File Carving with osquery
osquery can pull files from the endpoints it monitors using file carving. To start a carve, query the carves table with the desired file path and carve=1, which tells osquery to begin carving the matching files.
SELECT * FROM carves WHERE path LIKE '/tmp/files/%%' AND carve=1;
The carve runs once the scheduler dispatches the request. You can check the status of a carve to see whether it has completed yet; the status is one of STARTING, PENDING, SUCCESS, or FAILED.
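The full start-and-poll cycle, as an added example that is not part of the original page. The column names (carve_guid, request_id, status, size, sha256, path, time) are those of osquery's carves table; the request path /tmp/files/ and the carve_guid value used in the last query are constructed placeholders. The double `%%` in the LIKE pattern asks osquery to match recursively below the directory, whereas a single `%` matches only one level.

```sql
-- 1. Start a carve of everything under /tmp/files/ (recursive).
--    carve=1 is the trigger; without it the query only lists rows.
SELECT * FROM carves
WHERE path LIKE '/tmp/files/%%' AND carve=1;

-- 2. Poll for carves that have not finished yet. The carver moves each
--    request through STARTING -> PENDING -> SUCCESS (or FAILED), so an
--    empty result here means every dispatched carve has terminated.
SELECT carve_guid, request_id, status, path, time
FROM carves
WHERE status IN ('STARTING', 'PENDING');

-- 3. Review finished carves, including anything that FAILED, so a
--    silently missing file is noticed rather than assumed to have been
--    collected. The sha256 is what to compare against the archive the
--    backend received.
SELECT carve_guid, status, path, size, sha256, time
FROM carves
WHERE status IN ('SUCCESS', 'FAILED')
ORDER BY time DESC;

-- 4. Look up a single carve by its GUID (placeholder value) when
--    matching an upload on the backend to the request on the endpoint.
SELECT status, path, size, sha256
FROM carves
WHERE carve_guid = '00000000-0000-0000-0000-000000000000';
```

The carve=1 query can be placed in the schedule so that it fires on the configured interval; the status queries are the ones to run ad hoc from a distributed query or osqueryi when verifying that a collection actually happened.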
How to enable file carving
File carving is disabled by default. To enable it, you must pass the flag --disable_carver=false.
Additionally, you may want to configure the following flags for your backend:
--carver_compression=true
--carver_block_size=300000
--carver_start_endpoint=/start_uploads
--carver_continue_endpoint=/upload_blocks
--carver_disable_function=false
Excerpted from this blog post:
carver_compression turns on Zstd compression for the files being returned
carver_disable_function allows for using carve as a function
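Using carve as a function, as an added example that is not part of the original page or blog post. It assumes --carver_disable_function=false has been set (the flag listed above) and that the carve() function takes a file path as its argument; the directory /var/log/audit/ and the one-hour window are constructed for the example.

```sql
-- Carve only the audit logs modified in the last hour, selected from the
-- file table rather than by a fixed path pattern. carve() is invoked per
-- matching row, so the WHERE clause decides exactly what leaves the host.
SELECT path, size, mtime, carve(path)
FROM file
WHERE path LIKE '/var/log/audit/%'
  AND mtime > (strftime('%s', 'now') - 3600);

-- The resulting carves show up in the carves table like any other, so
-- the same status check applies.
SELECT carve_guid, status, path, size
FROM carves
WHERE path LIKE '/var/log/audit/%'
ORDER BY time DESC;
```

Because carve() fires for every row the surrounding query returns, keep the predicate tight (path prefix plus a time or size bound) so a broad query does not ship an entire directory tree to the backend.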