SecOps Request: Filename Search

Background

We recently received a request from SecOps to search for the presence of dozens of specific filenames on multiple users’ hard drives.

The following script leverages mdfind to search for a file by name; use mdfind -interpret to search for the contents of a file.

Add filenames to declare -a files=( … ) as needed; generous amounts of testing / validation will be required.

(Note: "UBF8T346G9.OneDriveSyncClientSuite" was included to validate the script is actually working.)


Script

#!/bin/bash
####################################################################################################
#
# ABOUT
#
#    Filename Search
#
####################################################################################################
#
# HISTORY
#
#    Version 1.0, 14-Nov-2018, Dan K. Snelson
#        Original version
#
####################################################################################################

echo " "
echo "***********************"
echo "*** Filename Search ***"
echo "***********************"
echo " "

authorizationKey="${4}"
# Check for a specified value in Parameter 4
if [[ "${authorizationKey}" != "]Iy9;;A)nV{KDl[WHj[VE*-Cs{" ]]; then

    echo "Error: Incorrect Authorization Key; exiting."
    exit 1

else

    echo "Correct Authorization Key; proceeding …"

fi



declare -a files=("UBF8T346G9.OneDriveSyncClientSuite"
"File I don't want to Security to find.rtf"
"Nothing to worry about.txt"
"Filename-goes-here.pdf"
"Add as many as needed.docx"
"Spaces are OK.ppt"
)

#set -x

for file in "${files[@]}"
do
    printf '\nSearching for: "%s" ...\n' "${file}"
    # mdfind prints one path per line; keep each match as its own array element
    # To search for contents of file, replace -name with -interpret; see man mdfind
    matches=()
    while IFS= read -r match; do
        matches+=( "${match}" )
    done < <( /usr/bin/mdfind -name "${file}" )
    if [[ ${#matches[@]} -eq 0 ]]; then
        echo "\"$file\" NOT found"
    else
        # Print metadata for every match, not only the first
        for match in "${matches[@]}"; do
            printf 'Found: "%s"; printing metadata for "%s" ...\n\n' "${file}" "${match}"
            /usr/bin/mdls "${match}"
        done
    fi
    printf '\n============================================================\n'
done

#set +x

exit 0
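
Added example (not part of the original script): mdfind answers from the Spotlight index, so a location that is not indexed cannot produce a hit, and "NOT found" is worth cross-checking with a filesystem walk. The function names escape_glob, fs_search, fs_count and fs_report are hypothetical, the root directory to walk is an assumption, and matching is on the exact, case-sensitive name.

```bash
#!/bin/bash
# Added example: cross-check requested names with find instead of the Spotlight index.

# escape_glob NAME: backslash-escape the characters find -name treats as
# pattern syntax, so a name such as "report[1].pdf" is compared literally.
escape_glob() {
    printf '%s' "$1" | sed 's/[][*?\\]/\\&/g'
}

# fs_search ROOT NAME: print every path under ROOT whose last component is
# exactly NAME. No -type filter, so directories and bundles match too.
fs_search() {
    find "$1" -name "$(escape_glob "$2")" -print 2>/dev/null
}

# fs_count ROOT NAME: number of matches. One dot is emitted per match, so a
# path that contains a newline is still counted once.
fs_count() {
    find "$1" -name "$(escape_glob "$2")" -exec printf '.' \; 2>/dev/null \
        | wc -c | tr -d ' '
}

# fs_report ROOT NAME...: summary line per requested name, followed by the
# matching paths. Returns 0 if any name was found, 1 if none were.
fs_report() {
    local root="$1" name hits found=1
    shift
    for name in "$@"; do
        hits=$(fs_count "${root}" "${name}")
        if [ "${hits}" -gt 0 ]; then
            printf 'FOUND (%s): "%s"\n' "${hits}" "${name}"
            fs_search "${root}" "${name}"
            found=0
        else
            printf 'NOT found: "%s"\n' "${name}"
        fi
    done
    return "${found}"
}
```

Call it as fs_report /Users "Spaces are OK.ppt" "Filename-goes-here.pdf"; walking a whole home folder is far slower than an index query, so reserve it for the names mdfind did not find.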