# File Carving with osquery and Fleet
---
## File Carving
- What is file carving?
  - Ability to **grab** file(s) from a remote endpoint to a server for deeper analysis
- Major Wins/Use Cases:
  - For Incident Responders, removes the need to manually obtain files from a remote machine
  - Enables Remote Forensics
---
## How does File Carving work?
- Requirements
  - Needs a server to store the carved files (in this case Fleet is our server, which stores them in its MySQL db). Optionally one can use S3
  - osquery configuration: when enrolling hosts in Fleet, this is enabled and configured by default
---
## How does File Carving work?
- Two Steps:
  - Write a special query: osquery, on receiving this, starts the carving process (essentially tars up the file(s)) and sends the bits to our server
  - Retrieve: we will use `fleetctl` to retrieve the carved files
---
## File Carving: Configuration
- We will use Fleet as the carve server
- When enrolling hosts using Fleet (fleetd/UI), carving is enabled by default
- Query the `osquery_flags` table to check the carver-related configs
  - Of interest: `disable_carver`, `carver_start_endpoint`, `carver_continue_endpoint`, `carver_block_size`
---
## File Carving: Writing a query (step 1)
```sql
-- Single quotes: SQLite (osquery's engine) treats double-quoted strings as identifiers first
SELECT * FROM carves
WHERE carve = 1
AND path = '/path/to/file'
```
* When passing `carve = 1` along with the `path` to the `carves` table, we instruct osquery to begin carving that file
* We can check the status of carves with `select * from carves`
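Two small helpers for the configuration check and the carve query above, as an added example (not osquery or Fleet code). They assume the `osquery_flags` table exposes `name` and `value` columns and the `SELECT * FROM carves WHERE carve = 1 AND path = '...'` form shown on the slide; the sample flag rows are constructed and the endpoint values are placeholders, so compare against what your own hosts report.

```python
"""Carving pre-flight: check carver flags and build a safely quoted carve query."""

# Constructed sample rows, as `SELECT name, value FROM osquery_flags WHERE name LIKE '%carver%'`
# might return on a host enrolled in Fleet. Endpoint values are placeholders, not Fleet's real paths.
SAMPLE_FLAGS = [
    {"name": "disable_carver", "value": "false"},
    {"name": "carver_start_endpoint", "value": "/placeholder/carve/begin"},
    {"name": "carver_continue_endpoint", "value": "/placeholder/carve/block"},
    {"name": "carver_block_size", "value": "2000000"},
    {"name": "carver_compression", "value": "false"},
]


def carver_status(rows):
    """Decide from osquery_flags rows whether carving can work on this host.

    Returns a dict with `enabled` (bool), `block_size` (int or None) and
    `problems` (list of human-readable reasons carving would fail).
    """
    flags = {r["name"]: r["value"] for r in rows}
    problems = []

    # disable_carver=true is the usual reason a carve never starts
    if flags.get("disable_carver", "true").lower() != "false":
        problems.append("disable_carver is not false")

    # osquery needs both endpoints to stream blocks to the carve server
    for endpoint in ("carver_start_endpoint", "carver_continue_endpoint"):
        if not flags.get(endpoint):
            problems.append(f"{endpoint} is empty")

    block_size = None
    try:
        block_size = int(flags.get("carver_block_size", ""))
        if block_size <= 0:
            problems.append("carver_block_size must be positive")
    except ValueError:
        problems.append("carver_block_size is not an integer")

    return {"enabled": not problems, "block_size": block_size, "problems": problems}


def carve_query(path):
    """Build the step-1 query for one absolute path, escaping single quotes SQL-style."""
    if not path.startswith("/") and not (len(path) > 2 and path[1] == ":"):
        raise ValueError("carve path must be absolute")
    escaped = path.replace("'", "''")
    return f"SELECT * FROM carves WHERE carve = 1 AND path = '{escaped}'"


if __name__ == "__main__":
    status = carver_status(SAMPLE_FLAGS)
    print("carving enabled:", status["enabled"], "| block size:", status["block_size"])
    print(carve_query("/var/log/auth.log"))
```

Run the `osquery_flags` query through the Fleet UI or `fleetctl query` first; if `carver_status` reports problems, the carve row you insert in step 1 will sit there without ever reaching the server.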
---
## File Carving: Retrieval (step 2)
- Since we are using Fleet as the carve server, we will be using `fleetctl`
- List carves: `fleetctl get carves`
  - This lists all the carves along with an ID
- Retrieve carve: `fleetctl get carve --outfile carve.tar <carve_id>`
Note: carves expire after 24 hours (default settings)
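Once `carve.tar` is on the analyst's machine, the next thing an incident responder wants is an inventory with hashes (for the case notes and for chain of custody) and a guard against member names that would write outside the extraction directory. The following is an added example, not Fleet or osquery code; it assumes only that the retrieved artifact is a plain tar archive, and the sample archive is constructed in memory.

```python
"""Inventory a retrieved carve tarball: per-file SHA-256, with unsafe member names rejected."""
import hashlib
import io
import posixpath
import tarfile


def build_sample_carve():
    """Constructed stand-in for carve.tar: two ordinary files plus one hostile member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (
            ("etc/hosts", b"127.0.0.1 localhost\n"),
            ("var/log/auth.log", b"Failed password for root\n"),
            ("../../escape.txt", b"should never be extracted\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_unsafe_member(name):
    """True for absolute names or names that climb out of the extraction directory."""
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm == ".." or norm.startswith("../")


def inventory_carve(tar_bytes):
    """Return {'files': [{name, size, sha256}, ...], 'rejected': [names]} for an archive.

    Only regular files are hashed; directories, symlinks and other member
    types are ignored, and unsafe names are reported rather than read.
    """
    files, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if is_unsafe_member(member.name):
                rejected.append(member.name)
                continue
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            data = fh.read() if fh is not None else b""
            files.append({"name": member.name, "size": member.size, "sha256": sha256_hex(data)})
    return {"files": files, "rejected": rejected}


if __name__ == "__main__":
    # Replace build_sample_carve() with open("carve.tar", "rb").read() for a real retrieval
    result = inventory_carve(build_sample_carve())
    for entry in result["files"]:
        print(f"{entry['sha256']}  {entry['size']:>8}  {entry['name']}")
    for name in result["rejected"]:
        print(f"REJECTED unsafe member name: {name}")
```

Record the hashes alongside the carve ID and the host it came from before the 24-hour expiry removes the server-side copy. When you do extract, `tarfile.extractall(path, filter="data")` (Python 3.12, also backported to later 3.8+ point releases) applies the same traversal protection during extraction.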