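#!/bin/bash
# ========================================
# Ubuntu Forensic Artifact Collector Script
# Course: IT 432 – Week 8 Lab
# Description: This script collects at least 20 volatile and non-volatile forensic artifacts
# from an Ubuntu system and saves them into separate files inside a directory.
#
# Usage: ./collector.sh [output_dir]      (default: forensic_artifacts)
#
# Notes for the examiner:
#   - Run as root for complete results: lsof, netstat -p, fdisk -l, dmesg, auth.log and
#     other users' history files are partially or fully hidden from an unprivileged user.
#   - Running anything on the live system changes it (a new process, file writes,
#     access-time updates). The start/end timestamps bracket that window.
#   - Each collector's stderr and exit status go to 00_collection_log.txt, so a missing
#     tool or a permission denial is preserved as evidence instead of being discarded.
#   - A SHA-256 manifest of every artifact is written last (99_sha256_manifest.txt) so the
#     files can be verified after they are moved off the system.
# ========================================

set -u            # an unset variable is a script bug; deliberately NOT -e: one failing
                  # collector must not abort the rest of the collection
umask 077         # artifacts may hold credentials (env, auth.log, history); keep them private

OUTPUT_DIR="${1:-forensic_artifacts}"
mkdir -p -- "$OUTPUT_DIR" || { printf 'cannot create output directory: %s\n' "$OUTPUT_DIR" >&2; exit 1; }
LOG_FILE="$OUTPUT_DIR/00_collection_log.txt"

#######################################
# Run one collector and save its stdout as an artifact.
# Globals:   OUTPUT_DIR (read), LOG_FILE (appended)
# Arguments: $1   - artifact file name inside OUTPUT_DIR
#            $2.. - command (external tool or shell function) and its arguments
# Outputs:   command stdout -> OUTPUT_DIR/$1; stderr and exit status -> LOG_FILE
# Returns:   the command's exit status; 127 if the tool is not installed
#            (the artifact file is then not created, so a fallback tool can be tried)
#######################################
collect() {
  local artifact="$OUTPUT_DIR/$1"
  shift
  local tool=$1
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '%s: %s not installed\n' "${artifact##*/}" "$tool" >>"$LOG_FILE"
    return 127
  fi
  local status=0
  "$@" >"$artifact" 2>>"$LOG_FILE" || status=$?
  printf '%s: %s (exit %d)\n' "${artifact##*/}" "$*" "$status" >>"$LOG_FILE"
  return "$status"
}

#######################################
# Dump saved shell history files.
# The `history` builtin is empty inside a non-interactive script (no history list is
# loaded), so the on-disk files are read instead. Bash writes its history on exit, so a
# still-open interactive session may not have flushed its latest commands yet.
# Globals:   EUID, HOME (read)
# Outputs:   each readable history file, preceded by a header naming it
#######################################
collect_history() {
  local f
  local -a history_files=("${HOME:-}/.bash_history")
  if (( EUID == 0 )); then
    history_files=(/root/.bash_history /home/*/.bash_history)
  fi
  for f in "${history_files[@]}"; do
    if [[ ! -r "$f" ]]; then
      printf 'history file unreadable or missing: %s\n' "$f" >&2
      continue
    fi
    printf '===== %s =====\n' "$f"
    cat -- "$f"
  done
}

#######################################
# Dump scheduled tasks: the invoking user's crontab plus the system-wide cron locations
# that `crontab -l` alone does not show.
# Globals:   EUID (read)
# Outputs:   crontab contents and directory listings, each preceded by a header
#######################################
collect_cron() {
  printf '===== crontab -l (%s) =====\n' "$(id -un)"
  crontab -l
  printf '===== /etc/crontab =====\n'
  cat /etc/crontab
  printf '===== /etc/cron.d cron.hourly cron.daily cron.weekly cron.monthly =====\n'
  ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
  if (( EUID == 0 )); then
    printf '===== /var/spool/cron/crontabs =====\n'
    ls -la /var/spool/cron/crontabs
  fi
}

#######################################
# Hash every artifact except the collection log (still being appended) and the manifest.
# Globals:   OUTPUT_DIR (read)
# Outputs:   sha256sum lines with file names relative to OUTPUT_DIR
#######################################
write_manifest() {
  local f
  (
    cd -- "$OUTPUT_DIR" || exit 1
    for f in *.txt; do
      case $f in
        00_*|99_*) continue ;;
      esac
      sha256sum -- "$f"
    done
  )
}

if (( EUID != 0 )); then
  printf 'warning: not running as root; several artifacts will be incomplete\n' >&2
  printf 'warning: not running as root; several artifacts will be incomplete\n' >>"$LOG_FILE"
fi

# -------------------------------
# 1. Collect Script Start Date & Time
# -------------------------------
# Captures the timestamp at the start of collection, with a numeric UTC offset so it
# is unambiguous when correlated with other sources
collect 01_script_start_time.txt date --rfc-3339=seconds

# -------------------------------
# 2. Current System Date & Time
# -------------------------------
# Redundant but required for specific artifact
collect 02_system_date_time.txt date

# -------------------------------
# 3. IP Address Information
# -------------------------------
# Shows IP configuration for all network interfaces
collect 03_ip_address.txt ip addr show

# -------------------------------
# 4. ARP Cache
# -------------------------------
# Lists current ARP table entries; net-tools (arp) is often absent on Ubuntu,
# so fall back to the iproute2 equivalent
collect 04_arp_cache.txt arp -a || collect 04_arp_cache.txt ip neigh show

# -------------------------------
# 5. Routing Table
# -------------------------------
# Displays kernel IP routing table (iproute2 fallback as above)
collect 05_routing_table.txt netstat -rn || collect 05_routing_table.txt ip route show

# -------------------------------
# 6. Running Processes
# -------------------------------
# Lists all running processes with full format
collect 06_running_processes.txt ps -ef

# -------------------------------
# 7. Running Services
# -------------------------------
# Lists systemd service units (the original `ps -au` listed processes, not services);
# falls back to SysV `service --status-all` on systems without systemctl
collect 07_running_services.txt systemctl list-units --type=service --all --no-pager \
  || collect 07_running_services.txt service --status-all

# -------------------------------
# 8. Open Files
# -------------------------------
# Lists open files by all users/processes (only own processes when not root)
collect 08_open_files.txt lsof -n

# -------------------------------
# 9. Open Ports
# -------------------------------
# Displays all active network connections; `ss` replaces netstat when net-tools is absent
collect 09_open_ports.txt netstat -anp || collect 09_open_ports.txt ss -anp

# -------------------------------
# 10. Logged On Users
# -------------------------------
# Shows who is currently logged into the system
collect 10_logged_on_users.txt w

# -------------------------------
# 11. Command History
# -------------------------------
# Saved history files (see collect_history for why the builtin is not used)
collect 11_command_history.txt collect_history

# -------------------------------
# 12. Connected Devices (USB)
# -------------------------------
# Lists USB devices connected to the system
collect 12_connected_usb_devices.txt lsusb

# -------------------------------
# 13. Time Zone Settings
# -------------------------------
# Shows system time zone configuration
collect 13_time_zone_info.txt timedatectl

# -------------------------------
# 14. User Accounts
# -------------------------------
# Lists all user accounts from the passwd file
collect 14_user_accounts.txt cat /etc/passwd

# -------------------------------
# 15. Scheduled Tasks (Cron Jobs)
# -------------------------------
# User crontab plus system cron locations (see collect_cron)
collect 15_scheduled_tasks.txt collect_cron

# -------------------------------
# 16. Directory Listings
# -------------------------------
# Recursively lists all files and directories under /home with access times
collect 16_directory_listings.txt ls -alRu /home

# -------------------------------
# 17. System Configuration (CPU Info)
# -------------------------------
# Displays CPU architecture and configuration
collect 17_cpu_info.txt lscpu

# -------------------------------
# 18. Environment Variables
# -------------------------------
# Lists all environment variables of this script's process (may contain secrets;
# the output directory is created with umask 077 for that reason)
collect 18_environment_variables.txt env

# -------------------------------
# 19. OS and Kernel Information
# -------------------------------
# Displays OS type and kernel version
collect 19_os_kernel_info.txt uname -a

# -------------------------------
# 20. System Logs – syslog
# -------------------------------
# Shows general system log; newer Ubuntu releases may have no /var/log/syslog,
# so fall back to the journal
collect 20_syslog.txt cat /var/log/syslog || collect 20_syslog.txt journalctl --no-pager -o short-iso

# -------------------------------
# 21. System Logs – auth.log
# -------------------------------
# Displays authentication events; journal fallback selects the auth (4) and
# authpriv (10) syslog facilities
collect 21_auth_log.txt cat /var/log/auth.log \
  || collect 21_auth_log.txt journalctl --no-pager -o short-iso SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

# -------------------------------
# 22. System Logs – dmesg (Kernel Ring Buffer)
# -------------------------------
# Shows boot-time and hardware info from kernel; dmesg is denied to non-root when
# kernel.dmesg_restrict=1, so fall back to the kernel journal
collect 22_dmesg_log.txt dmesg || collect 22_dmesg_log.txt journalctl -k --no-pager -o short-iso

# -------------------------------
# 23. Login History
# -------------------------------
# Lists successful user logins
collect 23_login_history.txt last

# -------------------------------
# 24. Loaded Kernel Modules
# -------------------------------
# Lists all kernel modules currently loaded
collect 24_loaded_kernel_modules.txt lsmod

# -------------------------------
# 25. Filesystem Information
# -------------------------------
# Shows all mounted filesystems
collect 25_filesystem_info.txt mount

# -------------------------------
# 26. Disk Partition Info
# -------------------------------
# Displays disk partitions and sizes (root required for full output)
collect 26_disk_partition_info.txt fdisk -l

# -------------------------------
# 27. Trash / Recycle Bin
# -------------------------------
# Lists files in user's trash
collect 27_trash_contents.txt gio list trash:///

# -------------------------------
# 28. Collect Script End Date & Time
# -------------------------------
# Captures the timestamp at the end of collection
collect 28_script_end_time.txt date --rfc-3339=seconds

# -------------------------------
# Integrity Manifest
# -------------------------------
# SHA-256 of every artifact above, for verification after transfer
collect 99_sha256_manifest.txt write_manifest

# -------------------------------
# Completion Message
# -------------------------------
printf '%s\n' "✔️ Artifact collection complete."
printf '%s\n' "📁 All data saved to: $OUTPUT_DIR"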