google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Enhanced File Information #33

Open destijl opened 9 years ago

destijl commented 9 years ago

From sean.gillespie.32 on October 06, 2014 14:51:35

Can the following features be added to file data?

  1. Support for all 8 timestamps associated with NTFS for Windows hosts since all of the timestamps are used for determining what actions have been taken or if there are any anomalies.
  2. Support for filemagic file identification. This would allow rapid identification of interesting files in listings as well as specific searches such as rar files in system directories.
  3. Support for PEHeader parsing. Imports, Exports, and VersionInfo are extremely useful for detecting malicious files.

These should all be pretty lightweight client actions that would have a lower impact when used than acquiring all of the files before processing them.

Original issue: http://code.google.com/p/grr/issues/detail?id=120
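The eight NTFS timestamps from item 1, and the anomaly check they make possible, as an added Python example that is not GRR or pytsk code: it unpacks the four FILETIMEs held in a $STANDARD_INFORMATION attribute body and the four held in a $FILE_NAME attribute body, then applies two widely used timestomping heuristics. The attribute bodies are constructed in-line and the function names are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Order in which both $SI and $FN store their four timestamps.
MACE = ("created", "modified", "mft_changed", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_ntfs_timestamps(si_body: bytes, fn_body: bytes) -> dict:
    """All eight timestamps: $STANDARD_INFORMATION keeps its four FILETIMEs at
    offset 0; $FILE_NAME keeps its four at offset 8, after the 8-byte parent
    directory reference. Later fields of either attribute are ignored here."""
    si = struct.unpack_from("<4Q", si_body, 0)
    fn = struct.unpack_from("<4Q", fn_body, 8)
    stamps = {}
    for name, si_ft, fn_ft in zip(MACE, si, fn):
        stamps["si_" + name] = filetime_to_datetime(si_ft)
        stamps["fn_" + name] = filetime_to_datetime(fn_ft)
    return stamps


def timestomp_indicators(stamps: dict) -> list:
    """Heuristics that need both attribute sets, which is why item 1 asks for all eight."""
    findings = []
    # $FN is written by the kernel on create/rename and is not reachable through
    # SetFileTime, so a $SI creation time earlier than $FN suggests $SI was backdated.
    if stamps["si_created"] < stamps["fn_created"]:
        findings.append("si_created precedes fn_created")
    # Tools that rewrite $SI commonly leave whole-second values. Heuristic only:
    # files copied from FAT media or extracted from archives can look the same.
    for name in MACE:
        if stamps["si_" + name].microsecond == 0:
            findings.append("si_%s has zero sub-second component" % name)
    return findings


def build_bodies(si_times, fn_times):
    """Constructed raw $SI and $FN bodies for testing, not read from a real MFT."""
    si = struct.pack("<4Q", *map(datetime_to_filetime, si_times))
    fn = b"\x00" * 8 + struct.pack("<4Q", *map(datetime_to_filetime, fn_times))
    return si, fn


# Constructed sample: real creation 2014-10-06, $SI creation later set to 2009-01-01.
REAL = datetime(2014, 10, 6, 14, 51, 35, 123456, tzinfo=timezone.utc)
FAKE = datetime(2009, 1, 1, tzinfo=timezone.utc)
SAMPLE_SI, SAMPLE_FN = build_bodies((FAKE, REAL, REAL, REAL), (REAL,) * 4)

if __name__ == "__main__":
    stamps = parse_ntfs_timestamps(SAMPLE_SI, SAMPLE_FN)
    for key, value in stamps.items():
        print(key, value.isoformat())
    print(timestomp_indicators(stamps))
```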

pidydx commented 9 years ago

Submitted pull request for testing that enables crtime in TSK when available, file magic file identification, and PEHeader parsing. Future work for similar basic info parsing for ELF and Mach-O is being explored.

pidydx commented 9 years ago

MetaFS will likely be the best way to handle 2 and 3 and pytsk needs fixes/updates to handle 1