Forensics Automation Skill

Automated collection and archival of Linux system forensic data.

Quick Start

Prerequisites

Google Drive API setup required once:

CODEBLOCK0

Basic Usage

Generate forensic report:
CODEBLOCK1

Upload to Google Drive:
CODEBLOCK2

One-command: Generate + Upload:
CODEBLOCK3

Send forensic data via email:
CODEBLOCK4

What Gets Collected

Each forensic report includes:

• - System Info: Kernel version, hostname, OS details
• Users & Groups: All user accounts, sudoers configuration
• Network: IP addresses, routes, listening ports, connections
• Packages: Installed software (apt/rpm)
• Processes: Full process listing with arguments
• System Logs: dmesg, auth logs, system events
• Cron Jobs: Scheduled tasks across all users
• File Integrity: Recently modified files (last 7 days)
• Disk Usage: Storage breakdown

Script Details

linux_forensics.sh

Core forensic collection script.

CODEBLOCK5

What it does:

• - Gathers comprehensive system information
• Runs read-only commands (safe to execute)
• Outputs to timestamped file for easy tracking
• Minimal dependencies (bash, standard Unix tools)

forensics_and_upload.sh

Orchestration script: Generate report + Upload to Drive in one command.

CODEBLOCK6

What it does:

• - Runs linux_forensics.sh automatically
• Gets most recent report
• Waits 2 seconds (rate limiting)
• Uploads to Google Drive
• Returns Drive link

upload_to_drive.py

Upload any file to Google Drive using authenticated session.

CODEBLOCK7

Returns:

• - File name on Drive
• File ID (for API access)
• Shareable link

send_email.py

Send emails via Gmail API.

CODEBLOCK8

Integration Examples

Security Operations Center (SOC)

Automate daily forensic snapshots:

CODEBLOCK9

Incident Response

Rapid forensic collection during incident:

CODEBLOCK10

Compliance & Auditing

Monthly forensic audits:

CODEBLOCK11

Setup & Requirements

1. Google Drive API Setup (One-time)

CODEBLOCK12

2. First-time Authorization

CODEBLOCK13

3. Verify Setup

CODEBLOCK14

Error Handling

Common Issues

"No tokens found"
CODEBLOCK15

"HTTP Error 400: Bad Request"
CODEBLOCK16

"Permission denied" on /var/log
CODEBLOCK17

Rate limiting from Google APIs
CODEBLOCK18

Performance Notes

• - Forensic collection: ~1-5 seconds (depends on system load)
• Report size: ~250-400KB typical
• Drive upload: ~2-5 seconds (depends on network)
• Email send: ~1-2 seconds
• Total one-command: ~10-15 seconds

Security Considerations

1. 1. OAuth tokens stored in ~/.gmail_tokens.json — keep secure (600 permissions)
2. Refresh tokens enable long-term automation without re-auth
3. Scripts run read-only — no system modification
4. Drive links are shareable — consider folder permissions

Customization

Extend forensic data collection

Edit linux_forensics.sh to add custom commands:

CODEBLOCK19

Change upload destination

Specify Google Drive folder:

CODEBLOCK20

Batch operations

Upload multiple reports:

CODEBLOCK21

References

• - Google Drive API Documentation
• Linux forensics best practices
• OAuth 2.0 for Desktop Apps