Joe Vest, James Tubberville, Red Team Development and Operations
Automated Data Collection
Where available, the Red Team should leverage the use of tools and scripts to capture and consolidate engagement data.
Automated data collection alone will never be sufficient to capture the details required of a well-written final report; however, it can be useful in capturing the raw data needed to validate activities, reproduce results, and support recommendations. Automated collection, if employed properly, complements the Red Team workflow and enables the operator to continue operations while manually capturing the data pertinent to the activity performed.
Terminal Logs
All Red Team engagement systems should have automated collection of raw terminal/console data.
Each command should be prefixed with the operator's IP address and UTC timestamp. While there are many methods of automating this tagging and collection (TMUX, Script, Screen, etc.), it is more important that the data is accurately captured than that it is captured in any particular manner. Simply saving these tagged logs to a location such as /root/logs/terminal/ can significantly simplify the consolidation of terminal logs.
Commercial Tools
Most commercial tools used for penetration testing or Red Teaming inherently have some level of logging capability. Some have the ability to redirect log outputs to a specific location, while others require the operator to trigger log generation. In either case, it is recommended that these logs be captured and stored in a location such as /root/logs/commercial_tool/.
Custom Tools
Any capable Red Team will have custom tools either generated for all events or created for a specific engagement. These tools should leverage the ability to create logs during execution. When building these tools, the Red Team should consider capturing all data required of the Operator Log and quite possibly creating log entries in the process. Each data point should be captured in the same YYYYMMDD_HHMM_IP_Description format (for example, 20170308_151312_UTC.terminal.log.raw).
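The tagged terminal logging described under Terminal Logs and the file naming convention from Custom Tools, as an added bash example that is not from the book: every interactive command is prefixed with the operator's IP and a UTC timestamp and appended to a per-session file under /root/logs/terminal/. The rt_* function names, the RT_* variables, the sample IP and the exact timestamp layout are assumptions; the date calls are GNU date.

```shell
#!/usr/bin/env bash
# Added example (not from the book): tag each command with operator IP and
# UTC timestamp and append it to a session log named in the book's
# YYYYMMDD_HHMM_IP_Description style. rt_* names and RT_* vars are assumed.

RT_LOG_DIR="${RT_LOG_DIR:-/root/logs/terminal}"   # override for testing
RT_OPERATOR_IP="${RT_OPERATOR_IP:-192.0.2.10}"    # constructed sample IP

# Build a log file name: YYYYMMDD_HHMM_IP_Description.log.raw
# $1 = UTC epoch seconds of session start, $2 = operator IP, $3 = description
rt_logfile_name() {
    local stamp
    stamp=$(date -u -d "@$1" +%Y%m%d_%H%M)
    printf '%s_%s_%s.log.raw\n' "$stamp" "$2" "$3"
}

# Produce one tagged log line: "<ip> <UTC timestamp> <command>".
# $1 = epoch seconds the command ran, $2 = operator IP, $3 = command text
rt_tag_line() {
    local ts
    ts=$(date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ)
    printf '%s %s %s\n' "$2" "$ts" "$3"
}

# Append the tagged command to this session's log (created on first use)
# and print the log path. $1 = epoch seconds, $2 = command text.
# Requires RT_SESSION_START (epoch seconds) so all lines share one file.
rt_log_command() {
    local file
    mkdir -p "$RT_LOG_DIR"
    file="$RT_LOG_DIR/$(rt_logfile_name "$RT_SESSION_START" "$RT_OPERATOR_IP" terminal)"
    rt_tag_line "$1" "$RT_OPERATOR_IP" "$2" >> "$file"
    printf '%s\n' "$file"
}

# Interactive hook: source this file in the operator's bash session and
# call rt_enable_logging; each prompt then records the last history entry
# (an empty Enter re-logs the previous command, which is harmless noise).
rt_enable_logging() {
    RT_SESSION_START=$(date -u +%s)
    PROMPT_COMMAND='rt_log_command "$(date -u +%s)" "$(HISTTIMEFORMAT= history 1 | sed "s/^ *[0-9]* *//")" >/dev/null'
}
```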
