{"id":13540359,"url":"https://github.com/orlikoski/CDQR","last_synced_at":"2025-04-02T07:30:58.387Z","repository":{"id":3481664,"uuid":"49660976","full_name":"orlikoski/CDQR","owner":"orlikoski","description":"The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices","archived":false,"fork":false,"pushed_at":"2022-06-25T16:20:38.000Z","size":74096,"stargazers_count":336,"open_issues_count":5,"forks_count":50,"subscribers_count":30,"default_branch":"main","last_synced_at":"2025-03-29T03:21:33.216Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orlikoski.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-14T16:48:48.000Z","updated_at":"2025-02-13T10:35:09.000Z","dependencies_parsed_at":"2022-07-29T03:48:22.375Z","dependency_job_id":null,"html_url":"https://github.com/orlikoski/CDQR","commit_stats":null,"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orlikoski%2FCDQR","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orlikoski%2FCDQR/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orlikoski%2FCDQR/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orlikoski%2FCDQR/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orlikoski","download_url":"https://codeload.githu
b.com/orlikoski/CDQR/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246774335,"owners_count":20831517,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:47.532Z","updated_at":"2025-04-02T07:30:53.380Z","avatar_url":"https://github.com/orlikoski.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Python (1887)","Python","\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加","Forensics","Synopsis"],"sub_categories":["\u003ca id=\"1fc5d3621bb13d878f337c8031396484\"\u003e\u003c/a\u003e取证\u0026\u0026Forensics\u0026\u0026数字取证\u0026\u0026内存取证","Steganography","Table of Contents"],"readme":"## NAME\n\nCDQR — Cold Disk Quick Response tool by Alan Orlikoski\n\nFor latest release click [here](https://github.com/orlikoski/CDQR/releases/latest)\n\n## Please Read\n[Open Letter to the users of Skadi, CyLR, and CDQR](https://docs.google.com/document/d/1L6CBvFd7d1Qf4IxSJSdkKMTdbBuWzSzUM3u_h5ZCegY/edit?usp=sharing)\n\n## Videos and Media\n*  [OSDFCON 2017](http://www.osdfcon.org/presentations/2017/Asif-Matadar_Rapid-Incident-Response.pdf) Slides: Walk-through different techniques that are required to provide forensics results for Windows and *nix environments (Including CyLR and CDQR)\n\n## What is CDQR?\nThe CDQR tool uses Plaso to parse forensic artifacts and/or disk images with specific parsers and create easy to analyze custom reports. 
The parsers were chosen based on triaging best practices and the custom reports group like items together to make analysis easier. The design came from the Live Response Model of investigating the important artifacts first. This is meant to be a starting point for investigations, not the complete investigation.\n\nIn addition to processing entire forensic images it also parses extracted forensic artifact(s) as an individual file or collection of files inside of a folder structure (or inside a .zip file).\n\nIt creates up to 18 Reports (.csv files) based on triaging best practices and the parsing option selected\n*  18 Reports for DATT:  \n      ```\n      Appcompat, Amcache, Bash, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall, Mac, Linux, and Android\n      ```\n*  14 Reports for Win:  \n      ```\n      Appcompat, Amcache, Bash, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall\n      ```\n*   8 Reports for Mac and Lin:  \n      ```\n      File System, Internet History, System Information, AntiVirus, Firewall, Mac, and Linux\n      ```\n*   7 Reports for Android:  \n      ```\n      File System, Internet History, Persistence, System Information, AntiVirus, Firewall, and Android\n      ```\n\n\n## Important Notes\n* Make sure the account has permissions to create files and directories when running (when in doubt, run as administrator)\n*  Ensure line endings are correct for the OS it is running on\n\n## DESCRIPTION\n\nThis program uses [Plaso](https://github.com/log2timeline/plaso/wiki) and a streamlined list of its parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc) or group of forensic artifacts.  
The results are output in either ElasticSearch, JSON (line delimited), or the following report files in CSV format:\n*  18 Reports for DATT:  \n      ```\n      Appcompat, Amcache, Bash, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall, Mac, Linux, and Android\n      ```\n*  14 Reports for Win:  \n      ```\n      Appcompat, Amcache, Bash, Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall\n      ```\n*   8 Reports for Mac and Lin:  \n      ```\n      File System, Internet History, System Information, AntiVirus, Firewall, Mac, and Linux\n      ```\n*   7 Reports for Android:  \n      ```\n      File System, Internet History, Persistence, System Information, AntiVirus, Firewall, and Android\n      ```\n\n## ARGUMENTS \u0026 OPTIONS\n```\npositional arguments:\n  src_location          Source File location: Y:/Case/Tag009/sample.E01\n  dst_location          Destination Folder location. If nothing is supplied\n                        then the default is 'Results'\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -p PARSER, --parser PARSER\n                        Choose parser to use. If nothing chosen then 'win' is\n                        used. 
The parsing options are: win, mft_usnjrnl, lin,\n                        mac, datt\n  --nohash              Do not hash all the files as part of the processing of\n                        the image\n  --mft                 Process the MFT file (disabled by default except for\n                        DATT)\n  --usnjrnl             Process the USNJRNL file (disabled by default except\n                        for DATT)\n  --max_cpu             Use the maximum number of cpu cores to process the\n                        image\n  --export              Creates zipped, line delimited json export file\n  --artifact_filters ARTIFACT_FILTERS\n                        Plaso passthrough: Names of forensic artifact\n                        definitions, provided on the command command line\n                        (comma separated). Forensic artifacts are stored in\n                        .yaml files that are directly pulled from the artifact\n                        definitions project. You can also specify a custom\n                        artifacts yaml file (see\n                        --custom_artifact_definitions). Artifact definitions\n                        can be used to describe and quickly collect data of\n                        interest, such as specific files or Windows Registry\n                        keys.\n  --artifact_filters_file ARTIFACT_FILTERS_FILE\n                        Plaso passthrough: Names of forensic artifact\n                        definitions, provided in a file with one artifact name\n                        per line. Forensic artifacts are stored in .yaml files\n                        that are directly pulled from the artifact definitions\n                        project. You can also specify a custom artifacts yaml\n                        file (see --custom_artifact_definitions). 
Artifact\n                        definitions can be used to describe and quickly\n                        collect data of interest, such as specific files or\n                        Windows Registry keys.\n  --artifact_definitions ARTIFACT_DEFINITIONS\n                        Plaso passthrough: Path to a directory containing\n                        artifact definitions, which are .yaml files. Artifact\n                        definitions can be used to describe and quickly\n                        collect data of interest, such as specific files or\n                        Windows Registry keys.\n  --custom_artifact_definitions CUSTOM_ARTIFACT_DEFINITIONS\n                        Plaso passthrough: Path to a file containing custom\n                        artifact definitions, which are .yaml files. Artifact\n                        definitions can be used to describe and quickly\n                        collect data of interest, such as specific files or\n                        Windows Registry keys.\n  --file_filter FILE_FILTER, -f FILE_FILTER\n                        Plaso passthrough: List of files to include for\n                        targeted collection of files to parse, one line per\n                        file path, setup is /path|file - where each element\n                        can contain either a variable set in the preprocessing\n                        stage or a regular expression.\n  --es_kb ES_KB         Outputs Kibana format to elasticsearch database.\n                        Requires index name. Example: '--es_kb my_index'\n  --es_kb_server ES_KB_SERVER\n                        Kibana Format Only: Exports to remote (default is\n                        127.0.0.1) elasticsearch database. 
Requires Server\n                        name or IP address Example: '--es_kb_server\n                        myserver.elk.go' or '--es_kb_server 192.168.1.10'\n  --es_kb_port ES_KB_PORT\n                        Kibana Format Only: Port (default is 9200) for remote\n                        elasticsearch database. Requires port number Example:\n                        '--es_kb_port 9200 '\n  --es_kb_user ES_KB_USER\n                        Kibana Format Only: Username (default is none) for\n                        remote elasticsearch database. Requires port number\n                        Example: '--es_kb_user skadi '\n  --es_ts ES_TS         Outputs TimeSketch format to elasticsearch database.\n                        Requires index/timesketch name. Example: '--es_ts\n                        my_name'\n  --plaso_db            Process an existing Plaso DB file. Example:\n                        artifacts.plaso\n  -z                    Indicates the input file is a zip file and needs to be\n                        decompressed\n  --no_dependencies_check\n                        Re-enables the log2timeline the dependencies check. It\n                        is skipped by default\n  --process_archives    Extract and inspect contents of archives found inside\n                        of artifacts or disk images\n  -v, --version         show program's version number and exit\n  -y                    Accepts all defaults on prompted questions in the\n                        program.\n```\n\n## DEPENDENCIES\n\n1. 64-bit Windows, Linux, or Mac Operating System (OS)\n2. The appropriate version of Plaso for the OS https://github.com/log2timeline/plaso/releases\n3. 
[Python v3.x](https://www.python.org/downloads/) (if using cdqr.py source code)\n\n## EXAMPLES\n\n```\ncdqr.py c:\\mydiskimage.vmdk myresults\n```\n```\ncdqr.exe -p win c:\\images\\badlaptop.e01\n```\n```\ncdqr.exe -p datt --max_cpu C:\\artifacts\\tag009\n```\n```\ncdqr.exe -p datt --max_cpu C:\\artifacts\\tag009\\$MFT --export\n```\n```\ncdqr.exe -z --max_cpu C:\\artifacts\\tag009\\artifacts.zip\n```\n```\ncdqr.exe -z --max_cpu C:\\artifacts\\tag009\\artifacts.zip --es myindexname\n```\n\n\n## AUTHOR\n\nAlan Orlikoski\n* [GitHub](https://github.com/orlikoski)\n* [Twitter](https://twitter.com/AlanOrlikoski)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forlikoski%2FCDQR","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forlikoski%2FCDQR","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forlikoski%2FCDQR/lists"}