Build Your Own Simple Data Collection Tool From Endpoint

After a cyber incident, data must be collected to investigate and protect evidence. Collecting data is sensitive process, should not cause the target to collapse and data corruption. Therefore, We need to make minimum changes on the target system while collecting data.

It is necessary to automate the collection process to avoid situations like data corruption, system downing. Check these situations before collecting:

Is automation tested before?
Does it cause performance problems?
What to do if the system crashes?

Also a basic tool should be able to collect these data:

System time and date
Operating system
General system information
Users and groups list
Network details
Network connections
Services and software list
Drivers
Files
Active processes
Browser history
System configurations
ARP table, DNS cache

NOTE: If file transfer is necessary, hash information should also be sent to confirm that the file has not changed during the transfer. If you want to try what is written here in a SOC environment, you can register to the simulation for free on letsdefend.io.

We wanted to build my own automation and designed TCP client-server structure with Python.

Firstly, we found a code sample that can connect as admin and client

Then, created TCP socket for data acquisition on admin field

We prepared the Python codes (data.py) that listened to the client side (main.py) and create the data in line with the commands received.

If commands reaching the listener starts with “!”, it sending to getValue() function in the data.py file.

If the requested data is supported by the target, data collection begins. Requested data and commands executed for requested data.

Data	Command
System date and time	date
Operating system	cat /etc/issue
Kernel version	uname -a
Uptime	w
Users	cat /etc/passwd
Groups	cat /etc/group
Network connections	netstat -anp
Drivers	lsmod
Network interfaces	ifconfig -a
Routing table	netstat -rn