linux explorer: live forensics toolbox for Linux endpoints

Linux Explorer

Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.


Capabilities

ps

  • View full process list
  • Inspect process memory map & fetch memory strings easily
  • Dump process memory in one click
  • Automatically search hash in public services
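The memory map and memory-strings features above are built on procfs. As an added illustration (not the project's own code, and written for Python 3 rather than the Python 2.7 the tool targets), the script below parses /proc/<pid>/maps, keeps the readable regions, and pulls printable strings from a memory buffer the way strings(1) does; the maps listing and the memory bytes are constructed samples, and dump_region_strings reads /proc/<pid>/mem, which requires root or ptrace permission on the target process.

```python
import re
from collections import namedtuple

# One mapping from /proc/<pid>/maps: [start, end) address range, permissions, backing path
Region = namedtuple("Region", "start end perms path")

# Field layout of a maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Region tuples (addresses as ints)."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions


def readable_regions(regions, skip=("[vvar]", "[vsyscall]")):
    """Keep mappings with the read bit set, minus kernel pages that fail on read."""
    return [r for r in regions if r.perms[0] == "r" and r.path not in skip]


def extract_strings(buf, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [s.decode("ascii") for s in pattern.findall(buf)]


def dump_region_strings(pid, region, min_len=4):
    """Read one region through /proc/<pid>/mem (needs root or ptrace rights on pid)."""
    with open("/proc/%d/mem" % pid, "rb") as mem:
        mem.seek(region.start)
        data = mem.read(region.end - region.start)
    return extract_strings(data, min_len)


# Constructed sample input: a trimmed maps listing and a slice of process memory
SAMPLE_MAPS = """\
55d3c4a00000-55d3c4a01000 r--p 00000000 08:01 1234   /usr/bin/sleep
55d3c4a01000-55d3c4a05000 r-xp 00001000 08:01 1234   /usr/bin/sleep
7ffd1c3e9000-7ffd1c40a000 rw-p 00000000 00:00 0      [stack]
7ffd1c5f1000-7ffd1c5f3000 r--p 00000000 00:00 0      [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0  [vsyscall]
"""
SAMPLE_MEM = (b"\x7fELF\x02\x01\x01\x00\x00\x00/bin/sh\x00\x00-c\x00\x00"
              b"HOME=/root\x00\x01\x02ab\x00")

if __name__ == "__main__":
    for r in readable_regions(parse_maps(SAMPLE_MAPS)):
        print("%x-%x %s %s" % (r.start, r.end, r.perms, r.path))
    print(extract_strings(SAMPLE_MEM))
```

On a live endpoint, replace the samples with open("/proc/%d/maps" % pid).read() and call dump_region_strings for each readable region.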

users

  • User list

find

  • Search for suspicious files by name/regex

netstat

  • Whois

logs

  • syslog
  • auth.log (user authentication log)
  • ufw.log (firewall log)
  • bash history

anti-rootkit

  • chkrootkit

yara

  • Scan a file or directory using YARA signatures by @Neo23x0
  • Scan a running process's memory address space
  • Upload your own YARA signature

Installation

Requirements

  • Python 2.7
  • YARA
  • chkrootkit

Install

git clone https://github.com/intezer/linux_expl0rer
pip install -r requirements.txt

Set up VT/OTX API keys
nano config.py
Edit the following lines:

VT_APIKEY = '<key>'
OTX_APIKEY = '<key>'

Install YARA/chkrootkit

sudo apt-get install yara chkrootkit

Start Linux Expl0rer server

sudo python linux_explorer.py

Usage

Open the web interface in your browser: firefox http://127.0.0.1:8080

Copyright (C) 2017 intezer

Source: https://github.com/intezer/
