Targeted Server Forensic Collection

6 Posts
4 Users
0 Likes
682 Views
(@z899090)
Posts: 9
Active Member
Topic starter
 

Hi

Is there any other tool or script, apart from the Nuix collector, which can be used on a live server (Windows 2012 R2) that can filter by extension, date and keyword to cull the data prior to collection? I need to extract only specific files based on keyword or date range from a file server.

Thanks

 
Posted : 13/09/2018 3:06 pm
(@trewmte)
Posts: 1877
Noble Member
 

You can try PowerShell and use or adapt the scripts from PowerForensics - PowerShell Digital Forensics
- https://powerforensics.readthedocs.io/en/latest/
- https://github.com/Invoke-IR/PowerForensics

 
Posted : 13/09/2018 5:37 pm
(@z899090)
Posts: 9
Active Member
Topic starter
 

Thanks, that's quite helpful! Apart from PowerShell, is there a commercial or open-source tool that can do this?

 
Posted : 13/09/2018 10:18 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

When you say Keyword, are you referring to keywords in the file name, or keywords in the content of the file?

Which file types are you interested in? Word DOCX, EMails, PDFs, JPG EXIF?

Office files like DOCX are compressed, so you can't just do a simple grep-type operation and hope to match clear ASCII / Unicode text.

What about files in other files, e.g. files in a VM image, a Zip file or email attachments?

What about deleted files and shadow copy files? How deep do you want to go?

 
Posted : 14/09/2018 4:16 am
(@z899090)
Posts: 9
Active Member
Topic starter
 

This will only be limited to loose files, i.e. doc, docx, pdf and xls, xlsx, xlsxm.

By keyword I mean searching the file name and date range; ideally, if there is a way to search for a keyword within the body of the file, that would be better.

Basically what I need is to run a keyword AND/OR date range search across the file server and copy the results onto an external drive, keeping the folder structure and metadata intact.

 
Posted : 14/09/2018 8:27 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

Would it be better to collect those file extensions first, then KWS after on your forensic machine? If you do this on a server, you are putting the CPU/RAM of the server to work to do your culling. If you can target-collect and process onsite after, it may be more effective and efficient.

Then you can use any tool to image and process.

 
Posted : 14/09/2018 1:11 pm
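An added example, not posted by anyone in this thread, of the triage collection the topic starter describes using the PowerShell route trewmte suggested: it filters loose Office/PDF files by extension, last-write date range and a filename keyword, copies them with robocopy so timestamps and the folder tree survive, and writes a SHA-256 verification log. Content keyword search is deliberately left for the forensic workstation, as jpickens advises; the paths, dates and keyword are placeholders, and *.xlsm is assumed for the "xlsxm" extension mentioned above.

```powershell
# Added example (not from this thread's posters). Assumes PowerShell 4.0+ as shipped with
# Windows Server 2012 R2 (Get-FileHash, -File) and robocopy.exe. All values are placeholders.
param(
    [string]$Source       = 'D:\Shares',                 # share root to triage (placeholder)
    [string]$Destination  = 'E:\Collection\Shares',      # external drive target (placeholder)
    [string[]]$Extensions = @('*.doc','*.docx','*.pdf','*.xls','*.xlsx','*.xlsm'),
    [datetime]$From       = '2018-01-01',
    [datetime]$To         = '2018-09-14',
    [string]$NameKeyword  = 'contract',                  # matched against the file NAME only
    [string]$LogCsv       = 'E:\Collection\collection_log.csv'
)

$Source = $Source.TrimEnd('\')

# Enumerate once; access-denied folders are skipped rather than aborting the run.
$hits = Get-ChildItem -Path $Source -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To -and
        $_.Name -like "*$NameKeyword*"
    }

$log = foreach ($f in $hits) {
    # Rebuild the path relative to the share root so the folder structure is preserved.
    $relDir = $f.DirectoryName.Substring($Source.Length).TrimStart('\')
    $dstDir = if ($relDir) { Join-Path $Destination $relDir } else { $Destination }

    # /COPY:DAT keeps data, attributes and timestamps; /R:1 /W:1 stops locked files stalling the job.
    & robocopy.exe $f.DirectoryName $dstDir $f.Name /COPY:DAT /R:1 /W:1 /NP /NJH /NJS /NDL /NFL | Out-Null

    $dstFile = Join-Path $dstDir $f.Name
    $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dstHash = if (Test-Path -LiteralPath $dstFile) {
        (Get-FileHash -LiteralPath $dstFile -Algorithm SHA256).Hash
    } else { 'COPY_FAILED' }

    [pscustomobject]@{
        Source        = $f.FullName
        Destination   = $dstFile
        LastWriteTime = $f.LastWriteTime.ToString('o')
        SizeBytes     = $f.Length
        SHA256Source  = $srcHash
        SHA256Dest    = $dstHash
        Verified      = ($srcHash -eq $dstHash)
    }
}

# The CSV doubles as the collection record: what matched, where it went, and whether it verified.
$log | Export-Csv -Path $LogCsv -NoTypeInformation
'{0} files matched, {1} verified' -f @($log).Count, @($log | Where-Object Verified).Count
```

Run it from an elevated prompt on the server with the external drive attached; any row with Verified = False or SHA256Dest = COPY_FAILED should be re-copied before the drive leaves site.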