Windows file scan specification


Raynet One > 1.1 > User Guide > Technical overview > File scan specification 


The Zero Touch Windows Device Scan uses WMI and the CIM_DataFile object in the CIMv2 namespace, in a lightweight approach to search the target system for file evidence.

 

If generating MD5 checksums, capturing file content, or capturing PE header information was requested, then Windows file sharing is used to read the file content.

 

For the file scan specification properties Drive, Extension, FileName, Name, and Path, you can use the wildcards allowed by the WQL LIKE operator. The query is submitted as WQL, where both the equals (=) and the LIKE operator are case-insensitive. If the value contains any of the characters [, % or _, the search uses the LIKE operator; otherwise it uses the equals operator. Note that these characters cannot be escaped, so a value containing any of them always forces the LIKE operator.

 

Queries of the CIM_DataFile object that filter on Path are optimized by the Windows operating system (Win32 FindFirstFile/FindNextFile). Omitting these critical optimization properties can cause spikes in execution time, because the system falls back to enumerating every file on all drives. Most notably, LIKE patterns are known to be the least optimized form of filter.

 

For more information about the data set queried against, check Microsoft’s documentation of the CIM_DataFile object.

 

If the system determines that file contents need to be read, it attempts to connect to the device's disks through SMB.

 

Filtering by maximum file content size is only performed if the system detects the need to query file contents. Otherwise, the ContentSizeLimit parameter has no effect.

 

Files are grouped by a hash calculated over the whole content of the file. Since entire files are read into memory for hash computation and inventory purposes, the scope of the file system to scan should be selected carefully. A collision in the hashing function can result in two different files being grouped as one. Choose the File scan content size limit parameter of the instrument settings carefully so that oversized files are rejected up front.

 

If the result data-set contains no files, the list of inventoried files attached to the device is not replaced.

Windows file scan specification parameters

ContentSizeLimit (32bit integer)

Excludes files from the result by providing a maximum file size in bytes. If 0 is specified, the ZTWindowsDeviceScanInstrument's FileScanContentSizeLimit setting applies instead (it acts as a fast pre-filter in any case). The default value for FileScanContentSizeLimit is 1024 bytes, the minimum is 0 bytes, and the maximum is 1,024,000,000 bytes.

 

Default: 0

 

ContentSizeTruncate (32bit integer)

Limits the size of captured file content by providing a maximum capture size in bytes. Any excess beyond this size is cut off.

If this value is zero, file contents are not stored.

 

Default: 0

 

Drive

Selects the drive by its drive letter. A colon is appended if the string does not already end with one.

 

No default.

 

Extension

Selects files by providing a file extension, without the leading dot-character.

 

Example: bat

No default.

 

FileName

Selects files by providing a name without path separators, extension and drive.

 

Example: data

No default.

 

IsMD5

Enable generating the MD5 checksum for the file content. The MD5 checksum is only shown in the web interface if generated. The MD5 checksum computation is performed on the runner.

 

Default: false

 

IsContent

Enables capturing file content. Captured content is base64-encoded in the results and is therefore displayed in base64 format on the web interface; it is only shown there if it was captured.

 

File contents are stored only if a valid maximum file size is given (the ContentSizeTruncate field).

 

Default: false

 

IsCaptureFileProperties

Enables capture of the CIM_DataFile properties Manufacturer, Version and InstallDate. These are usually present only for files deployed by certain installation methods.

 

Default: false

 

IsCaptureExecutableHeaderProperties

Enables parsing the Portable Executable header of executable files and libraries to additionally capture the header checksum, major image version, minor image version, major linker version, minor linker version, major OS version, minor OS version, major subsystem version and minor subsystem version.

 

Default: false

 

Name

Selects files by providing a full file path.

 

Avoid using wildcards supported by the LIKE operator in this field, because the resulting queries tend to be slow. Instead, narrow the result set by giving exact values for the other specification properties.

 

Example: C:\Temp\data.txt

No default.

 

Path

Selects files by providing a directory path, for example "\\Temp\\" (the JSON-escaped form of \Temp\).

 

The path string must include the leading and trailing backslashes, either by stating them explicitly or by covering them with the LIKE pattern operators (%, _).

 

No default.

 

Windows file scan specification example

[
  {
    "Drive": "c",
    "Extension": null,
    "Path": "\\Temp\\",
    "Name": null,
    "IsMD5": true,
    "IsContent": false,
    "ContentSizeLimit": 0
  },
  {
    "Drive": null,
    "Extension": null,
    "Path": "\\Temp\\",
    "Name": null,
    "IsMD5": true,
    "IsContent": true,
    "ContentSizeLimit": 10240000,
    "IsCaptureExecutableHeaderProperties": true,
    "IsCaptureFileProperties": true
  }
]

 

This is an example of a set of two file scan specifications in the format required by the Zero Touch Windows Device Scan instrument. The first specification captures the MD5 checksum of all files in the directory C:\Temp. The second captures the file content and PE header information of all files up to 10 MB in directories named Temp on all drives.
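The following Python block is an added illustration, not Raynet's own code: it applies the query-building rules described above (LIKE forced by [, % or _, the colon appended to Drive, WQL backslash escaping, the size limit only mattering when file bytes are read, and the warning about missing Path or LIKE filters) to specifications in the example format. The SELECT column list, the one-to-one mapping of specification properties onto CIM_DataFile properties of the same name, and the cost heuristics are assumptions made here, not documented product behaviour.

```python
# Characters that force the WQL LIKE operator (the page states they cannot be escaped).
LIKE_TRIGGERS = set("[%_")
# Assumption: these spec properties map onto CIM_DataFile properties of the same name.
FILTER_PROPERTIES = ("Drive", "Extension", "FileName", "Name", "Path")
# Flags that require reading file bytes over SMB (file properties alone do not).
CONTENT_FLAGS = ("IsMD5", "IsContent", "IsCaptureExecutableHeaderProperties")


def wql_literal(value: str) -> str:
    """Quote a WQL string literal; WQL uses the backslash as its escape character."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_query(spec: dict) -> str:
    """Translate one file scan specification into a WQL query against CIM_DataFile."""
    clauses = []
    for prop in FILTER_PROPERTIES:
        value = spec.get(prop)
        if not value:  # null or empty: property is not filtered
            continue
        if prop == "Drive" and not value.endswith(":"):
            value += ":"  # the colon is appended when missing
        # Any unescapable wildcard character switches the comparison to LIKE.
        op = "LIKE" if LIKE_TRIGGERS & set(value) else "="
        clauses.append(f"{prop} {op} {wql_literal(value)}")
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    return "SELECT Name, FileSize FROM CIM_DataFile" + where  # column list assumed


def needs_file_content(spec: dict) -> bool:
    """True when hash, content or PE header capture makes the scan read file bytes."""
    return any(spec.get(flag) for flag in CONTENT_FLAGS)


def effective_size_limit(spec: dict, instrument_limit: int = 1024):
    """None when no bytes are read; otherwise the spec's limit, or the instrument's
    FileScanContentSizeLimit (default 1024) when the spec gives 0."""
    if not needs_file_content(spec):
        return None
    return spec.get("ContentSizeLimit", 0) or instrument_limit


def cost_warnings(spec: dict) -> list:
    """Flag the query shapes the page describes as poorly optimized (assumed heuristic)."""
    warnings = []
    if not spec.get("Path"):
        warnings.append("no Path filter: WMI enumerates every file on every drive")
    for prop in ("Path", "Name"):
        if LIKE_TRIGGERS & set(spec.get(prop) or ""):
            warnings.append(f"{prop} uses a LIKE pattern, the least optimized form")
    return warnings
```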