Targeted Server Forensic Collection  

Z899090
(@z899090)
New Member

Hi

Is there any other tool or scripts apart from Nuix Collector which can be used on a live server (Windows 2012 R2) that can filter by extension, date and keyword to cull the data prior to collection? I need to extract only specific files based on keyword or date range from a file server.

Thanks

Posted : 13/09/2018 4:06 pm
trewmte
(@trewmte)
Community Legend

You can try PowerShell and use or adapt the scripts from PowerForensics - PowerShell Digital Forensics
- https://powerforensics.readthedocs.io/en/latest/
- https://github.com/Invoke-IR/PowerForensics

Posted : 13/09/2018 6:37 pm
Z899090
(@z899090)
New Member

Thanks, that's quite helpful! Apart from PowerShell, is there a commercial or open-source tool that can do this?

Posted : 13/09/2018 11:18 pm
Passmark
(@passmark)
Active Member

When you say Keyword, are you referring to keywords in the file name, or keywords in the content of the file?

Which file types are you interested in? Word DOCX, EMails, PDFs, JPG EXIF?

Office files like DOCX are compressed. So you can't just do a simple grep type operation and hope to match clear ASCII / Unicode text.

What about files in other files, e.g. files in a VM image, a Zip file or email attachments?

What about deleted files and shadow copy files? How deep do you want to go?

Posted : 14/09/2018 5:16 am
Z899090
(@z899090)
New Member

This will only be limited to loose files, i.e. doc, docx, pdf and xls, xlsx, xlsxm.

By keyword I mean searching file name and date range; ideally, if there is a way to search for a keyword within the body of the file, that would be better.

Basically what I need is to run a keyword AND/OR date range search across the file server and copy the results onto an external drive, keeping the folder structure and metadata intact.

Posted : 14/09/2018 9:27 am
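As an added illustration of the PowerShell route trewmte suggested, applied to the requirement Z899090 describes (extension filter, file-name keyword AND/OR date range, copy to an external drive with folder structure and timestamps preserved, plus a hash log for later verification). This is example code, not from the thread or from PowerForensics; the paths, keyword, dates and the .xlsm extension are placeholders/assumptions, and the keyword is matched against file names only, since compressed Office content needs extraction first, as Passmark noted.

```powershell
# Added example (not from the thread). Source, destination, keyword and dates are placeholders.
$Source   = '\\FILESERVER\Share'   # UNC or local path on the server (placeholder)
$Dest     = 'E:\Collection'        # external drive (placeholder)
$Include  = '*.doc','*.docx','*.pdf','*.xls','*.xlsx','*.xlsm'   # .xlsm assumed for the macro-enabled type
$Keyword  = 'contract'             # matched against the file NAME only, not document content
$Start    = Get-Date '2018-01-01'
$End      = Get-Date '2018-09-14'
$MatchAny = $false                 # $false = keyword AND date range; $true = keyword OR date range

function Test-Target {
    param([System.IO.FileInfo]$File)
    $byName = $File.Name -like "*$Keyword*"
    $byDate = ($File.LastWriteTime -ge $Start) -and ($File.LastWriteTime -le $End)
    if ($MatchAny) { return ($byName -or $byDate) }
    return ($byName -and $byDate)
}

$log = @()
Get-ChildItem -Path $Source -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    Where-Object { Test-Target $_ } |
    ForEach-Object {
        # Rebuild the source folder structure underneath $Dest
        $relative  = $_.FullName.Substring($Source.Length).TrimStart('\')
        $target    = Join-Path $Dest $relative
        $targetDir = Split-Path $target -Parent
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }

        # Capture timestamps before copying and reapply them afterwards: Copy-Item keeps
        # LastWriteTime but stamps CreationTime with the time of the copy.
        $created  = $_.CreationTimeUtc
        $written  = $_.LastWriteTimeUtc
        $accessed = $_.LastAccessTimeUtc
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        $copy = Get-Item -LiteralPath $target
        $copy.CreationTimeUtc   = $created
        $copy.LastWriteTimeUtc  = $written
        $copy.LastAccessTimeUtc = $accessed

        # Hash source and copy so the collection can be verified on the forensic machine
        $log += [pscustomobject]@{
            Source       = $_.FullName
            Target       = $target
            SizeBytes    = $_.Length
            LastWriteUtc = $written
            SourceSHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            TargetSHA256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }
    }
$log | Export-Csv -Path (Join-Path $Dest 'collection_log.csv') -NoTypeInformation
```

Rows in collection_log.csv whose SourceSHA256 and TargetSHA256 differ indicate a file that should be re-collected; as jpickens points out below, the hashing and filtering run on the server's CPU, so a plain extension-based collection followed by keyword searching offsite is the lighter option.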
jpickens
(@jpickens)
Active Member

Would it be better to collect those file extensions first then KWS after on your forensic machine? If you do this on a server, you are putting CPU/RAM of the server to work to do your culling. If you can target collect and process onsite after, it may be more effective and efficient.

Then you can use any tool to image and process.

Posted : 14/09/2018 2:11 pm