Skip to content

TonyCrespoMe/CyLR

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

274 Commits
CyLR
CyLR
 
 
CyLRTests
CyLRTests
 
 
Icons
Icons
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
.travis.yml
.travis.yml
 
 
CyLR.sln
CyLR.sln
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

CyLR

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge

Videos and Media

  • OSDFCON 2017 Slides: Walk-through different techniques that are required to provide forensics results for Windows and *nix environments (Including CyLR and CDQR)

What is CyLR?

The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

The main features are:

  • Quick collection (it's really fast)
  • Raw file collection process does not use Windows API
  • Optimized to store the collected artifacts in memory (minimizing or removing entirely the need to write additional artifacts on the host disk)
  • Built in SFTP capability

SYNOPSIS

CyLR.exe [--help] [-od] [-of] [-u] [-p] [-s] [-c] [-zp]

DESCRIPTION

CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

The standard list of collected artifacts are:

Windows Default

  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\inf\setupapi.dev.log
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\sru
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\SAM
    • %SYSTEMROOT%\System32\config\SYSTEM
    • %SYSTEMROOT%\System32\config\SOFTWARE
    • %SYSTEMROOT%\System32\config\SECURITY
    • %SYSTEMROOT%\System32\config\SAM.LOG1
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG1
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
    • %SYSTEMROOT%\System32\config\SECURITY.LOG1
    • %SYSTEMROOT%\System32\config\SAM.LOG2
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG2
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
    • %SYSTEMROOT%\System32\config\SECURITY.LOG2
    • %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
    • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\NTUSER.DAT.LOG1
    • {user.ProfilePath}\NTUSER.DAT.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
    • {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
    • {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
    • {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\

Mac and Linux Default

  • "/var/log",
  • "/private/var/log/",
  • "/.fseventsd",
  • "/etc/hosts.allow",
  • "/etc/hosts.deny",
  • "/etc/hosts",
  • "/System/Library/StartupItems",
  • "/System/Library/LaunchAgents",
  • "/System/Library/LaunchDaemons",
  • "/Library/LaunchAgents",
  • "/Library/LaunchDaemons",
  • "/Library/StartupItems",
  • "/etc/passwd",
  • "/etc/group"
  • All plist files
  • All .bash_history files
  • All .sh_history files
  • Chrome Preference files
  • FireFox Preference Files

ARGUMENTS

OPTIONS

  • '--help' — Show help message and exit.
  • '-od' — Defines the directory that the zip archive will be created in. Defaults to current working directory. (applies to SFTP and local storage options)
  • '-of' — Defines the name of the zip archive will be created. Defaults to host machine's name.
  • '-zp' — If specified, the resulting zip file will be password protected with this password.
  • SFTP Options
    • '-u' — SFTP username
    • '-p' — SFTP password
    • '-s' — SFTP Server resolvable hostname or IP address and port. If no port is given then 22 is used by default. The format is :. Usage: -s 8.8.8.8:22"
  • '-c' — Optional argument to provide custom list of artifact files and directories (one entry per line). NOTE: Must use full path including drive letter on each line. MFT can be collected by "C:$MFT" or "D:$MFT" and so on. Usage: -c

DEPENDENCIES

in general: some kind of administrative rights on the target (root, sudo, administrator,...).

Windows

  1. NTFS file system
  2. .NET 4.5.2 or higher

Linux/macOS

mono for macOS or Linux

EXAMPLES

Standard collection CyLR.exe

Linux/macOS collection mono CyLR.exe

Collect artifacts and store data in "C:\Temp\LRData" CyLR.exe -o "C:\Temp\LRData"

Collect artifacts and store data in ".\LRData" CyLR.exe -o LRData

Collect artifacts and send data to SFTP server 8.8.8.8 CyLR.exe -u username -p password -s 8.8.8.8

Collect artifacts, send data to SFTP server 8.8.8.8, and keep all artifacts in memory CyLR.exe -u username -p password -s 8.8.8.8 -m

AUTHORS

About

CyLR - Live Response Collection Tool

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

13 tags

Packages

No packages published

Languages

  • C# 100.0%