DFIR_Linux_Collector/bootstrap.sh at main · xophidia/DFIR_Linux_Collector · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!./bin/busybox.static sh

export PATH=$PWD/bin:$PWD/sbin:$PWD/usr/bin:$PWD/usr/sbin
export -n LD_LIBRARY_PATH
export OUTPUT="output"

echo "Preparing environment ..."
# Changement path du linker pour les binaires liés dynamiquement (ex: python3)
# https://www.it-swarm-fr.com/fr/linux/plusieurs-bibliotheques-glibc-sur-un-seul-hote/957545379/
#patcher également toutes les commandes utilisée (anti RK)
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/lsof 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /bin/bash 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /sbin/iptables 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/sudo 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/find 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/xargs 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/gawk 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/jq 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/sed 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /usr/bin/tput 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /sbin/arp 2>/dev/null
chroot ./ /usr/bin/patchelf --set-interpreter $PWD/lib/ld-musl-x86_64.so.1 /bin/netstat 2>/dev/null
mkdir output


echo "Launching tools ..."
export LD_LIBRARY_PATH=$PWD/lib:$PWD/usr/lib:$PWD/usr/lib/sudo


if [ "$1" = "rescue" ]; then
    echo "**** Mode rescue. ****"
    echo "Les commandes que vous tapez sont sécurisées."
    bash
    echo "Fin mode rescue."
else
    bash ./dlc.sh 2>&1 | tee $OUTPUT/dlc.log
fi


echo ""
echo "Archive creation ..."

tar -czvf $USER_PWD/DLC_Collect-$HOSTNAME-`date +%F`.tgz output/

echo ""
echo "Making checksums ..."
echo "MD5 => $(md5sum "$USER_PWD/DLC_Collect-$HOSTNAME-`date +%F`.tgz" | cut -f 1 -d " ")" >> $USER_PWD/DLC_Collect-$HOSTNAME-`date +%F`_Checksums.txt
echo "SHA1 => $(sha1sum "$USER_PWD/DLC_Collect-$HOSTNAME-`date +%F`.tgz" | cut -f 1 -d " ")" >> $USER_PWD/DLC_Collect-$HOSTNAME-`date +%F`_Checksums.txt