Comments (15)
That's the most sad code I've had to write in a long while, but it works now.
from cylr.
Just a thought on a possible way to tackle this:
Use PowerForensics.Ntfs.FileRecord from github.com/Invoke-IR/PowerForensics (or something similar for rapidly parsing the MFT) to get a list of file entries, and then process the list against the file collection list.
from cylr.
Do you mean running PowerForensics as a separate tool and then piping the output of that into CyLR? That sounds like a good approach.
I am not against the idea of adding something like a regex search to the tool, but I feel like that opens the door to a ton of complexity and is probably best solved by a specialist tool that focuses on complex searching, and then piping that into CyLR for extraction.
Perhaps the best approach here is to ensure that CyLR is highly compatible with other tools. Supporting PowerShell and *nix "pipe" operations seems like a good thing to have that we don't currently do.
from cylr.
The more I think about it, the more I agree with you. Implementing robust regular expression support may be outside of the scope of the project, and one of the things I appreciate about the tool is its simplicity and the fact that it is extremely quick. The more functionality you add, the more time it takes to process.
What I currently do is dynamically build a collections list in PowerShell, write it to a file, and pass it to CyLR. This approach works well.
from cylr.
Does #36 get closer to what you'd like to have?
from cylr.
That should work for the use case of collecting a single file.
from cylr.
#31 actually addresses that. Once both of those PRs go through, CyLR will support
CyLR.exe C:\SomeFile.txt
and #36 will let you do
Get-ChildItem | Select-Object -ExpandProperty Name | CyLR.exe
which would let you collect all files in the current directory.
from cylr.
So, to do a full regex search:
Get-ChildItem -recurse | Select-Object -ExpandProperty Name | sls ".log" | CyLR.exe
This would grab any ".log" files underneath the current directory.
from cylr.
The Unix equivalent being (when I finally manage to get mkbundle to work properly):
ls -R | grep \.log | CyLR
from cylr.
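An added example (not code from the CyLR project or from anyone in this thread) of building the collection list in PowerShell as described above, filtering on the full path rather than the bare name so nested files resolve when the list is fed to CyLR; it assumes CyLR.exe is on PATH and reads one path per line from stdin as the #36 pipe mode does, and the root, pattern and output file are constructed values.

```powershell
# Added example, not CyLR project code. Enumerates files under a root,
# keeps those whose full path matches a regex, and optionally writes the
# list to a file that can be handed to CyLR.
function New-CollectionList {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Pattern,   # regex applied to the full path
        [string] $OutFile                           # optional: write list here
    )
    # -File skips directories, -Force includes hidden/system artefacts, and
    # SilentlyContinue keeps the listing going past access-denied folders.
    $paths = @(
        Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName |     # full paths, not bare names
            Where-Object { $_ -match $Pattern }
    )

    if ($OutFile) {
        # One path per line, UTF-8 without BOM, so a plain line reader can consume it.
        [System.IO.File]::WriteAllLines($OutFile, [string[]]$paths)
    }
    return $paths
}

# Anchor the extension so "foo.logx" and a "C:\log\..." directory do not match.
# Root, pattern and output path below are constructed sample values.
$logs = New-CollectionList -Root 'C:\inetpub\logs' -Pattern '\.log$' -OutFile 'C:\temp\collect.txt'

# Or skip the file and pipe straight into CyLR.exe (the stdin mode from #36):
# $logs | CyLR.exe
```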
Ahh yes, I actually just downloaded your fork and tried it. That works very well. The only concern I see with it though is that it appears "Console.IsInputRedirected" only exists in .NET 4.5 and up. Any way to make it compatible with .NET 4.0 as well?
from cylr.
Possibly solved with this code snippet from SO? Includes a cross-platform snippet for using with Mono as well.
http://stackoverflow.com/questions/3453220/how-to-detect-if-console-in-stdin-has-been-redirected
from cylr.
Oh, good catch. We're trying to target mono, which makes that a touch more difficult. I'll see what I can do.
from cylr.
Not at all related to this issue but Happy New Year, and really appreciate this project and your efforts.
from cylr.
Thanks! It's been a fun project to work on.
from cylr.
I'm going to close this issue for now. I'm still open to discussion on this point, but at the moment I think searching for artefacts is best handled by other, better tools, and if it isn't, let's write those tools!
from cylr.