FastFinder

A lightweight tool for threat hunting, live forensics, and triage on Windows and Linux platforms. FastFinder is designed for endpoint enumeration and suspicious file finding based on various criteria.

Features

• File path/name matching
• MD5/SHA1/SHA256 checksum matching
• Simple string content match (grep)
• Complex content condition(s) based on YARA rules
• Support for Windows and Linux platforms
• Compiles to a standalone package with configuration and rules in a single binary

Usage

usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build "<value>"] [-o|--output "<value>"] [-n|--no-window] [-u|--no-userinterface] [-v|--verbosity <integer>] [-t|--triage]

 Incident Response - Fast suspicious file finder

Configuration

• Input path: Match files based on simple string and YARA rules
• Content match: Search for literal strings, YARA patterns, and checksums
• Options:
  • Content match depends on path match: Filter content searches by paths
  • Find in hard drives, removable drives, network drives, and CD-ROM drives
  • Copy matching files with base64 encoding
• Advanced parameters:
  • Yara RC4 key: Cipher/decrypt YARA rules using an RC4 key
  • Max scan file size: Ignore files larger than a specified size
  • Clean memory if file greater than size: Release memory after scanning large files

Search Options

• Wildcard characters: ? and \\*
• Regular expressions: Enclose paths with slashes
• Environment variables: Use %TEMP% or other environment variables in path searches

Notes

• Input paths are case-insensitive
• Content search strings (grep) are case-sensitive
• Backslashes should not be escaped except for regular expressions

Examples

Available examples directory contains real-world malwares, suspect behaviors, and vulnerability scans.