A script with a workflow straight from the BTFM, for performing triage/autopsy on a compromised system.
Linux-Live-Triage

A script with a workflow straight from the BTFM.

Performs triage/autopsy using mostly built-in utilities on a Linux-based system and writes the collected information to separate log files, one per information type:

  • autorun-info.log
    • Lists system-wide cron jobs
    • Lists files in the /etc/init.d directory
  • chkrootkit.log
    • Runs the chkrootkit command (must be installed)
  • file-info.log
    • Lists files/folders in the root directory
    • Lists all files over 100MB
    • Lists mounted drives
  • net-info.log
    • Lists processes that are listening
    • Shows the routing table
    • Shows the contents of /etc/hosts
    • Shows the ARP table
  • service-info.log
    • Lists running services
    • Lists loaded modules
    • Lists files that are open locally
    • Lists files that are open over the network
    • Lists unlinked processes
  • sys-info.log
    • Shows the server hostname
    • Records the current time on the server
    • Records the server uptime
  • user-info.log
    • Shows users that are currently logged in
    • Shows users that have logged in remotely
    • Shows failed logins
    • Shows the /etc/passwd file
    • Shows the /etc/group and /etc/sudoers files
    • Shows accounts with uid 0
    • Shows root's authorized SSH keys
    • Shows the root user's .bash_history file
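The following is an added example, not the project's triage.sh: a minimal version of the same "one log file per information type" pattern, covering the sys-info and part of the user-info collection. Everything here is an assumption of this example (POSIX sh, awk and coreutils available; the OUTDIR variable and function names are invented); the uid 0 and authorized-keys helpers take a file path so they can be run against a copied file as well as the live one.

```shell
#!/bin/sh
# Added example (not the project's triage.sh): log each information type to
# its own file. Assumes POSIX sh, awk, coreutils; OUTDIR and the function
# names are ours.

OUTDIR="${OUTDIR:-./triage-logs}"

# Append one command's output to LOGFILE under a timestamped header.
# A missing tool (e.g. lsof not installed) is recorded, not fatal, so the
# rest of the collection still runs.
log_section() {
    logfile="$1"; title="$2"; shift 2
    mkdir -p "$OUTDIR"
    {
        printf '===== %s (%s) =====\n' "$title" "$(date -u +%FT%TZ)"
        if "$@" 2>&1; then :; else printf '[command failed or missing: %s]\n' "$*"; fi
        printf '\n'
    } >> "$OUTDIR/$logfile"
}

# The README's "accounts with uid 0" check over a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Root's authorized SSH keys: record key type and comment only, so the log
# shows which keys are trusted without copying the key material itself.
# Assumes plain "type key comment" lines (no option prefixes).
authorized_key_summary() {
    [ -r "$1" ] || { printf '[no readable %s]\n' "$1"; return 0; }
    awk '!/^#/ && NF >= 2 { print $1, ($3 != "" ? $3 : "(no comment)") }' "$1"
}

collect_sys_info() {
    log_section sys-info.log "Hostname"      hostname
    log_section sys-info.log "Current time"  date -u
    log_section sys-info.log "Uptime"        uptime
}

collect_user_info() {
    log_section user-info.log "Logged-in users"      who
    log_section user-info.log "Accounts with uid 0"  uid0_accounts /etc/passwd
    log_section user-info.log "Root authorized keys" authorized_key_summary /root/.ssh/authorized_keys
}

# Collect only when invoked as "./script --run", so the functions can also be
# sourced and exercised individually.
[ "${1:-}" = "--run" ] && { collect_sys_info; collect_user_info; echo "Logs in $OUTDIR"; }
```

Run it as root (sudo ./script --run) so /root/.ssh/authorized_keys and the other root-only sources are readable; any section whose tool is absent is noted in the log rather than silently skipped.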

If you like this script consider starring this repo.

Requirements:

Be sure to install the lsof and chkrootkit commands through an available package manager (apt, pacman, yay, etc.).

Using apt: sudo apt install lsof chkrootkit

Usage:

Pull this repo: git clone https://github.com/Codex-Major/Linux-Live-Triage

Make the script executable: cd Linux-Live-Triage; sudo chmod +x ./triage.sh

Run the script: sudo ./triage.sh
