Linux Proof Acquisition Framework (LEAF) acquires artifacts and proof from Linux EXT4 methods, accepting person enter to customise the performance of the software for simpler scalability. Providing a number of modules and parameters as enter, LEAF is ready to use sensible evaluation to extract Linux artifacts and output to an ISO picture file.
Utilization
LEAF_master.py [-h] [-i INPUT [INPUT ...]] [-o OUTPUT] [-u USERS [USERS ...]] [-c CATEGORIES [CATEGORIES ...]] [-v]
[-s] [-g [GET_FILE_BY_OWNER [GET_FILE_BY_OWNER ...]]] [-y [YARA [YARA ...]]]
[-yr [YARA_RECURSIVE [YARA_RECURSIVE ...]]] [-yd [YARA_DESTINATIONS [YARA_DESTINATIONS...]]]LEAF (Linux Proof Acquisition Framework) - Cartware
____ _________ ___________ __________
/ / / _____/ / ____ / / ______/
/ / / /____ / /___/ / / /____
/ / / _____/ / ____ / / _____/
/ /_____ / /_____ / / / / / /
/_________/ /_________/ /___/ /___/ /___/ v2.0
Course of Ubuntu 20.04/Debian file methods for forensic artifacts, extract essential knowledge, and export data to an ISO9660 file. Appropriate with EXT4 file system and customary places on Ubuntu 20.04 working system. See assist web page for extra data. Recommended utilization: Don’t run from LEAF/ listing
Parameters
optionally available arguments:-h, --help present this assist message and exit
-i INPUT [INPUT ...], --input INPUT [INPUT ...]
Extra Enter places. Separate a number of enter recordsdata with areas
Default: /residence/user1/Desktop/LEAF-3/target_locations
-o OUTPUT, --output OUTPUT
Output listing location
Default: ./LEAF_output
-u USERS [USERS ...], --users USERS [USERS ...]
Customers to incorporate in output, separated by areas (i.e. -u alice bob root).
Customers not current in /and so forth/passwd will probably be eliminated
Default: All non-service customers in /and so forth/passwd
-c CATEGORIES [CATEGORIES ...], --categories CATEGORIES [CATEGORIES ...]< br/> Specific artifact classes to incorporate throughout acquisition.
Classes should be separated by house, (i.e. -c community customers apache).
Full Listing of built-in classes consists of:
APPLICATIONS, EXECUTIONS, LOGS, MISC, NETWORK, SHELL, STARTUP, SERVICES, SYSTEM, TRASH, USERS
Classes are suitable with user-inputted recordsdata so long as they observe the notation:
# CATEGORY
/location1
/location2
.../location[n]
# END CATEGORY
Default: "all"
-v, --verbose Output in verbose mode, (might battle with progress bar)
Default: False
-s, --save Save the uncooked proof listing
Default: False
-g [GET_ OWNERSHIP [GET_OWNERSHIP ...]], --get_ownership [GET_OWNERSHIP [GET_OWNERSHIP ...]]
Get recordsdata and directories owned by included customers.
Enabling this may improve parsing time.
Use -g alone to parse from / root listing.
Embody paths after -g to specify goal places (i.e. "-g /and so forth /residence/person/Downloads/
Default: Disabled
-y [YARA [YARA ...]], --yara [YARA [YARA ...]]
Configure Yara IOC scanning. Choose -y alone to allow Yara scanning.
Specify '-y /path/to/yara/' to specify customized enter location.
For a number of inputs, use areas between gadgets,
i.e. '-y rulefile1.yar rulefile2.yara rule_dir/'
All yara recordsdata m ust have ".yar" or ".yara" extension.
Default: None
-yr [YARA_RECURSIVE [YARA_RECURSIVE ...]], --yara_recursive [YARA_RECURSIVE [YARA_RECURSIVE ...]]
Configure Recursive Yara IOC scanning.
For a number of inputs, use areas between gadgets,
i.e. '-yr rulefile1.yar rulefile2.yara rule_dir/'.
Directories on this listing will probably be scanned recursively.
Can be utilized together with the traditional -y flag,
however intersecting directories will take recursive precedence.
Default: None
-yd [YARA_DESTINATIONS [YARA_DESTINATIONS...]], --yara_destinations [YARA_DESTINATIONS [YARA_DESTINATIONS...]]
Vacation spot to run yara recordsdata towards.
Separate a number of targets with an area.(i.e. /residence/alice/ /bin/star/)
Default: All person directories
Instance Usages:
To make use of default arguments [this will use default input file (./target_locations), users (all users), categories (all categories), and output location (./LEAF_output/). Cloned data will not be stored in a local directory, verbose mode is off, and yara scanning is disabled]:
LEAF_main.pyAll arguments:
LEAF_main.py -i /residence/alice/Desktop/customfile1.txt -o /residence/alice/Desktop/ExampleOutput/ -c logs startup providers apache -u alice bob charlie -s -v -y /path/to/yara_rule1.yar -yr /path2/to/yara_rules/ -yd /residence/frank -g /and so forth/
To specify usernames, classes, and yara recordsdata:
LEAF_main.py -u alice bob charlie -c purposes executions customers -y /residence/alice/Desktop/yara1.yar /residence/alice/Desktop/yara2.yar
To incorporate customized enter file(s) and classes:
LEAF_main.py -i /residence/alice/Desktop/customfile1.txt /residence/alice/Desktop/customfile2.t xt -c apache xampp
- Set up Python necessities:
- Python 3 (ideally 3.8 or greater) (
apt set up python3) - pip 3 (
apt set up pip3)
- Python 3 (ideally 3.8 or greater) (
- Obtain required modules
- Set up modules from necessities.txt (
pip3 set up -r necessities.txt) - In the event you get an set up error, attempt
sudo -H pip3 set up -r necessities.txt
- Set up modules from necessities.txt (
- Run the script
sudo python3 LEAF_master.pywith optionally available arguments
