Hello. I want to search all files whose filename is different from the Original filename listed in the description. I have an example where a cryptojacker renames Xmrig.exe to sysupdate.exe. Inspection of the file shows the original filename. I want to search the rest of the system.
I think you might be misunderstanding what the “Original Name” column is - it is only used to display the untranslated name of the file, not any previous names the file had. See Autopsy User Documentation: Machine Translation
Thank you for your reply. Maybe I didn’t. But when an attacker changes the name of a file, the description still has the original executable name in it. So I want to search and find where the actual file name <> the untranslated Original Filename metadata in the description. I already see this result when I inspect the file in Autopsy, or in the client under Description in the file properties. I just need to figure out how to flag all files that might have been dropped onto a system and then disguised with a name such as sysupdate.exe. Here is the example. The attacker placed a miner on the system and renamed it Sysupdate. Here is the Autopsy info on this file:
$FILE_NAME Attribute Values:
Flags: Archive
Name: sysupdate.exe
Parent MFT Entry: 336516
Sequence: 1
and on the text tab
Copyright © 2016-2020 xmrig.com
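The check the poster describes, as a standalone added example (not code from any post in this thread and not part of Autopsy or The Sleuth Kit): the on-disk name is compared against the `OriginalFilename` entry of the PE version resource. Rather than walking the full PE resource tree, the script locates the `VS_VERSIONINFO` `String` structure whose key is `OriginalFilename` (UTF-16LE) and reads its value using the structure's own length fields. The sample bytes are constructed inline to stand in for a renamed miner; `scan_tree` is the function you would point at a mounted image or exported files. Names ending in `.exe`, `.dll` and `.sys` are an assumed default.

```python
import ntpath
import os
import struct

# "OriginalFilename" as it appears as a UTF-16LE, NUL-terminated szKey in a VS_VERSIONINFO String
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _align4(n):
    """Round up to a DWORD boundary (fields inside VS_VERSIONINFO are DWORD aligned)."""
    return (n + 3) & ~3


def build_version_string(key, value):
    """Construct one VS_VERSIONINFO 'String' structure. Used here only to build test data."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    header_len = 6 + len(key_b)              # wLength, wValueLength, wType + szKey
    pad = _align4(header_len) - header_len
    total = header_len + pad + len(val_b)
    # For text values wValueLength counts WCHARs including the terminator; wType 1 = text
    return struct.pack("<HHH", total, len(val_b) // 2, 1) + key_b + b"\x00" * pad + val_b


def original_filename(data):
    """Return the OriginalFilename value from the first version String found, or None."""
    pos = data.find(KEY)
    while pos != -1:
        start = pos - 6                      # structure header sits 6 bytes before szKey
        if start >= 0:
            w_length, w_value_length, w_type = struct.unpack_from("<HHH", data, start)
            if w_type == 1 and 0 < w_value_length and w_length <= len(data) - start:
                # Value begins after szKey, padded to a DWORD boundary relative to the structure
                val_off = start + _align4(pos + len(KEY) - start)
                val_end = val_off + w_value_length * 2
                if val_end <= len(data):
                    raw = data[val_off:val_end]
                    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
        pos = data.find(KEY, pos + 2)
    return None


def check_file(path, data):
    """Classify one file: ('match'|'mismatch'|'no-version-info', original_filename)."""
    # ntpath.basename handles both '\\' and '/' so Windows paths work when run on Linux
    name = ntpath.basename(path)
    orig = original_filename(data)
    if orig is None:
        return ("no-version-info", None)
    # Windows filenames are case-insensitive, so compare case-folded
    if orig.lower() == name.lower():
        return ("match", orig)
    return ("mismatch", orig)


def scan_tree(root, exts=(".exe", ".dll", ".sys")):
    """Walk a directory (e.g. a mounted image) and return [(path, OriginalFilename)] for renamed binaries."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(exts):
                continue
            p = os.path.join(dirpath, f)
            try:
                with open(p, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            status, orig = check_file(p, data)
            if status == "mismatch":
                hits.append((p, orig))
    return hits


# Constructed sample: a stub with a version resource claiming OriginalFilename "xmrig.exe"
SAMPLE_RENAMED = (
    b"MZ" + b"\x00" * 64
    + build_version_string("CompanyName", "xmrig")
    + build_version_string("OriginalFilename", "xmrig.exe")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(check_file(r"C:\Windows\Temp\sysupdate.exe", SAMPLE_RENAMED))
    print(check_file(r"C:\Tools\xmrig.exe", SAMPLE_RENAMED))
    print(check_file(r"C:\Tools\plain.exe", b"MZ" + b"\x00" * 100))
```

Two caveats worth keeping in mind when triaging the output: `OriginalFilename` is attacker-controlled data in the binary and can be blanked or forged, so a match proves nothing, and legitimate installers and renamed vendor tools also produce mismatches, so the list is a triage queue rather than a verdict. A full PE parser (for example the `pefile` library) is more robust than this byte search if a file carries several language blocks or malformed resources.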
Could you possibly attach a screenshot to show where you’re seeing this?
If it’s in File Metadata under “From The Sleuth Kit istat Tool:” there’s not going to be a way to search for it since we just run istat on demand to populate that section.
Sorry for the late reply. I am testing a custom python script I made to do this. I will post more later.