LEAF: Linux Evidence Acquisition Framework
Linux Evidence Acquisition Framework (LEAF) acquires artifacts and evidence from Linux EXT4 systems. It takes user input (an input file of target locations, a list of users, artifact categories, and optional YARA rules) to tailor what is collected, so the same invocation can be reused across many hosts. Using the selected modules and parameters, LEAF locates the relevant Linux artifacts and writes them to an ISO image file.
LEAF processes Ubuntu 20.04/Debian file systems for forensic artifacts, extracts the important data, and exports it to an ISO9660 image. It is compatible with the EXT4 file system and with the common artifact locations on Ubuntu 20.04. See the help page for more information.
Install
- Install Python requirements:
  - Python 3 (preferably 3.8 or higher): apt install python3
  - pip for Python 3: apt install python3-pip (the Debian/Ubuntu package is named python3-pip; there is no apt package called pip3)
- Download required modules:
  - Clone the repo: git clone https://github.com/alex-cart/LEAF.git
  - Install modules from requirements.txt: pip3 install -r requirements.txt
  - If you get an installation error, try sudo -H pip3 install -r requirements.txt
Use
Example
To use the default arguments (default input file ./target_locations, all users, all categories, and output location ./LEAF_output/; cloned data is not kept in a local directory, verbose mode is off, and YARA scanning is disabled):

LEAF_main.py

All arguments:

LEAF_main.py -i /home/alice/Desktop/customfile1.txt -o /home/alice/Desktop/ExampleOutput/ -c logs startup services apache -u alice bob charlie -s -v -y /path/to/yara_rule1.yar -yr /path2/to/yara_rules/ -yd /home/frank -g /etc/

To specify usernames, categories, and YARA files:

LEAF_main.py -u alice bob charlie -c applications executions users -y /home/alice/Desktop/yara1.yar /home/alice/Desktop/yara2.yar

To include custom input file(s) and categories:

LEAF_main.py -i /home/alice/Desktop/customfile1.txt /home/alice/Desktop/customfile2.txt -c apache xampp
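The core of an acquisition run like the ones above is the same for any tool of this kind: walk a set of target locations, copy each file with its metadata preserved, record a hash of the source, and check the copy against that hash so the evidence set can be re-verified later. The following added example illustrates that step on its own. It is not LEAF's own code and does not reproduce LEAF's modules, category logic, user handling, or ISO9660 output: it writes the acquired files plus a JSON manifest (an assumed format with assumed field names) into an output directory and re-hashes the copies on demand. The sample file tree built under __main__ is constructed for the demonstration.

```python
"""Added example (not LEAF's code): acquire a list of target paths into an
output directory, preserving timestamps/permissions via shutil.copy2 and
recording SHA-256 hashes in a JSON manifest (assumed format) for later
verification."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 in 1 MiB chunks so large logs stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_targets(targets):
    """Yield every regular file under the given target paths (files or dirs).
    Symlinks are skipped rather than followed, so a link planted in a user's
    home cannot pull in files outside the requested locations or loop forever."""
    for t in targets:
        p = Path(t).absolute()
        if p.is_symlink() or not p.exists():
            continue  # missing targets are tolerated; the manifest shows what was found
        if p.is_file():
            yield p
        elif p.is_dir():
            for root, _dirs, files in os.walk(p, followlinks=False):
                for name in sorted(files):
                    fp = Path(root) / name
                    if not fp.is_symlink() and fp.is_file():
                        yield fp


def acquire(targets, out_dir):
    """Copy each target file to out_dir/evidence/<original path> and return the
    manifest (also written to out_dir/manifest.json). Each entry records the
    source metadata, the source hash, and whether the fresh copy hashed the same."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in iter_targets(targets):
        st = src.lstat()
        dst = out / "evidence" / src.relative_to(src.anchor)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst, follow_symlinks=False)  # keeps mtime and mode bits
        src_hash = sha256_file(src)
        manifest.append({
            "source": str(src),
            "copy": str(dst.relative_to(out)),
            "size": st.st_size,
            "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mtime": st.st_mtime,
            "sha256": src_hash,
            "verified": sha256_file(dst) == src_hash,
        })
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir):
    """Re-hash every copy against the manifest and return the sources whose copy
    is missing or no longer matches (an empty list means the set is intact)."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [e["source"] for e in manifest
            if not (out / e["copy"]).is_file()
            or sha256_file(out / e["copy"]) != e["sha256"]]


if __name__ == "__main__":
    # Constructed sample tree standing in for a host's /etc and one user's home.
    base = Path(tempfile.mkdtemp())
    (base / "etc").mkdir()
    (base / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (base / "home" / "alice").mkdir(parents=True)
    (base / "home" / "alice" / ".bash_history").write_text("ls\nsudo su\n")
    os.symlink(base / "etc" / "passwd", base / "home" / "alice" / "link")  # skipped
    entries = acquire([base / "etc", base / "home" / "alice"], base / "LEAF_output")
    print(json.dumps(entries, indent=2))
    print("mismatches:", verify(base / "LEAF_output"))
```

The manifest is what makes the output defensible: running verify() after the evidence has been moved, imaged, or handed over shows whether any copy changed, and the recorded uid/gid/mode/mtime survive even if the destination file system cannot store them. Skipping symlinks is deliberate; if a link target is needed, list it as its own target path.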
Author: Alexandra Cartwright
Source: https://github.com/alex-cart/