Closed 7MinSec closed 5 years ago
The process is fairly straightforward. Use a tool like FTK Imager to extract the high value artifacts into a single folder and then run CDQR against that folder.
Thanks, I read through some of the other open questions on CDQR/CYLR and basically did the text file route where I took the collection paths you mention on the main CYLR tool page, and subbed out the variables for those appropriate to my mounted H:\ drive of the dead box image, then called cylr with the -c option. Does that seem a reasonable route to go?
That's the more advanced way of doing it and can be scripted very easily. One thing to consider is that CyLR supports input redirects as input for collection paths.
This makes it possible to skip using -c option in order to make it one command that can be placed into a script.
For example:
echo "C:\Temp\" "%SYSTEMROOT%\system32\winevt\" | CyLR.exe
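Added example, not from this thread or from CyLR itself, of the substitution the question describes: because cmd.exe expands %SYSTEMROOT% against the analyst's own machine rather than the mounted image, the variables and the drive letter are rewritten by hand to the H:\ mount before the paths are fed to CyLR on stdin. The third collection entry, the "Windows" directory name, the variable table and CyLR's -od output option are assumptions.

```python
import re
import subprocess

# Live-system style collection paths. The first two are the ones quoted in
# this thread; the third is a constructed entry to show %SYSTEMDRIVE% handling
# and is NOT CyLR's own default list.
LIVE_PATHS = [
    "C:\\Temp\\",
    "%SYSTEMROOT%\\system32\\winevt\\",
    "%SYSTEMDRIVE%\\$MFT",  # constructed example entry
]


def rebase_path(path: str, mount_root: str, system_root: str = "Windows") -> str:
    """Rewrite a live-system path so it points into a dead-box image mounted
    at mount_root (e.g. H:\\). The OS cannot expand the variables for us here,
    since the image is not the running system, so they are resolved by hand
    against the image layout (assumed: system root is <mount>\\Windows)."""
    mount_root = mount_root.rstrip("\\")
    variables = {
        "SYSTEMDRIVE": mount_root,
        "SYSTEMROOT": mount_root + "\\" + system_root,
        "WINDIR": mount_root + "\\" + system_root,
    }

    def expand(match: "re.Match[str]") -> str:
        name = match.group(1).upper()
        if name not in variables:
            # Refuse rather than silently collect from the analyst workstation.
            raise ValueError(f"no dead-box mapping for %{name}%")
        return variables[name]

    path = re.sub(r"%([A-Za-z_]+)%", expand, path)
    # A leading live-system drive letter becomes the mount root.
    return re.sub(r"^[A-Za-z]:", mount_root, path)


def build_stdin_payload(paths, mount_root: str, system_root: str = "Windows") -> str:
    """Produce the single line CyLR reads from stdin: each path double-quoted
    and space separated, the same shape as the echo command in this thread."""
    rebased = [rebase_path(p, mount_root, system_root) for p in paths]
    return " ".join(f'"{p}"' for p in rebased)


def run_cylr(paths, mount_root: str, cylr_exe: str = "CyLR.exe", outdir: str = "collection"):
    """Feed the rebased list to CyLR over stdin (assumes -od sets the output dir)."""
    payload = build_stdin_payload(paths, mount_root)
    return subprocess.run([cylr_exe, "-od", outdir], input=payload, text=True, check=True)
```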
Sorry I forgot to write back but this worked great - thanks!
Hi there,
I'm attempting to run CDQR against an .E01 image on an external hard drive. However, I started an analysis job and it's been running for over 24 hours. Is there a guide somewhere to manually gathering just the necessary artifacts from a dead box image and then running CDQR against that?
Thanks, Brian