donald — Live Response Collection tool by Thomas Kastner
Donald is a tool to collect forensic artifacts from hosts quickly, and securely and with minimal impact to the host.
Donald is heavily inspired by CYLR.
The main features are:
- Quick collection
- Raw file collection process does not use Windows API
- Collection of key artifacts by default.
- Ability to specify custom targets for collection.
- Acquisition of special and in-use files, including alternate data streams, system files, and hidden files.
- Glob and regular expression patterns are available to specify custom targets.
- Data is collected into a zip file.
- Output can be uploaded directly to a SFTP server.
Below is the output of donald:
$ donald -h
Usage of ./donald:
-c string
Add custom collection paths (one entry per line). NOTE: Please see CUSTOM_PATH_TEMPLATE.txt for an example.
-od string
Defines the directory that the zip archive will be created in. (default ".")
-of string
Defines the name of the zip archive created. (default "meiBook.local.zip")
-raw
Use raw NTFS access. Only supported on Windows. (default true)
-replace-paths
Replace the default collection paths with those specified via '-c FILE'.
-root value
Defines the search root path(s). If multiple root paths are given, they are traversed in order. (default "/")
-sftp-addr string
SFTP server address
-sftp-dir string
Defines the output directory on the SFTP server, as it may be a different location than the archive generated on disk. (default ".")
-sftp-file string
Defines the name of the zip archive created on the SFTP server. (default "meiBook.local.zip")
-sftp-pass string
SFTP password
-sftp-user string
SFTP username
All collection paths are case-insensitive. You can easily extend this list through the use of patterns as shown in CUSTOM_PATH_TEMPLATE.txt or by opening a pull request.
The standard list of collected artifacts is as follows.
System Root (ie C:\Windows):
Windows\Tasks\**Windows\Prefetch\**Windows\System32\sru\**Windows\System32\winevt\Logs\**Windows\System32\Tasks\**Windows\System32\Logfiles\W3SVC1\**Windows\Appcompat\Programs\**Windows\SchedLgU.txtWindows\inf\setupapi.dev.logWindows\System32\drivers\etc\hostsWindows\System32\config\SAMWindows\System32\config\SOFTWAREWindows\System32\config\SECURITYWindows\System32\config\SOFTWAREWindows\System32\config\SAM.LOG1Windows\System32\config\SOFTWARE.LOG1Windows\System32\config\SECURITY.LOG1Windows\System32\config\SOFTWARE.LOG1Windows\System32\config\SAM.LOG2Windows\System32\config\SOFTWARE.LOG2Windows\System32\config\SECURITY.LOG2Windows\System32\config\SOFTWARE.LOG2
Program Data (ie C:\ProgramData):
ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\**
Drive Root (ie C:)
$Recycle.Bin\**\$I*$Recycle.Bin\$I*$LogFile$MFT
User Profiles (ie C:\Users\*):
Users\*\NTUSER.DATUsers\*\NTUSER.DAT.LOG1Users\*\NTUSER.DAT.LOG2Users\*\AppData\Local\Microsoft\Windows\UsrClass.datUsers\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2Users\*\AppData\Local\Google\Chrome\User Data\Default\HistoryUsers\*\AppData\Local\Microsoft\Edge\User Data\Default\HistoryUsers\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txtUsers\*\AppData\Roaming\Microsoft\Windows\Recent\**Users\*\AppData\Local\Microsoft\Windows\WebCache\**Users\*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\**Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\**Users\*\AppData\Local\ConnectedDevicesPlatform\**Users\*\AppData\Local\Microsoft\Windows\Explorer\**
Note: Modern macOS systems have functionality that will prompt the user to approve on a per-application basis, access to sensitive locations on a system. This can be overridden by modifying the System Preferences to give the donald binary and its parent process (such as Terminal) full disk access.
System paths:
/etc/hosts.allow/etc/hosts.deny/etc/hosts/etc/passwd/etc/group/etc/rc.d/**/var/log/**/private/etc/rc.d/**/private/etc/hosts.allow/private/etc/hosts.deny/private/etc/hosts/private/etc/passwd/private/etc/group/private/var/log/**/System/Library/StartupItems/**/System/Library/LaunchAgents/**/System/Library/LaunchDaemons/**/Library/StartupItems/**/Library/LaunchAgents/**/Library/LaunchDaemons/**/.fseventsd/**
Libraries paths:
**/Library/*Support/Google/Chrome/Default/***/Library/*Support/Google/Chrome/Default/History***/Library/*Support/Google/Chrome/Default/Cookies***/Library/*Support/Google/Chrome/Default/Bookmarks***/Library/*Support/Google/Chrome/Default/Extensions/****/Library/*Support/Google/Chrome/Default/Extensions/Last***/Library/*Support/Google/Chrome/Default/Extensions/Shortcuts***/Library/*Support/Google/Chrome/Default/Extensions/Top***/Library/*Support/Google/Chrome/Default/Extensions/Visited*
User paths:
/root/.*history/Users/*/.*history
Other Paths:
**/places.sqlite***/downloads.sqlite*
System Paths:
/etc/hosts.allow/etc/hosts.deny/etc/hosts/etc/passwd/etc/group/etc/crontab/etc/cron.allow/etc/cron.deny/etc/anacrontab/etc/apt/sources.list/etc/apt/trusted.gpg/etc/apt/trustdb.gpg/etc/resolv.conf/etc/fstab/etc/issues/etc/issues.net/etc/insserv.conf/etc/localtime/etc/timezone/etc/pam.conf/etc/rsyslog.conf/etc/xinetd.conf/etc/netgroup/etc/nsswitch.conf/etc/ntp.conf/etc/yum.conf/etc/chrony.conf/etc/chrony/etc/sudoers/etc/logrotate.conf/etc/environment/etc/hostname/etc/host.conf/etc/fstab/etc/machine-id/etc/screen-rc/etc/rc.d/**/etc/cron.daily/**/etc/cron.hourly/**/etc/cron.weekly/**/etc/cron.monthly/**/etc/modprobe.d/**/etc/modprobe-load.d/**/etc/*-release/etc/pam.d/**/etc/rsyslog.d/**/etc/yum.repos.d/**/etc/init.d/**/etc/systemd.d/**/etc/default/**/var/log/**/var/spool/at/**/var/spool/cron/**/var/spool/anacron/cron.daily/var/spool/anacron/cron.hourly/var/spool/anacron/cron.weekly/var/spool/anacron/cron.monthly/boot/grub/grub.cfg/boot/grub2/grub.cfg/sys/firmware/acpi/tables/DSDT
User paths:
/root/.*history/root/.*rc/root/.*_logout/root/.ssh/config/root/.ssh/known_hosts/root/.ssh/authorized_keys/root/.selected_editor/root/.viminfo/root/.lesshist/root/.profile/root/.selected_editor/home/*/.*history/home/*/.ssh/known_hosts/home/*/.ssh/config/home/*/.ssh/autorized_keys/home/*/.viminfo/home/*/.profile/home/*/.*rc/home/*/.*_logout/home/*/.selected_editor/home/*/.wget-hsts/home/*/.gitconfig/home/*/.mozilla/firefox/*.default*/**/*.sqlite*/home/*/.mozilla/firefox/*.default*/**/*.json/home/*/.mozilla/firefox/*.default*/**/*.txt/home/*/.mozilla/firefox/*.default*/**/*.db*/home/*/.config/google-chrome/Default/History*/home/*/.config/google-chrome/Default/Cookies*/home/*/.config/google-chrome/Default/Bookmarks*/home/*/.config/google-chrome/Default/Extensions/**/home/*/.config/google-chrome/Default/Last*/home/*/.config/google-chrome/Default/Shortcuts*/home/*/.config/google-chrome/Default/Top*/home/*/.config/google-chrome/Default/Visited*/home/*/.config/google-chrome/Default/Preferences*/home/*/.config/google-chrome/Default/Login Data*/home/*/.config/google-chrome/Default/Web Data*
In general: some kind of administrative rights on the target (root, sudo, administrator,...).
Donald is a native binary that runs on Windows, Linux, and MacOS as a a self-contained executable. No external dependencies should be required (if so, please file a bug report).
donald.exe
./donald
donald.exe -od "C:\Temp\LRData"
donald.exe -od LRData
donald.exe -sftp-user username -sftp-pass password -sftp-addr 8.8.8.8
donald -od data -of important-data.zip
Donald allows for the specification of custom collection paths with the use of a configuration file provided after -c at the command line. A summary of the format is below, though full details are available within the targets\example.quack provided in the repository.
Collect a custom list of artifacts from a file containing paths. The sample requires a tab delimiter between pattern definition and pattern. Lines starting with # will be ignored:
# Static paths are fixed, case-insensitive paths to compare
# against files found on a system. This is the fastest search
# method available, please use when possible.
static C:\Windows\System32\Config\SAM
# Glob paths leverage glob patterns specified at `https://github.com/gobwas/glob`.
# This is faster than RegEx and should be favored unless more complex patterns
# are required. Useful for scanning for files by name or extension recursively.
# Also useful for collecting a folder recursively.
glob **\malware.exe
# Regex paths leverage the Go Regex capabilities and will search for
# specified patterns across accessible files. This is the slowest option and
# should be saved for unique use cases that are not supported by globbing.
regex .*\Windows\Temp\[a-z]{8}\+*
This can then be supplied to donald for a custom collection of just these paths:
donald.exe -c custom.txt --replace-paths=true
Collection of custom paths in addition to the default paths:
donald -c custom.txt --replace-paths=false
The custom collection path file allows for the specification of files to collect from a target system. The format is tab-delimited, where the first field is a pattern type indicator and the second field is the pattern to collect.
- NOTE: As previously mentioned, all collection paths are case-insensitive.
- NOTE: The path specifier needs to match the platform you are collecting from. For Windows, it must be
\, and/for macOS and Linux. - NOTE: You must use tabs to delimit the patterns. Spaces will not work. This means that spaces are allowed in the second field containing pattern content
There are 4 pattern types, summarized below:
- static
- This format allows for the specification of a specific file at a known path.
- This is the fastest pattern type, as it is performing a string comparison.
- Example:
static C:\Windows\System32\config\SAM
- glob
- This format allows the specification of basic patterns. Most commonly used to collect the contents of a folder, even recursively. Has a few common implementations, demonstrated in the examples below.
- While not as fast as static paths, it allows for some common pattern matching and is faster than leveraging regular expressions.
- Example:
glob C:\Users\*\ntuser.dat- collects the NTUser.dat from each user. - Example:
glob C:\**\malware.exe- collects files namedmalware.exeregardless of what folder they are in, recursively. - Example:
glob C:\Users\*\AppData\Microsoft\Windows\Recent\*.lnk- collects all files ending with.lnk - Example:
glob **\*malware*- collects all files recursively.
- regex
- Allows the specification of advanced patterns through Go's regular expression implementation.
- Example:
regex C:\[0-9]+.exe- collect all numeric-only executables in the root of theC:\drive.
- force
- Same as the static option, though will attempt collection even if the file is not identified in the file enumeration process.
- This is useful in the collection of alternate data streams and special files not generally exposed to directory traversal functions.
- Example:
force C:\$Extend\$UsnJrnl:$J
Donald binaries are available for download, and prebuilt for use on macOS, Linux, and Windows operating systems. The following operating systems were tested:
- Windows 11 Pro 22H2
- macOS 14.1.1
Please help to test Donald on more platforms
To build donald yourself, follow the below steps:
- Install Go on your platform
- Clone this repository
- Run
go getto fetch all dependencies - Run
go buildto build a binary for your platform
Special thanks to the original CyLR authors: