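#!/bin/bash
# ========================================
# Ubuntu Forensic Artifact Collector Script
# Course: IT 432 – Week 8 Lab
# Description: Collects volatile and non-volatile forensic artifacts from an
# Ubuntu system and saves each one into its own file inside a directory.
#
# Usage:  sudo ./collector.sh [OUTPUT_DIR]
#         OUTPUT_DIR defaults to ./forensic_artifacts (the original behaviour).
#         Where possible point it at mounted evidence media: writing evidence
#         onto the subject's own disk overwrites unallocated space that a later
#         file-carving pass might have recovered.
#
# Notes for the examiner:
#   - Run as root. Unprivileged runs lose data quietly: lsof/ss show only your
#     own processes and sockets, and auth.log, fdisk, lastb and (with
#     kernel.dmesg_restrict=1) dmesg are denied. The privilege level is written
#     to 00_collector_info.txt so the gap is documented rather than guessed at.
#   - Volatile state (network, processes, logged-on users) is captured first,
#     before the slower non-volatile walks (logs, /home listing), following the
#     order of volatility.
#   - Each command's stderr and exit status go to 00_collection_log.txt, so a
#     missing tool or permission denial leaves a recorded reason instead of a
#     silently empty artifact file.
#   - SHA256SUMS.txt is written last and covers every *.txt artifact. Record
#     its hash on the chain-of-custody form immediately after collection.
#   - Artifact numbering and file names match the original lab script so that
#     existing instructions and grading references still apply; 00_* and 29_*
#     are additions.
# ========================================
set -uo pipefail   # deliberately no -e: one missing tool must not abort the run

# -------------------------------
# Output directory and collection log
# -------------------------------
OUTPUT_DIR="${1:-forensic_artifacts}"
mkdir -p -- "$OUTPUT_DIR" || { printf 'cannot create %s\n' "$OUTPUT_DIR" >&2; exit 1; }
LOG="$OUTPUT_DIR/00_collection_log.txt"

#######################################
# Run a command (or shell function) and store its stdout as one artifact.
# Arguments: $1 - artifact file name, relative to OUTPUT_DIR
#            $@ - command and its arguments
# Outputs:   command stdout -> OUTPUT_DIR/$1; stderr and exit status -> LOG
# Returns:   the command's exit status
#######################################
collect() {
  local artifact=$1
  shift
  printf '[%s] %s -> %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" "$artifact" >> "$LOG"
  "$@" > "$OUTPUT_DIR/$artifact" 2>> "$LOG"
  local rc=$?
  if (( rc != 0 )); then
    printf '    exit status %d - artifact may be empty or partial\n' "$rc" >> "$LOG"
  fi
  return "$rc"
}

# True when a tool is installed (net-tools: arp/netstat are no longer default on Ubuntu).
have() { command -v "$1" >/dev/null 2>&1; }

# Home directories of every account in /etc/passwd (covers /root and non-/home homes).
home_dirs() { awk -F: '{ print $6 }' /etc/passwd | sort -u; }

# Local time with numeric UTC offset plus UTC. Bare zone abbreviations
# (CST, IST, ...) are ambiguous between regions, so both forms are kept.
timestamp() {
  date '+%Y-%m-%d %H:%M:%S %z (%Z)'
  date -u '+%Y-%m-%dT%H:%M:%SZ (UTC)'
}

# Who collected, on which host, with which privileges.
collector_identity() {
  printf 'hostname:   %s\n' "$(hostname)"
  printf 'collector:  %s\n' "$(id)"
  printf 'script:     %s\n' "$0"
  printf 'output dir: %s\n' "$OUTPUT_DIR"
  if (( EUID != 0 )); then
    printf 'WARNING: not running as root; process, socket, log and disk artifacts will be incomplete\n'
  fi
}

# Prefer iproute2/ss; fall back to net-tools only where that is all the host has.
arp_cache()     { if have ip; then ip neigh show; else arp -a; fi; }
routing_table() { if have ip; then ip route show; ip -6 route show; else netstat -rn; fi; }
open_ports()    { if have ss; then ss -anp; else netstat -anp; fi; }

# The original used `ps -au` here, which lists processes, not services.
running_services() {
  if have systemctl; then
    systemctl list-units --type=service --all --no-pager
  else
    service --status-all
  fi
}

# `history` is empty inside a non-interactive script, so read the history
# files of every account instead. bash only writes .bash_history when an
# interactive shell exits: commands from sessions still open (compare
# 10_logged_on_users.txt) are not in these files.
shell_history() {
  local home f
  while IFS= read -r home; do
    for f in "$home/.bash_history" "$home/.zsh_history"; do
      [[ -f "$f" ]] || continue
      printf '===== %s =====\n' "$f"
      cat -- "$f"
      printf '\n'
    done
  done < <(home_dirs)
}

# System-wide persistence, not just the collector's own crontab.
scheduled_tasks() {
  local f d
  printf '===== crontab -l (%s) =====\n' "$(id -un)"
  crontab -l 2>&1   # "no crontab for ..." is itself a useful record
  for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
    [[ -f "$f" ]] || continue
    printf '===== %s =====\n' "$f"
    cat -- "$f"
  done
  for d in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
    [[ -d "$d" ]] || continue
    printf '===== %s =====\n' "$d"
    ls -la --time-style=full-iso -- "$d"
  done
  if have systemctl; then
    printf '===== systemd timers =====\n'
    systemctl list-timers --all --no-pager
  fi
  if have atq; then
    printf '===== at queue =====\n'
    atq
  fi
}

# Current log plus rotated copies; zcat -f passes uncompressed files through.
# Each file gets a header so ordering across rotations stays unambiguous.
# Ubuntu 24.04+ ships without rsyslog, so fall back to the journal.
system_log() {
  local f
  if compgen -G '/var/log/syslog*' >/dev/null; then
    for f in /var/log/syslog*; do
      printf '===== %s =====\n' "$f"
      zcat -f -- "$f"
    done
  elif have journalctl; then
    journalctl --no-pager -o short-iso
  else
    printf 'no /var/log/syslog* and no journalctl\n' >&2
    return 1
  fi
}

# auth.log, or the journal's auth (4) and authpriv (10) facilities.
auth_log() {
  local f
  if compgen -G '/var/log/auth.log*' >/dev/null; then
    for f in /var/log/auth.log*; do
      printf '===== %s =====\n' "$f"
      zcat -f -- "$f"
    done
  elif have journalctl; then
    journalctl --no-pager -o short-iso SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
  else
    printf 'no /var/log/auth.log* and no journalctl\n' >&2
    return 1
  fi
}

# lsblk works unprivileged and records UUIDs/serials; fdisk -l needs root.
disk_partitions() {
  if have lsblk; then
    lsblk -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT,UUID,SERIAL
    printf '\n'
  fi
  fdisk -l
}

# Trash of the collector's session (gio) plus every account's Trash directory.
trash_contents() {
  local home
  if have gio; then
    printf '===== gio list trash:/// (%s) =====\n' "$(id -un)"
    gio list trash:///
  fi
  while IFS= read -r home; do
    [[ -d "$home/.local/share/Trash" ]] || continue
    printf '===== %s/.local/share/Trash =====\n' "$home"
    ls -alR --time-style=full-iso -- "$home/.local/share/Trash"
  done < <(home_dirs)
}

# -------------------------------
# Collection, most volatile first
# -------------------------------
collect 00_collector_info.txt         collector_identity
# 1. Script start time
collect 01_script_start_time.txt      timestamp
# 2. System date/time (redundant but required as a separate artifact)
collect 02_system_date_time.txt       timestamp
# 3. IP configuration of all interfaces
collect 03_ip_address.txt             ip addr show
# 4. ARP / neighbour cache
collect 04_arp_cache.txt              arp_cache
# 5. IPv4 and IPv6 routing tables
collect 05_routing_table.txt          routing_table
# 6. All processes, full format
collect 06_running_processes.txt      ps -ef
# 7. Services (systemd units)
collect 07_running_services.txt       running_services
# 8. Open files; -P keeps ports numeric so nothing depends on /etc/services
collect 08_open_files.txt             lsof -n -P
# 9. Sockets and owning processes
collect 09_open_ports.txt             open_ports
# 10. Logged-on users
collect 10_logged_on_users.txt        w
# 11. Shell history files of all accounts
collect 11_command_history.txt        shell_history
# 12. USB devices
collect 12_connected_usb_devices.txt  lsusb
# 13. Time zone / clock configuration
collect 13_time_zone_info.txt         timedatectl
# 14. Local accounts
collect 14_user_accounts.txt          cat /etc/passwd
# 15. Cron, systemd timers, at
collect 15_scheduled_tasks.txt        scheduled_tasks
# 16. Recursive /home listing. -u shows access time as the original did; with
#     the default relatime mount option atime is only refreshed when older than
#     mtime/ctime or than one day, so read it as a lower bound on last access.
collect 16_directory_listings.txt     ls -alRu --time-style=full-iso /home
# 17. CPU
collect 17_cpu_info.txt               lscpu
# 18. Environment of the collector's own shell. This may contain secrets the
#     examiner exported (tokens, passphrases) and is not the subject users'
#     environment; per-process environments live in /proc/PID/environ (root).
collect 18_environment_variables.txt  env
# 19. OS / kernel
collect 19_os_kernel_info.txt         uname -a
# 20. syslog (+ rotations) or journal
collect 20_syslog.txt                 system_log
# 21. auth.log (+ rotations) or journal auth facilities
collect 21_auth_log.txt               auth_log
# 22. Kernel ring buffer (may be denied unprivileged; reason lands in the log)
collect 22_dmesg_log.txt              dmesg
# 23. Login history with full timestamps and shutdown/runlevel records
collect 23_login_history.txt          last -Fwx
# 24. Loaded kernel modules
collect 24_loaded_kernel_modules.txt  lsmod
# 25. Mounted filesystems
collect 25_filesystem_info.txt        mount
# 26. Block devices and partitions
collect 26_disk_partition_info.txt    disk_partitions
# 27. Trash
collect 27_trash_contents.txt         trash_contents
# 29. Failed logins (btmp; root only)
collect 29_failed_logins.txt          lastb -Fw
# 28. Script end time - last artifact so it bounds the whole collection window
collect 28_script_end_time.txt        timestamp

# -------------------------------
# Integrity: hash every artifact after the last write so later corruption or
# tampering is detectable. Nothing appends to the log after this point.
# -------------------------------
( cd -- "$OUTPUT_DIR" && sha256sum -- *.txt > SHA256SUMS.txt )

# -------------------------------
# Completion Message
# -------------------------------
echo "✔️ Artifact collection complete."
echo "📁 All data saved to: $OUTPUT_DIR"
echo "🔒 Hashes written to: $OUTPUT_DIR/SHA256SUMS.txt (record this on the custody form)"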