Linux Live IR Collection via CyLR


 CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge

(1) Create test users on Linux to analyze

- testuser1: a regular user creation
- testuser2: created under the home directory with its own folders
- testuser3: created with an expiration date

(2) Download CyLR from https://github.com/orlikoski/CyLR/releases and extract it

(3) Run ./CyLR

(4) Check out the collected files

(5) Analyze the log files

(6) Analyze further
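Steps (1), (5) and (6) above, as a worked example added here (not part of the original post or of the CyLR project): read the collected /etc/passwd and /var/log/auth.log back out of the CyLR output archive and cross-check the accounts in passwd against the "new user" events useradd wrote to the log, flagging accounts with no creation event and accounts whose UID or home directory disagrees with the log. The file contents are constructed samples, and the archive member layout (paths stored without the leading slash) is an assumption.

```python
import io, re, zipfile
# Constructed sample content standing in for two files CyLR collected (not a real capture).
PASSWD = """root:x:0:0:root:/root:/bin/bash
testuser1:x:1001:1001::/home/testuser1:/bin/sh
testuser2:x:1002:1002::/opt/users/testuser2:/bin/bash
testuser3:x:1003:1003::/home/testuser3:/bin/sh
svc-backup:x:1004:1004::/home/svc-backup:/bin/bash
deploy:x:1005:1005::/srv/deploy:/bin/bash
"""
AUTH_LOG = """Mar 10 12:00:01 host useradd[2101]: new user: name=testuser1, UID=1001, GID=1001, home=/home/testuser1, shell=/bin/sh
Mar 10 12:00:05 host useradd[2108]: new user: name=testuser2, UID=1002, GID=1002, home=/opt/users/testuser2, shell=/bin/bash
Mar 10 12:00:09 host useradd[2115]: new user: name=testuser3, UID=1003, GID=1003, home=/home/testuser3, shell=/bin/sh
Mar 10 12:03:40 host useradd[2190]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
"""
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+), GID=\d+, home=([^,]+)")

def build_sample_archive():
    """In-memory zip shaped like a CyLR output archive (members stored without the leading '/' is an assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("etc/passwd", PASSWD)
        zf.writestr("var/log/auth.log", AUTH_LOG)
    return buf.getvalue()

def read_member(zip_bytes, path):
    """Fetch one collected file by its original path, tolerating either archive layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        hits = [n for n in zf.namelist() if n.lstrip("/") == path.lstrip("/")]
        return zf.read(hits[0]).decode("utf-8", "replace") if hits else ""

def parse_passwd(text):
    """Map account name -> (uid, home) for every well-formed passwd line."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), f[5]) for f in rows if len(f) == 7}

def parse_useradd_events(text):
    """Map account name -> (uid, home) for each 'new user' event useradd wrote to the log."""
    hits = (NEW_USER.search(line) for line in text.splitlines())
    return {m[1]: (int(m[2]), m[3]) for m in hits if m}

def triage(zip_bytes, min_uid=1000):
    """Human accounts with no useradd event in the collected log, and those whose UID/home disagree with it."""
    users = parse_passwd(read_member(zip_bytes, "/etc/passwd"))
    events = parse_useradd_events(read_member(zip_bytes, "/var/log/auth.log"))
    human = {n: v for n, v in users.items() if v[0] >= min_uid}
    unexplained = sorted(n for n in human if n not in events)
    mismatched = sorted(n for n in human if n in events and events[n] != human[n])
    return unexplained, mismatched
```

On a real collection, pass the bytes of the zip CyLR wrote instead of `build_sample_archive()`; an account in the "unexplained" list may simply predate the oldest retained auth.log, so check the rotated logs under /var/log before drawing conclusions.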

What CyLR collects from a Linux OS:

System paths:

  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/hosts
  • /etc/passwd
  • /etc/group
  • /etc/crontab
  • /etc/cron.allow
  • /etc/cron.deny
  • /etc/anacrontab
  • /etc/apt/sources.list
  • /etc/apt/trusted.gpg
  • /etc/apt/trustdb.gpg
  • /etc/resolv.conf
  • /etc/fstab
  • /etc/issues
  • /etc/issues.net
  • /etc/insserv.conf
  • /etc/localtime
  • /etc/timezone
  • /etc/pam.conf
  • /etc/rsyslog.conf
  • /etc/xinetd.conf
  • /etc/netgroup
  • /etc/nsswitch.conf
  • /etc/ntp.conf
  • /etc/yum.conf
  • /etc/chrony.conf
  • /etc/chrony
  • /etc/sudoers
  • /etc/logrotate.conf
  • /etc/environment
  • /etc/hostname
  • /etc/host.conf
  • /etc/fstab
  • /etc/machine-id
  • /etc/screen-rc
  • /etc/rc.d/**
  • /etc/cron.daily/**
  • /etc/cron.hourly/**
  • /etc/cron.weekly/**
  • /etc/cron.monthly/**
  • /etc/modprobe.d/**
  • /etc/modprobe-load.d/**
  • /etc/*-release
  • /etc/pam.d/**
  • /etc/rsyslog.d/**
  • /etc/yum.repos.d/**
  • /etc/init.d/**
  • /etc/systemd.d/**
  • /etc/default/**
  • /var/log/**
  • /var/spool/at/**
  • /var/spool/cron/**
  • /var/spool/anacron/cron.daily
  • /var/spool/anacron/cron.hourly
  • /var/spool/anacron/cron.weekly
  • /var/spool/anacron/cron.monthly
  • /boot/grub/grub.cfg
  • /boot/grub2/grub.cfg
  • /sys/firmware/acpi/tables/DSDT

User paths:
  • /root/.*history
  • /root/.*rc
  • /root/.*_logout
  • /root/.ssh/config
  • /root/.ssh/known_hosts
  • /root/.ssh/authorized_keys
  • /root/.selected_editor
  • /root/.viminfo
  • /root/.lesshist
  • /root/.profile
  • /root/.selected_editor
  • /home/*/.*history
  • /home/*/.ssh/known_hosts
  • /home/*/.ssh/config
  • /home/*/.ssh/autorized_keys
  • /home/*/.viminfo
  • /home/*/.profile
  • /home/*/.*rc
  • /home/*/.*_logout
  • /home/*/.selected_editor
  • /home/*/.wget-hsts
  • /home/*/.gitconfig
  • /home/*/.mozilla/firefox/*.default*/**/*.sqlite*
  • /home/*/.mozilla/firefox/*.default*/**/*.json
  • /home/*/.mozilla/firefox/*.default*/**/*.txt
  • /home/*/.mozilla/firefox/*.default*/**/*.db*
  • /home/*/.config/google-chrome/Default/History*
  • /home/*/.config/google-chrome/Default/Cookies*
  • /home/*/.config/google-chrome/Default/Bookmarks*
  • /home/*/.config/google-chrome/Default/Extensions/**
  • /home/*/.config/google-chrome/Default/Last*
  • /home/*/.config/google-chrome/Default/Shortcuts*
  • /home/*/.config/google-chrome/Default/Top*
  • /home/*/.config/google-chrome/Default/Visited*
  • /home/*/.config/google-chrome/Default/Preferences*
  • /home/*/.config/google-chrome/Default/Login Data*
  • /home/*/.config/google-chrome/Default/Web Data*

by dfirist@gmail.com
