
unix_collector is a Live Response collection script for Incident Response on UNIX-like systems using native binaries. Supports AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.


unix_collector


A comprehensive live forensic collection script for UNIX-like systems, designed to gather critical system information for forensic investigations and incident response.

As a single shell script, unix_collector is easy to upload and execute, without the need for untarring, compiling, installation, or an internet connection to download additional components. The script can be run either as a normal user or as root, though it performs more effectively when executed as root, as this allows it to access a wider range of system files and artifacts.


🖥️ Supported Platforms

UNIX Collector supports a wide range of UNIX-like operating systems with automatic platform detection:

Operating Systems

  • Linux
  • macOS
  • Android
  • FreeBSD
  • OpenBSD
  • NetBSD
  • Solaris
  • AIX
  • HP-UX

Container & Virtualization Platforms

  • Docker
  • Kubernetes
  • Podman
  • Containerd
  • LXC/LXD
  • VMware ESXi
  • VirtualBox
  • KVM/libvirt
  • Proxmox

Specialized Platforms

  • NetScaler
  • IoT/Embedded

Linux Distributions

  • Ubuntu
  • Debian
  • Red Hat
  • CentOS
  • SUSE
  • Arch
  • Gentoo
  • Slackware

Note: The script automatically detects the platform and adjusts collection methods accordingly. For systems not explicitly listed, use the --platform=generic option for best-effort collection.

Features

πŸ” What It Collects

The script gathers 360+ distinct forensic artifacts to help identify potential system compromises:

| Category | Artifact Count | Key Artifacts |
|---|---|---|
| System Information | ~30 | Kernel version, hardware inventory, BIOS/UEFI, timezone, installation date |
| Storage & Filesystems | ~40 | Disk partitions, RAID arrays, LVM volumes, ZFS datasets, mount points |
| Process Analysis | ~30 | Running processes, command lines, file handles, deleted binaries, memory maps, unowned files, dead processes |
| Persistence Mechanisms | ~35 | Cron jobs, at tasks, systemd timers, rc scripts, kernel modules |
| Network Configuration | ~20 | Interfaces, routing tables, connections, firewall rules, ARP cache |
| User & Authentication | ~15 | User accounts, groups, SSH configs, sudo rules, Kerberos tickets |
| System Logs | ~10 | /var/log, audit logs, boot logs, security events, dmesg |
| Virtual Systems | ~45 | VMware ESXi (25), VirtualBox (10), KVM/libvirt (7), others (3) |
| Container Platforms | ~45 | Docker (13), Podman (11), LXC (12), Containerd (2), Proxmox (3) |
| File Hashes | 3 | MD5, SHA1, SHA256 for all collected binaries |
| Configuration Files | ~20 | /etc configs, systemd units, network settings |
| Additional Data | ~15 | Home directories, temp files, installed packages, compiler tools |
| Remote Access Tools | ~20 | TeamViewer, AnyDesk, RustDesk, VNC variants, SSH tunnels, RDP tools |
| Application Artifacts | ~40 | Confluence, Tomcat, Jenkins, WordPress, Elastic Stack, etc. |
| Web Browsers | ~50 | History, bookmarks, cookies, saved passwords, extensions, downloads, preferences |

System & Hardware

  • Complete hardware inventory and system information
  • Kernel version, modules, and taint status
  • BIOS/UEFI settings and boot configuration
  • Storage devices, partitions, and RAID configurations

Files & Processes

  • Full filesystem timeline with inode and MAC times
  • Running processes with command lines and file descriptors
  • Process memory maps and deleted binaries detection
  • SUID/SGID binaries with cryptographic hashes
  • Open files and network connections per process

Users & Authentication

  • User accounts, groups, and password policies
  • SSH keys and configurations
  • Sudo rules and PAM settings
  • Login history and active sessions
  • Kerberos tickets and authentication tokens

Persistence Mechanisms

  • Cron jobs, at tasks, and systemd timers
  • Init scripts and startup items
  • Kernel modules and drivers
  • System services and daemons

Network & Communications

  • Network interfaces and routing tables
  • Active connections and listening ports
  • Firewall rules and packet filters
  • DNS configuration and host mappings
  • ARP cache and neighbor tables

Logs & Audit Trails

  • System logs (/var/log, /var/adm)
  • Authentication logs and security events
  • Audit daemon logs and rules
  • Boot and kernel messages
  • Application-specific logs

Container & Virtualization

  • Docker/Podman containers, images, and volumes
  • Virtual machine inventories and configurations
  • Container runtime configs and logs
  • Hypervisor settings and resource allocations

Additional Artifacts

  • Installed software and patch levels
  • Configuration files from /etc
  • Temporary files and caches
  • User home directories
  • Browser artifacts and history
  • Scheduled tasks and services

Remote Access & Administration

  • Remote access tool configurations and logs
  • TeamViewer, AnyDesk, RustDesk installations and logs
  • VNC server configurations (TightVNC, TigerVNC, RealVNC, UltraVNC)
  • Chrome Remote Desktop artifacts
  • SSH tunneling and port forwarding scripts
  • RDP/XRDP configurations and logs
  • NoMachine, Splashtop, Parsec gaming remote logs
  • Apache Guacamole web-based remote desktop settings
  • ConnectWise/ScreenConnect support tool artifacts
  • LogMeIn and GoToMyPC configurations
  • X2Go session data
  • Remmina connection profiles
  • DWService remote support logs
  • Remote tool systemd service definitions
  • Desktop entries for remote applications
  • Detection of potential backdoor SSH scripts

Web Browser Artifacts

  • Chromium-based: Google Chrome, Chromium, Microsoft Edge, Brave, Opera, Vivaldi
  • Mozilla Firefox: Including ESR and Developer editions
  • Safari: macOS systems
  • Privacy Browsers: Tor Browser (limited collection)

🚀 Quick Start

Installation

# Download the script (single file, no dependencies)
wget https://raw.githubusercontent.com/op7ic/unix_collector/main/unix_collector.sh

# Make it executable
chmod +x unix_collector.sh

Basic Usage

# Run with auto-detection (recommended: run as root for full collection)
sudo ./unix_collector.sh

# Run as normal user (limited collection)
./unix_collector.sh

# Specify platform manually
sudo ./unix_collector.sh --platform=Linux

💡 Tip: While the script can run as a normal user, running as root provides access to more comprehensive forensic artifacts including system logs, process memory maps, and privileged configuration files.

Available Platform Options

  • solaris - Sun/Oracle Solaris
  • aix - IBM AIX
  • mac - macOS/Darwin
  • linux - Generic Linux
  • hpux - HP-UX
  • android - Android devices
  • generic - Unknown UNIX systems

Example deployment and collection

# 1. Transfer script to target system
scp unix_collector.sh user@target:/tmp/

# 2. SSH to target
ssh user@target

# 3. Run collector
cd /tmp && sudo ./unix_collector.sh --quiet

# 4. Transfer results back
scp collector-*.tar.xz analyst@forensics:/cases/

# 5. Extract and analyze
tar -xf collector-*.tar.xz

📋 Key Features

  • 🔧 Self-Contained: Single shell script with no external dependencies
  • 🌐 Air-Gap Ready: No internet connection required for operation
  • 🛡️ Non-Invasive: Read-only operations preserve evidence integrity
  • 🔍 Comprehensive: Collects 250+ types of forensic artifacts
  • ⚡ Efficient: Configurable file size limits prevent resource exhaustion
  • 🔐 Hash Verification: Multiple algorithms (MD5, SHA1, SHA256) for evidence validation
  • 📊 Timeline Analysis: Complete filesystem timeline with inode and timestamp data, exported to both body and CSV files

💾 Output Format

Archive Structure

The script creates a timestamped archive: collector-hostname-DD-MM-YYYY.tar[.xz|.bz2|.gz]

Compression is automatically selected based on available tools:

  1. XZ (smallest size, if available)
  2. BZIP2 (good compression)
  3. GZIP (fastest)
  4. TAR (no compression, fallback in case other tools don't exist)
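As an added example (not code from the unix_collector project itself), the POSIX sh functions below model the fallback order just listed, plus a matching extraction helper for the analyst side that picks the decompressor from the archive suffix; all function names are my own.

```shell
# Added example, not part of unix_collector: models the compressor fallback
# order (xz -> bzip2 -> gzip -> plain tar) and the matching extraction step.

# Print "<tool> <suffix>" for the best compressor among the tool names given
# as arguments. Taking the list as arguments keeps the selection logic
# independent of what happens to be installed, so it can be tested directly.
pick_compressor() {
    avail=" $* "
    for cand in "xz .xz" "bzip2 .bz2" "gzip .gz"; do
        tool=${cand%% *}
        case "$avail" in
            *" $tool "*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    printf '%s\n' tar          # nothing found: uncompressed .tar
}

# Tool names actually present on this host, for feeding pick_compressor.
installed_compressors() {
    for t in xz bzip2 gzip; do
        command -v "$t" >/dev/null 2>&1 && printf '%s ' "$t"
    done
    echo
}

# Pack $1 (a collector-<host>-<DD-MM-YYYY> directory) into $2/<name>.tar<suffix>
# using the fallback order above, and print the resulting path.
make_collector_archive() {
    dir=$1; out=${2:-.}
    set -- $(pick_compressor $(installed_compressors))
    tool=$1; suffix=$2
    name=$(basename "$dir").tar
    tar -cf "$out/$name" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    [ "$tool" = tar ] || "$tool" "$out/$name" || return 1
    printf '%s\n' "$out/$name$suffix"
}

# Extract any of the four variants into $2, choosing the decompressor by suffix.
extract_collector_archive() {
    case "$1" in
        *.tar.xz)  xz -dc "$1"    | tar -xf - -C "$2" ;;
        *.tar.bz2) bzip2 -dc "$1" | tar -xf - -C "$2" ;;
        *.tar.gz)  gzip -dc "$1"  | tar -xf - -C "$2" ;;
        *.tar)     tar -xf "$1" -C "$2" ;;
        *)         echo "unrecognised archive: $1" >&2; return 1 ;;
    esac
}
```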

Directory Organization

collector-hostname-DD-MM-YYYY/
├── general/          # System information, kernel, hardware
├── software/         # Installed packages and patches
├── logs/             # System and application logs
├── homedir/          # User home directories
├── procfiles/        # Process information from /proc
├── tmpfiles/         # Temporary file preservation
├── setuid/           # SUID/SGID binaries
├── hashes/           # File hashes (MD5/SHA1/SHA256)
├── network/          # Network configuration and connections
├── hardware/         # Hardware information
├── auditd/           # Audit configuration (Linux)
├── virtual/          # Virtualization platform data
├── containers/       # Container runtime information
└── collector-*.txt   # Collection metadata

💻 System Requirements

Minimal Requirements

  • Shell: Any POSIX-compliant shell (/bin/sh)
  • Privileges: Can run as normal user; root/sudo recommended for comprehensive collection
  • Tools: Basic UNIX utilities (find, tar, grep) - standard on all UNIX systems
  • Space: Enough free disk space for logs and other collected files to be copied into a single location (varies by system size); alternatively, run the script from a mounted disk or network partition

⚑ Performance & Limits

Configurable Limits

  • File Size Cap: 500MB default (prevents collecting large databases/media)
  • Smart Filtering: Excludes virtual disk images (vmdk, vhd, ova)
  • Efficient Collection: Uses rsync when available for faster copying

Expected Run Times

  • Small Systems (<10GB used): 5-10 minutes
  • Medium Systems (10-100GB): 15-30 minutes
  • Large Systems (100GB+): 30-60 minutes
  • Timeline Generation: Adds 5-30 minutes depending on filesystem size

Resource Usage

  • CPU: Low to moderate (mainly during hashing)
  • Memory: Minimal (<100MB typical)
  • Disk I/O: Read-intensive during collection
  • Network: None required

🎯 Use Cases

  • 🚨 Incident Response: Rapid forensic triage during security incidents
  • 🔍 Compromise Assessment: Identify indicators of system compromise
  • 🛡️ Threat Hunting: Collect artifacts for proactive threat detection
  • 📊 Security Audits: Document system state for compliance and analysis
  • 🔬 Forensic Investigations: Preserve evidence for detailed analysis
  • 💾 System Baseline: Create reference snapshots for change detection
  • 🏢 Enterprise Security: Deploy across internal networks for centralized collection
  • 📱 IoT/Embedded Analysis: Investigate compromised embedded devices

Contributing

Contributions are welcome! Please feel free to submit issues, feature requests, or pull requests on the GitHub repository.

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

Acknowledgments

  • Inspired by the collective knowledge of Portcullis Security Team
  • Based on concepts from unix-privesc-check by pentestmonkey
  • Special thanks to Ian Ventura-Whiting (Fizz) and Tim Brown (timb_machine) for inspiration
  • Mike Trewartha
