36 lines
1.5 KiB
Markdown
36 lines
1.5 KiB
Markdown
# SneakySleuth
|
|
## “Be the sleuth — gather facts from remote Linux hosts.”
|
|
Collect forensic artifacts from a remote Linux host (Debian/RHEL aware) via SSH/SFTP.
|
|
|
|
Features:
|
|
- SSH auth via private key or password
|
|
- SFTP file download and remote command capture (stdout -> files)
|
|
- Optional sudo support (provide sudo password or require key-based sudo)
|
|
- Default artifact lists for Debian-style and RHEL-style systems (easily extended)
|
|
- Creates a local case directory like: ./case_123_20251110T1320Z/
|
|
- Writes a manifest.json and checksums.sha256 for integrity and audit
|
|
- Detailed logging
|
|
|
|
Requirements:
|
|
- Python 3.8+
|
|
- Paramiko (`pip install paramiko`)
|
|
- (optional) colorama for nicer console coloring, but not required
|
|
|
|
NOTES & CAUTION:
|
|
- Some artifacts (e.g., /etc/shadow) are extremely sensitive. Only collect when permitted.
|
|
- Sudo password is sent only over the SSH channel to the remote host (not stored).
|
|
|
|
## Examples:
|
|
```bash
|
|
# Basic SSH Key based
|
|
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user ubuntu --key ~/.ssh/id_rsa
|
|
|
|
# Prompt for Password
|
|
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user admin --password --sudo
|
|
|
|
# collect an extra file and run an extra command ad-hoc
|
|
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --extra-file /etc/hosts --extra-cmd "ss -tunap"
|
|
|
|
# collect sensitive files (/etc/shadow etc...)
|
|
python3 remote_forensics_collect.py 10.0.0.5 --case 123 --user root --key ~/.ssh/id_rsa --collect-sensitive
|
|
``` |