mstoeck3/collector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
collector/collector.sh
overcuriousity afa0454f74 commit
2025-05-10 21:07:26 +02:00

259 lines
8.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Forensic Collector
# Version 0.1
# Chain of custody and integrity verification
#Copyright [yyyy] [name of copyright owner]
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# header
echo -e "${GREEN}=========================================="
echo " FORENSIC COLLECTOR"
echo
echo
echo
echo "\"Experten, die keine KI verwenden, werden aussterben."
echo " Ja, und Experten wie meine Frau, die KI verwenden,"
echo " werden die anderen Experten ersetzen.\""
echo -e "${YELLOW} - Dirk Labudde, 29.10.2024${NC}"
echo -e "==========================================${NC}"
echo
START_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)
HOSTNAME=$(hostname)
OS_INFO=$(uname -a)
WGET_VERSION=$(wget --version | head -n1)
USERNAME=$(whoami)
echo -e "${YELLOW}Öffentliche IP wird abgerufen...${NC}"
EXTERNAL_IP=$(curl -s https://api.ipify.org)
if [ -z "$EXTERNAL_IP" ]; then
EXTERNAL_IP="Fehler beim Abruf der öffentlichen IP-Adresse."
echo -e "${RED}WARNUNG: Die öffentliche IP-Adresse konnte nicht abgerufen werden.${NC}"
echo -e "&{RED}Prüfen Sie die Netzwerkverbindung.${NC}"
else
echo -e "${GREEN}Öffentliche IP: $EXTERNAL_IP${NC}"
echo -e "${RED}Hinweis:${NC}"
echo -e "${YELLOW}Diese IP-Adresse wird bei der Sicherung der Webseite im Webserver-${NC}"
echo -e "${YELLOW}oder Firewall-Log des Ziels auffallen.${NC}"
echo -e "${NC}Die Nutzung von VPN oder TOR ist zu empfehlen.${NC}"
fi
echo -e "\n${YELLOW}Eingabe der Ziel-URI:${NC}"
read -p "URI: " TARGET_URL
# Validation
if [[ ! $TARGET_URL =~ ^https?:// ]]; then
echo -e "${RED}FEHLER: Geben Sie eine valide URI ein, beginnend mit http:// oder https://${NC}"
exit 1
fi
echo -e "\n${YELLOW}Angabe des Geschäftszeichens (optional):${NC}"
read -p "Geschäftszeichen: " CASE_NUMBER
echo -e "\n${YELLOW}MAximale Rekursion eingeben (Enter=default=unlimitiert):${NC}"
read -p "Rekursion (default: unlimitiert): " MAX_DEPTH
if [ -z "$MAX_DEPTH" ]; then
MAX_DEPTH="unlimitiert"
DEPTH_PARAM=""
else
DEPTH_PARAM="--level=$MAX_DEPTH"
fi
HOSTNAME_FROM_URL=$(echo "$TARGET_URL" | sed -E 's/^https?:\/\///' | sed 's/\/.*$//' | sed 's/:.*$//')
DATE_STR=$(date +%Y%m%d_%H%M%S)
if [ -z "$CASE_NUMBER" ]; then
OUTPUT_DIR="${DATE_STR}_${HOSTNAME_FROM_URL}"
else
OUTPUT_DIR="${DATE_STR}_${CASE_NUMBER}_${HOSTNAME_FROM_URL}"
fi
mkdir -p "$OUTPUT_DIR"
cd "$OUTPUT_DIR" || exit 1
WEBSITE_DIR="website"
mkdir -p "$WEBSITE_DIR"
# Log file for wget output
WGET_LOG="wget.log"
# Initialize report
REPORT_FILE="forensic_report.txt"
cat > "$REPORT_FILE" << EOF
FORENSIC COLLECTOR
===================================
CASE INFORMATION
-----------------
CASE NUMBER: ${CASE_NUMBER:-N/A}
PRESERVATION TARGET: $TARGET_URL
PRESERVATION TIMESTAMP (UTC): $START_TIME
OUTPUT FOLDER: $OUTPUT_DIR
HOST SYSTEM INFORMATION
-------------------
USERNAME: $USERNAME
HOSTNAME: $HOSTNAME
OPERATING SYSTEM: $OS_INFO
wget-version: $WGET_VERSION
PUBLIC IP ADDRESS: $EXTERNAL_IP
PARAMETERS
-----------------
MAX RECURSION: $MAX_DEPTH
EXTRACTED TARGET DOMAIN: $HOSTNAME_FROM_URL
EOF
WGET_CMD="wget --recursive --page-requisites --html-extension --convert-links \
--restrict-file-names=windows --domains=$HOSTNAME_FROM_URL \
--user-agent='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' \
--wait=1 --random-wait --timeout=30 --tries=3 \
--no-parent --timestamping --backup-converted \
$DEPTH_PARAM --directory-prefix='$WEBSITE_DIR' '$TARGET_URL' 2>&1 | tee '$WGET_LOG'"
# wget-command documentation
echo "wget-method:" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
echo "$WGET_CMD" >> "$REPORT_FILE"
echo "----------------------------------------" >> "$REPORT_FILE"
echo >> "$REPORT_FILE"
echo -e "\n${YELLOW}Beginne Sicherungsmaßnahme...${NC}"
echo -e "${GREEN}Methode:${NC} $WGET_CMD"
echo
# Execute wget (eval is used to properly handle the command with variables)
eval "$WGET_CMD"
WGET_EXIT_CODE=$?
if [ $WGET_EXIT_CODE -ne 0 ]; then
echo -e "${RED}WARNUNG: wget mit Fehlerstatus (exit code: $WGET_EXIT_CODE). Prüfen Sie $WGET_LOG für Details.${NC}"
echo "ERROR NOTICE: wget execution produced runtime errors. Exit code: $WGET_EXIT_CODE" >> "$REPORT_FILE"
echo "wget.log contains runtime logs." >> "$REPORT_FILE"
fi
echo -e "\n${YELLOW}Kalkulation der Sicherungsstatistiken...${NC}"
TOTAL_FILES=$(find "$WEBSITE_DIR" -type f | wc -l)
TOTAL_SIZE=$(du -sh "$WEBSITE_DIR" | cut -f1)
FILE_TYPES=$(find "$WEBSITE_DIR" -type f -name "*.*" | sed 's/.*\.//' | sort | uniq -c | sort -rn)
echo "Preservation Statistics:" >> "$REPORT_FILE"
echo "-------------------" >> "$REPORT_FILE"
echo "Total File Count: $TOTAL_FILES" >> "$REPORT_FILE"
echo "Total Filesize: $TOTAL_SIZE" >> "$REPORT_FILE"
echo "Filetype-Distribution:" >> "$REPORT_FILE"
echo "$FILE_TYPES" >> "$REPORT_FILE"
echo >> "$REPORT_FILE"
if [ -s "$WGET_LOG" ]; then
echo "wget Error Log:" >> "$REPORT_FILE"
echo "----------------" >> "$REPORT_FILE"
cat "$WGET_LOG" >> "$REPORT_FILE"
echo >> "$REPORT_FILE"
fi
# Generate hash list
echo -e "\n${YELLOW}Generiere Hashwerte...${NC}"
HASH_FILE="file_hashes.sha256"
echo "File Hash List (SHA-256)" > "$HASH_FILE"
echo "========================" >> "$HASH_FILE"
echo "Generated on: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$HASH_FILE"
echo >> "$HASH_FILE"
find "$WEBSITE_DIR" -type f -print0 | while IFS= read -r -d '' file; do
sha256sum "$file" >> "$HASH_FILE"
done
# Hash the report file itself
sha256sum "$REPORT_FILE" >> "$HASH_FILE"
sha256sum "$HASH_FILE" >> "$HASH_FILE"
echo "Hash Verification:" >> "$REPORT_FILE"
echo "------------------" >> "$REPORT_FILE"
echo "Hash Algorithm: SHA-256" >> "$REPORT_FILE"
echo "Hash File: $HASH_FILE" >> "$HASH_FILE"
echo "Report File Hash: $(sha256sum "$REPORT_FILE" | cut -d' ' -f1)" >> "$REPORT_FILE"
echo >> "$REPORT_FILE"
# Create final archive
echo -e "\n${YELLOW}Erstelle Archiv...${NC}"
ARCHIVE_NAME="../${OUTPUT_DIR}.tar.gz"
tar -czf "$ARCHIVE_NAME" .
ARCHIVE_HASH=$(sha256sum "$ARCHIVE_NAME" | cut -d' ' -f1)
END_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)
echo "Preservation Completion:" >> "$REPORT_FILE"
echo "------------------------" >> "$REPORT_FILE"
echo "End Time (UTC): $END_TIME" >> "$REPORT_FILE"
echo "Archive Name: ${OUTPUT_DIR}.tar.gz" >> "$REPORT_FILE"
echo "Archive Hash (SHA-256): $ARCHIVE_HASH" >> "$REPORT_FILE"
SUMMARY_FILE="../${OUTPUT_DIR}_summary.txt"
cat > "$SUMMARY_FILE" << EOF
FORENSISCHE SICHERUNG - ZUSAMMENFASSUNG
=============================
Archiv: ${OUTPUT_DIR}.tar.gz
Archivhash (SHA-256): $ARCHIVE_HASH
Geschäftszeichen: ${CASE_NUMBER:-N/A}
Ziel-URL: $TARGET_URL
Beginn der Sicherung: $START_TIME
Ende der Sicherung: $END_TIME
Anzahl der Dateien: $TOTAL_FILES
Gesamtvolumen: $TOTAL_SIZE
Das Archiv enthält:
1. Komplettsicherung im Ordner 'website/'
2. Dokumentation der technischen Sicherung (forensic_report.txt)
3. SHA-256-Hashwerte aller Dateien
4. wget-Log
Zur Verifizierung der Integrität: sha256sum ${OUTPUT_DIR}.tar.gz
Hashwert: $ARCHIVE_HASH
EOF
cd ..
rm -rf "$OUTPUT_DIR"
# Display completion information
echo -e "\n${GREEN}=========================================="
echo " SICHERUNG ABGESCHLOSSEN"
echo -e "==========================================${NC}"
echo
echo -e "${GREEN}Archiv erstellt:${NC} ${OUTPUT_DIR}.tar.gz"
echo -e "${GREEN}Archivhash:${NC} $ARCHIVE_HASH"
echo -e "${GREEN}Zusammenfassung:${NC} ${OUTPUT_DIR}_summary.txt"
echo
echo -e "${YELLOW}Zugriff auf die Webseitensicherung:${NC}"
echo "1. Extraktion des Archivs: tar -xzf ${OUTPUT_DIR}.tar.gz"
echo "2. Navigieren Sie zu: ${OUTPUT_DIR}/website/"
echo "3. Öffnen Sie index.html in einem Browser"
echo
echo -e "${RED}ACHTUNG!${NC}"
echo -e "${RED}Das Öffnen der Offlinesicherung schließt nicht aus, dass Javascript aus dem Internet nachgeladen wird!${NC}"
echo -e "${RED}Es wird dringend empfohlen, dies nur in einem Airgapped-System zu versuchen.${NC}"
echo
echo -e "${YELLOW}Verifizierung der Integrität:${NC}"
echo "sha256sum ${OUTPUT_DIR}.tar.gz"
echo "Erwartungswert: $ARCHIVE_HASH"
echo
Reference in New Issue View Git Blame Copy Permalink