Best way to find a File on Managed Computers

GabeShack
Valued Contributor III

So we just got a copyright violation notice and I need to try to find a specific file on a managed computer. What would be the best way to do this? I was thinking about using the advanced commands to perform a Spotlight search; however, I don't see how to have it notify me if it finds said file.
Any Ideas?

Gabe Shackney
Princeton Public Schools


donmontalvo
Esteemed Contributor III

I suppose you can create an EA that uses:

```
mdfind "name-string"
```

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/mdfind.1.html

--
https://donmontalvo.com

GabeShack
Valued Contributor III

So I guess my goal would be to have it only report if it finds this file. I have to remember how to write a good EA.
Also would that find a file for any user or just the current one?
Thanks for the suggestion though.

Gabe Shackney
Princeton Public Schools

mm2270
Legendary Contributor III

@gshackney, can you be any more specific on exactly what you're looking to locate? Not the file name, but perhaps a file type, if you know what it is? Any other details that are known?

It's possible to create an EA and Smart Group combination that can alert you to any found files, but you'd need to know some specifics on what the file type is or other criteria or it will be difficult.

In truth, to answer your original question on 'best way', Casper Suite would not be my first choice for this. For as great as it is, it's not really well suited to this particular task. Something like ARD, for as old as it is, is often better at this kind of thing. But assuming the only real tool you have is Casper Suite, I think with the proper information you can make something that will help.

GabeShack
Valued Contributor III

Well, it's an mp4; unfortunately I only know the file name. I figured I can send out a request to only look for the file name on all managed machines and have Casper show me positive results.

A little reluctant to state the file name, but honestly if I was better at crafting an extension attribute I would not need the help.
Gabe

Gabe Shackney
Princeton Public Schools

nessts
Valued Contributor II

Well, you could do something like this:

```
#!/bin/bash
# Search the boot volume only (-xdev) for the file by exact name
result=$(find / -xdev -name my.mp4 2>/dev/null)
if [ -z "$result" ]; then
    result="Not Found"
fi
echo "<result>$result</result>"
```

mm2270
Legendary Contributor III

No need to state the file name, as I mentioned. I fully understand that since this is a copyright violation situation I would expect that you aren't able to or comfortable with revealing that, and that's OK.
But knowing that it's an mp4 and the file name will help a lot. See, mdfind, Spotlight's command line interface, has some pretty advanced functions for finding only specific file types, so you can create something that will exclude any file that is NOT an MP4 and look for any that have the file name as a match.

But in order to get it to work, you first need to find out how Spotlight sees mp4 files. The easiest way to do this is to use mdls, which is a component of Spotlight to view metadata on the command line. Note that you can also usually use the Finder for this, but I prefer mdls because you may also spot some other items that will help narrow down the search.
Use mdls like so-

```
mdls /path/to/file-or-folder
```

So if you have an existing legit mp4 on your Mac, you can point to it from Terminal with mdls. I just did this on my Mac on an MP4 file, and it shows that the kMDItemKind metadata lists as "MPEG-4 movie". So we can use that in our search.

```
mdfind -name 'kMDItemKind == "MPEG-4 movie"'
```

But we can go further, since this would likely find a lot of movie files that aren't what you're looking for. In the previous mdls command, you'll also see something called kMDItemFSName, which is the name of the file, so we can add that in-

```
mdfind -name 'kMDItemKind == "MPEG-4 movie" && kMDItemFSName == "File name of movie.mp4"'
```

That would give you better results. Additionally, if you know this may only exist in a User's home directory, you can direct Spotlight to only look through home folders and exclude all other locations-

```
mdfind -onlyin /Users/ -name 'kMDItemKind == "MPEG-4 movie" && kMDItemFSName == "File name of movie"'
```

Using the above, if it doesn't find anything that matches, it simply returns a null result. If it finds something it returns the full path to the file. Using all this together, we can make an EA that would look like this:

```
#!/bin/sh

search=$( mdfind -onlyin /Users/ -name 'kMDItemKind == "MPEG-4 movie" && kMDItemFSName == "File name of movie"' )

if [ "$search" != "" ]; then
    echo "<result>Yes
$search</result>"
else
    echo "<result>No</result>"
fi
```

The above EA would return a simple "No" for anything that doesn't match, but a Yes, followed by a new line and the path to the results, so you would know exactly where on the Mac the file is.

So now, create a Smart Group that would use something like:
Name of SG | like | Yes

Check it to email you on Smart Group change and just monitor any emails associated to that. There are more advanced ways of having the client itself email you directly when it runs the script, but that may not be necessary to do.

Hope the above helps.

stevewood
Honored Contributor II

@nessts way is right on and way more accurate than the mdfind method, but it will take a lot more time during the recon of machines. And, his script is looking for machines that do not have the file. You might try something like this:

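```
#!/bin/sh
findFile="Illegal.mp4"
# Ask Spotlight for anything matching the name
myFile=$(mdfind "$findFile")
# -n is true when $myFile is not empty, i.e. something was found
if [ -n "$myFile" ]; then
    echo "<result>FOUND</result>"
    exit 99
fi
exit 0
```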

That would be your EA, and then you would scope a Smart Group to that EA with a value of FOUND. The -n in the if/then clause is searching for the variable $myFile to not be empty.

Using mdutil will return results quicker than using find over the entire drive, however if Spotlight indexing is disabled, or if it is not up to date, you may return no results using mdutil when in fact the file is there. That's why Todd's method of using find is better, just longer on a recon.

stevewood
Honored Contributor II

Or you could just go with what @mm2270 said. :-)

GabeShack
Valued Contributor III

Maybe I will try both. The annoying part is it's possible that this doesn't exist on our machines and was something that came from our guest network traffic.

Thanks for the suggestions and I'll let you know if I get lucky!
Gabe Shackney
Princeton Public Schools


mm2270
Legendary Contributor III

It is true that since mdfind uses Spotlight's index, if the index is broken or inaccurate, you won't get the results you expect. Spotlight also doesn't index certain system level locations by design, so if by some chance a file is tucked away deep in a System level location it may not see it. But it's fast.
But 'find' can be very slow, so keep that in mind since it would be running during every recon. It is more accurate since it searches across the whole file system live, but I don't know that I'd want to create an EA that uses that myself. I suppose it all depends on how badly and quickly you need to locate this violating movie file.
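
The speed-versus-accuracy trade-off discussed in the posts above can be handled inside one Extension Attribute. The following is an added example, not code from any participant in this thread: it uses Spotlight when indexing is reported as enabled, falls back to a live `find` otherwise, and records which method produced the answer. `TARGET_NAME`, `SEARCH_ROOT` and `FORCE_FIND` are assumptions made for this sketch, as is the "Indexing enabled" text matched in the `mdutil -s` output.

```sh
#!/bin/sh
# Added example, not code from the thread. TARGET_NAME and SEARCH_ROOT are
# placeholders; FORCE_FIND is a hypothetical switch for this sketch.
TARGET_NAME="${TARGET_NAME:-placeholder-file-name.mp4}"
SEARCH_ROOT="${SEARCH_ROOT:-/Users}"
FORCE_FIND="${FORCE_FIND:-0}"   # 1 = skip Spotlight, always walk the disk

# True only when mdfind/mdutil exist and Spotlight reports indexing enabled
# on the boot volume. Assumes mdutil's status text contains "Indexing enabled".
spotlight_usable() {
    [ "$FORCE_FIND" = "1" ] && return 1
    command -v mdfind >/dev/null 2>&1 || return 1
    command -v mdutil >/dev/null 2>&1 || return 1
    mdutil -s / 2>/dev/null | grep -q "Indexing enabled"
}

# $1 = directory to search, $2 = exact file name.
# Prints an EA result that records which method produced the answer, so a
# "No (spotlight)" can be treated as weaker evidence than a "No (find)".
ea_result() {
    if spotlight_usable; then
        method="spotlight"
        hits=$(mdfind -onlyin "$1" "kMDItemFSName == \"$2\"" 2>/dev/null || true)
    else
        method="find"
        # -xdev stays on one volume; errors from unreadable folders are dropped
        hits=$(find "$1" -xdev -type f -name "$2" 2>/dev/null || true)
    fi
    if [ -n "$hits" ]; then
        printf '<result>Yes (%s)\n%s</result>\n' "$method" "$hits"
    else
        printf '<result>No (%s)</result>\n' "$method"
    fi
}

ea_result "$SEARCH_ROOT" "$TARGET_NAME"
```

A Smart Group criterion of `like Yes` on this EA still matches either method, and machines reporting `No (spotlight)` can be rechecked with `FORCE_FIND=1` if the index is in doubt.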

monaronyc
Contributor

Hi @mm2270, your insight is always much appreciated around here!!! Wondering if the strings above in your post are a little outdated. I tried up to the third one and received no file name specified. The 2 above it worked though. I know this is a post from 2013. We're in Sierra now. Think something may have changed since then?

mm2270
Legendary Contributor III

Hey @monaronyc As far as I know, mdfind hasn't really changed in Sierra, but I would need to do some testing to see for sure. So if I'm understanding you, it can find the file as long as you don't include the -onlyin option with the path to the /Users/ directory? Is that right?

monaronyc
Contributor

@mm2270 Correct! I tweaked it for my environment and I'm not getting any results back from the JSS. Here's mine:

```
#!/bin/sh

search=$( mdfind -onlyin /Users/ -name 'kMDItemKind == "Microsoft Word Macro-Enabled template (.dotm)" && kMDItemFSName == "HCCleanup.dotm"' )

if [ "$search" != "" ]; then
    echo "<result>Yes
$search</result>"
else
    echo "<result>No</result>"
fi
```

And what I like about this script is that it tells you the actual path of where the file is when it works.

monaronyc
Contributor

Hi @stevewood I know this post is a little outdated, but was wondering if there was a way to add some kind of a string to your script above to show maybe where the file was found on the local workstation. Like to have it display the actual path. Is that possible?

stevewood
Honored Contributor II

@monaronyc sure, just echo out the search. So in what I have above, if you are doing an Extension Attribute you'd change the result to:

```
echo "<result>${myFile}</result>"
```

monaronyc
Contributor

@stevewood EXCELLENT! Trying now. Oh and one thing... when we test this in ARD, we get an Error 99. Should we be concerned? And it doesn't matter what level of OS we shoot it to. Just thought I'd mention it. But it does work. We get the FOUND and path return.

stevewood
Honored Contributor II

@monaronyc my testing was on my local machine, so I cannot speak to ARD. YMMV with this. Sorry.

nickconway
New Contributor

I know this is super old but how would I tweak it to find certain .jpg files?

Thanks
Nick