What's New?

Fixed Collection Issues

  • Fixed an issue with the Chrome History collection on Windows endpoints
  • Fixed an issue with duplicate collections of NTUSER.DAT and UsrClass.dat

@orlikoski orlikoski released this Dec 31, 2018

What's New?

Collect UsnJrnl Added

The $UsnJrnl file is now collected by default. A new option, --no-usnjrnl, was added to skip that file during collection, because collecting that single file takes a considerable amount of time.

Thanks to @davidrudduck for finding the solution to this.


@orlikoski orlikoski released this Oct 31, 2018 · 11 commits to master since this release

What's New?

Converted to .Net Core!!

Removed the dependence on the .NET Framework (Windows) or Mono (Linux and MacOS) to execute CyLR on endpoints.

CyLR now ships as multiple downloadable versions per release, one native to each OS. These are all self-contained, portable binary packages with no external dependencies.

The following portable, self-contained applications are included in this release.

  • Windows x86
  • Windows x64
  • Linux x64
  • MacOS x64

The MacOS and Linux versions are single binary files named "CyLR", while the Windows version contains the binary file "CyLR.exe" along with multiple supporting files required to run.

NOTE ON WINDOWS VERSION

The flexibility gained by removing the .NET Framework requirement outweighs the drawback of needing multiple files. That said, the development team is actively pursuing a single-binary Windows solution, which will be added once the CoreRT project supports all the libraries used by CyLR.


@orlikoski orlikoski released this Aug 23, 2018 · 118 commits to master since this release

What's New

  • Windows Default Collection Improvements
    • SANS FOR500 recommended Windows artifacts
    • Now collects standard list of artifacts from User folders

New Default Windows Artifacts

  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\inf\setupapi.dev.log
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\sru
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\SAM
    • %SYSTEMROOT%\System32\config\SYSTEM
    • %SYSTEMROOT%\System32\config\SOFTWARE
    • %SYSTEMROOT%\System32\config\SECURITY
    • %SYSTEMROOT%\System32\config\SAM.LOG1
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG1
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
    • %SYSTEMROOT%\System32\config\SECURITY.LOG1
    • %SYSTEMROOT%\System32\config\SAM.LOG2
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG2
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
    • %SYSTEMROOT%\System32\config\SECURITY.LOG2
    • %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
    • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\NTUSER.DAT.LOG1
    • {user.ProfilePath}\NTUSER.DAT.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
    • {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
    • {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
    • {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\
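As an added illustration, not CyLR's own code, the Python below expands a constructed subset of the template list above for two constructed user profiles and then de-duplicates the result. NTUSER.DAT and UsrClass.dat appear twice in the per-user list, so without a normalisation step of this kind each is collected twice per user; the drive-root handling for an entry such as %SystemDrive%$MFT (expanding to C:$MFT) is an assumption of the example, and the environment values and profile paths are constructed, not read from a real endpoint.

```python
import ntpath
import re
# Constructed subset of the default Windows list from the release notes;
# NTUSER.DAT and UsrClass.dat appear twice, exactly as they do on the page.
SYSTEM_TEMPLATES = [
    r"%SYSTEMROOT%\System32\config\SAM",
    r"%SYSTEMROOT%\Prefetch",
    r"%SystemDrive%$MFT",
]
USER_TEMPLATES = [
    r"{user.ProfilePath}\NTUSER.DAT",
    r"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat",
    r"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent",
    r"{user.ProfilePath}\NTUSER.DAT",
    r"{user.ProfilePath}\NTUSER.DAT.LOG1",
    r"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat",
]
# Constructed values; on an endpoint these come from os.environ and the profile list.
ENV = {"SYSTEMROOT": r"C:\Windows", "SYSTEMDRIVE": "C:"}
PROFILES = [r"C:\Users\alice", r"C:\Users\bob"]
# Drive letter followed directly by a non-separator character, e.g. C:$MFT
_DRIVE_NO_SEP = re.compile(r"^([A-Za-z]:)(?=[^\\/])")

def expand_env(template, env):
    """Expand %VAR% tokens case-insensitively; an unset variable is an error."""
    def repl(m):
        key = m.group(1).upper()
        if key not in env:
            raise KeyError(f"%{m.group(1)}% is not set; cannot expand {template}")
        return env[key]
    return re.sub(r"%([^%]+)%", repl, template)

def normalize(path):
    """Canonical form: C:$MFT (what %SystemDrive%$MFT expands to) is treated as
    the drive root (assumption), then separators and '..' are normalised."""
    return ntpath.normpath(_DRIVE_NO_SEP.sub(r"\1\\", path))

def build_targets(system_templates, user_templates, profiles, env):
    """Expand per scope, then de-duplicate on a case-folded key (NTFS is case-insensitive)."""
    expanded = [expand_env(t, env) for t in system_templates]
    for profile in profiles:
        expanded += [expand_env(t.replace("{user.ProfilePath}", profile), env)
                     for t in user_templates]
    seen, targets = set(), []
    for path in map(normalize, expanded):
        if path.lower() not in seen:
            seen.add(path.lower())
            targets.append(path)
    return targets
```

With the constructed inputs the six per-user templates collapse to four targets per profile, so the duplicated hive entries are only opened once each.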

@orlikoski orlikoski released this Apr 6, 2018 · 131 commits to master since this release

What's New

  • Updated default collection items and aligned with Skadi 2018.1

@orlikoski orlikoski released this Dec 26, 2017 · 134 commits to master since this release

What's New

Improved Mac and Linux default collection list

  • Added /etc/rc.d to default collection

@orlikoski orlikoski released this Nov 27, 2017 · 142 commits to master since this release

What's New

Improved Mac and Linux default collection list

  • Added Chrome and Firefox Browser and Downloads artifacts
  • Optimized collection, which significantly reduces the time needed to collect default artifacts

Safari artifacts were already collected and did not need to be added.


@orlikoski orlikoski released this Sep 11, 2017 · 149 commits to master since this release

What's New

Significantly improved Mac and Linux default collection list to the following:

  • /var/log
  • /private/var/log/
  • /.fseventsd
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/hosts
  • /System/Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/StartupItems
  • /etc/passwd
  • /etc/group
  • All plist files
  • All .bash_history files
  • All .sh_history files

@orlikoski orlikoski released this Sep 10, 2017 · 153 commits to master since this release

  • Fixes the -zp option for passwords on zip archives.

@orlikoski orlikoski released this May 14, 2017 · 166 commits to master since this release

  • Fixed some potential issues surrounding file permissions and improved logging in some failure cases.