Linux Forensic Artifacts Collector - LFAC

Script to automate Linux logs & artifacts collection. It uses built-in tools to automate the collection of system artifacts. It was created to make data collection easier and to depend less on remote tools/agents during incident response engagements.

Features

  • Collecting logs from:
    • user & root .bash_history
    • user & root cron/crontab
    • ifconfig/ip addr
    • netstat
    • ps aux
    • /var/log
    • /tmp
  • Checking mechanism - to see if net-tools is installed. If not, the script will install it. Hopefully.. *sigh*
  • Tested on Ubuntu 20.04, Debian 10 & RedHat 8.4.

Dependencies

  • net-tools - networking utilities for Linux

How to Run

  • Copy LFAC.sh to your host machine
  • Give it execution permission by running chmod +x LFAC.sh
  • Then run the script as below:
    $ sudo ./LFAC.sh
  • Wait until it has finished collecting the logs
  • The compressed logs will be located in the /opt/ dir, named <hostname>.tar.gz
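The run described above, together with the net-tools check from the Features list and the ifconfig-to-ip move on the to-do list, can be sketched as one small collector. This is an added example, not LFAC.sh itself; the function names and the ROOT parameter (which lets the same functions run against a mounted image or a constructed test tree instead of the live "/") are my own choices, while the artifact list and the /opt/<hostname>.tar.gz layout follow the README.

```shell
#!/bin/sh
# Added illustration, not LFAC.sh itself: a minimal collector that follows the
# workflow described in the README (per-user .bash_history and crontabs, account
# files, /var/log, /tmp, volatile network and process state, <hostname>.tar.gz).
# Function names and the ROOT parameter are assumptions of this example.

# Use whichever networking tools exist instead of installing net-tools:
# iproute2 (ip/ss) first, net-tools (ifconfig/netstat) as the fallback.
net_iface_cmd() {
  if command -v ip >/dev/null 2>&1; then echo "ip addr"
  elif command -v ifconfig >/dev/null 2>&1; then echo "ifconfig -a"
  else return 1; fi
}
net_conn_cmd() {
  if command -v ss >/dev/null 2>&1; then echo "ss -tulpan"
  elif command -v netstat >/dev/null 2>&1; then echo "netstat -tulpan"
  else return 1; fi
}

# collect_artifacts OUT [ROOT] -- copy file-based artifacts from ROOT (default "/")
# into OUT. cp -p keeps the original mtimes so the copies stay usable as evidence.
collect_artifacts() {
  out=$1; root=${2:-}
  mkdir -p "$out/history" "$out/cron" "$out/accounts" "$out/logins" \
           "$out/var_log" "$out/tmp" "$out/hidden"

  # One .bash_history and crontab per account listed in passwd, root included.
  while IFS=: read -r user _ _ _ _ home _; do
    if [ -f "$root$home/.bash_history" ]; then
      cp -p "$root$home/.bash_history" "$out/history/$user.bash_history"
    fi
    for spool in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
      if [ -f "$spool" ]; then cp -p "$spool" "$out/cron/$user.crontab"; fi
    done
  done < "$root/etc/passwd"

  # Account context (passwd, shadow, group, sudoers), system cron and timezone.
  for f in passwd shadow group sudoers; do
    if [ -f "$root/etc/$f" ]; then cp -p "$root/etc/$f" "$out/accounts/"; fi
  done
  if [ -f "$root/etc/crontab" ]; then cp -p "$root/etc/crontab" "$out/cron/"; fi
  if [ -d "$root/etc/cron.d" ]; then cp -rp "$root/etc/cron.d" "$out/cron/"; fi
  if [ -f "$root/etc/timezone" ]; then cp -p "$root/etc/timezone" "$out/"; fi

  # Login records: utmpdump one file at a time (a * glob only dumps the first one).
  for log in var/run/utmp var/log/wtmp; do
    if [ -f "$root/$log" ] && command -v utmpdump >/dev/null 2>&1; then
      utmpdump "$root/$log" > "$out/logins/$(basename "$log").txt" 2>/dev/null || true
    fi
  done
  if [ -f "$root/var/log/lastlog" ]; then cp -p "$root/var/log/lastlog" "$out/logins/"; fi
  if [ -d "$root/var/log" ]; then cp -rp "$root/var/log/." "$out/var_log/" 2>/dev/null || true; fi
  if [ -d "$root/tmp" ]; then cp -rp "$root/tmp/." "$out/tmp/" 2>/dev/null || true; fi

  # Hidden files and directories: listed rather than copied to keep the archive small.
  find "$root/" -path "$root/proc" -prune -o -name '.*' -print \
      > "$out/hidden/hidden_paths.txt" 2>/dev/null || true
  return 0
}

# collect_live OUT -- volatile state of the running host (run as root for full detail).
collect_live() {
  out=$1; mkdir -p "$out/network" "$out/process"
  if cmd=$(net_iface_cmd); then $cmd > "$out/network/interfaces.txt" 2>&1 || true; fi
  if cmd=$(net_conn_cmd); then $cmd > "$out/network/connections.txt" 2>&1 || true; fi
  ps aux > "$out/process/ps_aux.txt" 2>&1 || true
  # Processes whose on-disk binary was deleted: /proc/<pid>/exe still names it.
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case $target in *"(deleted)") echo "${exe%/exe}: $target" ;; esac
  done > "$out/process/deleted_running.txt"
  return 0
}

# pack_artifacts OUT DEST NAME -- write a SHA-256 manifest of every collected file,
# then DEST/NAME.tar.gz (the README's layout is /opt/<hostname>.tar.gz).
pack_artifacts() {
  out=$1; dest=$2; name=$3
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$out" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + > MANIFEST.sha256)
  fi
  tar -czf "$dest/$name.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
}

# Live run (as root): LFAC_EXAMPLE_RUN=1 ./collect.sh  ->  /opt/<hostname>.tar.gz
if [ "${LFAC_EXAMPLE_RUN:-0}" = 1 ]; then
  name=$(hostname); work="/opt/lfac_$name"
  collect_artifacts "$work" && collect_live "$work" && pack_artifacts "$work" /opt "$name"
fi
```

The manifest is the one step worth keeping even in a quick triage script: hashing the copies before they are tarred lets whoever receives the archive show that nothing changed in transit. Preferring ip/ss when they exist also removes the need to install packages on the host being examined, which keeps the footprint of the collection itself small.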

Screenshot

  [Screenshots: Ubuntu 20.04, Debian 10, RHEL 8.4]

Changelogs

  • Beta (09 Jul 2021): Beta version of the script by Fikri Ramli.
  • 1.0 (13 Jul 2021): Improved arrangement of the log copies & applied file compression.
  • 1.1 (21 Jul 2021): Improved arrangement of the log copies. Tested on Ubuntu 20.04, Debian 10 & RedHat 8.4.
  • 1.2 (22 Jul 2021): Improved the .bash_history copy method for each user and a better folder naming convention.
  • 1.3 (02 Sep 2021): Collect user account context logs (passwd, shadow, group and sudoers), stored in the accounts folder; also timezone & btmp.
  • 1.4 (21 Sep 2021): Adjusted the file compression structure.
  • 1.5 (05 Oct 2021): Distro check for net-tools availability. Collect ifconfig/ip addr info. Added ASCII art; cause, why not? :)
  • 1.5.1 (15 Oct 2021): Disabled the wtmp & btmp dump logs; the dump only read the first log when a * wildcard was used in the filename. Corrected the net-tools installation method for RHEL.
  • 1.5.2 (17 Oct 2021): Added lastlog, a search for deleted binaries that are still running, a search for hidden dirs & files, and a search for hidden & non-hidden executables on the system. Removed btmp (as it only records failed login attempts). Added the utmp log. More refined utmpdump method.

To-Do-List (In Future)

  • Change from ifconfig to ip addr - since ifconfig is being deprecated
  • Probably add more artifacts to be collected in future

Credit

  • This script was developed together with Fikri Ramli

License

MIT License. Copyright (c) 2021 Mohd Khairulazam. See License.
