What's the difference between TScopy and RawCopy?

2025-04-09 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains the difference between TScopy and RawCopy. The content is simple and clear and easy to follow; please read along with the editor to learn what distinguishes TScopy from RawCopy.

About TScopy

During incident response (IR), analysts frequently need to access or analyze files on the file system. Sometimes these files are locked by the operating system (OS) because they are in use, which gets in the way of the investigation. TScopy allows a user running with administrator privileges to access locked files by parsing the raw file system to find where the file is stored and copying it out without going through the operating system.

Of course, there are other tools in the community that perform similar tasks, such as RawCopy, and our TScopy is based on that tool. However, RawCopy has some drawbacks, which is why we developed TScopy and improved the tool's performance, integration and scalability.

TScopy is a Python script that parses the NTFS $MFT file to locate and copy specific files. By reading the master file table (MFT) directly, the script bypasses the operating system's lock on the file. The earlier RawCopy was written in AutoIT and was difficult to modify, so we decided to port RawCopy to Python.

TScopy is designed to be run as a stand-alone program or imported as a Python module.

The difference between TScopy and RawCopy

TScopy is written in Python and is organized into classes, which makes it easier to maintain and read than the AutoIT original. AutoIT binaries may also be flagged as malicious by anti-virus products, because a lot of malware already uses AutoIT.

The main difference between TScopy and RawCopy is that TScopy can copy multiple files in a single execution and can cache the file system structure. TScopy offers options to copy a single file, multiple comma-separated files, the contents of a directory, wildcard paths (for single files or directories), and directories recursively. As it walks the full path of a target file, TScopy caches the location of each directory and file it passes through. It then uses this cache to shorten the search for any other files, so later copies run faster. This is a significant advantage over RawCopy, which walks the entire path again for every file.
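As an added illustration (not code from the TScopy project), the following Python sketch shows the two mechanisms the paragraph above describes: reading a file's name and parent-directory reference out of an NTFS $FILE_NAME attribute, and caching every resolved directory so that a second file in the same tree costs a single record read instead of a walk back to the root. The byte layout follows the on-disk $FILE_NAME attribute; the mini MFT is constructed sample data.

```python
import struct

# Layout of the NTFS $FILE_NAME attribute body (what an MFT parser reads to
# learn a file's name and which directory record contains it):
#   0x00 parent file reference (low 48 bits = MFT record number, high 16 = sequence)
#   0x08 four 64-bit timestamps, 0x28 allocated size, 0x30 real size,
#   0x38 flags, 0x3C reparse value, 0x40 name length (chars), 0x41 namespace,
#   0x42 name in UTF-16LE
FILE_NAME_HDR = "<QQQQQQQIIBB"   # 66 bytes before the name

def build_file_name_attr(parent_rec, name, seq=1):
    """Construct a $FILE_NAME body for the demo (constructed sample data)."""
    ref = parent_rec | (seq << 48)
    return struct.pack(FILE_NAME_HDR, ref, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1) \
        + name.encode("utf-16-le")

def parse_file_name_attr(data):
    """Return (parent_record_number, name) from a $FILE_NAME attribute body."""
    fields = struct.unpack_from(FILE_NAME_HDR, data)
    parent_ref, name_len = fields[0], fields[9]
    parent_rec = parent_ref & 0xFFFFFFFFFFFF            # strip the sequence number
    name = data[66:66 + 2 * name_len].decode("utf-16-le")
    return parent_rec, name

# Constructed mini MFT: record number -> $FILE_NAME body. Record 5 is the
# volume root directory; on real NTFS its parent reference points to itself.
MFT = {
    5:  build_file_name_attr(5, "."),
    64: build_file_name_attr(5, "Windows"),
    65: build_file_name_attr(64, "System32"),
    66: build_file_name_attr(65, "config"),
    67: build_file_name_attr(66, "SYSTEM"),
    68: build_file_name_attr(66, "SOFTWARE"),
}

class PathCache:
    """Resolves MFT record numbers to full paths, remembering every directory
    seen so later lookups in the same tree stop at the first cached ancestor."""
    def __init__(self, mft):
        self.mft = mft
        self.cache = {5: ""}      # root resolves to an empty prefix
        self.records_read = 0     # how many MFT records were actually parsed

    def path_of(self, rec):
        if rec in self.cache:
            return self.cache[rec]
        self.records_read += 1
        parent, name = parse_file_name_attr(self.mft[rec])
        full = self.path_of(parent) + "\\" + name
        self.cache[rec] = full
        return full
```

Resolving record 67 (SYSTEM) parses four records; resolving 68 (SOFTWARE) afterwards parses only one, because config and its ancestors are already cached.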

Tool download

Researchers can use the following commands to clone the source code of the project locally:

git clone https://github.com/trustedsec/tscopy.git

TScopy operation options:

.\TScopy_x64.exe -h
usage:

    TScopy_x64.exe -r -o c:\test -f c:\users\tscopy\ntuser.dat
        Description: Copies only the ntuser.dat file to the c:\test directory
    TScopy_x64.exe -o c:\test -f c:\Windows\system32\config
        Description: Copies all files in the config directory but does not copy the directories under it.
    TScopy_x64.exe -r -o c:\test -f c:\Windows\system32\config
        Description: Copies all files and subdirectories in the config directory.
    TScopy_x64.exe -r -o c:\test -f c:\users\*\ntuser*,c:\Windows\system32\config
        Description: Uses wildcards and listings to copy any file beginning with ntuser under user accounts and recursively copies the registry hives.

Copy protected files by parsing the MFT. Must be run with Administrator privileges

optional arguments:
    -h, --help            show this help message and exit
    -f FILE, --file FILE  Full path of the file or directory to be copied. Filenames can be grouped in a comma separated list. Wildcard '*' is accepted.
    -o OUTPUTDIR, --outputdir OUTPUTDIR
                          Directory to copy files to. Copy will keep paths
    -I, --ignore_saved_ref_nums
                          Script stores the Reference numbers and path info to speed up internal run. This option will ignore and not save the stored MFT reference numbers and path
    -r, --recursive       Recursively copies directory. Note this only works with directories.

There is also a hidden "--debug" option that enables debug mode output.

Sample use of tools

The following command copies the SYSTEM registry hive to e:\outputdir; the new file path is e:\outputdir\windows\system32\config\SYSTEM:

TScopy_x64.exe -f c:\windows\system32\config\SYSTEM -o e:\outputdir

Adding the -I option to that command copies the SYSTEM hive to e:\outputdir but ignores previously cached reference numbers and does not save the current cache to disk:

TScopy_x64.exe -I -f c:\windows\system32\config\SYSTEM -o e:\outputdir

The following command copies the SYSTEM and SOFTWARE registry hives to e:\outputdir:

TScopy_x64.exe -f c:\windows\system32\config\SYSTEM,c:\windows\system32\config\SOFTWARE -o e:\outputdir

The following command copies the contents of the config directory to e:\outputdir:

TScopy_x64.exe -f c:\windows\system32\config\ -o e:\outputdir

The following command recursively copies the contents of the config directory to e:\outputdir:

TScopy_x64.exe -r -f c:\windows\system32\config\ -o e:\outputdir

The following command copies each user's NTUSER.DAT file to e:\outputdir:

TScopy_x64.exe -f c:\users\*\ntuser.dat -o e:\outputdir

For each user, the following command copies all files whose names start with NTUSER.DAT to e:\outputdir:

TScopy_x64.exe -f c:\users\*\ntuser.dat* -o e:\outputdir

The following command copies, in a single run, each user's Recent directory, the registry hive directory, and each user's PowerShell ConsoleHost_history.txt to e:\outputdir:

TScopy_x64.exe -f c:\users\*\AppData\Roaming\Microsoft\Windows\Recent,c:\windows\system32\config,c:\users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -o e:\outputdir

Thank you for reading. That is the content of "what's the difference between TScopy and RawCopy". After studying this article, I believe you have a deeper understanding of the difference between TScopy and RawCopy. How the tool behaves in a specific situation still needs to be verified in practice. The editor will keep publishing related articles; you are welcome to follow along.
