LCDI Collector
Written by Chapin Bryce
Because the script accesses system files, launch all consoles as administrator so that Python has the privileges it needs.
This was written and tested with Python 2.7 x64 on Windows 7 x64. Please report all bugs in the issues tab at http://Github.com/lcdi/lcdic
GUI usage:

    python lcdic_gui.py

- Follow the GUI steps to begin using the tool!
Command-line usage:

    python.exe lcdic.py -h
    usage: lcdic.py [-h] [-c CONFIG] [-r RULE] C: /path/to/output list

    LCDI Collector, a script to automate targeted collections. See config.ini to
    set optional information and configurations

    positional arguments:
      C:                    Path to the root of the targeted volume
      /path/to/output       Path to the root of the output directory, will create
                            if it does not exist
      list                  Select OS. type `list` for list of supports OS's

    optional arguments:
      -h, --help            show this help message and exit
      -c CONFIG, --config CONFIG
                            Path to custom config file. Default is
                            config/config.ini
      -r RULE, --rule RULE  Yara Search Term (single string keyword) or Path to
                            custom Yara rules file. Sample located in
                            config/yara.rules

    Created by Chapin Bryce
For example:

    python lcdic.py E: \output\path [OS TYPE] -c [Config File] -r [YARA Rules]

- Where `E:` is the mounted drive to collect from
  - Can be mounted with F-Response (not tested)
  - Can be mounted with FTK Imager
  - Can be a local directory of a non-system partition
- Where `\output\path` is the path to the output
  - Can be a full or relative path
- Where `[OS TYPE]` is the OS to collect
  - To get a list of supported OS's, type `list`
Requirements:

See requirements.txt

Supported OS:

- Ubuntu (tested on 13)
- Windows 7
- Windows XP
Features:

- Copy out $MFT, $LogFile, $J (uses RawCopy)
- Grab USB-related files
- Create a file listing of collected files with the time and the hash
- Collect files based on file extensions
- Allow the collection of specific users
  - User selection
  - Document collection (see below)
- Examiner-specified extensions in config.ini
  - Documents (docx, xlsx, pdf, pptx, txt, rtf, tiff)
  - Images (png, jpg)
  - Audio (mp3, m4a, wma)
  - Video (m4v, wmv, mov)
  - Archives (zip, tar, 7z)
  - Executables (exe, bat, sh, pf)
- Compression of tar output
- Yara searching
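As an added illustration of the extension-based collection and the file listing (path, time, hash) described above, here is a Python 3 sketch that is not lcdic's own code: the extension groups are a constructed subset of the config.ini categories, the `Users/alice` sample tree is constructed, and re-hashing each copy to verify it matches the source is this example's own assumption about what a collector should do.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

EXTENSION_GROUPS = {  # constructed subset of the config.ini categories in the README
    "documents": {"docx", "xlsx", "pdf", "pptx", "txt", "rtf", "tiff"},
    "images": {"png", "jpg"}, "archives": {"zip", "tar", "7z"},
}

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()  # hash in chunks so large files need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect_by_extension(src_root, out_root, groups=EXTENSION_GROUPS):
    """Copy files whose extension is in `groups` to out_root/<group>/<relative path>
    and return sorted listing rows of (relative path, UTC mtime, sha256, group)."""
    wanted = {ext: g for g, exts in groups.items() for ext in exts}
    rows = []
    for dirpath, _, files in os.walk(src_root):
        for name in files:
            group = wanted.get(os.path.splitext(name)[1].lstrip(".").lower())
            if group is None:
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(out_root, group, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            digest = sha256_of(src)  # hash the source before copying
            shutil.copy2(src, dst)  # copy2 preserves the timestamps
            if sha256_of(dst) != digest:  # assumed check: catch a bad write
                raise RuntimeError("hash mismatch after copying %s" % src)
            mtime = datetime.fromtimestamp(os.path.getmtime(src), timezone.utc)
            rows.append((rel, mtime.isoformat(), digest, group))
    return sorted(rows)

def demo():
    """Build a constructed sample tree in a temp dir and collect from it."""
    src, out = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "Users", "alice"))
    samples = {"Users/alice/notes.txt": b"hello", "Users/alice/photo.JPG": b"\x89PNG",
               "Users/alice/app.dll": b"MZ"}  # .dll is in no group, so it is skipped
    for name, data in samples.items():
        with open(os.path.join(src, *name.split("/")), "wb") as f:
            f.write(data)
    return collect_by_extension(src, out)
```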
To Do:

- Windows 10
- Windows 8
- Windows Vista
- Windows 98
- Windows 95
- OSX 10.9
- OSX 10.8
- OSX 10.7
- OSX 10.6
- OSX 10.5
- OpenSUSE
- Debian
- OpenBSD
- CentOS
- Red Hat
- Verification & validation
- Remote connection
- Add dependencies into a libs folder for simple redistribution
- Different image sizes and compressions (benchmarks)