Collect Linux Evidence for Forensics.
This script collect evidence on a Linux system.
- work on Debian-Based Linux Distributions
- work on RedHat-Based Linux Distributions
- work on minimal systems like containers (tested on docker)
- work offline, in chroot or other method to isolate your Linux
This script generate a full TAR archive with evidences from the live linux system, you should push/pull it on your own system for investigation.
This package require:
- bash (version >= 4)
- basic commands (cat, cp find, grep, awk...)
- root privileges
curl -O https://raw.githubusercontent.com/mauricelambert/CLEF/refs/heads/main/CLEF.shwget https://raw.githubusercontent.com/mauricelambert/CLEF/refs/heads/main/CLEF.shgit clone https://github.com/mauricelambert/CLEF.git
cd CLEFsudo bash CLEF.sh -f# Help
bash CLEF.sh -h
bash CLEF.sh --help
# Full collect
bash CLEF.sh
# OR
chmod +x CLEF.sh
./CLEF.sh
# Fast mode
bash CLEF.sh -f
bash CLEF.sh --fast
# No color mode
bash CLEF.sh -c
bash CLEF.sh --no-color
# No logs
bash CLEF.sh -l
bash CLEF.sh --no-logs
# No debug (interactive mode for debugging)
bash CLEF.sh -d
bash CLEF.sh --no-debug~# bash CLEF --help
Description: This script collects maximum evidence for forensic investigations.
USAGES: CLEF.sh [-h] [-c] [-d] [-l] [-f]
-h/--help: this help message
-c/--no-color: disabled colors (useful for output redirection)
-d/--no-debug: disabled breakpoints (interactive mode for debugging)
-l/--no-logs: no logs
-f/--fast: fast mode (no files analysis and reporting)
Licensed under the GPL, version 3.