DFIR Tool for Linux System to collect and gather all kind of data in case of compromised system.
Planned (not yet implemented):
- Code the DEAD option
- Fully support RedHat
- Fully support BSD
- Fully support macOS
- Code the external module part
- Add more commands
Collected data:
- Audit-Risk
  - Plain text passwords
  - SSH keys
- Users & Groups
  - Passwd and shadow files
  - Groups
  - Temp users
  - Sudoers
- System Configuration
  - Network settings
  - OS release
  - Disks
- User Activities (for each user)
  - Bash history
  - Recently changed files
- Log System
  - All kinds of logs
  - SSH, Apache, etc.
- Persistence Mechanism
  - Services
  - Processes
  - Crontab
  - Network connections
- TMP folder backup
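The Users & Groups and Audit-Risk items above are collections of raw files; the added example below (not code from dfir-extractux) shows the checks an analyst typically runs over those files once collected. The functions take the passwd, shadow and sudoers paths as parameters, so the same checks can be pointed at a live system (`/etc/passwd`) or at a mounted disk (`/mnt/evidence/etc/passwd`). The sample files are constructed for the example and do not come from any real system.

```shell
#!/bin/sh
# Added example, not part of dfir-extractux: audit checks over passwd, shadow
# and sudoers files. File paths are parameters so the checks work on a live
# system or on a mounted image.

# Accounts other than root with UID 0 (a common way to hide a backdoor account).
uid0_accounts() {
    # $1 = path to passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: they log in with no password.
# Locked (! or *) and hashed entries are ignored.
empty_password_accounts() {
    # $1 = path to shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a real login shell (not nologin/false), to compare against the
# expected set of interactive users on the host.
login_shell_accounts() {
    # $1 = path to passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Sudoers entries that grant NOPASSWD, ignoring comment lines.
nopasswd_sudoers() {
    # $1 = path to sudoers file
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Run every check against one set of files and print a short report.
# $1 = passwd, $2 = shadow, $3 = sudoers
audit_users() {
    printf '== UID 0 accounts other than root ==\n'; uid0_accounts "$1"
    printf '== accounts with empty password ==\n';   empty_password_accounts "$2"
    printf '== accounts with a login shell ==\n';    login_shell_accounts "$1"
    printf '== NOPASSWD sudoers entries ==\n';       nopasswd_sudoers "$3"
}

# Constructed sample files (not from a real system) so the block runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0::/tmp:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$def:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sample sudoers
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL
svc_backup ALL=(ALL) NOPASSWD: ALL
EOF

audit_users "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/sudoers"
```

On the constructed sample, `svc_backup` is flagged by three of the four checks (UID 0, empty password, NOPASSWD), which is the kind of correlation across the collected files that makes a planted account stand out.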
Run the script with root privileges:

    chmod +x dfir-extractux.sh
    sudo ./dfir-extractux.sh

Display the help menu:

    sudo ./dfir-extractux.sh -h

    Syntax: dfir-extractux.sh [ -h | -l | -d ]
    options:
    -h     Print this help.
    -l     LIVE - Use this option of you are working directly on the system
    -d     DEAD - Use this option of you are working on a mounted disk
LIVE mode (-l): use this option if you are working directly on the live machine being acquired.
The script asks for a destination folder, which can be your USB key or a shared folder, so that all output is saved in a single place.
You can then choose to extract everything or only a specific module.
At the end, all results can be saved inside a password-protected zip file.
If you want to skip this step, press CTRL+C and you will get the plain, unzipped folder.
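The LIVE workflow above (destination folder, per-module collection, optional password-protected zip) is shown below as an added example in POSIX sh; it is not the dfir-extractux script itself. It adds two things a practitioner wants from a collector that the description does not mention: a collection log that records the exit status of every command (so a tool missing from the target is visible instead of silently producing an empty file), and a sha256 manifest of the evidence folder that can be verified later. The `collect_persistence` module, the folder layout and the archive names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the dfir-extractux script: a minimal LIVE-mode collection
# driver with a collection log, a sha256 manifest and optional zip packing.

# Hash helper: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Create the evidence folder <destination>/<hostname>_<UTC timestamp> and print it.
new_case_dir() {
    hn=$(hostname 2>/dev/null || echo unknownhost)
    dir="$1/${hn}_$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir"
    printf '%s\n' "$dir"
}

# Run one command of a module, storing stdout+stderr in <case>/<module>/<name>.txt.
# The exit status goes to collection.log; a missing tool shows up as rc=127.
# $1 = case dir, $2 = module, $3 = output name, rest = command line
run_cmd() {
    case_dir="$1"; module="$2"; name="$3"; shift 3
    mkdir -p "$case_dir/$module"
    out="$case_dir/$module/$name.txt"
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    printf '%s %s/%s rc=%s cmd=%s\n' "$(date -u +%FT%TZ)" "$module" "$name" "$rc" "$*" \
        >> "$case_dir/collection.log"
    return 0
}

# Persistence module: processes, scheduled tasks, services and listening sockets.
collect_persistence() {
    c="$1"
    run_cmd "$c" persistence processes    ps aux
    run_cmd "$c" persistence crontab_root crontab -l
    run_cmd "$c" persistence cron_dirs    ls -laR /etc/cron.d /etc/cron.daily
    run_cmd "$c" persistence services     systemctl list-unit-files --type=service
    run_cmd "$c" persistence sockets      ss -tulpan
}

# Write the sha256 of every collected file (manifest excluded) to MANIFEST.sha256
# and print the number of entries. Paths are stored relative to the case folder.
write_manifest() {
    c="$1"
    : > "$c/MANIFEST.sha256"
    find "$c" -type f ! -name MANIFEST.sha256 | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#"$c"/}" >> "$c/MANIFEST.sha256"
    done
    wc -l < "$c/MANIFEST.sha256" | tr -d ' '
}

# Verify a case folder against its manifest; non-zero on the first mismatch.
verify_manifest() {
    c="$1"
    while read -r sum rel; do
        [ "$(sha256_of "$c/$rel")" = "$sum" ] || return 1
    done < "$c/MANIFEST.sha256"
    return 0
}

# Pack the case folder and print the archive path. A password-protected zip is
# produced when zip is available, otherwise a plain tar.gz (the same result as
# skipping the zip step). Note: -P puts the password on the command line, which
# is visible in the process list; for interactive use prefer zip's -e prompt.
pack_case() {
    c="$1"; pass="$2"
    if command -v zip >/dev/null 2>&1; then
        (cd "$(dirname "$c")" && zip -qr -P "$pass" "$c.zip" "$(basename "$c")")
        printf '%s\n' "$c.zip"
    else
        tar -czf "$c.tar.gz" -C "$(dirname "$c")" "$(basename "$c")"
        printf '%s\n' "$c.tar.gz"
    fi
}

# Usage (as root, USB key mounted at /mnt/usb, a hypothetical path):
#   CASE=$(new_case_dir /mnt/usb)
#   collect_persistence "$CASE"
#   write_manifest "$CASE"
#   pack_case "$CASE" 'choose-a-passphrase'
```

Keep the manifest together with the archive: running `verify_manifest` on an unpacked copy later proves the evidence folder is the one that was collected, which is what makes the "single place" destination useful beyond convenience.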