Wednesday, August 1, 2012

BigFix Hash sha1 searching

How-to find a file by size and hash.

        1. Check if the OS is WinXP or Win7.
        2. For WinXP, look at all files in and beyond "C:\Documents and Settings".
        3. Match file size.
        4. Match sha1.
        5. For Win7, look at all files in "C:\Users" and beyond.

        Evaluation time depends on the number of user profiles.

*BigFix script*
if (name of operating system as lowercase = "winxp") then
    ((name of it, pathname of it, sha1 of it, size of it) as string) of it whose (size of it=36840 and sha1 of it="f019b5e3d321b16539019477f12a09524615aee1") of (descendants of folder "C:\Documents and Settings")
else if (name of operating system as lowercase = "win7") then
    ((name of it, pathname of it, sha1 of it, size of it) as string) of it whose (size of it=36840 and sha1 of it="f019b5e3d321b16539019477f12a09524615aee1") of (descendants of folder "C:\Users")
else
    "This is not XP or Win7 box."


Change the size (36840) and sha1 (f019b5e3d321b16539019477f12a09524615aee1) entries to those of the file you want to find.


*Output*
<file>,     <path>,     <sha1>,     <size>
name.exe, C:\Documents and Settings\Administrator\Desktop\name.exe, f019b5e3d321b16539019477f12a09524615aee1, 36840


Notes:
BigFix does not do md5, so you have to use sha1.
There should be no false positives in your results, since a hit has to match both the size and the sha1.
Do NOT do the entire C:\ directory.  It will eat up your cycles. (You've been warned. So if you go ahead and do it anyway, do it at night when nobody is logged on.)
If you know the exact folder to look in, you can make the script much faster by getting rid of the "descendants of folder" part.
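The same search logic outside of BigFix, as an added example (not from the post): the OS branch picks the profile root, the cheap size test runs before any hashing, and the output follows the post's <file>, <path>, <sha1>, <size> layout. The profile tree, file names and contents are constructed stand-ins, not the indicators from the post.

```python
import hashlib
import os
import tempfile

def profile_root(os_name):
    """Step 1 of the post: XP profiles live under Documents and Settings, Win7 under Users."""
    roots = {"winxp": r"C:\Documents and Settings", "win7": r"C:\Users"}
    return roots.get(os_name.lower())  # None: "This is not XP or Win7 box."

def sha1_of(path, chunk=1 << 20):
    """Hash in chunks so a large candidate never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_by_size_and_sha1(root, size, sha1):
    """Walk every descendant of root; the cheap stat() size test runs first, hashing only size matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) == size and sha1_of(path) == sha1:
                    hits.append((name, path, sha1, size))
            except OSError:
                continue  # locked, unreadable or vanished file: skip it, keep walking
    return hits

def build_sample_tree():
    """Constructed stand-in for a profile folder: one true match plus a same-size decoy."""
    root = tempfile.mkdtemp(prefix="profiles_")
    payload, decoy = b"A" * 1024, b"B" * 1024  # equal size, different content
    for sub, name, data in (("Administrator/Desktop", "name.exe", payload), ("Guest", "decoy.bin", decoy)):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as f:
            f.write(data)
    return root, len(payload), hashlib.sha1(payload).hexdigest()

if __name__ == "__main__":
    root, size, digest = build_sample_tree()
    for name, path, h, n in find_by_size_and_sha1(root, size, digest):
        print(f"{name}, {path}, {h}, {n}")  # same <file>, <path>, <sha1>, <size> layout as the post
```

On a real host you would pass profile_root("Win7") or profile_root("WinXP") as root together with the size and sha1 of the file you are hunting.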
