Skip to main content

Investigation Package data

Caution

Be aware that some of the information collected in investigation packages from the users' workstations qualifies as personal data.

Make sure you perform your due diligence to safeguard sensitive user information and inform your users about the collection in compliance with local laws on user data privacy.

An Investigation package compiles in a downloadable archive the following logs and data:

  • Bitdefender Endpoint Security Tools (BEST) product logs

  • Windows Event Logs

  • System Info

  • Registry hive files from:

    • %SystemRoot%\System32\Config: SOFTWARE, SYSTEM, DEFAULT, DRIVERS, SAM, SECURITY (including .LOG1 and .LOG2 files)

    • %SystemDrive%\Users: NTUSER.DAT, NTUSER.DAT.LOG1, NTUSER.DAT.LOG2

  • amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)

  • shimcache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache)

  • prefetch (C:\WINDOWS\Prefetch)

  • Net info:

    • ActiveNetConnections (C:\WINDOWS\system32\netstat.exe -abno)

    • AddressResolutionProtocolCache (C:\WINDOWS\system32\arp.exe -a)

    • DnsCache (C:\WINDOWS\system32\ipconfig.exe /displaydns)

    • SmbInboundSessions (C:\WINDOWS\system32\net.exe session)

    • SmbOutboundSessions:

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-500\Network

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-1001\Network

      • HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-504\Network

    • FirewallLogs:

      • C:\WINDOWS\system32\cmd.exe /C "for /f "tokens=2 delims= " %F in ('Get-NetFirewallProfile ^| findstr FileName') do cmd /C xcopy /F /Y /Q "%F" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\" & cmd /C move "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\pfirewall.log" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\Network Connections\pfirewall.log""

  • Temp Dir Files (Listing with details for all users and system):

    • dir /a /n /q /r /s

  • ScheduledTasks (C:\WINDOWS\system32\schtasks.exe /query /v /fo CSV)

  • Powershell history (if enabled)

  • Webcache (%LOCALAPPDATA%\Microsoft\Windows\WebCache)

  • WdSupportLogs:

    • C:\WINDOWS\system32\cmd.exe /C ""%ProgramFiles%\Windows Defender\mpcmdrun.exe" -GetFiles & copy "%programdata%\Microsoft\Windows Defender\Support\MPSupportFiles.cab" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\WdSupportLogs""

  • Users and Groups (Listing of all local users and groups):

    • net user; net localgroup

    • Groups membership listing: for /f "delims=" %x in ('net localgroup ^|find ""') do net localgroup "%x"

    • Current logged-in users: query user

  • SRUDB:

    • C:\Windows\System32\sru

  • Background Activity Moderator:

    • HKLM\SYSTEM\ControlSet001\Services\bam

  • wbem repository:

    • %windir%System32\Wbem\Repository

  • Forensic data collection report in CSV format:

    • CSV header: | Timestamp | Name | Command | Command Execution Status | Command Exit Code | Destination Path |

Note

The forensic data gathering operation will skip items that are locked or do not exist. Depending on the operating system version and system configuration, some items could be missing or be uncollectable.

An archive will be created with two folders:

  • SupportTool (contains basic logs from the BEST client)

  • ForensicArtefacts

Contents of ForensicArtefacts are a CSV file with the header "Current Time,Command Name,Command Line,Status,Error,Output file" and the below folders:

Autoruns and services

Command

Output file

systemctl list-unit-files

systemctl unit files.txt

systemctl -t service - all

systemds service files description.txt

systemctl

loaded systemd units.txt

ls -d /etc/rc*

list of rc folders.txt

ls -d /etc/init.d/*

list of init files.txt

ls -dR /etc/cron.*

list of cron folders.txt

Copy all files and folders from the list files above

ls -1 $(getent passwd | cut -d : -f 6 | sed 's:$:/.*rc:')

all users rc files.txt

Copy files from "all users rc files.txt"

Format for file "<user> <*rc>"

Network info

Command

Output file

iptables -t nat -L

iptables -t nat -L.txt

iptables -vnL

iptables -vnL.txt

cat /proc/net/sockstat

sockstat.txt

cat /proc/net/arp

arp.txt

cat /proc/net/route

route.txt

cat /proc/net/dev

dev.txt

If netstat is installed:

Command

Output file

netstat -p

netstat -p.txt

netstat -s

netstat -s.txt

netstat -ie

netstat -ie.txt

netstat -tulpn

netstat -tulpn.txt

If not installed, then a backup command set:

Command

Output file

cat /proc/net/snmp*

snmp counters.txt

ss -p

programs and coresponding sockets.txt

ss -tulpn -4;ss -tulpn -6

all tcp and udp v6 connections.txt

If ifconfig is installed then:

ifconfig -a

ifconfig.txt

If not installed, then:

ip a s; ip -s link

interfaces counters and ip addresses.txt

Various system info bits

Command

Output file

w

active users.txt

lastlog

users and when logged in.txt

uname -a

uname -a.txt

last -adFi

last logged users and if remotely + ip address.txt

lshw -short

lshw.txt

dmesg

dmesg.txt

If lsb_release is installed:

lsb_release -a

lsb_release.txt

If not installed:

cat /etc/os-release

os-release.txt

Certificates

If one of the below folders exists the contents of the folder will be copied in the Certificates folder:

  • /etc/ssl/certs

  • /etc/pki/tls/certs

  • /etc/pki/CA/certs

Various files and info

Command

Output file

getent passwd | cut -d : -f 6 | sed 's:$:/.bash_history:'

all users bash history files.txt

Copy files from "all users rc files.txt"

Format for file "<user> <.bash_history>"

The below files will be copied in the folder:

  • /etc/host*

  • /etc/passwd

  • /etc/group

  • /etc/login.defs

  • /etc/sudoers*

  • /etc/shells

  • /etc/apt/sources.list*

  • /var/log/syslog

  • /var/log/messages

  • /var/log/auth.log

  • /var/log/secure

  • /var/log/boot.log

  • /var/log/utmp

  • /var/log/wtmp

  • /var/log/kern.log

  • /var/log/faillog

  • /var/log/cron

File listings

Command

Output file

ls -laR /

recursive listing.txt

tree / -d -L 2

recursivetree.txt

find / -maxdepth 2 -type d -print | sed -e "s;[^/]*/;|___;g;s;___|; |;g"

recursivetree2.txt

find / \( -type d -path /dev -o -path /sys -o -path /proc \) -prune -o -type f -size -5M -size +0M -exec sha256sum "{}" +

sha256sum for files under 5M.txt

Installed packages

The following commands will only be executed if the tool exists:

Command

Output file

apt list --installed

apt list.txt

dpkg -l

dpkg list.txt

dnf list installed

dnf list.txt

yum list installed

yum list.txt

rpm -qa

rpm list.txt

zypper search -i

zypper list.txt

Service specific logs

  • apache logs

    If apache logs are located directly in "/var/log/" then all files starting with "httpd-access.log" or "httpd-error.log" will be copied in the "Service specific logs" folder.

    If apache  does not have log files in  "/var/log/" and any of the below folders exist then they will be copied in the "Service specific logs" folder.

    • /var/log/httpd

    • /var/log/apache2

  • nginx logs

    Command

    Output file

    grep "_log " /etc/nginx/nginx.conf | awk '{print $2}'| tr -d \;

    nginx log paths.txt

    Copy all files that corespond to  the ones in "nginx log paths.txt"

    Their specific filename in nginx folder

  • vpn logs (openvpn, wireguard, ipsec/openswan etc)

    Command

    Output file

    cat /var/log/syslog* | grep -i vpn

    vpn logs.txt

An archive with the below content will be created:

  • a set of generic BEST logs (support tool archive)

  • Autoruns:

    • LaunchAgents

      • /Library/LaunchAgents/*

      • /System/Library/LaunchAgents/*

      • %%users.homedir%%/Library/LaunchAgents/*

    • LaunchDaemons

      • /Library/LaunchDaemons/*

      • /System/Library/LaunchDaemons/*

    • StartupItems

      • /Library/StartupItems/*

      • /System/Library/StartupItems/*

    • crontabs

    • LoginItems

  • Browser artefacts:

    • Preferences

    • History

    • Downloads

    • Extensions

    • Bookmarks

    • Info.plist

  • Process list

  • Network info:

    • open/listening connections (netstat -blant)

    • open/listening connections (netstat -blant)

    • /private/etc/pf.anchors

    • /private/etc/pf.conf

    • /private/etc/hosts

    • /private/var/run/resolv.conf

    • /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

    • /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

  • System Info

    • system_profiler

    • .bash_history &amp; .bash_sessions (all users)

    • /private/var/log/asl

    • /private/var/log/install.log

  • Recursive file listings for:

    • /Aplications

    • /Library

    • /System/Library/Caches

    • ../Library/Caches (all users)

    • ../Desktop (all users)

    • ../Documents (all users)

    • ../Downloads (all users)