SneakySleuth/README.md
2025-11-10 14:20:27 -06:00


SneakySleuth

“Be the sleuth — gather facts from remote Linux hosts.”

Collect forensic artifacts from a remote Linux host (Debian/RHEL aware) via SSH/SFTP.

Features:

  • SSH auth via private key or password
  • SFTP file download and remote command capture (stdout -> files)
  • Optional sudo support (provide sudo password or require key-based sudo)
  • Default artifact lists for Debian-style and RHEL-style systems (easily extended)
  • Creates a local case directory like: ./case_123_20251110T1320Z/
  • Writes a manifest.json and checksums.sha256 for integrity and audit
  • Detailed logging

Requirements:

  • Python 3.8+
  • Paramiko (pip install paramiko)
  • (optional) colorama for nicer console coloring

NOTES & CAUTION:

  • Some artifacts (e.g., /etc/shadow) are extremely sensitive. Only collect when permitted.
  • Sudo password is sent only over the SSH channel to the remote host (not stored).

Examples:

# Basic SSH key-based authentication
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user ubuntu --key ~/.ssh/id_rsa

# Prompt for a password and use sudo on the remote host
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user admin --password --sudo

# Collect an extra file and run an extra command ad hoc
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --extra-file /etc/hosts --extra-cmd "ss -tunap"

# Collect sensitive files (/etc/shadow, etc.)
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --collect-sensitive
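
Verifying a case directory after collection, as an added example that is not part of SneakySleuth: it recomputes every digest listed in checksums.sha256 and also flags listed-but-missing files and files present on disk that nobody vouched for. It assumes checksums.sha256 uses the sha256sum layout ("<hex digest>  <path relative to the case directory>") and exercises the check against a constructed sample case rather than real evidence.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksums(text: str) -> dict:
    # Assumed sha256sum-style layout: "<hex digest>  <path relative to case dir>"
    pairs = (ln.strip().partition("  ") for ln in text.splitlines() if ln.strip())
    return {rel.strip(): digest.lower() for digest, _, rel in pairs}

def verify_case(case_dir: Path) -> dict:
    """Recompute every listed digest and flag files nobody vouched for."""
    expected = parse_checksums((case_dir / "checksums.sha256").read_text())
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        target = case_dir / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    listed = set(expected) | {"checksums.sha256", "manifest.json"}
    for p in case_dir.rglob("*"):
        if p.is_file() and p.relative_to(case_dir).as_posix() not in listed:
            report["unlisted"].append(p.relative_to(case_dir).as_posix())
    return report

def build_demo_case() -> Path:
    """Constructed sample case (not real evidence): one intact artifact, one edited
    after hashing, one listed but never downloaded, one never listed at all."""
    case = Path(tempfile.mkdtemp(prefix="case_123_"))
    (case / "files").mkdir()
    hosts = case / "files" / "etc_hosts"
    hosts.write_bytes(b"127.0.0.1 localhost\n")
    ss_out = case / "ss_tunap.txt"
    ss_out.write_bytes(b"tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n")
    lines = [f"{sha256_file(p)}  {p.relative_to(case).as_posix()}" for p in (hosts, ss_out)]
    lines.append("0" * 64 + "  files/etc_shadow")  # placeholder digest; file absent
    (case / "checksums.sha256").write_text("\n".join(lines) + "\n")
    (case / "manifest.json").write_text('{"case": "123", "host": "10.0.0.5"}\n')
    ss_out.write_bytes(b"edited after collection\n")  # simulate post-collection tampering
    (case / "stray.bin").write_bytes(b"\x00")  # present on disk, never hashed
    return case
```

Run verify_case() against a real case directory before handing it to analysis; any non-empty mismatch, missing or unlisted list means the collection can no longer be treated as a faithful copy.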