forked from ozpingux/BasicLinuxForensicScript
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathBasicForensicLinuxScript.sh
301 lines (271 loc) · 14.3 KB
/
BasicForensicLinuxScript.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
#!/bin/bash
#Script to extract activities and relevant information from the system
#Creation of a folder where the hashes and files to be extracted will be stored
output_dir="/tmp/ExtractedInfo/"
mkdir /tmp/ExtractedInfo/
mkdir /tmp/ExtractedInfo/hash/
#Permissions to folder and extraction script
chmod -R +x /tmp/BasicForensicLinuxScript.sh
#Days the server has been on
uptime -p > /tmp/ExtractedInfo/days_On0.txt
uptime -s > /tmp/ExtractedInfo/days_On01.txt
#Date of extraction
date > /tmp/ExtractedInfo/fechaextraccion0.txt
date +%s > /tmp/ExtractedInfo/fechaextraccion00.txt
hwclock -r > /tmp/ExtractedInfo/hwfechaextraccion000.txt
#Operating System Installation Date
df -P / > /tmp/ExtractedInfo/date_so0.txt
ls -l /var/log/installer > /tmp/ExtractedInfo/install0.txt
ls -lah /var/log/installer > /tmp/ExtractedInfo/install00.txt
tune2fs -l > /tmp/ExtractedInfo/date_so00.txt
ls -lct /etc | tail -1 | awk '{print $6, $7, $8}' > /tmp/ExtractedInfo/date_so010.txt
#IP Addresses and Network Interfaces
ifconfig > /tmp/ExtractedInfo/ifconfig_0.txt
ifconfig -a > /tmp/ExtractedInfo/ifconfig_0.txt
ip addr > /tmp/ExtractedInfo/ifconfig_1.txt
cat /etc/sysconfig/network > /tmp/ExtractedInfo/networkcong0.txt
cat /etc/sysconfig/network-scripts/ifcfg-interface-name > /tmp/ExtractedInfo/networkcong001.txt
ip link show > /tmp/ExtractedInfo/networkcong002.txt
netstat -i > /tmp/ExtractedInfo/net_interfaces0.txt
#Programs installed in the operating system
rpm -qa > /tmp/ExtractedInfo/packages.txt
rpm -Va > /tmp/ExtractedInfo/packages02.txt
yum list installed > /tmp/ExtractedInfo/packages02.txt
apt list --installed > /tmp/ExtractedInfo/packages03.txt
apt list --upgradeable > /tmp/ExtractedInfo/packages04.txt
dpkg --list > /tmp/ExtractedInfo/packages05.txt
#Hardware and serial information
lspci > /tmp/ExtractedInfo/pci001.txt
lscpu > /tmp/ExtractedInfo/cpu0.txt
lshw -short > /tmp/ExtractedInfo/hwinfo0.txt
hwinfo --short > /tmp/ExtractedInfo/hwinfo001.txt
dmidecode > /tmp/ExtractedInfo/hwinfo002.txt
mount | column -t > /tmp/ExtractedInfo/hwmounts0.txt
cat /proc/cpuinfo > /tmp/ExtractedInfo/cpu00.txt
cat /proc/meminfo > /tmp/ExtractedInfo/meminfo_0.txt
cat /proc/version > /tmp/ExtractedInfo/versions0.txt
#Weight of the /var/log folder and each file in the /var/log/ folder
ls -lah /var/log/ > /tmp/ExtractedInfo/varlog_listing0.txt
ls -la /var/log/ > /tmp/ExtractedInfo/varlog_listing00.txt
stat /var/log/*.* > /tmp/ExtractedInfo/varlog_dates0.txt
#File and directory enumeration in temporary folders
ls -lah /tmp/ > /tmp/ExtractedInfo/temp_list0.txt
ls -lah /var/tmp/ > /tmp/ExtractedInfo/temp_list00.txt
#File and directory enumeration in binary folder
ls -lah /usr/bin/ > /tmp/ExtractedInfo/binusr_tree0.txt
ls -lah /bin/ > /tmp/ExtractedInfo/bin_tree0.txt
ls -lah /bin/ > /tmp/ExtractedInfo/bin0.txt
# Journal Data
journalctl > /tmp/ExtractedInfo/journal_data.txt
#USB History
cat /var/log/kern.log | grep usb > /tmp/ExtractedInfo/USBHistory-1.txt
cat /var/log/syslog | grep usb > /tmp/ExtractedInfo/USBHistory-2.txt
# Recent History
for user_home in /home/*; do
usb_history_file="$user_home/.local/share/recently-used.xbel"
if [ -f "$usb_history_file" ]; then
cp "$usb_history_file" "$output_dir/usb_history_$user_home.txt"
fi
done
# File Recent History
for user_home in /home/*; do
recent_history_file="$user_home/.recently-used.xbel"
if [ -f "$recent_history_file" ]; then
cp "$recent_history_file" "$output_dir/recent_history_$user_home.txt"
fi
done
# Wi-Fi History
cat /etc/NetworkManager/system-connections/* > /tmp/ExtractedInfo/wifi_connectionHistory.txt
nmcli con show > /tmp/ExtractedInfo/wifi_connectionHistory-2.txt
nmcli -f TYPE,TIMESTAMP,NAME con show > /tmp/ExtractedInfo/wifi_connectionTime.txt
#tree -df / > /tmp/ExtractedInfo/treefiles0.txt
#System user enumeration
users > /tmp/ExtractedInfo/users.txt
#Last server logins
lastlog > /tmp/ExtractedInfo/lastlog0.txt
last > /tmp/ExtractedInfo/last0.txt
last -Faiwx > /tmp/ExtractedInfo/last01.txt
lastb > /tmp/ExtractedInfo/lastb0.txt
#Who is logged in to the server
who > /tmp/ExtractedInfo/who0.txt
w > /tmp/ExtractedInfo/w0.txt
#Ports on the server listening
netstat -lntp > /tmp/ExtractedInfo/netstat0.txt
#Open Connections
netstat -oanp > /tmp/ExtractedInfo/netstat00.txt
netstat -oanp | grep ESTAB > /tmp/ExtractedInfo/netstat000.txt
netstat -anp > /tmp/ExtractedInfo/netstatanp0.txt
lsof -i > /tmp/ExtractedInfo/connection0.txt
lsof -V > /tmp/ExtractedInfo/OpenFiles.txt
netstat -lntp > /tmp/ExtractedInfo/netstat.txt
#Host Resolutions - Local DNS
cat /etc/hosts > /tmp/ExtractedInfo/hosts0.txt
#List of DNS servers
cat /etc/resolv.conf > /tmp/ExtractedInfo/resolv0.txt
#Open processes in the system and their execution paths
ps aux > /tmp/ExtractedInfo/psaux0.txt
ps -fea > /tmp/ExtractedInfo/top0.txt
ls -lah /etc/init.d/ > /tmp/ExtractedInfo/initetc0.txt
ps -ej > /tmp/ExtractedInfo/psaux00.txt
ps -auxwe > /tmp/ExtractedInfo/psaux_paths0.txt
ps -l > /tmp/ExtractedInfo/process_list0.txt
pstree -Aup > /tmp/ExtractedInfo/pstree0.txt
tree -df /etc/init.d/ > /tmp/ExtractedInfo/initetc00.txt
#History of commands executed by the active user
history > /tmp/ExtractedInfo/history0.txt
#History of commands executed by all system users
grep -e "$pattern" /home/*/.bash_history > /tmp/ExtractedInfo/AllHistoryCommands.txt
getent passwd | cut -d : -f 6 | sed 's:$:/.bash_history:' | xargs -d '\n' grep -s -H -e "$pattern" > /tmp/ExtractedInfo/AllHistoryCommands.txt
cat /root/.bash_history > /tmp/ExtractedInfo/historyroot00.txt
#List of users created in the system
cat /etc/passwd > /tmp/ExtractedInfo/users0.txt
#System group list
cat /etc/group > /tmp/ExtractedInfo/groups.txt
#Processes running as jobs
jobs > /tmp/ExtractedInfo/jobs0.txt
#Known SSH hosts
cat ~/.ssh/known_hosts > /tmp/ExtractedInfo/knownhosts0.txt
#ARP table visualization
arp -a > /tmp/ExtractedInfo/arp0.txt
arp -v > /tmp/ExtractedInfo/arp00.txt
#List of connected USB devices
lsusb > /tmp/ExtractedInfo/lsusb0.txt
lsblk > /tmp/ExtractedInfo/lsblk0.txt
#List of modules loaded by the Kernel
dmesg > /tmp/ExtractedInfo/dmesg0.txt
dmesg | grep -i promisc > /tmp/ExtractedInfo/dmesg02.txt
#List of disks and system partitions
fdisk -l > /tmp/ExtractedInfo/fdisk0.txt
df -h > /tmp/ExtractedInfo/dfdisk0.txt
#Default gateway
netstat -rn > /tmp/ExtractedInfo/netstat0000.txt
#routing table
route -n > /tmp/ExtractedInfo/route0.txt
ip route list > /tmp/ExtractedInfo/route_list0.txt
insmod > /tmp/ExtractedInfo/insmod0.txt
#List of modules loaded by the Kernel
lsmod > /tmp/ExtractedInfo/lsmod0.txt
#List of top10 processes with high memory consumption
ps auxf | sort -nr -k 4 | head -10 > /tmp/ExtractedInfo/tophighprocess0.txt
#System memory status
vmstat > /tmp/ExtractedInfo/virtualmem0.txt
free -m > /tmp/ExtractedInfo/freemem00.txt
#Kernel and operating system version
uname -ra > /tmp/ExtractedInfo/kernelversion0.txt
uname -srv > /tmp/ExtractedInfo/kernelversion00.txt
cat /proc/version > /tmp/ExtractedInfo/osversion.txt
cat /etc/redhat-release > /tmp/ExtractedInfo/osversion00.txt
#operating system and hostname information
hostnamectl > /tmp/ExtractedInfo/hostname0.txt
#List of running system services
systemctl list-units --type=service > /tmp/ExtractedInfo/systemctl0.txt
systemctl list-units –type=service –state=active > /tmp/ExtractedInfo/systemctl00.txt
systemctl list-units --type=service --state=running > /tmp/ExtractedInfo/systemctl000.txt
systemctl list-units --type=service > /tmp/ExtractedInfo/systemctl0.txt
service --status-all > /tmp/ExtractedInfo/daemons0.txt
systemctl list-units --type service > /tmp/ExtractedInfo/daemons01.txt
systemctl list-units --type mount > /tmp/ExtractedInfo/daemons02.txt
#extraction of system profiles - customize according to user's folder
cat /etc/profile > /tmp/ExtractedInfo/profile00.txt
cat /root/.bash_profile > /tmp/ExtractedInfo/bashprofile0.txt
cat /root/.bash_login > /tmp/ExtractedInfo/bashlogin0.txt
cat /root/.profile > /tmp/ExtractedInfo/rootprofile.txt
cat /root/.bashrc > /tmp/ExtractedInfo/bashrcroot0.txt
cat /root/.bash_logout > /tmp/ExtractedInfo/bashlogoutroot0.txt
#List of users in the privileged sudoers file
cat /etc/sudoers > /tmp/ExtractedInfo/sudoers0.txt
#List of tasks scheduled in the system
crontab -l > /tmp/ExtractedInfo/crontab000.txt
#List of network interfaces - customize according to the operating system
cat /etc/network/interfaces > /tmp/ExtractedInfo/interfaces0.txt
#Search for executables and scripts
find / -name \*.bin > /tmp/ExtractedInfo/Executablefinder-BIN.txt
find / -name \*.exe > /tmp/ExtractedInfo/Executablefinder-EXE.txt
find / -name \*.sh > /tmp/ExtractedInfo/Executablefinder-SH.txt
find / -name \*.py > /tmp/ExtractedInfo/Executablefinder-PY.txt
find / -name \*.pl > /tmp/ExtractedInfo/Executablefinder-pl.txt
find / -name \*.csh > /tmp/ExtractedInfo/Executablefinder-csh.txt
find / -name \*.ksh > /tmp/ExtractedInfo/Executablefinder-ksh.txt
find / -name \*.tcsh > /tmp/ExtractedInfo/Executablefinder-tcsh.txt
find / -name \*.zsh > /tmp/ExtractedInfo/Executablefinder-zsh.txt
find / -name \*.rb > /tmp/ExtractedInfo/Executablefinder-rb.txt
find / -name \*.awk > /tmp/ExtractedInfo/Executablefinder-awk.txt
find / -name \*.ps1 > /tmp/ExtractedInfo/Executablefinder-ps1.txt
find / -name \*.js > /tmp/ExtractedInfo/Executablefinder-js.txt
find / -name \*.php > /tmp/ExtractedInfo/Executablefinder-php.txt
find / -name \*.vbs > /tmp/ExtractedInfo/Executablefinder-vbs.txt
find / -name \*.bat > /tmp/ExtractedInfo/Executablefinder-bat.txt
find / -name \*.cmd > /tmp/ExtractedInfo/Executablefinder-cmd.txt
#Search for files or links redirected to dev-null
lsof -w /dev/null > /tmp/ExtractedInfo/redireccion_null0.txt
find /var/log -type f -printf "%P,%A+,%T+,%C+,%u,%g,%M,%s\n" > /tmp/ExtractedInfo/VarLogTimeline.txt
# Another User Traces Create a folder to store the extracted information
mkdir /tmp/ExtractedInfo/user_traces
# Get a list of all users on the system
cut -d: -f1 /etc/passwd > /tmp/ExtractedInfo/user_traces/user_list.txt
# Iterate through each user and extract their traces
while read -r user; do
# Create a folder for the user
mkdir "/tmp/ExtractedInfo/user_traces/$user"
# Extract the user's command history
cp "/home/$user/.bash_history" "/tmp/ExtractedInfo/user_traces/$user/command_history.txt"
# Extract the user's SSH history
cp "/home/$user/.ssh/known_hosts" "/tmp/ExtractedInfo/user_traces/$user/ssh_history.txt"
# Extract the user's login history
last -n 100 "$user" > "/tmp/ExtractedInfo/user_traces/$user/login_history.txt"
# Extract the users active processes
ps -u "$user" > "/tmp/ExtractedInfo/user_traces/$user/active_processes.txt"
# Extract the user's open network connections
netstat -antp | grep "$user" > "/tmp/ExtractedInfo/user_traces/$user/network_connections.txt"
# Extract the user's file access history
find "/home/$user" -type f -exec stat {} \; > "/tmp/ExtractedInfo/user_traces/$user/file_access_history.txt"
done < "/tmp/ExtractedInfo/user_traces/user_list.txt"
# Compress the user traces folder
tar -czvf /tmp/ExtractedInfo/user_traces.tar.gz -C /tmp/ExtractedInfo/user_traces .
# Cleanup: Remove the temporary folder
rm -rf /tmp/ExtractedInfo/user_traces
#Internet History
# Create a folder to store the extracted information
mkdir /tmp/internet_traces
# Get a list of all users on the system
cut -d: -f1 /etc/passwd > /tmp/internet_traces/user_list.txt
# Iterate through each user and extract their internet history, traces, and DNS cache
while read -r user; do
# Create a folder for the user
mkdir "/tmp/internet_traces/$user"
# Extract Chrome history
cp "/home/$user/.config/google-chrome/Default/History" "/tmp/internet_traces/$user/chrome_history"
# Extract Firefox history
cp "/home/$user/.mozilla/firefox/*.default-release/places.sqlite" "/tmp/internet_traces/$user/firefox_history.sqlite"
# Extract Chrome bookmarks
cp "/home/$user/.config/google-chrome/Default/Bookmarks" "/tmp/internet_traces/$user/chrome_bookmarks"
# Extract Firefox bookmarks
cp "/home/$user/.mozilla/firefox/*.default-release/bookmarkbackups" "/tmp/internet_traces/$user/firefox_bookmarks"
# Extract Chrome cookies
cp "/home/$user/.config/google-chrome/Default/Cookies" "/tmp/internet_traces/$user/chrome_cookies"
# Extract Firefox cookies
cp "/home/$user/.mozilla/firefox/*.default-release/cookies.sqlite" "/tmp/internet_traces/$user/firefox_cookies.sqlite"
# Extract the user's download history
ls -liah /home/$user/Downloads > /tmp/internet_traces/$user/download_history/user_downloads.txt
# Extract DNS cache
cp "/home/$user/.config/google-chrome/Default/Network\ Action\ Predictor" "/tmp/internet_traces/$user/chrome_dns_cache"
cp "/home/$user/.mozilla/firefox/*.default-release/Network\ Cache" "/tmp/internet_traces/$user/firefox_dns_cache"
cp "/home/$user/.cache/mozilla/firefox/*.default-release/cache2/entries/*" "/tmp/internet_traces/$user/dns_cache_entries/"
done < "/tmp/internet_traces/user_list.txt"
# Compress the internet traces folder
tar -czvf /tmp/internet_traces.tar.gz -C /tmp/internet_traces .
# Cleanup: Remove the temporary folder
rm -rf /tmp/internet_traces
#Time stamps of extracted files
ls -liah /tmp/ExtractedInfo/*.txt > /tmp/ExtractedInfo/time_evidence0.txt
ls -lah /tmp/ExtractedInfo/*.txt > /tmp/ExtractedInfo/time_evidence00.txt
stat /tmp/ExtractedInfo/*.txt > /tmp/ExtractedInfo/time_evidence000.txt
ls -liah /tmp/ExtractedInfo/user_traces.tar.gz > /tmp/ExtractedInfo/time_evidence-user_traces-1.txt
stat /tmp/ExtractedInfo/user_traces.tar.gz > /tmp/ExtractedInfo/time_evidence-user_traces-2.txt
#Hash checksum calculation sha256 for integrity of each extracted file
sha256sum /tmp/ExtractedInfo/*.txt > /tmp/ExtractedInfo/hash/hashes.txt
sha256sum /tmp/*.tar.gz > /tmp/ExtractedInfo/hash/hashes_compressed.txt
echo "--------------------------------------------------------------------------"
echo "The txt file with all the hashes has been saved to /tmp/ExtractedInfo/hash/hashes.txt"
echo "--------------------------------------------------------------------------"
echo -e "\e[1;31m!!!!!!!!!!!!!!!!!!Extraction Completed!!!!!!!!!!!!!!!!!!!\e[0m"