Question 1

How to add custom artifacts to CyLR collection?

Accepted Answer

Use a tab-delimited configuration file with -c or -d flags, specifying patterns as static, glob, or regex. The README provides a template in CUSTOM_PATH_TEMPLATE.txt with examples for different pattern types.

Question 2

CyLR vs KAPE: which is better for Windows forensics?

Accepted Answer

CyLR excels in cross-platform support and minimal host impact via raw NTFS reads, while KAPE offers more Windows-specific artifacts and modular processing. Choose CyLR for mixed environments, KAPE for deep Windows focus.

Question 3

Does CyLR collect memory dumps or only files?

Accepted Answer

CyLR focuses on file system artifacts like logs, registries, and browser history; it does not collect memory dumps. You'll need separate tools like WinPMEM for memory forensics alongside CyLR.

Question 4

How to bypass macOS permissions for CyLR?

Accepted Answer

Grant full disk access in System Preferences to both the CyLR binary and its parent process (e.g., Terminal). The README notes this is necessary for collecting sensitive locations on modern macOS.

Question 5

What's the difference between -c and -d flags in CyLR?

Accepted Answer

-c collects only custom paths from the config file, while -d collects both custom paths and CyLR's default artifacts. Use -d when you want to supplement, not replace, the standard collection.

Question 6

Can CyLR run without administrative privileges?

Accepted Answer

No, CyLR requires administrative rights (root, sudo, or administrator) to access system files and artifacts, as stated in the DEPENDENCIES section for raw filesystem reads.

CyLR

What is CyLR?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions