{"id":99,"date":"2024-11-14T18:56:22","date_gmt":"2024-11-14T17:56:22","guid":{"rendered":"https:\/\/aralez.co\/index.php\/docs\/documentation\/3-core-functionality\/supported-data-types\/"},"modified":"2024-11-17T20:46:30","modified_gmt":"2024-11-17T19:46:30","password":"","slug":"supported-data-types","status":"publish","type":"docs","link":"https:\/\/aralez.co\/index.php\/docs\/supported-data-types\/","title":{"rendered":"Supported Data Types"},"content":{"rendered":"\n<p>Aralez is capable of collecting a wide variety of data types essential for investigations. From standard user files to specialized NTFS artifacts, Aralez ensures comprehensive data collection to meet the needs of digital forensics, malware analysis, and threat hunting.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Standard Files<\/h4>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Description<\/h6>\n\n\n\n<p>Standard files include user-generated and system files such as documents, logs, executables, and more.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Technical Details<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Files are collected based on directory paths and file patterns using glob matching (e.g., <code>*.docx<\/code>, <code>*.log<\/code>, <code>*.exe<\/code>).<\/li>\n\n\n\n<li>Recursive searches can be enabled to include files in subdirectories.<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\">Use Cases<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Retrieve documents for user activity analysis.<\/li>\n\n\n\n<li>Collect logs for troubleshooting or forensic investigation.<\/li>\n\n\n\n<li>Analyze executables for malware detection.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>Important<\/strong>: NTFS metadata files such as <code>$Boot<\/code> can be collected as well.<\/em><\/p>\n<\/blockquote>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">File Slacks<\/h4>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Description<\/h6>\n\n\n\n<p>File slack is the unused tail of the last disk cluster allocated to a file, after the file\u2019s logical data ends. It can contain residual data from deleted files or hidden malicious payloads.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Technical Details<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NTFS allocates whole clusters (4 KiB by default), so slack lies inside the space allocated to the file: a 120-byte file occupies one cluster and leaves 3976 bytes of slack.<\/li>\n\n\n\n<li>Windows zero-fills only the remainder of the last sector it writes; the other sectors of the cluster keep whatever was there before, so slack may hold fragments of overwritten or deleted data.<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\">Use Cases<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recover residual data from deleted files.<\/li>\n\n\n\n<li>Detect malicious code or configurations hidden in slack space.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>Important<\/strong>: file slack is collected automatically together with the file and saved with a <span class=\"highlight\">.FileSlack<\/span> extension.<\/em><\/p>\n<\/blockquote>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Alternate Data Streams (ADS)<\/h4>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Description<\/h6>\n\n\n\n<p>Alternate Data Streams (ADS) are additional named streams that NTFS attaches to a file or directory, stored alongside the main (unnamed) data stream.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Technical Details<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ADS are not shown by standard file listings; <code>dir \/r<\/code> or PowerShell <code>Get-Item -Stream *<\/code> reveals them.<\/li>\n\n\n\n<li>Often used to hide metadata, configurations, or malicious payloads.<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\">Use Cases<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collect the NTFS change journal, which itself lives in an ADS (<code>$UsnJrnl:$J<\/code>).<\/li>\n\n\n\n<li>Identify malware or hidden data attached to legitimate files.<\/li>\n\n\n\n<li>Analyze supplementary data used by attackers to evade detection.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>Important<\/strong>: to collect an ADS, specify the filename followed by a colon and the stream name (<code>file:stream<\/code>).<\/em><\/p>\n<\/blockquote>\n\n\n\n<p>Example:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">entries:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">ads_file:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #88C0D0\">-<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">root_path:<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #EBCB8B\">\\\\<\/span><span style=\"color: #D8DEE9\">$Extend<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">      <\/span><span style=\"color: #88C0D0\">objects:<\/span><span style=\"color: #D8DEE9FF\"> [<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9\">$UsnJrnl<\/span><span style=\"color: #A3BE8C\">:<\/span><span style=\"color: #D8DEE9\">$J<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\">]<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Here <span class=\"highlight\">$UsnJrnl<\/span> is the filename and <span class=\"highlight\">$J<\/span> the name of the ADS; <code>$Extend<\/code> is the hidden NTFS metadata directory at the volume root that holds the change journal.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Indexes<\/strong><\/h4>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Description<\/h6>\n\n\n\n<p>Indexes in NTFS are specialized data structures used to organize and store metadata about files and directories efficiently. These indexes are essential for quick file lookups and directory traversal.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Technical Details<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NTFS keeps directory entries in a B-tree: a small directory fits in the resident <strong>INDEX_ROOT<\/strong> attribute; once it outgrows that, entries move to the non-resident <strong>INDEX_ALLOCATION<\/strong> attribute, a run of (typically 4 KiB) <code>INDX<\/code> records.<\/li>\n\n\n\n<li>Each entry carries a copy of the file\u2019s <code>$FILE_NAME<\/code> attribute: name, MFT reference, timestamps, sizes, and flags. When a file is deleted its entry leaves the live list, but the bytes usually remain in the unused tail (slack) of the <code>INDX<\/code> record until overwritten, which is why indexes still describe deleted or renamed files.<\/li>\n\n\n\n<li>As a directory grows, more <code>INDX<\/code> records are allocated and the tree is rebalanced, so NTFS handles very large directories without performance degradation.<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\">Use Cases<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Forensic Investigations<\/strong>: Analyze directory metadata to identify files that were recently added, modified, or deleted.<\/li>\n\n\n\n<li><strong>Hidden Data Detection<\/strong>: Recover information about files that have been hidden or removed but leave traces in indexes.<\/li>\n\n\n\n<li><strong>Timeline Reconstruction<\/strong>: Use timestamp metadata to build activity timelines for forensic analysis.<\/li>\n<\/ul>\n\n\n\n<p>Indexes play a critical role in understanding how NTFS organizes and retrieves files, making them indispensable for detailed forensic investigations.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>Important<\/strong>: directory indexes are collected automatically and saved with a <span class=\"highlight\">.idx<\/span> extension.<\/em><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Aralez is capable of collecting a wide variety of data types essential for investigations. From standard user files to specialized NTFS artifacts, Aralez ensures comprehensive data collection to meet the needs of digital forensics, malware analysis, and threat hunting. Standard Files Description Standard files include user-generated and system files such as documents, logs, executables, and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"doc_category":[10],"doc_tag":[],"class_list":["post-99","docs","type-docs","status-publish","hentry","doc_category-3-core-functionality"],"blocksy_meta":[],"aioseo_notices":[],"year_month":"2026-04","word_count":474,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"ab","author_nicename":"admin5116","author_url":"https:\/\/aralez.co\/index.php\/author\/admin5116\/"},"doc_category_info":[{"term_name":"3. Core Functionality","term_url":"https:\/\/aralez.co\/index.php\/docs-category\/3-core-functionality\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/docs\/99","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/comments?post=99"}],"version-history":[{"count":9,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/docs\/99\/revisions"}],"predecessor-version":[{"id":473,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/docs\/99\/revisions\/473"}],"wp:attachment":[{"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/media?parent=99"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/doc_c
ategory?post=99"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/aralez.co\/index.php\/wp-json\/wp\/v2\/doc_tag?post=99"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
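The File Slacks section of the page above describes slack in one sentence. The script below is an added example written for this page; it is not Aralez code and says nothing about how Aralez reads slack. It models one NTFS cluster run with the default 4 KiB cluster and 512-byte sector (both assumptions), shows the difference between the zero-filled RAM slack and the untouched drive slack left behind when a smaller file overwrites a larger deleted one, and carves printable strings from the drive slack. All input data is constructed inline.

```python
"""File slack on NTFS, as an added example; this is not Aralez code.

Constructed scenario: an older, larger file filled a cluster, was deleted
(clusters freed but not wiped), then a smaller file was written over it.
Windows zero-fills only the tail of the last sector it writes (RAM slack);
the remaining sectors of the last cluster keep their old content (drive
slack), which is the part worth carving from a slack capture.
"""
SECTOR = 512
CLUSTER = 4096  # assumption: default NTFS cluster size


def round_up(n, unit):
    """Round n up to a multiple of unit (0 stays 0)."""
    return -(-n // unit) * unit


def slack_size(logical_size, cluster=CLUSTER):
    """Bytes between the end of a file's data and the end of its last cluster."""
    return round_up(logical_size, cluster) - logical_size


def simulate_overwrite(old_data, new_data, cluster=CLUSTER, sector=SECTOR):
    """Raw bytes of the clusters holding new_data after it replaced old_data."""
    disk = bytearray(old_data.ljust(round_up(len(old_data), cluster), b"\x00"))
    new_alloc = round_up(len(new_data), cluster)
    disk.extend(b"\x00" * max(0, new_alloc - len(disk)))
    disk[:len(new_data)] = new_data
    # RAM slack: the OS pads the final sector it writes with zeros ...
    ram_end = round_up(len(new_data), sector)
    disk[len(new_data):ram_end] = b"\x00" * (ram_end - len(new_data))
    # ... but never touches the remaining sectors of the cluster.
    return bytes(disk[:new_alloc])


def split_slack(raw_clusters, logical_size, sector=SECTOR):
    """Split a file's raw clusters into (content, ram_slack, drive_slack)."""
    if logical_size > len(raw_clusters):
        raise ValueError("logical size exceeds the bytes allocated to the file")
    ram_end = min(round_up(logical_size, sector), len(raw_clusters))
    return (raw_clusters[:logical_size],
            raw_clusters[logical_size:ram_end],
            raw_clusters[ram_end:])


def carve_strings(data, min_len=6):
    """Printable-ASCII runs, the first triage pass over recovered slack."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def demo():
    """Constructed data: old log lines plus a credential, then a short new file."""
    old = b"2024-01-05 login ok\n" * 30 + b"api_key=sk_test_constructed\n"
    new = b"hello world\n" * 10                      # 120 bytes
    raw = simulate_overwrite(old, new)
    content, ram, drive = split_slack(raw, len(new))
    return content, ram, drive, carve_strings(drive)


if __name__ == "__main__":
    content, ram, drive, strings = demo()
    print(f"content={len(content)}B ram_slack={len(ram)}B drive_slack={len(drive)}B")
    print("carved from drive slack:", strings)
```

Run it with `python file_slack.py`. The 120-byte file leaves 3976 bytes of slack; the first 392 of those (up to the 512-byte sector boundary) are zeros, and the remaining 3584 bytes still carry the previous file's log lines and the credential, which is why a slack capture deserves the same string and signature triage as the file itself.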
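For the Indexes section of the page above: the script below is an added example and not Aralez code. It parses a raw NTFS INDX record (the on-disk block of an INDEX_ALLOCATION attribute) the way a forensic parser would: it applies the fixup array, walks the live $FILE_NAME entries, and then carves entries of deleted files from the unused tail of the record. The record it parses is constructed in the script itself; whether Aralez's .idx files are raw INDX records is not stated on the page and is not assumed here.

```python
"""NTFS INDX record walker: an added example, not Aralez code. Parses one raw
INDEX_ALLOCATION record, lists live $FILE_NAME entries, then carves stale entries
(deleted files) from the record's slack. The sample record is constructed below."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_HDR = "<QHHI"        # MFT ref, entry length, $FILE_NAME length, flags
FN_FMT = "<QQQQQQQIIBB"    # $FILE_NAME attribute up to the name (0x42 bytes)
MFT_MASK = (1 << 48) - 1   # low 48 bits of a file reference: MFT record number

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def apply_fixups(record):
    """Undo the update sequence array: on disk the last two bytes of every sector
    hold the USN; the originals sit in the array. A mismatch means a torn write."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    rec, usn = bytearray(record), record[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def plausible_entry(buf, off, end):
    """Structural checks shared by the live walk and the slack carver."""
    if off + 0x52 > end:
        return False
    _, entry_len, content_len, _ = struct.unpack_from(ENTRY_HDR, buf, off)
    name_len, namespace = buf[off + 0x50], buf[off + 0x51]
    expected = (0x10 + content_len + 7) & ~7
    return (name_len > 0 and namespace <= 3 and content_len == 0x42 + 2 * name_len
            and expected <= entry_len <= expected + 8   # +8 if a subnode VCN trails
            and off + entry_len <= end)

def parse_entry(buf, off):
    mft_ref, entry_len, _, _ = struct.unpack_from(ENTRY_HDR, buf, off)
    parent, created, modified, _, _, _, size, _, _, name_len, _ = \
        struct.unpack_from(FN_FMT, buf, off + 0x10)
    name = buf[off + 0x52:off + 0x52 + 2 * name_len].decode("utf-16-le", "replace")
    return {"mft": mft_ref & MFT_MASK, "parent": parent & MFT_MASK, "name": name,
            "size": size, "created": filetime_to_datetime(created),
            "modified": filetime_to_datetime(modified), "entry_len": entry_len}

def parse_index_record(record):
    """Return (live_entries, stale_entries) for one INDX record."""
    if record[:4] != b"INDX":
        raise ValueError("not an INDX record")
    rec = apply_fixups(record)
    first, used, allocated = struct.unpack_from("<III", rec, 0x18)   # node header
    off, end, slack_end = 0x18 + first, 0x18 + used, 0x18 + allocated
    live = []
    while off + 0x10 <= end:
        flags = struct.unpack_from(ENTRY_HDR, rec, off)[3]
        if flags & 0x02 or not plausible_entry(rec, off, end):
            break                        # 0x02 marks the terminating entry
        live.append(parse_entry(rec, off))
        off += live[-1]["entry_len"]
    stale, off = [], end                 # everything past `used` is slack
    while off + 0x52 <= slack_end:
        if plausible_entry(rec, off, slack_end):
            stale.append(parse_entry(rec, off))
            off += stale[-1]["entry_len"]
        else:
            off += 8                     # entries are 8-byte aligned
    return live, stale

def build_entry(mft_no, parent_no, name, when, size):
    """Constructed $FILE_NAME index entry; sequence numbers fixed to 1."""
    ft, name_u = datetime_to_filetime(when), name.encode("utf-16-le")
    content = struct.pack(FN_FMT, (1 << 48) | parent_no, ft, ft, ft, ft,
                          (size + 4095) & ~4095, size, 0x20, 0, len(name), 1) + name_u
    entry_len = (0x10 + len(content) + 7) & ~7
    return (struct.pack(ENTRY_HDR, (1 << 48) | mft_no, entry_len, len(content), 0)
            + content.ljust(entry_len - 0x10, b"\x00"))

def build_sample_record(size=4096):
    """Constructed 4 KiB record: two live entries plus one stale entry in slack."""
    t = datetime(2024, 3, 1, 12, tzinfo=timezone.utc)
    live = (build_entry(101, 5, "notes.txt", t, 1200)
            + build_entry(100, 5, "report.docx", t, 48000)
            + struct.pack(ENTRY_HDR, 0, 0x10, 0, 0x02))      # terminating entry
    stale = build_entry(102, 5, "payload.exe", t, 73216)    # file later deleted
    rec, usa_off, usa_count, first = bytearray(size), 0x28, size // SECTOR + 1, 0x28
    rec[0:0x18] = struct.pack("<4sHHQQ", b"INDX", usa_off, usa_count, 0, 0)
    rec[0x18:0x28] = struct.pack("<IIIB3x", first, first + len(live), size - 0x18, 0)
    rec[0x40:0x40 + len(live)] = live
    rec[0x48 + len(live):0x48 + len(live) + len(stale)] = stale
    rec[usa_off:usa_off + 2] = b"\x01\x00"                   # USN, then apply fixups
    for i in range(1, usa_count):
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(rec)

if __name__ == "__main__":
    print(parse_index_record(build_sample_record()))
```

Two points matter in practice. First, the fixup array must be applied before anything else: every 512-byte sector ends with the update sequence number on disk, so a parser that skips this step misreads any entry spanning a sector boundary, and a mismatch is itself a finding (a torn write or a tampered record). Second, the region between the node header's "used" and "allocated" sizes is not empty; entries of deleted files stay there until the record is rewritten, which is where `payload.exe` is recovered from in the sample, complete with its MFT number, sizes and timestamps.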