
Releases: orlikoski/CyLR

CyLR 3.0

03 Feb 16:50

What's New

This version includes numerous modifications and the introduction of new
features, highlighted below:

Added

  • Logging is available, to destinations including the console, a log file, and
    embedded within the resulting archive. The log name is specified with -l
    and verbosity is adjusted with -v to increase or -q to silence.
  • Added CUSTOM_PATH_TEMPLATE.txt with documentation on how to specify custom
    paths for collection.
  • Implemented enumeration of file system contents in the same manner across
    platforms.
  • Through new FS enumeration, eliminated extra scanning/duplicate collection
    of data within symbolic link directories. Eliminated dependency on the
    find binary.
  • Enabled the use of globbing patterns within paths. This includes patterns
    such as:
    • **/*.plist
    • /home/*/.*sh_history
    • \Windows\Temp\[a-z0-9][a-z0-9][a-z0-9][a-z0-9]\*
    • **/Library/*Support/Google/Chrome/Default/History*
  • Enabled the use of regular expressions within paths. This includes full line
    and substring patterns, such as:
    • .*mawlare.*
    • ^C:\Windows\Temp\[A-Za-z0-9]{8}\.*$
    • ^C:\Windows\System32\Config\(SOFTWARE|SYSTEM|SAM|SECURITY).*$
  • Added an option to select whether a custom collection list (-c) is
    collected in addition to, or in place of, the default artifact list. The
    default remains replacement, so only the specified files are collected.
  • Modified config file to support specification of path pattern type. Can be
    one of static, glob, or regex. Format should be a tab delimited text
    file with one pattern type and path per line. A line starting with a pound
    character will be ignored.
  • Provided status messages to summarize the number of files scanned and paths
    staged for collection.
  • Increased documentation of source code.
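As an added illustration (not CyLR's own code) of the custom collection list format and the glob and regex path patterns described above, the Python below parses a tab-delimited static/glob/regex list, applies it to a constructed set of enumerated paths, and shows the near-misses that a loosely translated glob would wrongly stage. The glob semantics, case-insensitive matching and all sample entries and paths are assumptions, not CyLR's implementation.

```python
import re

# Constructed sample in the CyLR 3.0 "-c" format: "<type><TAB><path>" per line, '#' lines
# ignored. Sample entries, not CyLR defaults; the regex entry doubles its backslashes.
SAMPLE_CONFIG = "\n".join([
    "# type<TAB>path   (comment lines are ignored)",
    "static\t" + r"C:\Windows\System32\drivers\etc\hosts",
    "glob\t**/*.plist",
    "glob\t/home/*/.*sh_history",
    "glob\t" + r"C:\Windows\Temp\[a-z0-9][a-z0-9][a-z0-9][a-z0-9]\*",
    "regex\t" + r"^C:\\Windows\\System32\\Config\\(SOFTWARE|SYSTEM|SAM|SECURITY).*$",
    "regex\t.*malware.*",
])

# Constructed stand-in for the file system enumeration: hits plus deliberate near-misses.
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\System32\Config\SOFTWARE",
    r"C:\Windows\System32\Config\SAM.LOG1", r"C:\Windows\Temp\ab12\dropper.exe",
    r"C:\Windows\Temp\ab1\notes.txt",  # three chars, not four: the Temp glob must not match
    r"C:\Users\alice\Downloads\malware_sample.bin", "/var/log/system.log",
    "/Library/Preferences/com.apple.loginwindow.plist", "/home/alice/.bash_history",
    "/home/alice/projects/.bash_history",  # nested: a single '*' must not span directories
]

def parse_collection_list(text):
    """Parse the tab-delimited list into (type, path) pairs, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("\t", 1)]
        if len(parts) != 2 or parts[0].lower() not in {"static", "glob", "regex"}:
            raise ValueError(f"line {lineno}: expected '<static|glob|regex><TAB><path>'")
        entries.append((parts[0].lower(), parts[1]))
    return entries

def glob_to_regex(pattern):
    """Assumed semantics: '**' spans directories, '*'/'?' stop at a separator, [...] passes through."""
    special = {"**": ".*", "*": r"[^/\\]*", "?": r"[^/\\]"}
    def piece(m):
        tok = m.group(0)
        return special.get(tok, tok if len(tok) > 1 else re.escape(tok))
    return "^" + re.sub(r"\*\*|\*|\?|\[[^\]]*\]|.", piece, pattern) + "$"

def select_paths(config_text, candidates):
    """Return the sorted subset of enumerated paths that any config entry stages for collection."""
    to_rx = {"static": lambda p: "^" + re.escape(p) + "$", "glob": glob_to_regex, "regex": lambda p: p}
    rxs = [re.compile(to_rx[k](p), re.IGNORECASE) for k, p in parse_collection_list(config_text)]
    return sorted({p for p in candidates if any(rx.search(p) for rx in rxs)})
```

Run `select_paths(SAMPLE_CONFIG, SAMPLE_FILES)` to see that the four-character Temp directory glob and the `/home/*/` glob stay within one path component, while the regex entries match both full lines and substrings.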

Removed

  • Removed collection of Windows Search path due to large size on some systems
    (%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows).
    Please use -c to re-include as needed.

Changed

  • Edited build scripts to point to C:\Program Files\7z instead of x86 folder
  • Improved the default collection paths for Linux platforms.
  • Modified the USNJrnl collection argument to default to disabled collection.
  • Improved SFTP handling to collect to a local zip file and attempt the
    upload three times, with a 30 second delay between attempts.
  • Semantic changes to packaging and build scripts to avoid alias use.
  • Added packaging script check to see if packaging tool was local before
    re-downloading.
  • Updated argument usage information.
  • Added tests to increase coverage of Arguments.cs
  • Updated to use travis-ci.com

CyLR 2.1.0

23 Feb 03:28

What's new

  • Updated the dotnet to 2.2.104
  • Updated wrapper to 0.3.0
  • Created Single Binary for Windows-x64

CyLR 2.0.2

30 Jan 20:34

What's New?

Fixed Collection Issues

  • Fixed an issue with the Chrome History collection on Windows endpoints
  • Fixed an issue with duplicate collections of NTUSER.DAT and UsrClass.dat

CyLR 2.0.1

31 Dec 16:45
20b4ceb

What's New?

Collect UsnJrnl Added

The $UsnJrnl file is now collected by default. A new option, --no-usnjrnl, skips that file during collection. It was added because of the amount of time it takes to collect that single file.

Thanks to @davidrudduck for finding the solution to this

CyLR 2.0.0

31 Oct 17:58
c03ccd8

What's New?

Converted to .Net Core!!

Removed the dependency on the .NET Framework (Windows) or Mono (Linux and MacOS) to run CyLR on endpoints.

CyLR now consists of multiple downloadable versions, per release, that are native to each OS. These are all self contained and portable binary packages with no external dependencies.

These portable, self contained applications are included in this release.

  • Windows x86
  • Windows x64
  • Linux x64
  • MacOS x64

MacOS and Linux are single binary files named "CyLR", while the Windows version contains the binary file "CyLR.exe" along with multiple supporting files required to run.

NOTE ON WINDOWS VERSION

The flexibility provided by the removal of the .NET Framework requirement offsets the downside of the multiple files required. That said, the development team is actively pursuing a single-binary Windows solution, which will be added once the CoreRT project supports all the libraries used by CyLR.

CyLR 1.5.0

23 Aug 16:30
018aff9

What's New

  • Windows Default Collection Improvements
    • SANS FOR500 recommended Windows artifacts
    • Now collects standard list of artifacts from User folders

New Default Windows Artifacts

  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\inf\setupapi.dev.log
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\sru
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\SAM
    • %SYSTEMROOT%\System32\config\SYSTEM
    • %SYSTEMROOT%\System32\config\SOFTWARE
    • %SYSTEMROOT%\System32\config\SECURITY
    • %SYSTEMROOT%\System32\config\SAM.LOG1
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG1
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG1
    • %SYSTEMROOT%\System32\config\SECURITY.LOG1
    • %SYSTEMROOT%\System32\config\SAM.LOG2
    • %SYSTEMROOT%\System32\config\SYSTEM.LOG2
    • %SYSTEMROOT%\System32\config\SOFTWARE.LOG2
    • %SYSTEMROOT%\System32\config\SECURITY.LOG2
    • %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows
    • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent
    • {user.ProfilePath}\NTUSER.DAT
    • {user.ProfilePath}\NTUSER.DAT.LOG1
    • {user.ProfilePath}\NTUSER.DAT.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer
    • {user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\
    • {user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\
    • {user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
    • {user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
    • {user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\

CyLR 1.4.0

06 Apr 20:45
d0a617c

What's New

  • Updated default collection items and aligned with Skadi 2018.1

CyLR 1.3.6

26 Dec 18:10
7372e2a

What's New

Improved Mac and Linux default collection list

  • Added /etc/rc.d to default collection

CyLR 1.3.5

27 Nov 20:08
90ee1bf

What's New

Improved Mac and Linux default collection list

  • Added Chrome and Firefox Browser and Downloads artifacts
  • Optimized collection which significantly reduced the time needed to collect default artifacts

Safari artifacts were already collected and did not need to be added

CyLR v1.3.4

11 Sep 02:44

What's New

Significantly improved the Mac and Linux default collection list to the following:

  • /var/log
  • /private/var/log/
  • /.fseventsd
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/hosts
  • /System/Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/StartupItems
  • /etc/passwd
  • /etc/group
  • All plist files
  • All .bash_history files
  • All .sh_history files