CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Please Read
Open Letter to the users of Skadi, CyLR, and CDQR
Videos and Media
- OSDFCON 2017 Slides: Walk-through different techniques that are required to provide forensics results for Windows and *nix environments (Including CyLR and CDQR)
What is CyLR
The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly and securely while minimizing impact to the host.
The main features are:
- Quick collection (it's really fast)
- Raw file collection process does not use Windows API
- Collection of key artifacts by default.
- Ability to specify custom targets for collection.
- Acquisition of special and in-use files, including alternate data streams, system files, and hidden files.
- Glob and regular expression patterns are available to specify custom targets.
- Data is collected into a zip file; the user can set the compression level, an archive password, and the file name.
- Specification of an SFTP destination for the file archive.
CyLR uses .NET Core and runs natively on Windows, Linux, and MacOS. Self-contained builds for the following platforms are included in releases for version 2.0 and higher.
- Windows x86
- Windows x64
- Linux x64
- MacOS x64
SYNOPSIS
Below is the help output of CyLR:
$ CyLR -h
CyLR Version 2.2.0.0
Usage: CyLR [Options]... [Files]...
The CyLR tool collects forensic artifacts from hosts with NTFS file systems
quickly, securely and minimizes impact to the host.
The available options are:
-od
Defines the directory that the zip archive will be created in.
Defaults to current working directory.
Usage: -od <directory path>
-of
Defines the name of the zip archive will be created. Defaults to
host machine's name.
Usage: -of <archive name>
-c
Optional argument to provide custom list of artifact files and
directories (one entry per line). NOTE: Please see
CUSTOM_PATH_TEMPLATE.txt for sample.
Usage: -c <path to config file>
-d
Same as '-c' but will collect default paths included in CyLR in
addition to those specified in the provided config file.
Usage: -d <path to config file>
-u
SFTP username
Usage: -u <sftp-username>
-p
SFTP password
Usage: -p <password>
-s
SFTP Server resolvable hostname or IP address and port. If no port
is given then 22 is used by default. Format is <server name>:<port>
Usage: -s <ip>:<port>
-os
Defines the output directory on the SFTP server, as it may be a
different location than the ZIP generate on disk. Can be full or
relative path.
Usage: -os <directory path>
-zp
If specified, the resulting zip file will be password protected
with this password.
Usage: -zp <password>
-zl
Uses a number between 1-9 to change the compression level
of the archive file. Defaults to 3
Usage: -zl <0-9>
--no-sftpcleanup
Disables the removal of the .zip file used for collection after
uploading to the SFTP server. Only applies if SFTP option is enabled.
Usage: --no-sftpcleanup
--dry-run
Collect artifacts to a virtual zip archive, but does not send
or write to disk.
--force-native
Uses the native file system instead of a raw NTFS read. Unix-like
environments always use this option.
--usnjrnl
Enables collecting $UsnJrnl
-l
Sets the file path to write log messages to. Defaults to ./CyLR.log
Usage: -l CyLR_run.log
-q
Disables logging to the console and file.
Usage: -q
-v
Increases verbosity of the console log. By default the console
only shows information or greater events and the file log shows
all entries. Disabled when `-q` is used.
Usage: -v
Default Collection Paths
CyLR collects forensic artifacts from hosts with NTFS file systems quickly and securely while minimizing impact to the host. All collection paths are case-insensitive.
Note: See CollectionPaths.cs for a full list of default files collected and for the underlying patterns used for collection. You can easily extend this list through the use of patterns as shown in CUSTOM_PATH_TEMPLATE.txt or by opening a pull request.
The standard list of collected artifacts is as follows.
Windows
System Root (i.e. C:\Windows):
%SYSTEMROOT%\Tasks\**
%SYSTEMROOT%\Prefetch\**
%SYSTEMROOT%\System32\sru\**
%SYSTEMROOT%\System32\winevt\Logs\**
%SYSTEMROOT%\System32\Tasks\**
%SYSTEMROOT%\System32\Logfiles\W3SVC1\**
%SYSTEMROOT%\Appcompat\Programs\**
%SYSTEMROOT%\SchedLgU.txt
%SYSTEMROOT%\inf\setupapi.dev.log
%SYSTEMROOT%\System32\drivers\etc\hosts
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\System32\config\SOFTWARE
%SYSTEMROOT%\System32\config\SECURITY
%SYSTEMROOT%\System32\config\SOFTWARE
%SYSTEMROOT%\System32\config\SAM.LOG1
%SYSTEMROOT%\System32\config\SOFTWARE.LOG1
%SYSTEMROOT%\System32\config\SECURITY.LOG1
%SYSTEMROOT%\System32\config\SOFTWARE.LOG1
%SYSTEMROOT%\System32\config\SAM.LOG2
%SYSTEMROOT%\System32\config\SOFTWARE.LOG2
%SYSTEMROOT%\System32\config\SECURITY.LOG2
%SYSTEMROOT%\System32\config\SOFTWARE.LOG2
Program Data (i.e. C:\ProgramData):
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\**
Drive Root (i.e. C:\):
%SYSTEMDRIVE%\$Recycle.Bin\**\$I*
%SYSTEMDRIVE%\$Recycle.Bin\$I*
%SYSTEMDRIVE%\$LogFile
%SYSTEMDRIVE%\$MFT
User Profiles (i.e. C:\Users\*):
C:\Users\*\NTUser.DAT
C:\Users\*\NTUser.DAT.LOG1
C:\Users\*\NTUser.DAT.LOG2
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\**
C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\**
C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\**
C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\**
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
C:\Users\*\AppData\Local\ConnectedDevicesPlatform\**
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History\**
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History\**
macOS
Note: Modern macOS systems prompt the user to approve, on a per-application basis, access to sensitive locations on the system. This can be overridden by modifying the System Preferences to give the CyLR binary and its parent process (such as Terminal) full disk access.
System paths:
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts
/etc/passwd
/etc/group
/etc/rc.d/**
/var/log/**
/private/etc/rc.d/**
/private/etc/hosts.allow
/private/etc/hosts.deny
/private/etc/hosts
/private/etc/passwd
/private/etc/group
/private/var/log/**
/System/Library/StartupItems/**
/System/Library/LaunchAgents/**
/System/Library/LaunchDaemons/**
/Library/StartupItems/**
/Library/LaunchAgents/**
/Library/LaunchDaemons/**
/.fseventsd/**
Libraries paths:
**/Library/*Support/Google/Chrome/Default/*
**/Library/*Support/Google/Chrome/Default/History*
**/Library/*Support/Google/Chrome/Default/Cookies*
**/Library/*Support/Google/Chrome/Default/Bookmarks*
**/Library/*Support/Google/Chrome/Default/Extensions/**
**/Library/*Support/Google/Chrome/Default/Extensions/Last*
**/Library/*Support/Google/Chrome/Default/Extensions/Shortcuts*
**/Library/*Support/Google/Chrome/Default/Extensions/Top*
**/Library/*Support/Google/Chrome/Default/Extensions/Visited*
User paths:
/root/.*history
/Users/*/.*history
Other Paths:
**/places.sqlite*
**/downloads.sqlite*
Linux
System Paths:
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts
/etc/passwd
/etc/group
/etc/crontab
/etc/cron.allow
/etc/cron.deny
/etc/anacrontab
/etc/apt/sources.list
/etc/apt/trusted.gpg
/etc/apt/trustdb.gpg
/etc/resolv.conf
/etc/fstab
/etc/issues
/etc/issues.net
/etc/insserv.conf
/etc/localtime
/etc/timezone
/etc/pam.conf
/etc/rsyslog.conf
/etc/xinetd.conf
/etc/netgroup
/etc/nsswitch.conf
/etc/ntp.conf
/etc/yum.conf
/etc/chrony.conf
/etc/chrony
/etc/sudoers
/etc/logrotate.conf
/etc/environment
/etc/hostname
/etc/host.conf
/etc/fstab
/etc/machine-id
/etc/screen-rc
/etc/rc.d/**
/etc/cron.daily/**
/etc/cron.hourly/**
/etc/cron.weekly/**
/etc/cron.monthly/**
/etc/modprobe.d/**
/etc/modprobe-load.d/**
/etc/*-release
/etc/pam.d/**
/etc/rsyslog.d/**
/etc/yum.repos.d/**
/etc/init.d/**
/etc/systemd.d/**
/etc/default/**
/var/log/**
/var/spool/at/**
/var/spool/cron/**
/var/spool/anacron/cron.daily
/var/spool/anacron/cron.hourly
/var/spool/anacron/cron.weekly
/var/spool/anacron/cron.monthly
/boot/grub/grub.cfg
/boot/grub2/grub.cfg
/sys/firmware/acpi/tables/DSDT
User paths:
/root/.*history
/root/.*rc
/root/.*_logout
/root/.ssh/config
/root/.ssh/known_hosts
/root/.ssh/authorized_keys
/root/.selected_editor
/root/.viminfo
/root/.lesshist
/root/.profile
/root/.selected_editor
/home/*/.*history
/home/*/.ssh/known_hosts
/home/*/.ssh/config
/home/*/.ssh/autorized_keys
/home/*/.viminfo
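The default lists above and the custom targets given to `-c`/`-d` use the same `%VAR%`, `*` and `**` glob conventions, matched case-insensitively. The following is an added example, not CyLR's own code: a small pre-flight checker that runs a custom target list against a constructed file listing so an analyst can see which files each pattern would select and which patterns select nothing (a typo, or a path absent from that host) before running a collection. The glob semantics here are an approximation; the authoritative matching lives in CollectionPaths.cs.

```python
import re
# Constructed file listing standing in for a Windows host (not from a real system).
SAMPLE_FILES = [
    r"C:\Windows\Prefetch\CMD.EXE-4A81B364.pf",
    r"C:\Windows\System32\config\SAM",
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1001\$IABC123.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1001\$RABC123.txt",
]
# Environment values assumed for the walk-through; on a live host they come from the OS.
ENV = {"SYSTEMROOT": r"C:\Windows", "SYSTEMDRIVE": "C:", "PROGRAMDATA": r"C:\ProgramData"}

def expand_env(pattern, env=ENV):
    """Substitute %VAR% tokens in the style of the README's default path list."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)

def glob_to_regex(pattern):
    """Glob to case-insensitive regex: '**' spans any number of path components, '*'
    stays inside one. Assumption: approximates, not reproduces, CollectionPaths.cs."""
    pattern = expand_env(pattern).replace("/", "\\")
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def collect_matches(config_text, files=SAMPLE_FILES):
    """Map each line of a '-c' style config (one target per line, blanks skipped)
    to the files it would select from the listing."""
    result = {}
    for line in config_text.splitlines():
        target = line.strip()
        if target:
            result[target] = [f for f in files if glob_to_regex(target).match(f)]
    return result

def unmatched_targets(config_text, files=SAMPLE_FILES):
    """Targets selecting nothing: likely typos or paths absent from this host."""
    return [t for t, hits in collect_matches(config_text, files).items() if not hits]
```

Feed it the contents of your config file and a directory listing from a representative host; an empty hit list for a target is the thing to investigate before deploying the list fleet-wide.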