{"id":13773623,"url":"https://github.com/op7ic/unix_collector","last_synced_at":"2025-05-11T05:35:01.061Z","repository":{"id":43190961,"uuid":"468045607","full_name":"op7ic/unix_collector","owner":"op7ic","description":"unix_collector is a live response collection script for Incident Response on UNIX-like systems using native binaries.","archived":false,"fork":false,"pushed_at":"2023-06-23T21:07:30.000Z","size":236,"stargazers_count":24,"open_issues_count":4,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-02-14T19:32:21.967Z","etag":null,"topics":["blueteam","computer-forensics","dfir","dfir-automation","forensic-analysis","forensics","freebsd","linux","live-response","openbsd","posix","script","shell","solaris","unix"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/op7ic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-03-09T18:23:37.000Z","updated_at":"2024-01-11T06:15:42.000Z","dependencies_parsed_at":"2024-01-13T10:13:01.215Z","dependency_job_id":"2e61a128-89a0-463c-b790-9b2d3b64a453","html_url":"https://github.com/op7ic/unix_collector","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/op7ic%2Funix_collector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/op7ic%2Funix_collector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/op7ic%2Funix_collector/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/op7ic%2Funix_collector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/op7ic","download_url":"https://codeload.github.com/op7ic/unix_collector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253523688,"owners_count":21921815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blueteam","computer-forensics","dfir","dfir-automation","forensic-analysis","forensics","freebsd","linux","live-response","openbsd","posix","script","shell","solaris","unix"],"created_at":"2024-08-03T17:01:18.133Z","updated_at":"2025-05-11T05:34:56.037Z","avatar_url":"https://github.com/op7ic.png","language":"Shell","funding_links":[],"categories":["Tools"],"sub_categories":["Acquisition"],"readme":"# unix_collector\n\nA shell script for basic forensic collection of various artefacts from UNIX systems. ```unix_collector``` is a script that runs on various Unix systems and attempts to collect artefacts which could be analysed in attempt to identify potential system compromise. ```unix_collector``` is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root. 
It does a better job when running as root because it can, of course, read more files.\n\n\n[![Imgur](https://i.imgur.com/6xMcGIg.gif)](#)\n\n# Available platforms\n\n* Sun Solaris\n* Linux\n* IBM AIX\n* HP-UX\n* macOS\n* Debian\n* Ubuntu\n* CentOS\n* Red Hat\n* Android\n* VMware ESXi\n* FreeBSD\n* NetScaler\n* OpenBSD\n* Any IoT platform that is based on Linux/Unix\n* Probably others as well.\n\n# Features\n\n* Runs everything from a single script\n* No installation or external libraries needed\n* Enumerate basic host information such as kernel version, processes and hostname, and save details in output directory.\n* Enumerate files written to the disk and create a basic timeline using the 'stat' command.\n* Enumerate network information and save details in output directory.\n* Enumerate patch and installed software information and save details in output directory.\n* Enumerate process list and other process information and save details in output directory.\n* Enumerate application lists (plist/apk for iOS/Android) and save them in output directory.\n* Enumerate virtual controller information (ESXi, VMBox, VIRT) and save details in output directory.\n* Hash files in various folders such as /home/ /opt/ /usr/ and save details in output directory.\n* Hash files which are marked as SGID or SUID and save details in output directory.\n* Copy various files such as cron jobs, plists or other files into output directory.\n* Copy SUID/SGID binaries into output directory.\n* Copy home and tmp directories into output directory.\n* Copy specific /proc/ files into output directory.\n* Copy system logs (i.e. /var/log or /var/adm/) into output directory.\n* Copy /dev/shm into output directory.\n* Gather information about containers.\n* Where a copy or hashing operation happens, files over 500MB will be skipped. 
This default behaviour can be modified inside the script by changing the RSYNC_MAX_FILESIZE, TAR_MAX_FILESIZE and HASH_MAX_FILESIZE global variables.\n* TAR the entire output directory, naming the archive with the hostname and the current date.\n\n# Requirements\n\n* Enough space on the disk so logs and other files can be copied into a single location (alternatively, run from a mounted disk or network partition).\n* sh\n\n# Examples\n\nExecute ```unix_collector``` without specifying any operating system version (the script will guess the OS type):\n\n```chmod +x ./unix_collector.sh \u0026\u0026 ./unix_collector.sh```\n\nExecute ```unix_collector``` on AIX while specifying the platform:\n\n```chmod +x ./unix_collector.sh \u0026\u0026 ./unix_collector.sh --platform=aix```\n\nExecute ```unix_collector``` on macOS while specifying the platform:\n\n```chmod +x ./unix_collector.sh \u0026\u0026 ./unix_collector.sh --platform=mac```\n\n# Sample Output\n```\n\n  _   _ _   _ _____  __   ____ ___  _     _     _____ ____ _____ ___  ____\n | | | | \\ | |_ _\\ \\/ /  / ___/ _ \\| |   | |   | ____/ ___|_   _/ _ \\|  _ \\\n | | | |  \\| || | \\  /  | |  | | | | |   | |   |  _|| |     | || | | | |_) |\n | |_| | |\\  || | /  \\  | |__| |_| | |___| |___| |__| |___  | || |_| |  _ \u003c\n  \\___/|_| \\_|___/_/\\_\\  \\____\\___/|_____|_____|_____\\____| |_| \\___/|_| \\_\\\n\nA live forensic collection script for UNIX-like systems. 
Version: 1.7 by op7ic\n\n\nPLATFORM: GNU/Linux\n\nBASIC INFORMATION [0%  ]:\n  \u003e UNIX Collector\n  \u003e UNIX Collector Date\n  \u003e UNIX Collector User\n  \u003e UNIX Collector Platform\nGENERAL INFORMATION [15%  ]:\n  \u003e Hostname\n  \u003e Kernel\n  \u003e Version\n  \u003e Check for tainted kernel\n  \u003e SSH settings\n  \u003e File timeline\n  \u003e Release\n  \u003e Kerberos ticket list\n  \u003e Full OS Info\n  \u003e Process list\n  \u003e Cron and other scheduler files\n  \u003e Kernel Modules\n  \u003e At scheduler\n  \u003e Kernel settings\n  \u003e Environment\n  \u003e ulimit\n  \u003e Auditd\n  \u003e spool files\nINSTALLED SOFTWARE AND PATCHES [25% ]:\n  \u003e Installed software (this could take a few mins)\n  \u003e Installed patches\n  \u003e Compiler tools (NFS skip)\nLOG, HOME and PROC FILE COLLECTION [50% ]:\n  \u003e Copying logs\n  \u003e Copying home dirs\n  \u003e Copying proc dirs\n  \u003e Copying /tmp/ and /var/tmp/ dirs where possible\nSUID/SGID SEARCH [60% ]:\n  \u003e Finding all SUID/SGID binaries\nHASH BINARIES [65% ]:\n  \u003e Hashing all SUID/SGID binaries\n  \u003e Hashing all HOME dirs\n  \u003e Hashing all /bin/ /sbin/ /usr/ /opt/ /tmp/ dirs\nNETWORK INFORMATION [90% ]:\n  \u003e Interface configuration\n  \u003e IP addr\n  \u003e IP forwarding\n  \u003e Routing\n  \u003e Netstat\n  \u003e ARP cache\n  \u003e Hosts\n  \u003e DNS\n  \u003e TCP wrappers\n  \u003e RPC\n  \u003e IP Tables\n  \u003e IP Tables (IPv6)\nFINISHING [100%]:\n  \u003e Removing empty files\n  \u003e Removing oversize file list\n  \u003e Creating TAR file\n  \u003e Removing temporary directory\n```\n\n# License\n\nThe unix_collector project uses the [GNU General Public License v3.0](LICENSE) software 
license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fop7ic%2Funix_collector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fop7ic%2Funix_collector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fop7ic%2Funix_collector/lists"}