I have created a X-Tension for X-Ways Forensics called "Multiple File Finder".
It can search for filenames and/or path names and add the matching files to a specific report table.
The X-Tension can be used in the dialog "Refine Volume Snapshot" and via the directory browser context menu.
X-Ways Forensics can filter names and folders, but not multiple specific filenames in specific folders.
Here is a simple example what you can do with the Multiple File Finder X-Tension:
Quote::
Find files with the name "SYSTEM", "SOFTWARE" or "SAM" in the path "\Windows\System32\config\"
AND
find files with the name "NTUSER.DAT", which are located in a path containing "\Documents and Settings\"
AND
ignore files in the system-default user folders
AND
add these files to the report table "Windows Registry".
The definition file could look like this:
Code::
[Default]
ReportTable=Windows Registry[Item]
Path=Sm:\Windows\System32\config\
Name=R:^(SYSTEM|SOFTWARE|SAM)$
ReportTable={DEFAULT}[Item]
Path=S:\Documents and Settings\
Path=RN:\\(All Users|Default User|LocalService|NetworkService)\\$
Name=Sm:NTUSER.DAT
ReportTable={DEFAULT}[Item]
Path=S:\Dokumente und Einstellungen\
Path=RN:\\(All Users|Default User|LocalService|NetworkService)\\$
Name=Sm:NTUSER.DAT
ReportTable={DEFAULT}
The definition format for the search expressions is similar the format of an INI file. The X-Tension supports simple text as search term as well as regular expressions. The available data fields and options are described in detail (in English and German).
DOWNLOAD:
The latest beta version of the X-Tension can be downloaded at
http://www.gaijin.at/en/tecbetatest.php?dir=/xwf
For questions, feedback or a feature request please feel free to contact me.
↧