Collected Artifacts
Cado Host collects a number of artifacts by default, based on the operating system. Note that you can configure additonal files and folders to be collected by defining the --additional_files parameter when running Cado Host. See the --additional_files
Command Line Parameters for more details.
Volatile Data
Cado Host collects the following volatile data available at the time Cado Host is executed
- Data about running processes
- Memory of running proccesses on a per-process basis (note - memory collection on Windows is disabled by default; see Command Line Parameters )
- Netstat data of active connections
- The contents of open files - for example running binaries
Linux and OSX
Cado Host collects the following artifacts on Linux and OSX, when available:
- .bash_history
- .ssh/known_hosts
- /.fseventsd
- /Library/LaunchAgents
- /Library/LaunchDaemons
- /Library/Preferences/SystemConfiguration
- /Library/Receipts/InstallHistory.plist
- /Library/StartupItems
- /System/Library/LaunchAgents
- /System/Library/LaunchDaemons
- /System/Library/StartupItems
- /etc/group
- /etc/hosts
- /etc/hosts.allow
- /etc/hosts.deny
- /etc/httpd/logs/
- /etc/passwd
- /etc/rc.d
- /etc/utmp
- /private/var/log/
- /root/.bash_history
- /var/adm/wtmp
- /var/db/application_usage.sqlite
- /var/log
- /var/run/utmp
- /var/run/wtmp
Windows
Cado Host collects the following artifacts on Windows, when available:
- Running Processes
- Active Network Connections
- $MFT
- ALLUSERSPROFILE\McAfee\DesktopProtection\AccessProtectionLog.txt
- APPDATA\LocalLow\Sun\Java\Deployment\cache\6.0
- APPDATA\Local\Apple Computer\Safari\Cookies\Cookies.binarycookies
- APPDATA\Local\ConnectedDevicesPlatform
- APPDATA\Local\Google\Chrome\User Data\Default\Extensions
- APPDATA\Local\Google\Chrome\User Data\Default\History
- APPDATA\Local\Google\Chrome\User Data\Default\Web Data
- APPDATA\Local\Microsoft\Windows\Explorer
- APPDATA\Local\Microsoft\Windows\FileHistory\Configuration
- APPDATA\Local\Microsoft\Windows\UsrClass.dat
- APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG1
- APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG2
- APPDATA\Local\Microsoft\Windows\WebCache
- APPDATA\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- APPDATA\Roaming\Microsoft\Windows\Recent
- APPDATA\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
- APPDATA\Roaming\Mozilla\Firefox\Profiles\
- APPDATA\Roaming\Opera\Opera\global_history.dat
- APPDATA\Roaming\Opera\Opera\typed_history.xml
- NTUSER.DAT
- NTUSER.DAT.LOG1
- NTUSER.DAT.LOG2
- PROGRAMDATA\McAfee\DesktopProtection\AccessProtectionLog.txt
- PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Startup
- SYSTEMROOT\AppCompat\Programs\AmCache.hve
- SYSTEMROOT\Prefetch
- SYSTEMROOT\SchedLgU.Txt
- SYSTEMROOT\System32\Config\AppEvent.evt
- SYSTEMROOT\System32\Config\SecEvent.evt
- SYSTEMROOT\System32\Config\SysEvent.evt
- SYSTEMROOT\System32\LogFiles\W3SVC1
- SYSTEMROOT\System32\Tasks
- SYSTEMROOT\System32\config\SAM
- SYSTEMROOT\System32\config\SAM.LOG1
- SYSTEMROOT\System32\config\SAM.LOG2
- SYSTEMROOT\System32\config\SECURITY
- SYSTEMROOT\System32\config\SECURITY.LOG1
- SYSTEMROOT\System32\config\SECURITY.LOG2
- SYSTEMROOT\System32\config\SOFTWARE
- SYSTEMROOT\System32\config\SOFTWARE.LOG1
- SYSTEMROOT\System32\config\SOFTWARE.LOG2
- SYSTEMROOT\System32\config\SYSTEM
- SYSTEMROOT\System32\config\SYSTEM.LOG1
- SYSTEMROOT\System32\config\SYSTEM.LOG2
- SYSTEMROOT\System32\drivers\etc\hosts
- SYSTEMROOT\System32\sru
- SYSTEMROOT\System32\winevt\logs
- SYSTEMROOT\Tasks
- SYSTEMROOT\inf\setupapi.dev.log
- SYSTEMROOT\inf\setupapi.log
- inetpub\logs\LogFiles