https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
s

SK

12/21/2020, 8:29 AM
Goodday all, what kind of query can I use on Windows to get any results from device_file or device_hash or device_partitions? According to the schema on the website they are not available on Windows but they are available under 4.5.1.
Figured it out, here some examples for Windows, first get the id for the disk partition from 
disk_info
select * from device_partitions where device = '\\.\PHYSICALDRIVE0';
select * from device_file where device = '\\.\PHYSICALDRIVE0' and partition = 4;
select * from device_hash where device = '\\.\PHYSICALDRIVE0' and partition = 4 and inode=0;
Or 
block_devices
on Linux systems instead of 
disk_info
4 Views
Powered by