The purpose of FastFind is to check for the presence of known indicators on large installed bases. Since FastFind aims to analyze thousands of systems, it requires minimal interaction. To achieve this goal, FastFind uses an XML configuration file embedded as a resource to specify the indicators to look for.

FastFind can leverage a collection of indicators to enable sophisticated indicator search. It can:

- look up mounted file systems for known files using multiple indicators,
- look up registry hives for known signatures (keys, values, …), and
- look up the Windows object directory for known objects (Pipes, Events, …).

It does not find traces of any other system compromise (i.e. it only searches for specific known threats).

FastFind is a standalone executable: it does not require any installation prior to execution. It is currently supported by the following Windows versions: Windows Server 2012 NTFS volumes (Win32, x64).

FastFind uses the same MFT parser as NTFSInfo but specifically targets indicator lookup. For details on the MFT parser, please refer to the MFT parser configuration.

Upon successful execution, FastFind outputs the result of its findings in an XML file, with one element per file system, registry or Windows object match. It can also output up to two CSV files: one for the file system matches and one for the object matches.

Here is a sample XML output from the tool:

The output XML file is separated into three sections: filesystem, registry and object. In the XML file, each file system match is enclosed inside a filefind_match element. This element has a description attribute that reports the rule which matched.

In both CSV and XML outputs, the following information is retrieved for a file system match:

- File creation date (yyyy-MM-dd hh:mm:ss.SSS)
- Lastmodification (standardinformation element): file last write date (yyyy-MM-dd hh:mm:ss.SSS)
- Lastaccess (standardinformation element): file last read access date (yyyy-MM-dd hh:mm:ss.SSS)
- Lastentrychange (standardinformation element): file last attribute change date (yyyy-MM-dd hh:mm:ss.SSS)
- File name (hard link) creation date (yyyy-MM-dd hh:mm:ss.SSS)
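As an added example (not FastFind's own code or schema), here is how a responder might post-process the XML output described above: it walks every filefind_match, reads the rule from the description attribute, parses the standardinformation and file name timestamps in the yyyy-MM-dd hh:mm:ss.SSS format listed, and flags hits whose $STANDARD_INFORMATION creation date predates the $FILE_NAME creation date. The sample document, the record/fullname/filename element and attribute names, and the paths are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape the page describes: filesystem/registry/object
# sections, one filefind_match per hit with the matching rule in its description
# attribute. Child element and attribute names are assumptions, not FastFind's schema.
SAMPLE_XML = """<fastfind>
  <filesystem>
    <filefind_match description="name match: evil.dll">
      <record fullname="C:\\Windows\\Temp\\evil.dll">
        <standardinformation creation="2021-03-02 10:15:00.000" lastmodification="2021-03-02 10:16:30.500"
          lastaccess="2021-03-02 10:16:30.500" lastentrychange="2021-03-02 10:16:30.500"/>
        <filename creation="2021-03-02 10:15:00.000"/>
      </record>
    </filefind_match>
    <filefind_match description="hash match: known dropper">
      <record fullname="C:\\Users\\Public\\update.exe">
        <standardinformation creation="2009-07-14 01:14:36.000" lastmodification="2009-07-14 01:14:36.000"
          lastaccess="2021-03-02 10:20:00.000" lastentrychange="2021-03-02 10:20:00.000"/>
        <filename creation="2021-03-02 10:19:58.000"/>
      </record>
    </filefind_match>
  </filesystem>
  <registry/>
  <object/>
</fastfind>
"""
FMT = "%Y-%m-%d %H:%M:%S.%f"  # the yyyy-MM-dd hh:mm:ss.SSS format the page lists

def parse_matches(xml_text):
    """Return one dict per filefind_match: rule, path and the parsed timestamps."""
    out = []
    for m in ET.fromstring(xml_text).iter("filefind_match"):
        rec = m.find("record")
        si, fn = rec.find("standardinformation"), rec.find("filename")
        out.append({
            "rule": m.get("description"),
            "path": rec.get("fullname"),
            "si": {k: datetime.strptime(v, FMT) for k, v in si.attrib.items()},
            "fn_creation": datetime.strptime(fn.get("creation"), FMT),
        })
    return out

def timestomp_suspects(matches):
    """Flag hits whose $STANDARD_INFORMATION creation predates the $FILE_NAME
    creation: the SI dates are user-writable, the FN dates are not, so this
    ordering is a classic sign the visible timestamps were backdated."""
    return [m["path"] for m in matches if m["si"]["creation"] < m["fn_creation"]]
```

Feeding the real XML report into parse_matches instead of SAMPLE_XML gives a triage list sorted by rule, with the timestomp_suspects output as a first set of files to examine in depth.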