Did a specific file exist on this machine in the past or does it still exist on this machine?
This common question comes up frequently in cases of IP theft, discovery and other matters. One way to answer this question is to search the $MFT file for any references to the specific filename. If the filename is fairly unique then a positive hit on that name generally means the file was present.
Simply determining that a filename existed on an endpoint in the past is significant for some investigations.
This artifact applies a YARA search for a set of filenames of interest to the $MFT file. For any hit, the artifact then identifies the MFT entry where the hit was found (the hit's byte offset divided by the 1024-byte record size) and attempts to resolve that entry to an actual filename. The entry's in-use flag separates the two halves of the question: a record that is no longer in use belonged to a file that has since been deleted, while the filename it carries survives until the entry is reused.
name: Windows.Forensics.FilenameSearch
description: |
  Did a specific file exist on this machine in the past or does it
  still exist on this machine?

  This common question comes up frequently in cases of IP theft,
  discovery and other matters. One way to answer this question is to
  search the $MFT file for any references to the specific filename. If
  the filename is fairly unique then a positive hit on that name
  generally means the file was present.

  Simply determining that a filename existed on an endpoint in the
  past is significant for some investigations.

  This artifact applies a YARA search for a set of filenames of
  interest on the $MFT file. For any hit, the artifact then identifies
  the MFT entry where the hit was found and attempts to resolve that
  to an actual filename.

parameters:
  - name: yaraRule
    default: |
      rule Hit {
        strings:
          $a = "my secret file.txt" nocase wide ascii
        condition:
          any of them
      }
    type: yara
  - name: Device
    default: "C:"

sources:
  - query: |
      SELECT String.Offset AS Offset,
             String.HexData AS HexData,
             parse_ntfs(device=Device,
                        mft=String.Offset / 1024) AS MFT
      FROM yara(
          rules=yaraRule, files=Device + "/$MFT",
          end=10000000000,
          number=1000,
          accessor="ntfs")
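The two steps the query above performs, as an added Python example that is not part of the artifact or of Velociraptor: a search over a raw $MFT image that mirrors the rule's `nocase wide ascii` modifiers, then `offset // 1024` to find the FILE record, which is parsed (update-sequence fixups undone, attribute chain walked) to recover the $FILE_NAME names it carries and whether the record is still in use. The $MFT image is a constructed fixture built inside the block; the record and attribute layouts follow the NTFS on-disk format, and the helper names are this example's own.

```python
"""Resolve YARA-style filename hits on a raw $MFT to the records behind them.
Added example, not Velociraptor's code; the $MFT image is a constructed fixture."""
import re
import struct

RECORD_SIZE = 1024      # NTFS default; on a real volume read it from the boot sector
SECTOR_SIZE = 512
FILE_NAME_ATTR = 0x30
DATA_ATTR = 0x80
END_MARKER = 0xFFFFFFFF


def resident_attr(atype: int, body: bytes) -> bytes:
    """Resident attribute: 24-byte header, content at 0x18, length padded to 8 bytes."""
    length = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0,
                      len(body), 0x18, 0, 0)
    return (hdr + body).ljust(length, b"\0")


def file_name_body(name: str) -> bytes:
    """$FILE_NAME content: parent ref, four timestamps, sizes, flags, then the UTF-16LE name."""
    fixed = struct.pack("<QQQQQQQII", 5, 0, 0, 0, 0, 0, 0, 0, 0)  # parent = root (entry 5)
    return fixed + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")


def build_record(number: int, names, in_use: bool = True, data: bytes = None) -> bytes:
    """Constructed FILE record with the update-sequence fixups applied as they are on disk."""
    attrs = b"".join(resident_attr(FILE_NAME_ATTR, file_name_body(n)) for n in names)
    if data is not None:
        attrs += resident_attr(DATA_ATTR, data)
    attrs += struct.pack("<I", END_MARKER) + b"\0" * 4
    assert 0x38 + len(attrs) <= RECORD_SIZE, "fixture record too large"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      0x01 if in_use else 0x00, 0x38 + len(attrs), RECORD_SIZE,
                      0, 0, 0, number)
    rec = bytearray((hdr + b"\0" * 8 + attrs).ljust(RECORD_SIZE, b"\0"))
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):  # save each sector's last word in the array, stamp the USN over it
        end = SECTOR_SIZE * i
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def parse_record(record: bytes) -> dict:
    """Undo the fixups, then walk the attribute chain collecting $FILE_NAME names."""
    if record[:4] != b"FILE":
        return {"valid": False}
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = SECTOR_SIZE * i
        if rec[end - 2:end] != usn:          # torn write or corrupt record
            return {"valid": False}
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    number, = struct.unpack_from("<I", rec, 44)
    names, pos = [], attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen == 0:
            break
        if atype == FILE_NAME_ATTR and rec[pos + 8] == 0:   # resident $FILE_NAME
            body = pos + struct.unpack_from("<H", rec, pos + 20)[0]
            nlen = rec[body + 0x40]
            names.append(rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le"))
        pos += alen
    return {"valid": True, "record": number, "in_use": bool(flags & 1), "names": names}


def search(mft: bytes, filename: str) -> list:
    """Emulate `$a = "<filename>" nocase wide ascii`, then resolve each hit's record."""
    pattern = b"|".join(re.escape(filename.encode(enc)) for enc in ("ascii", "utf-16-le"))
    hits = []
    for m in re.finditer(pattern, mft, re.IGNORECASE):
        entry = m.start() // RECORD_SIZE                # the artifact's String.Offset / 1024
        rec = parse_record(mft[entry * RECORD_SIZE:(entry + 1) * RECORD_SIZE])
        hits.append({"offset": m.start(), "entry": entry,
                     "encoding": "wide" if b"\0" in m.group() else "ascii", **rec})
    return hits


def build_sample_mft() -> bytes:
    """Constructed 48-record $MFT: entry 40 is a deleted file, entry 42 names it in $DATA."""
    special = {
        0: build_record(0, ["$MFT"]),
        40: build_record(40, ["My Secret File.txt"], in_use=False),
        41: build_record(41, ["Notes.txt"]),
        42: build_record(42, ["readme.txt"], data=b"see my secret file.txt for details\n"),
    }
    return b"".join(special.get(i, b"\0" * RECORD_SIZE) for i in range(48))


if __name__ == "__main__":
    print(*search(build_sample_mft(), "my secret file.txt"), sep="\n")
```

Two things the fixture makes visible. A hit does not have to sit in a $FILE_NAME attribute: entry 42 matches because the string appears in resident $DATA, so the resolved name is `readme.txt`, not the name searched for; the same happens when the string lies in the parent directory's index, so compare the matched bytes against the resolved names before concluding anything. Entry 40 matches in its $FILE_NAME but has the in-use flag clear, which is the "existed in the past" answer. On a real volume, take the record size from the boot sector rather than assuming 1024, and keep in mind that the last two bytes of every 512-byte sector of a raw record hold the update sequence number, so a string that straddles that boundary will not match a raw scan.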