DFIR_Linux_Collector

Stand-alone collecting tools for Gnu/Linux

• Very low impact on the host
• No use of host binaries (anti hooking)
  • all binaries are included in the executable
• Export in json format (log) / raw (dump ram) and Text format
• Dump ram with avml (ref to compatilibilty https://github.com/microsoft/avml#tested-distributions)
• The result is a compressed archive and a checksum file

Compatibility

Distribution	Version	Ok	Error	Comments
Ubuntu	12 - 20	✔️	---	---
Debian	> 8	✔️	---	---
Fedora	30	✔️	---	---
CentOS	7	✔️	---	---
CentOS	6	---	✖️	Kernel too old

The other distributions are not yet tested, still in progress ...

Quick start

git clone https://github.com/xophidia/DFIR_Linux_Collector.git
cd DFIR_Linux_Collector
./setup.sh

sudo ./DFIR_linux_collector 
Verifying archive integrity...  100%   MD5 checksums are OK. All good.
Uncompressing orc  100%  



    ██████╗ ██╗      ██████╗
    ██╔══██╗██║     ██╔════╝
    ██║  ██║██║     ██║      
    ██║  ██║██║     ██║     
    ██████╔╝███████╗╚██████╗
    ╚═════╝ ╚══════╝ ╚═════╝
                        
     DFIR Linux Collector



    Case Number : 10 
    Description : linux_host
    Examiner Name : Xophidia
    Hostname : 10_01

    Dump generic artifacts
    +  uname ....................[success]
    +  env ......................[success]
    +  uptime ...................[success]
    +  lsmod ....................[success]
    +  passwd ...................[success]
    +  auth .....................[success]
    +  syslog ...................[success]
    +  date .....................[success]
    +  who ......................[success]
    +  cpuinfo ..................[success]
    +  group ....................[success]
    +  lsof .....................[success]
    +  mount ....................[success]
    +  sudoers ..................[success]


    Dump network artifacts
    +  ip .......................[success]
    +  netstat ..................[success]
    +  arp ......................[success]

    
    Dump process artifacts
    +  ps .......................[success]

    
    Dump user artifacts
    +  c_ssh ....................[success]
    +  firefox ..................[success]
    +  c_git ....................[success]
    +  chromium .................[success]
    +  google-chrome ............[success]
    +  command_history ..........[success]

    Dump artefacts / linux distribution
    +  Debian-like artifacts 
    +  installer debug ..........[success]
    +  installer syslog .........[success]

Artifacts

🔘 Generic

Command / file	Json	Text	Raw
env	✔️	---	---
uptime	✔️	---	---
uname -a	✔️	---	---
lsmod	✔️	---	---
/etc/passwd	✔️	---	---
/etc/group	✔️	---	---
date	✔️	---	---
who	✔️	---	---
cpuinfo	✔️	---	---
lsof	---	✔️	---
sudoers	✔️	---	---
mount	✔️	---	---
fstab	✔️	---	---
last	✔️	---	---

🔘 Ssh

Command / file	Json	Text	Raw
authorized_keys	✔️	---	---
known_hosts	✔️	---	---

🔘 Network

Command / file	Json	Text	Raw
ip	✔️	---	---
netstat	✔️	---	---
arp	✔️	---	---

🔘 Processus

Command / file	Json	Text	Raw
ps	✔️	---	---

🔘 Browser

Command / file	Json	Text	Raw
Firefox	✔️	---	---
Google Chrome	✔️	---	---
Chromium	✔️	---	---

🔘 Log

Command / file	Json	Text	Raw
auth.log	---	✔️	---
syslog	✔️	---	---

🔘 Home

Command / file	Json	Text	Raw
.gitconfig	✔️	---	---
.command_history (bash + zsh)	✔️	---	✔️
.viminfo	---	✔️	---

🔘 Desktop

Command / file	Json	Text	Raw
trash	---	---	✔️

🔘 Files

Command / file	Json	Text	Raw	Csv
hashes MD5	✔️	✔️	---	---
file perm	✔️	---	---	---
timeline	---	---	---	✔️

🔘 Dump

Command / file	Json	Text	Raw
avml	---	---	✔️
LiME	✖️	✖️	✖️
/boot/System.map-$(uname -r)	---	---	✔️
/boot/vmlinuz	---	---	✔️

🔘 Antivirus

Command / file	Json	Text	Raw
ClamAV	✔️	---	---

License

All the code of the project is licensed under the GNU Lesser General Public License

Contributors

xophidia https://github.com/xophidia
Dupss https://github.com/dupss
leludo84 https://github.com/leludo84