<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>GetThis — DFIR ORC documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/solar.css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="GetSamples" href="GetSamples.html" />
<link rel="prev" title="FastFind" href="FastFind.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="GetSamples.html" title="GetSamples"
accesskey="N">next</a>
<li class="right" >
<a href="FastFind.html" title="FastFind"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" accesskey="U">Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="getthis">
<h1>GetThis<a class="headerlink" href="#getthis" title="Permalink to this heading">¶</a></h1>
<section id="description">
<h2>Description<a class="headerlink" href="#description" title="Permalink to this heading">¶</a></h2>
<p>GetThis was originally developed to assist with malicious sample collection but quickly evolved into a general purpose file collection tool.</p>
<p>GetThis uses the same MFT parser as <a class="reference internal" href="NTFSInfo.html"><span class="doc">NTFSInfo</span></a>, but is specifically targeted at sample collection.
For details on the MFT parser used in GetThis, please refer to <a class="reference internal" href="fs_implem_details.html"><span class="doc">MFT parser configuration</span></a>.</p>
<p>While enumerating the specified file systems, GetThis searches for specific file indicators to collect. Once a potential sample is identified, it creates a copy of this file in the output directory (or archive). This tool also has the ability to collect information about Alternate Data Streams, Extended Attributes and “any” NTFS attribute. Various conditions and patterns can be defined to restrict the search to interesting matches. The complete search algorithm is detailed in <a class="reference internal" href="configuring_ntfs_opt.html"><span class="doc">Configuring Attributes of ntfs_find and ntfs_exclude Elements</span></a>.</p>
<p>GetThis has the ability to bypass file system locks and permissions and therefore allows collection of</p>
<ul class="simple">
<li><p>in-use registry files,</p></li>
<li><p>Pagefile, Hiberfil,</p></li>
<li><p>event log files,</p></li>
<li><p>files with restrictive ACLs,</p></li>
<li><p>files opened with exclusive rights (i.e. non-shared),</p></li>
<li><p>files hidden or guarded by malware using file-level API hooking.</p></li>
</ul>
<p>The copy is made by locating the file extents (a.k.a. segments) on disk directly through the volume handle, which avoids sharing violations, strict DACLs and hooked file APIs.</p>
<p>To prevent interference from anti-virus software, it is recommended to store the samples in a password-protected archive. The encryption occurs <em>in memory</em> when the data is extracted from the disk, before any temporary file is created (i.e. clear text samples do not hit the disk).
To use this feature, please refer to this documentation: <a class="reference internal" href="configuring_tool_output.html#cfg-tool-output-pwd"><span class="std std-ref">Password (only for zip and 7z Format)</span></a>.</p>
</section>
<section id="output">
<h2>Output<a class="headerlink" href="#output" title="Permalink to this heading">¶</a></h2>
<p>When collecting a sample, GetThis creates a file in the output directory (or archive) with the logic below to compute its file name:</p>
<ul class="simple">
<li><p>White space characters are replaced with underscores (_).</p></li>
<li><p>(Deprecated) If an XOR pattern was provided, the file name is prefixed with <em>XOR_<XORPATTERN>_</em> so that the sample can be unXORed later.</p></li>
<li><p>The file name is prefixed with the File Reference Number (a.k.a. FRN) of the <strong>parent</strong> of the file. This helps identify samples from the same folder while keeping sample names reasonably short.</p></li>
<li><p>One of the keywords <code class="docutils literal notranslate"><span class="pre">data</span></code>, <code class="docutils literal notranslate"><span class="pre">strings</span></code> or <code class="docutils literal notranslate"><span class="pre">raw</span></code> is appended to the sample name, depending on what is retrieved. If the resulting file name already exists in the output directory, the keyword suffix becomes <code class="docutils literal notranslate"><span class="pre">_1_data</span></code> (then <code class="docutils literal notranslate"><span class="pre">_2_data</span></code>, and so on).</p></li>
</ul>
<p>For example, when the full-path name of a sample is <code class="docutils literal notranslate"><span class="pre">C:\Windows\System32\kernel32.dll</span></code>, the collected sample is named <code class="docutils literal notranslate"><span class="pre">0000000000000026_kernel32.dll_data</span></code> (where 0000000000000026 is the FRN of <code class="docutils literal notranslate"><span class="pre">C:\Windows\System32</span></code>).
The same sample collected with the deprecated XOR pattern <code class="docutils literal notranslate"><span class="pre">0x0BADF00D</span></code> is named <code class="docutils literal notranslate"><span class="pre">XOR_0BADF00D_0000000000000026_kernel32.dll_data</span></code>.</p>
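<p>The naming rules above, implemented as an added Python example (this is not code from the DFIR ORC project; the function names, the rendering of the FRN as 16 upper-case hex digits and of the XOR pattern as 8 hex digits, and the byte order used by <code class="docutils literal notranslate"><span class="pre">unxor</span></code> are assumptions of the example). It also parses a sample name back into its parts, which is what you need when reconciling an archive with the <code class="docutils literal notranslate"><span class="pre">SampleName</span></code> column of <code class="docutils literal notranslate"><span class="pre">GetThis.csv</span></code>:</p>

```python
import re
from typing import Dict, Optional, Set

# Assumptions of this example about the on-disk name format: the parent FRN
# is rendered as 16 upper-case hex digits (the docs show "0000000000000026")
# and the deprecated XOR pattern as 8 hex digits.
CONTENT_TYPES = ("data", "strings", "raw")

_NAME_RE = re.compile(
    r"^(?:XOR_(?P<xor>[0-9A-Fa-f]{8})_)?"      # optional deprecated XOR prefix
    r"(?P<frn>[0-9A-Fa-f]{16})_"               # parent FRN
    r"(?P<name>.+?)"                            # original leaf name
    r"(?:_(?P<dup>\d+))?"                       # collision index, if any
    r"_(?P<type>data|strings|raw)$"             # content keyword
)


def sample_name(full_path: str, parent_frn: int, content_type: str,
                existing: Set[str], xor_pattern: Optional[int] = None) -> str:
    """Return the output name GetThis gives a sample, applying the naming
    rules in order and de-duplicating against `existing`, the set of names
    already present in the output directory (updated in place)."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type!r}")
    # Only the last path component is kept ...
    leaf = full_path.replace("/", "\\").rsplit("\\", 1)[-1]
    # ... with every white-space character replaced by an underscore.
    leaf = re.sub(r"\s", "_", leaf)
    prefix = f"{parent_frn:016X}_"
    if xor_pattern is not None:                 # deprecated XOR_<pattern>_ prefix
        prefix = f"XOR_{xor_pattern:08X}_{prefix}"
    candidate = f"{prefix}{leaf}_{content_type}"
    n = 0
    while candidate in existing:                # collision: _1_data, _2_data, ...
        n += 1
        candidate = f"{prefix}{leaf}_{n}_{content_type}"
    existing.add(candidate)
    return candidate


def parse_sample_name(name: str) -> Dict[str, object]:
    """Inverse of sample_name: split a collected sample's file name into
    XOR pattern, parent FRN, original leaf name, collision index and type.
    A file whose real name ends in "_<digits>" is inherently ambiguous here,
    so cross-check against the FullName column of GetThis.csv."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a GetThis sample name: {name!r}")
    return {
        "xor": int(m["xor"], 16) if m["xor"] else None,
        "parent_frn": int(m["frn"], 16),
        "name": m["name"],
        "dup": int(m["dup"]) if m["dup"] else 0,
        "type": m["type"],
    }


def unxor(data: bytes, pattern: int) -> bytes:
    """Undo the deprecated XOR obfuscation. Applying the 32-bit pattern
    most-significant byte first is an assumption of this example; XOR is
    its own inverse, so the same call obfuscates and de-obfuscates."""
    key = pattern.to_bytes(4, "big")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


if __name__ == "__main__":
    seen: Set[str] = set()
    print(sample_name(r"C:\Windows\System32\kernel32.dll", 0x26, "data", seen))
    print(sample_name(r"C:\Windows\System32\kernel32.dll", 0x26, "data", seen))
    print(parse_sample_name("XOR_0BADF00D_0000000000000026_kernel32.dll_1_data"))
```

<p>Pass the set of names already in the output directory as <code class="docutils literal notranslate"><span class="pre">existing</span></code>; it is updated in place, so a second copy of the same file gets the <code class="docutils literal notranslate"><span class="pre">_1_data</span></code> suffix. The parsed XOR pattern from the prefix is exactly what <code class="docutils literal notranslate"><span class="pre">unxor</span></code> needs to recover the clear-text sample.</p>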
<p>Along with the sample, GetThis records where the matching NTFS record is located, which file it describes, and hashes that help identify the collected content. To fully grasp the NTFS attributes collected and represented in the columns in cases more complicated than plain files, please refer to <a class="reference internal" href="configuring_ntfs_opt.html"><span class="doc">Configuring Attributes of ntfs_find and ntfs_exclude Elements</span></a>.</p>
<p>This information is, by default, stored in a CSV file named <code class="docutils literal notranslate"><span class="pre">GetThis.csv</span></code>, which is organized as follows:</p>
<table class="docutils align-left">
<thead>
<tr class="row-odd"><th class="head"><p>ColumnName</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>ComputerName</p></td>
<td><p>Name of the computer</p></td>
</tr>
<tr class="row-odd"><td><p>VolumeID</p></td>
<td><p>Id of the volume</p></td>
</tr>
<tr class="row-even"><td><p>ParentFRN</p></td>
<td><p>FRN of the parent directory</p></td>
</tr>
<tr class="row-odd"><td><p>FRN</p></td>
<td><p>FRN of this entry</p></td>
</tr>
<tr class="row-even"><td><p>FullName</p></td>
<td><p>Full path name for this entry</p></td>
</tr>
<tr class="row-odd"><td><p>SampleName</p></td>
<td><p>Name of the corresponding sample</p></td>
</tr>
<tr class="row-even"><td><p>SizeInBytes</p></td>
<td><p>File size in bytes</p></td>
</tr>
<tr class="row-odd"><td><p>MD5</p></td>
<td><p>Cryptographic MD5 hash</p></td>
</tr>
<tr class="row-even"><td><p>SHA1</p></td>
<td><p>Cryptographic SHA1 hash</p></td>
</tr>
<tr class="row-odd"><td><p>FindMatch</p></td>
<td><p>The content of the ntfs_find conditions (or /sample command line option) which were satisfied for the element to be collected</p></td>
</tr>
<tr class="row-even"><td><p>ContentType</p></td>
<td><p>Type can be <code class="docutils literal notranslate"><span class="pre">data</span></code> or <code class="docutils literal notranslate"><span class="pre">raw</span></code> or <code class="docutils literal notranslate"><span class="pre">strings</span></code>.</p></td>
</tr>
<tr class="row-odd"><td><p>CreationDate</p></td>
<td><p>File creation date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-even"><td><p>LastModificationDate</p></td>
<td><p>File last write date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-odd"><td><p>LastAccessDate</p></td>
<td><p>File last read access date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-even"><td><p>LastAttrChangeDate</p></td>
<td><p>File last attribute change date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-odd"><td><p>FileNameCreationDate</p></td>
<td><p>File name (hard link) creation date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-even"><td><p>FileNameLastModificationDate</p></td>
<td><p>File name (hard link) last modification date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-odd"><td><p>FileNameLastAccessDate</p></td>
<td><p>File name (hard link) last read access date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-even"><td><p>FileNameLastAttrModificationDate</p></td>
<td><p>File name (hard link) last attribute change date (yyyy-MM-dd hh:mm:ss.SSS)</p></td>
</tr>
<tr class="row-odd"><td><p>AttrType</p></td>
<td><p>Type of the collected NTFS attribute</p></td>
</tr>
<tr class="row-even"><td><p>AttrName</p></td>
<td><p>Name of the collected NTFS attribute</p></td>
</tr>
<tr class="row-odd"><td><p>AttrID</p></td>
<td><p>ID of the collected NTFS attribute</p></td>
</tr>
<tr class="row-even"><td><p>SnapshotID</p></td>
<td><p>Snapshot associated with this entry</p></td>
</tr>
<tr class="row-odd"><td><p>SHA256</p></td>
<td><p>Cryptographic SHA256 hash</p></td>
</tr>
<tr class="row-even"><td><p>SSDeep</p></td>
<td><p>Fuzzy hash SSDeep</p></td>
</tr>
<tr class="row-odd"><td><p>YaraRules</p></td>
<td><p>List of the yara rules matching with the sample</p></td>
</tr>
</tbody>
</table>
<p>An output for logging purposes can be used with the syntax found in <a class="reference internal" href="configuring_console_output.html"><span class="doc">Configuring Console Output</span></a>.</p>
</section>
<section id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this heading">¶</a></h2>
<p>GetThis can be used in two mutually exclusive ways, either with command-line parameters or with an XML configuration file.
The XML syntax is to be preferred as it gives better access to GetThis functionality, especially the limit settings and yara rules.</p>
<p>A typical command-line parameter syntax looks like the following:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /sample=git.exe /out=git.7z <span class="s2">"C:\Program Files\git\bin"</span> /nolimits
</pre></div>
</div>
<p id="getthis-xml-example">A typical XML configuration file looks like the following:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><getthis></span>
<span class="w"> </span><span class="nt"><location></span>%SystemDrive%\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><yara</span><span class="w"> </span><span class="na">block=</span><span class="s">"20M"</span><span class="w"> </span><span class="na">overlap=</span><span class="s">"2M"</span><span class="w"> </span><span class="na">timeout=</span><span class="s">"20"</span><span class="w"> </span><span class="na">source=</span><span class="s">"GetThisSample.yara"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"><samples</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"50MB"</span><span class="w"> </span><span class="na">MaxSampleCount=</span><span class="s">"15000"</span><span class="w"> </span><span class="na">MaxTotalBytes=</span><span class="s">"1024MB"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"git"</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"50MB"</span><span class="w"> </span><span class="na">MaxSampleCount=</span><span class="s">"150"</span><span class="w"> </span><span class="na">MaxTotalBytes=</span><span class="s">"150MB"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Program Files\git\bin\git.exe"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"WSTCODEC"</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"50MB"</span><span class="w"> </span><span class="na">MaxSampleCount=</span><span class="s">"150"</span><span class="w"> </span><span class="na">MaxTotalBytes=</span><span class="s">"150MB"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Windows\System32\DRIVERS\WSTCODEC.SYS"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"notdll"</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"80MB"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">name_match=</span><span class="s">"\*.dll"</span><span class="w"> </span><span class="na">yara_rule=</span><span class="s">"is_not_dll"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"></samples></span>
<span class="nt"></getthis></span>
</pre></div>
</div>
<p>In this example, all samples collected using the <code class="docutils literal notranslate"><span class="pre"><ntfs_find</span> <span class="pre">path="\Program</span> <span class="pre">Files\Git\bin\git.exe"</span> <span class="pre">/></span></code> indicator are stored under a folder named “git” in the output 7z archive, subject to the restrictions set in the attributes, which are documented below.</p>
<p>The XML configuration file is supplied to GetThis with the <code class="docutils literal notranslate"><span class="pre">/config</span></code> option:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /config=<span class="p"><</span>TypicalConfig<span class="p">></span>.xml
</pre></div>
</div>
<section id="getthis-element">
<h3><code class="docutils literal notranslate"><span class="pre">getthis</span></code> Element<a class="headerlink" href="#getthis-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>Root element.</p>
<section id="attributes">
<h4>Attributes<a class="headerlink" href="#attributes" title="Permalink to this heading">¶</a></h4>
<ul class="simple">
<li><dl class="simple">
<dt><strong>nolimits</strong> <em>(optional=yes, default=Inactive)</em>, <code class="docutils literal notranslate"><span class="pre">/nolimits</span></code> option:</dt><dd><p>Specifies that there should be no limit when collecting the samples. The option <code class="docutils literal notranslate"><span class="pre">/nolimits</span></code> takes no value. In an XML file, the attribute is written <code class="docutils literal notranslate"><span class="pre">nolimits=""</span></code>.</p>
</dd>
</dl>
</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Limits must be explicitly set, either by using <code class="docutils literal notranslate"><span class="pre">nolimits</span></code> or by using a meaningful combination of attributes of <code class="docutils literal notranslate"><span class="pre">samples</span></code>. Details are provided <a class="reference internal" href="#getthis-limits"><span class="std std-ref">below</span></a>.</p>
</div>
<ul class="simple">
<li><p><strong>resurrect</strong> <em>(optional=yes, default=no)</em>, <code class="docutils literal notranslate"><span class="pre">/ResurrectRecords=<yes|no|resident></span></code> Option</p></li>
</ul>
<p>The MFT parser can be configured to include deleted records. This option can provide information about recently deleted file system entries.
By design, this can produce unpredictable results, since the parser then relies on unreliable or partially deleted information.
Resident attributes of such entries can generally be assumed valid, whereas nonresident attributes are most likely invalidated quickly after deletion, as their clusters get reused.
Use the option value <code class="docutils literal notranslate"><span class="pre">resident</span></code> to limit parsed deleted entries to resident ones.</p>
<table class="docutils align-left">
<thead>
<tr class="row-odd"><th class="head"><p>Value</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p><em>yes</em></p></td>
<td><p>Enable deleted records recovery</p></td>
</tr>
<tr class="row-odd"><td><p><em>resident</em></p></td>
<td><p>Enable recovery of deleted resident records only</p></td>
</tr>
<tr class="row-even"><td><p><em>no</em></p></td>
<td><p>Do not try to recover deleted records</p></td>
</tr>
</tbody>
</table>
<ul class="simple">
<li><dl class="simple">
<dt><strong>reportall</strong> <em>(optional=yes, default=Inactive)</em>, <code class="docutils literal notranslate"><span class="pre">/reportall</span></code> option:</dt><dd><p>When using limits, GetThis potentially does not collect files that would have been collected otherwise. Nevertheless, the <code class="docutils literal notranslate"><span class="pre">reportall</span></code> option can be added so that the output CSV file contains information about all matching data from the disk, and not just the collected ones. When using the command line, this switch can be activated with the option <code class="docutils literal notranslate"><span class="pre">/reportall</span></code>, which takes no value. In an XML file, the attribute is written <code class="docutils literal notranslate"><span class="pre">reportall=""</span></code>.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>flushregistry</strong> <em>(optional=yes, default=Inactive)</em>, <code class="docutils literal notranslate"><span class="pre">/flushregistry</span></code> option:</dt><dd><p>GetThis is collecting data as it lies on the disk. If the file is <strong>currently being written</strong> or if part of the “current” state of the data is present in an application or in NTFS cache structures, then the collected data may be incorrect, incomplete or appear corrupted. GetThis is <strong>not</strong> an appropriate tool to collect volatile information with high fidelity. You <em>must</em> expect that collection of pagefiles, registry hives, etc., can lead to corrupt or incomplete files. When using this attribute, GetThis calls <code class="docutils literal notranslate"><span class="pre">RegFlushKey</span></code> for both <code class="docutils literal notranslate"><span class="pre">HKEY_USERS</span></code> and <code class="docutils literal notranslate"><span class="pre">HKEY_LOCAL_MACHINE</span></code> and can help retrieve more reliable hives. In an XML file, use <code class="docutils literal notranslate"><span class="pre">flushregistry=""</span></code>.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>hash</strong> <em>(optional=yes, default=”MD5,SHA1”)</em>, <code class="docutils literal notranslate"><span class="pre">/hash="<Hash1,...>"</span></code> option:</dt><dd><p>Comma-separated list of hashes to compute for the collected samples. MD5 and SHA1 cannot be suppressed; SHA256 is currently the only additional algorithm. MD5 and SHA1 remain convenient lookup keys for threat-intelligence services, but neither is collision resistant, so request SHA256 whenever the identity of a sample matters.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>fuzzyhash</strong> <em>(optional=yes, default=None)</em>, <code class="docutils literal notranslate"><span class="pre">/fuzzyhash="<FHash1,...>"</span></code> option:</dt><dd><p>Comma-separated list of fuzzy hashes to compute for the collected samples. The only possible value at the moment is SSDeep.</p>
</dd>
</dl>
</li>
</ul>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The <code class="docutils literal notranslate"><span class="pre">hash</span></code> and <code class="docutils literal notranslate"><span class="pre">fuzzyhash</span></code> options are ignored when using <code class="docutils literal notranslate"><span class="pre">/XOR</span></code>.</p>
</div>
</section>
</section>
<section id="output-element-out-path-option">
<h3><code class="docutils literal notranslate"><span class="pre">output</span></code> Element, <code class="docutils literal notranslate"><span class="pre">/out=<Path></span></code> Option<a class="headerlink" href="#output-element-out-path-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=.\GetThis.7z</em></p>
<p>This element can also be specified from the command line. For details on the <code class="docutils literal notranslate"><span class="pre">output</span></code> element syntax, please refer to the <a class="reference internal" href="configuring_tool_output.html"><span class="doc">output documentation</span></a>.</p>
<p>An XOR pattern can be provided to be applied to the collected samples (whether they are stored in a folder or in an archive); the syntax is the following:</p>
<ul class="simple">
<li><p>XML element:</p></li>
</ul>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><output</span><span class="w"> </span><span class="na">XOR=</span><span class="s">"0x0BADF00D"</span><span class="nt">></span>
<span class="w"> </span>PathToDirOrArchive
<span class="nt"></output></span>
</pre></div>
</div>
<ul class="simple">
<li><p>Command-line option:</p></li>
</ul>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/out=PathToDirOrArchive /XOR=0x0BADF00D
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The <code class="docutils literal notranslate"><span class="pre">/XOR</span></code> option is <strong>DEPRECATED</strong>. To prevent interference from anti-viruses, one should use a password-protected archive.</p>
</div>
</section>
<section id="location-element">
<h3><code class="docutils literal notranslate"><span class="pre">location</span></code> Element<a class="headerlink" href="#location-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>Selectively collect samples in specific folders inside volumes. For this purpose, one can use any syntax described in <a class="reference internal" href="configuring_locations.html"><span class="doc">Configuring Locations</span></a>.</p>
<p>When using the command line, this element must be provided as a comma-separated list, as an argument at the end of the command:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /sample=git.exe /out=git.7z <span class="p"><</span>Location1<span class="p">></span>, <Location2>
</pre></div>
</div>
</section>
<section id="yara-element-or-yara-path-option">
<h3><code class="docutils literal notranslate"><span class="pre">yara</span></code> Element or <code class="docutils literal notranslate"><span class="pre">/yara=<Path></span></code> Option<a class="headerlink" href="#yara-element-or-yara-path-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=N/A</em></p>
<p>Used to specify yara rules. Please refer to <a class="reference internal" href="configuring_yara.html"><span class="doc">Configuring the Yara Scanner</span></a> for details on the <code class="docutils literal notranslate"><span class="pre">yara</span></code> element.
The option should indicate the path to a file containing yara rules.</p>
</section>
<section id="samples-element">
<h3><code class="docutils literal notranslate"><span class="pre">samples</span></code> Element<a class="headerlink" href="#samples-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>Describes the samples to collect.</p>
<section id="id1">
<h4>Attributes<a class="headerlink" href="#id1" title="Permalink to this heading">¶</a></h4>
<section id="specifying-limits">
<span id="getthis-limits"></span><h5>Specifying Limits<a class="headerlink" href="#specifying-limits" title="Permalink to this heading">¶</a></h5>
<p>To help control the amount of data collected, GetThis requires limits on the number and size of collected samples to be specified.
They can be set using three attributes:</p>
<ul class="simple">
<li><dl class="simple">
<dt><strong>MaxSampleCount</strong> <em>(optional=yes, default=N/A)</em>, <code class="docutils literal notranslate"><span class="pre">/MaxSampleCount="<Integer>"</span></code> Option:</dt><dd><p>Maximum number of matching files to be collected. This value is an integer.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>MaxPerSampleBytes</strong> <em>(optional=yes, default=N/A)</em>, <code class="docutils literal notranslate"><span class="pre">/MaxPerSampleBytes="<Integer>"</span></code> Option:</dt><dd><p>Collects matching files smaller than the specified size. The expected value is an integer that can be followed by one of these units: <em>B, KB, MB, GB</em>.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>MaxTotalBytes</strong> <em>(optional=yes, default=N/A)</em>, <code class="docutils literal notranslate"><span class="pre">/MaxTotalBytes="<Integer>"</span></code> Option:</dt><dd><p>Matching files are collected until their uncompressed cumulated file size reaches the specified value. The expected value is an integer that can be followed by one of these units: <em>B, KB, MB, GB</em>.</p>
</dd>
</dl>
</li>
</ul>
<p>Limits can be set globally on the <code class="docutils literal notranslate"><span class="pre">samples</span></code> element or locally on the <code class="docutils literal notranslate"><span class="pre">sample</span></code> element, documented below. When limits are evaluated, the closest attributes are taken into account first, and then the more general ones. If any criterion is not met, then the sample is not collected; otherwise, the sample is collected, and all the evaluated attributes take it into account for future restrictions.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The tool does not run unless limits are explicitly waived (using <code class="docutils literal notranslate"><span class="pre">nolimits</span></code>) or a combination of <code class="docutils literal notranslate"><span class="pre">samples</span></code> attributes bounding the maximum size of the collection is specified.</p>
</div>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><samples</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"500MB"</span><span class="w"> </span><span class="na">MaxSampleCount=</span><span class="s">"150"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"git"</span><span class="w"> </span><span class="na">MaxPerSampleBytes=</span><span class="s">"50MB"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Program Files\Git\bin\git.exe"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"WSTCODEC"</span><span class="w"> </span><span class="na">MaxSampleCount=</span><span class="s">"15"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Windows\System32\DRIVERS\WSTCODEC.SYS"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="nt"></samples></span>
</pre></div>
</div>
<p>In this example, GetThis collects at most 150 files overall, and stops collecting the <em>WSTCODEC</em> group once 15 of its files have been found.
Additionally, a single match in the <em>git</em> group cannot be larger than 50 MB, and no single file larger than 500 MB is collected at all.</p>
<p>When examining <a class="reference internal" href="#getthis-xml-example"><span class="std std-ref">the XML file example at the top of this section</span></a>, one can notice that</p>
<blockquote>
<div><ul class="simple">
<li><p>the size of an individual sample is bounded to 80 MB by the last <code class="docutils literal notranslate"><span class="pre">sample</span></code> element and to 50 MB by the global <code class="docutils literal notranslate"><span class="pre">samples</span></code> element. Since both limits must be satisfied, any sample is still bounded to 50 MB.</p></li>
<li><p>every time a sample is collected for the first <code class="docutils literal notranslate"><span class="pre">sample</span></code> element, its size is added to the total number of bytes collected in the context of that <code class="docutils literal notranslate"><span class="pre">sample</span></code> element, and also to the number of bytes collected in the context of the global <code class="docutils literal notranslate"><span class="pre">samples</span></code> element.</p></li>
</ul>
</div></blockquote>
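<p>The evaluation order described above, as an added example that is not part of the DFIR ORC code base: the script below models the documented rule (closest element first, then the enclosing <code class="docutils literal notranslate"><span class="pre">samples</span></code>; every criterion must pass; a collected sample is counted by every scope that was evaluated) and runs it over the configuration shown above and over the 80 MB / 50 MB case just discussed. The match lists, the binary size units (1 KB = 1024 B), the refusal of a sample that would push a scope past its <code class="docutils literal notranslate"><span class="pre">MaxTotalBytes</span></code>, and all function names are this example's assumptions.</p>

```python
"""Model of how GetThis evaluates sample limits.

Added example, not code from DFIR ORC: it re-implements the documented
rule (closest element first, then the enclosing `samples`; every
criterion must pass; a collected sample is counted by every scope that
was evaluated) and runs it over constructed matches.  Size units are
taken as binary multiples and a sample that would push a scope past its
MaxTotalBytes is refused; both are assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET

_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Convert '50MB', '500' or '1 GB' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?B)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported size: {text!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").upper()]


class Scope:
    """Limits and running counters of one `samples` or `sample` element."""

    def __init__(self, elem):
        self.name = elem.get("name", elem.tag)
        count = elem.get("MaxSampleCount")
        per = elem.get("MaxPerSampleBytes")
        total = elem.get("MaxTotalBytes")
        self.max_count = int(count) if count is not None else None
        self.max_per = parse_size(per) if per is not None else None
        self.max_total = parse_size(total) if total is not None else None
        self.count = 0
        self.total = 0

    def allows(self, size):
        """True when a sample of `size` bytes passes every limit of this scope."""
        if self.max_count is not None and self.count >= self.max_count:
            return False                      # group is already full
        if self.max_per is not None and size >= self.max_per:
            return False                      # "smaller than the specified size"
        if self.max_total is not None and self.total + size > self.max_total:
            return False                      # would exceed the cumulative budget
        return True

    def record(self, size):
        self.count += 1
        self.total += size


def plan_collection(samples_xml, matches):
    """Return the file names GetThis would collect, in match order.

    `matches` is a list of (sample group name, file name, size in bytes),
    in the order the MFT walk surfaces them.
    """
    root = ET.fromstring(samples_xml)
    global_scope = Scope(root)
    groups = {s.get("name"): Scope(s) for s in root.findall("sample")}
    collected = []
    for group, file_name, size in matches:
        local_scope = groups[group]
        # closest element first, then the enclosing samples element
        if local_scope.allows(size) and global_scope.allows(size):
            local_scope.record(size)
            global_scope.record(size)
            collected.append(file_name)
    return collected


MB = 1024 ** 2

# The configuration shown in the documentation above.
CONFIG = r"""<samples MaxPerSampleBytes="500MB" MaxSampleCount="150">
  <sample name="git" MaxPerSampleBytes="50MB">
    <ntfs_find path="\Program Files\Git\bin\git.exe" />
  </sample>
  <sample name="WSTCODEC" MaxSampleCount="15">
    <ntfs_find path="\Windows\System32\DRIVERS\WSTCODEC.SYS" />
  </sample>
</samples>"""

# Constructed matches: names and sizes are invented for the walk-through.
MATCHES = (
    [("git", "git.exe", 40 * MB),                  # kept: under the group's 50 MB
     ("git", "git-big.exe", 60 * MB),              # refused by the group's MaxPerSampleBytes
     ("WSTCODEC", "WSTCODEC-huge.SYS", 600 * MB)]  # refused by the global 500 MB limit
    + [("WSTCODEC", f"WSTCODEC{i}.SYS", 1 * MB) for i in range(16)]  # only 15 kept
)

# A local 80 MB limit under a global 50 MB one, plus a cumulative budget.
CONFIG_NESTED = r"""<samples MaxPerSampleBytes="50MB" MaxTotalBytes="30MB">
  <sample name="dll" MaxPerSampleBytes="80MB">
    <ntfs_find name_match="*.dll" />
  </sample>
</samples>"""
MATCHES_NESTED = [("dll", "a.dll", 60 * MB),   # passes the group, fails the global 50 MB
                  ("dll", "b.dll", 10 * MB),   # kept: 10 MB of the 30 MB budget used
                  ("dll", "c.dll", 25 * MB),   # refused: 35 MB would exceed the budget
                  ("dll", "d.dll", 20 * MB)]   # kept: exactly reaches 30 MB

if __name__ == "__main__":
    print(plan_collection(CONFIG, MATCHES))
    print(plan_collection(CONFIG_NESTED, MATCHES_NESTED))
```

<p>Running it reproduces the two statements made above: the 60 MB match passes the 80 MB local limit but is still refused by the 50 MB global one, and every collected match consumes both the group's and the global counters.</p>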
</section>
<section id="retrieved-content-the-content-attribute">
<h5>Retrieved Content: the Content Attribute<a class="headerlink" href="#retrieved-content-the-content-attribute" title="Permalink to this heading">¶</a></h5>
<p>The <code class="docutils literal notranslate"><span class="pre">content</span></code> attribute allows to define an algorithm to retrieve the data to be collected.</p>
<p>In more details, GetThis relies on the MFT parser to find NTFS attributes matching constraints defined by <code class="docutils literal notranslate"><span class="pre">ntfs_find</span></code> and <code class="docutils literal notranslate"><span class="pre">ntfs_exclude</span></code> elements. The default data getting collected from a matching NTFS attribute is specified in <a class="reference internal" href="configuring_ntfs_opt.html"><span class="doc">Configuring Attributes of ntfs_find and ntfs_exclude Elements</span></a>. The <code class="docutils literal notranslate"><span class="pre">content</span></code> attribute can be used to influence the way in which the collection of this data is realized. However, it does not influence which NTFS attribute is being collected: the <code class="docutils literal notranslate"><span class="pre">content</span></code> requirement is applied to alternate data streams and extended attributes in the same way as it is applied to the default <code class="docutils literal notranslate"><span class="pre">$DATA</span></code> stream of files.</p>
<table class="docutils align-left">
<thead>
<tr class="row-odd"><th class="head"><p>Value</p></th>
<th class="head"><p>Description</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>data</p></td>
<td><p>(Default value) Collects the data for the attribute</p></td>
</tr>
<tr class="row-odd"><td><p>strings</p></td>
<td><p>Collects only the printable strings (ASCII and Unicode) found in the attribute, filtered by length. A minimum and a maximum length can be specified with the syntax <code class="docutils literal notranslate"><span class="pre">content="strings:min=<Int>,max=<Int>"</span></code>. By default, the minimum is 3 and the maximum 1024.</p></td>
</tr>
<tr class="row-even"><td><p>raw</p></td>
<td><p>Collects the data “as is” from the disk (i.e. compressed if data is NTFS compressed)</p></td>
</tr>
</tbody>
</table>
<p>The syntax is as follows:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><samples</span><span class="w"> </span><span class="na">content=</span><span class="s">"data"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"git"</span><span class="w"> </span><span class="na">content=</span><span class="s">"strings"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Program Files\Git\bin\git.exe"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"WSTCODEC"</span><span class="w"> </span><span class="na">content=</span><span class="s">"strings:min=5,max=512"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">path=</span><span class="s">"\Windows\System32\DRIVERS\WSTCODEC.SYS"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="nt"></samples></span>
</pre></div>
</div>
<p>For the first <code class="docutils literal notranslate"><span class="pre">sample</span></code> element, the strings of the matching samples are collected with the default parameters.
The output carries no formatting: one line per string found, where an empty line stands for a buffer in which no valid string was found.
The second element collects, from its matching samples, the strings of at least 5 and at most 512 ASCII/Unicode characters.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The output is UTF-8 encoded.</p>
</div>
<p>Depending on the content specified, the retrieved samples are suffixed as follows:</p>
<ul class="simple">
<li><p><strong>_data</strong> for the complete data of the attribute,</p></li>
<li><p><strong>_strings</strong> when only strings are copied,</p></li>
<li><p><strong>_raw</strong> when raw data is collected.</p></li>
</ul>
<p>When using the command line, this switch can be activated with the option <code class="docutils literal notranslate"><span class="pre">/content</span></code>.</p>
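<p>What the <code class="docutils literal notranslate"><span class="pre">strings</span></code> mode produces, as an added example that is not part of DFIR ORC: the script below parses a <code class="docutils literal notranslate"><span class="pre">content="strings:min=…,max=…"</span></code> specification, extracts printable ASCII and UTF-16LE runs from a constructed byte buffer, keeps the ones within the length bounds and renders them as the documentation describes the <em>_strings</em> output (one string per line, UTF-8). The character class, the fate of over-long runs and the handling of overlapping ASCII/UTF-16 matches are not documented for GetThis and are this example's assumptions, as are the function names and the sample buffer.</p>

```python
"""Approximation of the content="strings" retrieval mode.

Added example, not code from DFIR ORC: it extracts printable ASCII and
UTF-16LE runs from a byte buffer, keeps those whose length lies within
the min/max bounds of a content specification, and renders them the way
the documentation describes the output (one string per line, UTF-8).
The character class, the handling of over-long runs and the treatment
of overlapping ASCII/UTF-16 matches are assumptions of this example.
"""
import re

DEFAULT_MIN, DEFAULT_MAX = 3, 1024          # documented defaults

_ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")   # printable ASCII in UTF-16LE


def parse_content(spec):
    """'strings' -> (3, 1024); 'strings:min=5,max=512' -> (5, 512)."""
    kind, _, params = spec.partition(":")
    if kind != "strings":
        raise ValueError(f"not a strings specification: {spec!r}")
    lo, hi = DEFAULT_MIN, DEFAULT_MAX
    for item in filter(None, params.split(",")):
        key, _, value = item.partition("=")
        if key == "min":
            lo = int(value)
        elif key == "max":
            hi = int(value)
        else:
            raise ValueError(f"unknown strings parameter: {item!r}")
    if lo < 1 or hi < lo:
        raise ValueError(f"invalid bounds min={lo} max={hi}")
    return lo, hi


def extract_strings(buf, lo=DEFAULT_MIN, hi=DEFAULT_MAX):
    """Return [(offset, text)] for every ASCII or UTF-16LE run of lo..hi characters."""
    found = []
    for pattern, encoding in ((_ASCII_RUN, "ascii"), (_UTF16_RUN, "utf-16-le")):
        for m in pattern.finditer(buf):
            text = m.group().decode(encoding)
            # the minimum length is what drops the one-character ASCII
            # "strings" that every UTF-16 character would otherwise produce
            if lo <= len(text) <= hi:
                found.append((m.start(), text))
    found.sort()
    return found


def strings_output(buf, spec="strings"):
    """Bytes of the _strings output: one string per line, UTF-8 encoded."""
    lo, hi = parse_content(spec)
    return "\n".join(text for _, text in extract_strings(buf, lo, hi)).encode("utf-8")


# Constructed buffer mimicking a slice of a PE file: an ASCII message, a
# UTF-16LE import name, a too-short fragment and two ASCII import names.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 4
    + "kernel32.dll".encode("utf-16-le")
    + b"\x00\x00"
    + b"ab\x00"
    + b"\xff" * 3
    + b"LoadLibraryA\x00GetProcAddress\x00"
)

if __name__ == "__main__":
    print(strings_output(SAMPLE).decode())
    print("---")
    print(strings_output(SAMPLE, "strings:min=5,max=12").decode())
```

<p>With the defaults, the four strings of the buffer come out in offset order; with <code class="docutils literal notranslate"><span class="pre">strings:min=5,max=12</span></code> the DOS stub message and <em>GetProcAddress</em> are dropped as too long, which is the effect to expect when a tight maximum is chosen for triage.</p>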
</section>
</section>
</section>
<section id="ntfs-exclude-element">
<h3><code class="docutils literal notranslate"><span class="pre">ntfs_exclude</span></code> Element<a class="headerlink" href="#ntfs-exclude-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=yes, default=N/A</em></p>
<p>This element excludes NTFS attributes <strong>from all the searches configured in the XML file</strong>.
The complete specification of the search algorithm and the syntax to use are detailed in <a class="reference internal" href="configuring_ntfs_opt.html"><span class="doc">Configuring Attributes of ntfs_find and ntfs_exclude Elements</span></a>.
While the most common use of this element is path-based, much more precise NTFS constraints can be configured.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The scope of an <code class="docutils literal notranslate"><span class="pre">ntfs_exclude</span></code> element is the whole configuration file.</p>
</div>
</section>
<section id="sample-element-sample-filename-option">
<h3><code class="docutils literal notranslate"><span class="pre">sample</span></code> Element, <code class="docutils literal notranslate"><span class="pre">/sample=<FileName></span></code> Option<a class="headerlink" href="#sample-element-sample-filename-option" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>This element groups <code class="docutils literal notranslate"><span class="pre">ntfs_find</span></code> elements.</p>
<p>This element accepts the same attributes as <code class="docutils literal notranslate"><span class="pre">samples</span></code>: <code class="docutils literal notranslate"><span class="pre">MaxSampleCount</span></code>, <code class="docutils literal notranslate"><span class="pre">MaxPerSampleBytes</span></code>, <code class="docutils literal notranslate"><span class="pre">MaxTotalBytes</span></code> and <code class="docutils literal notranslate"><span class="pre">content</span></code>.
Within a given <code class="docutils literal notranslate"><span class="pre">sample</span></code> element, the same restrictions apply.</p>
<p>The samples matching this group can be stored in a dedicated folder inside the output archive (or folder).
The folder name is given by the <code class="docutils literal notranslate"><span class="pre">name</span></code> attribute, which helps during triage.</p>
<p>When used as an option on the command line, the supported values are:</p>
<ul class="simple">
<li><p><strong>/sample=<FileName.txt></strong> to look for a file named FileName.txt,</p></li>
<li><p><strong>/sample=<FileName.txt:AnADS></strong> to look for a file named FileName.txt that has a $DATA attribute named “AnADS” (an Alternate Data Stream), and</p></li>
<li><p><strong>/sample=<FileName.txt#AnEA></strong> to look for a file named FileName.txt that has a $EA attribute (an Extended Attribute) with a value called “AnEA”.</p></li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>When using the <strong>option</strong>, a <strong>file name</strong>, rather than a file path, is required.</p>
</div>
</section>
<section id="ntfs-find-element">
<h3><code class="docutils literal notranslate"><span class="pre">ntfs_find</span></code> Element<a class="headerlink" href="#ntfs-find-element" title="Permalink to this heading">¶</a></h3>
<p><em>optional=no, default=N/A</em></p>
<p>It is this element which specifies a set of rules to identify the NTFS attributes to be collected.
The complete specification of the search algorithm and the syntax to use are detailed in <a class="reference internal" href="configuring_ntfs_opt.html"><span class="doc">Configuring Attributes of ntfs_find and ntfs_exclude Elements</span></a>.
While the most classical use of this element is path-related, it is possible to search for alternate data streams, extended attributes, streams with specific hashes, etc.</p>
</section>
<section id="additional-command-line-usage">
<h3>Additional Command-line Usage<a class="headerlink" href="#additional-command-line-usage" title="Permalink to this heading">¶</a></h3>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>The <code class="docutils literal notranslate"><span class="pre">/extract</span></code> option is <strong>DEPRECATED</strong>. It is documented for the sake of completeness.</p>
</div>
<p>GetThis can extract the cabinet archives it produces, and recognizes the XOR pattern that was applied to their content.</p>
<p>Syntax is:</p>
<ul class="simple">
<li><p>Output file specification: <code class="docutils literal notranslate"><span class="pre">/extract=PathToCab.7z</span></code></p></li>
<li><p>Output Directory: <code class="docutils literal notranslate"><span class="pre">/out=c:\temp</span></code></p></li>
</ul>
<p>The typical extraction syntax is:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /extract=c:\Data\Samples.cab /out=c:\temp
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>There is no need to specify an XOR pattern. When GetThis has XORed a file's content, its name is prefixed with <code class="docutils literal notranslate"><span class="pre">XOR_XORPATTERN</span></code>; during extraction, that <code class="docutils literal notranslate"><span class="pre">XOR_PATTERN</span></code> is applied to the file content before it is written to the output directory.</p>
</div>
</section>
</section>
<section id="typical-usage-examples">
<h2>Typical Usage Examples<a class="headerlink" href="#typical-usage-examples" title="Permalink to this heading">¶</a></h2>
<section id="samples-with-wildcards">
<h3>Samples with Wildcards<a class="headerlink" href="#samples-with-wildcards" title="Permalink to this heading">¶</a></h3>
<p>The typical command line to collect all samples matching “ker*.dll” on the system drive would be:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /nolimits /sample=ker*.dll /out=<span class="nv">%TEMP%</span> <span class="nv">%SystemDrive%</span>\
</pre></div>
</div>
<p>Equivalent XML Syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><getthis</span><span class="w"> </span><span class="na">nolimits=</span><span class="s">""</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><output></span>%TEMP%<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>%SystemDrive%\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><samples></span>
<span class="w"> </span><span class="nt"><sample></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">name_match=</span><span class="s">"ker*.dll"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"></samples></span>
<span class="nt"></getthis></span>
</pre></div>
</div>
</section>
<section id="samples-from-an-alternate-data-stream">
<h3>Samples from an Alternate Data Stream<a class="headerlink" href="#samples-from-an-alternate-data-stream" title="Permalink to this heading">¶</a></h3>
<p>The typical command line to collect all samples residing in an <strong>Alternate Data Stream</strong> named <code class="docutils literal notranslate"><span class="pre">calc.exe</span></code> in any file of the file system is:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /nolimits /sample=*:calc.exe /out=<span class="nv">%TEMP%</span> <span class="nv">%SystemDrive%</span>\
</pre></div>
</div>
<p>Equivalent XML Syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><getthis</span><span class="w"> </span><span class="na">nolimits=</span><span class="s">""</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><output></span>%TEMP%<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>%SystemDrive%\<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><samples></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"calc"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">ads=</span><span class="s">"calc.exe"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"></samples></span>
<span class="nt"></getthis></span>
</pre></div>
</div>
<p>The syntax for collecting samples from an <em>Alternate Data Stream</em> of a given file is typically:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /sample=HostFileName.txt:Malware*.exe
</pre></div>
</div>
<p>In this example, GetThis looks for any <strong>ADS</strong> matching Malware*.exe in a record named <code class="docutils literal notranslate"><span class="pre">HostFileName.txt</span></code>.</p>
</section>
<section id="samples-from-an-extended-attribute">
<h3>Samples from an Extended Attribute<a class="headerlink" href="#samples-from-an-extended-attribute" title="Permalink to this heading">¶</a></h3>
<p>The syntax for collecting samples from an <strong>Extended Attribute</strong> of a given file is typically:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /sample=HostFileName.txt#Malware*.exe
</pre></div>
</div>
<p>Equivalent XML Syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><getthis</span><span class="w"> </span><span class="na">nolimits=</span><span class="s">""</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><output></span>%TEMP%<span class="nt"></output></span>
<span class="w"> </span><span class="nt"><location></span>%SystemDrive%\temp<span class="nt"></location></span>
<span class="w"> </span><span class="nt"><samples></span>
<span class="w"> </span><span class="nt"><sample</span><span class="w"> </span><span class="na">name=</span><span class="s">"Malware"</span><span class="w"> </span><span class="nt">></span>
<span class="w"> </span><span class="nt"><ntfs_find</span><span class="w"> </span><span class="na">name=</span><span class="s">"HostFileName.txt"</span><span class="w"> </span><span class="na">ea_match=</span><span class="s">"Malware*.exe"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></sample></span>
<span class="w"> </span><span class="nt"></samples></span>
<span class="nt"></getthis></span>
</pre></div>
</div>
<p>In this example, GetThis looks for any extended attribute matching Malware*.exe in a record named <code class="docutils literal notranslate"><span class="pre">HostFileName.txt</span></code>.</p>
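<p>The correspondence between the <code class="docutils literal notranslate"><span class="pre">/sample</span></code> option values described for the <code class="docutils literal notranslate"><span class="pre">sample</span></code> element and the <code class="docutils literal notranslate"><span class="pre">ntfs_find</span></code> elements of the three examples above, as an added example that is not part of DFIR ORC: the script below turns a <code class="docutils literal notranslate"><span class="pre">/sample=<value></span></code> into the equivalent element, treating <code class="docutils literal notranslate"><span class="pre">:</span></code> as the alternate data stream separator, <code class="docutils literal notranslate"><span class="pre">#</span></code> as the extended attribute separator, a <code class="docutils literal notranslate"><span class="pre">*</span></code> host as "any file", and any value containing wildcards as needing the <code class="docutils literal notranslate"><span class="pre">_match</span></code> form of the attribute. The page shows <code class="docutils literal notranslate"><span class="pre">name</span></code>, <code class="docutils literal notranslate"><span class="pre">name_match</span></code>, <code class="docutils literal notranslate"><span class="pre">ads</span></code> and <code class="docutils literal notranslate"><span class="pre">ea_match</span></code>; that the remaining combinations are spelt <code class="docutils literal notranslate"><span class="pre">ads_match</span></code> and <code class="docutils literal notranslate"><span class="pre">ea</span></code> is this example's assumption, as are the function names.</p>

```python
"""Translate a GetThis /sample=<value> option into the ntfs_find element
the XML form of the same request would use.

Added example, not code from DFIR ORC.  ':' introduces an alternate data
stream, '#' an extended attribute, a '*' host means any file, and a
value containing '*' or '?' is a pattern that needs the _match form of
the attribute, as the documented equivalences show.  That the exact and
pattern forms are spelt ads / ads_match and ea / ea_match in every case
is this example's assumption.
"""
import xml.etree.ElementTree as ET

_SEPARATORS = ((":", "ads"), ("#", "ea"))


def _attribute(base, value):
    """Exact value -> `base`; value with wildcards -> `base_match`."""
    return f"{base}_match" if any(c in value for c in "*?") else base


def split_sample(value):
    """Return (host file name, stream kind or None, stream name or None)."""
    for sep, kind in _SEPARATORS:
        host, found, stream = value.partition(sep)
        if found:
            if not host or not stream:
                raise ValueError(f"incomplete {kind} specification: {value!r}")
            return host, kind, stream
    return value, None, None


def sample_to_ntfs_find(value):
    """Build the ntfs_find element equivalent to /sample=<value>."""
    if "\\" in value:
        # the option takes a file name, not a path (see the warning above);
        # a path would also make its drive ':' look like an ADS separator
        raise ValueError(f"/sample expects a file name, got a path: {value!r}")
    host, kind, stream = split_sample(value)
    elem = ET.Element("ntfs_find")
    if host != "*":          # "*" host means any file, so no name constraint
        elem.set(_attribute("name", host), host)
    if kind is not None:
        elem.set(_attribute(kind, stream), stream)
    return elem


def to_xml(value):
    """Serialize the element as it would appear inside a <sample> block."""
    return ET.tostring(sample_to_ntfs_find(value), encoding="unicode")


if __name__ == "__main__":
    for option in ("ker*.dll", "*:calc.exe",
                   "HostFileName.txt:Malware*.exe", "HostFileName.txt#Malware*.exe"):
        print(f"/sample={option:<32} -> {to_xml(option)}")
```

<p>The first three option values of the loop reproduce the three documented equivalences; the last one shows the ADS counterpart of the extended attribute example.</p>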
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="GetSamples.html" title="GetSamples"
>next</a>
<li class="right" >
<a href="FastFind.html" title="FastFind"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2019, ANSSI. The contents of this documentation is available under the Open License version 2.0 as published by Etalab (French task force for Open Data). The name DFIR ORC and the associated logo belong to ANSSI, no use is permitted without its express approval. Le contenu de cette documentation est disponible sous license Open License version 2.0 telle que publiée par Etalab (organisation francaise pour Open Data). Le nom DFIR ORC et le logo associé appartiennent à l'ANSSI, tout usage doit être expressément autorisé par l'ANSSI..
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 5.3.0.Theme is <a href="http://github.com/vimalkvn/solar-theme">Solar</a>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>