Enhanced sydi collector tools & the awdit collector

The SYDI project is an Open Source project aimed at helping network administrators document their network. It uses a series of VBScript files to collect system data which is captured in XML and then transcoded into a variety of other formats. The project's homepage has a lot more information. We've been working with SYDI to capture data for our IT management tool, awdit (currently in beta), and in the process have come across and resolved a few issues in the stock SYDI scripts. In the interests of keeping it open, we've patched our changes back into a fork of SYDI on GitHub, and are freely releasing our native client for personal and internal business use.

Updated SYDI server collector script

Users can download the updated SYDI server collector script here. We've taken version 2.3 and patched in better support for date handling alongside an upload function to send data to awdit. However, we've come up with an option that works much better for us...

SYDI-compatible awdit collector scripts for x86 and x64

The awdit collector for Windows collects the same data as the original SYDI script and can save or upload it in SYDI XML format. Our native binaries have the following benefits over the original VBScript:

  • Much faster, multithreaded collection of data
  • Native, secure, digitally signed .exe format which is smaller and easier to run, with an optional x64 binary for even faster operation on newer machines
  • Dates from installed software are better normalised to easily readable formats (although there is still a lot of variation to be found in the registry)
  • Where dates aren't present in the registry, we provide an approximate date from the installed file, and prefix the date value with a tilde (~) to indicate the value is approximate
  • XML output is nicely formatted
  • A number of quirks on virtualised systems have been ironed out
  • Application architecture is reported in a new architecture attribute in `regapplication` or `msiapplication` tags
  • Install locale and language settings are reported in a new `language` attribute
  • Product keys are more reliably collected
  • Simplified arguments which are also displayed when double-clicking the file in Explorer
  • New TSR (terminate and stay resident) mode where the collector can be left running and can automatically generate new XML every few days as configured
  • No nasty spyware, malware, calling home, etc.

None of the changes has broken compatibility with the original scripts or XSLT, so the new client can be used in environments previously running the VBScript version. At its simplest, you could use the awdit collector to dump XML for your machine like so:

$ awdit-collector-win-x86.exe --file=my-machine.xml

Downloads

Please do send us your feedback on this tool -- we'd love to hear it!

  • awdit Collector for Windows (x86, x64 version 0.61)

Running the collector over a network

There are a number of approaches to running the awdit or SYDI collectors across a network. TSR mode can work well on servers, and advanced users can use Group Policy to schedule periodic launches of the tool. We'll be sharing the best practices we've learnt. In the meantime, we detail what is possibly the simplest approach below: Group Policy can be used on a domain to make every domain client run the relevant script file as part of the user's logon process.

  1. Open Group Policy Editor on your domain controller and load up your default domain policy (or create a new domain policy if that is more appropriate)
  2. Expand User Configuration | Windows Settings | Scripts (logon/logoff) and double-click the Logon option in the right-hand pane.
  3. Click the Add button and either browse to or paste in the path to the run-sydi-network.vbs file in the Script Name box. The Browse button opens the policy's own Scripts folder in SYSVOL, which is where the file should normally live so that every client can read it at logon.
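The page does not show the contents of run-sydi-network.vbs, so the following is an added PowerShell example of what such a logon-script wrapper can look like; it is not the project's own script. Before it runs the collector it checks the Authenticode signature that the feature list above relies on, pins the signer and optionally the file hash, and then calls the binary with the `--file=` argument from the page, writing one XML file per machine. Every share path, the certificate subject pattern and the hash value are assumptions for the example and must be replaced with your own values. (A `.ps1` can be added to a GPO on the PowerShell Scripts tab of the same Logon properties dialog on Windows 7 / Server 2008 R2 and later.)

```powershell
# Added example, not the awdit/SYDI project's run-sydi-network.vbs.
# Verifies the collector binary on a share before running it and writes
# one SYDI XML file per machine. All paths, the signer subject and the hash
# below are assumptions; only the --file= switch comes from the page.

$Collector       = '\\fileserver\tools$\awdit-collector-win-x86.exe'  # assumed read-only share
$OutputDir       = '\\fileserver\inventory$'                          # assumed drop share
$ExpectedSubject = 'CN=Reincubate*'   # assumed; copy the real subject from the certificate you inspected
$ExpectedSha256  = $null              # optional: SHA-256 of a copy you verified by hand

function Test-CollectorTrusted {
    param([string]$Path)

    # 1. The file must carry an intact signature that chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed for $Path : $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # 2. 'Valid' only proves that *some* trusted publisher signed it; pin the signer too.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $ExpectedSubject) {
        Write-Warning "Unexpected signer '$subject' (expected '$ExpectedSubject')"
        return $false
    }

    # 3. Optionally pin the exact build so a re-signed different binary on the share is refused.
    if ($ExpectedSha256) {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "SHA-256 mismatch for $Path : got $hash"
            return $false
        }
    }
    return $true
}

if (-not (Test-CollectorTrusted -Path $Collector)) {
    exit 1   # never run an unverified binary pulled from a share
}

# One output file per machine, named after the computer account.
$OutFile = Join-Path -Path $OutputDir -ChildPath ("{0}.xml" -f $env:COMPUTERNAME)

$proc = Start-Process -FilePath $Collector -ArgumentList "--file=`"$OutFile`"" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Warning "Collector exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}
```

Two things to keep in mind when deploying it this way. A script under User Configuration runs with the logged-on user's privileges, so some of the data the collector gathers (product keys in particular) may be unreadable for a standard user; a Computer Configuration startup script runs as SYSTEM and avoids that, at the cost of running at boot rather than logon. Whichever you choose, give the drop share only the rights the job needs: users should be able to create files but not read or overwrite other machines' output, since the XML contains software inventory and licence data. `Get-FileHash` needs PowerShell 4.0 or later; the signature check works on PowerShell 2.0 upwards.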

About the author

Aidan founded Reincubate in 2008 after building the world's first iPhone data recovery tool, iPhone Backup Extractor. He’s led Reincubate to win the UK’s highest business honour twice, has spoken at Google on entrepreneurship, and is a graduate of the Entrepreneurs’ Organisation’s Leadership Academy.

His work has been cited in over 20 academic papers on forensics and mobile data, including "iPhone 3GS Forensics: Logical Analysis Using Apple iTunes Backup Utility" (Bader, M & Baggli, I, 2010), "iOS Forensic Investigative Methods" (Zdziarski, J, 2013), "Overcoming Forensic Implications with Enhancing Security in iOS" (Gangula, MR, 2019), and "Direct Message Extraction for Automatic Emotional Inference and Drug Detection" (Fong, G, 2019).

Earlier in his career, he served as CTO at Wiggle through to its $230m breakout exit. Aidan is an occasional investor, and published "So, you want to work in tech?" in 2016.

Reincubate's CEO at Buckingham Palace

Pictured left are members of Reincubate’s team meeting HM Queen Elizabeth Ⅱ at Buckingham Palace, after being awarded the UK’s highest business award for our work with Apple technology.


© 2008 - 2020 Reincubate Ltd. All rights reserved. Registered in England and Wales #5189175, VAT GB151788978. Reincubate® is a registered trademark. Privacy policy & terms. We recommend 2FA. Built with ♥ in London.