orlikoski / cylr Goto Github PK

I know there is configuration file -c in which we can spicify drive letter, my question is if I have the image of a PC mounted as G: drive, how do I collect the default Cylr artifacts and for all users?

The log output shows that the NTUSER.DAT is sometimes collected two times

Add option to collect the following:

%systemdrive%\pagefile.sys
%systemdrive%\hiberfil.sys

Hi,
I have just started trying this tool out and have run into a problem. I noticed in the zip file produced by the CyLR.exe The Google Chrome history file is a directory. Not the History file I expected.

I am after the whole Google Chrome Default directory, files and sub-directories, so I tried the following.

D:\tmp\fred>CyLR_win-x64\CyLR.exe -c "C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default"
Error: Could not find file: C:/Users/fred/AppData/Local/Google/Chrome/User Data/Default
Exiting
Error occured while collecting files:
System.ArgumentException: Value does not fall within the expected range.
at CyLR.CollectionPaths.GetPaths(Arguments arguments, List`1 additionalPaths) in /home/travis/build/orlikoski/CyLR/CyLR/src/CollectionPaths.cs:line 167
at CyLR.Program.Main(String[] args) in /home/travis/build/orlikoski/CyLR/CyLR/src/Program.cs:line 57

I am using CyLR Version 2.0.0.0, running as administrator, windows 10 Home ver 1809. The path to the
Google Chrome Default directory on my computer is correct.

Any suggestions on what I have done wrong?

Thanks

Cheers, Barrie

Hello,

I'd like to compile the CyLR project. But I'm getting these errors. I did find this Library ICSharpCode.SharpZipLib.dll with project folders, did not seem to help me.

Here are the errors that I'm receiving.

Severity Code Description Project File Line Suppression State
Error CS0006 Metadata file 'C:\VS2015\CyLR\CyLR-master\CyLR\bin\Debug\CyLR.exe' could not be found
CyLRTests G:\Open_Source_DFIR-\CyLR\CyLR-master\CyLRTests\CSC 1 Active

Severity Code Description Project File Line Suppression State
Error CS0246 The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?)
CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 10 Active

Severity Code Description Project File Line Suppression State
Error CS0246 The type or namespace name 'ZipArchive' could not be found (are you missing a using directive or an assembly reference?)
CyLR C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 14 Active

Severity Code Description Project File Line Suppression State
Error CS0103 The name 'ZipArchiveMode' does not exist in the current context CyLR
C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 14 Active

Severity Code Description Project File Line Suppression State
Error CS0103 The name 'CompressionLevel' does not exist in the current context CyLR
C:\VS2015\CyLR\CyLR-master\CyLR\src\archive\NativeArchive.cs 19 Active

I'm hoping that all that I'm currently missing is the ZipArchive Reference File.

Thanks for any and all help,

Take Care,

-Troy

Timestamps are squashed at collection. Would be nice to have the original timestamps preserved.

EDIT - To be more specific, I'm talking about the timestamp of the file placed in the archive itself.

Create a module that will allow CyLR to upload resulting file to a signed URL

like most command line programs /? gets you a help listing vs -h . maybe make it validate what is passed as options and if something isn't right show help?

sudo ./CyLR -zp test

./CyLR: error while loading shared libraries: libcurl-gnutls.so.4: cannot open shared object file: no such file or directory

./CyLR: /lib64/libcurl-gnutls.so.4: no version information available (required by ./CyLR)

When using a config file to collect files within the $Recycle.Bin folder, CyLR ignores any sub-folders and their contents. This is a problem since the Windows Recycle Bin creates a sub-folder for each user under $Recycle.Bin and stores their files within the sub-folder. In multiple tests I have been unable to collect files in these sub-folders.

CyLR will collect any files directly in the $Recycle.Bin folder (these would likely be malicious as there are no legitimate reasons to see files here). I also tested collection from user-generated folders named with a preceding "$", and CyLR was able to collect files recursively from them. Perhaps an attribute issue?

I had a case we were working where we'd used CyLR to collect our artefacts, and mid-way through the case we realised a user folder was missing.

Turns out, whilst the physical folder still existed on the system, the user had been deleted from the system - resulting in the registry not listing them, which in turn resulted in CyLR not picking up that path.

To overcome that I modified the way CyLR collects the Users folder to look for all folders within the C:\Users path instead of using the registry. This of course does have the possibility of backfiring on systems that dont use C:\Users for their storage location

           string UserPath = SystemDrive + "\\Users\\";
           string[] WinUserFolders = Directory.GetDirectories(UserPath);
           foreach (var User in WinUserFolders)
           {
               defaultPaths.Add($@"{User}\NTUSER.DAT");
               defaultPaths.Add($@"{User}\NTUSER.DAT.LOG1");
               defaultPaths.Add($@"{User}\NTUSER.DAT.LOG2");
               defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat");
               defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
               defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
               defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\Explorer");
               defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\WebCache\");
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\History");
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Cookies"); // add Chrome cookies
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"); // add Chrome Bookmarks
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Extensions"); // add Chrome extensions
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Shortcuts"); // add Chrome shortcuts
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\History");
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Cookies"); // Chrome Canary collection
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Bookmarks");
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions");
               defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Shortcuts");
               defaultPaths.Add($@"{User}\AppData\Local\ConnectedDevicesPlatform");
               defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
               defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\Recent");
               // defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\"); // is this redundant?
               defaultPaths.Add($@"{User}\AppData\Roaming\Mozilla\Firefox\Profiles");
           }

As with my $Recycle.Bin code, SystemDrive is a variable set elsewhere to "C:". This will need to be declared or replaced with suitable environment variable paths.

Good afternoon,

I'm trying to use a custom artifacts list which is a stripped down version of the default. If the list contains any folder using the {user.ProfilePath} variable I seem to get an error:

Error occured while collecting files:
System.ArgumentException: Path '{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent' did not have a drive letter!
   at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
   at CyLR.read.RawFileSystem.GetFilesFromPath(String path)+MoveNext() in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 19
   at System.Collections.Generic.List`1.AddEnumerable(IEnumerable`1 enumerable)
   at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
   at System.Linq.Enumerable.SelectManySingleSelectorIterator`2.ToList()
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 115
   at CyLR.Program.Main(String[] args) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\Program.cs:line 87

I've tried various configurations. It works fine if I don't use the {user.ProfilePath} key but always fails with it.

I need to be able to iterate through all the users existing on the Windows machine.

Any way to fix this?

Please investigate why the password doesn't get applied to the archive when the password flag is used.

Program should return error codes on failure to be more compatible with other command line tools.

Clean up the help and documentation

When a try to run CyLR with PSEXEC with no arguments, CyLR shows de following error:

Error occured while collecting files:
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at CyLR.read.RawFileSystem.GetSystem(String path) in C:\Users\travis\build\orlikoski\CyLR\CyLR\src\read\RawFileSystem.cs:line 65
at CyD:\CyLR.exe exited on HSM25M2 with error code 1.

Thank you.

I mean, doesn't everyone just have one drive?

Making my first attempt to actually modified some code. When I run "build_win.ps1" it runs fine. Next I run package_win.ps1 and it throws an error "CyLR\deployments\win-x64\CyLR.exe : The system cannot find the file specified." Isn't that what I am trying to build?

First time with .Net. Should be a blast. Thanks in advance.

Any one up for writing an s3 upload to add on? AWS has the code, https://docs.aws.amazon.com/AmazonS3/latest/dev/HLuploadFileDotNet.html. I just have no idea where to put it.

To limit the size of the output archive, it would be cool to be able to exclude files that exceed a certain size, ideally by specifying a size limit, alternatively by specifying an exclude list

Line 14 of CollectionPaths.cs

@"C:\Windows\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",

Was probably meant to be:

@"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",

E:$MFT
E:$Recycle.Bin
E:$LogFile
E:\Windows\System32\sru
E:\Windows\inf\setupapi.dev.log
E:\Windows\Appcompat\Programs
E:\Windows\System32\winevt\logs
E:\Windows\Tasks
E:\Windows\System32\Tasks
E:\Windows\Prefetch
E:\Windows\System32\config\SAM
E:\Windows\System32\config\SYSTEM
E:\Windows\System32\config\SOFTWARE
E:\Windows\System32\config\SECURITY
E:\Windows\System32\config\SAM.LOG1
E:\Windows\System32\config\SYSTEM.LOG1
E:\Windows\System32\config\SOFTWARE.LOG1
E:\Windows\System32\config\SECURITY.LOG1
E:\Windows\System32\config\SAM.LOG2
E:\Windows\System32\config\SYSTEM.LOG2
E:\Windows\System32\config\SOFTWARE.LOG2
E:\Windows\System32\config\SECURITY.LOG2
E:\ProgramData\Microsoft\Search\Data\Applications\Windows
E:\Users<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
E:\Users<USERNAME>\NTUSER.DAT
E:\Users<USERNAME>\NTUSER.DAT.LOG1
E:\Users<USERNAME>\NTUSER.DAT.LOG2
E:\Users<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
E:\Users<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
E:\Users<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
E:\Users<USERNAME>\AppData\Local\Microsoft\Windows\Explorer

Allows for more control, especially in instances where the tool might be used as part of a script.

CyLR.exe will not run and hangs forever when used with mono on a macbook from a bash shell script.

Example:
Create script.sh:
sudo mono CyLR.exe 1> /dev/null

Run script.sh
~/script.sh

As CDQR works with almost any OS, it would be helpful to have a "cross-plattform" CyLR or at least a Non-Windows-CyLR.
Basically it could be a script that collects the files for which parsers in [Parser Tracebility Matrix] (https://github.com/rough007/CDQR/blob/master/docs/Parser%20Traceability%20Matrix.xlsx) are defined

The current beta's unit test involves a race condition where the timestamp in the logging tests may increment between the generation of the "expected" and "actual" value.

I downloaded the lastest version, run it as admin, but needs extra libraries to run properly

This artifact is not being collected:
%systemroot%\Users%users%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

This would also ideally allow for recursively selecting/finding files based on the specified regular expression.

Support things like %SYSTEMROOT% in the -c option

Adding more tests will help us have confidence in our releases.

Great tool - but having issues integrating with our SFTP server (SSH on Debian)

Need to be able to tell CyLR what folder/path to upload to -- otherwise the user does not have permissions to write.....

I'm using https://aws.amazon.com/sftp/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc but I cannot get CyLR to work with it.

It appears that I'm running into the same issue seen here pkg/sftp#305. Do you know if there's any way I can make it work out of the box? I may open a PR if I can figure out how to add an extra flag which will accomplish this.

Coupled with the feature request in issue #33, this could prove to be a powerful way to say, collect any executable/office doc created in the last day. (And since you could pull the $FN filetime from the parsing of the MFT, timestomped files would be collected also?)

PythLR doesn't fit anymore, find awesome name.

I´m not able to collect UsnJnrl file for Windows system. This artifact is located on $Extend/$UsnJrnl -> $J.
I think CyLR can´t collect alernate data stream?¿
Thanks!

I dont find CyLR script after pulling main git on mac ... any help ? Thanks

Improve the readme and maybe add a wiki

Would be nice to have a parameter added when collecting only one file.

I tried running it and got an error. On x64 win10.

C:\Users\test\Downloads>CyLR.exe
Error occured while collecting files:
System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at CyLR.read.RawFileSystem.GetSystem(String path)
at CyLR.read.RawFileSystem.c__Iterator0.MoveNext()
at System.Linq.Enumerable.d__162.MoveNext() at System.Collections.Generic.List1..ctor(IEnumerable1 collection) at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
at CyLR.Program.Main(String[] args)

It would be nice to operate on servers that are configured to not use username authentication.