search

DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1
389 stars 42 forks source link

GetThis ntfs_exclude strange behaviours #25

Closed sydurand closed 4 years ago

sydurand commented 4 years ago

Hello,

I use the last version of DFIR-Orc.

In one of my configuration file I use the following configuration :

<?xml version="1.0"?>
<getthis reportall="">
    <output compression="normal"/>
    <location altitude="highest" shadows="yes">%SystemDrive%</location>
    <samples MaxTotalBytes="1GB" MaxPerSampleBytes="650MB">

        <sample name="INF" MaxPerSampleBytes="1MB">
            <ntfs_find name_match="*.inf"/>
            <ntfs_exclude path_match="\Windows\*"/>
            <ntfs_exclude path_match="\Program Files\*"/>
            <ntfs_exclude path_match="\Program Files (x86)\*"/>
        </sample>

        <sample name="Prefetch" MaxPerSampleBytes="20MB">
            <ntfs_find path_match="\Windows\Prefetch\*.pf"/>
            <ntfs_find path_match="\Windows\Prefetch\layout.ini"/>
        </sample>

        <sample name="SuperFetch" MaxPerSampleBytes="20MB">
            <ntfs_find name_match="Ag*.db"/>
        </sample>

        <sample name="Lnk" MaxPerSampleBytes="20MB">
            <ntfs_find name_match="*.lnk"/>
        </sample>
...
    </samples>
</getthis>

But the ntfs_exclude directives present in "INF" sample section seems to be applied globally (cf. log extract below). Is it a normal behaviour ? If yes how I can exclude paths only in for a specific sample section ?

Best Regards,

Samples looked after:

   Sample: INF (max 1048576 bytes per sample) (copy data)

      Name matches *.inf

   Sample: Prefetch (max 20971520 bytes per sample) (copy data)

      Path matches \Windows\Prefetch\*.pf
      Path matches \Windows\Prefetch\layout.ini

   Sample: SuperFetch (max 20971520 bytes per sample) (copy data)

      Name matches Ag*.db

   Sample: Lnk (max 20971520 bytes per sample) (copy data)

      Name matches *.lnk

Samples excluded:

      Path matches \Windows\*
      Path matches \Program Files\*
      Path matches \Program Files (x86)\*
sydurand commented 4 years ago

I read the documentation and the ntfs_exclude is applied at the whole configuration file sadly.

sc-anssi commented 4 years ago

Hi Sylvain, Yes you'll have to use another instance of GetThis (and configuration file) to collect your *.inf files with the proper exclusions you wanted.

tags are merely a way to apply specific limits and sort samples in the resulting archive.