A live-triage script with a workflow straight from the BTFM (Blue Team Field Manual).
It performs triage/autopsy of a Linux-based system using mostly built-in utilities and writes the results to separate log files, one per information type.
- `autorun-info.log`
  - Lists system-wide cron jobs
  - Lists files in the /etc/init.d directory
- `chkrootkit.log`
  - Runs the `chkrootkit` command (must be installed)
  - Runs the
- `file-info.log`
  - Lists files/folders in the root directory
  - Lists all files over 100MB
  - Lists mounted drives
- `net-info.log`
  - Lists processes that are listening on network sockets
  - Shows the routing table
  - Shows the contents of /etc/hosts
  - Shows the ARP table
- `service-info.log`
  - Lists running services
  - Lists loaded kernel modules
  - Lists files that are open locally
  - Lists files that are open over the network
  - Lists unlinked processes (running processes whose executable has been deleted from disk)
- `sys-info.log`
  - Shows the server hostname
  - Records the current time on the server
  - Records the server uptime
- `user-info.log`
  - Shows users that are currently logged in
  - Shows users that have logged in remotely
  - Shows failed logins
  - Shows the /etc/passwd file
  - Shows the /etc/group and /etc/sudoers files
  - Shows accounts with UID 0
  - Shows root's authorized SSH keys
  - Shows the root user's .bash_history file
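The following is an added example of how the per-log-file collection above can be built, using a single helper that appends a titled section to a log and records the command's exit status. It is not the project's own `triage.sh`; the function names, the exact commands chosen for each item, the `--host` flag and the sample passwd data are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's own triage.sh): a small library in the
# spirit of the workflow this README describes. Function names, log-file
# layout and the sample passwd data are this example's own assumptions.

# Append one titled section to a log file. stdout and stderr are captured and
# the exit status recorded, so a tool that is not installed (chkrootkit, lsof)
# or a permission error on /etc/sudoers never aborts the rest of the run.
run_section() {
    local log=$1 title=$2 status=0
    shift 2
    { printf '\n===== %s =====\ncommand: %s\n' "$title" "$*"; } >>"$log"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'SKIPPED: %s is not installed\n' "$1" >>"$log"
        return 0
    fi
    if "$@" >>"$log" 2>&1; then status=0; else status=$?; fi
    printf 'exit status: %d\n' "$status" >>"$log"
    return 0
}

# Every account whose numeric UID is 0, read from a passwd-format file so the
# check also works on a passwd copied off a suspect host.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Succeeds only when root is the sole UID-0 account; a second one is a
# classic backdoor and should be treated as a finding.
only_root_has_uid0() {
    [ "$(uid0_accounts "$1")" = "root" ]
}

# Processes whose executable has been unlinked from disk (the README's
# "unlinked processes"); -lname is a GNU find extension.
unlinked_processes() {
    find /proc -maxdepth 2 -name exe -lname '*(deleted)' 2>/dev/null
}

# The user-info.log section of the README. $2 lets an analyst point the
# passwd-based checks at a copied file instead of the live /etc/passwd.
collect_user_info() {
    local out=$1 passwd=${2:-/etc/passwd} log="$1/user-info.log"
    mkdir -p "$out"
    run_section "$log" "Logged-in users" who -a
    run_section "$log" "Remote logins" last -a -i
    run_section "$log" "Failed logins" lastb -a
    run_section "$log" "/etc/passwd" cat "$passwd"
    run_section "$log" "/etc/group and /etc/sudoers" cat /etc/group /etc/sudoers
    run_section "$log" "Accounts with UID 0" uid0_accounts "$passwd"
    run_section "$log" "root authorized_keys" cat /root/.ssh/authorized_keys
    run_section "$log" "root .bash_history" cat /root/.bash_history
}

# The remaining log files from the README, collected live on this host.
triage_host() {
    local out=$1
    mkdir -p "$out"
    run_section "$out/sys-info.log" "Hostname" hostname
    run_section "$out/sys-info.log" "Current time (UTC)" date -u
    run_section "$out/sys-info.log" "Uptime" uptime
    run_section "$out/autorun-info.log" "System cron jobs" cat /etc/crontab
    run_section "$out/autorun-info.log" "cron.d" ls -la /etc/cron.d
    run_section "$out/autorun-info.log" "init.d" ls -la /etc/init.d
    run_section "$out/net-info.log" "Listening sockets" ss -lntup
    run_section "$out/net-info.log" "Routing table" ip route show
    run_section "$out/net-info.log" "/etc/hosts" cat /etc/hosts
    run_section "$out/net-info.log" "ARP/neighbour table" ip neigh show
    run_section "$out/service-info.log" "Running services" \
        systemctl list-units --type=service --state=running --no-pager
    run_section "$out/service-info.log" "Loaded kernel modules" lsmod
    run_section "$out/service-info.log" "Open files" lsof -nP
    run_section "$out/service-info.log" "Network open files" lsof -nP -i
    run_section "$out/service-info.log" "Unlinked processes" unlinked_processes
    run_section "$out/file-info.log" "Root directory" ls -la /
    run_section "$out/file-info.log" "Files over 100MB" \
        find / -path /proc -prune -o -type f -size +100M -print
    run_section "$out/file-info.log" "Mounted drives" mount
    run_section "$out/chkrootkit.log" "chkrootkit" chkrootkit
    collect_user_info "$out"
}

# Constructed sample passwd for self-checks: "toor" is a planted second
# UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Usage: sudo bash triage-lib.sh --host ./triage-$(hostname)
if [ "${1:-}" = "--host" ]; then
    triage_host "${2:-./triage-$(hostname)}"
fi
```

Run it as root, since /etc/sudoers, /root/.ssh/authorized_keys and /root/.bash_history are unreadable otherwise; with this helper a permission error or a missing tool is simply recorded in the log with its exit status instead of stopping the collection.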
If you like this script, consider starring this repo.
Be sure to install the `lsof` and `chkrootkit` commands through an available package manager (apt, pacman, yay, etc.).

- Using apt: `sudo apt install lsof chkrootkit`
- Pull this repo: `git clone https://github.com/Codex-Major/Linux-Live-Triage`
- Make the script executable: `cd Linux-Live-Triage; sudo chmod +x ./triage.sh`
- Run the script: `sudo ./triage.sh`

Run it as root: several of the checks read /etc/sudoers, /root/.ssh/authorized_keys and /root/.bash_history, which are not readable by an unprivileged user.