Thank you to everyone who suggested artefacts that Cado Host should collect.

If there are any artefacts you think we are missing, please let us know.

Cado Host collects the following artefacts on Linux and OSX, where available:

  • .bash_history
  • .ssh/known_hosts
  • /.fseventsd
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/Preferences/SystemConfiguration
  • /Library/Receipts/InstallHistory.plist
  • /Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /System/Library/StartupItems
  • /etc/group
  • /etc/hosts
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/httpd/logs/
  • /etc/passwd
  • /etc/rc.d
  • /etc/utmp
  • /private/var/log/
  • /root/.bash_history
  • /var/adm/wtmp
  • /var/db/application_usage.sqlite
  • /var/log
  • /var/run/utmp
  • /var/run/wtmp

Cado Host collects the following artefacts on Windows, where available:

  • Running Processes
  • Active Network Connections
  • $MFT
  • ALLUSERSPROFILE\McAfee\DesktopProtection\AccessProtectionLog.txt
  • APPDATA\LocalLow\Sun\Java\Deployment\cache\6.0
  • APPDATA\Local\Apple Computer\Safari\Cookies\Cookies.binarycookies
  • APPDATA\Local\ConnectedDevicesPlatform
  • APPDATA\Local\Google\Chrome\User Data\Default\Extensions
  • APPDATA\Local\Google\Chrome\User Data\Default\History
  • APPDATA\Local\Google\Chrome\User Data\Default\Web Data
  • APPDATA\Local\Microsoft\Windows\Explorer
  • APPDATA\Local\Microsoft\Windows\FileHistory\Configuration
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG1
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG2
  • APPDATA\Local\Microsoft\Windows\WebCache
  • APPDATA\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • APPDATA\Roaming\Microsoft\Windows\Recent
  • APPDATA\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
  • APPDATA\Roaming\Mozilla\Firefox\Profiles\
  • APPDATA\Roaming\Opera\Opera\global_history.dat
  • APPDATA\Roaming\Opera\Opera\typed_history.xml
  • NTUSER.DAT
  • NTUSER.DAT.LOG1
  • NTUSER.DAT.LOG2
  • PROGRAMDATA\McAfee\DesktopProtection\AccessProtectionLog.txt
  • PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Startup
  • SYSTEMROOT\AppCompat\Programs\AmCache.hve
  • SYSTEMROOT\Prefetch
  • SYSTEMROOT\SchedLgU.Txt
  • SYSTEMROOT\System32\Config\AppEvent.evt
  • SYSTEMROOT\System32\Config\SecEvent.evt
  • SYSTEMROOT\System32\Config\SysEvent.evt
  • SYSTEMROOT\System32\LogFiles\W3SVC1
  • SYSTEMROOT\System32\Tasks
  • SYSTEMROOT\System32\config\SAM
  • SYSTEMROOT\System32\config\SAM.LOG1
  • SYSTEMROOT\System32\config\SAM.LOG2
  • SYSTEMROOT\System32\config\SECURITY
  • SYSTEMROOT\System32\config\SECURITY.LOG1
  • SYSTEMROOT\System32\config\SECURITY.LOG2
  • SYSTEMROOT\System32\config\SOFTWARE
  • SYSTEMROOT\System32\config\SOFTWARE.LOG1
  • SYSTEMROOT\System32\config\SOFTWARE.LOG2
  • SYSTEMROOT\System32\config\SYSTEM
  • SYSTEMROOT\System32\config\SYSTEM.LOG1
  • SYSTEMROOT\System32\config\SYSTEM.LOG2
  • SYSTEMROOT\System32\drivers\etc\hosts
  • SYSTEMROOT\System32\sru
  • SYSTEMROOT\System32\winevt\logs
  • SYSTEMROOT\Tasks
  • SYSTEMROOT\inf\setupapi.dev.log
  • SYSTEMROOT\inf\setupapi.log
  • inetpub\logs\LogFiles