bash 11 lines · 1 tab

Forensic collection script for volatile host evidence

Kai Nakamura Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail

OUT="/tmp/incident-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"

date -u > "$OUT/time.txt"
ps auxww > "$OUT/processes.txt"
ss -tunap > "$OUT/network.txt"
last -n 50 > "$OUT/logins.txt"
journalctl -n 500 --no-pager > "$OUT/journal.txt"
1 file · bash Explain with highlit

During incidents I want a repeatable evidence collection script that preserves volatile context before a system changes again. Time, network state, processes, and recent logs usually matter immediately. Good collection is quiet, timestamped, and resistant to operator improvisation under stress.

Share this code

Here's the card — post it anywhere.

Forensic collection script for volatile host evidence — share card
Link copied