v1.3.1

CyberDefenseInstitute · Jun 5, 2018 · 0ea2de0 · 0ea2de0
1 parent 2012707
commit 0ea2de0
Show file tree

Hide file tree

Showing 15 changed files with 284 additions and 68 deletions.
diff --git a/CDIR/CDIR.cpp b/CDIR/CDIR.cpp
diff --git a/CDIR/CDIR.rc b/CDIR/CDIR.rc
diff --git a/CDIR/CDIR.vcxproj b/CDIR/CDIR.vcxproj
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -23,33 +23,33 @@
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>CDIR</RootNamespace>
     <ProjectName>cdir-collector</ProjectName>
-    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v140_xp</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
     <UseOfMfc>Static</UseOfMfc>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v140</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v140</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v140</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>

diff --git a/CDIR/ConfigParser.cpp b/CDIR/ConfigParser.cpp
@@ -22,15 +22,16 @@ ConfigParser::ConfigParser(string path)
 				string key = l.substr(0, idx);
 				string val = l.substr(idx+1);
 
-				// trim string
+				// trim key string
 				key = trim(key);
-				val = trim(val);
+
 				if (CONFIGLIST.find(key) != CONFIGLIST.end()) {
 					Value value;
 					value.type = CONFIGLIST[key];
 					switch (CONFIGLIST[key]) {
 					case TYPE_BOOL:
 						value.ptr = new bool;
+						val = trim(val);
 						*((bool*)value.ptr) = [=]() {
 							if (_stricmp("true", val.c_str()) == 0) {
 								return true;
@@ -56,11 +57,13 @@ ConfigParser::ConfigParser(string path)
 						break;
 					case TYPE_INT:
 						value.ptr = new int;
+						val = trim(val);
 						*((int*)value.ptr) = atoi(val.c_str());
 						break;
 					case TYPE_STRING:
 						value.ptr = new string;
-						*((string*)value.ptr) = val;
+						for (idx = 0; idx < val.size() && isspace(val[idx]); idx++);
+						*((string*)value.ptr) = val.substr(idx);
 						break;
 					}
 					m[key] = value;

diff --git a/CDIR/ConfigParser.h b/CDIR/ConfigParser.h
@@ -32,12 +32,17 @@ struct c_ignorecase:std::binary_function<string, string, bool> {
 static map<string, TYPE_ID, c_ignorecase> CONFIGLIST = {
 	{"MemoryDump", TYPE_BOOL},
 	{"MFT", TYPE_BOOL},
+	{"Secure", TYPE_BOOL},
 	{"UsnJrnl", TYPE_BOOL},
 	{"EventLog", TYPE_BOOL},
 	{"Prefetch", TYPE_BOOL},
 	{"Registry", TYPE_BOOL},
+	{"WMI", TYPE_BOOL},
+	{"SRUM", TYPE_BOOL },
+	{"Web", TYPE_BOOL },
 	{"Output", TYPE_STRING},
-	{"Web", TYPE_BOOL},
+	{"Target", TYPE_STRING},
+	{"MemoryDumpCmdline", TYPE_STRING},
 	{"host", TYPE_STRING},
 	{"port", TYPE_INT},
 	{"path", TYPE_STRING}

diff --git a/CDIR/cdir.ini b/CDIR/cdir.ini
@@ -1,9 +1,16 @@
-;MemoryDump = false
+;MemoryDump = true
 MFT = true
+Secure = true
 UsnJrnl = true
 EventLog = true
 Prefetch = true
 Registry = true
+WMI = true
+SRUM = true
 Web = true
+;Target = G:\
+;MemoryDumpCmdline = DumpIt.exe /Q /N /T DMP /O RAM.dmp
+;MemoryDumpCmdline = RamCapture64.exe RAM.raw
+;MemoryDumpCmdline = MagnetRAMCapture.exe /accepteula /go .\RAM.raw
 ;Output = E:\
 ;Output = \\hostname\sharename\
diff --git a/CDIR/libressl-2.4.1-windows/x86/libcrypto-38.dll b/CDIR/libressl-2.4.1-windows/x86/libcrypto-38.dll
diff --git a/CDIR/libressl-2.4.1-windows/x86/libssl-39.dll b/CDIR/libressl-2.4.1-windows/x86/libssl-39.dll
diff --git a/CDIR/libressl-2.4.1-windows/x86/libtls-11.dll b/CDIR/libressl-2.4.1-windows/x86/libtls-11.dll
diff --git a/CDIR/util.cpp b/CDIR/util.cpp
@@ -142,4 +142,4 @@ vector<pair<string, int>> findfiles(string filepath, bool error) {
 	}
 
 	return paths;
-}
+}
diff --git a/CDIR/util.h b/CDIR/util.h
@@ -15,4 +15,4 @@ string dirname(string &, char delim = '\\');
 string msg(string jp, string en, WORD lang = GetUserDefaultLangID());
 string join(vector<string>, string);
 string hexdump(const unsigned char*, size_t);
-vector<pair<string, int>> findfiles(string, bool error=true);
+vector<pair<string, int>> findfiles(string, bool error=true);
diff --git a/NTFSParserDLL/NTFSParserDLL.vcxproj b/NTFSParserDLL/NTFSParserDLL.vcxproj
@@ -22,24 +22,25 @@
     <ProjectGuid>{5E42B778-F231-4797-B7FD-7D5BCA9738D0}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>NTFSParserDLL</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v140</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v140</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v140_xp</PlatformToolset>
+    <PlatformToolset>v141</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>NotSet</CharacterSet>
   </PropertyGroup>
@@ -74,6 +75,10 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <LinkIncremental>false</LinkIncremental>
+    <ExecutablePath>C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin;$(ExecutablePath)</ExecutablePath>
+    <IncludePath>C:\Program Files\Microsoft SDKs\Windows\v7.1\Include;$(IncludePath)</IncludePath>
+    <LibraryPath>C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib;$(LibraryPath)</LibraryPath>
+    <ExcludePath>C:\Program Files\Microsoft SDKs\Windows\v7.1\Include;$(ExcludePath)</ExcludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>

diff --git a/NTFSParserDLL/NTFS_FileRecord.h b/NTFSParserDLL/NTFS_FileRecord.h
@@ -826,8 +826,10 @@ CNTFSVolume::CNTFSVolume(_TCHAR volume)
 	Version = 0;
 	ClearAttrRawCB();
 
-	if (!OpenVolume(volume))
+	if (!OpenVolume(volume)) {
+		fprintf(stderr, "Volume open error: %c\n", volume);
 		return;
+	}
 
 	// Verify NTFS volume version (must >= 3.0)
 

diff --git a/README.md b/README.md
@@ -5,12 +5,22 @@
 cdir-collectorは初動対応時のデータ保全を支援するためのツールです。Windows PC上の以下のデータを取得することが可能です。
 
 * メモリ
-* MFT
-* UsnJrnl
+* NTFS
+  * $MFT
+  * $SECURE:$SDS
+  * $UsnJrnl:$J
 * プリフェッチ
 * イベントログ
 * レジストリ
-* Web(履歴、クッキー)
+  * Amcache.hve
+  * SAM, SECURITY, SOFTWARE, SYSTEM
+  * NTUser.dat, UsrClass.dat
+* WMI
+* SRUM
+* Web
+  * Default_History (Chrome)
+  * default_cookies.sqlite, default_places.sqlite (Firefox)
+  * WebCacheV01.dat (IE, Edge)
 
 ## ダウンロード
 
@@ -20,7 +30,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## ビルド
 
-ソースコードはVisual Studio 2015で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
+ソースコードはVisual Studio 2017で読み込みビルドすることができます。cdir-collectorの構成ファイルは以下の通りです。
 
 * cdir.ini
 * cdir-collector.exe

diff --git a/README_en.md b/README_en.md
@@ -5,12 +5,22 @@
 cdir-collector is a collection tool for first response. it collects the following data on Windows.
 
 * RAM
-* MFT
-* UsnJrnl
+* NTFS
+  * $MFT
+  * $SECURE:$SDS
+  * $UsnJrnl:$J
 * Prefetch
 * EventLog
 * Registry
-* Web(History, Cookie)
+  * Amcache.hve
+  * SAM, SECURITY, SOFTWARE, SYSTEM
+  * NTUser.dat, UsrClass.dat
+* WMI
+* SRUM
+* Web
+  * Default_History (Chrome)
+  * default_cookies.sqlite, default_places.sqlite (Firefox)
+  * WebCacheV01.dat (IE, Edge)
 
 ## Download
 
@@ -20,7 +30,7 @@ https://github.com/CyberDefenseInstitute/CDIR/releases
 
 ## Build
 
-If you want to customise and build binary from source code, try to use Visual Studio 2015. 
+If you want to customise and build binary from source code, try to use Visual Studio 2017. 
 
 Component of cdir-collector: 
 * cdir.ini
-Original file line number
+Diff line change
@@ Expand Up @@
     	}
     	return paths;
-    }
+    }