FastFinder - Incident Response - Fast suspicious file finder

What is this project designed for?

FastFinder is a lightweight tool made for threat hunting, live forensics and triage on Windows Platform. It is focused on enpoint enumeration and suspicious file finding based on various criterias:

• file path / name
• simple string content match
• complex content condition(s) based on YARA

Installation

Compiled release of this software are available. If you want to compile from sources, it could be a little bit tricky cause it's stronly depends of go-yara and CGO compilation. Anyway, you'll find a detailed documentation here

Usage

fastfinder [-h|--help] -c|--string "<value>"

Arguments:

  -h  --help    Print help information
  -c  --configuration  fastfind configuration file

Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

Scan and export file match according to your needs

a configuration file example is available here in this repository

input:
    path: [] # match file path AND / OR file name based on simple string 
    content:
        grep: [] # match literal string value inside file contente
        yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions) 
options:
    findInHardDrives: true	# enumerate hard drive content
    findInRemovableDrives: true # enumerate removable drive content 
    findInNetworkDrives: true # enumerate network drive content
output:
    base64Files: true # base64 matched content before copy
    filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder

Note for input path:

• '?' for simple char and '\*' for multiple chars wildcards are available for simple string
• environment variables are also available
• regular expression are allowed , they should be enclosed by //
• input path are always case INSENSITIVE
• input content grep strings are always case SENSITIVE
• backslashes haven't to be escaped on simple string pattern (see example)

About this project and future versions

I initially created this project to automate the creation of fastfind on a wide computer network. It fulfills the needs I have today, nevertheless if you have complementary ideas, do not hesitate to ask for, I will see to implement them if they can be useful for everyone. On the other hand, pull request will be studied carefully.