orlikoski / cylr
CyLR - Live Response Collection Tool
License: GNU General Public License v3.0
I'm not able to collect the UsnJrnl file for Windows systems. This artifact is located on $Extend\$UsnJrnl -> $J.
I think CyLR can't collect alternate data streams?
Thanks!
Improve the readme and maybe add a wiki
Allows for more control, especially in instances where the tool might be used as part of a script.
Timestamps are squashed at collection. Would be nice to have the original timestamps preserved.
EDIT - To be more specific, I'm talking about the timestamp of the file placed in the archive itself.
Clean up the help and documentation
PythLR doesn't fit anymore, find awesome name.
Program should return error codes on failure to be more compatible with other command line tools.
It would be nice to operate on servers that are configured to not use username authentication.
When I try to run CyLR with PsExec with no arguments, CyLR shows the following error:
Error occured while collecting files:
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
at CyD:\CyLR.exe exited on HSM25M2 with error code 1.
Thank you.
The log output shows that the NTUSER.DAT is sometimes collected two times
Making my first attempt to actually modify some code. When I run "build_win.ps1" it runs fine. Next I run package_win.ps1 and it throws an error "CyLR\deployments\win-x64\CyLR.exe : The system cannot find the file specified." Isn't that what I am trying to build?
First time with .Net. Should be a blast. Thanks in advance.
Great tool - but having issues integrating with our SFTP server (SSH on Debian)
Need to be able to tell CyLR what folder/path to upload to -- otherwise the user does not have permissions to write.....
Would be nice to have a parameter added when collecting only one file.
I know there is a configuration file (-c) in which we can specify the drive letter. My question is: if I have the image of a PC mounted as the G: drive, how do I collect the default CyLR artifacts, and for all users?
E:\$MFT
E:\$Recycle.Bin
E:\$LogFile
E:\Windows\System32\sru
E:\Windows\inf\setupapi.dev.log
E:\Windows\Appcompat\Programs
E:\Windows\System32\winevt\logs
E:\Windows\Tasks
E:\Windows\System32\Tasks
E:\Windows\Prefetch
E:\Windows\System32\config\SAM
E:\Windows\System32\config\SYSTEM
E:\Windows\System32\config\SOFTWARE
E:\Windows\System32\config\SECURITY
E:\Windows\System32\config\SAM.LOG1
E:\Windows\System32\config\SYSTEM.LOG1
E:\Windows\System32\config\SOFTWARE.LOG1
E:\Windows\System32\config\SECURITY.LOG1
E:\Windows\System32\config\SAM.LOG2
E:\Windows\System32\config\SYSTEM.LOG2
E:\Windows\System32\config\SOFTWARE.LOG2
E:\Windows\System32\config\SECURITY.LOG2
E:\ProgramData\Microsoft\Search\Data\Applications\Windows
E:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
E:\Users\<USERNAME>\NTUSER.DAT
E:\Users\<USERNAME>\NTUSER.DAT.LOG1
E:\Users\<USERNAME>\NTUSER.DAT.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer
Line 14 of CollectionPaths.cs
@"C:\Windows\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
Was probably meant to be:
@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
Like most command line programs, /? should get you a help listing (vs. -h). Maybe make it validate what is passed as options and, if something isn't right, show the help?
Anyone up for writing an S3 upload add-on? AWS has the code, https://docs.aws.amazon.com/AmazonS3/latest/dev/HLuploadFileDotNet.html. I just have no idea where to put it.
This artifact is not being collected:
%systemroot%\Users\%users%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Please investigate why the password doesn't get applied to the archive when the password flag is used.
Support things like %SYSTEMROOT% in the -c option
I mean, doesn't everyone just have one drive?
I don't find the CyLR script after pulling main git on mac... any help? Thanks
sudo ./CyLR -zp test
./CyLR: error while loading shared libraries: libcurl-gnutls.so.4: cannot open shared object file: no such file or directory
./CyLR: /lib64/libcurl-gnutls.so.4: no version information available (required by ./CyLR)
Coupled with the feature request in issue #33, this could prove to be a powerful way to say, collect any executable/office doc created in the last day. (And since you could pull the $FN filetime from the parsing of the MFT, timestomped files would be collected also?)
This would also ideally allow for recursively selecting/finding files based on the specified regular expression.
Create a module that will allow CyLR to upload resulting file to a signed URL
The current beta's unit test involves a race condition where the timestamp in the logging tests may increment between the generation of the "expected" and "actual" value.
Hi,
I have just started trying this tool out and have run into a problem. I noticed that in the zip file produced by CyLR.exe the Google Chrome History file is a directory, not the History file I expected.
I am after the whole Google Chrome Default directory, files and sub-directories, so I tried the following.
D:\tmp\fred>CyLR_win-x64\CyLR.exe -c "C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default"
Error: Could not find file: C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default
Exiting
Error occured while collecting files:
System.ArgumentException: Value does not fall within the expected range.
at CyLR.CollectionPaths.GetPaths(Arguments arguments, List`1 additionalPaths) in /home/travis/build/orlikoski/CyLR/CyLR/src/CollectionPaths.cs:line 167
at CyLR.Program.Main(String[] args) in /home/travis/build/orlikoski/CyLR/CyLR/src/Program.cs:line 57
I am using CyLR Version 2.0.0.0, running as administrator, Windows 10 Home ver 1809. The path to the Google Chrome Default directory on my computer is correct.
Any suggestions on what I have done wrong?
Thanks
Cheers, Barrie
CyLR.exe will not run and hangs forever when used with mono on a macbook from a bash shell script.
Example:
Create script.sh:
sudo mono CyLR.exe 1> /dev/null
Run script.sh
~/script.sh
To limit the size of the output archive, it would be cool to be able to exclude files that exceed a certain size, ideally by specifying a size limit, alternatively by specifying an exclude list
When using a config file to collect files within the $Recycle.Bin folder, CyLR ignores any sub-folders and their contents. This is a problem since the Windows Recycle Bin creates a sub-folder for each user under $Recycle.Bin and stores their files within the sub-folder. In multiple tests I have been unable to collect files in these sub-folders.
CyLR will collect any files directly in the $Recycle.Bin folder (these would likely be malicious as there are no legitimate reasons to see files here). I also tested collection from user-generated folders named with a preceding "$", and CyLR was able to collect files recursively from them. Perhaps an attribute issue?
Good afternoon,
I'm trying to use a custom artifacts list which is a stripped down version of the default. If the list contains any folder using the {user.ProfilePath} variable I seem to get an error:
Error occured while collecting files:
System.ArgumentException: Path '{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent' did not have a drive letter!
at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
at CyLR.read.RawFileSystem.GetFilesFromPath(String path)+MoveNext() in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 19
at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at System.Linq.Enumerable.SelectManySingleSelectorIterator`2.ToList()
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 115
at CyLR.Program.Main(String[] args) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 87
I've tried various configurations. It works fine if I don't use the {user.ProfilePath} key but always fails with it.
I need to be able to iterate through all the users existing on the Windows machine.
Any way to fix this?
Add option to collect the following:
%systemdrive%\pagefile.sys
%systemdrive%\hiberfil.sys
As CDQR works with almost any OS, it would be helpful to have a "cross-platform" CyLR or at least a non-Windows CyLR.
Basically it could be a script that collects the files for which parsers in the [Parser Traceability Matrix](https://github.com/rough007/CDQR/blob/master/docs/Parser%20Traceability%20Matrix.xlsx) are defined.
I'm using https://aws.amazon.com/sftp/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc but I cannot get CyLR to work with it.
It appears that I'm running into the same issue seen here pkg/sftp#305. Do you know if there's any way I can make it work out of the box? I may open a PR if I can figure out how to add an extra flag which will accomplish this.
Hello,
I'd like to compile the CyLR project, but I'm getting these errors. I did find the library ICSharpCode.SharpZipLib.dll within the project folders; it did not seem to help me.
Here are the errors that I'm receiving.
Severity | Code | Description | Project | File | Line | Suppression State
Error | CS0006 | Metadata file 'C:\VS2015\CyLR\CyLR-master\CyLR\bin\Debug\CyLR.exe' could not be found | CyLRTests | G:\Open_Source_DFIR-\CyLR\CyLR-master\CyLRTests\CSC | 1 | Active
Error | CS0246 | The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?) | CyLR | C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs | 10 | Active
Error | CS0246 | The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?) | CyLR | C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs | 14 | Active
Error | CS0103 | The name 'ZipArchiveMode' does not exist in the current context | CyLR | C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs | 14 | Active
Error | CS0103 | The name 'CompressionLevel' does not exist in the current context | CyLR | C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs | 19 | Active
I'm hoping that all that I'm currently missing is the ZipArchive Reference File.
Thanks for any and all help,
Take Care,
-Troy
I tried running it and got an error. On x64 win10.
C:\Users\test\Downloads>CyLR.exe
Error occured while collecting files:
System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at CyLR.read.RawFileSystem.GetSystem(String path)
at CyLR.read.RawFileSystem.c__Iterator0.MoveNext()
at System.Linq.Enumerable.d__162.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
at CyLR.Program.Main(String[] args)
I had a case we were working where we'd used CyLR to collect our artefacts, and mid-way through the case we realised a user folder was missing.
Turns out, whilst the physical folder still existed on the system, the user had been deleted from the system, resulting in the registry not listing them, which in turn resulted in CyLR not picking up that path.
To overcome that I modified the way CyLR collects the Users folder to look for all folders within the C:\Users path instead of using the registry. This of course does have the possibility of backfiring on systems that don't use C:\Users for their storage location.
    string UserPath = SystemDrive + "\\Users\\";
    string[] WinUserFolders = Directory.GetDirectories(UserPath);
    foreach (var User in WinUserFolders)
    {
        defaultPaths.Add($@"{User}\NTUSER.DAT");
        defaultPaths.Add($@"{User}\NTUSER.DAT.LOG1");
        defaultPaths.Add($@"{User}\NTUSER.DAT.LOG2");
        defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat");
        defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
        defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
        defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\Explorer");
        defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\WebCache\");
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\History");
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Cookies"); // add Chrome cookies
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"); // add Chrome Bookmarks
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Extensions"); // add Chrome extensions
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Shortcuts"); // add Chrome shortcuts
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\History");
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Cookies"); // Chrome Canary collection
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Bookmarks");
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions");
        defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Shortcuts");
        defaultPaths.Add($@"{User}\AppData\Local\ConnectedDevicesPlatform");
        defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
        defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\Recent");
        // defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\"); // is this redundant?
        defaultPaths.Add($@"{User}\AppData\Roaming\Mozilla\Firefox\Profiles");
    }
As with my $Recycle.Bin code, SystemDrive is a variable set elsewhere to "C:". This will need to be declared or replaced with suitable environment variable paths.
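The post above trades one blind spot for another: the registry misses a deleted account's leftover folder, while a plain directory walk misses profiles stored outside C:\Users (relocated profile directories, service profiles) and treats Public/Default as users. The example below is added here and is not CyLR code; it combines the two sources so that a profile is collected if it appears in either. The registry values, on-disk folder names and environment map are constructed inputs standing in for what ProfileList, Directory.GetDirectories and the live environment would return, and the artifact list is a shortened stand-in for the full set in the post.

```python
import re
from pathlib import PureWindowsPath

# Artifact paths relative to a profile folder (shortened; the post above has
# the full list CyLR collects per user).
USER_ARTIFACTS = (
    r"NTUSER.DAT",
    r"NTUSER.DAT.LOG1",
    r"NTUSER.DAT.LOG2",
    r"AppData\Local\Microsoft\Windows\UsrClass.dat",
    r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline",
    r"AppData\Roaming\Microsoft\Windows\Recent",
)

# Well-known folders under the profiles directory that are not accounts and
# never appear in ProfileList; kept out of the orphan report.
NON_USER_FOLDERS = frozenset(
    n.lower() for n in ("Public", "Default", "Default User", "All Users")
)


def expand_env(path, env):
    """Expand %VAR% tokens case-insensitively from a caller-supplied map
    (ProfileImagePath for built-in accounts uses %systemroot%)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def discover_profiles(registry_image_paths, profiles_dir, disk_folder_names, env):
    """Union of registry-known profiles and on-disk profile folders.

    registry_image_paths: ProfileImagePath values from ProfileList.
    profiles_dir: the ProfilesDirectory (e.g. C:\\Users).
    disk_folder_names: directory names found under profiles_dir.
    Returns (profiles, orphans); orphans are folders present on disk but
    absent from the registry, e.g. a deleted account's leftover profile.
    Comparison is case-insensitive because NTFS paths are.
    """
    known = {}
    for raw in registry_image_paths:
        p = expand_env(raw, env)
        known[p.lower()] = p
    orphans = []
    for name in disk_folder_names:
        if name.lower() in NON_USER_FOLDERS:
            continue
        p = str(PureWindowsPath(profiles_dir) / name)
        if p.lower() not in known:
            known[p.lower()] = p
            orphans.append(p)
    return sorted(known.values(), key=str.lower), sorted(orphans, key=str.lower)


def collection_paths(profiles, artifacts=USER_ARTIFACTS):
    """Expand every artifact template under every profile folder."""
    return [str(PureWindowsPath(p) / a) for p in profiles for a in artifacts]


# Constructed sample input: "bob" was deleted from the machine but the folder
# remains; the two service profiles live outside C:\Users.
SAMPLE_REGISTRY = [
    r"%systemroot%\system32\config\systemprofile",
    r"C:\Windows\ServiceProfiles\LocalService",
    r"C:\Users\alice",
]
SAMPLE_DISK = ["alice", "bob", "Public", "Default"]
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "SystemDrive": "C:"}

if __name__ == "__main__":
    profiles, orphans = discover_profiles(SAMPLE_REGISTRY, r"C:\Users", SAMPLE_DISK, SAMPLE_ENV)
    print("orphan profile folders (not in registry):", orphans)
    for path in collection_paths(profiles):
        print(path)
```

On a live system the registry list would come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and the folder names from a directory listing of ProfilesDirectory; reporting the orphans separately, rather than silently merging them, also flags the deleted-account situation the post describes as a finding in its own right.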
Adding more tests will help us have confidence in our releases.