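#!/bin/bash
#
# DFLinux.sh - live-response artefact collection for Linux.
#
# Gathers system, network, package, hardware, log and per-user data into
# $output_dir (one file per collector, success/failure recorded in
# extraction.log), hashes every executable on the root filesystem, captures
# RAM with the avml binary shipped next to this script, and finally packs the
# text artefacts and the memory image into a passphrase-protected zip.
#
# Environment:
#   DFLINUX_OUTPUT_DIR  output directory (default /tmp/ExtractedInfo). Prefer a
#                       directory on external media: /tmp is world-writable,
#                       cleared on reboot and frequently a RAM-backed tmpfs.
#   DFLINUX_PASSPHRASE  passphrase for the archive; prompted for when unset.
#
# Run as root (sudo ./DFLinux.sh): the memory dump, dmidecode, auth.log and
# several other collectors need it. Non-root runs are attempted but logged.

set -uo pipefail   # no -e: individual collectors are expected to fail on some hosts
umask 077          # everything written here is evidence; keep it owner-only

output_dir="${DFLINUX_OUTPUT_DIR:-/tmp/ExtractedInfo}"
logfile="$output_dir/extraction.log"
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
spinner_pid=""

# log MESSAGE - append one line to the extraction log.
log() {
  printf '%s\n' "$*" >> "$logfile"
}

# as_root CMD... - run CMD directly when already root, otherwise via sudo.
as_root() {
  if [[ $EUID -eq 0 ]]; then
    "$@"
  else
    sudo "$@"
  fi
}

# spin MESSAGE - start a background progress spinner (only on a terminal).
spin() {
  local msg=$1
  [[ -t 1 ]] || return 0
  (
    while :; do
      for c in / - \\ \|; do
        printf '\e[1;33m\r[%s] %s\e[0m' "$c" "$msg"
        sleep .1
      done
    done
  ) &
  spinner_pid=$!
}

# stop_spin MESSAGE - stop the spinner (if any) and print a completion line.
stop_spin() {
  local msg=$1
  if [[ -n "$spinner_pid" ]]; then
    { kill "$spinner_pid" && wait "$spinner_pid"; } 2>/dev/null
    spinner_pid=""
  fi
  printf '\e[1;32m\r[+] %s\e[0m\n\n' "$msg"
  return 0
}

# cleanup - runs on every exit path: reap a running spinner and restore the
# cursor that 'tput civis' hid (early 'exit 1' paths previously left it hidden
# and the spinner subshell running).
cleanup() {
  if [[ -n "$spinner_pid" ]]; then
    { kill "$spinner_pid" && wait "$spinner_pid"; } 2>/dev/null
  fi
  [[ -t 1 ]] && tput cnorm 2>/dev/null
  return 0
}
trap cleanup EXIT

# write_output FILENAME CMD [ARG...]
# Runs CMD with its arguments, capturing stdout and stderr in
# $output_dir/FILENAME, and records the outcome (with exit status) in the log.
# Arguments are passed as separate words, so paths containing spaces survive;
# a missing command shows up as exit 127 in the log like any other failure.
write_output() {
  local filename=$1
  shift
  local rc
  "$@" > "$output_dir/$filename" 2>&1
  rc=$?
  if (( rc == 0 )); then
    log "Successfully executed: $*"
  else
    log "Failed to execute (exit $rc): $*"
  fi
}

# collect_history USER_HOME USERNAME SHELL
# Copies USER_HOME/.SHELL_history into SHELL_command_history_USERNAME.txt, or
# writes a placeholder line when the user has no such file.
collect_history() {
  local user_home=$1 username=$2 shell=$3
  local hist="$user_home/.${shell}_history"
  local out="${shell}_command_history_${username}.txt"
  if [[ -f "$hist" ]]; then
    write_output "$out" cat -- "$hist"
  else
    printf 'No .%s_history for %s\n' "$shell" "$username" >> "$output_dir/$out"
  fi
}

#---------------------------------------------------------------------------
# Passphrase and output directory
#---------------------------------------------------------------------------

# Take the passphrase out of the environment before anything else runs so the
# 'env' collector below cannot write it into the evidence set.
passphrase="${DFLINUX_PASSPHRASE:-}"
unset DFLINUX_PASSPHRASE
if [[ -z "$passphrase" ]]; then
  read -r -s -p "Passphrase for the output archive: " passphrase
  printf '\n'
fi
if [[ -z "$passphrase" || "$passphrase" == "YOUR_PASSPHRASE" ]]; then
  printf 'A non-empty passphrase is required (set DFLINUX_PASSPHRASE or answer the prompt).\n' >&2
  exit 1
fi

# /tmp is world-writable: refuse a pre-planted symlink at the output path and
# a directory owned by someone else, then make the directory owner-only.
if [[ -L "$output_dir" ]]; then
  printf 'Output path %s is a symlink; refusing to use it.\n' "$output_dir" >&2
  exit 1
fi
if ! mkdir -p -- "$output_dir" || ! chmod 700 -- "$output_dir"; then
  printf 'Cannot create output directory %s.\n' "$output_dir" >&2
  exit 1
fi
if [[ ! -O "$output_dir" ]]; then
  printf 'Output directory %s is not owned by the current user; refusing to write there.\n' "$output_dir" >&2
  exit 1
fi
: > "$logfile"

if [[ $EUID -ne 0 ]]; then
  log "WARNING: not running as root; the memory dump and several collectors will fail."
  printf 'WARNING: not running as root; expect incomplete results.\n' >&2
fi

[[ -t 1 ]] && tput civis 2>/dev/null

#---------------------------------------------------------------------------
# Optional dependency installation
#---------------------------------------------------------------------------

# Read ID from /etc/os-release instead of sourcing it: sourcing executes, as
# root, whatever a compromised host has put in that file.
distro=""
if [[ -f /etc/os-release ]]; then
  distro=$(sed -n 's/^ID=//p' /etc/os-release | tr -d '"' | head -n 1)
fi
if [[ -z "$distro" ]]; then
  log "Unable to determine distribution."
  printf 'Unable to determine distribution.\n' >&2
  exit 1
fi

read -r -p "Install additional dependencies for proper extraction? (y/n): " install_dependencies
case "$install_dependencies" in
  y|Y)
    log "Installing Dependencies."
    spin "Installing Dependencies..."
    # Package installation modifies the target (package database, logs, file
    # timestamps). On a host under investigation prefer 'n' and bring the
    # tools on the same media as this script.
    install_rc=0
    case "$distro" in
      ubuntu|debian|linuxmint|elementary)
        as_root apt-get update &> /dev/null
        as_root apt-get install -y util-linux net-tools zip unzip &> /dev/null || install_rc=$?
        ;;
      centos|rhel|fedora)
        # 'yum update' (the previous step here) upgrades every package on the
        # host and, lacking -y, blocked on a prompt hidden by the redirect.
        # Installing the named packages is all that is required.
        if command -v dnf &> /dev/null; then
          as_root dnf install -y util-linux net-tools zip unzip &> /dev/null || install_rc=$?
        else
          as_root yum install -y util-linux net-tools zip unzip &> /dev/null || install_rc=$?
        fi
        ;;
      opensuse*)
        # openSUSE reports IDs such as opensuse-leap / opensuse-tumbleweed,
        # which an exact "opensuse" match never hits.
        as_root zypper refresh &> /dev/null
        as_root zypper install -y util-linux net-tools zip unzip &> /dev/null || install_rc=$?
        ;;
      *)
        log "Unsupported distribution for dependency installation: $distro"
        printf 'Unsupported distribution for dependency installation: %s\n' "$distro" >&2
        exit 1
        ;;
    esac
    if (( install_rc == 0 )); then
      log "Successfully Installed Dependencies."
      stop_spin "Successfully Installed Dependencies."
    else
      log "Dependency installation failed (exit $install_rc); continuing with available tools."
      stop_spin "Dependency installation failed; continuing (see $logfile)."
    fi
    ;;
  n|N)
    log "Skipping Dependency Installation."
    stop_spin "Skipped Installing Dependencies."
    ;;
  *)
    printf "Invalid input. Please enter 'y' or 'n'.\n"
    exit 1
    ;;
esac

#---------------------------------------------------------------------------
# Artefact collection
#---------------------------------------------------------------------------

spin "Extracting Data..."
log "Forensic data extraction started at $(date)"

# System Information
write_output system_uptime.txt uptime -p
write_output system_startup_time.txt uptime -s
write_output current_system_date.txt date
write_output current_unix_timestamp.txt date +%s
write_output system_environment_variables.txt env
write_output system_modules.txt lsmod
write_output open_files.txt lsof
write_output system_users.txt cat /etc/passwd
write_output system_groups.txt cat /etc/group
write_output system_cpuinfo.txt cat /proc/cpuinfo
write_output system_sudoers_file.txt cat /etc/sudoers
write_output system_filesystem_table.txt cat /etc/fstab
write_output running_processes.txt ps aux

if command -v hwclock &> /dev/null; then
  write_output hardware_clock_readout.txt hwclock -r
else
  log "hwclock command not found"
fi

# Operating System Installation Date
write_output root_filesystem_info.txt df -P /
write_output os_installer_log.txt ls -l /var/log/installer
root_device=$(df -P / | awk 'NR==2 {print $1}')
# Only meaningful for ext2/3/4; on other filesystems tune2fs fails and the
# failure is recorded in the log.
write_output root_partition_filesystem_details.txt tune2fs -l "$root_device"

# Network Information. ifconfig/netstat are kept for older hosts; ip/ss are
# present on current systems and also give routes and listening sockets.
write_output network_configuration.txt ifconfig
write_output ip_address_info.txt ip addr
write_output network_interfaces.txt netstat -i
write_output ip_routes.txt ip route
write_output listening_sockets.txt ss -tulpan

# Installed Programs (one of the two will fail depending on the family)
write_output dpkg_installed_packages.txt dpkg -l
write_output rpm_installed_packages.txt rpm -qa

# Hardware Information
write_output pci_device_list.txt lspci
write_output hardware_summary_report.txt lshw -short
write_output dmi_bios_info.txt dmidecode

# System Logs and Usage
write_output system_journal_logs.txt journalctl --no-pager
write_output system_syslog.txt cat /var/log/syslog
write_output system_auth_logs.txt cat /var/log/auth.log
write_output var_log_directory_listing.txt ls -lah /var/log/
write_output last_logged_on_users.txt last

# Per-user artefacts; /root is handled explicitly because /home/* misses it.
collect_history /root root bash
collect_history /root root zsh
for user_home in /home/*; do
  [[ -d "$user_home" ]] || continue
  username=$(basename -- "$user_home")
  collect_history "$user_home" "$username" bash
  collect_history "$user_home" "$username" zsh
  write_output "recently_used_files_$username.txt" cat -- "$user_home/.local/share/recently-used.xbel"
  write_output "scheduled_cron_jobs_$username.txt" crontab -l -u "$username"
done

if crontab -l &> /dev/null; then
  write_output scheduled_cron_jobs_root.txt crontab -l
else
  printf 'No crontab for root\n' >> "$output_dir/scheduled_cron_jobs_root.txt"
fi
# System-wide schedulers that per-user crontab listings do not show.
write_output system_cron_directories.txt ls -la /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.weekly /etc/cron.monthly /var/spool/cron

stop_spin "Successfully Extracted Data."
log "Forensic data extraction completed at $(date)"

#---------------------------------------------------------------------------
# Executable hashing
#---------------------------------------------------------------------------

spin "Hashing Executable Files..."
log "Started Hashing Executable Files."
# SHA-256 rather than MD5: MD5 collisions are practical, so an MD5 list cannot
# show that a binary was not swapped. -xdev keeps find on the root filesystem
# (which is also what keeps it out of /proc and /sys); executables on a
# separately mounted /usr, /opt or /home are therefore not hashed.
find / -xdev -type f -executable -exec sha256sum -- {} + 2>/dev/null \
  > "$output_dir/executables_SHA256_hashes.txt"
stop_spin "Successfully Hashed Executable Files."
log "Successfully Completed Hashing Executable Files."

#---------------------------------------------------------------------------
# Memory dump
#---------------------------------------------------------------------------

spin "Dumping Memory..."
log "Started Dumping Memory."

# Writing a RAM image onto a RAM-backed filesystem consumes the memory being
# captured and is lost on reboot; warn so the operator can redirect output.
if command -v findmnt &> /dev/null; then
  out_fstype=$(findmnt -n -o FSTYPE --target "$output_dir" 2>/dev/null)
  if [[ "$out_fstype" == "tmpfs" ]]; then
    log "WARNING: $output_dir is on tmpfs (RAM-backed); the memory image will consume RAM and vanish on reboot."
    printf 'WARNING: %s is on tmpfs; point DFLINUX_OUTPUT_DIR at persistent media.\n' "$output_dir" >&2
  fi
fi

# avml is a prebuilt binary shipped in this repository and runs as root:
# verify its checksum against the upstream release before trusting it on a
# live host. It is resolved relative to this script rather than to the
# caller's working directory.
avml_bin="$script_dir/avml"
if [[ -x "$avml_bin" ]]; then
  as_root "$avml_bin" "$output_dir/memory.dmp"
  avml_rc=$?
  if (( avml_rc == 0 )); then
    log "Successfully Completed Dumping Memory."
    stop_spin "Successfully Dumped Memory."
  else
    log "Memory dump failed (avml exit status $avml_rc)."
    stop_spin "Memory dump failed (see $logfile)."
  fi
else
  log "avml not found or not executable at $avml_bin; skipping memory dump."
  stop_spin "Memory dump skipped: avml not found (see $logfile)."
fi

#---------------------------------------------------------------------------
# Archive
#---------------------------------------------------------------------------

spin "Encrypting & Compressing Data..."
log "Started Encrypting & Compressing Data."
host_name=$(hostname)
archive="$output_dir/$host_name.zip"
# zip -P puts the passphrase on the command line, where 'ps' shows it to every
# local user while the archive is built, and Info-ZIP applies legacy ZipCrypto;
# treat the result as access-controlled rather than strongly encrypted and move
# it to trusted storage promptly. -m removes the inputs once they are archived;
# the memory image is included so it is not left in the clear beside the zip.
(
  cd -- "$output_dir" || exit 1
  members=( *.txt )
  [[ -f memory.dmp ]] && members+=( memory.dmp )
  zip -q -P "$passphrase" -m "$archive" "${members[@]}"
) &> /dev/null
zip_rc=$?
unset passphrase

if (( zip_rc == 0 )); then
  # Hash of the archive for integrity checks after transfer (chain of custody).
  ( cd -- "$output_dir" && sha256sum "$host_name.zip" > "$host_name.zip.sha256" )
  log "Successfully Encrypted & Compressed Data."
  stop_spin "Successfully Encrypted & Compressed Data."
else
  log "Archive creation failed (zip exit status $zip_rc); plaintext artefacts remain in $output_dir."
  stop_spin "Archive creation failed; plaintext artefacts remain (see $logfile)."
fi

log "Data extraction complete. Check the $output_dir directory for output."
printf '\e[1;32m[+] Data extraction complete. Check the %s directory for output.\e[0m\n' "$output_dir"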
The script automates the collection of a wide range of system and user data, making it a valuable tool for IT professionals, system administrators, and digital forensic investigators. 4 | 5 | ## Features 6 | 7 | - **System Information**: Collects basic system information including uptime, startup time, hardware clock readouts, environment variables, and more. 8 | - **Operating System Details**: Extracts information about the operating system installation, including installer logs and file system details. 9 | - **Network Information**: Gathers network configuration, IP addresses, and network interface details. 10 | - **Installed Programs**: Lists all installed packages using both `rpm` and `dpkg`. 11 | - **Hardware Information**: Retrieves detailed information about PCI devices, hardware summaries, and BIOS data. 12 | - **System Logs**: Captures system journal logs, authentication logs, syslog and a listing of the `/var/log` directory. 13 | - **User Data**: Extracts user-specific data such as recently used files and bash/zsh command history. 14 | - **Memory Dump**: Captures a full memory image (with the bundled `avml`) for detailed analysis. 15 | - **Process Information**: Captures information about current running processes. 16 | - **User Login History**: Records user login history and scheduled tasks. 17 | - **Secure Output Handling**: Compresses the gathered data into a passphrase-protected zip. Note that standard `zip -P` applies the legacy ZipCrypto scheme and exposes the passphrase on the command line (visible in `ps`) while the archive is being built, so treat the archive as access-controlled rather than strongly encrypted and move it to trusted storage as soon as collection finishes. 18 | 19 | ## Usage 20 | 21 | 1. **Set Permissions**: Ensure the script and the bundled `avml` binary are executable, then run the script as root: 22 | ```bash 23 | git clone https://github.com/vm32/Digital-Forensics-Script-for-Linux 24 | cd Digital-Forensics-Script-for-Linux 25 | chmod +x DFLinux.sh avml 26 | sudo ./DFLinux.sh 27 | ``` 28 | `avml` is a prebuilt binary shipped in this repository and is executed as root; verify its checksum against the upstream AVML release before running it on a live host. Output: Check the specified output directory for the collected data. 29 | 30 | ## Requirements 31 | - The script is intended for use on Linux systems. 32 | - Please make sure you have the necessary permissions to execute the script and access system files. 
33 | - The script requires certain additional packages for proper extraction; you will be asked whether to install them when the script starts. Installing packages modifies the target system (package database, logs, file timestamps), so on a host under investigation prefer to answer `n` and bring the required tools with you on the same media as the script. 34 | 35 | ## Security and Privacy 36 | - The script compresses the output data into a passphrase-protected zip. Use a strong passphrase of your own: do not leave the `YOUR_PASSPHRASE` placeholder in place, and never commit a real passphrase to version control. The collected data includes shell histories, `/etc/sudoers`, authentication logs and a full memory image, so handle and store it responsibly, adhering to relevant laws and regulations. 37 | 38 | ## Linux Distribution Compatibility 39 | 40 | The digital forensics Bash script is designed to be compatible with most major Linux distributions. Below is a breakdown of compatibility across different types of distributions: 41 | 42 | ### Debian-based distributions (e.g., Ubuntu, Linux Mint) 43 | - Utilizes `dpkg` for listing installed packages, which is specific to Debian-based systems. 44 | 45 | ### Red Hat-based distributions (e.g., Fedora, CentOS, RHEL) 46 | - Includes `rpm -qa` for listing installed RPM packages, catering to Red Hat-based systems. 47 | 48 | ### Arch Linux and derivatives (e.g., Manjaro) 49 | - The script does not include a specific command for `pacman`, but this can be added with another `write_output` call next to the existing `dpkg -l` and `rpm -qa` ones (for example running `pacman -Q` and writing the result to `pacman_installed_packages.txt`). 50 | - Other commands should function as expected, assuming the necessary tools are installed. 51 | 52 | ### Other distributions 53 | - Compatibility depends on the availability of the specific tools and commands used in the script. 54 | - Modifications may be needed based on the distribution's package management system and available utilities. 55 | 56 | ### Additional Notes 57 | - The script uses traditional networking tools like `ifconfig` and `netstat`. Some newer distributions no longer ship them and provide `ip` and `ss` instead, requiring modifications to those commands. 58 | - Root access is generally required for many of the script's operations. 
59 | - It is recommended to test the script in a controlled environment on your specific distribution to ensure compatibility and make any necessary adjustments. 60 | 61 | # Output 62 | The results of this script are written to `/tmp/ExtractedInfo/` by default, which will contain a password-protected zip of the collected data together with the memory dump and the extraction log file. Expect the memory dump to be roughly the size of the machine's RAM, so make sure the output location has enough free space before starting.

63 | `/tmp` is used as the default because it is a standard, writable temporary directory on every Linux system, but it is a poor place to keep evidence: it is world-writable (another local user can pre-create a directory or symlink at the output path before a root-run collection), it is usually cleared on reboot, and on many distributions it is a RAM-backed tmpfs, so a memory image written there competes for the very memory being captured. Set `output_dir` at the top of the script to a directory on external or otherwise trusted media, and move the archive off the host as soon as collection finishes.
64 | 65 | ![DFIR](https://github.com/SanketBaraiya/Digital-Forensics-Script-for-Linux/assets/56958135/844806bf-8eec-49c4-8dd4-b5962cff1c22) 66 | 67 | In summary, while the script should work on most major Linux distributions with minimal modifications, slight adjustments may be required for specific distributions, particularly those not based on Debian or Red Hat. 68 | ## Star History 69 | 70 | [![Star History Chart](https://api.star-history.com/svg?repos=vm32/Digital-Forensics-Script-for-Linux&type=Date)](https://star-history.com/#vm32/Digital-Forensics-Script-for-Linux&Date) 71 | -------------------------------------------------------------------------------- /avml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vm32/Digital-Forensics-Script-for-Linux/eabb9cfca8992debabb7c0af72227d29e8702bba/avml --------------------------------------------------------------------------------