Skip to content
/ nix_dfir Public

Perform post-mortem Linux baselining and forensic analysis.

3 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

glowbase/nix_dfir

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

78 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
nixdfir
nixdfir
 
 

Repository files navigation

Nix DFIR

Mount forensic disk images and perform baselining and post-mortem analysis on Linux machines.

Use

sudo ./baseline.sh -m <image_file> /mnt/<mount_point> <time_zone>

Example Usage

sudo ./baseline.sh /mnt/web_server
sudo ./baseline.sh /mnt/web_server UTC
sudo ./baseline.sh -m Webserver.E01 /mnt/web_server
sudo ./baseline.sh -m Webserver.E01 /mnt/web_server UTC
  • /mnt/<mount_point> - Specify the target filesystem location that has been mounted from a dead disk image.
  • <time_zone> - Specify a timezone for command based output (log based output will still be in the timezone of the target machine). By default this is set to the same as the target machine.
  • -m <image_file> - Specify an image file format (.E01, .dd, .img) to automatically mount to the mountpoint specified in `/mnt/<mount_point

About

Perform post-mortem Linux baselining and forensic analysis.

Topics

linux analysis post-mortem forensic

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

5 forks
Report repository

Contributors 5

Languages