Sunday, August 11, 2019

CyLR — Live Response Collection tool

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Windows exe found at:


CyLR was first brought to my attention by the SANS "FOR500: Windows Forensic Analysis" course.
It is used for artifact collection; parsing the collected artifacts is left to other tools.

By default the tool collects from:

Windows Default
  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\"REGISTRY HIVES"
    • %SystemDrive%\$Recycle.Bin
    • %SystemDrive%\$LogFile
    • %SystemDrive%\$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT and \AppData

*Among other locations; the full list, and the Linux and macOS paths, are on the GitHub page.

Simulating Collecting on Remote System

The above diagram shows an admin remoting into a desktop, running CyLR there and sending the results to an SFTP server for retrieval.


1. Install OpenSSH Server on the Windows 10 host that will act as the SFTP server:
Open the Start menu, type Apps and click Apps & features.
Under "Apps & features", click the Manage optional features link.
Click the Add a feature button.
Select the OpenSSH Server option and select Install.

The service may need to be started:

Control Panel > System and Security > Administrative Tools, open Services,
and start the OpenSSH SSH Server service.

Firewall exceptions may need to be set up.
Allow incoming connections to the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only) as Administrator:
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.
This opens port 22 to every address; for a collection server, scope the rule (the -RemoteAddress parameter, or the rule's Scope tab) to the hosts that will be uploading.

A key pair may be needed (for key-based authentication to the SSH server):
In WinSCP, select Advanced settings > Authentication > Tools > Generate New Key Pair with PuTTYgen.
Or use ssh-keygen.exe from OpenSSH-Win64.


2. Create a PowerShell remoting session to the target:
$s = New-PSSession -ComputerName DESKTOP-REMOTE -Credential Win10
$s is the variable holding the PowerShell session to the remote host. Ideally use admin credentials: CyLR needs them to read the raw $MFT and the registry hives.

This prompts for the credentials.

3. Copy CyLR to the remote host through the session with PowerShell:

Copy-Item -Path C:\USERS\Win10\Desktop\CyLR_win-x64\CyLR.exe -Destination 'C:\' -ToSession $s

This uses the previously created "$s" session to copy the executable to the C: drive of the target (Copy-Item's -ToSession needs PowerShell 5.0 or later on both ends).

4. Enter the session with PowerShell:
Enter-PSSession -Session $s
5. Run CyLR and point it at the SFTP server's IP address:
C:\CyLR.exe -u SFTP_Server -p password -s <SFTP server IP>
-u and -p are the SFTP account's username and password; -s is the SFTP server's hostname or IP address (optionally with :port; port 22 is the default). CyLR uploads the zip archive and removes the local copy. *Not recommended to use "password" as the password. Note also that the password is passed on the command line on the target, so it will show up in that host's process-creation logging (Security event 4688 with command-line auditing, Sysmon event 1); use a dedicated, throwaway SFTP account for collections.



6. Verify the results on the SFTP server.

The uploaded zip archive contains the collected artifacts, including the NTUSER.DAT registry hive for each user.
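As an added example (my own script, not code from the original post or from the CyLR project), here are the session, copy and run steps above wrapped in one function. Instead of the SFTP upload it runs CyLR with its -od switch so the archive lands in a staging directory on the target, hashes it there, pulls it back over the same PSSession with Copy-Item -FromSession (PowerShell 5.0 or later on both ends), and re-checks the hash before cleaning up. That keeps the SFTP password off the target's command line entirely. The host name DESKTOP-REMOTE, the Win10 account and the C:\Windows\Temp\CyLR staging directory are assumptions carried over from the post's own example.

```powershell
# Added example, not from the original post or the CyLR project.
# Assumptions (hypothetical): target DESKTOP-REMOTE, local admin account Win10,
# CyLR.exe in the current directory, staging dir C:\Windows\Temp\CyLR on the target.
function Invoke-RemoteCyLR {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$CyLRPath  = '.\CyLR.exe',
        [string]$RemoteDir = 'C:\Windows\Temp\CyLR',
        [string]$LocalOut  = '.\collections'
    )
    # Step 2 of the post: one remoting session, reused for every later call
    $s = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        Invoke-Command -Session $s -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir

        # Step 3: push the binary over the session (needs PowerShell 5.0+ on both ends)
        Copy-Item -Path $CyLRPath -Destination "$RemoteDir\CyLR.exe" -ToSession $s

        # Step 5, without SFTP: -od writes the zip into the staging dir instead of
        # the current directory, so no -u/-p/-s and no password on the command line.
        $exit = Invoke-Command -Session $s -ScriptBlock {
            param($dir)
            & "$dir\CyLR.exe" -od $dir | Out-Null
            $LASTEXITCODE
        } -ArgumentList $RemoteDir
        if ($exit -ne 0) { throw "CyLR exited with code $exit on $ComputerName" }

        # Hash the archive on the target before it moves, so transfer errors are detectable
        $remote = Invoke-Command -Session $s -ScriptBlock {
            param($dir)
            $zip = Get-ChildItem -Path $dir -Filter '*.zip' | Select-Object -First 1
            if (-not $zip) { throw "CyLR produced no archive in $dir" }
            [pscustomobject]@{
                Path   = $zip.FullName
                Name   = $zip.Name
                Sha256 = (Get-FileHash -Path $zip.FullName -Algorithm SHA256).Hash
            }
        } -ArgumentList $RemoteDir

        # Pull the archive back over the same session and verify the hash locally
        New-Item -ItemType Directory -Path $LocalOut -Force | Out-Null
        $local = Join-Path $LocalOut $remote.Name
        Copy-Item -FromSession $s -Path $remote.Path -Destination $local
        $localHash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
        if ($localHash -ne $remote.Sha256) { throw "SHA-256 mismatch for $local" }

        # Remove the binary and archive from the target so nothing is left behind
        Invoke-Command -Session $s -ScriptBlock {
            param($dir) Remove-Item -Path $dir -Recurse -Force
        } -ArgumentList $RemoteDir

        [pscustomobject]@{ ComputerName = $ComputerName; Archive = $local; Sha256 = $localHash }
    }
    finally {
        Remove-PSSession -Session $s
    }
}

# Usage: prompts for the account's password instead of taking it as a parameter.
# Invoke-RemoteCyLR -ComputerName DESKTOP-REMOTE -Credential (Get-Credential 'DESKTOP-REMOTE\Win10')
```

Record the returned SHA-256 alongside the archive; it is the value you will need later to show the collection was not altered between the target and your evidence store. If the SFTP path from the post is preferred, swap the -od call for the -u/-p/-s one and keep the rest (the hash check on the server side then has to be done from the SFTP server).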

In conclusion:
I think CyLR is a neat tool and can potentially be used by an IR shop to collect relevant artifacts. May try it on a Mac and/or Linux host and see what it retrieves.

Also looking to try out Eric Zimmerman's KAPE (Kroll Artifact Parser and Extractor) tool to simulate a remote collection.



Sectechno. (2018, October 10). CyLR - Live Response Collection Tool. Retrieved from

Orlikoski. (2019, March 18). Orlikoski/CyLR. Retrieved from
