Forensic collection script for volatile host evidence

7552 views

                  #!/usr/bin/env bash
set -euo pipefail

OUT="/tmp/incident-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"

date -u > "$OUT/time.txt"
ps auxww > "$OUT/processes.txt"
ss -tunap > "$OUT/network.txt"
last -n 50 > "$OUT/logins.txt"
journalctl -n 500 --no-pager > "$OUT/journal.txt"

During incidents I want a repeatable evidence collection script that preserves volatile context before a system changes again. Time, network state, processes, and recent logs usually matter immediately. Good collection is quiet, timestamped, and resistant to operator improvisation under stress.

Kai Nakamura

More from Kai Nakamura

Forensic collection script for volatile host evidence

0 Comments

More from Kai Nakamura