This script is designed to perform a forensic triage on Ubuntu-style Linux operating systems. It collects various types of system information, logs, and other relevant data that can be used for initial forensic analysis.
- Date and Time: Current date and time of the system.
- Uptime: System uptime.
- Hostname: System's hostname.
- Kernel Version: Version of the Linux kernel.
- System Information: Hardware and system information.
- Current Users: Users currently logged into the system.
- Logged in Users: List of users currently logged in.
- Last Logins: History of user logins.
- User List: List of all user accounts on the system.
- User Groups: List of all user groups and their members.
- Sudoers Configuration: Contents of the sudoers file.
- Running Processes: List of all running processes.
- Top Processes: Snapshot of the top processes by resource usage.
- Network Interfaces: Configuration and status of network interfaces.
- Active Connections: List of active network connections and listening ports.
- ARP Cache: ARP cache entries.
- Routing Table: System's routing table.
- Firewall Rules (iptables): Current iptables rules.
- Firewall Rules (ufw): Current ufw rules.
- Mounted File Systems: Information about mounted file systems.
- Disk Usage: Disk usage summary for user directories.
- Open Files: List of all open files on the system.
- Recently Modified Files: List of recently modified files in critical directories.
- Large Files: List of large files on the system.
- System Log:
/var/log/syslog - Authentication Log:
/var/log/auth.log - Kernel Log:
/var/log/kern.log - Message Buffer Log:
/var/log/dmesg - Secure Log:
/var/log/secure - Failed Login Log:
/var/log/faillog
- Cron Jobs: List of scheduled cron jobs for all users.
- Cron Directories: Contents of cron directories.
- Network Configuration: Network interfaces configuration (
/etc/network/interfaces). - Hosts File: System hosts file (
/etc/hosts). - DNS Resolver Configuration: DNS resolver configuration (
/etc/resolv.conf). - Services: Status of all services on the system.
- Loaded Kernel Modules: List of currently loaded kernel modules.
- Systemd Services: List and status of systemd services.
- Apache Logs: Logs from Apache web server.
- Nginx Logs: Logs from Nginx web server.
- MySQL Logs: Logs from MySQL database.
- PostgreSQL Logs: Logs from PostgreSQL database.
- PAM Configuration: Pluggable Authentication Modules (PAM) configuration.
- Failed Login Attempts: Detailed logs of failed login attempts.
- SSH Configuration: Contents of SSH configuration files.
-
Save the script to a file, e.g.,
forensics_triage.sh. -
Make the script executable:
chmod +x triage.sh
-
Run the script with sudo to ensure it has the necessary permissions:
sudo ./triage.sh
The script saves the collected data in a directory named forensics_YYYYMMDDHHMMSS located in /tmp, where YYYYMMDDHHMMSS is the timestamp of when the script was run. All collected data is stored in this directory for further analysis.
This script is intended for use in a controlled forensic investigation environment. Use it responsibly and ensure you have appropriate permissions to collect and analyze system data.