Intro
In cybersecurity work there are times when you need to locate specific files on a system, whether for an incident investigation or in response to a request from HR. Whatever the reason, being able to find files quickly and accurately is crucial for effective security operations.
Usefulness
In addition to simply locating files by name, it is also important to have access to the properties and metadata associated with those files. This information can be useful for legal purposes, further investigations, or any number of other uses. For example, knowing when a file was created, last modified, or last accessed gives valuable insight into its usage history, and knowing where the file sits on disk gives incident response teams context for quickly identifying potential sources of compromise.
File hashes are useful for finding files because they provide an identifier that is independent of the file's name or location. Given the hash of a file of interest, investigators can compute hashes on a host and compare them against that value, which quickly surfaces any copy of the file regardless of what it has been renamed to.
However, a hash is not always available up front, so it is important to have alternate methods for locating files on a system.
Script
The following script takes an array of file names and searches for them recursively across every file-system drive, starting at the root of each drive. If anything is found, the matching files and their properties are written to C:\temp\files_found_${env:COMPUTERNAME}_$(Get-Date -Format 'yyyyMMdd_HHmm').csv (that is, files_found_<hostname>_<yyyyMMdd_HHmm>.csv).
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# File names to hunt for; matching is on the name only, not on the path
$filesToFind = @("file1.txt", "file2.xlsx", "file3.jpg")

# ${env:COMPUTERNAME} must be braced here: "$env:COMPUTERNAME_" would be parsed as
# the (empty) variable COMPUTERNAME_ and the host name would vanish from the file name
$outputFile = "C:\temp\files_found_${env:COMPUTERNAME}_$(Get-Date -Format 'yyyyMMdd_HHmm').csv"
# Make sure the output folder exists before Export-Csv tries to write into it
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $outputFile) -Force

# Function to make size calculations pretty
function Get-FormattedByteSize {
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline=$true)]
        [double]$ByteSize
    )
    $SizeUnits = @("bytes", "KB", "MB", "GB", "TB", "PB")
    $ByteSize | ForEach-Object {
        $UnitIndex = 0
        $Size = [math]::Round($_, 2)
        while ($Size -ge 1KB) {
            $Size = $Size / 1KB
            $UnitIndex++
        }
        "{0:N2} {1}" -f $Size, $SizeUnits[$UnitIndex]
    }
}

$results = @()
# Walk every file-system drive from its root. -Force includes hidden and system items;
# -File skips directories, which would otherwise match by name and then fail Get-FileHash
Get-PSDrive -PSProvider FileSystem -ErrorAction SilentlyContinue |
    ForEach-Object {
        $root = $_.Root
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $filesToFind -contains $_.Name } |
            ForEach-Object {
                $item = $_
                # Hash is $null for files that cannot be opened (locked or access denied)
                $hash = (Get-FileHash -Path $item.FullName -ErrorAction SilentlyContinue).Hash
                $properties = Get-ItemProperty -Path $item.FullName -ErrorAction SilentlyContinue
                $results += [PSCustomObject]@{
                    Name           = $item.Name
                    Path           = $item.FullName
                    Size           = Get-FormattedByteSize -ByteSize $item.Length -ErrorAction SilentlyContinue
                    SHA256         = $hash
                    CreationTime   = $properties.CreationTime
                    LastWriteTime  = $properties.LastWriteTime
                    LastAccessTime = $properties.LastAccessTime
                }
            }
    }
$results | Export-Csv -Path $outputFile -NoTypeInformation
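The hash-based search described in the Usefulness section, as an added example that is not part of the original script: instead of matching on names, every file on every drive is hashed and compared against a set of known SHA256 values. The hash value, the 200MB size cap and the output path are placeholders and assumptions chosen for this example.

```powershell
# Added example (not from the original post): hunt by known SHA256 values rather than
# by file name. The hash below is a constructed placeholder, not a real indicator.
$knownHashes = @(
    "0000000000000000000000000000000000000000000000000000000000000000"   # placeholder
)
$outputFile = "C:\temp\hash_hits_${env:COMPUTERNAME}_$(Get-Date -Format 'yyyyMMdd_HHmm').csv"
$maxBytes   = 200MB   # assumption: skip very large files so the sweep finishes in reasonable time
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $outputFile) -Force

# Case-insensitive set: Get-FileHash returns upper-case hex, but hashes in a report or
# ticket are often lower-case, and a plain -contains on mixed case would silently miss them
$hashSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$knownHashes, [System.StringComparer]::OrdinalIgnoreCase)

$hits = [System.Collections.Generic.List[object]]::new()
Get-PSDrive -PSProvider FileSystem -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $maxBytes } |
        ForEach-Object {
            # Locked files (pagefile, registry hives, open databases) cannot be read;
            # Get-FileHash returns nothing for them and they are skipped, not reported
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and $hashSet.Contains($h.Hash)) {
                $hits.Add([PSCustomObject]@{
                    Path           = $_.FullName
                    SHA256         = $h.Hash
                    SizeBytes      = $_.Length
                    CreationTime   = $_.CreationTime
                    LastWriteTime  = $_.LastWriteTime
                    LastAccessTime = $_.LastAccessTime
                })
            }
        }
}
$hits | Export-Csv -Path $outputFile -NoTypeInformation
Write-Host ("{0} matching file(s) written to {1}" -f $hits.Count, $outputFile)
```

Note that LastAccessTime is only meaningful on volumes where NTFS last-access updates are enabled (they are frequently disabled for performance), so treat it as a hint rather than evidence on its own.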
Conclusion
Having multiple methods for finding files on a system is essential for effective incident response and investigations. While hash values can be a powerful tool, they are not always available, and other methods must be used in order to identify and locate files. By having a range of techniques available, investigators can more effectively respond.