# SneakySleuth

## “Be the sleuth — gather facts from remote Linux hosts.”

Collect forensic artifacts from a remote Linux host (Debian/RHEL aware) via SSH/SFTP.

## Features

- SSH auth via private key or password
- SFTP file download and remote command capture (stdout -> files)
- Optional sudo support (provide sudo password or require key-based sudo)
- Default artifact lists for Debian-style and RHEL-style systems (easily extended)
- Creates a local case directory like: `./case_123_20251110T1320Z/`
- Writes a `manifest.json` and `checksums.sha256` for integrity and audit
- Detailed logging

## Requirements

- Python 3.8+
- Paramiko (`pip install paramiko`)
- (optional) colorama for nicer console coloring, but not required

## NOTES & CAUTION

- Some artifacts (e.g., `/etc/shadow`) are extremely sensitive. Only collect when permitted.
- Sudo password is sent only over the SSH channel to the remote host (not stored).

## Examples

```bash
# Basic SSH key based
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user ubuntu --key ~/.ssh/id_rsa

# Prompt for password
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user admin --password --sudo

# Collect an extra file and run an extra command ad hoc
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --extra-file /etc/hosts --extra-cmd "ss -tunap"

# Collect sensitive files (/etc/shadow etc.)
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --collect-sensitive
```
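The case-directory layout, `manifest.json` and `checksums.sha256` described in the Features list are the parts an examiner relies on later, so here is an added, self-contained example of that bookkeeping. This is not SneakySleuth's own code: the artifact lists, the `SAMPLE_REMOTE_FS` dictionary standing in for the remote host, and the `detect_family`, `collect`, `verify` and `run_demo` functions are all constructed for this illustration. The real tool fetches files over SFTP with Paramiko; here the fetch is a plain callback so the example runs offline, and it also shows the two cases a collector has to handle cleanly: an artifact that is absent on the host (recorded as `missing` in the manifest rather than aborting the run) and an artifact that is altered after collection (caught by re-hashing against `checksums.sha256`).

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed default artifact lists for this example; the tool's own lists
# live in remote_forensics_collect.py and are longer.
DEFAULT_ARTIFACTS = {
    "debian": ["/etc/os-release", "/etc/passwd", "/var/log/auth.log"],
    "rhel": ["/etc/os-release", "/etc/passwd", "/var/log/secure"],
}
SENSITIVE_ARTIFACTS = ["/etc/shadow"]  # only appended with --collect-sensitive

# Constructed stand-in for the remote host (remote path -> file bytes) so the
# example runs offline. In the real tool this is an SFTP download via Paramiko.
SAMPLE_REMOTE_FS = {
    "/etc/os-release": b'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\n',
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/log/auth.log": b"Nov 10 13:19:58 host sshd[1234]: Accepted publickey "
                         b"for ubuntu from 10.0.0.9 port 51234 ssh2\n",
}


def sample_fetch(remote_path):
    """Hypothetical fetch callback: return file bytes or raise FileNotFoundError."""
    try:
        return SAMPLE_REMOTE_FS[remote_path]
    except KeyError:
        raise FileNotFoundError(remote_path)


def detect_family(os_release_text):
    """Classify a host as debian/rhel/unknown from ID and ID_LIKE in /etc/os-release."""
    fields = {}
    for line in os_release_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    ids = {fields.get("ID", "")} | set(fields.get("ID_LIKE", "").split())
    if ids & {"debian", "ubuntu"}:
        return "debian"
    if ids & {"rhel", "fedora", "centos", "rocky", "almalinux"}:
        return "rhel"
    return "unknown"


def case_dir_name(case_id, now):
    """Directory name in the README's form: case_<id>_<UTC timestamp>Z."""
    return f"case_{case_id}_{now.strftime('%Y%m%dT%H%MZ')}"


def collect(case_id, fetch, artifacts, base=".", now=None):
    """Fetch each artifact into <case>/artifacts/<remote path>, hash it, and
    write manifest.json plus checksums.sha256. A file missing on the host is
    recorded in the manifest instead of aborting the whole collection."""
    now = now or datetime.now(timezone.utc)
    case = Path(base) / case_dir_name(case_id, now)
    (case / "artifacts").mkdir(parents=True)
    manifest = {"case": case_id, "collected_utc": now.isoformat(), "artifacts": []}
    checksum_lines = []
    for remote in artifacts:
        entry = {"remote_path": remote}
        try:
            data = fetch(remote)
        except FileNotFoundError:
            entry["status"] = "missing"
            manifest["artifacts"].append(entry)
            continue
        rel = Path("artifacts") / remote.lstrip("/")
        dest = case / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        digest = hashlib.sha256(data).hexdigest()
        entry.update(status="ok", local_path=rel.as_posix(), size=len(data), sha256=digest)
        manifest["artifacts"].append(entry)
        # Two-space separator keeps the file compatible with `sha256sum -c`.
        checksum_lines.append(f"{digest}  {rel.as_posix()}")
    (case / "manifest.json").write_text(json.dumps(manifest, indent=2))
    (case / "checksums.sha256").write_text("\n".join(checksum_lines) + "\n")
    return case


def verify(case):
    """Re-hash every file listed in checksums.sha256; return the entries that
    are missing or whose digest no longer matches (empty list means intact)."""
    mismatches = []
    for line in (Path(case) / "checksums.sha256").read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        path = Path(case) / rel
        if not path.exists() or hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            mismatches.append(rel)
    return mismatches


def run_demo():
    """End-to-end run in a scratch directory; returns the results as a dict."""
    base = tempfile.mkdtemp(prefix="sneakysleuth_demo_")
    now = datetime(2025, 11, 10, 13, 20, tzinfo=timezone.utc)
    family = detect_family(sample_fetch("/etc/os-release").decode())
    case = collect("123", sample_fetch, DEFAULT_ARTIFACTS[family], base=base, now=now)
    intact = verify(case)
    # Simulate someone editing a collected artifact after the fact.
    (case / "artifacts/etc/passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
    tampered = verify(case)
    # Run the RHEL list against the same Debian host: /var/log/secure is absent.
    case2 = collect("124", sample_fetch, DEFAULT_ARTIFACTS["rhel"], base=base, now=now)
    statuses = {e["remote_path"]: e["status"]
                for e in json.loads((case2 / "manifest.json").read_text())["artifacts"]}
    return {"family": family, "case_dir": case.name, "intact": intact,
            "tampered": tampered, "rhel_statuses": statuses}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints the demo results; `verify()` returns an empty list straight after collection and `["artifacts/etc/passwd"]` once that file has been modified, which is the check to run before a case directory is handed over. Because `checksums.sha256` uses the two-space `sha256sum` layout, the same check can be repeated later with `cd case_123_20251110T1320Z && sha256sum -c checksums.sha256` without this script.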