CyLR v2.2 releases: Live Response Collection

CyLR

What is CyLR?

The CyLR tool collects forensic artefacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

The main features are:

• Quick collection (it’s really fast)
• Raw file collection process does not use Windows API
• Optimized to store the collected artefacts in memory (minimizing or removing entirely the need to write additional artefacts on the host disk)
• Built-in SFTP capability

CyLR tool collects forensic artefacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

The standard list of collected artifacts are:

Windows Default

• System Level Artifacts
  • %SYSTEMROOT%\SchedLgU.Txt
  • %SYSTEMROOT%\Tasks
  • %SYSTEMROOT%\Prefetch
  • %SYSTEMROOT%\inf\setupapi.dev.log
  • %SYSTEMROOT%\Appcompat\Programs
  • %SYSTEMROOT%\System32\drivers\etc\hosts
  • %SYSTEMROOT%\System32\sru
  • %SYSTEMROOT%\System32\winevt\logs
  • %SYSTEMROOT%\System32\Tasks
  • %SYSTEMROOT%\System32\LogFiles\W3SVC1
  • %SYSTEMROOT%\System32\config\SAM
  • %SYSTEMROOT%\System32\config\SYSTEM
  • %SYSTEMROOT%\System32\config\SOFTWARE
  • %SYSTEMROOT%\System32\config\SECURITY
  • %SYSTEMROOT%\System32\config\SAM.LOG1
  • %SYSTEMROOT%\System32\config\SYSTEM.LOG1
  • %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
  • %SYSTEMROOT%\System32\config\SECURITY.LOG1
  • %SYSTEMROOT%\System32\config\SAM.LOG2
  • %SYSTEMROOT%\System32\config\SYSTEM.LOG2
  • %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
  • %SYSTEMROOT%\System32\config\SECURITY.LOG2
  • %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
  • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %SystemDrive%$Recycle.Bin
  • %SystemDrive%$LogFile
  • %SystemDrive%$MFT
• Artifacts For All Users
  • {user.ProfilePath}\NTUSER.DAT
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
  • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
  • {user.ProfilePath}\NTUSER.DAT
  • {user.ProfilePath}\NTUSER.DAT.LOG1
  • {user.ProfilePath}\NTUSER.DAT.LOG2
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
  • {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
  • {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
  • {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
  • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
  • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
  • {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\

Mac and Linux Default

• “/var/log”,
• “/private/var/log/”,
• “/.fseventsd”,
• “/etc/hosts.allow”,
• “/etc/hosts.deny”,
• “/etc/hosts”,
• “/System/Library/StartupItems”,
• “/System/Library/LaunchAgents”,
• “/System/Library/LaunchDaemons”,
• “/Library/LaunchAgents”,
• “/Library/LaunchDaemons”,
• “/Library/StartupItems”,
• “/etc/passwd”,
• “/etc/group”
• All plist files
• All .bash_history files
• All .sh_history files
• Chrome Preference files
• FireFox Preference Files

Changelog v2.2.0

This version includes numerous modifications and introduction of new features,
highlighted below:

Added

• Logging is available, to destinations including the console, a log file, and
  embedded within the resulting archive. The log name is specified with -l
  and verbosity is adjusted with -v to increase or -q to silence.
• Added CUSTOM_PATH_TEMPLATE.txt with documentation on how to specify custom
  paths for collection.
• Implemented enumeration of files system contents in the same manner cross
  platform
• Through new FS enumeration, eliminated extra scanning/duplicate collection
  of data within symbolic link directories. Eliminated dependency on the
  find binary.
• Enabled the use of globbing patterns within paths. This includes patterns
  such as:
  • **/*.plist
  • /home/*/.*sh_history
  • \Windows\Temp\[a-z0-9][a-z0-9][a-z0-9][a-z0-9]\*
  • **/Library/*Support/Google/Chrome/Default/History*
• Enabled the use of regular expressions within paths. This includes full line
  and substring patterns, such as:
  • .*mawlare.*
  • ^C:\Windows\Temp\[A-Za-z0-9]{8}\.*$
  • ^C:\Windows\System32\Config\(SOFTWARE|SYSTEM|SAM|SECURITY).*$
• Added functionality to allow the user to select whether the existence of a
  custom collection list (-c) should be in addition to versus in place of
  the default artifact list. Continues to default to the replacement option
  where it will only collect specified files.
• Modified config file to support specification of path pattern type. Can be
  one of static, glob, or regex. Format should be a tab delimited text
  file with one pattern type and path per line. A line starting with a pound
  character will be ignored.
• Provided status messages to summarize the number of files scanned and paths
  staged for collection.
• Increased documentation of source code.

Removed

• Removed collection of Windows Search path due to large size on some systems
  (%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows).
  Please use -c to re-include as needed.

Changed

• Edited build scripts to point to C:\Program Files\7z instead of x86 folder
• Improved the default collection paths for Linux platforms.
• Modified the USNJrnl collection argument to default to disabled collection.
• Improved SFTP handling to collect to a local zip file and attempt the
  upload three times, with a 30 second delay between attempts.
• Semantic changes to packaging and build scripts to avoid alias use.
• Added packaging script check to see if packaging tool was local before
  re-downloading.
• Updated argument usage information.
• Added tests to increase coverage of Arguments.cs
• Updated to use travis-ci.com

Download

Use

'--help' — Show help message and exit.

'-od' — Defines the directory that the zip archive will be created in. Defaults to current working directory. (applies to SFTP and local storage options)

'-of' — Defines the name of the zip archive will be created. Defaults to host machine's name.

'-zp' — If specified, the resulting zip file will be password protected with this password.

SFTP Options

'-u' — SFTP username

'-p' — SFTP password

'-s' — SFTP Server resolvable hostname or IP address and port. If no port is given then 22 is used by default. The format is :. Usage: -s 8.8.8.8:22"

'-c' — Optional argument to provide custom list of artifact files and directories (one entry per line). NOTE: Must use full path including drive letter on each line. MFT can be collected by "C:$MFT" or "D:$MFT" and so on. Usage: -c

Copyright (C) 2017 Alan Orlikoski and Jason Yegge

Source: https://github.com/orlikoski/