Unix file scan specification

Raynet One > 1.1 > User Guide > Technical overview > File scan specification 

The file scanning portion of the Zero Touch Unix Device Scan instrument uses common Unix utilities like find, ls, grep, base64, md5sum, dd and others, based on platform and availability. It focuses on a lightweight approach to gather file evidence from a remote target system.

Since the find Unix utility is recursive by default, the query results are as well.

The logic of the returned file list follows the behaviour of the Unix utilities listed above; see their respective documentation for details.

Patterns are specified in glob format.

Unix file scan specification parameters

CaptureFileContentLimit (64-bit integer)

Exclude files from the result by providing the maximum file size in bytes. If a value of 0 is specified, the value of the ZTUnixDeviceScanInstrument setting FileScanContentSizeLimit is used. The default value for FileScanContentSizeLimit is 1024 bytes, the minimum value is 0 bytes, and the maximum value is 1,024,000,000 bytes.

Only applied if IsCaptureFileContent is true.

Default: 0

CaptureFileContentTruncate (64-bit integer)

Specifies the maximum size of captured file content in bytes; any excess beyond this limit is cut off.

Only applied if IsCaptureFileContent is true.

Default: 0

ExcludeFilenamePattern

Exclude files by giving a name or a pattern.

Example: *.lib.so

No default.

ExcludeSubDirectoryPattern

Exclude sub-directories during a search by giving a name or a pattern.

No default.

IncludeFilenamePattern

Select files by giving a name or a pattern.

No default.

IncludeSubDirectoryPattern

Select sub-directories during a search by giving a name or a pattern.

No default.

IsExecutablesOnly

Only include executables in the result.

Default: false

IsCaptureFileContentChecksum

Enable generating the MD5 checksum of the file content. The MD5 checksum is computed on the same machine the files are queried from.

Default: false

IsCaptureFileContent

Enable capturing file content. The captured content in the results is base64-encoded.

Default: false

TargetDirectory

Specify the directory to search.

Default: /

Unix file scan specification example

[
  {
    "TargetDirectory": "/etc",
    "IncludeSubDirectoryPattern": "sma",
    "ExcludeSubDirectoryPattern": null,
    "IncludeFilenamePattern": "*.txt",
    "ExcludeFilenamePattern": null,
    "IsExecutablesOnly": false,
    "IsCaptureFileContentChecksum": false,
    "IsCaptureFileContent": true,
    "CaptureFileContentLimit": 1024
  },
  {
    "TargetDirectory": "/etc",
    "IncludeSubDirectoryPattern": null,
    "ExcludeSubDirectoryPattern": null,
    "IncludeFilenamePattern": "hosts",
    "ExcludeFilenamePattern": null,
    "IsExecutablesOnly": false,
    "IsCaptureFileContentChecksum": false,
    "IsCaptureFileContent": true,
    "CaptureFileContentTruncate": 100
  }
]

This is an example of a set of two file scan specifications in the format required for the ZT Unix Device Scan instrument. The first specification captures all files smaller than 1 KB whose filenames end in .txt in the sub-directory sma of the directory /etc. The second specification captures the first 100 bytes of the file /etc/hosts.
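The following is an added example, not Raynet's implementation: a local dry run that applies the parameters documented above to a directory tree, so a specification can be previewed (which files would be listed, how much content would be captured) before it is deployed. It assumes that sub-directory patterns match each directory component below TargetDirectory, that a CaptureFileContentLimit of 0 falls back to the documented 1024-byte instrument default, and that the checksum covers the full file content; the demo tree and its contents are constructed.

```python
import base64
import fnmatch
import hashlib
import os
import tempfile

def scan(spec, root=None):
    """Apply one file scan specification to a local tree; root overrides TargetDirectory. Assumed
    reading of the page, not Raynet's code: directory patterns match each directory component."""
    top = root or spec["TargetDirectory"]
    inc_dir, exc_dir = spec.get("IncludeSubDirectoryPattern"), spec.get("ExcludeSubDirectoryPattern")
    inc_file, exc_file = spec.get("IncludeFilenamePattern"), spec.get("ExcludeFilenamePattern")
    limit = spec.get("CaptureFileContentLimit", 0) or 1024  # 0 -> instrument default FileScanContentSizeLimit
    truncate, results = spec.get("CaptureFileContentTruncate", 0), []
    for dirpath, dirnames, filenames in os.walk(top):
        if exc_dir:  # prune excluded sub-directories so they are never descended into
            dirnames[:] = [d for d in dirnames if not fnmatch.fnmatch(d, exc_dir)]
        parts = [p for p in os.path.relpath(dirpath, top).split(os.sep) if p not in ("", ".")]
        if inc_dir and not any(fnmatch.fnmatch(p, inc_dir) for p in parts):
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if (inc_file and not fnmatch.fnmatch(name, inc_file)) or (exc_file and fnmatch.fnmatch(name, exc_file)):
                continue
            if spec.get("IsExecutablesOnly") and not os.access(path, os.X_OK):
                continue
            entry = {"path": os.path.relpath(path, top)}
            if spec.get("IsCaptureFileContent"):
                if os.path.getsize(path) > limit:
                    continue  # CaptureFileContentLimit excludes oversized files from the result
                with open(path, "rb") as fh:
                    data = fh.read()
                if spec.get("IsCaptureFileContentChecksum"):
                    entry["md5"] = hashlib.md5(data).hexdigest()  # assumed: checksum of the full content
                if truncate:
                    data = data[:truncate]  # CaptureFileContentTruncate cuts off the remainder
                entry["content"] = base64.b64encode(data).decode("ascii")
            results.append(entry)
    return results

def demo():
    """Run the page's two example specs against a constructed tree standing in for /etc."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sma"))
    for rel, data in (("sma/notes.txt", b"alpha"), ("sma/big.txt", b"x" * 2048), ("hosts", b"127.0.0.1 localhost\n" * 10)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)  # constructed sample files: one small .txt, one over the 1 KB limit, one hosts file
    spec1 = {"TargetDirectory": "/etc", "IncludeSubDirectoryPattern": "sma", "IncludeFilenamePattern": "*.txt", "IsCaptureFileContent": True, "CaptureFileContentLimit": 1024}
    spec2 = {"TargetDirectory": "/etc", "IncludeFilenamePattern": "hosts", "IsCaptureFileContent": True, "CaptureFileContentTruncate": 100}
    return scan(spec1, root), scan(spec2, root)
```

Running demo() shows the oversized sma/big.txt dropped by the size limit and only the first 100 bytes of hosts captured, which is the behaviour the explanation above describes.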