Optimizing Performance

Aralez is designed to handle the collection of large amounts of data efficiently, but its performance can vary depending on configuration choices, the size of the target system, and the complexity of tasks. This page provides best practices and strategies to optimize Aralez’s performance, with a focus on path searches and task configuration.

Key Areas to Optimize #

Efficient Path Searches #

Path searches are a critical component of Aralez’s workflow. The tool scans directories and matches files or directories using glob patterns. To enhance performance during path searches, consider the following:

Target Key Directories #

Focus on directories with high forensic value (e.g., \\Users, \\Windows\\System32) instead of scanning the entire system.

Limit the Search Scope #
  • Use precise root_path values so Aralez does not walk unrelated directories.
  • Avoid recursive patterns such as "**" or "**\\" unless they are genuinely required. A recursive glob descends into every subdirectory below root_path, so its cost grows with the size of the whole subtree rather than with the number of files you actually want.

Example:

entries:
  logs:
    - root_path: "\\Windows\\System32\\LogFiles"
      objects: ["*.log"]  # Target only log files in a specific directory

Use Specific Patterns in objects #
  • Define specific file patterns (e.g., *.evtx) so that only files relevant to your use case are matched. A broad pattern such as * pulls in every file in the directory, and each unwanted match still has to be read and copied.

Example:

entries:
  event_logs:
    - root_path: "\\Windows\\System32\\winevt\\Logs"
      objects: ["*.evtx"]  # Matches only event log files

Leverage Exclusions #
  • Use the exclude_drives field on tasks with drive: "*" to skip drives that are not relevant to the task, for example a volume that is already covered by a dedicated task.

Example:

tasks:
  all_drives_artifacts:
    type: "collect"
    priority: 2
    drive: "*"
    exclude_drives: ["C"]  # Excludes drive C from the search

Task Prioritization #

Tasks run in ascending priority order, so prioritizing them properly ensures that critical operations are executed first and that the most valuable artifacts are already on disk if a run is interrupted or cut short.

  • Assign low values (e.g., 1) to essential tasks that must run early, such as collecting the $MFT.
  • Assign high values to non-critical or optional tasks.

Example:

tasks:
  mft_collection:
    type: "collect"
    priority: 1  # Critical task executed first
    entries:
      mft:
        - root_path: "\\"
          objects: ["$MFT"]

  logs_collection:
    type: "collect"
    priority: 2  # Less critical task executed after MFT collection
    entries:
      logs:
        - root_path: "\\Windows\\Logs"
          objects: ["*.log"]

Limit File Size #

Restricting the size of collected files can improve performance, especially when targeting directories with large files, because every matched file is read in full and copied.

  • Use the max_size field (in bytes; 10485760 is 10 MiB) to skip files exceeding a specific limit.
  • max_size is set per entry. Apply it where size is a reasonable proxy for irrelevance and leave it off entries such as $MFT or event logs, whose files are expected to be large. A cap on a Downloads entry can also skip exactly the oversized installer you were looking for, so choose the limit with that trade-off in mind.

Example:

entries:
  suspicious_files:
    - root_path: "\\Users\\*\\Downloads"
      objects: ["*.exe", "*.dll"]
      max_size: 10485760  # Skip files larger than 10 MB

Disable Unnecessary Tasks #

Temporarily disable tasks that are not required for the current run. This reduces processing time and resource usage.

Example:

tasks:
  unused_task:
    type: "collect"
    priority: 100
    disabled: true  # This task will be skipped during execution
    entries:
      irrelevant_files:
        - root_path: "\\Temp"
          objects: ["*"]

Dynamic Path Handling #
  • Use environment variables (e.g., %USERPROFILE%) to target user-specific directories directly instead of scanning for them.
  • Note that %USERPROFILE% resolves to the profile of the account Aralez is running as. When the tool is launched as SYSTEM (for example from a scheduled task or an EDR deployment), that is the SYSTEM profile rather than the logged-on user's, so use a wildcard under \\Users (as in the suspicious_files example above) when every account must be covered.

Example:

entries:
  user_files:
    - root_path: "%USERPROFILE%\\Documents"
      objects: ["*.docx", "*.pdf"]

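The tips above fit together in a single task file. The configuration below is an added illustration written for this page, not a file shipped with Aralez; it uses only the fields shown above (tasks, type, priority, drive, exclude_drives, disabled, entries, root_path, objects, max_size). Two points are assumptions rather than documented behaviour: that entries under a drive: "*" task are resolved relative to each matched drive, and that a bare "**" in objects is the recursive pattern the scope section warns against.

```yaml
tasks:
  # 1. Critical artifact first: the $MFT at the volume root, no recursion,
  #    no size cap (it is large by design).
  mft_collection:
    type: "collect"
    priority: 1
    entries:
      mft:
        - root_path: "\\"
          objects: ["$MFT"]

  # 2. Event logs: one directory, one specific pattern, no size cap.
  event_logs:
    type: "collect"
    priority: 2
    entries:
      evtx:
        - root_path: "\\Windows\\System32\\winevt\\Logs"
          objects: ["*.evtx"]

  # 3. User-area binaries: a wildcard under \Users covers every profile
  #    (unlike %USERPROFILE%, which only covers the running account);
  #    the cap keeps one huge installer from stalling the run.
  user_downloads:
    type: "collect"
    priority: 3
    entries:
      downloads:
        - root_path: "\\Users\\*\\Downloads"
          objects: ["*.exe", "*.dll"]
          max_size: 10485760   # 10 MiB, expressed in bytes

  # 4. Secondary volumes only: C: is already covered by the tasks above.
  #    Assumption: root_path here is taken relative to each matched drive.
  other_drives:
    type: "collect"
    priority: 4
    drive: "*"
    exclude_drives: ["C"]
    entries:
      mft:
        - root_path: "\\"
          objects: ["$MFT"]

  # 5. The slow form of task 3, kept for comparison but disabled: a recursive
  #    glob from the volume root with no size limit walks the whole disk.
  #    Assumption: "**" in objects is the recursive pattern.
  full_scan_disabled:
    type: "collect"
    priority: 100
    disabled: true
    entries:
      everything:
        - root_path: "\\"
          objects: ["**"]
```

Because tasks run in ascending priority order, the $MFT is on disk before anything else starts, and the targeted tasks finish before the optional drive sweep. The last task costs nothing while disabled and can be switched on for a specific run when a full walk is actually justified.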
Monitoring and Logging #

Enable debug mode (--debug) to identify bottlenecks and optimize specific parts of your configuration.

Command:

aralez.exe --debug

  • Review the debug logs to identify tasks or directories consuming the most time.
  • Refine your configuration based on this analysis.


Copyright © 2024 - Areg Baghinyan