Targeted Server Forensic Collection

Post Posted: Thu Sep 13, 2018 9:06 am

Hi

Is there any other tool or script apart from Nuix Collector which can be used on a live server (Windows 2012 R2) that can filter by extension, date and keyword to cull the data prior to collection? I need to extract only specific files based on keyword or date range from a file server.

Thanks  

Z899090
Newbie
 
 
  

Re: Targeted Server Forensic Collection

Post Posted: Thu Sep 13, 2018 11:37 am

You can try PowerShell and use or adapt the scripts from PowerForensics - PowerShell Digital Forensics
- powerforensics.readthe...en/latest/
- github.com/Invoke-IR/PowerForensics
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
 
 
  

Re: Targeted Server Forensic Collection

Post Posted: Thu Sep 13, 2018 4:18 pm

Thanks, that's quite helpful! Apart from PowerShell, is there a commercial or open-source tool that can do this?

Z899090
Newbie
 
 
  

Re: Targeted Server Forensic Collection

Post Posted: Thu Sep 13, 2018 10:16 pm

When you say keyword, are you referring to keywords in the file name, or keywords in the content of the file?

Which file types are you interested in? Word DOCX, emails, PDFs, JPG EXIF?

Office files like DOCX are compressed, so you can't just do a simple grep-type operation and hope to match clear ASCII / Unicode text.

What about files in other files, e.g. files in a VM image, a Zip file or email attachments?

What about deleted files and shadow copy files? How deep do you want to go?

Passmark
Senior Member
 
 
  

Re: Targeted Server Forensic Collection

Post Posted: Fri Sep 14, 2018 2:27 am

This will only be limited to loose files, i.e. doc, docx, pdf and xls, xlsx, xlsm.

By keyword I mean searching the file name and date range; ideally, if there is a way to search for a keyword within the body of the file, that would be better.

Basically what I need is to run a keyword AND/OR date range search across the file server and copy the results onto an external drive, keeping the folder structure and metadata intact.

Z899090
Newbie
 
 
  

Re: Targeted Server Forensic Collection

Post Posted: Fri Sep 14, 2018 7:11 am

Would it be better to collect those file extensions first, then do the KWS afterwards on your forensic machine? If you do this on a server, you are putting the CPU/RAM of the server to work to do your culling. If you can target-collect and process onsite afterwards, it may be more effective and efficient.

Then you can use any tool to image and process.

jpickens
Senior Member
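The targeted collection discussed in this thread (trewmte's PowerShell suggestion, Z899090's extension / date / file-name-keyword requirements with folder structure and metadata kept intact, and jpickens's advice to cull lightly on the server and do the content keyword search on the forensic machine), written out as an added PowerShell example; it is not code from the thread or from PowerForensics. Source share, destination drive, extensions, date range and keyword are assumed sample values.

```powershell
# Targeted collection: filter loose files by extension, last-write date range and
# (optionally) a file-name keyword, copy them to an external drive keeping the
# folder structure and NTFS timestamps, and write a SHA-256 manifest for verification.
# All paths, extensions, dates and the keyword below are assumed sample values.
param(
    [string]   $Source      = 'D:\Shares\Finance',          # live file-server share (assumed)
    [string]   $Destination = 'E:\Collection\FinanceShare', # external drive (assumed)
    [string[]] $Extensions  = @('.doc','.docx','.pdf','.xls','.xlsx','.xlsm'),
    [datetime] $From        = '2018-01-01',
    [datetime] $To          = '2018-09-14',
    [string]   $NameKeyword = 'invoice'                     # '' disables the file-name filter
)

$manifest = Join-Path $Destination 'manifest.csv'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

Get-ChildItem -Path $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $Extensions -contains $_.Extension.ToLower() -and
        $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To -and
        ($NameKeyword -eq '' -or $_.Name -like "*$NameKeyword*")
    } |
    ForEach-Object {
        # Rebuild the original relative path under the destination folder
        $relative = $_.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null

        Copy-Item -LiteralPath $_.FullName -Destination $target -Force

        # Copy-Item preserves content only; reapply the source timestamps explicitly
        $copied = Get-Item -LiteralPath $target
        $copied.CreationTime   = $_.CreationTime
        $copied.LastWriteTime  = $_.LastWriteTime
        $copied.LastAccessTime = $_.LastAccessTime

        # Hash source and copy so the collection can be verified on the forensic machine
        [pscustomobject]@{
            SourcePath    = $_.FullName
            LastWriteTime = $_.LastWriteTime.ToString('o')
            SizeBytes     = $_.Length
            SourceSHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            CopySHA256    = (Get-FileHash -LiteralPath $target    -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $manifest -NoTypeInformation
```

Run it from a PowerShell 4.0 or later console (Windows Server 2012 R2 ships 4.0, which provides Get-FileHash) with an account that can read the share; the keyword filter here is on file names only, since compressed formats like DOCX need a content index or a dedicated tool on the forensic machine, as the thread notes. NTFS ACLs and alternate data streams are not carried across by Copy-Item, so use a tool that preserves them if those are in scope.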
 
 
