DFIR_Linux_Collector

Stand-alone collection tool for GNU/Linux

  • Very low impact on the host
  • No use of host binaries (anti-hooking)
    • all binaries are included in the executable
  • Export in JSON (logs), raw (RAM dump) and text formats
  • RAM dump with avml (see the compatibility list at https://github.com/microsoft/avml#tested-distributions)
  • The result is a compressed archive and a checksum file
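Before an examiner unpacks the archive, the checksum file is what proves the collection arrived intact. The following is an added example and not DFIR_Linux_Collector's own code; it assumes the checksum file uses the coreutils md5sum/sha256sum line format ("<hexdigest>  <filename>") and infers the algorithm from the digest length.

```python
# Added example, not part of DFIR_Linux_Collector: verify the collected archive
# against its checksum file before unpacking. Assumption: the checksum file uses
# the coreutils md5sum/sha256sum line format; algorithm inferred from digest length.
import hashlib
import os
# hex digest length -> hashlib algorithm (assumed set of possible algorithms)
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text):
    """Return {filename: (algo, hexdigest)} from md5sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # coreutils: two spaces, or " *" in binary mode
        digest = digest.lower()
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("unrecognised checksum line: %r" % line)
        expected[name] = (algo, digest)
    return expected


def digest_bytes(data, algo):
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo, chunk=1 << 20):
    """Stream the file so a multi-GB RAM dump is never read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_collection(checksum_path):
    """Check each listed file; return {name: "ok" | "mismatch" | "missing"}."""
    with open(checksum_path, "r", encoding="utf-8") as fh:
        expected = parse_checksum_file(fh.read())
    base = os.path.dirname(os.path.abspath(checksum_path))
    results = {}
    for name, (algo, want) in expected.items():
        target = os.path.join(base, name)
        if not os.path.isfile(target):
            results[name] = "missing"
        else:
            results[name] = "ok" if digest_file(target, algo) == want else "mismatch"
    return results
```

A "missing" or "mismatch" entry should be recorded in the case notes and the collection re-run rather than analysed.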

Compatibility

| Distribution | Version | Ok | Error | Comments |
|---|---|---|---|---|
| Ubuntu | 12 - 20 | ✔️ | --- | --- |
| Debian | > 8 | ✔️ | --- | --- |
| Fedora | 30 | ✔️ | --- | --- |
| CentOS | 7 | ✔️ | --- | --- |
| CentOS | 6 | --- | ✖️ | Kernel too old |

Other distributions have not been tested yet; testing is in progress.

Quick start

```text
git clone https://github.com/xophidia/DFIR_Linux_Collector.git
cd DFIR_Linux_Collector
./setup.sh
sudo ./DFIR_linux_collector
Verifying archive integrity...  100%   MD5 checksums are OK. All good.
Uncompressing orc  100%

    ██████╗ ██╗      ██████╗
    ██╔══██╗██║     ██╔════╝
    ██║  ██║██║     ██║
    ██║  ██║██║     ██║
    ██████╔╝███████╗╚██████╗
    ╚═════╝ ╚══════╝ ╚═════╝

     DFIR Linux Collector

    Case Number : 10
    Description : linux_host
    Examiner Name : Xophidia
    Hostname : 10_01

    Dump generic artifacts
    +  uname ....................[success]
    +  env ......................[success]
    +  uptime ...................[success]
    +  lsmod ....................[success]
    +  passwd ...................[success]
    +  auth .....................[success]
    +  syslog ...................[success]
    +  date .....................[success]
    +  who ......................[success]
    +  cpuinfo ..................[success]
    +  group ....................[success]
    +  lsof .....................[success]
    +  mount ....................[success]
    +  sudoers ..................[success]

    Dump network artifacts
    +  ip .......................[success]
    +  netstat ..................[success]
    +  arp ......................[success]

    Dump process artifacts
    +  ps .......................[success]

    Dump user artifacts
    +  c_ssh ....................[success]
    +  firefox ..................[success]
    +  c_git ....................[success]
    +  chromium .................[success]
    +  google-chrome ............[success]
    +  command_history ..........[success]

    Dump artefacts / linux distribution
    +  Debian-like artifacts
    +  installer debug ..........[success]
    +  installer syslog .........[success]
```

Artifacts

🔘 Generic

| Command / file | Json | Text | Raw |
|---|---|---|---|
| env | ✔️ | --- | --- |
| uptime | ✔️ | --- | --- |
| uname -a | ✔️ | --- | --- |
| lsmod | ✔️ | --- | --- |
| /etc/passwd | ✔️ | --- | --- |
| /etc/group | ✔️ | --- | --- |
| date | ✔️ | --- | --- |
| who | ✔️ | --- | --- |
| cpuinfo | ✔️ | --- | --- |
| lsof | --- | ✔️ | --- |
| sudoers | ✔️ | --- | --- |
| mount | ✔️ | --- | --- |
| fstab | ✔️ | --- | --- |
| last | ✔️ | --- | --- |

🔘 SSH

| Command / file | Json | Text | Raw |
|---|---|---|---|
| authorized_keys | ✔️ | --- | --- |
| known_hosts | ✔️ | --- | --- |

🔘 Network

| Command / file | Json | Text | Raw |
|---|---|---|---|
| ip | ✔️ | --- | --- |
| netstat | ✔️ | --- | --- |
| arp | ✔️ | --- | --- |

🔘 Process

| Command / file | Json | Text | Raw |
|---|---|---|---|
| ps | ✔️ | --- | --- |

🔘 Browser

| Command / file | Json | Text | Raw |
|---|---|---|---|
| Firefox | ✔️ | --- | --- |
| Google Chrome | ✔️ | --- | --- |
| Chromium | ✔️ | --- | --- |

🔘 Log

| Command / file | Json | Text | Raw |
|---|---|---|---|
| auth.log | --- | ✔️ | --- |
| syslog | ✔️ | --- | --- |

🔘 Home

| Command / file | Json | Text | Raw |
|---|---|---|---|
| .gitconfig | ✔️ | --- | --- |
| .command_history (bash + zsh) | ✔️ | --- | ✔️ |
| .viminfo | --- | ✔️ | --- |

🔘 Desktop

| Command / file | Json | Text | Raw |
|---|---|---|---|
| trash | --- | --- | ✔️ |

🔘 Files

| Command / file | Json | Text | Raw | Csv |
|---|---|---|---|---|
| MD5 hashes | ✔️ | ✔️ | --- | --- |
| file permissions | ✔️ | --- | --- | --- |
| timeline | --- | --- | --- | ✔️ |
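What the three "Files" artifacts above look like when gathered together, as an added example that is not the collector's own code: per-file MD5, permissions read with lstat (so symlinks are recorded rather than followed) and a CSV timeline of the m/a/c timestamps. The record layout, field names and CSV columns are this example's assumptions, not the tool's output format.

```python
# Added example (not DFIR_Linux_Collector's own code) of the "Files" artifacts
# listed above: MD5 per file, permissions, and a CSV timeline. Record layout,
# field names and timeline columns are this example's own assumptions.
import csv
import hashlib
import io
import os
import stat


def file_record(path):
    """One record per entry; lstat so symlinks are recorded, not followed."""
    st = os.lstat(path)
    rec = {"path": path, "mode": stat.filemode(st.st_mode),  # e.g. -rwsr-xr-x
           "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
           "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
           "md5": None}
    if stat.S_ISREG(st.st_mode):  # hash regular files only, in 1 MiB chunks
        h = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        rec["md5"] = h.hexdigest()
    return rec


def collect_tree(root):
    """Walk root without following symlinks; return records sorted by path."""
    records = [file_record(os.path.join(d, n))
               for d, dirs, files in os.walk(root, followlinks=False)
               for n in dirs + files]
    return sorted(records, key=lambda r: r["path"])


def timeline_csv(records):
    """Bodyfile-style timeline: one row per (timestamp, kind), oldest first."""
    rows = sorted((r[k], k, r["mode"], r["md5"] or "", r["path"])
                  for r in records for k in ("mtime", "atime", "ctime"))
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "kind", "mode", "md5", "path"])
    writer.writerows(rows)
    return out.getvalue()
```

Reading the tree with lstat and followlinks=False matters on a compromised host: a planted symlink pointing outside the scope would otherwise pull unrelated files into the collection or loop the walk.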

🔘 Dump

| Command / file | Json | Text | Raw |
|---|---|---|---|
| avml | --- | --- | ✔️ |
| LiME | ✖️ | ✖️ | ✖️ |
| /boot/System.map-$(uname -r) | --- | --- | ✔️ |
| /boot/vmlinuz | --- | --- | ✔️ |

🔘 Antivirus

| Command / file | Json | Text | Raw |
|---|---|---|---|
| ClamAV | ✔️ | --- | --- |

License

All code in the project is licensed under the GNU Lesser General Public License.

Contributors

  • xophidia https://github.com/xophidia
  • Dupss https://github.com/dupss
  • leludo84 https://github.com/leludo84
