Fulco edited this page Sep 13, 2024 · 2 revisions

BlueLinuxTriage

A comprehensive and optimized Bash script for performing forensic triage on Linux systems.

Introduction

In incident response and forensic investigations, timely and comprehensive data collection is crucial. This script automates the process of gathering essential forensic data from a Linux system, aiding investigators in analyzing system states, user activities, network configurations, and more.

Features

  • Collects comprehensive system information.
  • Gathers user and group details, including sudoers configuration.
  • Retrieves running processes and top resource-consuming processes.
  • Captures detailed network configurations and active connections.
  • Collects file system details and recently modified files.
  • Copies critical log files for analysis.
  • Retrieves scheduled tasks from cron.
  • Captures system configurations, including services and kernel modules.
  • Collects logs from common applications like Apache, Nginx, MySQL, and PostgreSQL.
  • Gathers SSH configuration details.
  • Provides error handling and logs any issues encountered during execution.
  • Compresses the collected data into a zip archive for easy transfer.

Prerequisites

  • Root Privileges: The script must be run as the root user to access all necessary files and commands.
  • Bash Shell: The script is written in Bash and requires a Bash-compatible shell.
  • Required Commands: Some sections of the script depend on specific commands. While the script checks for their existence, having them installed will provide more comprehensive data:
    • lshw
    • getent
    • ip
    • ifconfig
    • ss
    • netstat
    • ufw
    • service
    • systemctl
    • lsof
    • zip

Usage

  1. Clone or Download the Script:

    git clone https://github.com/your-repo/linux-forensic-triage.git

  2. Navigate to the Script Directory:

    cd linux-forensic-triage

  3. Make the Script Executable:

    chmod +x forensic_triage.sh

  4. Run the Script as Root:

    sudo ./forensic_triage.sh

  5. Monitor Execution:

    The script outputs progress to the console and logs all actions to a log file in the output directory.

  6. Retrieve Collected Data:

    Upon completion, the script saves all collected data in a timestamped directory under /tmp and creates a zip archive of this directory for easy transfer.

Script Overview

System Information Collection

  • Date and Time
  • Uptime
  • Hostname
  • Kernel Version
  • Detailed System Information: Uses lshw to list hardware components.

User Information Collection

  • Current Users: Users currently logged in.
  • Logged in Users: List of users and their login times.
  • Last Logins: Historical login data.
  • User List: Contents of /etc/passwd.
  • User Groups: Group information from getent group.
  • Sudoers Configuration: Contents of /etc/sudoers and /etc/sudoers.d/*.

Process Information Collection

  • Running Processes: Detailed list from ps aux.
  • Top Processes: Snapshot from top command.

Network Information Collection

  • Network Interfaces: Details from ip addr show or ifconfig.
  • Active Connections: Socket statistics from ss or netstat.
  • ARP Cache: ARP table entries.
  • Routing Table: Network routing information.
  • Firewall Rules:
    • iptables: Current iptables rules.
    • ufw: Status of UFW firewall.

File System Information Collection

  • Mounted File Systems: Disk usage statistics.
  • Disk Usage: Space used by directories under /home.
  • Open Files: List of open files from lsof.
  • Recently Modified Files: Files modified within the last day in /etc, /var, and /home.

Log Files Collection

  • Copies critical system logs:
    • /var/log/syslog
    • /var/log/auth.log
    • /var/log/dmesg
    • /var/log/kern.log
    • /var/log/secure
    • /var/log/faillog

Scheduled Tasks Collection

  • Cron Jobs: Retrieves scheduled cron tasks for all users and lists cron directories.

System Configuration Collection

  • Network Configuration: Contents of /etc/network/interfaces.
  • Hosts File: Contents of /etc/hosts.
  • DNS Configuration: Contents of /etc/resolv.conf.
  • Services: Status of all services using service --status-all.
  • Loaded Kernel Modules: Output from lsmod.
  • Systemd Services: List of all systemd services.

Application-Specific Logs Collection

  • Apache Logs: Copies logs from /var/log/apache2.
  • Nginx Logs: Copies logs from /var/log/nginx.
  • MySQL Logs: Copies logs from /var/log/mysql.
  • PostgreSQL Logs: Copies logs from /var/log/postgresql.

SSH Configuration Collection

  • SSH Server Config: Contents of /etc/ssh/sshd_config.
  • SSH Client Config: Contents of /etc/ssh/ssh_config.
  • Root Authorized Keys: Contents of /root/.ssh/authorized_keys.

Changes and Optimizations

  • Root User Check: Ensures the script is run with the necessary permissions.
  • Structured Code with Functions: Each major collection task is encapsulated in a function.
  • Error Handling:
    • Introduced a centralized log_error function.
    • Checks for the existence of commands and files before usage.
    • Collects errors in an array and logs them at the end.
  • Command Availability Checks: Verifies that necessary commands are available and logs missing ones.
  • Directory and File Existence Checks: Prevents errors by checking for the existence of files and directories.
  • Optimized File Searches: Limited the scope of the find command to specific directories.
  • Improved Logging:
    • Uses tee for real-time logging to both the console and the log file.
    • Redirects unnecessary error messages to keep logs clean.
  • Efficient Data Collection:
    • Collects only essential data to minimize performance impact.
    • Uses head with top to limit output.

Error Handling

  • Error Logging: All errors encountered during execution are recorded in an errors.log file within the output directory.
  • Graceful Degradation: The script continues execution even if certain commands or files are unavailable, ensuring maximum data collection possible.
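
The error-handling pattern described in the two sections above (a centralized log_error, command and file existence checks, errors collected in an array and written to errors.log at the end, tee logging, a find limited to /etc, /var and /home, and a zip of the timestamped output directory), as an added example that is not the project's own script; the function names collect, require_cmd, copy_if_exists and write_error_report are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): the page's error-handling pattern
# reduced to a few collectors. Function names here are assumptions.
OUTPUT_DIR="${OUTPUT_DIR:-/tmp/forensics_$(date +%Y%m%d%H%M%S)}"
LOG_FILE="$OUTPUT_DIR/forensics.log"
ERRORS=()
# Centralized error logger: remember the message, echo it via tee, keep going.
log_error() {
    ERRORS+=("$1")
    printf '[ERROR] %s\n' "$1" | tee -a "$LOG_FILE" >&2
}
# Command availability check: 0 if present, otherwise log it and return 1.
require_cmd() {
    command -v "$1" >/dev/null 2>&1 && return 0
    log_error "command not found: $1"
    return 1
}
# Run one collector into <name>.txt; a missing command is skipped, not fatal.
collect() {
    local name="$1"; shift
    if ! require_cmd "$1"; then return 0; fi
    printf '[*] Collecting %s\n' "$name" | tee -a "$LOG_FILE"
    "$@" > "$OUTPUT_DIR/$name.txt" 2>>"$LOG_FILE" || log_error "$name: '$*' exited $?"
}

# Copy a log file only if it exists; a missing file is logged, not fatal.
copy_if_exists() {
    if [ -f "$1" ]; then
        cp -p "$1" "$OUTPUT_DIR/" 2>>"$LOG_FILE" || log_error "copy failed: $1"
    else
        log_error "file not found: $1"
    fi
}

# Write the accumulated errors out at the end; print how many there were.
write_error_report() {
    printf '%s\n' "${ERRORS[@]}" > "$OUTPUT_DIR/errors.log"
    echo "${#ERRORS[@]}"
}

main() {
    mkdir -p "$OUTPUT_DIR"
    collect system_info uname -a
    collect recent_files find /etc /var /home -xdev -type f -mtime -1  # scoped find
    copy_if_exists /var/log/auth.log
    write_error_report
    if require_cmd zip; then zip -qr "$OUTPUT_DIR.zip" "$OUTPUT_DIR" || log_error "zip failed"; fi
}
main
```

Each collector lands in its own file under the output directory, and a missing tool or log file is recorded rather than stopping the run.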

Output

  • Output Directory: All collected data is stored in a timestamped directory under /tmp.
  • Log File: A comprehensive log of all actions and outputs is saved as forensics.log in the output directory.
  • Compressed Archive: The output directory is compressed into a zip file for easy transfer:
    • Example: /tmp/forensics_YYYYMMDDHHMMSS.zip

Cleanup

  • Optional Deletion: The script includes commented code to delete the output directory after zipping. Uncomment the rm -rf "$OUTPUT_DIR" line if you wish to enable this behavior.

Contributing

Contributions are welcome! Please follow these steps:

  1. Fork the Repository: Click on the 'Fork' button to create a personal copy.

  2. Clone the Fork:

    git clone https://github.com/your-username/linux-forensic-triage.git

  3. Create a New Branch:

    git checkout -b feature/your-feature-name

  4. Make Changes: Implement your enhancements or fixes.

  5. Commit Changes:

    git commit -am 'Add new feature'

  6. Push to the Branch:

    git push origin feature/your-feature-name

  7. Submit a Pull Request: Open a pull request to merge your changes into the main repository.

License

This project is licensed under the MIT License - see the LICENSE file for details.


Disclaimer: Use this script responsibly and ensure compliance with all applicable laws and regulations. Unauthorized access or data collection may be illegal and unethical.