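/// <summary>
/// Builds the list of paths to collect. Paths supplied by the caller, the collection
/// file and the command line win; when none are given the platform default artifact
/// list is returned instead.
/// </summary>
/// <param name="arguments">Parsed command-line arguments (CollectionFilePath, CollectionFiles).</param>
/// <param name="additionalPaths">Extra static paths supplied by the caller; null is treated as empty.</param>
/// <returns>The user-specified paths, or the platform defaults when none were specified.</returns>
/// <exception cref="ArgumentException">Thrown when <c>arguments.CollectionFilePath</c> names a file that does not exist.</exception>
public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths)
{
    // Default Windows artifacts. Environment variables are expanded up front so the
    // returned paths are concrete regardless of where Windows is installed.
    var defaultPaths = new List<string>
    {
        @"%SYSTEMROOT%\System32\drivers\etc\hosts",
        @"%SYSTEMROOT%\SchedLgU.Txt",
        @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
        @"%SYSTEMROOT%\System32\config",
        @"%SYSTEMROOT%\System32\winevt\logs",
        @"%SYSTEMROOT%\Prefetch",
        @"%SYSTEMROOT%\Tasks",
        @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
        @"%SystemDrive%\$MFT"
    }.Select(Environment.ExpandEnvironmentVariables).ToList();

    if (Platform.IsUnixLike())
    {
        // NOTE(review): "/var/logs" is probably meant to be "/var/log" (a later revision
        // of this method uses "/var/log"); left unchanged here — confirm.
        defaultPaths = new List<string> { "/root/.bash_history", "/var/logs" };
    }

    // Caller-supplied paths come first; a null list is treated as "none".
    var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

    // "." is the sentinel for "no collection file given".
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException(
                $"Could not find collection file: {arguments.CollectionFilePath}",
                nameof(arguments));
        }

        // One path per line. Blank lines would otherwise become an empty-string
        // collection target, so they are skipped before expansion.
        paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
            .Where(line => !string.IsNullOrWhiteSpace(line))
            .Select(Environment.ExpandEnvironmentVariables));
    }

    if (arguments.CollectionFiles != null)
    {
        paths.AddRange(arguments.CollectionFiles);
    }

    return paths.Count > 0 ? paths : defaultPaths;
}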
/// <summary>
/// Parses the raw command-line tokens into the option fields of this instance.
/// </summary>
/// <param name="args">Raw command-line tokens as passed to Main.</param>
/// <exception cref="ArgumentException">Thrown when only some of -u, -p and -s are supplied.</exception>
public Arguments(string[] args)
{
    HelpRequested = args.HasArgument("--help", "-h", "/?");
    HelpTopic = HelpRequested
        ? args.GetArgumentParameter(false, "--help", "-h", "/?")
        : string.Empty;

    // Help short-circuits everything else; no other option is examined.
    if (HelpRequested)
    {
        return;
    }

    if (args.HasArgument("-o"))
    {
        OutputPath = args.GetArgumentParameter(true, "-o");
    }
    if (args.HasArgument("-u"))
    {
        UserName = args.GetArgumentParameter(true, "-u");
    }
    // NOTE(review): the SFTP password arrives via argv, which is readable in process
    // listings on most platforms; an environment variable or prompt would keep it out.
    if (args.HasArgument("-p"))
    {
        UserPassword = args.GetArgumentParameter(true, "-p");
    }
    if (args.HasArgument("-s"))
    {
        SFTPServer = args.GetArgumentParameter(true, "-s");
    }

    // SFTP is all-or-nothing: supplying any of the three settings enables it,
    // supplying only some of them is an error.
    var sftpSettings = new[] { UserName, UserPassword, SFTPServer };
    var suppliedCount = sftpSettings.Count(setting => !string.IsNullOrEmpty(setting));
    UseSftp = suppliedCount > 0;
    if (UseSftp && suppliedCount < sftpSettings.Length)
    {
        throw new ArgumentException("The flags -u, -p, and -s must all have values to continue. Please try again.");
    }

    if (args.HasArgument("-c"))
    {
        CollectionFilePath = args.GetArgumentParameter(true, "-c");
    }

    DryRun = args.HasArgument("--dry-run");
    if (DryRun)
    {
        // A dry run never uploads, so SFTP is switched off even when fully configured.
        UseSftp = false;
    }

    // Unix-like platforms always use the native collection path.
    ForceNative = args.HasArgument("--force-native") || Platform.IsUnixLike();
}
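/// <summary>
/// Returns the paths to collect: the platform default list, replaced wholesale by the
/// contents of the collection file when one is given.
/// </summary>
/// <param name="arguments">Parsed command-line arguments (CollectionFilePath).</param>
/// <returns>Paths to collect.</returns>
/// <exception cref="ArgumentException">Thrown when <c>arguments.CollectionFilePath</c> names a file that does not exist.</exception>
public static List<string> GetPaths(Arguments arguments)
{
    // Hard-coded Windows defaults; later revisions derive these from %SYSTEMROOT%.
    var paths = new List<string>
    {
        @"C:\Windows\System32\config",
        // NOTE(review): ProgramData is not normally located under the Windows directory;
        // a later revision of this method uses %PROGRAMDATA% instead — confirm.
        @"C:\Windows\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        @"C:\Windows\Prefetch",
        @"C:\Windows\Tasks",
        @"C:\Windows\SchedLgU.Txt",
        @"C:\Windows\System32\winevt\logs",
        @"C:\Windows\System32\drivers\etc\hosts",
        @"C:\$MFT"
    };

    if (Platform.IsUnixLike())
    {
        // NOTE(review): "/var/logs" is probably meant to be "/var/log" (a later revision
        // of this method uses "/var/log"); left unchanged here — confirm.
        paths = new List<string> { "/root/.bash_history", "/var/logs" };
    }

    // "." is the sentinel for "no collection file given".
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException(
                $"Could not find collection file: {arguments.CollectionFilePath}",
                nameof(arguments));
        }

        // The collection file replaces the defaults rather than extending them.
        // Blank lines would otherwise become an empty-string collection target.
        paths.Clear();
        paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
            .Where(line => !string.IsNullOrWhiteSpace(line)));
    }

    return paths;
}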
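/// <summary>
/// Builds the list of paths to collect. Caller-, file- and command-line-supplied paths
/// win; when none are given the platform default artifact list is used. On Unix-like
/// systems the defaults are derived from a full file-system listing.
/// </summary>
/// <param name="arguments">Parsed command-line arguments (CollectionFilePath, CollectionFiles).</param>
/// <param name="additionalPaths">Extra static paths supplied by the caller; null is treated as empty.</param>
/// <returns>The user-specified paths, or the platform defaults when none were specified.</returns>
/// <exception cref="ArgumentException">Thrown when <c>arguments.CollectionFilePath</c> names a file that does not exist.</exception>
public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths)
{
    // Default Windows artifacts, expanded so the paths are concrete on this host.
    var defaultPaths = new List<string>
    {
        @"%SYSTEMROOT%\System32\drivers\etc\hosts",
        @"%SYSTEMROOT%\SchedLgU.Txt",
        @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
        @"%SYSTEMROOT%\System32\config",
        @"%SYSTEMROOT%\System32\winevt\logs",
        @"%SYSTEMROOT%\Prefetch",
        @"%SYSTEMROOT%\Tasks",
        @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
        @"%SystemDrive%\$MFT"
    }.Select(Environment.ExpandEnvironmentVariables).ToList();

    if (Platform.IsUnixLike())
    {
        defaultPaths = new List<string>();

        // Fixed locations (macOS-oriented); discovered files are appended below.
        // tempPaths and AllFiles are not declared here — presumably class-level fields.
        tempPaths = new List<string>
        {
            "/root/.bash_history",
            "/var/log",
            "/private/var/log/",
            "/.fseventsd",
            "/etc/hosts.allow",
            "/etc/hosts.deny",
            "/etc/hosts",
            "/System/Library/StartupItems",
            "/System/Library/LaunchAgents",
            "/System/Library/LaunchDaemons",
            "/Library/LaunchAgents",
            "/Library/LaunchDaemons",
            "/Library/StartupItems",
            "/etc/passwd",
            "/etc/group"
        };

        // Full file-system listing, filtered by name below. Walking "/" is slow but lets
        // the defaults find per-user artifacts without knowing the home directories.
        AllFiles = new List<string>();
        AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

        // Property lists. The previous check looked for the literal text "*.plist",
        // which no real path contains; a suffix match is what "all *.plist files" means.
        tempPaths.AddRange(AllFiles.Where(path => path.EndsWith(".plist", StringComparison.Ordinal)));

        // Shell histories, Chrome profile artifacts and Firefox databases, by substring.
        var markers = new[]
        {
            ".bash_history",
            ".sh_history",
            "Support/Google/Chrome/Default/History",
            "Support/Google/Chrome/Default/Cookies",
            "Support/Google/Chrome/Default/Bookmarks",
            "Support/Google/Chrome/Default/Extensions",
            "Support/Google/Chrome/Default/Last",
            "Support/Google/Chrome/Default/Shortcuts",
            "Support/Google/Chrome/Default/Top",
            "Support/Google/Chrome/Default/Visited",
            "places.sqlite",
            "downloads.sqlite"
        };
        foreach (var marker in markers)
        {
            tempPaths.AddRange(AllFiles.Where(path => path.Contains(marker)));
        }

        // NOTE(review): Replace(" ", " ") is a no-op. The stated intent ("fix any spaces to
        // work with macOS naming conventions") cannot be recovered from here — confirm.
        defaultPaths = tempPaths.ConvertAll(path => path.Replace(" ", " "));
    }

    // Caller-supplied paths come first; a null list is treated as "none".
    var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

    // "." is the sentinel for "no collection file given".
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException(
                $"Could not find collection file: {arguments.CollectionFilePath}",
                nameof(arguments));
        }

        paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
            .Select(Environment.ExpandEnvironmentVariables));
    }

    if (arguments.CollectionFiles != null)
    {
        paths.AddRange(arguments.CollectionFiles);
    }

    // Empty strings are not collectable targets (the previous code special-cased only a
    // lone ""), so drop them before deciding whether any custom path was given.
    paths.RemoveAll(string.IsNullOrEmpty);
    return paths.Count > 0 ? paths : defaultPaths;
}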
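/// <summary>
/// Method used to apply default and user specified patterns to files
/// identified on the system.
///
/// All paths and patterns are case insensitive.
/// </summary>
/// <param name="arguments">User arguments provided at execution.</param>
/// <param name="additionalPaths">Additional collection targets from the command line; null is treated as empty.</param>
/// <param name="Usnjrnl">Whether or not to collect the $J.</param>
/// <param name="logger">A logging object.</param>
/// <returns>
/// List of distinct files to attempt collection of from a system.
/// This list is filtered by the default and custom patterns.
/// </returns>
/// <exception cref="ArgumentException">Thrown when <c>arguments.CollectionFilePath</c> names a file that does not exist.</exception>
public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths, bool Usnjrnl, Logger logger)
{
    // Caller-supplied targets are static (exact) paths only.
    var staticPaths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

    // Pattern buckets: globs and regexes are matched against the file-system walk;
    // collectionPaths receives the matches plus "force" entries that bypass matching.
    var globPaths = new List<Glob>();
    var regexPaths = new List<Regex>();
    var collectionPaths = new List<string>();

    // Globs are matched case-insensitively via the library default; static paths are
    // lower-cased on both sides of the comparison for the same effect.
    GlobOptions.Default.Evaluation.CaseInsensitive = true;
    bool staticCaseInsensitive = true;

    var basePaths = EnumerateVolumes(logger);

    // Load custom patterns from the collection file, if one was given ("." means none).
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            logger.error(String.Format("Error: Could not find file: {0}", arguments.CollectionFilePath));
            logger.error("Exiting");
            logger.TearDown();
            throw new ArgumentException(
                String.Format("Could not find collection file: {0}", arguments.CollectionFilePath),
                nameof(arguments));
        }

        logger.debug("Extracting patterns from custom path file");
        LoadPatternFile(arguments.CollectionFilePath, logger, staticPaths, globPaths, regexPaths, collectionPaths);
    }

    // Load information provided at the command line as additional paths.
    if (arguments.CollectionFiles != null)
    {
        logger.debug("Adding command line specified files");
        staticPaths.AddRange(arguments.CollectionFiles);
    }

    // Defaults apply when no collection file was given, or when explicitly requested.
    if (arguments.CollectionFilePath == "." || arguments.CollectDefaults)
    {
        logger.debug("Enumerating patterns for default artifact collection");
        if (!Platform.IsUnixLike())
        {
            logger.info("Windows platform detected");
            AddWindowsDefaults(Usnjrnl, staticPaths, globPaths, collectionPaths);
        }
        else if (HasMacOSFolders())
        {
            logger.info("macOS platform detected");
            AddMacOSDefaults(staticPaths, globPaths);
        }
        else
        {
            logger.info("Linux platform detected");
            AddLinuxDefaults(staticPaths, globPaths);
        }
    }

    // Static matching is a set lookup on the normalised form of each walked entry
    // (the previous List.Contains was a linear scan per file on the whole volume).
    var staticLookup = new HashSet<string>(StringComparer.Ordinal);
    foreach (var staticPath in staticPaths)
    {
        staticLookup.Add(staticCaseInsensitive ? staticPath.ToLowerInvariant() : staticPath);
    }

    // Get file system listing to populate collection paths.
    logger.debug("Enumerating file systems and matching patterns");
    var numPathsScanned = 0;
    foreach (var basePath in basePaths)
    {
        logger.debug(String.Format("Enumerating volume: {0}", basePath));
        foreach (var entry in WalkTree(basePath, logger))
        {
            numPathsScanned++;
            var entryStr = entry.ToString();
            var staticEntry = staticCaseInsensitive ? entryStr.ToLowerInvariant() : entryStr;

            // Static first, then glob (cheaper than regex), then regex; first hit wins.
            if (staticLookup.Contains(staticEntry)
                || MatchesAnyGlob(entryStr, globPaths, logger)
                || MatchesAnyRegex(entryStr, regexPaths, logger))
            {
                collectionPaths.Add(entryStr);
            }
        }
    }

    // A blank "force" line would otherwise become an empty-string target.
    collectionPaths.RemoveAll(x => string.IsNullOrEmpty(x));

    logger.info(String.Format("Scanned {0} paths", numPathsScanned));
    logger.info(String.Format("Found {0} paths to collect", collectionPaths.Count));
    return collectionPaths;
}

/// <summary>
/// Returns the roots to walk: "/" on Unix-like systems, every mounted volume on Windows.
/// </summary>
/// <param name="logger">A logging object.</param>
private static List<string> EnumerateVolumes(Logger logger)
{
    var basePaths = new List<string>();
    if (Platform.IsUnixLike())
    {
        basePaths.Add("/"); // Scan the entire root.
        return basePaths;
    }

    logger.debug("Enumerating volumes on system");
    foreach (DriveInfo drive in DriveInfo.GetDrives())
    {
        basePaths.Add(drive.Name);
    }
    logger.debug(String.Format("Identified volumes: {0}", String.Join(", ", basePaths)));
    return basePaths;
}

/// <summary>
/// Parses the collection file: one "kind&lt;TAB&gt;path" entry per line, where kind is
/// static, glob, regex or force. Comment ('#') and blank lines are ignored; lines
/// without a tab or with an unknown kind are logged and skipped.
/// </summary>
/// <param name="collectionFilePath">Path of the collection file; must exist.</param>
/// <param name="logger">A logging object.</param>
/// <param name="staticPaths">Receives "static" entries.</param>
/// <param name="globPaths">Receives parsed "glob" entries.</param>
/// <param name="regexPaths">Receives compiled "regex" entries.</param>
/// <param name="collectionPaths">Receives "force" entries, collected without matching.</param>
private static void LoadPatternFile(string collectionFilePath, Logger logger, List<string> staticPaths, List<Glob> globPaths, List<Regex> regexPaths, List<string> collectionPaths)
{
    using (var reader = new StreamReader(collectionFilePath))
    {
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            // Skip blank lines and lines starting with a comment marker.
            if (line.Length == 0 || line.StartsWith("#", StringComparison.Ordinal))
            {
                continue;
            }

            // A definition and a path, delimited by a tab, are required.
            if (!line.Contains("\t"))
            {
                logger.warn(String.Format("Excluding invalid path format \"{0}\"", line));
                continue;
            }

            string[] pathParts = line.Split('\t');
            var pathDef = pathParts[0].ToLowerInvariant();
            var pathData = Environment.ExpandEnvironmentVariables(pathParts[1]);

            switch (pathDef)
            {
                case "static":
                    staticPaths.Add(pathData);
                    break;
                case "glob":
                    globPaths.Add(Glob.Parse(pathData));
                    break;
                case "regex":
                    // Operator-supplied pattern compiled without a match timeout: a
                    // pathological expression stalls the walk instead of failing fast.
                    regexPaths.Add(new Regex(pathData));
                    break;
                case "force":
                    collectionPaths.Add(pathData);
                    break;
                default:
                    logger.warn(String.Format("Excluding invalid path format \"{0}\"", line));
                    break;
            }
        }
    }
}

/// <summary>
/// Heuristic used to tell macOS from other Unix-like systems: all three of
/// /private, /Applications and /Users exist.
/// </summary>
private static bool HasMacOSFolders()
{
    return Directory.Exists("/private")
        && Directory.Exists("/Applications")
        && Directory.Exists("/Users");
}

/// <summary>
/// Expands environment variables in every entry of <paramref name="paths"/> in place.
/// </summary>
private static void ExpandInPlace(List<string> paths)
{
    for (var i = 0; i < paths.Count; i++)
    {
        paths[i] = Environment.ExpandEnvironmentVariables(paths[i]);
    }
}

/// <summary>
/// Adds the default Windows artifact patterns: system-wide globs and static files,
/// NTFS metadata files that are collected directly, and per-user profile artifacts.
/// </summary>
/// <param name="usnjrnl">Whether or not to collect the $J.</param>
/// <param name="staticPaths">Receives exact paths to match against the walk.</param>
/// <param name="globPaths">Receives glob patterns to match against the walk.</param>
/// <param name="collectionPaths">Receives paths collected without matching.</param>
private static void AddWindowsDefaults(bool usnjrnl, List<string> staticPaths, List<Glob> globPaths, List<string> collectionPaths)
{
    string systemRoot = Environment.ExpandEnvironmentVariables("%SYSTEMROOT%");
    string programData = Environment.ExpandEnvironmentVariables("%PROGRAMDATA%");
    string systemDrive = Environment.ExpandEnvironmentVariables("%SystemDrive%");

    globPaths.Add(Glob.Parse(systemRoot + @"\Tasks\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\Prefetch\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\System32\sru\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\System32\winevt\Logs\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\System32\Tasks\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\System32\LogFiles\W3SVC1\**"));
    globPaths.Add(Glob.Parse(systemRoot + @"\Appcompat\Programs\**"));
    globPaths.Add(Glob.Parse(programData + @"\Microsoft\Windows\Start Menu\Programs\Startup\**"));
    globPaths.Add(Glob.Parse(systemDrive + @"\$Recycle.Bin\**\$I*"));
    globPaths.Add(Glob.Parse(systemDrive + @"\$Recycle.Bin\$I*"));

    staticPaths.Add(@"%SYSTEMROOT%\SchedLgU.Txt");
    staticPaths.Add(@"%SYSTEMROOT%\inf\setupapi.dev.log");
    staticPaths.Add(@"%SYSTEMROOT%\System32\drivers\etc\hosts");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM.LOG1");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM.LOG1");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE.LOG1");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY.LOG1");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM.LOG2");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM.LOG2");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE.LOG2");
    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY.LOG2");

    // NTFS metadata files are not returned by the walk, so they go straight to the
    // collection list.
    collectionPaths.Add(@"%SystemDrive%\$LogFile");
    collectionPaths.Add(@"%SystemDrive%\$MFT");
    if (usnjrnl)
    {
        collectionPaths.Add(@"%SystemDrive%\$Extend\$UsnJrnl:$J");
    }

    // Expand envars for everything added so far; per-user paths below are already absolute.
    ExpandInPlace(staticPaths);
    ExpandInPlace(collectionPaths);

    // Per-user artifacts, rooted at each profile path found in the registry.
    var users = FindUsers();
    foreach (var user in users)
    {
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\**"));
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\**"));
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**"));
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\**"));
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform\**"));
        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer\**"));
        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT");
        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG1");
        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG2");
        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat");
        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History");
        staticPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt");
    }
}

/// <summary>
/// Adds the default macOS artifact patterns.
/// </summary>
/// <param name="staticPaths">Receives exact paths to match against the walk.</param>
/// <param name="globPaths">Receives glob patterns to match against the walk.</param>
private static void AddMacOSDefaults(List<string> staticPaths, List<Glob> globPaths)
{
    staticPaths.AddRange(new List<string>
    {
        "/etc/hosts.allow",
        "/etc/hosts.deny",
        "/etc/hosts",
        "/private/etc/hosts.allow",
        "/private/etc/hosts.deny",
        "/private/etc/hosts",
        "/etc/passwd",
        "/etc/group",
        "/private/etc/passwd",
        "/private/etc/group",
    });
    ExpandInPlace(staticPaths);

    globPaths.AddRange(new List<Glob>
    {
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/History*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Cookies*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Bookmarks*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Extensions/**"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Last*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Shortcuts*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Top*"),
        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Visited*"),
        Glob.Parse("**/places.sqlite*"),
        Glob.Parse("**/downloads.sqlite*"),
        Glob.Parse("**/*.plist"),
        Glob.Parse("/Users/*/.*history"),
        Glob.Parse("/root/.*history"),
        Glob.Parse("/System/Library/StartupItems/**"),
        Glob.Parse("/System/Library/LaunchAgents/**"),
        Glob.Parse("/System/Library/LaunchDaemons/**"),
        Glob.Parse("/Library/LaunchAgents/**"),
        Glob.Parse("/Library/LaunchDaemons/**"),
        Glob.Parse("/Library/StartupItems/**"),
        Glob.Parse("/var/log/**"),
        Glob.Parse("/private/var/log/**"),
        Glob.Parse("/private/etc/rc.d/**"),
        Glob.Parse("/etc/rc.d/**"),
        Glob.Parse("/.fseventsd/**")
    });
}

/// <summary>
/// Adds the default Linux artifact patterns.
/// </summary>
/// <param name="staticPaths">Receives exact paths to match against the walk.</param>
/// <param name="globPaths">Receives glob patterns to match against the walk.</param>
private static void AddLinuxDefaults(List<string> staticPaths, List<Glob> globPaths)
{
    staticPaths.AddRange(new List<string>
    {
        // Super user
        "/root/.ssh/config",
        "/root/.ssh/known_hosts",
        "/root/.ssh/authorized_keys",
        "/root/.selected_editor",
        "/root/.viminfo",
        "/root/.lesshist",
        "/root/.profile",
        // Boot
        "/boot/grub/grub.cfg",
        "/boot/grub2/grub.cfg",
        // Sys
        "/sys/firmware/acpi/tables/DSDT",
        // etc
        "/etc/hosts.allow",
        "/etc/hosts.deny",
        "/etc/hosts",
        "/etc/passwd",
        "/etc/group",
        "/etc/crontab",
        "/etc/cron.allow",
        "/etc/cron.deny",
        "/etc/anacrontab",
        "/var/spool/anacron/cron.daily",
        "/var/spool/anacron/cron.hourly",
        "/var/spool/anacron/cron.weekly",
        "/var/spool/anacron/cron.monthly",
        "/etc/apt/sources.list",
        "/etc/apt/trusted.gpg",
        "/etc/apt/trustdb.gpg",
        "/etc/resolv.conf",
        "/etc/fstab",
        // NOTE(review): the login banner files are conventionally named without the
        // trailing "s" (issue / issue.net); these two entries may never match — confirm.
        "/etc/issues",
        "/etc/issues.net",
        "/etc/insserv.conf",
        "/etc/localtime",
        "/etc/timezone",
        "/etc/pam.conf",
        "/etc/rsyslog.conf",
        "/etc/xinetd.conf",
        "/etc/netgroup",
        "/etc/nsswitch.conf",
        "/etc/ntp.conf",
        "/etc/yum.conf",
        "/etc/chrony.conf",
        "/etc/chrony",
        "/etc/sudoers",
        "/etc/logrotate.conf",
        "/etc/environment",
        "/etc/hostname",
        "/etc/host.conf",
        "/etc/machine-id",
        "/etc/screen-rc",
    });
    ExpandInPlace(staticPaths);

    globPaths.AddRange(new List<Glob>
    {
        // User profiles
        Glob.Parse("/home/*/.*history"),
        Glob.Parse("/home/*/.ssh/known_hosts"),
        Glob.Parse("/home/*/.ssh/config"),
        // Spelling fixed: the root equivalent above is ".ssh/authorized_keys".
        Glob.Parse("/home/*/.ssh/authorized_keys"),
        Glob.Parse("/home/*/.viminfo"),
        Glob.Parse("/home/*/.profile"),
        Glob.Parse("/home/*/.*rc"),
        Glob.Parse("/home/*/.*_logout"),
        Glob.Parse("/home/*/.selected_editor"),
        Glob.Parse("/home/*/.wget-hsts"),
        Glob.Parse("/home/*/.gitconfig"),
        // Firefox artifacts
        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.sqlite*"),
        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.json"),
        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.txt"),
        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.db*"),
        // Chrome artifacts
        Glob.Parse("/home/*/.config/google-chrome/Default/History*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Cookies*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Bookmarks*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Extensions/**"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Last*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Shortcuts*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Top*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Visited*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Preferences*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Login Data*"),
        Glob.Parse("/home/*/.config/google-chrome/Default/Web Data*"),
        // Superuser profiles
        Glob.Parse("/root/.*history"),
        Glob.Parse("/root/.*rc"),
        Glob.Parse("/root/.*_logout"),
        // var
        Glob.Parse("/var/log/**"),
        Glob.Parse("/var/spool/at/**"),
        Glob.Parse("/var/spool/cron/**"),
        // etc
        Glob.Parse("/etc/rc.d/**"),
        Glob.Parse("/etc/cron.daily/**"),
        Glob.Parse("/etc/cron.hourly/**"),
        Glob.Parse("/etc/cron.weekly/**"),
        Glob.Parse("/etc/cron.monthly/**"),
        Glob.Parse("/etc/modprobe.d/**"),
        Glob.Parse("/etc/modprobe-load.d/**"),
        Glob.Parse("/etc/*-release"),
        Glob.Parse("/etc/pam.d/**"),
        Glob.Parse("/etc/rsyslog.d/**"),
        Glob.Parse("/etc/yum.repos.d/**"),
        Glob.Parse("/etc/init.d/**"),
        Glob.Parse("/etc/systemd.d/**"),
        Glob.Parse("/etc/default/**"),
    });
}

/// <summary>
/// True when <paramref name="entry"/> matches any glob. A matcher failure is logged
/// and rethrown, aborting the collection.
/// </summary>
private static bool MatchesAnyGlob(string entry, List<Glob> globPaths, Logger logger)
{
    foreach (var globPattern in globPaths)
    {
        bool found;
        try
        {
            found = globPattern.IsMatch(entry);
        }
        catch (System.Exception)
        {
            logger.error("Unknown globbing error encountered. Please report.");
            throw;
        }
        if (found)
        {
            return true;
        }
    }
    return false;
}

/// <summary>
/// True when <paramref name="entry"/> matches any regex. A matcher failure is logged
/// and rethrown, aborting the collection.
/// </summary>
private static bool MatchesAnyRegex(string entry, List<Regex> regexPaths, Logger logger)
{
    foreach (var regexPattern in regexPaths)
    {
        bool found;
        try
        {
            found = regexPattern.IsMatch(entry);
        }
        catch (System.Exception)
        {
            logger.error("Unknown regex error encountered. Please report.");
            throw;
        }
        if (found)
        {
            return true;
        }
    }
    return false;
}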
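/// <summary>
/// Builds the list of paths to collect. Caller-, file- and command-line-supplied paths
/// win; when none are given the platform default artifact list is used. On Windows the
/// defaults include per-user profile artifacts; on Unix-like systems they are derived
/// from a full file-system listing.
/// </summary>
/// <param name="arguments">Parsed command-line arguments (CollectionFilePath, CollectionFiles).</param>
/// <param name="additionalPaths">Extra static paths supplied by the caller; null is treated as empty.</param>
/// <returns>The user-specified paths, or the platform defaults when none were specified.</returns>
/// <exception cref="ArgumentException">Thrown when <c>arguments.CollectionFilePath</c> names a file that does not exist.</exception>
public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths)
{
    // Default Windows artifacts, expanded so the paths are concrete on this host.
    var defaultPaths = new List<string>
    {
        @"%SYSTEMROOT%\SchedLgU.Txt",
        @"%SYSTEMROOT%\Tasks",
        @"%SYSTEMROOT%\Prefetch",
        @"%SYSTEMROOT%\inf\setupapi.dev.log",
        @"%SYSTEMROOT%\Appcompat\Programs",
        @"%SYSTEMROOT%\System32\drivers\etc\hosts",
        @"%SYSTEMROOT%\System32\sru",
        @"%SYSTEMROOT%\System32\winevt\logs",
        @"%SYSTEMROOT%\System32\Tasks",
        @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
        @"%SYSTEMROOT%\System32\config\SAM",
        @"%SYSTEMROOT%\System32\config\SYSTEM",
        @"%SYSTEMROOT%\System32\config\SOFTWARE",
        @"%SYSTEMROOT%\System32\config\SECURITY",
        @"%SYSTEMROOT%\System32\config\SAM.LOG1",
        @"%SYSTEMROOT%\System32\config\SYSTEM.LOG1",
        @"%SYSTEMROOT%\System32\config\SOFTWARE.LOG1",
        @"%SYSTEMROOT%\System32\config\SECURITY.LOG1",
        @"%SYSTEMROOT%\System32\config\SAM.LOG2",
        @"%SYSTEMROOT%\System32\config\SYSTEM.LOG2",
        @"%SYSTEMROOT%\System32\config\SOFTWARE.LOG2",
        @"%SYSTEMROOT%\System32\config\SECURITY.LOG2",
        @"%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows",
        @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
        @"%SystemDrive%\$Recycle.Bin",
        @"%SystemDrive%\$LogFile",
        @"%SystemDrive%\$MFT"
    }.Select(Environment.ExpandEnvironmentVariables).ToList();

    if (!Platform.IsUnixLike())
    {
        // Per-user artifacts, rooted at each profile path found in the registry. To add
        // another per-user target, prefix it with $@"{user.ProfilePath}" as below.
        // The previous revision added NTUSER.DAT and UsrClass.dat twice per user; each
        // target is now listed once.
        var users = FindUsers();
        foreach (var user in users)
        {
            defaultPaths.Add($@"{user.ProfilePath}\NTUSER.DAT");
            defaultPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG1");
            defaultPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG2");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History\");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
            defaultPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\");
        }
    }
    else
    {
        defaultPaths = new List<string>();

        // Fixed locations (macOS-oriented); discovered files are appended below.
        // tempPaths and AllFiles are not declared here — presumably class-level fields.
        tempPaths = new List<string>
        {
            "/root/.bash_history",
            "/var/log",
            "/private/var/log/",
            "/.fseventsd",
            "/etc/hosts.allow",
            "/etc/hosts.deny",
            "/etc/hosts",
            "/System/Library/StartupItems",
            "/System/Library/LaunchAgents",
            "/System/Library/LaunchDaemons",
            "/Library/LaunchAgents",
            "/Library/LaunchDaemons",
            "/Library/StartupItems",
            "/etc/passwd",
            "/etc/group",
            "/etc/rc.d"
        };

        // Full file-system listing, filtered by name below. Walking "/" is slow but lets
        // the defaults find per-user artifacts without knowing the home directories.
        AllFiles = new List<string>();
        AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

        // Property lists. The previous check looked for the literal text "*.plist",
        // which no real path contains; a suffix match is what "all *.plist files" means.
        tempPaths.AddRange(AllFiles.Where(path => path.EndsWith(".plist", StringComparison.Ordinal)));

        // Shell histories, Chrome profile artifacts and Firefox databases, by substring.
        var markers = new[]
        {
            ".bash_history",
            ".sh_history",
            "Support/Google/Chrome/Default/History",
            "Support/Google/Chrome/Default/Cookies",
            "Support/Google/Chrome/Default/Bookmarks",
            "Support/Google/Chrome/Default/Extensions",
            "Support/Google/Chrome/Default/Last",
            "Support/Google/Chrome/Default/Shortcuts",
            "Support/Google/Chrome/Default/Top",
            "Support/Google/Chrome/Default/Visited",
            "places.sqlite",
            "downloads.sqlite"
        };
        foreach (var marker in markers)
        {
            tempPaths.AddRange(AllFiles.Where(path => path.Contains(marker)));
        }

        // NOTE(review): Replace(" ", " ") is a no-op. The stated intent ("fix any spaces to
        // work with macOS naming conventions") cannot be recovered from here — confirm.
        defaultPaths = tempPaths.ConvertAll(path => path.Replace(" ", " "));
    }

    // Caller-supplied paths come first; a null list is treated as "none".
    var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

    // "." is the sentinel for "no collection file given".
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException(
                $"Could not find collection file: {arguments.CollectionFilePath}",
                nameof(arguments));
        }

        paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
            .Select(Environment.ExpandEnvironmentVariables));
    }

    if (arguments.CollectionFiles != null)
    {
        paths.AddRange(arguments.CollectionFiles);
    }

    // Empty strings are not collectable targets (the previous code special-cased only a
    // lone ""), so drop them before deciding whether any custom path was given.
    paths.RemoveAll(string.IsNullOrEmpty);
    return paths.Count > 0 ? paths : defaultPaths;
}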
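// ---- Default artefact tables used by GetPaths(Arguments, List<string>, bool, bool) ----
// Each table holds paths relative to some root; the root (drive letter, Windows
// directory, user profile) is prepended at runtime so nothing is listed twice by hand.

// Artefacts addressed relative to a Windows directory. Applied to both "\Windows"
// and "\Windows.old" so the two roots stay in sync (the hand-written table had
// drifted: the Windows.old copy lacked SYSTEM.LOG1 and debug\netlogon.log).
// NOTE(review): these resolve to \Windows.old\System32\... while the Defender log
// in s_antivirusArtifacts uses \Windows.old\Windows\Temp; confirm which layout the
// target systems actually have.
private static readonly string[] s_windowsDirArtifacts =
{
    @"SchedLgU.Txt",
    @"Tasks",
    @"Prefetch",
    @"Appcompat\Programs\install",
    @"Appcompat\Programs\Amcache.hve",
    @"Appcompat\Programs\Amcache.hve.LOG1",
    @"Appcompat\Programs\Amcache.hve.LOG2",
    @"Appcompat\Programs\Amcache.hve.tmp.LOG1",
    @"Appcompat\Programs\Amcache.hve.tmp.LOG2",
    @"Appcompat\Programs\recentfilecache.bcf",
    @"System32\drivers\etc\hosts",
    @"System32\sru",
    @"System32\winevt\logs",
    @"System32\Tasks",
    @"System32\LogFiles\W3SVC1",
    @"System32\config\",
    @"System32\config\SAM.LOG1",
    @"System32\config\SYSTEM.LOG1",
    @"System32\config\SOFTWARE.LOG1",
    @"System32\config\SECURITY.LOG1",
    @"System32\config\SAM.LOG2",
    @"System32\config\SYSTEM.LOG2",
    @"System32\config\SOFTWARE.LOG2",
    @"System32\config\SECURITY.LOG2",
    @"System32\dhcp",
    @"System32\bits.log",
    @"System32\LogFiles\HTTPERR",
    @"System32\wbem\Repository",
    @"System32\LogFiles\SUM",
    @"System32\debug\netlogon.log",
};

// Artefacts addressed relative to the drive root (Arguments.DriveLet is prepended).
private static readonly string[] s_driveRootArtifacts =
{
    @"\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    @"\ProgramData\Microsoft\RAC\PublishedData",
    @"\Program Files (x86)\TeamViewer\Connections_incoming.txt",
    @"\Program Files\TeamViewer\Connections_incoming.txt",
    @"\System Volume Information\syscache.hve",
    @"\System Volume Information\syscache.hve.LOG1",
    @"\System Volume Information\syscache.hve.LOG2",
    @"\ProgramData\Microsoft\Network\Downloader\",
    @"\inetpub\logs\LogFiles",
    @"\ProgramData\AnyDesk",
    @"\kworking",
    @"\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db",
    @"\ProgramData\LogMeIn\Logs",
    @"\Program Files (x86)\Splashtop\Splashtop Remote\Server\log",
    @"\Program Files\Splashtop\Splashtop Remote\Server\log",
    @"\Program Files (x86)\Splashtop\Splashtop Remote\Splashtop Gateway\log",
    @"\Program Files\Splashtop\Splashtop Remote\Splashtop Gateway\log",
    @"\ProgramData\Microsoft\Windows Defender\Support",
};

// Anti-virus log locations, drive-root relative. Only added when AntiV is set
// (WARNING: the collection may become very large).
private static readonly string[] s_antivirusArtifacts =
{
    //AVG
    @"\Documents and Settings\All Users\Application Data\AVG\Antivirus\log",
    @"\Documents and Settings\All Users\Application Data\AVG\Antivirus\report",
    @"\ProgramData\AVG\Antivirus\log",
    @"\ProgramData\AVG\Antivirus\report",
    //Avast
    @"\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log",
    @"\ProgramData\Avast Software\Avast\Log",
    @"\ProgramData\Avast Software\Avast\Chest\index.xml",
    //Avira
    @"\ProgramData\Avira\Antivirus\LOGFILES",
    //Bitdefender
    @"\ProgramData\Bitdefender\Endpoint Security\Logs",
    @"\ProgramData\Bitdefender\Desktop\Profiles\Logs",
    @"\ComboFix.txt",
    @"\ProgramData\crs1\Logs",
    @"\ProgramData\apv2\Logs",
    @"\ProgramData\crb1\Logs",
    //ESET
    @"\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs",
    @"\ProgramData\ESET\ESET NOD32 Antivirus\Logs",
    //F-Secure
    @"\ProgramData\F-Secure\Log",
    @"\ProgramData\F-Secure\Antivirus\ScheduledScanReports",
    //Hitman Pro
    @"\ProgramData\HitmanPro\Logs",
    @"\ProgramData\HitmanPro.Alert\Logs",
    @"\ProgramData\HitmanPro.Alert\excalibur.db",
    //Malwarebytes
    @"\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs",
    @"\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log",
    @"\ProgramData\Malwarebytes\MBAMService\ScanResults",
    //McAfee
    @"\Users\All Users\Application Data\McAfee\DesktopProtection",
    @"\ProgramData\McAfee\DesktopProtection",
    @"\ProgramData\McAfee\Endpoint Security\Logs",
    @"\ProgramData\McAfee\Endpoint Security\Logs_Old",
    @"\ProgramData\Mcafee\VirusScan",
    @"\ProgramData\RogueKiller\logs",
    //SentinelOne
    @"\programdata\sentinel\logs",
    //Sophos
    @"\Documents and Settings\All Users\Application Data\Sophos",
    @"\ProgramData\Sophos\Sophos",
    @"\ProgramData\Sophos\Sophos File Scanner\Logs\",
    @"\ProgramData\Sophos\Sophos Device Control\logs\",
    @"\ProgramData\Sophos\Sophos Data Control\logs",
    @"\ProgramData\Sophos\Sophos Anti-Virus\logs",
    @"\ProgramData\Sophos\Sophos Tamper Protection\logs",
    @"\ProgramData\Sophos\Sophos Network Threat Protection\Logs",
    //Symantec
    @"\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV",
    @"\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine",
    //TotalAV
    @"\Program Files\TotalAV\logs",
    @"\Program Files (x86)\TotalAV\logs",
    @"\ProgramData\TotalAV\logs",
    //TrendMicro
    @"\ProgramData\Trend Micro",
    @"\Program Files\Trend Micro\Security Agent\Report",
    @"\Program Files (x86)\Trend Micro\Security Agent\Report",
    @"\Program Files\Trend Micro\Security Agent\ConnLog",
    @"\Program Files (x86)\Trend Micro\Security Agent\ConnLog",
    //VIPRE
    @"\ProgramData\VIPRE Business Agent\Logs",
    //Webroot
    @"\ProgramData\WRData\WRLog.log",
    //Defender
    @"\ProgramData\Microsoft\Microsoft AntiMalware\Support",
    @"\Windows\Temp\MpCmdRun.log",
    @"\Windows.old\Windows\Temp\MpCmdRun.log",
};

// Files collected from every Chromium profile directory listed in s_chromeProfileDirs.
private static readonly string[] s_chromiumArtifacts = { "History", "Cookies", "Bookmarks", "Extensions", "Shortcuts" };

// Chrome / Chrome SxS profile directories, relative to a user profile.
private static readonly string[] s_chromeProfileDirs =
{
    @"AppData\Local\Google\Chrome\User Data\Default",
    @"AppData\Local\Google\Chrome\User Data\Profile 1",
    @"AppData\Local\Google\Chrome\User Data\Profile 2",
    @"AppData\Roaming\Google\Chrome\User Data\Default",
    @"AppData\Roaming\Google\Chrome\User Data\Profile 1",
    @"AppData\Roaming\Google\Chrome\User Data\Profile 2",
    @"AppData\Local\Google\Chrome SxS\User Data\Default",
};

// Artefacts relative to a Vista+ user profile (\Users\<name> and \Windows.old\Users\<name>).
// Declared after the two Chrome tables above because the initializer reads them.
private static readonly string[] s_profileArtifacts = BuildProfileArtifacts();

// Artefacts relative to an XP/2003-style profile (\Documents and Settings\<name>).
private static readonly string[] s_legacyProfileArtifacts =
{
    @"NTUSER.DAT",
    @"NTUSER.DAT.LOG",
    @"NTUSER.DAT.LOG1",
    @"NTUSER.DAT.LOG2",
    @"Recent\",
    @"PrivacIE\",
    @"Local Settings\Application Data\Microsoft\Windows\UsrClass.dat",
    @"Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG",
    @"Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG1",
    @"Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG2",
    @"Local Settings\Application Data\Microsoft\Terminal Server Client\",
    @"Local Settings\History\History.IE5\",
    @"Local Settings\Microsoft\Windows\WebCache\",
    @"Local Settings\Microsoft\Windows\History\",
    @"Local Settings\Application Data\Google\Chrome\User Data\Default\History\",
    @"Application Data\Opera\",
    @"Application Data\Mozilla\Firefox\Profiles\",
    @"Application Data\TeamViewer\",
};

// Fixed Unix/macOS locations collected before the file-system scan adds matches.
private static readonly string[] s_unixSeedArtifacts =
{
    "/root/.bash_history", "/var/log", "/private/var/log/", "/.fseventsd",
    "/etc/hosts.allow", "/etc/hosts.deny", "/etc/hosts",
    "/System/Library/StartupItems", "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
    "/Library/LaunchAgents", "/Library/LaunchDaemons", "/Library/StartupItems",
    "/etc/passwd", "/etc/group", "/etc/rc.d",
};

// Substrings matched (ordinal, case-sensitive) against every path from the
// file-system listing: shell histories, Chrome profile files, Firefox databases.
private static readonly string[] s_unixPathFragments =
{
    ".bash_history",
    ".sh_history",
    "Support/Google/Chrome/Default/History",
    "Support/Google/Chrome/Default/Cookies",
    "Support/Google/Chrome/Default/Bookmarks",
    "Support/Google/Chrome/Default/Extensions",
    "Support/Google/Chrome/Default/Last",
    "Support/Google/Chrome/Default/Shortcuts",
    "Support/Google/Chrome/Default/Top",
    "Support/Google/Chrome/Default/Visited",
    "places.sqlite",
    "downloads.sqlite",
};

/// <summary>
/// Builds the list of file-system paths to collect. Paths supplied explicitly
/// (<paramref name="additionalPaths"/>, the -c collection file and
/// <c>arguments.CollectionFiles</c>) take precedence; when none are supplied the
/// built-in default artefact list for the current platform is returned instead.
/// </summary>
/// <param name="arguments">Parsed command line; <c>CollectionFilePath</c> and <c>CollectionFiles</c> are read.</param>
/// <param name="additionalPaths">Extra paths the caller wants collected; <c>null</c> is treated as empty.</param>
/// <param name="Usnjrnl">When true, the $UsnJrnl:$J stream of the selected drive is added to the defaults.</param>
/// <param name="AntiV">When true, the anti-virus log locations are added to the defaults (can be very large).</param>
/// <returns>The explicit paths when any were supplied, otherwise the platform default list.</returns>
/// <exception cref="ArgumentException">The -c collection file does not exist.</exception>
public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths, bool Usnjrnl, bool AntiV)
{
    var defaultPaths = Platform.IsUnixLike()
        ? BuildUnixDefaults()
        : BuildWindowsDefaults(Usnjrnl, AntiV);

    var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

    // "." is the sentinel for "no -c file given" (see the Arguments constructor).
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException("Collection file not found: " + arguments.CollectionFilePath, nameof(arguments));
        }
        paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath).Select(Environment.ExpandEnvironmentVariables));
    }

    if (arguments.CollectionFiles != null)
    {
        paths.AddRange(arguments.CollectionFiles);
    }

    // A single empty entry counts as "nothing explicit" and falls back to the defaults.
    if (paths.Count == 1 && paths[0] == "")
    {
        return defaultPaths;
    }
    return paths.Count > 0 ? paths : defaultPaths;
}

// Assembles the per-profile artefact table in the original order: registry hives and
// IE stores, then the generated Chrome entries, then the remaining applications.
private static string[] BuildProfileArtifacts()
{
    string[] hivesAndIe =
    {
        @"NTUSER.DAT",
        @"NTUSER.DAT.LOG1",
        @"NTUSER.DAT.LOG2",
        @"AppData\Local\Microsoft\Windows\UsrClass.dat",
        @"AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1",
        @"AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2",
        @"AppData\Local\Microsoft\Windows\WebCache",
        @"AppData\Local\Microsoft\Windows\History",
        @"AppData\Local\Microsoft\Windows\Cookies",
        @"AppData\Local\Microsoft\Windows\IEDownloadHistory",
        @"AppData\Local\Microsoft\Windows\INetCookies",
    };

    var chrome = s_chromeProfileDirs.SelectMany(dir => s_chromiumArtifacts.Select(file => dir + @"\" + file));

    string[] otherApps =
    {
        @"AppData\Local\ConnectedDevicesPlatform",
        @"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline",
        @"AppData\Roaming\Microsoft\Windows\Recent",
        @"AppData\Roaming\Microsoft\Office\Recent",
        @"AppData\Roaming\Opera",
        @"AppData\Local\Opera Software\Opera Stable",
        @"AppData\Roaming\Opera Software\Opera Stable",
        @"AppData\Local\Microsoft\Terminal Server Client\Cache",
        @"AppData\Roaming\Mozilla\Firefox\Profiles",
        @"AppData\Roaming\TeamViewer",
        @"AppData\Roaming\winscp.rnd",
        @"AppData\Roaming\winscp.ini",
        @"AppData\Local\Putty.rnd",
        @"AppData\Local\Microsoft\Edge\User Data",
        @"AppData\Local\Microsoft\Internet Explorer",
        @"AppData\Roaming\Microsoft\Internet Explorer",
        // The whole AnyDesk directory is taken (it holds ad.trace and Connection_trace.txt,
        // which the Windows.old table used to list individually) -- stores connecting IP
        // and file transfer activity.
        @"AppData\Roaming\AnyDesk",
        @"AppData\Roaming\FileZilla",
        @"AppData\Local\Microsoft\OneDrive\logs",
        @"AppData\Local\Microsoft\Windows\OneDrive\logs",
        @"Avast Software\Avast\Log",
        @"AppData\Local\F-Secure\Log",
        @"AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs",
        @"AppData\Roaming\SUPERAntiSpyware\Logs",
        @"AppData\Local\Symantec\Symantec Endpoint Protection\Logs",
        @"AppData\Roaming\VIPRE Business",
        @"AppData\Roaming\GFI Software\AntiMalware\Logs",
        @"AppData\Roaming\Sunbelt Software\AntiMalware\Logs",
        @"AppData\Local\temp\LogMeInLogs",
        @"AppData\Local\Mega Limited\MEGAsync\logs",
    };

    return hivesAndIe.Concat(chrome).Concat(otherApps).ToArray();
}

// Builds the Windows default list for Arguments.DriveLet: system artefacts (both
// \Windows and \Windows.old), optional USN journal and AV logs, then the NTFS
// metadata files and every discoverable user profile.
private static List<string> BuildWindowsDefaults(bool Usnjrnl, bool AntiV)
{
    string drive = Arguments.DriveLet;
    var result = new List<string>();

    foreach (var windowsDir in new[] { @"\Windows", @"\Windows.old" })
    {
        result.AddRange(s_windowsDirArtifacts.Select(artifact => $@"{drive}{windowsDir}\{artifact}"));
    }
    result.AddRange(s_driveRootArtifacts.Select(artifact => drive + artifact));

    if (Usnjrnl)
    {
        result.Add($@"{drive}\$Extend\$UsnJrnl:$J");
    }

    //AntiV switch is used to add antivirus paths to the collection list (WARNING: Collection may become very large!)
    if (AntiV)
    {
        result.AddRange(s_antivirusArtifacts.Select(artifact => drive + artifact));
    }

    // Expansion happens before the dynamically discovered entries are appended,
    // mirroring the original ordering.
    result = result.Select(Environment.ExpandEnvironmentVariables).ToList();

    AppendMasterFileTables(result, drive);

    //This section will attempt to collect files or folder locations under each users profile.
    //To add an artefact for every profile, append it to s_profileArtifacts (or s_legacyProfileArtifacts for XP/2003 layouts).
    AppendProfileArtifacts(result, drive + @"\Users\", s_profileArtifacts);
    AppendProfileArtifacts(result, drive + @"\Windows.old\Users\", s_profileArtifacts);
    AppendProfileArtifacts(result, drive + @"\Documents and Settings\", s_legacyProfileArtifacts);

    return result;
}

// Adds $MFT and $LogFile. With the default "C:" every ready, fixed NTFS volume is
// covered; use -dl with another drive letter to collect only that drive's files.
// Enumeration failures are reported on stderr and skipped per drive, so one
// unreadable volume no longer aborts the scan of the others.
private static void AppendMasterFileTables(List<string> target, string drive)
{
    //If -dl switch is used against something other than "C:", only the drive letter variable MFT will be collected.
    if (!string.Equals(drive, "C:", StringComparison.Ordinal))
    {
        target.Add($@"{drive}\$MFT");
        target.Add($@"{drive}\$LogFile");
        return;
    }

    DriveInfo[] allDrives;
    try
    {
        allDrives = DriveInfo.GetDrives();
    }
    catch (IOException ex)
    {
        Console.Error.WriteLine("Warning: could not enumerate drives: {0}", ex.Message);
        return;
    }
    catch (UnauthorizedAccessException ex)
    {
        Console.Error.WriteLine("Warning: could not enumerate drives: {0}", ex.Message);
        return;
    }

    foreach (DriveInfo d in allDrives)
    {
        try
        {
            // IsReady is checked first: DriveFormat throws on a volume that is not ready.
            if (d.IsReady
                && d.DriveType == DriveType.Fixed
                && string.Equals(d.DriveFormat, "NTFS", StringComparison.OrdinalIgnoreCase))
            {
                target.Add($@"{d.Name}$MFT");
                target.Add($@"{d.Name}$LogFile");
            }
        }
        catch (IOException ex)
        {
            Console.Error.WriteLine("Warning: skipping drive {0}: {1}", d.Name, ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine("Warning: skipping drive {0}: {1}", d.Name, ex.Message);
        }
    }
}

// Adds every entry of relativePaths under each sub-directory of profilesRoot (one
// per user profile). Best effort: a missing root is silently skipped and an
// unreadable one is reported on stderr, never fatal.
private static void AppendProfileArtifacts(List<string> target, string profilesRoot, IEnumerable<string> relativePaths)
{
    // The existence check must precede the enumeration; the original enumerated
    // first, so a missing root threw and the check never ran.
    if (!Directory.Exists(profilesRoot))
    {
        return;
    }

    string[] profiles;
    try
    {
        profiles = Directory.GetDirectories(profilesRoot);
    }
    catch (IOException ex)
    {
        Console.Error.WriteLine("Warning: could not enumerate {0}: {1}", profilesRoot, ex.Message);
        return;
    }
    catch (UnauthorizedAccessException ex)
    {
        Console.Error.WriteLine("Warning: could not enumerate {0}: {1}", profilesRoot, ex.Message);
        return;
    }

    foreach (var profile in profiles)
    {
        foreach (var relative in relativePaths)
        {
            target.Add($@"{profile}\{relative}");
        }
    }
}

// Builds the Unix/macOS default list: the fixed seed entries plus every path from a
// full file-system listing that matches one of the artefact patterns.
// tempPaths and AllFiles are assigned but not declared here, so they appear to be
// class-level fields that other code reads -- they are kept populated (confirm).
private static List<string> BuildUnixDefaults()
{
    tempPaths = new List<string>(s_unixSeedArtifacts);

    // Full listing of the file system; "find / -print" walks every mount, so this can be slow.
    AllFiles = new List<string>();
    AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

    // Find all *.plist files. The previous filter searched for the literal text
    // "*.plist", which no real path contains, so nothing was ever matched.
    tempPaths.AddRange(AllFiles.Where(path => path.EndsWith(".plist", StringComparison.Ordinal)));

    // Shell histories, Chrome and Firefox profile files.
    foreach (var fragment in s_unixPathFragments)
    {
        tempPaths.AddRange(AllFiles.Where(path => path.Contains(fragment)));
    }

    // Fix any spaces to work with MacOS naming conventions.
    // NOTE(review): both Replace arguments are a plain space in this listing, which
    // makes the call a no-op; the original may have escaped the space -- confirm.
    return tempPaths.ConvertAll(path => path.Replace(" ", " "));
}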
/// <summary>
/// Returns the paths to collect: the explicitly requested ones when any were given
/// (<paramref name="additionalPaths"/>, the -c collection file, <c>arguments.CollectionFiles</c>),
/// otherwise a built-in per-platform default list.
/// </summary>
/// <param name="arguments">Parsed command line; <c>CollectionFilePath</c> and <c>CollectionFiles</c> are read.</param>
/// <param name="additionalPaths">Extra paths requested by the caller.</param>
/// <returns>The explicit paths, or the default list when none were supplied.</returns>
/// <exception cref="ArgumentException">The -c collection file does not exist.</exception>
public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths)
{
    List<string> fallback;
    if (Platform.IsUnixLike())
    {
        fallback = new List<string>
        {
            "/root/.bash_history", "/var/log", "/private/var/log/", "/.fseventsd",
            "/etc/hosts.allow", "/etc/hosts.deny", "/etc/hosts",
            "/System/Library/StartupItems", "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
            "/Library/LaunchAgents", "/Library/LaunchDaemons", "/Library/StartupItems",
            "/etc/passwd", "/etc/group"
        };
        // Locate every plist and shell-history file on the file system; one find per pattern.
        string[] findQueries =
        {
            "/ -name \"*.plist\" -print",
            "/ -name \".bash_history\" -print",
            "/ -name \".sh_history\" -print",
        };
        foreach (var query in findQueries)
        {
            fallback.AddRange(RunCommand("/usr/bin/find", query));
        }
    }
    else
    {
        // Windows defaults are written with environment variables and expanded here.
        string[] windowsDefaults =
        {
            @"%SYSTEMROOT%\System32\drivers\etc\hosts",
            @"%SYSTEMROOT%\SchedLgU.Txt",
            @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
            @"%SYSTEMROOT%\System32\config",
            @"%SYSTEMROOT%\System32\winevt\logs",
            @"%SYSTEMROOT%\Prefetch",
            @"%SYSTEMROOT%\Tasks",
            @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
            @"%SystemDrive%\$MFT",
        };
        fallback = windowsDefaults.Select(Environment.ExpandEnvironmentVariables).ToList();
    }

    var selected = new List<string>(additionalPaths);

    // "." is the sentinel for "no -c file given".
    if (arguments.CollectionFilePath != ".")
    {
        if (!File.Exists(arguments.CollectionFilePath))
        {
            Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
            Console.WriteLine("Exiting");
            throw new ArgumentException();
        }
        var listed = File.ReadAllLines(arguments.CollectionFilePath);
        selected.AddRange(listed.Select(Environment.ExpandEnvironmentVariables));
    }

    if (arguments.CollectionFiles != null)
    {
        selected.AddRange(arguments.CollectionFiles);
    }

    return selected.Count > 0 ? selected : fallback;
}