ElTriage

A bash script for rapid forensic triage collection on Linux systems. Gathers filesystem artifacts, live system state, browser data, persistence mechanisms, and kernel tracing information into a single timestamped archive — ready for offline analysis.


Features

  • Logs — /var/log, /run/log, coredumps
  • Persistence — cron, systemd timers/services, at jobs, RC scripts, MOTD, udev rules, modprobe config, ld.so.preload, autostart entries, sudoers
  • Per-user artifacts — shell history, SSH keys/known_hosts, browser data (Chrome, Firefox, Chromium, Opera, Yandex), XDG autostart, systemd user timers, tracker databases, recently-used files
  • Host information — full filesystem timeline, SUID/SGID binaries, SHA-256 of all executables, PAM config, login policy, installed packages, temporary file listings
  • Live system state — running processes (including raw cmdlines), network connections, routing, iptables/nftables rules, loaded kernel modules, login records, service status, cron jobs
  • Kernel tracing — ftrace enabled/touched functions, trace buffer, kallsyms, kmsg (raw + parsed), scheduler debug, vmallocinfo (raw + parsed), kcore metadata and ELF header
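The collection pattern behind the Persistence, Host information and Kernel tracing features listed above, as an added example that is not ElTriage's own code. Each function takes a root directory argument so it can be exercised against a constructed tree instead of the live host; the function names (collect_persistence, hash_executables, parse_kmsg), the output layout and the list of persistence sources are this example's assumptions, not the script's actual internals. The kmsg parser follows the documented /dev/kmsg record layout (prio,seq,usec,flags;message), with dictionary continuation lines dropped.

```shell
# Added example, not ElTriage's own code. Assumes GNU coreutils/findutils.
# Usage (as root, against the live host): collect_persistence "" out_dir
#                                        hash_executables "/" out_dir
#                                        parse_kmsg /dev/kmsg > out_dir/kmsg_parsed.txt

# Copy each persistence source that exists into $out/Persistence/System.
# Missing sources are skipped silently so the run completes on any host.
# Prints the number of sources copied.
collect_persistence() {
  local root="$1" out="$2"
  local dest="$out/Persistence/System"
  local src copied=0
  mkdir -p "$dest"
  # constructed subset of the sources named in the Features list
  for src in /etc/crontab /etc/cron.d /etc/ld.so.preload /etc/sudoers \
             /etc/systemd/system /etc/rc.local /etc/udev/rules.d; do
    [ -e "$root$src" ] || continue
    cp -a "$root$src" "$dest/" 2>/dev/null && copied=$((copied + 1))
  done
  echo "$copied"
}

# SHA-256 of every regular file with an execute bit under $root, plus a
# listing of SUID/SGID files with their mode, owner and group.
hash_executables() {
  local root="$1" out="$2"
  local dest="$out/HostInfo/ExeInfo"
  mkdir -p "$dest"
  # -xdev stays on the starting filesystem; unreadable paths are ignored
  find "$root" -xdev -type f -perm /111 -exec sha256sum {} + 2>/dev/null \
    > "$dest/sha256.txt"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -printf '%M %U %G %p\n' 2>/dev/null > "$dest/suid_sgid.txt"
}

# Turn raw /dev/kmsg records into "[sec.usec] fac=F lvl=L seq=N message".
# prio = facility*8 + level; the message is everything after the first ';'
# (it may itself contain ';'). Lines starting with a space are the
# key=value dictionary attached to the previous record and are dropped.
parse_kmsg() {
  awk -F';' '
    /^ / { next }
    {
      n = split($1, h, ",")
      if (n < 3) next
      prio = h[1] + 0; lvl = prio % 8; fac = int(prio / 8)
      usec = h[3] + 0
      msg = substr($0, length($1) + 2)
      printf "[%5d.%06d] fac=%d lvl=%d seq=%s %s\n",
             int(usec / 1000000), usec % 1000000, fac, lvl, h[2], msg
    }' "$1"
}
```

Keeping the collection functions root-relative is also what makes them testable: the same code runs against a mounted evidence image by passing its mount point as the root.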

Requirements

  • Linux (Debian/Ubuntu or RHEL/CentOS family)
  • Bash 4.0+
  • Root privileges
  • Standard utilities: tar, find, stat, awk, xxd, ss, lsof, dmidecode, lshw

Usage

sudo bash eltriage.sh [-a OUTARCHIVE] [-d OUTPATH]

  Option          Description                                            Default
  -a OUTARCHIVE   Output archive name (.tar.gz appended automatically)   ElTriage_{hostname}-{date}.tar.gz
  -d OUTPATH      Working directory for collected files                  ElTriage_result
  -h              Show help

Examples

# Run with defaults
sudo bash eltriage.sh

# Custom archive name and output directory
sudo bash eltriage.sh -a /tmp/my_triage -d /tmp/triage_files

# Include full /proc/kcore image (WARNING: size equals physical RAM)
sudo COLLECT_KCORE=1 bash eltriage.sh

Output Structure

ElTriage_{hostname}-{date}.tar.gz
└── ElTriage_result/
    ├── Logs/
    │   └── Coredumps/
    ├── LiveInfo/
    │   ├── SystemInfo/
    │   ├── Logins/
    │   ├── Services/
    │   └── Time/
    ├── Persistence/
    │   ├── System/         # cron, systemd, at, udev, sudoers, etc.
    │   └── Users/          # per-user SSH, autostart, timers
    ├── Browsers/
    │   └── Users/          # Chrome, Firefox, Chromium, Opera, Yandex
    ├── HostInfo/
    │   ├── ExeInfo/        # SUID/SGID list, SHA-256 hashes
    │   ├── PAM/
    │   ├── LoginPolicy/
    │   ├── Packages/
    │   ├── Certificates/
    │   ├── TemporaryFiles/
    │   └── FilesTimeline.txt
    ├── KernelTracing/
    │   ├── Ftrace/
    │   ├── SchedDebug/
    │   ├── kallsyms.txt
    │   ├── kmsg_raw.txt
    │   ├── kmsg_parsed.txt
    │   ├── vmallocinfo.txt
    │   └── vmallocinfo_parsed.txt
    └── User Data/
        └── Users/          # shell rc files, history, desktop files, tracker DBs

Notes

  • The script suppresses errors for missing sources, so it is safe to run on any Linux host regardless of which services or browsers are installed.
  • /proc/kcore collection is opt-in via COLLECT_KCORE=1 because the file is as large as physical RAM. The ELF header and metadata are always captured.
  • Browser SQLite databases (history, cookies, logins) are copied as-is and can be opened with any SQLite browser for analysis.
  • The filesystem timeline (FilesTimeline.txt) covers all mounted local filesystems and can be imported into tools like Plaso or Timeline Explorer.
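How a timeline like FilesTimeline.txt can be produced in a form that mactime and Plaso's mactime parser accept, as an added example that is not ElTriage's own code (the page does not show the script's actual FilesTimeline.txt format). It emits the TSK bodyfile layout from a single GNU find walk; make_bodyfile and count_modified_between are assumed names, and the hash and crtime columns are left at 0 because find computes neither.

```shell
# Added example, not ElTriage's own code. Assumes GNU find and awk (Linux).
# Bodyfile line layout (TSK 3.x):
#   MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
make_bodyfile() {
  local root="$1" out="$2"
  # -xdev keeps the walk on one local filesystem; call once per mount point.
  # Timestamps come out as "epoch.fraction"; mactime wants integer seconds,
  # so the fractional part of fields 8-10 is stripped. Unreadable paths are
  # ignored so the walk survives odd mounts (the same error suppression the
  # Notes above describe).
  find "$root" -xdev -printf '0|%p|%i|%M|%U|%G|%s|%A@|%T@|%C@|0\n' 2>/dev/null \
    | awk -F'|' 'BEGIN { OFS = "|" }
                 { for (i = 8; i <= 10; i++) sub(/\..*/, "", $i); print }' \
    > "$out"
}

# Number of entries whose mtime (field 9) lies within [from, to], in epoch
# seconds: the first filter an analyst applies once an incident window is known.
count_modified_between() {
  awk -F'|' -v from="$2" -v to="$3" \
      '$9 >= from && $9 <= to { n++ } END { print n + 0 }' "$1"
}

# Usage: make_bodyfile / body.txt && count_modified_between body.txt 1700000000 1700086400
```

The resulting file is what "mactime -b body.txt" or Plaso's mactime parser consume; keeping the timeline in this plain pipe-delimited form rather than a custom layout is what makes the import step trivial.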

Disclaimer

This tool is intended for authorized incident response and forensic investigation only. Always obtain proper written authorization before running it on any system.
