orlikoski / CyLR
CyLR - Live Response Collection Tool
License: GNU General Public License v3.0
I mean, doesn't everyone just have one drive?
Line 14 of CollectionPaths.cs
@"C:\Windows\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
Was probably meant to be:
@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
Great tool - but having issues integrating with our SFTP server (SSH on Debian)
Need to be able to tell CyLR what folder/path to upload to -- otherwise the user does not have permissions to write.
I'm not able to collect the UsnJrnl file for a Windows system. This artifact is located at $Extend/$UsnJrnl -> $J.
I think CyLR can't collect alternate data streams?
Thanks!
It would be nice to operate on servers that are configured to not use username authentication.
Add option to collect the following:
%systemdrive%\pagefile.sys
%systemdrive%\hiberfil.sys
CyLR.exe will not run and hangs forever when used with mono on a MacBook from a bash shell script.
Example:
Create script.sh:
sudo mono CyLR.exe 1> /dev/null
Run script.sh
~/script.sh
I had a case we were working where we'd used CyLR to collect our artefacts, and mid-way through the case we realised a user folder was missing.
Turns out, whilst the physical folder still existed on the system, the user had been deleted from the system - resulting in the registry not listing them, which in turn resulted in CyLR not picking up that path.
To overcome that I modified the way CyLR collects the Users folder to look for all folders within the C:\Users path instead of using the registry. This of course does have the possibility of backfiring on systems that don't use C:\Users for their storage location.
// SystemDrive and defaultPaths are defined elsewhere in CollectionPaths.cs; Directory needs `using System.IO;`.
string UserPath = SystemDrive + "\\Users\\";
string[] WinUserFolders = Directory.GetDirectories(UserPath);
foreach (var User in WinUserFolders)
{
    defaultPaths.Add($@"{User}\NTUSER.DAT");
    defaultPaths.Add($@"{User}\NTUSER.DAT.LOG1");
    defaultPaths.Add($@"{User}\NTUSER.DAT.LOG2");
    defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat");
    defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
    defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
    defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\Explorer");
    defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\WebCache\");
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\History");
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Cookies");    // add Chrome cookies
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Bookmarks");  // add Chrome Bookmarks
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Extensions"); // add Chrome extensions
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Shortcuts");  // add Chrome shortcuts
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\History");
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Cookies"); // Chrome Canary collection
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Bookmarks");
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions");
    defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Shortcuts");
    defaultPaths.Add($@"{User}\AppData\Local\ConnectedDevicesPlatform");
    defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
    defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\Recent");
    // defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\"); // is this redundant?
    defaultPaths.Add($@"{User}\AppData\Roaming\Mozilla\Firefox\Profiles");
}
As with my $Recycle.Bin code, SystemDrive is a variable set elsewhere to "C:". This will need to be declared or replaced with suitable environment variable paths.
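As an added example (not CyLR's own code, nor the reporter's patch), the following C# builds the profile list from both the registry ProfileList key and the Users folder on the system drive, so a profile whose account was deleted but whose folder remains is still collected, and a profile stored outside \Users is still found via the registry. It assumes Windows and, on .NET Core or later, the Microsoft.Win32.Registry package.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Win32;

// Added example, not part of CyLR. Enumerates user profile directories from two
// sources and merges them, so neither a deleted account (folder left on disk)
// nor a relocated profile (registered, but not under \Users) is missed.
static class ProfileEnumerator
{
    // Profiles Windows knows about: one subkey per SID under ProfileList, each
    // with a ProfileImagePath value (REG_EXPAND_SZ; GetValue expands it).
    // This also yields service profiles under \Windows\ServiceProfiles.
    public static IEnumerable<string> FromRegistry()
    {
        using (var list = Registry.LocalMachine.OpenSubKey(
            @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"))
        {
            if (list == null) yield break;
            foreach (var sid in list.GetSubKeyNames())
            {
                using (var key = list.OpenSubKey(sid))
                {
                    var path = key?.GetValue("ProfileImagePath") as string;
                    if (!string.IsNullOrEmpty(path)) yield return path;
                }
            }
        }
    }

    // Profiles present on disk under <SystemDrive>\Users, whether or not an
    // account still references them (the case described in the issue).
    public static IEnumerable<string> FromDisk()
    {
        var drive = Environment.GetEnvironmentVariable("SystemDrive") ?? "C:";
        var usersRoot = drive + @"\Users";
        return Directory.Exists(usersRoot) ? Directory.GetDirectories(usersRoot) : new string[0];
    }

    // Union of both sources, de-duplicated case-insensitively as NTFS paths are.
    public static List<string> AllProfilePaths()
    {
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var result = new List<string>();
        Action<string> add = p =>
        {
            var normalized = Path.GetFullPath(p).TrimEnd('\\');
            if (seen.Add(normalized)) result.Add(normalized);
        };
        foreach (var p in FromRegistry()) add(p);
        foreach (var p in FromDisk()) add(p);
        return result;
    }
}
```

Each returned path can then take the place of the `User` variable in the snippet above when building `defaultPaths`.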
When using a config file to collect files within the $Recycle.Bin folder, CyLR ignores any sub-folders and their contents. This is a problem since the Windows Recycle Bin creates a sub-folder for each user under $Recycle.Bin and stores their files within the sub-folder. In multiple tests I have been unable to collect files in these sub-folders.
CyLR will collect any files directly in the $Recycle.Bin folder (these would likely be malicious as there are no legitimate reasons to see files here). I also tested collection from user-generated folders named with a preceding "$", and CyLR was able to collect files recursively from them. Perhaps an attribute issue?
I know there is a configuration file option -c in which we can specify the drive letter; my question is, if I have the image of a PC mounted as the G: drive, how do I collect the default CyLR artifacts, and for all users?
Like most command line programs, /? should get you a help listing, vs -h. Maybe make it validate what is passed as options and, if something isn't right, show help?
Improve the readme and maybe add a wiki
Clean up the help and documentation
Support things like %SYSTEMROOT% in the -c option
This artifact is not being collected:
%systemroot%\Users%users%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
I'm using https://aws.amazon.com/sftp/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc but I cannot get CyLR to work with it.
It appears that I'm running into the same issue seen here pkg/sftp#305. Do you know if there's any way I can make it work out of the box? I may open a PR if I can figure out how to add an extra flag which will accomplish this.
The log output shows that the NTUSER.DAT is sometimes collected two times
Making my first attempt to actually modify some code. When I run "build_win.ps1" it runs fine. Next I run package_win.ps1 and it throws an error "CyLR\deployments\win-x64\CyLR.exe : The system cannot find the file specified." Isn't that what I am trying to build?
First time with .Net. Should be a blast. Thanks in advance.
When I try to run CyLR with PSEXEC with no arguments, CyLR shows the following error:
Error occured while collecting files:
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
at CyD:\CyLR.exe exited on HSM25M2 with error code 1.
Thank you.
Any one up for writing an s3 upload to add on? AWS has the code, https://docs.aws.amazon.com/AmazonS3/latest/dev/HLuploadFileDotNet.html. I just have no idea where to put it.
I don't find the CyLR script after pulling main git on mac ... any help? Thanks
Would be nice to have a parameter added when collecting only one file.
The current beta's unit test involves a race condition where the timestamp in the logging tests may increment between the generation of the "expected" and "actual" value.
This would also ideally allow for recursively selecting/finding files based on the specified regular expression.
Hi,
I have just started trying this tool out and have run into a problem. I noticed in the zip file produced by CyLR.exe the Google Chrome History file is a directory, not the History file I expected.
I am after the whole Google Chrome Default directory, files and sub-directories, so I tried the following.
D:\tmp\fred>CyLR_win-x64\CyLR.exe -c "C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default"
Error: Could not find file: C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default
Exiting
Error occured while collecting files:
System.ArgumentException: Value does not fall within the expected range.
at CyLR.CollectionPaths.GetPaths(Arguments arguments, List`1 additionalPaths) in /home/travis/build/orlikoski/CyLR/CyLR/src/CollectionPaths.cs:line 167
at CyLR.Program.Main(String[] args) in /home/travis/build/orlikoski/CyLR/CyLR/src/Program.cs:line 57
I am using CyLR Version 2.0.0.0, running as administrator, Windows 10 Home ver 1809. The path to the Google Chrome Default directory on my computer is correct.
Any suggestions on what I have done wrong?
Thanks
Cheers, Barrie
PythLR doesn't fit anymore, find awesome name.
Program should return error codes on failure to be more compatible with other command line tools.
Good afternoon,
I'm trying to use a custom artifacts list which is a stripped down version of the default. If the list contains any folder using the {user.ProfilePath} variable I seem to get an error:
Error occured while collecting files:
System.ArgumentException: Path '{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent' did not have a drive letter!
at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
at CyLR.read.RawFileSystem.GetFilesFromPath(String path)+MoveNext() in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 19
at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at System.Linq.Enumerable.SelectManySingleSelectorIterator`2.ToList()
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 115
at CyLR.Program.Main(String[] args) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 87
I've tried various configurations. It works fine if I don't use the {user.ProfilePath} key but always fails with it.
I need to be able to iterate through all the users existing on the Windows machine.
Any way to fix this?
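As an added example (not CyLR's own code), this C# expands one templated path from a custom config into concrete paths: %VAR% tokens come from the environment, and the {user.ProfilePath} placeholder is expanded once per profile directory passed in. Anything that still lacks a drive letter or an unexpanded %VAR% is reported to the caller instead of being handed to a raw NTFS reader, which is where the "did not have a drive letter!" error above originates. The profile list and templates in Main are constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not part of CyLR. Turns one config template into the concrete
// paths a collector can open, and separates out anything it could not resolve.
static class PathTemplate
{
    const string ProfileToken = "{user.ProfilePath}";
    static readonly Regex DriveLetter = new Regex(@"^[A-Za-z]:\\", RegexOptions.Compiled);
    static readonly Regex Unexpanded = new Regex(@"%[^%\\]+%", RegexOptions.Compiled);

    public static List<string> Expand(string template, IEnumerable<string> profilePaths, List<string> rejected)
    {
        var accepted = new List<string>();
        // ExpandEnvironmentVariables leaves unknown %VAR% tokens untouched; Classify catches those.
        var expanded = Environment.ExpandEnvironmentVariables(template);
        if (expanded.IndexOf(ProfileToken, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            // One concrete path per profile; the token is matched case-insensitively.
            foreach (var profile in profilePaths)
                Classify(ReplaceToken(expanded, profile.TrimEnd('\\')), accepted, rejected);
        }
        else Classify(expanded, accepted, rejected);
        return accepted;
    }

    static string ReplaceToken(string s, string value)
    {
        int i = s.IndexOf(ProfileToken, StringComparison.OrdinalIgnoreCase);
        return s.Substring(0, i) + value + s.Substring(i + ProfileToken.Length);
    }

    // Usable only if rooted at a drive letter with no leftover %VAR% tokens.
    static void Classify(string path, List<string> accepted, List<string> rejected)
    {
        if (DriveLetter.IsMatch(path) && !Unexpanded.IsMatch(path)) accepted.Add(path);
        else rejected.Add(path);
    }

    public static void Main()
    {
        // Constructed sample input: two profile folders and three templates.
        var profiles = new[] { @"C:\Users\alice", @"C:\Users\bob" };
        var rejected = new List<string>();
        foreach (var t in new[] { @"%SystemRoot%\System32\config\SAM",
                                  @"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent",
                                  @"%NOSUCHVAR%\Windows\Prefetch" })
            foreach (var p in Expand(t, profiles, rejected)) Console.WriteLine("collect: " + p);
        foreach (var r in rejected) Console.WriteLine("rejected: " + r);
    }
}
```

On a Windows host the first two templates yield three collectable paths and the third is reported as rejected rather than raising an exception mid-collection.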
Please investigate why the password doesn't get applied to the archive when the password flag is used.
Coupled with the feature request in issue #33, this could prove to be a powerful way to say, collect any executable/office doc created in the last day. (And since you could pull the $FN filetime from the parsing of the MFT, timestomped files would be collected also?)
Timestamps are squashed at collection. Would be nice to have the original timestamps preserved.
EDIT - To be more specific, I'm talking about the timestamp of the file placed in the archive itself.
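As an added example (not CyLR's own code), the following C# writes files into a zip while keeping each source file's last-write time on its entry and records full created/modified/accessed times in a manifest entry, because a zip entry timestamp has only two-second, local-time resolution and no created or accessed fields. It assumes .NET's System.IO.Compression (the ZipArchive API that the project's NativeArchive.cs uses; on .NET Framework, ZipFile additionally needs a reference to System.IO.Compression.FileSystem).

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.IO.Compression;
using System.Text;

// Added example, not part of CyLR. Archives files without squashing their
// timestamps: each entry carries the source LastWriteTime (within the 1980-2107
// range the zip format allows) and manifest.csv carries full MAC times in UTC.
static class TimestampPreservingArchive
{
    public static void Create(string archivePath, IEnumerable<string> files)
    {
        var manifest = new StringBuilder("path,created_utc,modified_utc,accessed_utc\n");
        using (var zip = ZipFile.Open(archivePath, ZipArchiveMode.Create))
        {
            foreach (var file in files)
            {
                var info = new FileInfo(file);
                // Capture times before reading the file so the access time is the original one.
                DateTime created = info.CreationTimeUtc, modified = info.LastWriteTimeUtc, accessed = info.LastAccessTimeUtc;
                // Entry name: drop the drive colon and leading separator, e.g. C\Windows\System32\...
                var name = info.FullName.Replace(":", "").TrimStart('\\', '/');
                var entry = zip.CreateEntry(name, CompressionLevel.Optimal);
                var lwt = new DateTimeOffset(info.LastWriteTime);
                if (lwt.Year >= 1980 && lwt.Year <= 2107) entry.LastWriteTime = lwt; // setter throws outside this range
                using (var src = info.OpenRead())
                using (var dst = entry.Open())
                    src.CopyTo(dst);
                manifest.Append(Csv(info.FullName)).Append(',')
                        .Append(Iso(created)).Append(',')
                        .Append(Iso(modified)).Append(',')
                        .Append(Iso(accessed)).Append('\n');
            }
            // The manifest is generated at collection time, so its own entry timestamp is irrelevant.
            using (var w = new StreamWriter(zip.CreateEntry("manifest.csv").Open(), new UTF8Encoding(false)))
                w.Write(manifest.ToString());
        }
    }

    // Round-trip ISO 8601 in UTC, e.g. 2021-03-04T05:06:07.1234567Z, keeping 100 ns precision.
    static string Iso(DateTime utc) => utc.ToString("o", CultureInfo.InvariantCulture);
    static string Csv(string s) => "\"" + s.Replace("\"", "\"\"") + "\"";
}
```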
Hello,
I'd like to compile the CyLR project. But I'm getting these errors. I did find this Library ICSharpCode.SharpZipLib.dll with project folders, did not seem to help me.
Here are the errors that I'm receiving.
Severity Code Description Project File Line Suppression State
Error CS0006 Metadata file 'C:\VS2015\CyLR\CyLR-master\CyLR\bin\Debug\CyLR.exe' could not be found CyLRTests G:\Open_Source_DFIR-\CyLR\CyLR-master\CyLRTests\CSC 1 Active
Error CS0246 The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?) CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 10 Active
Error CS0246 The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?) CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 14 Active
Error CS0103 The name 'ZipArchiveMode' does not exist in the current context CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 14 Active
Error CS0103 The name 'CompressionLevel' does not exist in the current context CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 19 Active
I'm hoping that all that I'm currently missing is the ZipArchive Reference File.
Thanks for any and all help,
Take Care,
-Troy
Allows for more control, especially in instances where the tool might be used as part of a script.
I tried running it and got an error. On x64 win10.
C:\Users\test\Downloads>CyLR.exe
Error occured while collecting files:
System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at CyLR.read.RawFileSystem.GetSystem(String path)
at CyLR.read.RawFileSystem.c__Iterator0.MoveNext()
at System.Linq.Enumerable.d__162.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
at CyLR.Program.Main(String[] args)
Create a module that will allow CyLR to upload resulting file to a signed URL
sudo ./CyLR -zp test
./CyLR: error while loading shared libraries: libcurl-gnutls.so.4: cannot open shared object file: no such file or directory
./CyLR: /lib64/libcurl-gnutls.so.4: no version information available (required by ./CyLR)
To limit the size of the output archive, it would be cool to be able to exclude files that exceed a certain size, ideally by specifying a size limit, alternatively by specifying an exclude list
Adding more tests will help us have confidence in our releases.
E:\$MFT
E:\$Recycle.Bin
E:\$LogFile
E:\Windows\System32\sru
E:\Windows\inf\setupapi.dev.log
E:\Windows\Appcompat\Programs
E:\Windows\System32\winevt\logs
E:\Windows\Tasks
E:\Windows\System32\Tasks
E:\Windows\Prefetch
E:\Windows\System32\config\SAM
E:\Windows\System32\config\SYSTEM
E:\Windows\System32\config\SOFTWARE
E:\Windows\System32\config\SECURITY
E:\Windows\System32\config\SAM.LOG1
E:\Windows\System32\config\SYSTEM.LOG1
E:\Windows\System32\config\SOFTWARE.LOG1
E:\Windows\System32\config\SECURITY.LOG1
E:\Windows\System32\config\SAM.LOG2
E:\Windows\System32\config\SYSTEM.LOG2
E:\Windows\System32\config\SOFTWARE.LOG2
E:\Windows\System32\config\SECURITY.LOG2
E:\ProgramData\Microsoft\Search\Data\Applications\Windows
E:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
E:\Users\<USERNAME>\NTUSER.DAT
E:\Users\<USERNAME>\NTUSER.DAT.LOG1
E:\Users\<USERNAME>\NTUSER.DAT.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer
As CDQR works with almost any OS, it would be helpful to have a "cross-platform" CyLR or at least a non-Windows CyLR.
Basically it could be a script that collects the files for which parsers in the [Parser Traceability Matrix](https://github.com/rough007/CDQR/blob/master/docs/Parser%20Traceability%20Matrix.xlsx) are defined.