Investigation Package data
Caution
Be aware that some of the information collected in investigation packages from the users' workstations qualifies as personal data.
Make sure you perform your due diligence to safeguard sensitive user information and inform your users about the collection in compliance with local laws on user data privacy.
For Windows endpoints, an Investigation Package compiles the following logs and data into a downloadable archive:
Bitdefender Endpoint Security Tools (BEST) product logs
Windows Event Logs
System Info
Registry hive files from:
%SystemRoot%\System32\Config: SOFTWARE, SYSTEM, DEFAULT, DRIVERS, SAM, SECURITY (including the .LOG1 and .LOG2 transaction log files)
%SystemDrive%\Users: NTUSER.DAT, NTUSER.DAT.LOG1, NTUSER.DAT.LOG2
amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)
shimcache (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache)
prefetch (C:\WINDOWS\Prefetch)
Net info:
ActiveNetConnections (C:\WINDOWS\system32\netstat.exe -abno)
AddressResolutionProtocolCache (C:\WINDOWS\system32\arp.exe -a)
DnsCache (C:\WINDOWS\system32\ipconfig.exe /displaydns)
SmbInboundSessions (C:\WINDOWS\system32\net.exe session)
SmbOutboundSessions (mapped network drives from the per-user registry hives):
HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-500\Network
HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-1001\Network
HKEY_USERS\S-1-5-21-1272178354-3831401975-2086234833-504\Network
FirewallLogs:
C:\WINDOWS\system32\cmd.exe /C "for /f "tokens=2 delims= " %F in ('Get-NetFirewallProfile ^| findstr FileName') do cmd /C xcopy /F /Y /Q "%F" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\" & cmd /C move "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\..\pfirewall.log" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\Network Connections\pfirewall.log""
Temp Dir Files (listing with details for all users and the system):
dir /a /n /q /r /s
ScheduledTasks (C:\WINDOWS\system32\schtasks.exe /query /v /fo CSV)
Powershell history (if enabled)
Webcache (%LOCALAPPDATA%\Microsoft\Windows\WebCache)
WdSupportLogs:
C:\WINDOWS\system32\cmd.exe /C ""%ProgramFiles%\Windows Defender\mpcmdrun.exe" -GetFiles & copy "%programdata%\Microsoft\Windows Defender\Support\MPSupportFiles.cab" "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CollectedData\913d3b5c-9d98-447d-a554-40a381104d01\WdSupportLogs""
Users and Groups (listing of all local users and groups):
net user; net localgroup
Groups membership listing:
for /f "delims=" %x in ('net localgroup ^|find ""') do net localgroup "%x"
Current logged-in users:
query user
SRUDB (System Resource Usage Monitor database):
C:\Windows\System32\sru
Background Activity Moderator:
HKLM\SYSTEM\ControlSet001\Services\bam
wbem repository:
%windir%\System32\Wbem\Repository
Forensic data collection report in CSV format:
CSV header: | Timestamp | Name | Command | Command Execution Status | Command Exit Code | Destination Path |
Note
The forensic data gathering operation will skip items that are locked or do not exist. Depending on the operating system version and system configuration, some items could be missing or be uncollectable.
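The note above means that a package is rarely complete, so the first triage step is to read the collection report and see which items were skipped. As an added helper (not part of the Bitdefender package or its documentation), the Python below parses the report in either the Windows layout (Timestamp, Name, Command, ...) shown above or the Linux ForensicArtefacts layout (Current Time, Command Name, Command Line, ...) described in the next section and lists the failed items. The success vocabulary and the sample rows are assumptions constructed for the example; the page does not define the status values.

```python
import csv
import io

# Report headers as documented for the Windows and Linux packages.
WINDOWS_HEADER = ["Timestamp", "Name", "Command", "Command Execution Status",
                  "Command Exit Code", "Destination Path"]
LINUX_HEADER = ["Current Time", "Command Name", "Command Line", "Status",
                "Error", "Output file"]
# Both layouts carry the same six fields in the same order, so one key set fits.
KEYS = ("time", "name", "command", "status", "error", "output")
# Assumed success vocabulary; the page does not define the status values.
SUCCESS_STATUS = {"success", "ok", "completed"}

# Constructed sample reports in the two layouts (not real package output).
WINDOWS_SAMPLE = r"""Timestamp,Name,Command,Command Execution Status,Command Exit Code,Destination Path
2024-01-01T10:00:00,ScheduledTasks,C:\WINDOWS\system32\schtasks.exe /query /v /fo CSV,Success,0,ScheduledTasks\tasks.csv
2024-01-01T10:00:02,Powershell history,copy ConsoleHost_history.txt,Failed,1,
"""
LINUX_SAMPLE = """Current Time,Command Name,Command Line,Status,Error,Output file
2024-01-01 10:00:00,netstat -tulpn,netstat -tulpn,Success,,Network info/netstat -tulpn.txt
2024-01-01 10:00:01,lsb_release,lsb_release -a,Failed,command not found,Various system info bits/lsb_release.txt
"""


def parse_report(text):
    """Parse a report in either layout into a list of dicts keyed by KEYS."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header not in (WINDOWS_HEADER, LINUX_HEADER):
        raise ValueError("unrecognised report header: %r" % (header,))
    # Skip blank or truncated lines rather than guessing at missing columns.
    return [dict(zip(KEYS, rec)) for rec in reader if len(rec) == len(KEYS)]


def failed_items(rows):
    """Names of items that were skipped or failed (locked, missing, tool absent)."""
    failed = []
    for row in rows:
        # Not a success word, or a non-empty / non-zero error or exit code.
        bad_status = row["status"].strip().lower() not in SUCCESS_STATUS
        bad_error = row["error"].strip() not in ("", "0")
        if bad_status or bad_error:
            failed.append(row["name"])
    return failed


def summarize(text):
    rows = parse_report(text)
    return {"total": len(rows), "failed": failed_items(rows)}
```

Run summarize() on the report found in the archive before trusting an absence of evidence: an item listed as failed (for example a locked NTUSER.DAT or a missing tool) was never collected.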
For Linux endpoints, an archive is created with two folders:
SupportTool (contains basic logs from the BEST client)
ForensicArtefacts
The ForensicArtefacts folder contains a CSV file with the header "Current Time,Command Name,Command Line,Status,Error,Output file" and the folders below:
Autoruns and services

| Command | Output file |
|---|---|
| | systemctl unit files.txt |
| | systemds service files description.txt |
| | loaded systemd units.txt |
| | list of rc folders.txt |
| | list of init files.txt |
| | list of cron folders.txt |
| Copy all files and folders from the list files above | |
| | all users rc files.txt |
| Copy files from "all users rc files.txt" | Format for file "<user> <*rc>" |
Network info

| Command | Output file |
|---|---|
| | iptables -t nat -L.txt |
| | iptables -vnL.txt |
| | sockstat.txt |
| | arp.txt |
| | route.txt |
| | dev.txt |

If netstat is installed:

| Command | Output file |
|---|---|
| | netstat -p.txt |
| | netstat -s.txt |
| | netstat -ie.txt |
| | netstat -tulpn.txt |

If netstat is not installed, a backup command set is used:

| Command | Output file |
|---|---|
| | snmp counters.txt |
| | programs and coresponding sockets.txt |
| | all tcp and udp v6 connections.txt |

If ifconfig is installed:

| Command | Output file |
|---|---|
| | ifconfig.txt |

If ifconfig is not installed:

| Command | Output file |
|---|---|
| | interfaces counters and ip addresses.txt |
Various system info bits

| Command | Output file |
|---|---|
| | active users.txt |
| | users and when logged in.txt |
| | uname -a.txt |
| | last logged users and if remotely + ip address.txt |
| | lshw.txt |
| | dmesg.txt |

If lsb_release is installed:

| Command | Output file |
|---|---|
| | lsb_release.txt |

If lsb_release is not installed:

| Command | Output file |
|---|---|
| | os-release.txt |
Certificates
If any of the folders below exists, its contents are copied into the Certificates folder:
/etc/ssl/certs
/etc/pki/tls/certs
/etc/pki/CA/certs
Various files and info

| Command | Output file |
|---|---|
| | all users bash history files.txt |
| Copy files from "all users rc files.txt" | Format for file "<user> <.bash_history>" |

The following files are copied into the folder:
/etc/host*
/etc/passwd
/etc/group
/etc/login.defs
/etc/sudoers*
/etc/shells
/etc/apt/sources.list*
/var/log/syslog
/var/log/messages
/var/log/auth.log
/var/log/secure
/var/log/boot.log
/var/log/utmp
/var/log/wtmp
/var/log/kern.log
/var/log/faillog
/var/log/cron
File listings

| Command | Output file |
|---|---|
| | recursive listing.txt |
| | recursivetree.txt |
| | recursivetree2.txt |
| | sha256sum for files under 5M.txt |

Installed packages
The following commands are only executed if the corresponding tool exists:

| Command | Output file |
|---|---|
| | apt list.txt |
| | dpkg list.txt |
| | dnf list.txt |
| | yum list.txt |
| | rpm list.txt |
| | zypper list.txt |
Service specific logs
apache logs
If the apache logs are located directly in "/var/log/", all files starting with "httpd-access.log" or "httpd-error.log" are copied into the "Service specific logs" folder.
If apache has no log files in "/var/log/" and any of the folders below exist, they are copied into the "Service specific logs" folder.
/var/log/httpd
/var/log/apache2
nginx logs
Command: grep "_log " /etc/nginx/nginx.conf | awk '{print $2}'| tr -d \;
Output file: nginx log paths.txt
Command: Copy all files that correspond to the paths listed in "nginx log paths.txt"
Output file: each file keeps its original filename, in the nginx folder
vpn logs (openvpn, wireguard, ipsec/openswan etc.)
Command: cat /var/log/syslog* | grep -i vpn
Output file: vpn logs.txt
For macOS endpoints, an archive with the content below is created:
a set of generic BEST logs (support tool archive)
Autoruns:
LaunchAgents
/Library/LaunchAgents/*
/System/Library/LaunchAgents/*
%%users.homedir%%/Library/LaunchAgents/*
LaunchDaemons
/Library/LaunchDaemons/*
/System/Library/LaunchDaemons/*
StartupItems
/Library/StartupItems/*
/System/Library/StartupItems/*
crontabs
LoginItems
Browser artefacts:
Preferences
History
Downloads
Extensions
Bookmarks
Info.plist
Process list
Network info:
open/listening connections (netstat -blant)
/private/etc/pf.anchors
/private/etc/pf.conf
/private/etc/hosts
/private/var/run/resolv.conf
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
System Info
system_profiler
.bash_history & .bash_sessions (all users)
/private/var/log/asl
/private/var/log/install.log
Recursive file listings for:
/Applications
/Library
/System/Library/Caches
../Library/Caches (all users)
../Desktop (all users)
../Documents (all users)
../Downloads (all users)