Generic.Forensic.LocalHashes.Glob

This artifact maintains a local (client side) database of file hashes. It is then possible to query this database using the Generic.Forensic.LocalHashes.Query artifact

Maintaining hashes client side allows Velociraptor to answer the query - which machine has this hash on our network extremely quickly. Velociraptor only needs to lookup the each client’s local database of file hashes.

Maintaining this database case be done using this artifact or using the Windows.Forensics.LocalHashes.Usn artifact.

This artifact simply crawls the filesystem hashing files as specified by the glob expression, and adds them to the local hash database. You can rate limit this artifact using the ops/sec setting to perform a slow update of the local file hash database.

name: Generic.Forensic.LocalHashes.Glob
description: |
  This artifact maintains a local (client side) database of file
  hashes. It is then possible to query this database using the
  Generic.Forensic.LocalHashes.Query artifact

  Maintaining hashes client side allows Velociraptor to answer the
  query - which machine has this hash on our network extremely
  quickly. Velociraptor only needs to lookup the each client's local
  database of file hashes.

  Maintaining this database case be done using this artifact or using
  the Windows.Forensics.LocalHashes.Usn artifact.

  This artifact simply crawls the filesystem hashing files as
  specified by the glob expression, and adds them to the local hash
  database. You can rate limit this artifact using the ops/sec setting
  to perform a slow update of the local file hash database.

parameters:
  - name: HashGlob
    description: Search for files according to this glob and hash them.
    default: C:/Users/**/*.exe

  - name: HashDb
    description: Name of the local hash database
    default: hashdb.sqlite

  - name: SuppressOutput
    description: If this is set, the artifact does not return any rows to the server but will still update the local database.
    type: bool

sources:
  - query: |
      LET hash_db <= SELECT OSPath
      FROM Artifact.Generic.Forensic.LocalHashes.Init(HashDb=HashDb)

      LET path <= hash_db[0].OSPath

      LET _ <= log(message="Will use local hash database " + path)

      // Crawl the files and calculate their hashes
      LET files = SELECT OSPath, Size, hash(path=OSPath).MD5 AS Hash
      FROM glob(globs=HashGlob)
      WHERE Mode.IsRegular

      LET insertion = SELECT OSPath, Hash, Size, {
         SELECT * FROM sqlite(file=path,
            query="INSERT into hashes (path, md5, timestamp, size) values (?,?,?,?)",
            args=[OSPath.String, Hash, now(), Size])
      } AS Insert
      FROM files
      WHERE Insert OR TRUE

      SELECT OSPath, Hash, Size
      FROM insertion
      WHERE NOT SuppressOutput