As many long-time readers of this blog know, one of my goals has been to put together a Live Response tool collection that helps IT professionals, incident responders, Geek Squad employees and others quickly perform volatile data collection in an automated fashion. Today's post is a short walk-through of how to perform that collection from start to finish on a Windows system.
The first step is to make sure you have downloaded the latest copy of the Live Response zip file. I updated the zip file today (2 April 2014) with PEStudio 8.17 (http://www.winitor.com/) so that some malware information gathering can be done on-site if needed. (Marc has put a ton of work into his tool, and if you perform any type of malware analysis and are not using it, you should add it to your toolset immediately!)
LiveResponseCollection-Cedarpelta.zip — download here
MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019
Once you have downloaded the zip file, extract it either to the system you want to collect from or (my preference) to an external USB device. Then navigate to the Windows_Live_Response folder. Inside it you will see a number of folders containing the tools we are going to leverage, as well as the file «Windows_Live_Response.bat».
[Screenshot: contents of the Windows_Live_Response folder]
You have two options here. You can double-click the batch script, which runs it with «normal» privileges (on Windows Vista and newer this means not as an Administrator; on XP it runs with administrator privileges). Or you can right-click the batch script and choose «Run as Administrator».
[Screenshot: choosing to run the script with Admin privileges on a Windows 8 Pro device]
If the script runs with elevated privileges, a memory dump is automatically created with the Belkasoft RAM Capturer tool, the Prefetch files are copied, LastActivityView runs, netstat -anb runs, and an nmap scan of your default gateway runs. If the script is not elevated, those items are skipped (the script checks whether it has elevated privileges before running them).
The script automatically creates a folder inside the «Windows_Live_Collection» folder named with the computer name and the time the collection occurred. This helps establish baseline activity, and it keeps runs separate if you run the script multiple times on the same system.
[Screenshot: the automatically created folder is named with the computer name and date]
Once the script is complete, you are prompted to press any key to continue.
[Screenshot: waiting to continue]
This helps ensure the script has actually completed, rather than the window closing before everything is displayed and the drive being unplugged in the middle of a collection. The files are saved in the following folder structure:
[Screenshot: folder structure of a Windows Live Response collection]
«ForensicImages» — This folder contains the memory dump (if one was made), which is stored in the «Memory» sub-folder, and a «DiskImage» folder for storing a disk image if you so desire.
[Screenshot: contents of the «ForensicImages» folder]
«LiveResponseData» — This folder stores the output of the tools and script, under the sub-folders:
- «BasicInfo» — Information about the system
- «NetworkInfo» — Information about the network
- «PersistenceMechanisms» — Things that are set to run on the system (possible hiding locations of some malware)
- «Prefetch» — Prefetch information (for more on this, please read my earlier blog post on Prefetch)
- «UserInfo» — Information about the user(s)
[Screenshot: contents of the «LiveResponseData» folder]
Lastly, there is a file named «Processing_Details_and_Hashes.txt». It lists the MD5 and SHA256 hashes of each file in LiveResponseData as well as of the entire memory capture (if one was created), so you can show later that nothing in the collection changed after it left the system. The script saves most of the results as text files, so you can import them into whatever tool you prefer to view the results; you can also simply open them in Notepad. The analysis methodology is entirely up to you.
[Screenshot: partial list of hashes in the «Processing_Details_and_Hashes.txt» file created by the Windows Live Response collection]
Hopefully this small walk-through helps guide you through the steps I take to leverage the Live Response tools on engagements. If while using the tool you notice something amiss or would like a feature added, please let me know. I don't want to include anything a user has to pay for, so please make sure any tool you suggest is completely free. If it is a commercially available tool, perhaps we can come up with a way to produce something similar with a built-in command or another freely available solution.
Kamil Kamaletdinov, junior incident response expert at the Angara SOC Cyber Resilience Center, has prepared an overview of the most useful triage utilities. The article covers practical tools and ends with a short poll for you.
Unlike penetration testing and bug hunting, which are better known in the market, this article describes the tools digital forensic investigators work with. Forensics is a fairly new area of incident investigation, but already in demand, since companies increasingly ask for investigations and incident prevention. A few figures for Q1 2023 illustrate the growth of various types of computer attacks (more details here).
The foundation of digital forensics is working with data collected from the endpoint on which the events of interest occurred, in order to establish, as far as currently possible, the circumstances of the cyberattack and what its consequences ultimately were.
Rapid technological development means the amount of data on our devices keeps growing, as confirmed by research from scientists at Aston University, who study the problem of optimising data storage in the face of that growth. This trend also affects cybersecurity, because the volume and quality of data collected from endpoints determine the scale and complexity of our work.
This is exactly why forensic triage tools were developed: taking a full copy of a device takes a long time, whereas a triage collection takes roughly 5 to 30 minutes (depending on the device and the amount of data on it) and contains enough data to investigate an incident.
When choosing triage tools, I formulated the following criteria:
- the tool must run on different operating systems (Windows, Linux, macOS)
- the tool does not require a full installation on the endpoint
- the tool is easy to store and carry to endpoints and does not take much space
- the tool can be configured and modified
- there is developer support and the tool is popular among practitioners.
So, by these criteria I chose the following tools:
- Cedarpelta
- Velociraptor
- UAC
- Cat-Scale
All of these tools were selected for Windows, Linux and macOS systems.
Cedarpelta from BriMor Labs
The Cedarpelta tool from BriMor Labs is widely known among digital forensics and incident response specialists because it:
- runs on all the major OSes (Windows/Linux/macOS)
- works reliably (an error during launch or operation is a rare occurrence)
- has a clear graphical interface
- can be modified if you really want to (it is built on .bat scripts and standalone utilities)
- collects "the essentials" out of the box.
Cedarpelta often appears in various incident response manuals and well-known books; instructions and video tutorials are not hard to find, and the tool itself is intuitive.
Let's take a closer look at Cedarpelta:
I think the collection options and the differences between them are described clearly enough in the program's graphical interface.
To start, click the button: Run Selected Windows Live Response
What does it collect, and what does the result look like?
[Screenshots: collection results on Windows, Linux and macOS]
Note right away that, regardless of the system it was collected from, the triage has an intuitive file structure and every collected artifact has an informative name, which speeds up analysis of the collected data.
How to run Cedarpelta?
Windows: started via the .exe executable or from cmd
Linux: started from the terminal with the corresponding Linux triage shell script (the article repeats the macOS script name, ./Triage_Mac_Live_Response.sh, here)
macOS: started from the terminal with: ./Triage_Mac_Live_Response.sh
Downsides:
- A small number of collected artifacts
- Adding new tools to Cedarpelta is possible, but takes more time
- No way to select individual artifacts for collection
- Runs somewhat slower than the other utilities (it computes a lot of hashes).
Velociraptor from Velocidex
This tool is not as widely known in the infosec community as Cedarpelta, and in my opinion that is a major omission.
Velociraptor is a very flexible solution: it works both in a client-server model and as an offline collector, but more on that a little later.
It is a cross-platform tool that lets you configure the tool itself and also build your own tools on top of Velociraptor, for example to pull a particular file out of a system, check it against VirusTotal, or compute hashes for particular files; and these are only a few of the utility's capabilities.
Velocidex has built a whole community for practitioners, where you can get help with any question about modifying and operating the tool.
The essence of Velociraptor is its purpose-built query language VQL (Velociraptor Query Language), with which you can write your own queries and custom tools.
The utility has a large number of features and configurations, so we will describe them in a follow-up article. Here we show how to start Velociraptor and create an offline collector for our purposes.
Starting the utility:
First download the executable that runs the Velociraptor server, then start the tool from the Windows command line with: velociraptor-v0.6.9-windows-386.exe gui
(The gui command is the simplified, self-contained way to start it.)
After running this command, the Velociraptor server's web interface appears in a browser window:
Next, go to the Server section and click Build offline collector:
We see the list of artifacts available for collection; now let's build a simple collector from what ships out of the box:
Select Windows.KapeFiles.Targets and tick the parameter we want to collect artifacts by; Basic Collection is the one most commonly used for this:
Click the wrench icon to open the artifact's configuration menu:
Here we can set and choose specific settings for the artifact. In this case the Basic Collection option is applied to Windows.KapeFiles.Targets, and it defines exactly what is collected from the system into our triage.
List of artifacts collected by Basic Collection:
Select the parameters you need:
Click Launch and wait for the collector executable to be built:
Download the collector and run it; this window appears when the collector is ready:
Run it from the Windows command line as well and wait for the triage collection to finish:
So what did we manage to collect? Here we show the results from the custom collector
[Screenshots: Velociraptor collection results on Windows and on Linux/macOS]
The overall triage structure is similar across all OSes and essentially copies the data while keeping their original location in the system, in a form convenient for loading into Velociraptor for later analysis. Unfortunately, you cannot properly define your own structure for the collected data; the developer designed it that way so the utility works correctly.
Downsides:
- Inconvenient structure of the collected data
- Limitations on older OSes: the offline collector may fail to start.
- The triage is usually large and needs a lot of space (depending on how you built the offline collector)
- If the system is malfunctioning or has a damaged hard drive, the archive the triage is written to may turn out corrupted during collection (very rarely).
UAC (Linux and macOS)
A simpler utility for collecting triage, particularly from Linux and macOS systems, but nonetheless quite useful and convenient to use. UAC is maintained by its developer and supports any UNIX-like operating system (from the developer's GitHub).
How to run UAC?
Linux/macOS:
Collect all artifacts and save them to /tmp: ./uac -p full /tmp
There are also alternative ways to run it, provided by the developer for different scenarios of collecting the data we need. The utility can be modified, including adding your own tools to UAC; the author provides a wiki with all the instructions: https://tclahr.github.io/uac-docs/.
[Screenshots: UAC collection results on macOS and on Linux]
Downsides:
- No Windows version
- A small number of artifacts collected out of the box
Cat-Scale from WithSecure Labs (Linux, macOS)
The next tool we will look at is Cat-Scale. It is very convenient to use and runs on all the major UNIX-like systems.
In general, the following is known about this tool:
- written in bash and uses built-in system tools to gather the information we need from the system
- maintained by the developer and can be modified
- very easy to operate and somewhat similar to UAC
More details about Cat-Scale and what it collects can be found at: https://labs.f-secure.com/tools/cat-scale-linux-incident-response-collection/
How to run Cat-Scale:
Linux: ./Cat-Scale.sh
macOS: ./Cat-Scale.sh
What did Cat-Scale manage to collect?
[Screenshot: Cat-Scale collection results on Linux/macOS]
Overall, the structure of the Linux and macOS collections is similar and practically identical. The only downsides of this utility are the absence of a Windows version and a relatively small choice of collected artifacts.
Overall, the choice of utilities for collecting forensic data is wide and not limited to the tools described here. But the capabilities of these four, Cedarpelta, Velociraptor, UAC and Cat-Scale, cover most of the basic tasks in our cyber incident investigation practice. We invite you to take a short poll on triage tools; we would like to hear your opinion.
CyLR
CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Please Read
Open Letter to the users of Skadi, CyLR, and CDQR
Videos and Media
- OSDFCON 2017 slides: Walk-through of different techniques that are required to provide forensics results for Windows and *nix environments (including CyLR and CDQR)
What is CyLR
The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and with minimal impact to the host.
The main features are:
- Quick collection (it's really fast)
- Raw file collection process does not use the Windows API
- Collection of key artifacts by default
- Ability to specify custom targets for collection
- Acquisition of special and in-use files, including alternate data streams, system files, and hidden files
- Glob and regular expression patterns are available to specify custom targets
- Data is collected into a zip file, allowing the user to set the compression level, an archive password, and the file name
- Specification of an SFTP destination for the file archive
CyLR uses .NET Core and runs natively on Windows, Linux, and MacOS. Self
contained applications for the following are included in releases for
version 2.0 and higher.
- Windows x86
- Windows x64
- Linux x64
- MacOS x64
SYNOPSIS
Below is the output of CyLR:
$ CyLR -h
CyLR Version 2.2.0.0
Usage: CyLR [Options]... [Files]...
The CyLR tool collects forensic artifacts from hosts with NTFS file systems
quickly, securely and minimizes impact to the host.
The available options are:
-od
Defines the directory that the zip archive will be created in.
Defaults to current working directory.
Usage: -od <directory path>
-of
Defines the name of the zip archive will be created. Defaults to
host machine's name.
Usage: -of <archive name>
-c
Optional argument to provide custom list of artifact files and
directories (one entry per line). NOTE: Please see
CUSTOM_PATH_TEMPLATE.txt for sample.
Usage: -c <path to config file>
-d
Same as '-c' but will collect default paths included in CyLR in
addition to those specified in the provided config file.
Usage: -d <path to config file>
-u
SFTP username
Usage: -u <sftp-username>
-p
SFTP password
Usage: -p <password>
-s
SFTP Server resolvable hostname or IP address and port. If no port
is given then 22 is used by default. Format is <server name>:<port>
Usage: -s <ip>:<port>
-os
Defines the output directory on the SFTP server, as it may be a
different location than the ZIP generate on disk. Can be full or
relative path.
Usage: -os <directory path>
-zp
If specified, the resulting zip file will be password protected
with this password.
Usage: -zp <password>
-zl
Uses a number between 1-9 to change the compression level
of the archive file. Defaults to 3
Usage: -zl <0-9>
--no-sftpcleanup
Disables the removal of the .zip file used for collection after
uploading to the SFTP server. Only applies if SFTP option is enabled.
Usage: --no-sftpcleanup
--dry-run
Collect artifacts to a virtual zip archive, but does not send
or write to disk.
--force-native
Uses the native file system instead of a raw NTFS read. Unix-like
environments always use this option.
--usnjrnl
Enables collecting $UsnJrnl
-l
Sets the file path to write log messages to. Defaults to ./CyLR.log
Usage: -l CyLR_run.log
-q
Disables logging to the console and file.
Usage: -q
-v
Increases verbosity of the console log. By default the console
only shows information or greater events and the file log shows
all entries. Disabled when `-q` is used.
Usage: -v
Default Collection Paths
CyLR tool collects forensic artifacts from hosts with NTFS file systems
quickly, securely and minimizes impact to the host. All collection paths are
case-insensitive.
Note: See CollectionPaths.cs for a full list of default files collected and
for the underlying patterns used for collection. You can easily extend this list
through the use of patterns as shown in CUSTOM_PATH_TEMPLATE.txt or by opening
a pull request.
The standard list of collected artifacts are as follows.
Windows
System Root (i.e. C:\Windows):
%SYSTEMROOT%\Tasks\**
%SYSTEMROOT%\Prefetch\**
%SYSTEMROOT%\System32\sru\**
%SYSTEMROOT%\System32\winevt\Logs\**
%SYSTEMROOT%\System32\Tasks\**
%SYSTEMROOT%\System32\Logfiles\W3SVC1\**
%SYSTEMROOT%\Appcompat\Programs\**
%SYSTEMROOT%\SchedLgU.txt
%SYSTEMROOT%\inf\setupapi.dev.log
%SYSTEMROOT%\System32\drivers\etc\hosts
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\System32\config\SOFTWARE
%SYSTEMROOT%\System32\config\SECURITY
%SYSTEMROOT%\System32\config\SAM.LOG1
%SYSTEMROOT%\System32\config\SOFTWARE.LOG1
%SYSTEMROOT%\System32\config\SECURITY.LOG1
%SYSTEMROOT%\System32\config\SAM.LOG2
%SYSTEMROOT%\System32\config\SOFTWARE.LOG2
%SYSTEMROOT%\System32\config\SECURITY.LOG2
Program Data (i.e. C:\ProgramData):
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\**
Drive Root (i.e. C:\):
%SYSTEMDRIVE%\$Recycle.Bin\**\$I*
%SYSTEMDRIVE%\$Recycle.Bin\$I*
%SYSTEMDRIVE%\$LogFile
%SYSTEMDRIVE%\$MFT
User Profiles (i.e. C:\Users\*):
C:\Users\*\NTUser.DAT
C:\Users\*\NTUser.DAT.LOG1
C:\Users\*\NTUser.DAT.LOG2
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\**
C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\**
C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\**
C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\**
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
C:\Users\*\AppData\Local\ConnectedDevicesPlatform\**
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History\**
C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History\**
macOS
Note: Modern macOS systems have functionality that will prompt the user to
approve on a per-application basis, access to sensitive locations on a system.
This can be overridden through modifying the System Preferences to give the CyLR
binary and it’s parent process (such as Terminal) full disk access.
System paths:
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts
/etc/passwd
/etc/group
/etc/rc.d/**
/var/log/**
/private/etc/rc.d/**
/private/etc/hosts.allow
/private/etc/hosts.deny
/private/etc/hosts
/private/etc/passwd
/private/etc/group
/private/var/log/**
/System/Library/StartupItems/**
/System/Library/LaunchAgents/**
/System/Library/LaunchDaemons/**
/Library/StartupItems/**
/Library/LaunchAgents/**
/Library/LaunchDaemons/**
/.fseventsd/**
Libraries paths:
**/Library/*Support/Google/Chrome/Default/*
**/Library/*Support/Google/Chrome/Default/History*
**/Library/*Support/Google/Chrome/Default/Cookies*
**/Library/*Support/Google/Chrome/Default/Bookmarks*
**/Library/*Support/Google/Chrome/Default/Extensions/**
**/Library/*Support/Google/Chrome/Default/Extensions/Last*
**/Library/*Support/Google/Chrome/Default/Extensions/Shortcuts*
**/Library/*Support/Google/Chrome/Default/Extensions/Top*
**/Library/*Support/Google/Chrome/Default/Extensions/Visited*
User paths:
/root/.*history
/Users/*/.*history
Other Paths:
**/places.sqlite*
**/downloads.sqlite*
Linux
System Paths:
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts
/etc/passwd
/etc/group
/etc/crontab
/etc/cron.allow
/etc/cron.deny
/etc/anacrontab
/etc/apt/sources.list
/etc/apt/trusted.gpg
/etc/apt/trustdb.gpg
/etc/resolv.conf
/etc/fstab
/etc/issues
/etc/issues.net
/etc/insserv.conf
/etc/localtime
/etc/timezone
/etc/pam.conf
/etc/rsyslog.conf
/etc/xinetd.conf
/etc/netgroup
/etc/nsswitch.conf
/etc/ntp.conf
/etc/yum.conf
/etc/chrony.conf
/etc/chrony
/etc/sudoers
/etc/logrotate.conf
/etc/environment
/etc/hostname
/etc/host.conf
/etc/machine-id
/etc/screen-rc
/etc/rc.d/**
/etc/cron.daily/**
/etc/cron.hourly/**
/etc/cron.weekly/**
/etc/cron.monthly/**
/etc/modprobe.d/**
/etc/modprobe-load.d/**
/etc/*-release
/etc/pam.d/**
/etc/rsyslog.d/**
/etc/yum.repos.d/**
/etc/init.d/**
/etc/systemd.d/**
/etc/default/**
/var/log/**
/var/spool/at/**
/var/spool/cron/**
/var/spool/anacron/cron.daily
/var/spool/anacron/cron.hourly
/var/spool/anacron/cron.weekly
/var/spool/anacron/cron.monthly
/boot/grub/grub.cfg
/boot/grub2/grub.cfg
/sys/firmware/acpi/tables/DSDT
User paths:
/root/.*history
/root/.*rc
/root/.*_logout
/root/.ssh/config
/root/.ssh/known_hosts
/root/.ssh/authorized_keys
/root/.selected_editor
/root/.viminfo
/root/.lesshist
/root/.profile
/home/*/.*history
/home/*/.ssh/known_hosts
/home/*/.ssh/config
/home/*/.ssh/autorized_keys
/home/*/.viminfo
/home/*/.profile
/home/*/.*rc
/home/*/.*_logout
/home/*/.selected_editor
/home/*/.wget-hsts
/home/*/.gitconfig
/home/*/.mozilla/firefox/*.default*/**/*.sqlite*
/home/*/.mozilla/firefox/*.default*/**/*.json
/home/*/.mozilla/firefox/*.default*/**/*.txt
/home/*/.mozilla/firefox/*.default*/**/*.db*
/home/*/.config/google-chrome/Default/History*
/home/*/.config/google-chrome/Default/Cookies*
/home/*/.config/google-chrome/Default/Bookmarks*
/home/*/.config/google-chrome/Default/Extensions/**
/home/*/.config/google-chrome/Default/Last*
/home/*/.config/google-chrome/Default/Shortcuts*
/home/*/.config/google-chrome/Default/Top*
/home/*/.config/google-chrome/Default/Visited*
/home/*/.config/google-chrome/Default/Preferences*
/home/*/.config/google-chrome/Default/Login Data*
/home/*/.config/google-chrome/Default/Web Data*
DEPENDENCIES
In general: some kind of administrative rights on the target (root, sudo, Administrator, ...).
CyLR uses .NET Core and runs natively on Windows, Linux, and macOS, either as a .NET Core app or as a self-contained executable produced with the warp packer.
As a note, the package script downloads the warp packer to generate a single binary containing the CyLR resources and the full CLR runtime for portability. This means the binary unpacks into a temporary location for execution, so running the packed binary writes files into the profile of the account it runs under on the target; record that in your collection notes. According to the warp documentation, these locations are:
Packages cache location:
- Linux: $HOME/.local/share/warp/packages
- macOS: $HOME/Library/Application Support/warp/packages
- Windows: %LOCALAPPDATA%\warp\packages
Runners cache location:
- Linux: $HOME/.local/share/warp/runners
- macOS: $HOME/Library/Application Support/warp/runners
- Windows: %LOCALAPPDATA%\warp\runners
These caches are only created on first execution or when the packed binary is
updated.
EXAMPLES
Standard collection:
CyLR.exe
Linux/macOS collection:
./CyLR
Collect artifacts and store data in «C:\Temp\LRData»:
CyLR.exe -od "C:\Temp\LRData"
Collect artifacts and store data in «.\LRData»:
CyLR.exe -od .\LRData
Disable logging to the console and log file:
CyLR.exe -q
Collect artifacts and send data to SFTP server 8.8.8.8:
CyLR.exe -u username -p password -s 8.8.8.8
(Note that -p places the SFTP password on the command line, where it is visible in process listings and shell history on the host being collected from.)
Collect to another folder and filename:
CyLR -od data -of important-data.zip
Collect the USN $J journal in addition to the defaults:
CyLR --usnjrnl
Collect a custom list of artifacts from a file containing paths. The sample custom.txt requires a tab delimiter between the pattern type and the pattern; lines starting with # are ignored:
# Static paths are fixed, case-insensitive paths to compare
# against files found on a system. This is the fastest search
# method available, please use when possible.
#
static C:\Windows\System32\Config\SAM
#
# Glob paths leverage glob patterns specified at
# `https://github.com/dazinator/DotNet.Glob`. This is faster than RegEx and
# should be favored unless more complex patterns are required. Useful for
# scanning for files by name or extension recursively. Also useful for
# collecting a folder recursively.
#
glob **\malware.exe
#
# Regex paths leverage the .NET Regex capabilities and will search for
# specified patterns across accessible files. This is the slowest option and
# should be saved for unique use cases that are not supported by globbing.
#
regex .*\Windows\Temp\[a-z]{8}\+*
This can then be supplied to CyLR for a custom collection of just these paths:
CyLR.exe -c custom.txt
Collection of custom paths in addition to the default paths:
CyLR.exe -d custom.txt
Custom collection paths
CyLR allows for the specification of custom collection paths with the use of a configuration file provided after -c or -d at the command line. A brief summary of the format is below, though full details are available within the CUSTOM_PATH_TEMPLATE.txt provided in the repository.
The custom collection path file allows for the specification of files to collect from a target system. The format is tab delimited, where the first field is a pattern type indicator and the second field is the pattern to collect.
- NOTE: As previously mentioned, all collection paths are case-insensitive.
- NOTE: The path separator needs to match the platform you are collecting from. For Windows it must be \ and for macOS and Linux /.
- NOTE: You must use tabs to delimit the two fields. Spaces will not work, which also means spaces are allowed in the second field containing the pattern content.
Pattern Types
There are 4 pattern types, summarized below:
- static
  - This format allows for the specification of a specific file at a known path.
  - This is the fastest pattern type, as it is performing a string comparison.
  - Example: static C:\Windows\System32\config\SAM
- glob
  - This format allows the specification of basic patterns. Most commonly used
    to collect the contents of a folder, even recursively. It has a few common
    implementations, demonstrated in the examples below.
  - While not as fast as static paths, it allows for some common pattern
    matching and is faster than leveraging regular expressions. A single *
    matches within one path component, while ** also crosses folder boundaries.
  - Example: glob C:\Users\*\ntuser.dat
    collects the NTUSER.DAT from each user profile.
  - Example: glob C:\**\malware.exe
    collects files named malware.exe regardless of what folder they are in, recursively.
  - Example: glob C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
    collects all files ending with .lnk from each user's Recent folder.
  - Example: glob **\*malware*
    collects, recursively, all files whose name contains malware.
  - More details at github.com/dazinator/DotNet.Glob
- regex
  - Allows the specification of advanced patterns through .NET's regular
    expression implementation. Backslash is the regex escape character, so
    Windows path separators must be written as \\ and a literal dot as \.
  - Example: regex C:\\[0-9]+\.exe
    collects all executables with numeric-only names in the root of the C:\ drive.
- force
  - Same as the static option, though it will attempt collection even if the
    file is not identified in the file enumeration process.
  - This is useful in the collection of alternate data streams and special
    files not generally exposed to directory traversal functions.
  - Example: force C:\$Extend\$UsnJrnl:$J
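A custom path file is easy to get subtly wrong (a space instead of a tab, the wrong separator for the platform, an unescaped backslash in a regex), and the mistake only shows up as an empty collection on the host. The following is an added example, not part of CyLR or its repository, that parses the tab-delimited format described above for the sample custom.txt and the four pattern types, enforces those rules, and previews which entries of a directory listing each rule would select. The glob translation is a simplified reading of DotNet.Glob (** spans folders, * and ? stay within one component; character classes are not handled), and both the sample file and the directory listing are constructed for the demonstration.

```python
import re

# Added example, not part of CyLR or its repository: a linter/previewer for the
# tab-delimited custom collection path file. It enforces the documented rules
# and shows which entries of a constructed directory listing each rule selects.

PATTERN_TYPES = ("static", "glob", "regex", "force")
SEPARATORS = {"windows": "\\", "macos": "/", "linux": "/"}


def parse_custom_paths(text, platform="windows"):
    """Parse 'type<TAB>pattern' lines into (type, pattern) tuples.

    '#' and blank lines are ignored; the fields must be tab-separated (spaces are
    part of the pattern); the type must be one of the four kinds; non-regex
    patterns must use the target platform's separator (regexes escape their own).
    """
    sep = SEPARATORS[platform]
    wrong_sep = "/" if sep == "\\" else "\\"
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: type and pattern must be tab-separated")
        ptype, pattern = line.split("\t", 1)
        ptype = ptype.strip().lower()
        if ptype not in PATTERN_TYPES:
            raise ValueError(f"line {lineno}: unknown pattern type {ptype!r}")
        if not pattern:
            raise ValueError(f"line {lineno}: empty pattern")
        if ptype != "regex" and wrong_sep in pattern:
            raise ValueError(f"line {lineno}: use {sep!r} as the path separator for {platform}")
        rules.append((ptype, pattern))
    return rules


def glob_to_regex(pattern, sep):
    """Simplified DotNet.Glob translation: '**' spans folders, '*' and '?' stay
    within one path component, everything else is matched literally."""
    not_sep = "[^" + re.escape(sep) + "]"
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        else:
            c = pattern[i]
            parts.append(not_sep + "*" if c == "*" else not_sep if c == "?" else re.escape(c))
            i += 1
    return "^" + "".join(parts) + "$"


def preview_collection(rules, candidate_paths, platform="windows"):
    """Return {'type<TAB>pattern': [paths the rule would collect]}, case-insensitively
    like CyLR. 'force' rules bypass enumeration, so they are reported verbatim."""
    sep = SEPARATORS[platform]
    selected = {}
    for ptype, pattern in rules:
        key = ptype + "\t" + pattern
        if ptype == "force":
            selected[key] = [pattern]
            continue
        if ptype == "static":
            rx = "^" + re.escape(pattern) + "$"
        elif ptype == "glob":
            rx = glob_to_regex(pattern, sep)
        else:
            rx = pattern  # the basic .NET regex syntax used here is Python-compatible
        try:
            compiled = re.compile(rx, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"bad pattern {key!r}: {exc}") from exc
        selected[key] = [p for p in candidate_paths if compiled.search(p)]
    return selected


# Constructed sample file (backslashes in the regex line are doubled because
# backslash is the regex escape character) and a constructed directory listing.
SAMPLE_CUSTOM_TXT = (
    "# comment lines are ignored\n"
    "static\tC:\\Windows\\System32\\Config\\SAM\n"
    "glob\tC:\\Users\\*\\ntuser.dat\n"
    "glob\t**\\*malware*\n"
    "regex\t.*\\\\Windows\\\\Temp\\\\[a-z]{8}\\.exe\n"
    "force\tC:\\$Extend\\$UsnJrnl:$J\n"
)
SAMPLE_LISTING = [
    r"C:\Windows\System32\config\SAM",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\bob\ntuser.dat",
    r"C:\Users\bob\AppData\Local\Temp\not_malware2.exe",
    r"C:\Windows\Temp\qwertyui.exe",
    r"C:\Windows\Temp\short.exe",
]

if __name__ == "__main__":
    for rule, hits in preview_collection(parse_custom_paths(SAMPLE_CUSTOM_TXT), SAMPLE_LISTING).items():
        print(rule.replace("\t", "  "), "->", hits)
```

Running the previewer against a listing taken from a representative host (for example the output of dir /s /b) before a real engagement shows immediately whether a glob is anchored one folder too shallow or a regex has an unescaped separator, without touching the evidence host.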
Building
CyLR binaries are available for download, prebuilt for use on macOS, Linux, and
Windows operating systems. The following operating systems were tested against:
- Windows 10, build 1909
- macOS 10.14.16
- Debian 10
- Ubuntu 18.04
- CentOS 8.1
- RedHat 8.1
To build CyLR yourself, follow the below steps:
- Install dotnet core on your platform
- Clone this repository
- Run the following scripts in order:
  - Linux/macOS: ./scripts/test.sh or Windows: .\scripts\test_win.ps1
  - Linux/macOS: ./scripts/build.sh or Windows: .\scripts\build_win.ps1
  - Linux/macOS: ./scripts/package.sh or Windows: .\scripts\package_win.ps1
As a note, the package script will download the warp packer to generate a
single binary with the CyLR resources and full CLR runtime for portability.
This means that the binary will unpack in a temporary location for execution.
According to the warp documentation, these locations are:
Packages cache location:
- Linux: $HOME/.local/share/warp/packages
- macOS: $HOME/Library/Application Support/warp/packages
- Windows: %LOCALAPPDATA%\warp\packages
Runners cache location:
- Linux: $HOME/.local/share/warp/runners
- macOS: $HOME/Library/Application Support/warp/runners
- Windows: %LOCALAPPDATA%\warp\runners
These caches are only created on first execution or when the packed binary is
updated. Because they are written into the profile of the account running the
collection, record them in the collection notes so the files can be accounted
for in any later timeline of the target system.
AUTHORS
- Jason Yegge
- Alan Orlikoski
In this article, we will gather information using the quick incident response tools listed below. All of these tools are among the best available for free online, and working with them will sharpen your cyber forensics skills.
Table of Contents
- Live Response Collection - Cedarpelta Build
- CDIR (Cyber Defense Institute Incident Response) Collector
- Fast IR Collector
- Panorama
- Triage - Incident Response
- IREC - IR Evidence Collector | Binalyze
- DG Wingman
Introduction
Incident Response
- Incident response is the organized approach to handling security incidents, breaches, and cyber attacks.
- An IR plan lets you quickly identify an attack, limit the damage, and reduce its cost, while finding and fixing the root cause to prevent future attacks.
Data Collection
- Data collection is the process of securely gathering and preserving a client's electronically stored information (ESI) from PCs, workstations, servers, cloud storage, email accounts, tablets, mobile phones, and PDAs.
Proof of Concept
Live Response Collection - Cedarpelta Build
Live Response Collection - Cedarpelta, an automated live response tool, collects volatile data and creates a memory dump. The tool is created by BriMor Labs.
You can download the tool from here.
Live response is the discipline of gathering data from a running machine to determine whether an incident has occurred. Such data includes artifacts such as process lists, network connection information, stored files, registry information, etc.
It supports Windows, OS X/macOS, and *nix based operating systems. The tool is convenient to use because each of its options briefly explains what it does.
Let’s begin by exploring how the tool works:
The live response collection can be done by the following data gathering scripts:
- Secure-Complete: Choosing this option creates a memory dump, collects volatile data, and also creates a full disk image. All the collected data is compressed and protected by a password.
- Secure-Memory Dump: Choosing this option creates a memory dump and collects volatile data. All the collected data is compressed and protected by a password.
- Secure-Triage: Choosing this option only collects volatile data. All the collected data is compressed and protected by a password.
- Complete: Choosing this option creates a memory dump, collects volatile data, and also creates a full disk image.
- Memory Dump: Choosing this option creates a memory dump and collects volatile data.
- Triage: Choosing this option only collects volatile data.
Note that a memory dump requires the script to be run with administrative privileges, and a full disk image needs destination space comparable to the size of the source disk, so run the Complete options from an external drive rather than the evidence system itself.
The data collection begins as soon as you choose one of the options above and may take a few minutes (considerably longer for the Complete options).
Once the process is over, an output folder named after your computer and the date is created in the same location as the executable file.
The output folder contains the collected data, separated into different subfolders.
These are a few of the records gathered by the tool; check the individual folders according to the evidence you need. It collects RAM data, network information, basic system information, system files, user information, and much more.
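Every collector in this article writes its results into a folder next to the executable, usually named after the host and the date, and that folder is then copied off the machine for analysis. A practitioner hashes its contents before it leaves the host so that a corrupt copy or later tampering can be detected. The following is an added example, not part of Live Response Collection or any other tool on this page: it builds a SHA-256 manifest of an output folder, stores the manifest beside the data, and re-verifies the folder afterwards. The demo() function runs the whole cycle on a throwaway folder whose name and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not part of any collector on this page: hash a collector's
# output folder before it leaves the host, then re-verify it after transfer.

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte artifacts (memory dumps) fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(output_dir):
    """Return {relative_posix_path: sha256} for every regular file under output_dir,
    excluding the manifest file itself so the folder can be re-hashed later."""
    root = Path(output_dir)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(output_dir):
    """Write the manifest beside the collected data and return it."""
    manifest = build_manifest(output_dir)
    with open(Path(output_dir) / MANIFEST_NAME, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_manifest(output_dir, manifest):
    """Return [(relative_path, 'missing' | 'modified' | 'unexpected')]; empty means intact."""
    current = build_manifest(output_dir)
    problems = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append((rel, "missing"))
        elif actual != expected:
            problems.append((rel, "modified"))
    problems.extend((rel, "unexpected") for rel in current if rel not in manifest)
    return problems


def demo():
    """Constructed end-to-end run on a throwaway folder: hash, tamper, re-verify.
    Returns (manifest, problems_before_tampering, problems_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "HOST01_2021-01-01"  # constructed collector output name
        (out / "Logs").mkdir(parents=True)
        (out / "memory.raw").write_bytes(b"hello")  # stands in for a RAM dump
        (out / "Logs" / "netstat.txt").write_text("TCP 0.0.0.0:445 LISTENING\n")
        manifest = write_manifest(out)
        clean = verify_manifest(out, manifest)
        # Simulate what a bad copy or tampering looks like after the fact.
        (out / "Logs" / "netstat.txt").write_text("tampered\n")
        (out / "memory.raw").unlink()
        (out / "extra.txt").write_text("added after collection\n")
        tampered = verify_manifest(out, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)
    print("after tampering:", tampered)
```

Keep a copy of the manifest (or at least its own hash) in the case notes, separate from the output folder: a manifest that travels only with the data it describes proves nothing if both are replaced together.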
CDIR (Cyber Defense Institute Incident Response) Collector
CDIR (Cyber Defense Institute Incident Response) Collector is a data acquisition tool for the Windows operating system. The tool is created by Cyber Defense Institute, Tokyo, Japan. It collects RAM, registry data, NTFS metadata, event logs, web history, and much more.
You can download the tool from here.
Let’s begin by exploring how the tool works:
There are three options:
- Start the collection with the memory dump enabled (1: ON)
- Start the collection with the memory dump disabled (2: OFF)
- Exit (0: EXIT)
After extracting the tool, select 1 (1: ON) to run the collection with a memory dump.
Soon after the process is completed, an output folder named after your computer and the date is created in the same location as the executable file.
Fast IR Collector
Fast IR Collector is a forensic artifact collection tool for Windows and Linux. It gathers artifacts from the live machine and writes the output as .csv or .json files. This tool is created by SekoiaLab.
You can download the tool from here.
Let’s begin by exploring how the tool works:
Run the executable file of the tool as administrator and it will automatically start collecting data.
Results are stored in a folder named output inside the folder where the executable file is stored.
Panorama
Panorama is a tool that creates a fast report of the incident on the Windows system.
You can download the tool from here.
Let’s begin by exploring how the tool works:
- Run the Panorama.exe on the system.
- Choose “Report” to create a fast incident overview.
The browser will automatically launch the report after the process is completed.
The report is divided into sections: system, network, USB, security, and others.
Triage
Triage-IR is an incident response tool that automatically collects information from a Windows system. It is a script written by Michael Ahrendt.
You can simply select the data you want to collect using the checkboxes under each tab. Triage-IR requires the Sysinternals toolkit in order to run.
Download here.
Let’s begin by exploring how the tool works:
- Run the executable file of the tool.
- Select "Yes" when prompted to install the Sysinternals toolkit.
Click "Run" after selecting the data to gather. The collection takes a few minutes to complete.
The data is collected into a folder named after your computer and the date, in the same location as the executable file of the tool.
IREC – IR Evidence Collector | Binalyze
IREC is an easy-to-use forensic evidence collection tool. It is an all-in-one tool, user-friendly as well as malware resistant. It is created by Binalyze; a paid version is also available.
Download the tool from here.
Let’s begin by exploring how the tool works:
You can collect data in two ways:
- Collect evidence: for an in-depth investigation.
- RAM and Page file: for a memory-only investigation.
Here we choose "Collect evidence" for an in-depth collection. Click Start to proceed.
The collection begins once the profile has been chosen.
When the process is complete, you can analyze the data collected in the output folder.
The output is stored in a folder named cases, which contains a folder named after the PC name and date, in the same location as the executable file of the tool.
Here is the HTML report of the evidence collection. The HTML report is easy to analyze, with the collected data classified into sections by evidence type. You can also generate a PDF of the report.
DG Wingman
DG Wingman is a free Windows tool for forensic artifact collection and analysis, by Digital Guardian. It collects artifacts of importance such as registry data, system logs, browser history, and many more, and also lets you execute commands as needed during collection.
You can download the tool from here.
Let’s begin by exploring how the tool works:
- Run the executable file of the tool.
- Use the command wingman.exe /h, which gives you a list of commands along with their capabilities.
For example, if during the incident we need to gather the registry data, we use the command
wingman.exe -r
All the registry entries are collected successfully.
These tools are great for first responders and speed up your work as an incident responder: they support both fast first response and data analysis, with useful additional features.
Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her here.