Bios Password


Saturday, August 15, 2009

Search & Acquire by File Type Solutions

Posted on 6:30 PM by Unknown

For some time I have been deeply obsessed with the features noted in this post:

  • EnScript to Export files based on Extension v1.1 - Computer Forensics, Malware Analysis & Digital Investigations blog

It’s a brilliant EnCase script that sorts through a collected image then outputs copies of the files, based on file-type filter, to folders named by those file-types.  Lance Mueller’s more recent script even does some hashing to look for duplicates.

For a system administrator performing incident response on a Windows system, or even a rapid file-recovery, this could be a very useful tool.

Unfortunately I don’t use EnCase nor am I aware of a tool to convert EnCase scripts into a “standalone” tool.

I suppose with time (something in short supply) I am more than up to the task of writing my own Windows script to do the process.  I may still do so.

However, after trawling the InterWeb-al sea-floor I’ve finally been able to identify a few applications that will handle the task, though require a bit of user intervention depending on the tool.

Closest Match: PhotoRec & PhotoRec Sorter

The closest tool I’ve yet found (and already knew about) is using PhotoRec to recover the supported file formats.  Once that collection is built, then you can toss PhotoRec Sorter at the collection and thus re-output the collected files into individual folders based on their type.   Pretty nice.

I suppose you would then have to do manual MD5 checking on any apparent duplicates.

This tool would be particularly useful when working on “static” image captures of a system.

First Runner Up: SMF

  • SMF – Search my Files - (freeware) - Funk.eu

It took me almost a month to find this utility (also created with AutoIt). I’m not sure why.

It is an amazingly developed and refined work of love by the developer. It supports advanced filter parameters as well as file-hashing.

The zip download contains a single exe file which when run creates two folders to be used for search result databases and such.  It is “portable” if you keep it all together.

What I like about it is that by feeding it a single or collection of targeted file extensions, it will VERY rapidly search and find them. Delimit the extensions by using the “;” character with no spaces between.

Output will require sorting by extension and then a select-all of that particular file type.  Then you can paste the results into a folder manually named (by you) of that matching extension name.

It also allows you to search based on advanced file attributes including “access time”.  Handy when inspecting a disk image for recently created/accessed/modified time parameters.

Too many options and features to discuss here.  Check it out.

SMF – Search my Files is off the hizzle fo' shizzle dizzle!
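The time-based filter mentioned above (search by access/modified/created time against a mounted image) is easy to reproduce without a GUI. The following is an added example written for this post; it is not code from the original article, from SMF, or from any other tool reviewed here. It assumes only the Python standard library, takes an SMF-style ";"-delimited extension list, and builds its own constructed sample tree with backdated timestamps so it runs offline.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Added example (not from the original post or any reviewed tool): walk a folder
# tree such as a mounted image, keep files whose chosen timestamp falls inside a
# window, and optionally narrow to an SMF-style ";"-delimited extension list.
# Caveat: os.stat's st_ctime is the creation time on Windows but the inode
# change time on Unix, so the "changed" key below means different things per OS.
# Walking a live, writable system updates access times as you go; work from a
# read-only mounted image if atime matters to your timeline.

def parse_extensions(spec):
    """'jpg;PNG;docx' -> {'.jpg', '.png', '.docx'}; an empty spec means no filter."""
    return {"." + e.strip().lower().lstrip(".") for e in spec.split(";") if e.strip()}

def file_times(path):
    """Return modified/accessed/changed(or created) times as aware UTC datetimes."""
    st = os.stat(path)
    raw = (("modified", st.st_mtime), ("accessed", st.st_atime), ("changed", st.st_ctime))
    return {key: datetime.fromtimestamp(value, tz=timezone.utc) for key, value in raw}

def recent_files(root, since, until=None, which="modified", extensions=""):
    """Files under root whose `which` timestamp lies in [since, until], newest first."""
    until = until or datetime.now(timezone.utc)
    wanted = parse_extensions(extensions)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if wanted and os.path.splitext(name)[1].lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            stamp = file_times(path)[which]
            if since <= stamp <= until:
                hits.append((stamp, path))
    hits.sort(reverse=True)
    return hits

def build_sample_tree():
    """Constructed sample data (not real evidence): three files with backdated mtimes."""
    root = Path(tempfile.mkdtemp(prefix="recent_demo_"))
    now = datetime.now(timezone.utc)
    days_ago = {"old_report.docx": 90, "fresh_dump.exe": 1, "fresh_pic.jpg": 2}
    for name, age in days_ago.items():
        target = root / name
        target.write_bytes(b"sample")
        ts = (now - timedelta(days=age)).timestamp()
        os.utime(target, (ts, ts))  # sets both atime and mtime
    return root

def demo(extensions=""):
    """Names of files modified in the last 7 days of the sample tree, newest first."""
    root = build_sample_tree()
    since = datetime.now(timezone.utc) - timedelta(days=7)
    return [os.path.basename(p) for _stamp, p in recent_files(root, since, extensions=extensions)]

if __name__ == "__main__":
    for name in demo():
        print(name)
```

Point `recent_files` at the root of a mounted image with `which="accessed"` or `which="changed"` to reproduce the other SMF attribute searches; the returned list is already ordered for a quick first-pass timeline.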

Second Runner up: SearchMyFiles-NirSoft edition

  • SearchMyFiles - (freeware) – NirSoft

Single, very tiny EXE file and highly portable.  Rapid searching of drive, folder, subfolders, etc.

Again, it also supports searching for multiple extensions at once:

Files Wildcard: Specifies the wildcard for scanning the files. You can specify multiple wildcards delimited by semicolon or by comma, for example: *.exe;*.dll;*.ocx or *.exe,*.dll,*.ocx.

It also supports filtering based on file attributes, as well as other advanced combos.

It isn’t as advanced as SMF-Funk edition but for what it lacks in comparable features it more than makes up for in simplicity and ease-of-use.

In the Pack

These additional utilities can also provide searching by multiple file types.  They can get the job done. However I just didn’t find them quite as appealing for various reasons as I did the winners selected above.  You may feel differently and they are all worth downloading and seeing if they could meet your needs.

  • File Find for Windows – Forensic Innovations, Inc. – (trialware/$) - This is really an amazing program specifically designed to support the searching needs of forensic examiners.  The trial download is limited to 30-days, with a nag-screen, and only will display up to 100 results per search.  That’s enough to prove the value of this tool. You can search for files by their File Type, Contents, Operating System Platform, Data Storage Method, File Attributes, and much, much more.  Check out their highly descriptive/illustrated page for more product data.

  • Everything Search Engine - (freeware) – Really fast and powerful search tool.  Not marked higher as it is “installed” and runs indexing the system or mapped drive. It could be used against a mounted image you are inspecting (or, gasp, “installed” on the target system directly). However, I wouldn’t recommend it in that fashion.  I do have it running on my home XP system in lieu of Windows Search 4.0 and really love it. It also supports searching multiple extension file types at once:
      2.6 How do I search for a file type?

      To search for a file type, type the file extension into the search edit,
      ie to search for the mp3 file type, type *.mp3 into the search edit.
      To search for more than one type of file type use a | to separate file types,
      ie *.bmp|*.jpg will search for files with the extension bmp or jpg.

  • Locate32 - (freeware) – It also is database-based to speed indexing and finding of information.  It also supports searching for multiple file types at once.  Comes in both x64/x32 bit supported versions (nice) and supports almost all known versions of Windows, including CLI support. (handy).

  • Agent Ransack - (freeware) – Can be made “portable” and handles some pretty advanced parameters for searching locations.

  • Finder 2.1 - (freeware) – dkellner – Supports advanced search terms and arguments.  Nice interface. Portable.

In all but the first case (PhotoRec Sorter), you will need to create your own output folders manually, based on extensions you are searching for.  Then (depending on the application’s requirements) make one or more text-files to keep your custom file type lists in. Simply copy/paste them as needed into the application, run your search, then sort, copy, and paste the results into the respective folder.  Not elegant but it could get the job done. Also, some of the applications listed support exporting the results in some kind of report format for documentation needs.
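The manual workflow just described (search by an extension list, make a folder per extension, copy the hits in, then MD5-check apparent duplicates) is exactly the kind of thing a standalone script can do in one pass. The following is an added example written for this post; it is not the EnScript from Lance Mueller’s blog, nor code from PhotoRec Sorter, SMF, or any other tool listed above. It assumes only the Python standard library, uses SHA-256 rather than MD5 for the duplicate check, and builds its own constructed sample tree so it runs offline.

```python
import csv
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Added example (not from the original post, the EnScript, or any reviewed tool):
# walk a source tree (e.g. a mounted image), copy every file matching an
# SMF-style ";"-delimited extension list into <dest>/<ext>/, hash each file to
# flag duplicate content, verify each copy against the source hash, and write
# a CSV report for the case notes.

def parse_extensions(spec):
    """'jpg;PNG;docx' -> {'.jpg', '.png', '.docx'}"""
    return {"." + e.strip().lower().lstrip(".") for e in spec.split(";") if e.strip()}

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def export_by_extension(source, dest, extensions):
    """Copy matching files into dest/<ext>/ and return the report rows."""
    wanted = parse_extensions(extensions)
    dest = Path(dest)
    first_seen = {}  # content digest -> first source path with that content
    rows = []
    for dirpath, _dirs, names in os.walk(source):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in wanted:
                continue
            src = Path(dirpath) / name
            digest = sha256_of(src)
            folder = dest / ext.lstrip(".")
            folder.mkdir(parents=True, exist_ok=True)
            # Same file name from different directories must not clobber each other.
            target = folder / name
            counter = 1
            while target.exists():
                target = folder / f"{src.stem}_{counter}{src.suffix}"
                counter += 1
            shutil.copy2(src, target)  # copy2 keeps the source timestamps
            if sha256_of(target) != digest:
                raise IOError(f"copy verification failed for {src}")
            original = first_seen.setdefault(digest, str(src))
            rows.append({"source": str(src), "copy": str(target), "sha256": digest,
                         "duplicate_of": "" if original == str(src) else original})
    with open(dest / "report.csv", "w", newline="") as report:
        writer = csv.DictWriter(report, fieldnames=["source", "copy", "sha256", "duplicate_of"])
        writer.writeheader()
        writer.writerows(rows)
    return rows

def build_sample_tree():
    """Constructed sample input (not real evidence): four files, two with identical bytes."""
    root = Path(tempfile.mkdtemp(prefix="acq_src_"))
    (root / "docs").mkdir()
    (root / "docs" / "a.docx").write_bytes(b"same content")
    (root / "a.docx").write_bytes(b"same content")  # same name and same bytes as above
    (root / "photo.JPG").write_bytes(b"jpeg bytes")
    (root / "notes.txt").write_bytes(b"not in the extension list, so ignored")
    return root

def demo():
    """Run the export over the sample tree and summarise what happened."""
    src = build_sample_tree()
    dest = Path(tempfile.mkdtemp(prefix="acq_out_"))
    rows = export_by_extension(src, dest, "docx;jpg")
    return {
        "copied": len(rows),
        "folders": sorted(p.name for p in dest.iterdir() if p.is_dir()),
        "duplicates": sum(1 for r in rows if r["duplicate_of"]),
        "report_exists": (dest / "report.csv").exists(),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a read-only mounted image as `source` and an output folder on your own drive as `dest`; the `duplicate_of` column in `report.csv` replaces the manual MD5 comparison, and the post-copy hash check gives you a simple integrity record for each exported file.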

Related file handling tools

These tools are directly related but could provide useful tools for either searching a system during an incident response, or obtaining information that could make a more effective and narrowed search of a system.

  • UserProfilesView v1.00 - (freeware) – NirSoft - “UserProfilesView displays the list of all user profiles that you currently have in your system. For each user profile, the following information is displayed: Domain\User Name, Profile Path, Last Load Time, Registry File Size, User SID, and more.”

  • MyEventViewer v1.22 - (freeware) – NirSoft - “MyEventViewer is a simple alternative to the standard event viewer of Windows. As opposed to Windows event viewer, MyEventViewer allows you to watch multiple event logs in one list, as well as the event description and data are displayed in the main window, instead of opening a new one.”

  • RecentFilesView v1.09 - (freeware) – NirSoft – “Each time that you open a file from Windows Explorer or from a standard open/save dialog-box, the name of the file that you opened is recorded by the operating system. Some of the names are saved into the 'Recent' folder. Others are saved into the Registry.  This utility displays the list of all recently opened files, and allows you to delete unwanted filename entries.”

  • eXpress FreshFiles Finder - (freeware) - Provides a list of the most recently updated files on your target system.  Good for first-pass analyzing a system in an incident response scenario. Install the application, copy the created program folder to your USB stick, then uninstall. 

  • FolderWorks - (freeware) - ShadWorld.  Another related tool for counting files and categorizing them by extensions or file types.  No files are actually copied or moved.  Solely useful for documentation and assessment work on a system.

  • UserAssist - (freeware) – Didier Stevens (see also Update: UserAssist Tool Version 2.4.3) - “The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.”

  • RegRipper - (freeware) – Harlan Carvey, Windows forensic expert and Registry digger extraordinaire has created an excellent tool for parsing out various Windows Registry hives. Using information gleaned from the reports, one can then get a better focus on pursuing leads for incident response elements on the target system.

Cheers.

--Claus V.

Posted in forensics, utilities