CyLR — Live Response Collection Tool

The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host. The main features are:

  • Quick collection (it’s really fast)
  • Raw file collection process does not use Windows API
  • Optimized to store the collected artifacts in memory (minimizing or removing entirely the need to write additional artifacts on the host disk)
  • Built in SFTP capability
CyLR — Live Response Collection Tool

CyLR — Live Response Collection Tool

The advantage with using CylR is that it is collecting the required forensics data rapidly that can be a part of live response. some of the options are:

  • ‘–help’ — Show help message and exit.
  • ‘-od’ — Defines the directory that the zip archive will be created in. Defaults to current working directory. (applies to SFTP and local storage options)
  • ‘-of’ — Defines the name of the zip archive will be created. Defaults to host machine’s name.
  • ‘-zp’ — If specified, the resulting zip file will be password protected with this password.
  • SFTP Options
    • ‘-u’ — SFTP username
    • ‘-p’ — SFTP password
    • ‘-s’ — SFTP Server resolvable hostname or IP address and port. If no port is given then 22 is used by default. The format is :. Usage: -s″
  • ‘-c’ — Optional argument to provide custom list of artifact files and directories (one entry per line).

After Collecting the artifact it will be possible to process the data with Cold Disk Quick. Response (CDQR).

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments