Sunday, August 11, 2019

CyLR — Live Response Collection tool

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Windows exe found at:

https://github.com/orlikoski/CyLR/releases

and

https://github.com/orlikoski/CyLR

CyLR was first brought to my attention by the SANS "FOR500: Windows Forensic Analysis" course.
It is used for collection and artifact processing.

FOR ARTIFACTS COLLECTION
This tool looks in:

Windows Default
  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\"REGISTRY HIVES"
    • %PROGRAMDATA%
    • %SystemDrive%\$Recycle.Bin
    • %SystemDrive%\$LogFile
    • %SystemDrive%\$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT and \AppData

*Among other places; the Linux and macOS locations are shown on the GitHub page.

Simulating Collecting on Remote System

The above diagram simulates an admin remoting into a desktop, running CyLR and sending the results to an SFTP server for retrieval.

1. SETTING UP THE SFTP SERVICE IN WINDOWS

Open the Start menu.
Type Apps.
Click on Apps & features.
Under "Apps & features," click the Manage optional features link.
Click the Add a feature button.
Select the OpenSSH Server option.
Select Install.


May need to start the service:

Control Panel > System and Security > Administrative Tools and open Services.
Start the OpenSSH SSH Server service.


May need to set up firewall exceptions.
Allow incoming connections to the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only), as the Administrator:
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.


May need to generate a keypair:
In WinSCP, select Advanced settings > Authentication > Tools > Generate New Key Pair with PuTTYgen.
Or use "ssh-keygen.exe" from OpenSSH-Win64.
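The whole of step 1 can also be done from an elevated PowerShell prompt instead of the Settings UI. The script below is an added example, not part of the original post; it assumes Windows 10 1809 or newer (or Server 2019 or newer), where OpenSSH Server ships as an optional capability, and the collection subnet it scopes the firewall rule to is a constructed value.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: set up the OpenSSH (SFTP) server
# that CyLR will upload to, entirely from PowerShell. Assumes Windows 10 1809+
# or Server 2019+ (OpenSSH Server available as an optional capability).

$CollectionSubnet = '192.168.28.0/24'   # assumed: only this range may reach port 22
$SftpUser         = 'SFTP_Server'       # account name used in the post

# 1. Install the OpenSSH Server capability if it is not already present.
$cap = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Server*' }
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Start sshd and make it survive reboots ("May need to start service").
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3. Firewall exception, scoped to the collection subnet rather than any source.
#    Same rule name the post uses, and guarded so the script is safe to re-run.
if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
        -LocalPort 22 -RemoteAddress $CollectionSubnet | Out-Null
}

# 4. A dedicated, non-admin local account for CyLR uploads, so the SFTP
#    credential handed to every collected host is not an administrator.
#    The password is prompted for, never hard-coded.
if (-not (Get-LocalUser -Name $SftpUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $SftpUser" -AsSecureString
    New-LocalUser -Name $SftpUser -Password $pw | Out-Null
}

# 5. Confirm sshd is actually listening before pointing CyLR at this box.
Get-NetTCPConnection -LocalPort 22 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The firewall rule is the same one the post gives, with the remote address restricted so that only hosts on the collection network can reach the SFTP service; a collection server that accepts SSH from anywhere is a target in its own right.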

2.  COPYING CyLR.exe TO REMOTE DESKTOP

$s = New-PSSession -Computername DESKTOP-REMOTE -Credential Win10
$s is the variable holding the PowerShell session to the remote host, ideally created with admin credentials.

Prompt for credentials

3. COPYING CyLR to remote host in session with powershell:


Copy-Item -Path C:\USERS\Win10\Desktop\CyLR_win-x64\CyLR.exe -Destination 'C:\' -ToSession $s

Using the previously created "$s" session to copy to the C: drive of the target

4. Enter session with powershell:
Enter-PSSession -Session $s
5. Run CyLR and point to SFTP server's IP address:
C:\CyLR.exe -u SFTP_Server -p password -s 192.168.28.128
Using the -s parameter to point to the SFTP server, -u for the SFTP user and -p for that user's password.  *Not recommended to use "password" as the password.
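Steps 2 to 5, carried out as one script from the analyst's workstation. This is an added example, not code from the original post or from the CyLR project; it assumes PowerShell remoting is already enabled on the target, that CyLR.exe is at the local path the post uses, and that the SFTP server is the one from step 1. The host name, SFTP account and server address are the post's values; the C:\IR staging folder is an assumption.

```powershell
# Added example, not from the original post: steps 2-5 in one script, run from
# the analyst's workstation. Assumes WinRM remoting is enabled on the target
# and the SFTP server from step 1 is reachable at the address below.

$CylrLocal  = 'C:\Users\Win10\Desktop\CyLR_win-x64\CyLR.exe'
$RemoteHost = 'DESKTOP-REMOTE'
$RemoteDir  = 'C:\IR'            # assumed: keep the tool out of the root of C:\
$SftpServer = '192.168.28.128'
$SftpUser   = 'SFTP_Server'

# Step 2: prompt for both credentials instead of typing a password into the
# command line, which the post itself advises against.
$AdminCred = Get-Credential -Message "Admin account on $RemoteHost"
$SftpCred  = Get-Credential -UserName $SftpUser -Message 'SFTP upload account'
$SftpPlain = $SftpCred.GetNetworkCredential().Password

$s = New-PSSession -ComputerName $RemoteHost -Credential $AdminCred

# Step 3: create the staging folder, copy CyLR into it, and check the copy
# arrived intact so the collection can be tied back to a known binary.
Invoke-Command -Session $s -ScriptBlock {
    param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
} -ArgumentList $RemoteDir
Copy-Item -Path $CylrLocal -Destination $RemoteDir -ToSession $s

$localHash  = (Get-FileHash -Path $CylrLocal -Algorithm SHA256).Hash
$remoteHash = Invoke-Command -Session $s -ScriptBlock {
    param($p) (Get-FileHash -Path $p -Algorithm SHA256).Hash
} -ArgumentList "$RemoteDir\CyLR.exe"
if ($localHash -ne $remoteHash) {
    Remove-PSSession $s
    throw "CyLR.exe hash mismatch after copy: local $localHash, remote $remoteHash"
}

# Steps 4 and 5: run CyLR inside the session (no interactive Enter-PSSession
# needed) and keep the exit code and console output for the case notes.
$Run = Invoke-Command -Session $s -ScriptBlock {
    param($exe, $server, $user, $pw)
    $started = Get-Date
    $output  = & $exe -u $user -p $pw -s $server 2>&1
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Started  = $started
        Finished = Get-Date
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String)
    }
} -ArgumentList "$RemoteDir\CyLR.exe", $SftpServer, $SftpUser, $SftpPlain

Remove-PSSession $s
$Run | Format-List

# Verifying results (run on the SFTP server, not here): CyLR is assumed to
# name the archive after the collected host, so list it and hash it.
#   Get-ChildItem "C:\Users\$SftpUser\$RemoteHost.zip" | Get-FileHash -Algorithm SHA256
```

Invoke-Command replaces the interactive Enter-PSSession of step 4 so the run is scriptable and its exit code is captured. One caveat worth recording in the case notes: CyLR's -p switch still places the SFTP password on the remote process's command line, so it will be visible in any process-creation logging with command-line auditing enabled on the collected host, which is one more reason to use a throwaway, non-admin SFTP account.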

RUNNING

6. Verifying results on the SFTP server

RESULTS include:

Contains the NTUSER.dat registry hive for each user

In conclusion:
I think CyLR is a neat tool and can potentially be used by an IR shop to collect relative artifacts. May try it on a Mac and/or Linux host and see what it retrieves.

Also looking to try out Eric Zimmerman's KAPE (Kroll Artifact Parser and Extractor) tool to simulate a remote collection.
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

--Bryan

Referenced:

Sectechno. (2018, October 10). CyLR - Live Response Collection Tool. Retrieved from http://www.sectechno.com/cylr-live-response-collection-tool/

Orlikoski. (2019, March 18). Orlikoski/CyLR. Retrieved from https://github.com/orlikoski/CyLR