├── images
├── first
├── pf.PNG
└── KULQlzAg.png
├── Wizard.7z
├── README.md
├── LICENSE
└── Power-Forensic-V2.0.sh
/images/first:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Wizard.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archanchoudhury/Power-Forensics/HEAD/Wizard.7z
--------------------------------------------------------------------------------
/images/pf.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archanchoudhury/Power-Forensics/HEAD/images/pf.PNG
--------------------------------------------------------------------------------
/images/KULQlzAg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/archanchoudhury/Power-Forensics/HEAD/images/KULQlzAg.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # 🔴Power-Forensics
4 | Power-Forensics is the Best Friend for Incident Responders to perform IR and collect evidences for Linux based host. This is a simple shell script and easy to use.
5 |
6 | ## ☸Features:
7 | Once ran, it creates the following files
8 | - SUID.log
9 | - bash.log
10 | - connwithprocess.log
11 | - cronalluser.log
12 | - croncurrentuser.log
13 | - crondaily.log
14 | - cronhourly.log
15 | - cronweekly.log
16 | - currentloggeduser.log
17 | - diskusage.log
18 | - establishedconn.log
19 | - files.log
20 | - free.log
21 | - livecon.log
22 | - process.log
23 | - processtree.log
24 | - systemcommand.log
25 | - uptime.log
26 | - userprofile.log
27 | - memory.mem: This is the memory Dump File
28 |
29 | It has also the capability to process the volatile data using Volatility. But it will make some changes to the machine.
30 |
31 |
32 | # 🤝Contributing
33 | We welcome your contributions. Please feel free to fork the code, play with it, make some patches and send us pull requests.
34 |
35 | # 🔼Enhancements:
36 | - Create and test for all other Linux flavours, currently it is only tested for Ubuntu
37 | - Any other data set to be collected.
38 |
39 | # 🙏Support
40 | - Please [open an issue on GitHub](https://github.com/archanchoudhury/Power-Forensics/issues/new) if you'd like to report a bug or request a feature.
41 | - For real DFIR Training, subscribe to my [YouTube Channel](https://www.youtube.com/c/BlackPerl)
42 | - If you like to support my creation, 
43 |
44 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Legal Code
2 |
3 | CC0 1.0 Universal
4 |
5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
12 | HEREUNDER.
13 |
14 | Statement of Purpose
15 |
16 | The laws of most jurisdictions throughout the world automatically confer
17 | exclusive Copyright and Related Rights (defined below) upon the creator
18 | and subsequent owner(s) (each and all, an "owner") of an original work of
19 | authorship and/or a database (each, a "Work").
20 |
21 | Certain owners wish to permanently relinquish those rights to a Work for
22 | the purpose of contributing to a commons of creative, cultural and
23 | scientific works ("Commons") that the public can reliably and without fear
24 | of later claims of infringement build upon, modify, incorporate in other
25 | works, reuse and redistribute as freely as possible in any form whatsoever
26 | and for any purposes, including without limitation commercial purposes.
27 | These owners may contribute to the Commons to promote the ideal of a free
28 | culture and the further production of creative, cultural and scientific
29 | works, or to gain reputation or greater distribution for their Work in
30 | part through the use and efforts of others.
31 |
32 | For these and/or other purposes and motivations, and without any
33 | expectation of additional consideration or compensation, the person
34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
35 | is an owner of Copyright and Related Rights in the Work, voluntarily
36 | elects to apply CC0 to the Work and publicly distribute the Work under its
37 | terms, with knowledge of his or her Copyright and Related Rights in the
38 | Work and the meaning and intended legal effect of CC0 on those rights.
39 |
40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
41 | protected by copyright and related or neighboring rights ("Copyright and
42 | Related Rights"). Copyright and Related Rights include, but are not
43 | limited to, the following:
44 |
45 | i. the right to reproduce, adapt, distribute, perform, display,
46 | communicate, and translate a Work;
47 | ii. moral rights retained by the original author(s) and/or performer(s);
48 | iii. publicity and privacy rights pertaining to a person's image or
49 | likeness depicted in a Work;
50 | iv. rights protecting against unfair competition in regards to a Work,
51 | subject to the limitations in paragraph 4(a), below;
52 | v. rights protecting the extraction, dissemination, use and reuse of data
53 | in a Work;
54 | vi. database rights (such as those arising under Directive 96/9/EC of the
55 | European Parliament and of the Council of 11 March 1996 on the legal
56 | protection of databases, and under any national implementation
57 | thereof, including any amended or successor version of such
58 | directive); and
59 | vii. other similar, equivalent or corresponding rights throughout the
60 | world based on applicable law or treaty, and any national
61 | implementations thereof.
62 |
63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
65 | irrevocably and unconditionally waives, abandons, and surrenders all of
66 | Affirmer's Copyright and Related Rights and associated claims and causes
67 | of action, whether now known or unknown (including existing as well as
68 | future claims and causes of action), in the Work (i) in all territories
69 | worldwide, (ii) for the maximum duration provided by applicable law or
70 | treaty (including future time extensions), (iii) in any current or future
71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
72 | including without limitation commercial, advertising or promotional
73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
74 | member of the public at large and to the detriment of Affirmer's heirs and
75 | successors, fully intending that such Waiver shall not be subject to
76 | revocation, rescission, cancellation, termination, or any other legal or
77 | equitable action to disrupt the quiet enjoyment of the Work by the public
78 | as contemplated by Affirmer's express Statement of Purpose.
79 |
80 | 3. Public License Fallback. Should any part of the Waiver for any reason
81 | be judged legally invalid or ineffective under applicable law, then the
82 | Waiver shall be preserved to the maximum extent permitted taking into
83 | account Affirmer's express Statement of Purpose. In addition, to the
84 | extent the Waiver is so judged Affirmer hereby grants to each affected
85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
88 | maximum duration provided by applicable law or treaty (including future
89 | time extensions), (iii) in any current or future medium and for any number
90 | of copies, and (iv) for any purpose whatsoever, including without
91 | limitation commercial, advertising or promotional purposes (the
92 | "License"). The License shall be deemed effective as of the date CC0 was
93 | applied by Affirmer to the Work. Should any part of the License for any
94 | reason be judged legally invalid or ineffective under applicable law, such
95 | partial invalidity or ineffectiveness shall not invalidate the remainder
96 | of the License, and in such case Affirmer hereby affirms that he or she
97 | will not (i) exercise any of his or her remaining Copyright and Related
98 | Rights in the Work or (ii) assert any associated claims and causes of
99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 |
102 | 4. Limitations and Disclaimers.
103 |
104 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 | surrendered, licensed or otherwise affected by this document.
106 | b. Affirmer offers the Work as-is and makes no representations or
107 | warranties of any kind concerning the Work, express, implied,
108 | statutory or otherwise, including without limitation warranties of
109 | title, merchantability, fitness for a particular purpose, non
110 | infringement, or the absence of latent or other defects, accuracy, or
111 | the present or absence of errors, whether or not discoverable, all to
112 | the greatest extent permissible under applicable law.
113 | c. Affirmer disclaims responsibility for clearing rights of other persons
114 | that may apply to the Work or any use thereof, including without
115 | limitation any person's Copyright and Related Rights in the Work.
116 | Further, Affirmer disclaims responsibility for obtaining any necessary
117 | consents, permissions or other rights required for any use of the
118 | Work.
119 | d. Affirmer understands and acknowledges that Creative Commons is not a
120 | party to this document and has no duty or obligation with respect to
121 | this CC0 or use of the Work.
122 |
--------------------------------------------------------------------------------
/Power-Forensic-V2.0.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # *------------------------------------------------------------------------------------------------------*
3 | # * *
4 | # * Script name:Power-Forensics.sh Version:2.0 By:Archan Choudhury 23/09/2021 *
5 | # * *
6 | # * Creates the following files *
7 | # * 1. SUID.log *
8 | # * 2. bash.log *
9 | # * 3. connwithprocess.log *
10 | # * 4. cronalluser.log *
11 | # * 5. croncurrentuser.log *
12 | # * 6. crondaily.log *
13 | # * 7. cronhourly.log *
14 | # * 8. cronweekly.log *
15 | # * 9. currentloggeduser.log *
16 | # * 10. diskusage.log *
17 | # * 11. establishedconn.log *
18 | # * 12. files.log *
19 | # * 13. free.log *
20 | # * 14. livecon.log *
21 | # * 15. process.log *
22 | # * 16. processtree.log *
23 | # * 17. systemcommand.log *
24 | # * 18. uptime.log *
25 | # * 19. userprofile.log *
26 | # * 20. memory.mem: This is the memory Dump File *
27 | # *------------------------------------------------------------------------------------------------------*
28 |
29 | echo -e '\e[1;37;44m ___ _ ____ __ __ _____ ___ _ \e[0m'
30 | echo -e '\e[1;37;44m| __ \ / __ \ | | | | | ___| | __ \ \e[0m' '\e[1;37;41m _____ ___ _ _____ ___ _ _______ _ ______ _______ \e[0m'
31 | echo -e '\e[1;37;44m| | \ \ / / \ \ | | | | | | | | \ \ \e[0m' '\e[1;37;41m | ___| ____ | __ \ | ____| | \ | | | _____| | | | _____| | _____|\e[0m'
32 | echo -e '\e[1;37;44m| | | | | | | | | | | | | |__ | |__| | \e[0m' '\e[1;37;41m | | / __ \ | | \ \ | | | |\ \ | | | | | | | | | | \e[0m'
33 | echo -e '\e[1;37;44m| |__/ / | | | | | | | | | __| | __ / \e[0m' '\e[1;37;41m | |__ | | | | | |__| | | |__ | | \ \ | | | |_____ | | | | | |_____ \e[0m'
34 | echo -e '\e[1;37;44m| |__ / | | | | | \__/ | | | | | \ \ \e[0m' '\e[1;37;41m | __| | | | | | __ / | __| | | \ \| | |_____ | | | | | |_____ |\e[0m'
35 | echo -e '\e[1;37;44m| | \ \__/ / | ___ | | |___ | | | | \e[0m' '\e[1;37;41m | | | |__| | | | \ \ | |___ | | \ \ | _____| | | | | |____ _____| |\e[0m'
36 | echo -e '\e[1;37;44m|_| \ ___/ |__/ \__| |_____| |_| |_| \e[0m' '\e[1;37;41m |_| \____/ |_| |_| |_____| |_| \ \| |_______| |_| |______| |_______|\e[0m'
37 | echo -e '\e[1;37;44m \e[0m' '\e[1;37;41m \e[0m'
38 |
39 | echo -e '\e[1;33m *------------------------------------------------------------------------------------------------------*\e[0m'
40 | echo -e '\e[1;33m * *\e[0m'
41 | echo -e '\e[1;33m * Version:2.0 Created By:Archan Choudhury 12/09/2021 *\e[0m'
42 | echo -e '\e[1;33m * *\e[0m'
43 | echo -e '\e[1;33m * Creates the following files *\e[0m'
44 | echo -e '\e[1;33m * 1. SUID.log *\e[0m'
45 | echo -e '\e[1;33m * 2. bash.log *\e[0m'
46 | echo -e '\e[1;33m * 3. connwithprocess.log *\e[0m'
47 | echo -e '\e[1;33m * 4. cronalluser.log *\e[0m'
48 | echo -e '\e[1;33m * 5. croncurrentuser.log *\e[0m'
49 | echo -e '\e[1;33m * 6. crondaily.log *\e[0m'
50 | echo -e '\e[1;33m * 7. cronhourly.log *\e[0m'
51 | echo -e '\e[1;33m * 8. cronweekly.log *\e[0m'
52 | echo -e '\e[1;33m * 9. currentloggeduser.log *\e[0m'
53 | echo -e '\e[1;33m * 10. diskusage.log *\e[0m'
54 | echo -e '\e[1;33m * 11. establishedconn.log *\e[0m'
55 | echo -e '\e[1;33m * 12. files.log *\e[0m'
56 | echo -e '\e[1;33m * 13. free.log *\e[0m'
57 | echo -e '\e[1;33m * 14. livecon.log *\e[0m'
58 | echo -e '\e[1;33m * 15. process.log *\e[0m'
59 | echo -e '\e[1;33m * 16. processtree.log *\e[0m'
60 | echo -e '\e[1;33m * 17. systemcommand.log *\e[0m'
61 | echo -e '\e[1;33m * 18. uptime.log *\e[0m'
62 | echo -e '\e[1;33m * 19. userprofile.log *\e[0m'
63 | echo -e '\e[1;33m * 20. memory.mem: This is the memory Dump File *\e[0m'
64 | echo -e '\e[1;33m *------------------------------------------------------------------------------------------------------*\e[0m'
65 |
66 | echo -e '\e[1;335m "----------------------------------------------------------------------------------------------------"\e[0m'
67 | echo -e '\e[1;335m " PRESS 1 to CONTINUE "\e[0m'
68 | echo -e '\e[1;335m "----------------------------------------------------------------------------------------------------"\e[0m'
69 |
70 | read optionx
71 |
72 | if [ "$optionx" == '1' ];then
73 |
74 | #clear console
75 | clear
76 |
77 | #just echo welcome messages
78 | echo "----------------------------------------------------------------------------------------------------"
79 | echo "This is information provided by $0 . Program starts now."
80 | echo "----------------------------------------------------------------------------------------------------"
81 |
82 | echo "Hello, $USER"
83 | echo
84 |
85 | #print today's date
86 |
87 | echo "----------------------------------------------------------------------------------------------------"
88 | echo "Today's date is `date`, this is week `date +"%V"`."
89 | echo "----------------------------------------------------------------------------------------------------"
90 |
91 | echo
92 |
93 | #create an evidence directory
94 |
95 | echo "----------------------------------------------------------------------------------------------------"
96 | echo "Creating evidence directory"
97 | echo "----------------------------------------------------------------------------------------------------"
98 |
99 |
100 | sudo mkdir evidence
101 |
102 | echo "Acquistion Process Begins"
103 |
104 | #list of currently loged user via w command.
105 |
106 | echo "----------------------------------------------------------------------------------------------------"
107 | echo "These users are currently connected:"
108 | echo "----------------------------------------------------------------------------------------------------"
109 |
110 |
111 | w | cut -d " " -f 1 - | grep -v USER | sort -u | sudo tee ./evidence/currentloggeduser.log
112 |
113 | echo
114 |
115 | #info about system with command uname and keys -m and -s
116 |
117 | echo "----------------------------------------------------------------------------------------------------"
118 | echo "This is `uname -s` running on a `uname -m` processor." | sudo tee ./evidence/systemcommand.log
119 | echo "----------------------------------------------------------------------------------------------------"
120 |
121 | echo
122 |
123 | #info about uptime, using uptime command
124 |
125 | echo "----------------------------------------------------------------------------------------------------"
126 | echo "This is the uptime information:"
127 | echo "----------------------------------------------------------------------------------------------------"
128 |
129 | uptime | sudo tee ./evidence/uptime.log
130 |
131 | echo
132 |
133 | #info about free memory via free command
134 |
135 | echo "----------------------------------------------------------------------------------------------------"
136 | echo "Free memory:"
137 | echo "----------------------------------------------------------------------------------------------------"
138 |
139 |
140 | free | sudo tee ./evidence/free.log
141 |
142 | echo
143 |
144 | #info about disk usage
145 |
146 | echo "----------------------------------------------------------------------------------------------------"
147 | echo "Disk usage:"
148 | echo "----------------------------------------------------------------------------------------------------"
149 |
150 | df -kh | sudo tee ./evidence/diskusage.log
151 |
152 | echo
153 |
154 | #info about live network connection
155 |
156 | echo "----------------------------------------------------------------------------------------------------"
157 | echo "Live Connection"
158 | echo "----------------------------------------------------------------------------------------------------"
159 |
160 | sudo netstat -nao | sudo tee ./evidence/livecon.log
161 |
162 | echo
163 |
164 | #info about Running Processes
165 |
166 | echo "----------------------------------------------------------------------------------------------------"
167 | echo "Running Processes"
168 | echo "----------------------------------------------------------------------------------------------------"
169 |
170 |
171 | ps -aux | sudo tee ./evidence/process.log
172 |
173 | echo
174 |
175 | #info about Process Tree listing
176 |
177 | echo "----------------------------------------------------------------------------------------------------"
178 | echo "Process Tree listing"
179 | echo "----------------------------------------------------------------------------------------------------"
180 |
181 |
182 | pstree | sudo tee ./evidence/processtree.log
183 |
184 | echo
185 |
186 | #info about probable suspicious network connection
187 |
188 | echo "----------------------------------------------------------------------------------------------------"
189 | echo "Probable suspicious Network connection"
190 | echo "----------------------------------------------------------------------------------------------------"
191 |
192 | sudo netstat -antp | sudo tee ./evidence/connwithprocess.log
193 |
194 | echo
195 |
196 | #info about established network connection
197 |
198 | echo "----------------------------------------------------------------------------------------------------"
199 | echo "Scanning Established network connection"
200 | echo "----------------------------------------------------------------------------------------------------"
201 |
202 | netstat -la | grep “LISTEN” “ESTABLISHED” | sudo tee ./evidence/establishedconn.log
203 |
204 | echo
205 |
206 | #info about last Bash history
207 |
208 | echo "----------------------------------------------------------------------------------------------------"
209 | echo "capturing last bash history"
210 | echo "----------------------------------------------------------------------------------------------------"
211 |
212 | cat .bash_history | sudo tee ./evidence/bash.log
213 |
214 | echo
215 |
216 | #info cron jobs running for the current user
217 |
218 | echo "----------------------------------------------------------------------------------------------------"
219 | echo "Cron jobs running for the current user"
220 | echo "----------------------------------------------------------------------------------------------------"
221 |
222 | crontab -l | sudo tee ./evidence/croncurrentuser.log
223 |
224 | echo
225 |
226 | #info for cron jobs running for another user
227 |
228 | echo "----------------------------------------------------------------------------------------------------"
229 | echo "Cron jobs running for another user"
230 | echo "----------------------------------------------------------------------------------------------------"
231 |
232 | crontab -u ubuntu -l | sudo tee ./evidence/cronalluser.log
233 |
234 | echo
235 |
236 | #info for scheduled cron jobs
237 | echo "----------------------------------------------------------------------------------------------------"
238 | echo "Daliy Cron job"
239 | echo "----------------------------------------------------------------------------------------------------"
240 | ls -la /etc/cron.daily | sudo tee ./evidence/crondaily.log
241 |
242 | echo
243 | echo "----------------------------------------------------------------------------------------------------"
244 | echo "Hourly Cron Jobs"
245 | echo "----------------------------------------------------------------------------------------------------"
246 |
247 | ls -la /etc/cron.hourly | sudo tee ./evidence/cronhourly.log
248 |
249 | echo
250 |
251 | echo "----------------------------------------------------------------------------------------------------"
252 | echo "Weekly Cron Jobs"
253 | echo "----------------------------------------------------------------------------------------------------"
254 |
255 | ls -la /etc/cron.weekly | sudo tee ./evidence/cronweekly.log
256 |
257 | echo
258 |
259 | #info about user profile present in the system
260 |
261 | echo "----------------------------------------------------------------------------------------------------"
262 | echo "Checking user profile present in the system"
263 | echo "----------------------------------------------------------------------------------------------------"
264 |
265 | cat etc/passwd | sudo tee ./evidence/userprofile.log
266 |
267 | echo
268 |
269 | #info about file created in last 1 week
270 |
271 | echo "----------------------------------------------------------------------------------------------------"
272 | echo "Files created in last 1 week"
273 | echo "----------------------------------------------------------------------------------------------------"
274 |
275 | find / -mtime -o -ctime -7 | sudo tee ./evidence/files.log
276 |
277 | echo
278 |
279 | #info to find all SUID files owned by the root
280 |
281 | echo "----------------------------------------------------------------------------------------------------"
282 | echo "Find all SUID files owned by the root"
283 | echo "----------------------------------------------------------------------------------------------------"
284 |
285 | sudo find / -perm -4000 -user root -type f | sudo tee ./evidence/SUID.log
286 |
287 | echo
288 |
289 | #Volatile Memory/RAM Capture Process
290 |
291 |
292 | echo "----------------------------------------------------------------------------------------------------"
293 | echo " Identifying the OS flavour "
294 | echo "----------------------------------------------------------------------------------------------------"
295 | head /etc/*release | grep "NAME"
296 | echo "----------------------------------------------------------------------------------------------------"
297 | echo " You are seeing the OS, please choose the appropriate one from below to proceed "
298 | echo " Press 1 for CentOS. "
299 | echo " Press 2 for Ubuntu. "
300 | echo " Press 3 to EXIT. "
301 | echo "----------------------------------------------------------------------------------------------------"
302 | read option1
303 |
304 | if [ "$option1" == '1' ];then
305 | echo "----------------------------------------------------------------------------------------------------"
306 | echo " Press 1 to start the process of memory aquisition. "
307 | echo "----------------------------------------------------------------------------------------------------"
308 | read option2
309 | if [ "$option2" == '1' ];then
310 | sudo yum install kernel-devel
311 | echo "----------------------------------------------------------------------------------------------------"
312 | echo " Kernel Version has been installed "
313 | echo "----------------------------------------------------------------------------------------------------"
314 |
315 | var1=$(ls /usr/src/kernels/ | grep "3.*")
316 | varx=$(ls /lib/modules/ | grep "3.*")
317 | cd /lib/modules/$varx
318 | sudo ln -sfn /usr/src/kernels/$var1 build
319 | echo "----------------------------------------------------------------------------------------------------"
320 | echo " Build link mapping has been changed "
321 | echo "----------------------------------------------------------------------------------------------------"
322 |
323 | cd /home/centos
324 | git clone https://github.com/504ensicsLabs/LiME
325 | echo "----------------------------------------------------------------------------------------------------"
326 | echo " Downloaded the required tool "
327 | echo "----------------------------------------------------------------------------------------------------"
328 |
329 | cd /home/centos/LiME/src/
330 | sudo yum install gcc
331 | sudo yum update gcc
332 | make
333 | var2=$(ls /home/centos/LiME/src | grep "lime-3*")
334 | echo "----------------------------------------------------------------------------------------------------"
335 | echo " Kernal Load has been completed, memory dump is in preogress. "
336 | echo "----------------------------------------------------------------------------------------------------"
337 |
338 | sudo insmod /home/centos/LiME/src/$var2 path=/home/centos/memory.mem format=lime
339 | echo "----------------------------------------------------------------------------------------------------"
340 | echo " Memory Dump has been completed. Check /home/centos location "
341 | echo "----------------------------------------------------------------------------------------------------"
342 | fi
343 |
344 | elif [ "$option1" == '2' ];then
345 | echo "----------------------------------------------------------------------------------------------------"
346 | echo " Press 1 to start the process of memory aquisition. "
347 | echo "----------------------------------------------------------------------------------------------------"
348 | read option2
349 | if [ "$option2" == '1' ];then
350 | wget https://github.com/microsoft/avml/releases/download/v0.3.0/avml
351 | sudo chmod 755 avml
352 | echo "----------------------------------------------------------------------------------------------------"
353 | echo " Memory Dump is in progress now.. "
354 | echo "----------------------------------------------------------------------------------------------------"
355 | sudo ./avml memory.raw
356 | echo "----------------------------------------------------------------------------------------------------"
357 | echo " Memory Capture is completed now. "
358 | echo "----------------------------------------------------------------------------------------------------"
359 | fi
360 | else
361 | exit
362 | fi
363 |
364 | echo "----------------------------------------------------------------------------------------------------"
365 | echo " Press 1 to start processing the memory image "
366 | echo " Press 2 to quit. "
367 | echo "----------------------------------------------------------------------------------------------------"
368 | read option3
369 |
370 | if [ "$option3" == '1' ];then
371 | if [ "$option1" == '2' ];then
372 | echo "----------------------------------------------------------------------------------------------------"
373 | echo " Downloading the forensic tool "
374 | echo "----------------------------------------------------------------------------------------------------"
375 |
376 | cd /home/ubuntu/
377 | git clone https://github.com/volatilityfoundation/volatility.git
378 | cd /home/ubuntu/volatility
379 | echo "----------------------------------------------------------------------------------------------------"
380 | echo " Forensic tool has been installed "
381 | echo "----------------------------------------------------------------------------------------------------"
382 | cd /home/ubuntu/volatility/tools/linux
383 | sudo apt-get update
384 | sudo apt install make
385 | sudo apt install gcc
386 | sudo apt install dwarfdump
387 | sudo apt install zip
388 | sudo apt install python
389 | echo "----------------------------------------------------------------------------------------------------"
390 | echo " Removing Dependencises and creating profile "
391 | echo "----------------------------------------------------------------------------------------------------"
392 | make
393 | var3=$(ls /home/ubuntu/volatility/tools/linux | grep "module.dwarf")
394 | var4=$(ls /boot | grep "System.map*")
395 | cd ../..
396 | sudo zip volatility/plugins/overlays/linux/Ubuntu.zip tools/linux/module.dwarf /boot/$var4
397 | echo "----------------------------------------------------------------------------------------------------"
398 | echo " Required Linux Profile has been created "
399 | echo "----------------------------------------------------------------------------------------------------"
400 | cd /home/ubuntu/volatility
401 | python vol.py --info | grep "Ubuntu"
402 |
403 | echo "----------------------------------------------------------------------------------------------------"
404 | echo " Newly created Linux Profile is visible above, copy it and supply as input "
405 | echo "----------------------------------------------------------------------------------------------------"
406 |
407 | read option4
408 | mkdir /home/ubuntu/output
409 | sudo python vol.py -f /home/ubuntu/memory.raw --profile=$option4 linux_pslist > /home/ubuntu/output/pslist.txt
410 | echo "----------------------------------------------------------------------------------------------------"
411 | echo " Process List has been extracted from memory "
412 | echo "----------------------------------------------------------------------------------------------------"
413 | sudo python vol.py -f /home/ubuntu/memory.raw --profile=$option4 linux_psscan > /home/ubuntu/output/psscan.txt
414 | echo "----------------------------------------------------------------------------------------------------"
415 | echo " Process scan has been comepleted "
416 | echo "----------------------------------------------------------------------------------------------------"
417 | sudo python vol.py -f /home/ubuntu/memory.raw --profile=$option4 linux_netstat > /home/ubuntu/output/netstat.txt
418 | echo "----------------------------------------------------------------------------------------------------"
419 | echo " Live network connection has been extracted from memory "
420 | echo "----------------------------------------------------------------------------------------------------"
421 | echo "----------------------------------------------------------------------------------------------------"
422 | echo " Press 1 to run Yara Scan "
423 | echo " Press 2 to exit "
424 | echo "----------------------------------------------------------------------------------------------------"
425 |
426 | read option5
427 | if [ "$option5" == '1' ];then
428 | echo "----------------------------------------------------------------------------------------------------"
429 | echo " Supply the parameter "
430 | echo "----------------------------------------------------------------------------------------------------"
431 | read option6
432 | python vol.py -f /home/ubuntu/memory.mem --profile=$option4 linux_yarascan -Y "$option6"> /home/ubuntu/output/yara_output.txt
433 | else
434 | cd /home/ubuntu/
435 | sudo zip -r ForensicData.zip output evidence
436 | echo "----------------------------------------------------------------------------------------------------"
437 | echo " Send ForensicData.zip file to IR Team "
438 | echo "----------------------------------------------------------------------------------------------------"
439 | exit
440 | fi
441 |
442 | elif [ "$option1" == '1' ];then
443 | echo "----------------------------------------------------------------------------------------------------"
444 | echo " Downloading the forensic tool "
445 | echo "----------------------------------------------------------------------------------------------------"
446 |
447 | cd /home/centos/
448 | git clone https://github.com/volatilityfoundation/volatility.git
449 | cd /home/centos/volatility
450 | python setup.py install
451 | echo "----------------------------------------------------------------------------------------------------"
452 | echo " Forensic tool has been installed "
453 | echo "----------------------------------------------------------------------------------------------------"
454 |
455 | cd /home/centos/volatility/tools/linux
456 | make clean
457 | sudo yum install libdwarf-tools
458 | sudo yum install build-essential
459 | echo "----------------------------------------------------------------------------------------------------"
460 | echo " Removing Dependencises and creating profile "
461 | echo "----------------------------------------------------------------------------------------------------"
462 |
463 | make
464 | var3=$(ls /home/centos/volatility/tools/linux | grep "module.dwarf")
465 | var4=$(ls /boot | grep "System.map*")
466 | cd ../..
467 | sudo yum install zip
468 | sudo zip volatility/plugins/overlays/linux/CentOS.zip tools/linux/module.dwarf /boot/$var4
469 | echo "----------------------------------------------------------------------------------------------------"
470 | echo " Required Linux Profile has been created "
471 | echo "----------------------------------------------------------------------------------------------------"
472 |
473 | cd /home/centos/volatility
474 | sudo python setup.py install
475 | echo "----------------------------------------------------------------------------------------------------"
476 | echo " Linux Profile has been loaded "
477 | echo "----------------------------------------------------------------------------------------------------"
478 |
479 | python vol.py --info | grep "CentOS"
480 |
481 | echo "----------------------------------------------------------------------------------------------------"
482 | echo " Newly created Linux Profile is visible above, copy it and supply as input "
483 | echo "----------------------------------------------------------------------------------------------------"
484 | read option4
485 | mkdir /home/centos/output
486 | python vol.py -f /home/centos/memory.mem --profile=$option4 linux_pslist > /home/centos/output/pslist.txt
487 | echo "----------------------------------------------------------------------------------------------------"
488 | echo " Process List has been extracted from memory "
489 | echo "----------------------------------------------------------------------------------------------------"
490 | python vol.py -f /home/centos/memory.mem --profile=$option4 linux_psscan > /home/centos/output/psscan.txt
491 | echo "----------------------------------------------------------------------------------------------------"
492 | echo " Process scan has been comepleted "
493 | echo "----------------------------------------------------------------------------------------------------"
494 | python vol.py -f /home/centos/memory.mem --profile=$option4 linux_netstat > /home/centos/output/netstat.txt
495 | echo "----------------------------------------------------------------------------------------------------"
496 | echo " Live network connection has been extracted from memory "
497 | echo "----------------------------------------------------------------------------------------------------"
498 |
499 | echo "----------------------------------------------------------------------------------------------------"
500 | echo " Press 1 to run Yara Scan "
501 | echo " Press 2 to exit "
502 | echo "----------------------------------------------------------------------------------------------------"
503 |
504 | read option5
505 | if [ "$option5" == '1' ];then
506 | echo "----------------------------------------------------------------------------------------------------"
507 | echo " Supply the parameter "
508 | echo "----------------------------------------------------------------------------------------------------"
509 | read option6
510 | python vol.py -f /home/centos/memory.mem --profile=$option4 linux_yarascan -Y "$option6"> /home/centos/output/yara_output.txt
511 | else
512 | exit
513 | fi
514 | else
515 | exit
516 | fi
517 | else
518 | exit
519 |
520 | fi
521 | fi
522 |
--------------------------------------------------------------------------------