Aralez is capable of collecting a wide variety of data types essential for investigations. From standard user files to specialized NTFS artifacts, Aralez ensures comprehensive data collection to meet the needs of digital forensics, malware analysis, and threat hunting.
Standard Files #
Description #
Standard files include user-generated and system files such as documents, logs, executables, and more.
Technical Details #
- Files are collected based on directory paths and file patterns using glob matching (e.g., *.docx, *.log, *.exe).
- Recursive searches can be enabled to include files in subdirectories.
Use Cases #
- Retrieve documents for user activity analysis.
- Collect logs for troubleshooting or forensic investigation.
- Analyze executables for malware detection.
Important: Some specific system files, such as $Boot, can be collected as well.
File Slacks #
Description #
File slacks are the unused portions of disk clusters left after a file’s logical data ends. They can contain residual data from deleted files or hidden malicious payloads.
Technical Details #
- File slacks exist within the physical storage space allocated to a file.
- These regions may hold fragments of overwritten or deleted data.
Use Cases #
- Recover residual data from deleted files.
- Detect malicious code or configurations hidden in slack space.
Important: File slacks are collected automatically alongside the file, with a .FileSlack extension.
Alternate Data Streams (ADS) #
Description #
Alternate Data Streams (ADS) are hidden streams in NTFS files that allow additional data to be stored alongside the main file content.
Technical Details #
- ADS are not visible through standard file listings.
- Often used to hide metadata, configurations, or malicious payloads.
Use Cases #
- Analyze system logs.
- Identify malware or hidden data attached to legitimate files.
- Analyze supplementary data used by attackers to evade detection.
Important: to collect an ADS, specify the file name and the name of the ADS separated by a colon.
Example:

```yaml
entries:
  ads_file:
    - root_path: "\\$Extend"
      objects: ["$UsnJrnl:$J"]
```
In this case, $UsnJrnl is the filename and $J, the name of the ADS.
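As an added example (not Aralez's own loader), the following Python resolves the filename:ADS object syntax shown above, together with the glob patterns described under Standard Files, against a constructed directory listing. The config is a plain dict mirroring the YAML; the user_docs entry name, the volume contents and the Target type are assumptions.

```python
from __future__ import annotations
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import Optional

# Constructed config mirroring the YAML above as a dict; "user_docs" is a
# hypothetical entry name, only "ads_file" appears in the page's example.
CONFIG = {
    "entries": {
        "ads_file": [
            {"root_path": "\\$Extend", "objects": ["$UsnJrnl:$J", "$UsnJrnl:$Max"]},
        ],
        "user_docs": [
            {"root_path": "\\Users\\alice", "objects": ["*.docx", "*.log"]},
        ],
    }
}

# Constructed stand-in for a volume walk: file path -> names of its alternate data streams.
VOLUME = {
    "\\$Extend\\$UsnJrnl": ["$J", "$Max"],
    "\\Users\\alice\\report.docx": ["Zone.Identifier"],
    "\\Users\\alice\\setup.log": [],
    "\\Users\\alice\\tool.exe": ["hidden"],
}


@dataclass(frozen=True)
class Target:
    path: str              # full path of the NTFS file record
    stream: Optional[str]  # None = unnamed $DATA stream (the file itself), else the ADS name


def split_object(obj: str) -> tuple[str, Optional[str]]:
    """Split 'filename:stream' on the first colon; no colon means the main stream."""
    name, sep, stream = obj.partition(":")
    if sep and not stream:
        raise ValueError(f"empty ADS name in object {obj!r}")
    return name, (stream if sep else None)


def resolve(config: dict, volume: dict) -> list[Target]:
    """Expand every entry's objects into concrete (path, stream) targets present on the volume."""
    targets: list[Target] = []
    for rules in config["entries"].values():
        for rule in rules:
            root = rule["root_path"].rstrip("\\").lower()
            for obj in rule["objects"]:
                pattern, stream = split_object(obj)
                for path, streams in volume.items():
                    head, fname = ntpath.split(path)
                    # NTFS names are case-insensitive, so compare lowercased
                    if head.lower() != root or not fnmatch.fnmatchcase(fname.lower(), pattern.lower()):
                        continue
                    if stream is None:
                        targets.append(Target(path, None))
                    elif stream.lower() in (s.lower() for s in streams):  # ADS must exist
                        targets.append(Target(path, stream))
    return targets
```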
Indexes #
Description #
Indexes in NTFS are specialized data structures used to organize and store metadata about files and directories efficiently. These indexes are essential for quick file lookups and directory traversal.
Technical Details #
- NTFS uses the INDEX_ALLOCATION attribute to manage directory entries.
- Indexes store metadata such as file names, timestamps, and attributes, even for deleted or hidden files.
- When a directory grows large, additional entries are stored in INDEX_ALLOCATION, allowing NTFS to handle massive directories without performance degradation.
Use Cases #
- Forensic Investigations: Analyze directory metadata to identify files that were recently added, modified, or deleted.
- Hidden Data Detection: Recover information about files that have been hidden or removed but leave traces in indexes.
- Timeline Reconstruction: Use timestamp metadata to build activity timelines for forensic analysis.
Indexes play a critical role in understanding how NTFS organizes and retrieves files, making them indispensable for detailed forensic investigations.
Important: Indexes are collected automatically, with an .idx extension.