first commit

2025-11-10 14:20:27 -06:00
commit cd3cea12be
4 changed files with 585 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,36 @@
+# SneakySleuth
+## “Be the sleuth — gather facts from remote Linux hosts.”
+Collect forensic artifacts from a remote Linux host (Debian/RHEL aware) via SSH/SFTP.
+
+Features:
+- SSH auth via private key or password
+- SFTP file download and remote command capture (stdout -> files)
+- Optional sudo support (provide sudo password or require key-based sudo)
+- Default artifact lists for Debian-style and RHEL-style systems (easily extended)
+- Creates a local case directory like: ./case_123_20251110T1320Z/
+- Writes a manifest.json and checksums.sha256 for integrity and audit
+- Detailed logging
+
+Requirements:
+- Python 3.8+
+- Paramiko (`pip install paramiko`)
+- (optional) colorama for nicer console coloring, but not required
+
+NOTES & CAUTION:
+- Some artifacts (e.g., /etc/shadow) are extremely sensitive. Only collect when permitted.
+- Sudo password is sent only over the SSH channel to the remote host (not stored).
+
+## Examples:
+```bash
+# Basic SSH Key based 
+python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user ubuntu --key ~/.ssh/id_rsa
+
+# Prompt for Password
+python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user admin --password --sudo
+
+# collect an extra file and run an extra command ad-hoc
+python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --extra-file /etc/hosts --extra-cmd "ss -tunap"
+
+# collect sensitive files (/etc/shadow etc...)
+python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --collect-sensitive
+```