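#!/bin/bash

# This is a quick hack for demonstration purpose only. It needs
# to be adapted to your environment. This script works on Linux.
# YMMV elsewhere.
#
# Volatile data (processes, open files, sockets, modules) is collected
# first and streamed straight to the collection host over ssh, so nothing
# is written to the disk of the machine under investigation. Every command
# below is the local host's own binary; on a host suspected of running a
# rootkit, prefer statically linked known-good tools on read-only media,
# placed first in PATH, before running this.
#
# Environment (all optional, defaults match the original hard-coded values):
#   REM_HOST  collection host (default 192.168.27.23)
#   REM_USER  ssh account on the collection host (default forensics)
#   REM_DIR   directory on the collection host receiving the evidence
#             (default /var/tmp/incidents)
#
# No "set -e": collection is best effort. A tool that is missing or fails
# (e.g. lastcomm without process accounting) must not stop the remaining
# steps; an empty or partial file on the collection host is the record of
# that failure.

rem_host="${REM_HOST:-192.168.27.23}"
rem_user="${REM_USER:-forensics}"
rem_dir="${REM_DIR:-/var/tmp/incidents}"

#######################################
# Run a command on the collection host. stdin is forwarded, so callers
# pipe evidence into it. Only the fixed command strings written in this
# script reach the remote shell; collected data is never interpreted.
# Arguments: $@ - command string(s) passed to ssh
#######################################
remote() {
  ssh "${rem_user}@${rem_host}" "$@"
}

#######################################
# Stream stdin into a file under ${rem_dir} on the collection host.
# Arguments: $1 - file name relative to ${rem_dir}
#######################################
save_as() {
  remote "dd of=${rem_dir}/$1"
}

# Make sure the destination exists; mkdir -p is a no-op if it already does.
# </dev/null keeps ssh from swallowing the script's own stdin.
remote "mkdir -p ${rem_dir}" </dev/null

# get uname -a, uptime, and Debian or RedHat version info
# (the original echo/backtick one-liner lacked line continuations and the
# "| ssh" stage never ran; a command group gives one line per item)
{
  uname -a
  uptime
  if [[ -s /etc/debian_version ]]; then
    printf 'Debian %s\n' "$(cat /etc/debian_version)"
  else
    cat /etc/redhat-release
  fi
} | save_as sysinfo

# save process information
ps auwwx | save_as processes_bsd
ps -eflyc | save_as processes_sysv

# save list of open files
lsof | save_as lsof

# save networking information
netstat -A INET -anv | save_as netstat_infos
lsof -Pni | save_as lsofnet_infos

# save loaded modules
# use modinfo on Solaris, modstat on OpenBSD
lsmod | save_as modules

# wtmp info from last
# snagging /var/log/[wu]tmp* might not be a bad idea
last | save_as last

# info from process accounting
# snagging /var/account/* might not be a bad idea
# lastcomm is used here, dump-acct can work too
# system accounting (sar) if enabled can be useful too. files are usually in
#   /var/log/sysstat
# (written to its own file: it used to overwrite the output of 'last' above)
lastcomm | save_as lastcomm

# save /etc and logs
tar cvjf - /etc /var/log/* | save_as files_and_logs.tar.bz2

# use mount to determine currently mounted drives to image. This might need
#  tweaking depending on your system, so that it only picks up the drives you want.
#  Is compressing with bzip2 ok for forensics in your world? Since you're applying
#  a transform before taking an md5sum, it's possible it could cause an issue. Consult
#  LE or Legal. Nothing here hashes the raw stream; hash the received
#  .raw.bz2 and the decompressed image on the collection host and record both.
#
#  This doesn't handle swap if swap lives on a drive that isn't in the list that
#  mount generates. Use 'swapon -s'.
#
#  bzip2 can run on whichever machine is faster, or it can be used before the
#   data goes over the network. If your network is fast enough, bziping on the remote
#   host is a good idea to conserve space. Software compression can take more time than
#   it takes to move uncompressed data across a network, if the network is fast enough.
#   In these situations compress only if you're worried about space, or compress after
#   the transfer is done.
#
#  The sed below strips a trailing partition number (sda1 -> sda). Devices
#   such as nvme0n1p2 or mmcblk0p1 need a different rule -- adjust for your
#   system before trusting the device list.
mapfile -t drives < <(
  mount | grep '^/dev.* (rw' | awk '{print $1}' | sed 's/[0-9]*$//' | sort -u
)
for drive in "${drives[@]}"; do
  drive_name=${drive##*/}
  dd if="${drive}" | remote "bzip2 -9c | dd of=${rem_dir}/${drive_name}.raw.bz2"
done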
