Raw Files
Raw Files produces a Windows file listing by parsing the NTFS file system with the
ntfs crate, recursively walking the files
and directories on the system. If hashing or PE parsing is enabled, it will
also read the file contents. Raw Files also supports decompressing compressed
files that carry the WofCompression alternate data stream (ADS) attribute.
Since a file listing can be extremely large, artemis outputs the data every 100k entries
and then continues.
Other Parsers:
- Any tool that parses the NTFS file system
References:
TOML Collection
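system = "windows"

[output]
name = "ntfs_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "rawfiles"
[artifacts.rawfiles]
# Required: drive to parse and where to begin walking
drive_letter = 'C'
start_path = "C:\\"
# Required: maximum directory depth below start_path (max 255)
depth = 20
# Required: carve deleted entries from $INDX
recover_indx = false
# Optional. Declare this key only once: TOML rejects duplicate keys in a table
metadata = true # Get PE metadata
# Optional
md5 = false
# Optional
sha1 = false
# Optional
sha256 = false
# Optional
path_regex = ""
# Optional
filename_regex = ""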
Collection Options
- drive_letter: Drive letter to use to parse the NTFS file system. This configuration is required.
- start_path: Directory to start walking the filesystem. This configuration is required.
- depth: How many directories to descend from the start_path. Must be a positive number. Max value is 255. This configuration is required.
- recover_indx: Boolean value to carve deleted entries from the $INDX attribute. Can show evidence of deleted files.
- metadata: Get PE data from PE files. This configuration is optional. Default is false.
- md5: Boolean value to enable MD5 hashing on all files. This configuration is optional. Default is false.
- sha1: Boolean value to enable SHA1 hashing on all files. This configuration is optional. Default is false.
- sha256: Boolean value to enable SHA256 hashing on all files. This configuration is optional. Default is false.
- path_regex: Only descend into paths (directories) that match the provided regex. This configuration is optional. Default is no regex.
- file_regex (written as filename_regex in the TOML example above): Only return entries that match the provided regex. This configuration is optional. Default is no regex.
Output Structure
An array of WindowsRawFileInfo entries
/**
 * One file or directory entry produced by the rawfiles artifact while walking the NTFS file system.
 * Timestamps are UNIX epoch seconds. Hash and PE fields are only populated when the
 * matching collection option is enabled.
 */
export interface RawFileInfo {
/**Full path to file or directory */
full_path: string;
/**Directory path */
directory: string;
/**Filename */
filename: string;
/**Extension of file if any */
extension: string;
/**Created timestamp in UNIXEPOCH seconds ($STANDARD_INFORMATION) */
created: number;
/**Modified timestamp in UNIXEPOCH seconds ($STANDARD_INFORMATION) */
modified: number;
/**Changed (MFT record modified) timestamp in UNIXEPOCH seconds ($STANDARD_INFORMATION) */
changed: number;
/**Accessed timestamp in UNIXEPOCH seconds ($STANDARD_INFORMATION) */
accessed: number;
/**Filename created timestamp in UNIXEPOCH seconds ($FILE_NAME) */
filename_created: number;
/**Filename modified timestamp in UNIXEPOCH seconds ($FILE_NAME) */
filename_modified: number;
/**Filename accessed timestamp in UNIXEPOCH seconds ($FILE_NAME) */
filename_accessed: number;
/**Filename changed timestamp in UNIXEPOCH seconds ($FILE_NAME) */
filename_changed: number;
/**Size of file in bytes */
size: number;
/**Size of file if compressed */
compressed_size: number;
/**Compression type used on file */
compression_type: string;
/**Inode entry (MFT entry number) */
inode: number;
/**Sequence number for entry */
sequence_number: number;
/**Parent MFT reference for entry */
parent_mft_references: number;
/**Attributes associated with entry. NOTE(review): field name spelling is kept as given; verify against the emitted JSON before renaming */
attributess: string[];
/**MD5 of file. Optional, populated only when the md5 collection option is enabled */
md5: string;
/**SHA1 of file. Optional, populated only when the sha1 collection option is enabled */
sha1: string;
/**SHA256 of file. Optional, populated only when the sha256 collection option is enabled */
sha256: string;
/**Is the entry a file */
is_file: boolean;
/**Is the entry a directory */
is_directory: boolean;
/** Is the entry carved from $INDX (only possible when recover_indx is enabled; carved entries may be stale or partial) */
is_indx: boolean;
/**USN entry */
usn: number;
/**SID number associated with entry */
sid: number;
/**SID string associated with entry */
user_sid: string;
/**Group SID associated with entry */
group_sid: string;
/**Drive letter */
drive: string;
/**ADS info associated with entry */
ads_info: AdsInfo[];
/**Depth of the file from the provided start point */
depth: number;
/**PE binary metadata. Optional, populated only when the metadata collection option is enabled */
binary_info: PeInfo[];
}
/**
 * Alternative Data Streams (ADS) are an NTFS feature to embed data in another data stream.
 * Each entry describes one named stream attached to the file or directory.
 */
export interface AdsInfo {
/**Name of the ADS entry */
name: string;
/**Size of the ADS entry in bytes */
size: number;
}