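        /// <summary>
        /// Builds the list of filesystem paths to collect.
        /// </summary>
        /// <remarks>
        /// Caller-supplied paths (<paramref name="additionalPaths"/>), the entries of the
        /// collection file named by <c>arguments.CollectionFilePath</c> and
        /// <c>arguments.CollectionFiles</c> are combined, in that order. The built-in
        /// defaults are used only when that combined list is empty.
        /// Collection-file entries have %VAR% tokens expanded and blank lines skipped,
        /// so a blank line no longer turns into an empty collection target. The collection
        /// file is trusted input: whoever can edit it decides what gets collected.
        /// </remarks>
        /// <param name="arguments">Parsed command line options.</param>
        /// <param name="additionalPaths">Extra paths from the caller; copied, never mutated. May be null.</param>
        /// <returns>The paths to collect; never null.</returns>
        /// <exception cref="ArgumentException">
        /// The collection file named by <c>arguments.CollectionFilePath</c> does not exist.
        /// </exception>
        public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths)
        {
            // "." is the sentinel meaning "no collection file was given".
            const string NoCollectionFile = ".";

            var paths = new List <string>(additionalPaths ?? Enumerable.Empty <string>());

            if (arguments.CollectionFilePath != NoCollectionFile)
            {
                if (!File.Exists(arguments.CollectionFilePath))
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException("Could not find file: " + arguments.CollectionFilePath);
                }

                // Expand %VAR% tokens per line; drop blank lines so they cannot
                // become an empty collection target.
                paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
                                   .Where(line => !string.IsNullOrWhiteSpace(line))
                                   .Select(Environment.ExpandEnvironmentVariables));
            }

            if (arguments.CollectionFiles != null)
            {
                paths.AddRange(arguments.CollectionFiles);
            }

            if (paths.Count > 0)
            {
                return paths;
            }

            // Nothing was supplied: fall back to the platform defaults. They are built
            // only when needed, so the Windows list is not expanded on Unix hosts.
            if (Platform.IsUnixLike())
            {
                return new List <string>
                {
                    "/root/.bash_history",
                    "/var/log"   // was "/var/logs", which is not a standard location
                };
            }

            var windowsDefaults = new List <string>
            {
                @"%SYSTEMROOT%\System32\drivers\etc\hosts",
                @"%SYSTEMROOT%\SchedLgU.Txt",
                @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                @"%SYSTEMROOT%\System32\config",
                @"%SYSTEMROOT%\System32\winevt\logs",
                @"%SYSTEMROOT%\Prefetch",
                @"%SYSTEMROOT%\Tasks",
                @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
                @"%SystemDrive%\$MFT"
            };

            return windowsDefaults.Select(Environment.ExpandEnvironmentVariables).ToList();
        }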
        /// <summary>
        /// Parses the raw command line into typed options.
        /// </summary>
        /// <remarks>
        /// When a help flag is present no other option is inspected, so help never
        /// collides with a validation failure. SFTP upload is switched on when any of
        /// -u/-p/-s is given and then requires all three; a dry run switches it off again.
        /// Note that -p places the SFTP password on the command line, where it is visible
        /// in process listings and shell history on the host being collected.
        /// Flags that are absent leave their property at its default value.
        /// </remarks>
        /// <param name="args">Raw process arguments.</param>
        /// <exception cref="ArgumentException">
        /// Only some of -u, -p and -s were supplied.
        /// </exception>
        public Arguments(string[] args)
        {
            HelpRequested = args.HasArgument("--help", "-h", "/?");
            HelpTopic     = HelpRequested ? args.GetArgumentParameter(false, "--help", "-h", "/?") : string.Empty;

            if (HelpRequested)
            {
                // Help short-circuits all further parsing.
                return;
            }

            // Assign a flag's value only when the flag is present, so absent flags
            // keep whatever default the property already has.
            Action <string, Action <string> > assignIfPresent = (flag, assign) =>
            {
                if (args.HasArgument(flag))
                {
                    assign(args.GetArgumentParameter(true, flag));
                }
            };

            assignIfPresent("-o", value => OutputPath = value);
            assignIfPresent("-u", value => UserName = value);
            assignIfPresent("-p", value => UserPassword = value);
            assignIfPresent("-s", value => SFTPServer = value);

            // SFTP is all-or-nothing: any of the three enables it, fewer than three is an error.
            var sftpSettings = new[] { UserName, UserPassword, SFTPServer };
            int suppliedCount = sftpSettings.Count(setting => !string.IsNullOrEmpty(setting));
            UseSftp = suppliedCount > 0;
            if (UseSftp && suppliedCount < sftpSettings.Length)
            {
                throw new ArgumentException("The flags -u, -p, and -s must all have values to continue.  Please try again.");
            }

            assignIfPresent("-c", value => CollectionFilePath = value);

            DryRun = args.HasArgument("--dry-run");
            if (DryRun)
            {
                // A dry run never uploads, whatever SFTP settings were given.
                UseSftp = false;
            }

            ForceNative = args.HasArgument("--force-native") || Platform.IsUnixLike();
        }
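        /// <summary>
        /// Builds the list of paths to collect: the entries of the collection file
        /// named by <c>arguments.CollectionFilePath</c> when one was given, otherwise
        /// the built-in platform defaults.
        /// </summary>
        /// <remarks>
        /// Windows defaults are resolved through %SYSTEMROOT%, %PROGRAMDATA% and
        /// %SystemDrive% instead of assuming <c>C:\Windows</c>; this also corrects the
        /// Startup folder, which lives under ProgramData, not under the Windows directory.
        /// The collection file is trusted input: blank lines are skipped and every other
        /// line is collected as written after environment variable expansion.
        /// </remarks>
        /// <param name="arguments">Parsed command line options.</param>
        /// <returns>The paths to collect; never null. Empty if the collection file holds no entries.</returns>
        /// <exception cref="ArgumentException">
        /// The collection file named by <c>arguments.CollectionFilePath</c> does not exist.
        /// </exception>
        public static List <string> GetPaths(Arguments arguments)
        {
            // "." is the sentinel meaning "no collection file was given".
            if (arguments.CollectionFilePath != ".")
            {
                if (!File.Exists(arguments.CollectionFilePath))
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException("Could not find file: " + arguments.CollectionFilePath);
                }

                // A collection file replaces the defaults entirely.
                return File.ReadAllLines(arguments.CollectionFilePath)
                           .Where(line => !string.IsNullOrWhiteSpace(line))
                           .Select(Environment.ExpandEnvironmentVariables)
                           .ToList();
            }

            if (Platform.IsUnixLike())
            {
                return new List <string>
                {
                    "/root/.bash_history",
                    "/var/log"   // was "/var/logs", which is not a standard location
                };
            }

            var windowsDefaults = new List <string>
            {
                @"%SYSTEMROOT%\System32\config",
                @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                @"%SYSTEMROOT%\Prefetch",
                @"%SYSTEMROOT%\Tasks",
                @"%SYSTEMROOT%\SchedLgU.Txt",
                @"%SYSTEMROOT%\System32\winevt\logs",
                @"%SYSTEMROOT%\System32\drivers\etc\hosts",
                @"%SystemDrive%\$MFT"
            };

            return windowsDefaults.Select(Environment.ExpandEnvironmentVariables).ToList();
        }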
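        /// <summary>
        /// Builds the list of paths to collect, combining caller-supplied paths, the
        /// collection file and command line files, and falling back to the platform
        /// defaults when nothing usable was supplied.
        /// </summary>
        /// <remarks>
        /// On Unix-like hosts the defaults are discovered by running
        /// <c>/usr/bin/find / -print</c> and filtering its output; that walks every
        /// mounted filesystem and can be slow on large or network-mounted volumes.
        /// Collection-file entries have %VAR% tokens expanded, so the file is trusted
        /// input. Blank or whitespace-only entries from any source are discarded before
        /// deciding whether to fall back to the defaults, so a bare <c>""</c> from the
        /// caller selects the defaults.
        /// </remarks>
        /// <param name="arguments">Parsed command line options.</param>
        /// <param name="additionalPaths">Extra paths from the caller; copied, never mutated. May be null.</param>
        /// <returns>The paths to collect; never null.</returns>
        /// <exception cref="ArgumentException">
        /// The collection file named by <c>arguments.CollectionFilePath</c> does not exist.
        /// </exception>
        public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths)
        {
            List <string> defaultPaths;

            if (Platform.IsUnixLike())
            {
                // tempPaths and AllFiles are not declared in this method; presumably
                // class-level fields, so they are assigned here as before — confirm.
                tempPaths = new List <string>
                {
                    "/root/.bash_history",
                    "/var/log",
                    "/private/var/log/",
                    "/.fseventsd",
                    "/etc/hosts.allow",
                    "/etc/hosts.deny",
                    "/etc/hosts",
                    "/System/Library/StartupItems",
                    "/System/Library/LaunchAgents",
                    "/System/Library/LaunchDaemons",
                    "/Library/LaunchAgents",
                    "/Library/LaunchDaemons",
                    "/Library/StartupItems",
                    "/etc/passwd",
                    "/etc/group"
                };

                // Full filesystem listing used to locate per-user artifacts.
                AllFiles = new List <string>();
                AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

                // Property lists: match on the extension. The earlier check looked for
                // the literal text "*.plist", which no real path contains, so no plist
                // was ever selected.
                tempPaths.AddRange(AllFiles.Where(path => path.EndsWith(".plist", StringComparison.Ordinal)));

                // Shell histories, Chrome profile artifacts and Firefox databases are
                // identified by a substring of the path. The marker order is the
                // original one so the resulting collection order is unchanged.
                string[] pathMarkers =
                {
                    ".bash_history",
                    ".sh_history",
                    "Support/Google/Chrome/Default/History",
                    "Support/Google/Chrome/Default/Cookies",
                    "Support/Google/Chrome/Default/Bookmarks",
                    "Support/Google/Chrome/Default/Extensions",
                    "Support/Google/Chrome/Default/Last",
                    "Support/Google/Chrome/Default/Shortcuts",
                    "Support/Google/Chrome/Default/Top",
                    "Support/Google/Chrome/Default/Visited",
                    "places.sqlite",
                    "downloads.sqlite"
                };
                foreach (var marker in pathMarkers)
                {
                    tempPaths.AddRange(AllFiles.Where(path => path.Contains(marker)));
                }

                // The former Replace(" ", " ") here was a no-op and has been dropped;
                // paths are kept verbatim. If some consumer needs shell-escaped spaces it
                // must escape them itself — TODO confirm nothing relied on this step.
                defaultPaths = new List <string>(tempPaths);
            }
            else
            {
                var windowsDefaults = new List <string>
                {
                    @"%SYSTEMROOT%\System32\drivers\etc\hosts",
                    @"%SYSTEMROOT%\SchedLgU.Txt",
                    @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                    @"%SYSTEMROOT%\System32\config",
                    @"%SYSTEMROOT%\System32\winevt\logs",
                    @"%SYSTEMROOT%\Prefetch",
                    @"%SYSTEMROOT%\Tasks",
                    @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
                    @"%SystemDrive%\$MFT"
                };
                defaultPaths = windowsDefaults.Select(Environment.ExpandEnvironmentVariables).ToList();
            }

            var paths = new List <string>(additionalPaths ?? Enumerable.Empty <string>());

            // "." is the sentinel meaning "no collection file was given".
            if (arguments.CollectionFilePath != ".")
            {
                if (!File.Exists(arguments.CollectionFilePath))
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException("Could not find file: " + arguments.CollectionFilePath);
                }

                paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
                                   .Select(Environment.ExpandEnvironmentVariables));
            }

            if (arguments.CollectionFiles != null)
            {
                paths.AddRange(arguments.CollectionFiles);
            }

            // Drop empty entries (e.g. a bare "" from the caller or a blank line in the
            // collection file) before deciding whether anything usable was supplied.
            // This replaces the earlier special case for a single empty entry.
            paths.RemoveAll(string.IsNullOrWhiteSpace);

            return paths.Count > 0 ? paths : defaultPaths;
        }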
        /// <summary>
        /// Method used to apply default and user specified patterns to files
        /// identified on the system.
        ///
        /// Static paths and glob patterns are matched case-insensitively; regex patterns
        /// are matched exactly as written (no IgnoreCase option is applied to them).
        /// </summary>
        /// <param name="arguments">User arguments provided at execution.</param>
        /// <param name="additionalPaths">Additional collection targets from the command line.</param>
        /// <param name="Usnjrnl">Whether or not to collect the $J.</param>
        /// <param name="logger">A logging object.</param>
        /// <returns>
        /// List of distinct files to attempt collection of from a system.
        /// This list is filtered by the default and custom patterns.
        /// </returns>
        public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths, bool Usnjrnl, Logger logger)
        {
            // Init with additional paths provided as a parameter
            // Only supports static paths.
            var staticPaths = new List <string>(additionalPaths);

            // Init vars for glob, regex, and paths to collect
            var globPaths       = new List <Glob>();
            var regexPaths      = new List <Regex>();
            var collectionPaths = new List <string>();

            // Enable case insensitivity
            GlobOptions.Default.Evaluation.CaseInsensitive = true;
            bool staticCaseInsensitive = true;

            // Init base paths to scan for files and folders
            var basePaths = new List <string>();

            // Get listing of drives to scan based on platform
            if (Platform.IsUnixLike())
            {
                basePaths.Add("/");  // Scan the entire root.
            }
            else
            {
                logger.debug("Enumerating volumes on system");
                DriveInfo[] allDrives = DriveInfo.GetDrives();
                foreach (DriveInfo d in allDrives)
                {
                    basePaths.Add(d.Name.ToString());
                }
                logger.debug(String.Format("Identified volumes: {0}", String.Join(", ", basePaths)));
            }


            // Load information from the CollectionFilePath if present and availble
            if (arguments.CollectionFilePath != ".")
            {
                if (File.Exists(arguments.CollectionFilePath))
                {
                    logger.debug("Extracting patterns from custom path file");
                    using (StreamReader sr = new StreamReader(arguments.CollectionFilePath)){
                        string line;
                        while ((line = sr.ReadLine()) != null)
                        {
                            // Skip lines starting with comment
                            if (line.StartsWith("#"))
                            {
                                continue;
                            }

                            // Skip blank lines
                            if (line.Length == 0)
                            {
                                continue;
                            }

                            // Skip paths without tab separator and report to user
                            if (!line.Contains("\t"))
                            {
                                logger.warn(String.Format("Excluding invalid path format \"{0}\"", line));
                                continue;
                            }

                            // Split into config components. Requires a definition and path, delimited by a tab
                            string[] pathParts = line.Split('\t');

                            var pathDef  = pathParts[0].ToLower();
                            var pathData = Environment.ExpandEnvironmentVariables(pathParts[1]);

                            // Append the path to the proper list based on the definition
                            switch (pathDef)
                            {
                            case "static":
                                staticPaths.Add(pathData);
                                break;

                            case "glob":
                                globPaths.Add(Glob.Parse(pathData));
                                break;

                            case "regex":
                                regexPaths.Add(new Regex(pathData));
                                break;

                            case "force":
                                collectionPaths.Add(pathData);
                                break;

                            default:
                                logger.warn(String.Format("Excluding invalid path format \"{0}\"", line));
                                break;
                            }
                        }
                    }
                }
                // Handle conditions where the file is not present.
                else
                {
                    logger.error(String.Format("Error: Could not find file: {0}", arguments.CollectionFilePath));
                    logger.error("Exiting");
                    logger.TearDown();
                    throw new ArgumentException();
                }
            }

            // Load information provided at the command line as additional paths
            if (arguments.CollectionFiles != null)
            {
                logger.debug("Adding command line specified files");
                staticPaths.AddRange(arguments.CollectionFiles);
            }

            bool hasMacOSFolders = (Directory.Exists("/private") &&
                                    Directory.Exists("/Applications") &&
                                    Directory.Exists("/Users"));

            if (arguments.CollectionFilePath == "." || arguments.CollectDefaults)
            {
                logger.debug("Enumerating patterns for default artifact collection");
                //This section will attempt to collect files or folder locations under each users profile by pulling their ProfilePath from the registry and adding it in front.
                //Add "defaultPaths.Add($@"{user.ProfilePath}" without the quotes in front of the file / path to be collected in each users profile.
                if (!Platform.IsUnixLike())
                {
                    logger.info("Windows platform detected");
                    // Define default paths
                    string systemRoot  = Environment.ExpandEnvironmentVariables("%SYSTEMROOT%");
                    string programData = Environment.ExpandEnvironmentVariables("%PROGRAMDATA%");
                    string systemDrive = Environment.ExpandEnvironmentVariables("%SystemDrive%");
                    globPaths.Add(Glob.Parse(systemRoot + @"\Tasks\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\Prefetch\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\System32\sru\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\System32\winevt\Logs\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\System32\Tasks\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\System32\LogFiles\W3SVC1\**"));
                    globPaths.Add(Glob.Parse(systemRoot + @"\Appcompat\Programs\**"));
                    globPaths.Add(Glob.Parse(programData + @"\Microsoft\Windows\Start Menu\Programs\Startup\**"));
                    globPaths.Add(Glob.Parse(systemDrive + @"\$Recycle.Bin\**\$I*"));
                    globPaths.Add(Glob.Parse(systemDrive + @"\$Recycle.Bin\$I*"));

                    staticPaths.Add(@"%SYSTEMROOT%\SchedLgU.Txt");
                    staticPaths.Add(@"%SYSTEMROOT%\inf\setupapi.dev.log");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\drivers\etc\hosts");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM.LOG1");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM.LOG1");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE.LOG1");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY.LOG1");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SAM.LOG2");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SYSTEM.LOG2");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SOFTWARE.LOG2");
                    staticPaths.Add(@"%SYSTEMROOT%\System32\config\SECURITY.LOG2");


                    // Send static filesystem artifacts to collectionPaths directly
                    collectionPaths.Add(@"%SystemDrive%\$LogFile");
                    collectionPaths.Add(@"%SystemDrive%\$MFT");
                    // Add USN if enabled
                    if (Usnjrnl)
                    {
                        collectionPaths.Add(@"%SystemDrive%\$Extend\$UsnJrnl:$J");
                    }

                    // Expand envars for all staticPaths.
                    staticPaths     = staticPaths.Select(Environment.ExpandEnvironmentVariables).ToList();
                    collectionPaths = collectionPaths.Select(Environment.ExpandEnvironmentVariables).ToList();

                    // Add user specific paths to static list.
                    var users = FindUsers();
                    foreach (var user in users)
                    {
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\**"));
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\WebCache\**"));
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**"));
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Roaming\Mozilla\Firefox\Profiles\**"));
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\ConnectedDevicesPlatform\**"));
                        globPaths.Add(Glob.Parse($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\Explorer\**"));

                        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT");
                        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG1");
                        staticPaths.Add($@"{user.ProfilePath}\NTUSER.DAT.LOG2");
                        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat");
                        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
                        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
                        staticPaths.Add($@"{user.ProfilePath}\AppData\Local\Google\Chrome\User Data\Default\History");
                        staticPaths.Add($@"{user.ProfilePath}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt");
                    }
                }
                // Handle macOS platforms
                else if (Platform.IsUnixLike() && hasMacOSFolders)
                {
                    logger.info("macOS platform detected");
                    // Define default paths to collect
                    var defaultPaths = new List <string>
                    {
                        "/etc/hosts.allow",
                        "/etc/hosts.deny",
                        "/etc/hosts",
                        "/private/etc/hosts.allow",
                        "/private/etc/hosts.deny",
                        "/private/etc/hosts",
                        "/etc/passwd",
                        "/etc/group",
                        "/private/etc/passwd",
                        "/private/etc/group",
                    };
                    staticPaths.AddRange(defaultPaths);

                    // Expand envars for all staticPaths.
                    staticPaths = staticPaths.Select(Environment.ExpandEnvironmentVariables).ToList();


                    var defaultGlobs = new List <Glob> {
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/History*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Cookies*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Bookmarks*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Extensions/**"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Last*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Shortcuts*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Top*"),
                        Glob.Parse("**/Library/*Support/Google/Chrome/Default/Visited*"),
                        Glob.Parse("**/places.sqlite*"),
                        Glob.Parse("**/downloads.sqlite*"),
                        Glob.Parse("**/*.plist"),
                        Glob.Parse("/Users/*/.*history"),
                        Glob.Parse("/root/.*history"),
                        Glob.Parse("/System/Library/StartupItems/**"),
                        Glob.Parse("/System/Library/LaunchAgents/**"),
                        Glob.Parse("/System/Library/LaunchDaemons/**"),
                        Glob.Parse("/Library/LaunchAgents/**"),
                        Glob.Parse("/Library/LaunchDaemons/**"),
                        Glob.Parse("/Library/StartupItems/**"),
                        Glob.Parse("/var/log/**"),
                        Glob.Parse("/private/var/log/**"),
                        Glob.Parse("/private/etc/rc.d/**"),
                        Glob.Parse("/etc/rc.d/**"),
                        Glob.Parse("/.fseventsd/**")
                    };
                    globPaths.AddRange(defaultGlobs);
                }
                // Handle Linux platforms
                else if (Platform.IsUnixLike())
                {
                    logger.info("Linux platform detected");

                    // Define default paths to collect
                    var defaultPaths = new List <string>
                    {
                        // Super user
                        "/root/.ssh/config",
                        "/root/.ssh/known_hosts",
                        "/root/.ssh/authorized_keys",
                        "/root/.selected_editor",
                        "/root/.viminfo",
                        "/root/.lesshist",
                        "/root/.profile",
                        "/root/.selected_editor",

                        // Boot
                        "/boot/grub/grub.cfg",
                        "/boot/grub2/grub.cfg",

                        // Sys
                        "/sys/firmware/acpi/tables/DSDT",

                        //etc
                        "/etc/hosts.allow",
                        "/etc/hosts.deny",
                        "/etc/hosts",
                        "/etc/passwd",
                        "/etc/group",
                        "/etc/crontab",
                        "/etc/cron.allow",
                        "/etc/cron.deny",
                        "/etc/anacrontab",
                        "/var/spool/anacron/cron.daily",
                        "/var/spool/anacron/cron.hourly",
                        "/var/spool/anacron/cron.weekly",
                        "/var/spool/anacron/cron.monthly",
                        "/etc/apt/sources.list",
                        "/etc/apt/trusted.gpg",
                        "/etc/apt/trustdb.gpg",
                        "/etc/resolv.conf",
                        "/etc/fstab",
                        "/etc/issues",
                        "/etc/issues.net",
                        "/etc/insserv.conf",
                        "/etc/localtime",
                        "/etc/timezone",
                        "/etc/pam.conf",
                        "/etc/rsyslog.conf",
                        "/etc/xinetd.conf",
                        "/etc/netgroup",
                        "/etc/nsswitch.conf",
                        "/etc/ntp.conf",
                        "/etc/yum.conf",
                        "/etc/chrony.conf",
                        "/etc/chrony",
                        "/etc/sudoers",
                        "/etc/logrotate.conf",
                        "/etc/environment",
                        "/etc/hostname",
                        "/etc/host.conf",
                        "/etc/fstab",
                        "/etc/machine-id",
                        "/etc/screen-rc",
                    };
                    staticPaths.AddRange(defaultPaths);

                    // Expand envars for all staticPaths.
                    staticPaths = staticPaths.Select(Environment.ExpandEnvironmentVariables).ToList();

                    var defaultGlobs = new List <Glob> {
                        // User profiles
                        Glob.Parse("/home/*/.*history"),
                        Glob.Parse("/home/*/.ssh/known_hosts"),
                        Glob.Parse("/home/*/.ssh/config"),
                        Glob.Parse("/home/*/.ssh/autorized_keys"),
                        Glob.Parse("/home/*/.viminfo"),
                        Glob.Parse("/home/*/.profile"),
                        Glob.Parse("/home/*/.*rc"),
                        Glob.Parse("/home/*/.*_logout"),
                        Glob.Parse("/home/*/.selected_editor"),
                        Glob.Parse("/home/*/.wget-hsts"),
                        Glob.Parse("/home/*/.gitconfig"),

                        // Firefox artifacts
                        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.sqlite*"),
                        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.json"),
                        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.txt"),
                        Glob.Parse("/home/*/.mozilla/firefox/*.default*/**/*.db*"),

                        // Chrome artifacts
                        Glob.Parse("/home/*/.config/google-chrome/Default/History*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Cookies*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Bookmarks*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Extensions/**"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Last*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Shortcuts*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Top*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Visited*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Preferences*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Login Data*"),
                        Glob.Parse("/home/*/.config/google-chrome/Default/Web Data*"),

                        // Superuser profiles
                        Glob.Parse("/root/.*history"),
                        Glob.Parse("/root/.*rc"),
                        Glob.Parse("/root/.*_logout"),

                        // var
                        Glob.Parse("/var/log/**"),
                        Glob.Parse("/var/spool/at/**"),
                        Glob.Parse("/var/spool/cron/**"),

                        // etc
                        Glob.Parse("/etc/rc.d/**"),
                        Glob.Parse("/etc/cron.daily/**"),
                        Glob.Parse("/etc/cron.hourly/**"),
                        Glob.Parse("/etc/cron.weekly/**"),
                        Glob.Parse("/etc/cron.monthly/**"),
                        Glob.Parse("/etc/modprobe.d/**"),
                        Glob.Parse("/etc/modprobe-load.d/**"),
                        Glob.Parse("/etc/*-release"),
                        Glob.Parse("/etc/pam.d/**"),
                        Glob.Parse("/etc/rsyslog.d/**"),
                        Glob.Parse("/etc/yum.repos.d/**"),
                        Glob.Parse("/etc/init.d/**"),
                        Glob.Parse("/etc/systemd.d/**"),
                        Glob.Parse("/etc/default/**"),
                    };
                    globPaths.AddRange(defaultGlobs);
                }
                else
                {
                    logger.error("Unsupported platform");
                    logger.TearDown();
                    throw new Exception();
                }
            }

            // Perform case operations
            if (staticCaseInsensitive)
            {
                staticPaths = staticPaths.Select(x => x.ToLower()).ToList();
            }


            // Get file system listing to populate collection paths
            logger.debug("Enumerating file systems and matching patterns");
            var num_paths_scanned = 0;

            foreach (var basePath in basePaths)
            {
                logger.debug(String.Format("Enumerating volume: {0}", basePath));
                foreach (var entry in WalkTree(basePath, logger))
                {
                    num_paths_scanned++;
                    // Convert to string for ease of comparison
                    var    entryStr    = entry.ToString();
                    string staticEntry = entryStr;

                    if (staticCaseInsensitive)
                    {
                        staticEntry = entryStr.ToLower();
                    }

                    // If found in the staticPaths list, add to the collection
                    if (staticPaths.Contains(staticEntry))
                    {
                        collectionPaths.Add(entryStr);
                        continue;
                    }

                    // If not found in the static list, evaluate glob first
                    // as it is more efficient than regex
                    bool globFound = false;
                    foreach (var globPattern in globPaths)
                    {
                        try
                        {
                            globFound = globPattern.IsMatch(entryStr);
                        }
                        catch (System.Exception)
                        {
                            logger.error("Unknown globbing error encountered. Please report.");
                            throw;
                        }
                        if (globFound)
                        {
                            collectionPaths.Add(entryStr);
                            break;
                        }
                    }

                    if (globFound)
                    {
                        continue;
                    }

                    // Lastly evaluate regex
                    bool regexFound = false;
                    foreach (var regexPattern in regexPaths)
                    {
                        try
                        {
                            regexFound = regexPattern.IsMatch(entryStr);
                        }
                        catch (System.Exception)
                        {
                            logger.error("Unknown regex error encountered. Please report.");
                            throw;
                        }
                        if (regexFound)
                        {
                            collectionPaths.Add(entryStr);
                            break;
                        }
                    }

                    if (regexFound)
                    {
                        continue;
                    }
                }
            }


            // Remove empty strings from custom paths
            if (collectionPaths.Any())
            {
                collectionPaths.RemoveAll(x => string.IsNullOrEmpty(x));
            }
            logger.info(String.Format("Scanned {0} paths", num_paths_scanned));
            logger.info(String.Format("Found {0} paths to collect", collectionPaths.Count));

            // Return paths to collect
            return(collectionPaths);
        }
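        /// <summary>
        /// Builds the list of paths to collect. Explicitly supplied paths
        /// (<paramref name="additionalPaths"/>, the lines of the collection file named by
        /// arguments.CollectionFilePath, and arguments.CollectionFiles) win; the built-in
        /// per-platform defaults are returned only when nothing explicit was given.
        /// </summary>
        /// <param name="arguments">Parsed command line. Only CollectionFilePath and CollectionFiles are read.</param>
        /// <param name="additionalPaths">Paths the caller already chose; copied, never mutated. May be null.</param>
        /// <returns>
        /// The non-blank explicit paths when at least one was supplied, otherwise the platform default list.
        /// </returns>
        /// <exception cref="ArgumentException">
        /// CollectionFilePath is something other than "." but no file exists at that location.
        /// </exception>
        public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths)
        {
            // Defaults are only needed when nothing explicit was supplied, but the Unix
            // branch also populates the AllFiles/tempPaths fields as a side effect, so
            // they are built unconditionally to keep that behaviour.
            var defaultPaths = Platform.IsUnixLike()
                ? BuildUnixDefaultPaths()
                : BuildWindowsDefaultPaths();

            var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

            // "." is the sentinel meaning "no collection file was given".
            if (arguments.CollectionFilePath != ".")
            {
                if (!File.Exists(arguments.CollectionFilePath))
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException(
                        $"Collection file not found: {arguments.CollectionFilePath}",
                        nameof(arguments));
                }

                // One path per line; %VAR% references are expanded the same way the defaults are.
                paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
                                   .Select(Environment.ExpandEnvironmentVariables));
            }

            if (arguments.CollectionFiles != null)
            {
                paths.AddRange(arguments.CollectionFiles);
            }

            // Blank entries (a trailing empty line in the collection file, an empty
            // command-line value) are not paths; drop them before deciding whether any
            // explicit path was given at all. This subsumes the old special case of a
            // single empty string meaning "use the defaults".
            paths.RemoveAll(string.IsNullOrWhiteSpace);

            return paths.Count > 0 ? paths : defaultPaths;
        }

        /// <summary>
        /// Windows default collection set: system artefacts (task scheduler, prefetch,
        /// event logs, registry hives and their transaction logs, NTFS metadata files)
        /// plus a fixed set of artefacts under every user profile returned by FindUsers().
        /// </summary>
        /// <returns>Environment-expanded, case-insensitively de-duplicated paths.</returns>
        private static List<string> BuildWindowsDefaultPaths()
        {
            var defaultPaths = new List<string>
            {
                @"%SYSTEMROOT%\SchedLgU.Txt",
                @"%SYSTEMROOT%\Tasks",
                @"%SYSTEMROOT%\Prefetch",
                @"%SYSTEMROOT%\inf\setupapi.dev.log",
                @"%SYSTEMROOT%\Appcompat\Programs",
                @"%SYSTEMROOT%\System32\drivers\etc\hosts",
                @"%SYSTEMROOT%\System32\sru",
                @"%SYSTEMROOT%\System32\winevt\logs",
                @"%SYSTEMROOT%\System32\Tasks",
                @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
                @"%SYSTEMROOT%\System32\config\SAM",
                @"%SYSTEMROOT%\System32\config\SYSTEM",
                @"%SYSTEMROOT%\System32\config\SOFTWARE",
                @"%SYSTEMROOT%\System32\config\SECURITY",
                @"%SYSTEMROOT%\System32\config\SAM.LOG1",
                @"%SYSTEMROOT%\System32\config\SYSTEM.LOG1",
                @"%SYSTEMROOT%\System32\config\SOFTWARE.LOG1",
                @"%SYSTEMROOT%\System32\config\SECURITY.LOG1",
                @"%SYSTEMROOT%\System32\config\SAM.LOG2",
                @"%SYSTEMROOT%\System32\config\SYSTEM.LOG2",
                @"%SYSTEMROOT%\System32\config\SOFTWARE.LOG2",
                @"%SYSTEMROOT%\System32\config\SECURITY.LOG2",
                @"%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows",
                @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                @"%SystemDrive%\$Recycle.Bin",
                @"%SystemDrive%\$LogFile",
                @"%SystemDrive%\$MFT"
            };

            // Artefacts collected from every user profile, relative to the profile root.
            // The previous version listed NTUSER.DAT and UsrClass.dat twice; each appears once here.
            // To collect something else per user, add its profile-relative path to this array.
            string[] perUserRelative =
            {
                @"NTUSER.DAT",
                @"NTUSER.DAT.LOG1",
                @"NTUSER.DAT.LOG2",
                @"AppData\Local\Microsoft\Windows\UsrClass.dat",
                @"AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1",
                @"AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2",
                @"AppData\Local\Microsoft\Windows\Explorer",
                @"AppData\Local\Microsoft\Windows\WebCache\",
                @"AppData\Local\Google\Chrome\User Data\Default\History\",
                @"AppData\Local\ConnectedDevicesPlatform",
                @"AppData\Roaming\Microsoft\Windows\Recent",
                @"AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\",
                @"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline",
                @"AppData\Roaming\Mozilla\Firefox\Profiles\",
            };

            foreach (var user in FindUsers())
            {
                foreach (var relative in perUserRelative)
                {
                    defaultPaths.Add($@"{user.ProfilePath}\{relative}");
                }
            }

            // Expanded after the per-user entries are appended so that a ProfilePath
            // containing a %VAR% reference (should FindUsers ever return one) is handled too.
            // Windows paths are case-insensitive, so duplicates are removed ignoring case.
            return defaultPaths
                .Select(Environment.ExpandEnvironmentVariables)
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToList();
        }

        /// <summary>
        /// Unix/macOS default collection set. Fixed locations (shell history, logs,
        /// hosts files, launch/startup items, account files) are combined with a
        /// whole-filesystem find whose output is filtered for property lists, shell
        /// history and browser artefacts. Assigns the AllFiles and tempPaths fields as a
        /// side effect, as the previous implementation did.
        /// </summary>
        /// <returns>De-duplicated paths; find output is used verbatim.</returns>
        private static List<string> BuildUnixDefaultPaths()
        {
            tempPaths = new List<string>
            {
                "/root/.bash_history",
                "/var/log",
                "/private/var/log/",
                "/.fseventsd",
                "/etc/hosts.allow",
                "/etc/hosts.deny",
                "/etc/hosts",
                "/System/Library/StartupItems",
                "/System/Library/LaunchAgents",
                "/System/Library/LaunchDaemons",
                "/Library/LaunchAgents",
                "/Library/LaunchDaemons",
                "/Library/StartupItems",
                "/etc/passwd",
                "/etc/group",
                "/etc/rc.d"
            };

            // Full listing of the filesystem. The executable path and argument string are
            // constants, so nothing user-controlled is passed to RunCommand (not visible here).
            AllFiles = new List<string>();
            AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

            // Property lists. The previous filter looked for the literal text "*.plist",
            // which no real path contains, so plist files were never actually collected.
            tempPaths.AddRange(AllFiles.Where(f => f.EndsWith(".plist", StringComparison.Ordinal)));

            // Substrings identifying shell-history and browser artefacts anywhere on disk.
            string[] markers =
            {
                ".bash_history",
                ".sh_history",
                // Chrome (macOS "Application Support" layout)
                "Support/Google/Chrome/Default/History",
                "Support/Google/Chrome/Default/Cookies",
                "Support/Google/Chrome/Default/Bookmarks",
                "Support/Google/Chrome/Default/Extensions",
                "Support/Google/Chrome/Default/Last",
                "Support/Google/Chrome/Default/Shortcuts",
                "Support/Google/Chrome/Default/Top",
                "Support/Google/Chrome/Default/Visited",
                // Firefox
                "places.sqlite",
                "downloads.sqlite",
            };

            foreach (var marker in markers)
            {
                tempPaths.AddRange(AllFiles.Where(f => f.Contains(marker)));
            }

            // The earlier Replace(" ", " ") "space fix" replaced a space with itself and
            // has been dropped; paths are used exactly as find printed them.
            return tempPaths.Distinct(StringComparer.Ordinal).ToList();
        }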
        public static List <string> GetPaths(Arguments arguments, List <string> additionalPaths, bool Usnjrnl, bool AntiV)
        {
            var defaultPaths = new List <string>
            {
                $@"{Arguments.DriveLet}\Windows\SchedLgU.Txt",
                $@"{Arguments.DriveLet}\Windows\Tasks",
                $@"{Arguments.DriveLet}\Windows\Prefetch",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\install",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\Amcache.hve",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\Amcache.hve.LOG1",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\Amcache.hve.LOG2",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\Amcache.hve.tmp.LOG1",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\Amcache.hve.tmp.LOG2",
                $@"{Arguments.DriveLet}\Windows\Appcompat\Programs\recentfilecache.bcf",
                $@"{Arguments.DriveLet}\Windows\System32\drivers\etc\hosts",
                $@"{Arguments.DriveLet}\Windows\System32\sru",
                $@"{Arguments.DriveLet}\Windows\System32\winevt\logs",
                $@"{Arguments.DriveLet}\Windows\System32\Tasks",
                $@"{Arguments.DriveLet}\Windows\System32\LogFiles\W3SVC1",
                $@"{Arguments.DriveLet}\Windows\System32\config\",
                $@"{Arguments.DriveLet}\Windows\System32\config\SAM.LOG1",
                $@"{Arguments.DriveLet}\Windows\System32\config\SYSTEM.LOG1",
                $@"{Arguments.DriveLet}\Windows\System32\config\SOFTWARE.LOG1",
                $@"{Arguments.DriveLet}\Windows\System32\config\SECURITY.LOG1",
                $@"{Arguments.DriveLet}\Windows\System32\config\SAM.LOG2",
                $@"{Arguments.DriveLet}\Windows\System32\config\SYSTEM.LOG2",
                $@"{Arguments.DriveLet}\Windows\System32\config\SOFTWARE.LOG2",
                $@"{Arguments.DriveLet}\Windows\System32\config\SECURITY.LOG2",
                $@"{Arguments.DriveLet}\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                $@"{Arguments.DriveLet}\Windows\System32\dhcp",
                $@"{Arguments.DriveLet}\ProgramData\Microsoft\RAC\PublishedData",
                $@"{Arguments.DriveLet}\Program Files (x86)\TeamViewer\Connections_incoming.txt",
                $@"{Arguments.DriveLet}\Program Files\TeamViewer\Connections_incoming.txt",
                $@"{Arguments.DriveLet}\System Volume Information\syscache.hve",
                $@"{Arguments.DriveLet}\System Volume Information\syscache.hve.LOG1",
                $@"{Arguments.DriveLet}\System Volume Information\syscache.hve.LOG2",
                $@"{Arguments.DriveLet}\ProgramData\Microsoft\Network\Downloader\",
                $@"{Arguments.DriveLet}\Windows\System32\bits.log",
                $@"{Arguments.DriveLet}\Windows\System32\Tasks",
                $@"{Arguments.DriveLet}\inetpub\logs\LogFiles",
                $@"{Arguments.DriveLet}\Windows\System32\LogFiles\HTTPERR",
                $@"{Arguments.DriveLet}\Windows\System32\wbem\Repository",
                $@"{Arguments.DriveLet}\Windows.old\SchedLgU.Txt",
                $@"{Arguments.DriveLet}\Windows.old\Tasks",
                $@"{Arguments.DriveLet}\Windows.old\Prefetch",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\install",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\Amcache.hve",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\Amcache.hve.LOG1",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\Amcache.hve.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\Amcache.hve.tmp.LOG1",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\Amcache.hve.tmp.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\Appcompat\Programs\recentfilecache.bcf",
                $@"{Arguments.DriveLet}\Windows.old\System32\drivers\etc\hosts",
                $@"{Arguments.DriveLet}\Windows.old\System32\sru",
                $@"{Arguments.DriveLet}\Windows.old\System32\winevt\logs",
                $@"{Arguments.DriveLet}\Windows.old\System32\Tasks",
                $@"{Arguments.DriveLet}\Windows.old\System32\LogFiles\W3SVC1",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SAM.LOG1",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SOFTWARE.LOG1",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SECURITY.LOG1",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SAM.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SYSTEM.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SOFTWARE.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\System32\config\SECURITY.LOG2",
                $@"{Arguments.DriveLet}\Windows.old\System32\dhcp",
                $@"{Arguments.DriveLet}\Windows.old\System32\bits.log",
                $@"{Arguments.DriveLet}\Windows.old\System32\Tasks",
                $@"{Arguments.DriveLet}\Windows.old\System32\LogFiles\HTTPERR",
                $@"{Arguments.DriveLet}\Windows.old\System32\wbem\Repository",
                $@"{Arguments.DriveLet}\ProgramData\AnyDesk",
                $@"{Arguments.DriveLet}\Windows\System32\LogFiles\SUM",
                $@"{Arguments.DriveLet}\Windows.old\System32\LogFiles\SUM",
                $@"{Arguments.DriveLet}\kworking",
                $@"{Arguments.DriveLet}\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db",
                $@"{Arguments.DriveLet}\Windows\System32\debug\netlogon.log",
                $@"{Arguments.DriveLet}\ProgramData\LogMeIn\Logs",
                $@"{Arguments.DriveLet}\Program Files (x86)\Splashtop\Splashtop Remote\Server\log",
                $@"{Arguments.DriveLet}\Program Files\Splashtop\Splashtop Remote\Server\log",
                $@"{Arguments.DriveLet}\Program Files (x86)\Splashtop\Splashtop Remote\Splashtop Gateway\log",
                $@"{Arguments.DriveLet}\Program Files\Splashtop\Splashtop Remote\Splashtop Gateway\log",
                $@"{Arguments.DriveLet}\ProgramData\Microsoft\Windows Defender\Support",
            };

            if (Usnjrnl == true)
            {
                defaultPaths.Add($@"{Arguments.DriveLet}\$Extend\$UsnJrnl:$J");
            }
            //AntiV switch is used to add antivirus paths to the collection list (WARNING: Collection may become very large!)
            if (AntiV == true)
            {
                //AVG
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\AVG\Antivirus\log");
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\AVG\Antivirus\report");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\AVG\Antivirus\log");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\AVG\Antivirus\report");
                //Avast
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Avast Software\Avast\Log");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Avast Software\Avast\Chest\index.xml");
                //Avira
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Avira\Antivirus\LOGFILES");
                //Bitdefender
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Bitdefender\Endpoint Security\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Bitdefender\Desktop\Profiles\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ComboFix.txt");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\crs1\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\apv2\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\crb1\Logs");
                //ESET
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\ESET\ESET NOD32 Antivirus\Logs");
                //F-Secure
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\F-Secure\Log");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\F-Secure\Antivirus\ScheduledScanReports");
                //Hitman Pro
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\HitmanPro\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\HitmanPro.Alert\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\HitmanPro.Alert\excalibur.db");
                //Malwarebytes
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Malwarebytes\MBAMService\ScanResults");
                //McAfee
                defaultPaths.Add($@"{Arguments.DriveLet}\Users\All Users\Application Data\McAfee\DesktopProtection");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\McAfee\DesktopProtection");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\McAfee\Endpoint Security\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\McAfee\Endpoint Security\Logs_Old");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Mcafee\VirusScan");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\McAfee\Endpoint Security\Logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\RogueKiller\logs");
                //SentinelOne
                defaultPaths.Add($@"{Arguments.DriveLet}\programdata\sentinel\logs");
                //Sophos
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\Sophos");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos File Scanner\Logs\");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos Device Control\logs\");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos Data Control\logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos Anti-Virus\logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos Tamper Protection\logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Sophos\Sophos Network Threat Protection\Logs");

                //Symantec
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV");
                defaultPaths.Add($@"{Arguments.DriveLet}\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine");
                //TotalAV
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files\TotalAV\logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files (x86)\TotalAV\logs");
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\TotalAV\logs");
                //TrendMicro
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Trend Micro");
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files\Trend Micro\Security Agent\Report");
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files (x86)\Trend Micro\Security Agent\Report");
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files\Trend Micro\Security Agent\ConnLog");
                defaultPaths.Add($@"{Arguments.DriveLet}\Program Files (x86)\Trend Micro\Security Agent\ConnLog");
                //VIPRE
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\VIPRE Business Agent\Logs");
                //Webroot
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\WRData\WRLog.log");
                //Defender
                defaultPaths.Add($@"{Arguments.DriveLet}\ProgramData\Microsoft\Microsoft AntiMalware\Support");
                defaultPaths.Add($@"{Arguments.DriveLet}\Windows\Temp\MpCmdRun.log");
                defaultPaths.Add($@"{Arguments.DriveLet}\Windows.old\Windows\Temp\MpCmdRun.log");
            }
            defaultPaths = defaultPaths.Select(Environment.ExpandEnvironmentVariables).ToList();

            //This will collect all fixed drive MFT files if you did not select a specific mounted drive to collect from.
            //Use with -dl if you only want a specific drive collected rather than all fixed drives on a system.
            if (Arguments.DriveLet == "C:")
            {
                try
                {
                    DriveInfo[] allDrives = DriveInfo.GetDrives();
                    foreach (DriveInfo d in allDrives)
                    {
                        if (d.DriveType == DriveType.Fixed && d.DriveFormat == "NTFS")
                        {
                            defaultPaths.Add($@"{d.Name}$MFT");
                            defaultPaths.Add($@"{d.Name}$LogFile");
                        }
                    }
                }
                catch (FileNotFoundException)
                {
                    //FAIL
                }
            }

            //If -dl switch is used against something other than "C:", only the drive letter variable MFT will be collected.
            if (Arguments.DriveLet != "C:")
            {
                defaultPaths.Add($@"{Arguments.DriveLet}\$MFT");
                defaultPaths.Add($@"{Arguments.DriveLet}\$LogFile");
            }

            //This section will attempt to collect files or folder locations under each users profile by pulling their ProfilePath from the registry and adding it in front.
            //Add "defaultPaths.Add($@"{user.ProfilePath}" without the quotes in front of the file / path to be collected in each users profile.
            if (!Platform.IsUnixLike())
            {
                try

                {
                    string   UserPath       = Arguments.DriveLet + "\\Users\\";
                    string[] WinUserFolders = Directory.GetDirectories(UserPath);
                    if (Directory.Exists(UserPath))
                    {
                        foreach (var User in WinUserFolders)
                        {
                            defaultPaths.Add($@"{User}\NTUSER.DAT");
                            defaultPaths.Add($@"{User}\NTUSER.DAT.LOG1");
                            defaultPaths.Add($@"{User}\NTUSER.DAT.LOG2");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\WebCache");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\IEDownloadHistory");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\INetCookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\ConnectedDevicesPlatform");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\Recent");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Office\Recent");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Opera");
                            defaultPaths.Add($@"{User}\AppData\Local\Opera Software\Opera Stable");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Opera Software\Opera Stable");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Terminal Server Client\Cache");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Mozilla\Firefox\Profiles");
                            defaultPaths.Add($@"{User}\AppData\Roaming\TeamViewer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\winscp.rnd");
                            defaultPaths.Add($@"{User}\AppData\Roaming\winscp.ini");
                            defaultPaths.Add($@"{User}\AppData\Local\Putty.rnd");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Edge\User Data");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Internet Explorer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Internet Explorer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\AnyDesk"); // stores connecting IP and file transfer activity
                            defaultPaths.Add($@"{User}\AppData\Roaming\FileZilla");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\OneDrive\logs");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\OneDrive\logs");
                            defaultPaths.Add($@"{User}\Avast Software\Avast\Log");
                            defaultPaths.Add($@"{User}\AppData\Local\F-Secure\Log");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\SUPERAntiSpyware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Local\Symantec\Symantec Endpoint Protection\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\VIPRE Business");
                            defaultPaths.Add($@"{User}\AppData\Roaming\GFI Software\AntiMalware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Sunbelt Software\AntiMalware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Local\temp\LogMeInLogs");
                            defaultPaths.Add($@"{User}\AppData\Local\Mega Limited\MEGAsync\logs");
                        }
                    }
                }

                catch (Exception)
                {
                    //FAIL
                }
            }
            if (!Platform.IsUnixLike())
            {
                try

                {
                    string   UserPath       = Arguments.DriveLet + "\\Windows.old\\Users\\";
                    string[] WinUserFolders = Directory.GetDirectories(UserPath);
                    if (Directory.Exists(UserPath))
                    {
                        foreach (var User in WinUserFolders)
                        {
                            defaultPaths.Add($@"{User}\NTUSER.DAT");
                            defaultPaths.Add($@"{User}\NTUSER.DAT.LOG1");
                            defaultPaths.Add($@"{User}\NTUSER.DAT.LOG2");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\WebCache");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\IEDownloadHistory");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\INetCookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 1\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome\User Data\Profile 2\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 1\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\History");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Google\Chrome\User Data\Profile 2\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\History");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Cookies");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Bookmarks");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions");
                            defaultPaths.Add($@"{User}\AppData\Local\Google\Chrome SxS\User Data\Default\Shortcuts");
                            defaultPaths.Add($@"{User}\AppData\Local\ConnectedDevicesPlatform");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Windows\Recent");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Office\Recent");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Opera");
                            defaultPaths.Add($@"{User}\AppData\Local\Opera Software\Opera Stable");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Opera Software\Opera Stable");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Terminal Server Client\Cache");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Mozilla\Firefox\Profiles");
                            defaultPaths.Add($@"{User}\AppData\Roaming\TeamViewer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\winscp.rnd");
                            defaultPaths.Add($@"{User}\AppData\Roaming\winscp.ini");
                            defaultPaths.Add($@"{User}\AppData\Local\Putty.rnd");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Edge\User Data");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Internet Explorer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Microsoft\Internet Explorer");
                            defaultPaths.Add($@"{User}\AppData\Roaming\AnyDesk\ad.trace"); // stores connecting IP and file transfer activity
                            defaultPaths.Add($@"{User}\AppData\Roaming\AnyDesk\Connection_trace.txt");
                            defaultPaths.Add($@"{User}\AppData\Roaming\FileZilla");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\OneDrive\logs");
                            defaultPaths.Add($@"{User}\AppData\Local\Microsoft\Windows\OneDrive\logs");
                            defaultPaths.Add($@"{User}\Avast Software\Avast\Log");
                            defaultPaths.Add($@"{User}\AppData\Local\F-Secure\Log");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\SUPERAntiSpyware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Local\Symantec\Symantec Endpoint Protection\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\VIPRE Business");
                            defaultPaths.Add($@"{User}\AppData\Roaming\GFI Software\AntiMalware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Roaming\Sunbelt Software\AntiMalware\Logs");
                            defaultPaths.Add($@"{User}\AppData\Local\temp\LogMeInLogs");
                            defaultPaths.Add($@"{User}\AppData\Local\Mega Limited\MEGAsync\logs");
                        }
                    }
                }

                catch (Exception)
                {
                    //FAIL
                }
            }
            if (!Platform.IsUnixLike())
            {
                try

                {
                    string   UserPath2k3       = Arguments.DriveLet + "\\Documents and Settings\\";
                    string[] WinUserFolders2k3 = Directory.GetDirectories(UserPath2k3);
                    if (Directory.Exists(UserPath2k3))
                    {
                        foreach (var User2k3 in WinUserFolders2k3)
                        {
                            defaultPaths.Add($@"{User2k3}\NTUSER.DAT");
                            defaultPaths.Add($@"{User2k3}\NTUSER.DAT.LOG");
                            defaultPaths.Add($@"{User2k3}\NTUSER.DAT.LOG1");
                            defaultPaths.Add($@"{User2k3}\NTUSER.DAT.LOG2");
                            defaultPaths.Add($@"{User2k3}\Recent\");
                            defaultPaths.Add($@"{User2k3}\PrivacIE\");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG1");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG2");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Microsoft\Terminal Server Client\");
                            defaultPaths.Add($@"{User2k3}\Local Settings\History\History.IE5\");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Microsoft\Windows\WebCache\");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Microsoft\Windows\History\");
                            defaultPaths.Add($@"{User2k3}\Local Settings\Application Data\Google\Chrome\User Data\Default\History\");
                            defaultPaths.Add($@"{User2k3}\Application Data\Opera\");
                            defaultPaths.Add($@"{User2k3}\Application Data\Mozilla\Firefox\Profiles\");
                            defaultPaths.Add($@"{User2k3}\Application Data\TeamViewer\");
                        }
                    }
                }

                catch (Exception)
                {
                    //FAIL
                }
            }
            if (Platform.IsUnixLike())
            {
                defaultPaths = new List <string> {
                };
                tempPaths    = new List <string>
                {
                    "/root/.bash_history",
                    "/var/log",
                    "/private/var/log/",
                    "/.fseventsd",
                    "/etc/hosts.allow",
                    "/etc/hosts.deny",
                    "/etc/hosts",
                    "/System/Library/StartupItems",
                    "/System/Library/LaunchAgents",
                    "/System/Library/LaunchDaemons",
                    "/Library/LaunchAgents",
                    "/Library/LaunchDaemons",
                    "/Library/StartupItems",
                    "/etc/passwd",
                    "/etc/group",
                    "/etc/rc.d"
                };
                // Collect file listing
                AllFiles = new List <string> {
                };
                AllFiles.AddRange(RunCommand("/usr/bin/find", "/ -print"));

                // Find all *.plist files
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("*.plist"))));
                // Find all .bash_history files
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains(".bash_history"))));
                // Find all .sh_history files
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains(".sh_history"))));
                // Find Chrome Preference files
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/History"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Cookies"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Bookmarks"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Extensions"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Last"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Shortcuts"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Top"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("Support/Google/Chrome/Default/Visited"))));

                // Find FireFox Preference Files
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("places.sqlite"))));
                tempPaths.AddRange(AllFiles.Where((stringToCheck => stringToCheck.Contains("downloads.sqlite"))));

                // Fix any spaces to work with MacOS naming conventions
                defaultPaths = tempPaths.ConvertAll(stringToCheck => stringToCheck.Replace(" ", " "));
            }
            var paths = new List <string>(additionalPaths);

            if (arguments.CollectionFilePath != ".")
            {
                if (File.Exists(arguments.CollectionFilePath))
                {
                    paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath).Select(Environment.ExpandEnvironmentVariables));
                }
                else
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException();
                }
            }

            if (arguments.CollectionFiles != null)
            {
                paths.AddRange(arguments.CollectionFiles);
            }

            if (paths.Count == 1)
            {
                if (paths[0] == "")
                {
                    return(defaultPaths);
                }
            }
            return(paths.Any() ? paths : defaultPaths);
        }
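        /// <summary>
        /// Builds the list of file-system paths the collector should gather.
        /// </summary>
        /// <remarks>
        /// Explicitly supplied paths take precedence: <paramref name="additionalPaths"/>, the
        /// lines of the file named by <c>arguments.CollectionFilePath</c> (when it is not
        /// <c>"."</c>), and <c>arguments.CollectionFiles</c>. The platform-specific default
        /// artifact list is returned only when no usable explicit path was supplied.
        /// Environment variables are expanded in the Windows defaults and in every line read
        /// from the collection file. On Unix-like hosts the defaults also include the output
        /// of a filesystem-wide <c>find</c> for plist and shell-history files, which can be
        /// slow and produce a large list.
        /// </remarks>
        /// <param name="arguments">Parsed command-line options.</param>
        /// <param name="additionalPaths">Caller-supplied paths; copied, never mutated. <c>null</c> is treated as empty.</param>
        /// <returns>The explicit (non-blank) paths if any were given, otherwise the default list.</returns>
        /// <exception cref="ArgumentException">
        /// <c>arguments.CollectionFilePath</c> names a file that does not exist.
        /// </exception>
        public static List<string> GetPaths(Arguments arguments, List<string> additionalPaths)
        {
            List<string> defaultPaths = Platform.IsUnixLike()
                ? UnixDefaultPaths()
                : WindowsDefaultPaths();

            var paths = new List<string>(additionalPaths ?? Enumerable.Empty<string>());

            if (arguments.CollectionFilePath != ".")
            {
                if (!File.Exists(arguments.CollectionFilePath))
                {
                    Console.WriteLine("Error: Could not find file: {0}", arguments.CollectionFilePath);
                    Console.WriteLine("Exiting");
                    throw new ArgumentException(
                        $"Collection file not found: {arguments.CollectionFilePath}",
                        nameof(arguments));
                }

                // One path per line. Blank lines would otherwise become empty
                // collection targets, so they are dropped before expansion.
                paths.AddRange(File.ReadAllLines(arguments.CollectionFilePath)
                    .Where(line => !string.IsNullOrWhiteSpace(line))
                    .Select(Environment.ExpandEnvironmentVariables));
            }

            if (arguments.CollectionFiles != null)
            {
                paths.AddRange(arguments.CollectionFiles);
            }

            // An empty entry is not a collectable target; without this, a single
            // empty string would suppress the defaults while collecting nothing.
            paths.RemoveAll(string.IsNullOrWhiteSpace);

            return paths.Count > 0 ? paths : defaultPaths;
        }

        /// <summary>
        /// Default Windows artifact locations, with environment variables already expanded.
        /// </summary>
        private static List<string> WindowsDefaultPaths()
        {
            var templates = new List<string>
            {
                @"%SYSTEMROOT%\System32\drivers\etc\hosts",
                @"%SYSTEMROOT%\SchedLgU.Txt",
                @"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                @"%SYSTEMROOT%\System32\config",
                @"%SYSTEMROOT%\System32\winevt\logs",
                @"%SYSTEMROOT%\Prefetch",
                @"%SYSTEMROOT%\Tasks",
                @"%SYSTEMROOT%\System32\LogFiles\W3SVC1",
                @"%SystemDrive%\$MFT"
            };

            return templates.Select(Environment.ExpandEnvironmentVariables).ToList();
        }

        /// <summary>
        /// Default Unix/macOS artifact locations plus the results of a filesystem-wide
        /// search for plist and shell-history files.
        /// </summary>
        private static List<string> UnixDefaultPaths()
        {
            var defaults = new List<string>
            {
                "/root/.bash_history",
                "/var/log",
                "/private/var/log/",
                "/.fseventsd",
                "/etc/hosts.allow",
                "/etc/hosts.deny",
                "/etc/hosts",
                "/System/Library/StartupItems",
                "/System/Library/LaunchAgents",
                "/System/Library/LaunchDaemons",
                "/Library/LaunchAgents",
                "/Library/LaunchDaemons",
                "/Library/StartupItems",
                "/etc/passwd",
                "/etc/group"
            };

            // Each find walks the whole filesystem; the combined cost scales with the
            // number of files on the host.
            // Find all *.plist files
            defaults.AddRange(RunCommand("/usr/bin/find", "/ -name \"*.plist\" -print"));
            // Find all .bash_history files
            defaults.AddRange(RunCommand("/usr/bin/find", "/ -name \".bash_history\" -print"));
            // Find all .sh_history files
            defaults.AddRange(RunCommand("/usr/bin/find", "/ -name \".sh_history\" -print"));

            return defaults;
        }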