></dt><dd><ul>
<li><p><strong>FileOS:</strong> VersionInfo OS tag</p></li>
<li><p><strong>FileType:</strong> VersionInfo type</p></li>
<li><p><strong>Version:</strong> VersionInfo file version</p></li>
<li><p><strong>CompanyName:</strong> VersionInfo company name</p></li>
<li><p><strong>ProductName:</strong> VersionInfo product name</p></li>
<li><p><strong>OriginalFileName:</strong> VersionInfo original file name</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>PE Header Related Information:</strong></dt><dd><ul>
<li><p><strong>Platform:</strong> PE Header platform</p></li>
<li><p><strong>TimeStamp:</strong> PE Header timestamp</p></li>
<li><p><strong>SubSystem:</strong> PE Header SubSystem</p></li>
</ul>
</dd>
</dl>
</li>
<li><p><strong>FirstBytes:</strong> First 16 bytes (in hex) of the file content.</p></li>
</ul>
<p>An output for logging purposes can be used with the syntax found in <a class="reference internal" href="configuring_console_output.html"><span class="doc">Configuring Console Output</span></a>.</p>
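<p>As an added example (not part of DFIR ORC), the following Python script parses a FatInfo CSV export using the column names documented above and groups records by what an analyst would review first: deleted entries with an executable extension, PE files whose Authenticode signature failed to verify, unsigned PE files, and files whose status could not be determined. The CSV rows, the hash values and the "true"/"false" spelling of RecordInUse are constructed for the example; the extension set is the one the ExtBinary criterion lists.</p>

```python
"""Triage pass over a FatInfo CSV export.

Added example for this page: it is not part of DFIR ORC. The column names
are the ones the FatInfo documentation lists; the CSV rows, the hash values
and the RecordInUse spelling ("true"/"false") are constructed for the example.
"""
import csv
import io

# Executable extensions, taken from the ExtBinary criterion description.
BINARY_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}

# Constructed sample export: a subset of the documented FatInfo columns.
SAMPLE_CSV = r"""ComputerName,VolumeID,File,FullName,Extension,SizeInBytes,RecordInUse,SHA256,AuthenticodeStatus,AuthenticodeSigner
WS01,1A2B-3C4D,setup.exe,\tools\setup.exe,.exe,1048576,true,sha256-placeholder-1,SignedVerified,Example Corp
WS01,1A2B-3C4D,update.exe,\tools\update.exe,.exe,524288,true,sha256-placeholder-2,SignedNotVerified,Example Corp
WS01,1A2B-3C4D,notes.txt,\docs\notes.txt,.txt,200,true,sha256-placeholder-3,,
WS01,1A2B-3C4D,helper.dll,\tmp\helper.dll,.dll,70000,false,sha256-placeholder-4,NotSigned,
WS01,1A2B-3C4D,driver.sys,\drv\driver.sys,.sys,30000,true,sha256-placeholder-5,Unknown,
"""


def parse_bool(text):
    """RecordInUse spelling is assumed here; accept the usual boolean forms."""
    return text.strip().lower() in {"true", "1", "yes"}


def parse_fatinfo_csv(text):
    """Return one dict per CSV row, with SizeInBytes as int and RecordInUse as bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["SizeInBytes"] = int(row["SizeInBytes"])
        row["RecordInUse"] = parse_bool(row["RecordInUse"])
        rows.append(row)
    return rows


def triage(rows):
    """Group records by what an analyst would look at first.

    - deleted_binaries: free (deleted) directory entries with an executable
      extension; FatInfo reports them only with resurrect enabled, and their
      on-disk data may already be overwritten.
    - signature_failed: PE files whose Authenticode signature does not verify.
    - unsigned_pe: PE files with neither a signature nor a catalog entry.
    - status_unknown: PE files whose signature status could not be determined.
    An empty AuthenticodeStatus means the file is not a PE and is skipped.
    """
    findings = {"deleted_binaries": [], "signature_failed": [],
                "unsigned_pe": [], "status_unknown": []}
    for row in rows:
        path = row["FullName"]
        if not row["RecordInUse"] and row["Extension"].lower() in BINARY_EXTENSIONS:
            findings["deleted_binaries"].append(path)
        status = row["AuthenticodeStatus"]
        if status == "SignedNotVerified":
            findings["signature_failed"].append(path)
        elif status == "NotSigned":
            findings["unsigned_pe"].append(path)
        elif status == "Unknown":
            findings["status_unknown"].append(path)
    return findings


def hashes_for_review(rows):
    """SHA256 values of in-use PE files that are not verified-signed, suitable
    for lookup against an allow list or a threat-intelligence source."""
    return sorted({row["SHA256"] for row in rows
                   if row["RecordInUse"] and row["AuthenticodeStatus"]
                   and row["AuthenticodeStatus"] not in ("SignedVerified", "CatalogSignedVerified")})


if __name__ == "__main__":
    for key, paths in triage(parse_fatinfo_csv(SAMPLE_CSV)).items():
        print(f"{key}: {paths}")
```

<p>Run against a real export, replace SAMPLE_CSV with the file contents; if the export was produced with the Default alias only, the hash and Authenticode columns will be absent and the script must be restricted to the RecordInUse check.</p>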
</section>
<section id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this heading">¶</a></h2>
<p>FatInfo can be used from the command line or with an XML configuration file. Both provide (mostly) identical access to FatInfo functionality, although configuration files allow for more complexity.</p>
<ul class="simple">
<li><dl class="simple">
<dt>Example of command-line parameters:</dt><dd><p>This syntax is intended for simple user-friendly usage.</p>
</dd>
</dl>
</li>
</ul>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo F: /out=c:\TEMP\FAT.csv /logfile=c:\TEMP\FatInfo.log /Dates,File,ParentName,SizeInBytes
</pre></div>
</div>
<ul class="simple">
<li><dl class="simple">
<dt>Example of XML configuration file:</dt><dd><p>XML configuration files can be easier for detailed and more complex usage of FatInfo.</p>
</dd>
</dl>
</li>
</ul>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><fatinfo></span>
<span class="w"> </span><span class="nt"><output></span>c:\TEMP\CompleteUSN.csv<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><logging</span><span class="w"> </span><span class="na">file=</span><span class="s">"c:\TEMP\FatInfo.log"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"><location></span>F:\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>Dates<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><default></span>File<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><default></span>ParentName<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><default></span>SizeInBytes<span class="nt"></default></span>
<span class="w"> </span><span class="nt"></columns></span>
<span class="nt"></fatinfo></span>
</pre></div>
</div>
<p>The XML configuration file is provided by using the parameter <code class="docutils literal notranslate"><span class="pre">/config</span></code>:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo /config=c:\TEMP\FatInfoConfig.xml
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>All output-related parameters (in the configuration file and in the command line) can use environment variables.</p>
</div>
<section id="fatinfo-element">
<h3><code class="docutils literal notranslate"><span class="pre">fatinfo</span></code> Element<a class="headerlink" href="#fatinfo-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>Root element.</p>
<section id="attributes">
<h4>Attributes<a class="headerlink" href="#attributes" title="Permalink to this heading">¶</a></h4>
<ul class="simple">
<li><dl class="simple">
<dt><strong>resurrect</strong> <em>(optional=yes, default=”true”)</em>, <code class="docutils literal notranslate"><span class="pre">/ResurrectRecords</span></code> option:</dt><dd><p>Configures the parser to include deleted records. This can, by design, yield unpredictable results (as we are using unreliable or partially deleted information). One can generally assume that resident attributes for those entries are valid, unlike non-resident attributes that are most likely quickly invalidated after the entry deletion. Deactivating this feature in XML can be done by writing <code class="docutils literal notranslate"><span class="pre">resurrect="no"</span></code>.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>computer</strong> <em>(optional=yes, default=”Name of the machine on which the tool runs”)</em>, <code class="docutils literal notranslate"><span class="pre">/Computer=<ComputerName></span></code> option:</dt><dd><p>Substitutes the content of the ComputerName column with a provided string.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>popsysobj</strong> <em>(optional=yes, default=False)</em>, <code class="docutils literal notranslate"><span class="pre">/PopSysObj</span></code>:</dt><dd><p>Probes available system objects and looks for hidden FAT filesystems. This can lead to unexpected behavior.</p>
</dd>
</dl>
</li>
</ul>
</section>
</section>
<section id="output-element-out-path-option">
<h3><code class="docutils literal notranslate"><span class="pre">output</span></code> Element, <code class="docutils literal notranslate"><span class="pre">/out=<Path></span></code> Option<a class="headerlink" href="#output-element-out-path-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=FatInfo.csv</em></p>
<p>For details on the <code class="docutils literal notranslate"><span class="pre">output</span></code> element syntax, please refer to the <a class="reference internal" href="configuring_tool_output.html"><span class="doc">output documentation</span></a>.</p>
</section>
<section id="location-element">
<h3><code class="docutils literal notranslate"><span class="pre">location</span></code> Element<a class="headerlink" href="#location-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>Specifies the parsed system. For details on the syntax, please refer to the <a class="reference internal" href="configuring_locations.html"><span class="doc">configuring locations documentation</span></a>.</p>
<p>When using the command line, this element must be provided in the form of a comma-separated list, as an argument at the end of the command:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo <span class="p"><</span>Location1<span class="p">></span>,<Location2>
</pre></div>
</div>
</section>
<section id="columns-element-column1-option">
<h3><code class="docutils literal notranslate"><span class="pre">columns</span></code> Element, <code class="docutils literal notranslate"><span class="pre">/<Column1>,...</span></code> Option<a class="headerlink" href="#columns-element-column1-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=Default (Alias defined below)</em></p>
<p>Information to collect in the output. Column selection is specified using a comma-separated list of included columns.</p>
<p>The following examples output the file name, its parent full-path, and its MD5 hash:</p>
<ul>
<li><p>Command-line parameter:</p>
<blockquote>
<div><div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/File,ParentName,MD5
</pre></div>
</div>
</div></blockquote>
</li>
<li><p>XML elements:</p>
<blockquote>
<div><div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>File,ParentName,MD5<span class="nt"></default></span>
<span class="nt"></columns></span>
</pre></div>
</div>
</div></blockquote>
</li>
</ul>
<p>More than one column selection can be specified, for example:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/File,ParentName,SizeInBytes /SHA1,MD5
</pre></div>
</div>
<p>Or in XML form:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>File,ParentName,SizeInBytes<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><default></span>SHA1,MD5<span class="nt"></default></span>
<span class="nt"></columns></span>
</pre></div>
</div>
<p>This allows groups of columns to be specified in a more convenient way.</p>
<p>Aliases for a set of related columns can be used, to simplify the syntax.</p>
<p>For instance, using the alias “Default” adds the following columns in the output CSV file:</p>
<blockquote>
<div><ul class="simple">
<li><p>File, ParentName,</p></li>
<li><p>Extension, Attributes, SizeInBytes,</p></li>
<li><p>CreationDate, LastModificationDate, LastAccessDate, and</p></li>
<li><p>RecordInUse</p></li>
</ul>
</div></blockquote>
<p>As an example, the following configuration yields all the columns grouped under the alias, plus MD5.</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>Default<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><default></span>MD5<span class="nt"></default></span>
<span class="nt"></columns></span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The command <code class="docutils literal notranslate"><span class="pre">DFIR-Orc.exe</span> <span class="pre">FatInfo</span> <span class="pre">/?</span></code> will print all column definitions along with the definition of aliases.</p>
</div>
</section>
<section id="add-or-omit-element-columnselection-criteria-value-option">
<h3><code class="docutils literal notranslate"><span class="pre">add</span></code> or <code class="docutils literal notranslate"><span class="pre">omit</span></code> Element, <code class="docutils literal notranslate"><span class="pre">/(+|-)<ColumnSelection>:criteria=<value></span></code> Option<a class="headerlink" href="#add-or-omit-element-columnselection-criteria-value-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=N/A</em></p>
<p>FatInfo can selectively add or omit column content, depending on whether a specific criterion is met for a file. This helps reduce resource consumption for expensive columns (e.g. MD5, AuthenticodeStatus).</p>
<p>The available criteria for FatInfo column filters are:</p>
<ul class="simple">
<li><p><strong>HasVersionInfo:</strong> if file has a VERSION_INFO resource</p></li>
<li><p><strong>HasPE:</strong> if file has a valid PE header</p></li>
<li><p><strong>ExtBinary:</strong> if file has an executable extension (like .exe, .dll, .scr, .sys, …)</p></li>
<li><p><strong>ExtArchive:</strong> if the file has an archive extension (like .zip, .cab, …)</p></li>
<li><p><strong>Ext=.Ext1,.Ext2,…:</strong> if file has extension in .Ext1,.Ext2,…</p></li>
<li><p><strong>SizeLT=<Size>, SizeGT=<Size>:</strong> if the file is smaller or bigger than a specified size. The size can be expressed in KB (e.g. SizeGT=25K) or in MB (e.g. SizeLT=5M).</p></li>
</ul>
<p>A filter is typically defined by three elements:</p>
<ol class="arabic simple">
<li><p>Add or omit</p></li>
<li><p>Criteria</p></li>
<li><p>Affected Column</p></li>
</ol>
<p>Example 1:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/+SHA1:SizeLT=1M
</pre></div>
</div>
<p>This computes the SHA1 column only if the file size is smaller than 1 MB.</p>
<p>Equivalent XML syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><add</span><span class="w"> </span><span class="na">SizeLT=</span><span class="s">"1M"</span><span class="nt">></span>SHA1<span class="nt"></add></span>
<span class="nt"></columns></span>
</pre></div>
</div>
<p>Example 2:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/-MD5:ExtArchive
</pre></div>
</div>
<p>This does not compute MD5 if the file has an archive extension (.cab, .zip).</p>
<p>Equivalent XML syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><omit</span><span class="w"> </span><span class="na">ExtArchive=</span><span class="s">""</span><span class="nt">></span>MD5<span class="nt"></omit></span>
<span class="nt"></columns></span>
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>It is important to note that the following rules are applied when defining columns:</p>
<ol class="arabic simple">
<li><p>All rules are evaluated for each file record. Among other things, this implies that some resource-consuming criteria (like HasPE) can impact the overall performance.</p></li>
<li><p>The last rule to match for a file determines if a column is evaluated (when “add” is used) or not (when “omit” is used). This implies that the order in which they appear matters.</p></li>
</ol>
</div>
<p>For example, the following filters</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><add</span><span class="w"> </span><span class="na">SizeLT=</span><span class="s">"1M"</span><span class="nt">></span>SHA1<span class="nt"></add></span>
<span class="w"> </span><span class="nt"><omit</span><span class="w"> </span><span class="na">ExtArchive=</span><span class="s">""</span><span class="nt">></span>SHA1<span class="nt"></omit></span>
<span class="nt"></columns></span>
</pre></div>
</div>
<p>imply that if a file is smaller than 1MB but has a .zip extension, then its SHA1 is not computed. However, if the order were reversed, its SHA1 would be computed and added to the CSV file, since the last matching rule would be the <code class="docutils literal notranslate"><span class="pre">add</span></code> filter.</p>
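<p>The following Python script is an added example (not DFIR ORC code) that models the column selection and filter semantics described in the <code class="docutils literal notranslate"><span class="pre">columns</span></code> section and in this one: the "Default" alias expands to the columns listed above, every add/omit rule is evaluated for each file record, and for each column the last matching rule decides whether it is computed. It reproduces the two-rule configuration just shown and its reversed order. The FileRecord type is a constructed stand-in for a directory entry: HasPE and HasVersionInfo are modelled as flags rather than by parsing content, the ExtBinary and ExtArchive sets contain only the extensions the documentation names as examples, and the treatment of a column named only in filters (disabled until a rule adds it) is an assumption drawn from Example 1.</p>

```python
"""Model of FatInfo column selection and add/omit filter evaluation.

Added example for this page, not DFIR ORC code. It follows the documented
rules: every filter is evaluated for each file record, and for a given column
the last matching filter decides whether that column is computed. The
"Default" alias expands to the columns listed in the documentation. HasPE and
HasVersionInfo are modelled as flags on a constructed file record instead of
parsing file content; the ExtBinary/ExtArchive extension sets are the examples
the documentation gives; a column named only in filters is assumed to start
out disabled (as in Example 1, where SHA1 is computed only when the rule adds it).
"""
from dataclasses import dataclass

DEFAULT_ALIAS = ["File", "ParentName", "Extension", "Attributes", "SizeInBytes",
                 "CreationDate", "LastModificationDate", "LastAccessDate", "RecordInUse"]
BINARY_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}
ARCHIVE_EXTENSIONS = {".zip", ".cab"}


@dataclass
class FileRecord:
    """Constructed stand-in for a FAT directory entry plus content probes."""
    name: str
    size: int
    has_pe: bool = False
    has_version_info: bool = False

    @property
    def extension(self):
        dot = self.name.rfind(".")
        return self.name[dot:].lower() if dot >= 0 else ""


@dataclass
class Rule:
    action: str        # "add" or "omit"
    criterion: str     # e.g. "SizeLT=1M", "ExtArchive", "Ext=.exe,.dll"
    columns: tuple


def parse_size(text):
    """Sizes may carry a K or M suffix, as in SizeGT=25K or SizeLT=5M."""
    text = text.strip().upper()
    units = {"K": 1024, "M": 1024 * 1024}
    if text and text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def criterion_matches(criterion, rec):
    """Evaluate one documented criterion against a record; value may be empty."""
    key, _, value = criterion.partition("=")
    key = key.lower()
    if key == "sizelt":
        return rec.size < parse_size(value)
    if key == "sizegt":
        return rec.size > parse_size(value)
    if key == "ext":
        return rec.extension in {e.strip().lower() for e in value.split(",")}
    if key == "extbinary":
        return rec.extension in BINARY_EXTENSIONS
    if key == "extarchive":
        return rec.extension in ARCHIVE_EXTENSIONS
    if key == "haspe":
        return rec.has_pe
    if key == "hasversioninfo":
        return rec.has_version_info
    raise ValueError(f"unknown criterion: {criterion}")


def parse_cli_filter(arg):
    """'/+SHA1:SizeLT=1M' -> Rule('add', 'SizeLT=1M', ('SHA1',))."""
    if arg[:2] not in ("/+", "/-"):
        raise ValueError(f"not a filter argument: {arg}")
    columns, _, criterion = arg[2:].partition(":")
    return Rule("add" if arg[1] == "+" else "omit", criterion,
                tuple(c.strip() for c in columns.split(",")))


def expand_selection(selection):
    """'/Default' or 'Default,MD5' -> concrete column names, aliases expanded."""
    names = []
    for col in selection.lstrip("/").split(","):
        names.extend(DEFAULT_ALIAS if col.lower() == "default" else [col])
    return names


def computed_columns(base_columns, rules, rec):
    """Columns FatInfo would evaluate for rec: the base selection, then for
    each column named in a matching rule the last matching rule wins
    (add -> computed, omit -> skipped)."""
    decisions = {}
    for rule in rules:
        if criterion_matches(rule.criterion, rec):
            for col in rule.columns:
                decisions[col] = rule.action
    result = set(base_columns)
    for col, action in decisions.items():
        (result.add if action == "add" else result.discard)(col)
    return result


if __name__ == "__main__":
    rules = [Rule("add", "SizeLT=1M", ("SHA1",)), Rule("omit", "ExtArchive", ("SHA1",))]
    small_zip = FileRecord("backup.zip", 500 * 1024)
    print("SHA1" in computed_columns(expand_selection("/Default"), rules, small_zip))        # False
    print("SHA1" in computed_columns(expand_selection("/Default"), rules[::-1], small_zip))  # True
```

<p>The ordering effect is visible in the two print statements: with the add rule first and the omit rule last, a small .zip file gets no SHA1; with the rules reversed, the add rule matches last and SHA1 is computed.</p>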
</section>
</section>
<section id="typical-usage-examples">
<h2>Typical Usage Examples<a class="headerlink" href="#typical-usage-examples" title="Permalink to this heading">¶</a></h2>
<section id="quick-discovery-of-volume-content">
<h3>Quick Discovery of Volume Content<a class="headerlink" href="#quick-discovery-of-volume-content" title="Permalink to this heading">¶</a></h3>
<p>To quickly enumerate the file system entries of FAT volumes attached to a system, the typical command line would be</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo /default /out=VolumeEntries.csv *
</pre></div>
</div>
<p>The equivalent XML syntax would be</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><fatinfo></span>
<span class="w"> </span><span class="nt"><output></span>VolumeEntries.csv<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>*<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>Default<span class="nt"></default></span>
<span class="w"> </span><span class="nt"></columns></span>
<span class="nt"></fatinfo></span>
</pre></div>
</div>
<p>This syntax extracts all required information from the FAT records and does not require any extra information to be pulled from the disk. This is the subset of information that can be systematically collected on systems.</p>
</section>
<section id="getting-detailed-information-on-binaries">
<h3>Getting Detailed Information on Binaries<a class="headerlink" href="#getting-detailed-information-on-binaries" title="Permalink to this heading">¶</a></h3>
<p>To obtain detailed information about binaries, based on the presence of version information, the typical syntax would be</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo /Default /+Details:HasVersionInfo /out=Details.csv F:
</pre></div>
</div>
<p>Equivalent XML Syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><fatinfo</span><span class="w"> </span><span class="na">walker=</span><span class="s">"MFT"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><output></span>Details.csv<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>F:\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>Default<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><add</span><span class="w"> </span><span class="na">HasVersionInfo=</span><span class="s">""</span><span class="nt">></span>Details<span class="nt"></add></span>
<span class="w"> </span><span class="nt"></columns></span>
<span class="nt"></fatinfo></span>
</pre></div>
</div>
</section>
<section id="getting-windows-pe-binaries-details">
<h3>Getting Windows PE Binaries Details<a class="headerlink" href="#getting-windows-pe-binaries-details" title="Permalink to this heading">¶</a></h3>
<p>To obtain detailed information about files that contain code, based on the presence of a valid PE header, while skipping cryptographic hash computation for large files, the typical syntax would be</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe FatInfo /Default /+Hashes,Details:HasPE /-Hashes:SizeGT=1MB F:
</pre></div>
</div>
<p>Equivalent XML Syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><fatinfo</span><span class="w"> </span><span class="na">walker=</span><span class="s">"MFT"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><output></span>%TEMP%\test.csv<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>F:\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><columns></span>
<span class="w"> </span><span class="nt"><default></span>Default<span class="nt"></default></span>
<span class="w"> </span><span class="nt"><add</span><span class="w"> </span><span class="na">HasPE=</span><span class="s">""</span><span class="nt">></span>Hashes,Details<span class="nt"></add></span>
<span class="w"> </span><span class="nt"><omit</span><span class="w"> </span><span class="na">SizeGT=</span><span class="s">"1M"</span><span class="nt">></span>Hashes<span class="nt"></omit></span>
<span class="w"> </span><span class="nt"></columns></span>
<span class="nt"></fatinfo></span>
</pre></div>
</div>
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="FastFind.html" title="FastFind"
>next</a>
<li class="right" >
<a href="configuring_tool_output.html" title="Configuring Tool Output"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2019, ANSSI. The contents of this documentation are available under the Open License version 2.0 as published by Etalab (French task force for Open Data). The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without its express approval. The contents of this documentation are available under the Open License version 2.0 as published by Etalab (French organisation for Open Data). The name DFIR ORC and the associated logo belong to ANSSI; any use must be expressly authorised by ANSSI.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 5.3.0. Theme is <a href="http://github.com/vimalkvn/solar-theme">Solar</a>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>