EricZimmerman / KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE.
MIT License

Use variable inside a regex in FileMask #490

Closed vtgdias closed 3 years ago

vtgdias commented 3 years ago

KAPE version

v1.0.0.0

Is it possible to use regex inside FileMask (target tkape files)?

I've tried some variations like:

FileMask: regex:.{%keyword%}..(pdf|xls|xlsx|csv|bmp|cdr|gif|jpg2|mj2jpeg|jpg|pcx|png|svg|tiff|webp|doc|docx|dotx|odt|rtf)

FileMask: regex:.%keyword%..(pdf|xls|xlsx|csv|bmp|cdr|gif|jpg2|mj2jpeg|jpg|pcx|png|svg|tiff|webp|doc|docx|dotx|odt|rtf)

FileMask: regex:"." + %keyword% + "..(pdf|xls|xlsx|csv|bmp|cdr|gif|jpg2|mj2jpeg|jpg|pcx|png|svg|tiff|webp|doc|docx|dotx|odt|rtf)"

FileMask: regex:.(%keyword%)..(pdf|xls|xlsx|csv|bmp|cdr|gif|jpg2|mj2jpeg|jpg|pcx|png|svg|tiff|webp|doc|docx|dotx|odt|rtf)

but none seems to work. KAPE runs without problem but no files are found (using it in a controlled environment with few files to match the regex).

If this isn't available, is there another way of achieving the same result? Could it be implemented?

EricZimmerman commented 3 years ago

No. Variables inside regex are not supported.

Just pull all the extensions and filter afterwards

EricZimmerman commented 3 years ago

This becomes problematic because if people use some funky keyword with regex in it I then have to worry about escaping those etc.

What is the use case here.

vtgdias commented 3 years ago

Hi Eric,

I work as a forensic analyst for the State Police of Rio de Janeiro. I am trying to create a target that pulls files based on a keyword, as we constantly have to look for files in an 'on site investigation', to seize only what is related to the investigation. E.g.: files that have names using some keyword, mostly based on financial records (nota_fiscal.pdf). Seizing all files with certain extensions could sometimes generate TB of data.

I thought of creating a target tkape file for that but perhaps there is another way using KAPE's features.

tks in advance

On Tue, May 25, 2021 at 5:54 PM Eric @.***> wrote:

This becomes problematic because if people use some funky keyword with regex in it I then have to worry about escaping those etc.

What is the use case here.


-- Kind regards, Vinicius T. G. Dias

"A password should be like a toothbrush. Use it every day; change it regularly; and DON'T share it with friends" - USENET
"The quieter you become, the more you are able to hear"
"When mountains speak, wise men listen" - John Muir
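
The "pull all the extensions and filter afterwards" approach from the thread, sketched as an added Python example that is not part of the original issue or of KAPE. It escapes the keyword before building the regex, which is the concern raised about "funky" keywords; the function names and sample paths are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions taken from the FileMask attempts in the issue.
EXTENSIONS = ("pdf xls xlsx csv bmp cdr gif jpg2 mj2jpeg jpg pcx png svg "
              "tiff webp doc docx dotx odt rtf").split()


def build_name_filter(keyword, extensions=EXTENSIONS):
    """Compile a case-insensitive pattern: <anything>keyword<anything>.<ext>.

    re.escape() makes every character of the keyword literal, so input such
    as "nota.fiscal" or "(copy" cannot change or break the pattern.
    """
    if not keyword:
        raise ValueError("empty keyword would match every file")
    exts = "|".join(re.escape(e) for e in extensions)
    return re.compile(rf".*{re.escape(keyword)}.*\.(?:{exts})", re.IGNORECASE)


def filter_collected(paths, keyword):
    """Return the collected paths whose file name (not folder) has the keyword."""
    pattern = build_name_filter(keyword)
    return [p for p in paths
            if pattern.fullmatch(PureWindowsPath(p).name)]


# Constructed sample: paths as they might appear in a collection output folder.
SAMPLE = [
    r"C:\out\C\Users\ana\Documents\nota_fiscal_2021.pdf",
    r"C:\out\C\Users\ana\Documents\NOTA.FISCAL (copy).XLSX",
    r"C:\out\C\Users\ana\Documents\notaXfiscal.pdf",
    r"C:\out\C\Users\ana\Pictures\holiday.jpg",
    r"C:\out\C\Users\ana\nota_fiscal\readme.txt",
]

if __name__ == "__main__":
    # "nota.fiscal" unescaped would also hit notaXfiscal.pdf; "(copy" unescaped
    # would raise re.error. Escaped, both behave as plain substrings.
    for kw in ("nota_fiscal", "nota.fiscal", "(copy"):
        print(kw, "->", filter_collected(SAMPLE, kw))
```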