GitHunt
4X

4xrhd/IRkit

IR-Kit is a comprehensive bash-based incident response and forensic analysis tool designed for rapid evidence collection during cybersecurity incidents. This tool automates the process of gathering critical system artifacts for forensic investigation and generates detailed HTML reports with PDF export capability.

attackbashforesicsincident-responseirlinuxproject

๐Ÿ” IR-Kit - Incident Response & Forensic Toolkit

๐Ÿ“š Project Overview

IR-Kit is a comprehensive bash-based incident response and forensic analysis tool designed for rapid evidence collection during cybersecurity incidents. This tool automates the process of gathering critical system artifacts for forensic investigation and generates detailed HTML reports with PDF export capability.

๐ŸŽฏ Project Details

  • University: [University Of Information Technology And Sciences(UITS)]
  • Course: Linux Programming Lab
  • Project Type: Bash Scripting & Digital Forensics
  • Developed By: Md Azhar Uddin & Sadia Akter Liza

๐Ÿ‘จโ€๐Ÿ’ป Development Team

Name Role Contribution
Md Azhar Uddin Project Lead Core architecture, module development, reporting system
Sadia Akter Liza Co-developer Evidence collection modules, utility functions,UX-UI, Testing

๐Ÿš€ Features

๐Ÿ” Evidence Collection Modules

  • Process Analysis - Running processes and memory usage
  • Network Information - Active connections, IP configuration, firewall rules
  • User Account Analysis - User/group information, login history
  • Storage Analysis - Mount points and block devices
  • Shell History - User command history collection
  • File System Analysis - Recently modified files
  • Scheduled Tasks - Cron job analysis
  • System Logs - Auth logs, system messages, syslog
  • Suspicious Activity - SUID binaries, executable files in /tmp

๐Ÿ“Š Reporting Features

  • HTML Report Generation - Beautiful, responsive web report
  • PDF Export - One-click export to PDF format
  • Executive Summary - Key metrics and findings
  • Integrity Verification - SHA-256 hashing of all evidence
  • Interactive Interface - Modern UI with hover effects

๐Ÿ› ๏ธ Installation & Setup

Prerequisites

# Ensure required tools are available
sudo apt-get update
sudo apt-get install coreutils findutils tar gzip

Installation Steps

  1. Clone or Download the Project

    git clone [https://github.com/4xrhd/IRkit]
cd ir-kit

  2. Make Scripts Executable

    chmod +x irkit.sh
chmod +x generate_report.sh
chmod +x modules/*.sh
chmod +x utils.sh

  3. Review Configuration

    nano config.conf

    Adjust settings as needed:

    MONITOR_PATH="/var /etc /home"
LOOKBACK_MINUTES=240
HASH_ALGO=sha256sum
COLOR_OUTPUT=true
LOG_LEVEL=INFO

๐ŸŽฎ Usage

Basic Execution

./irkit.sh

Expected Output

[INFO] Starting IR-Kit โ€” output: /path/to/outputs/IRKIT_20231201_143022
[INFO] Running module: processes
[INFO] Running module: network
[INFO] Running module: users
...
[INFO] Generating HTML report
[INFO] Compressing evidence to outputs/IRKIT_20231201_143022.tar.gz
[INFO] IR-Kit completed. Archive: outputs/IRKIT_20231201_143022.tar.gz
[INFO] HTML Report: outputs/IRKIT_20231201_143022/report.html

Output Structure

outputs/
โ””โ”€โ”€ IRKIT_20231201_143022/
    โ”œโ”€โ”€ report.html                 # ๐Ÿ“Š Main HTML report
    โ”œโ”€โ”€ EVIDENCE_SHA256.txt         # ๐Ÿ”’ Integrity hashes
    โ”œโ”€โ”€ running_processes.txt       # โšก Process information
    โ”œโ”€โ”€ network_connections.txt     # ๐ŸŒ Network data
    โ”œโ”€โ”€ passwd_entries.txt          # ๐Ÿ‘ฅ User accounts
    โ”œโ”€โ”€ mounts.txt                  # ๐Ÿ’พ Storage info
    โ”œโ”€โ”€ history_*.txt               # ๐Ÿ“œ Shell histories
    โ”œโ”€โ”€ modified_files_*.txt        # ๐Ÿ“ File changes
    โ”œโ”€โ”€ user_cron.txt               # โฐ Scheduled tasks
    โ”œโ”€โ”€ suid_binaries.txt           # ๐Ÿšจ Security findings
    โ””โ”€โ”€ [other evidence files...]

๐Ÿ“‹ Module Details

1. Processes Module (processes.sh)

  • Collects running processes sorted by memory usage
  • Output: running_processes.txt

2. Network Module (network.sh)

  • Active network connections using ss or netstat
  • IP configuration and firewall rules
  • Output: network_connections.txt, ip_brief.txt, firewall_rules.txt

3. Users Module (users.sh)

  • User and group information from /etc/passwd and /etc/group
  • Recent login history
  • Output: passwd_entries.txt, group_entries.txt, last_logins.txt

4. History Module (history.sh)

  • Bash history for all users including root
  • Output: history_[username].txt, history_root.txt

5. Suspicious Activity Module (suspicious.sh)

  • SUID binaries for privilege escalation analysis
  • Executable files in temporary directories
  • Output: suid_binaries.txt, tmp_executables.txt

๐Ÿ“Š Report Features

HTML Report Includes:

  • Executive Summary with key metrics
  • Collection Statistics (files collected, sizes, counts)
  • Module Execution Status
  • Evidence File Listing
  • Key Findings Preview (top processes, recent logins)
  • Integrity Verification (SHA-256 hashes)
  • Professional Styling with responsive design

PDF Export:

  • One-click export using html2pdf.js
  • Print-optimized layout
  • Professional formatting for reports

๐Ÿ”ง Configuration Options

config.conf Settings:

# Paths to monitor for modified files
MONITOR_PATH="/var /etc /home"

# Time window for file modifications (minutes)
LOOKBACK_MINUTES=240

# Hashing algorithm for integrity
HASH_ALGO=sha256sum

# Colored console output
COLOR_OUTPUT=true

# Logging verbosity
LOG_LEVEL=INFO

๐ŸŽ“ Educational Value

This project demonstrates:

  • Bash Scripting advanced techniques
  • Digital Forensics evidence collection
  • Incident Response procedures
  • System Administration commands
  • HTML/CSS/JavaScript for reporting
  • Cybersecurity best practices

๐Ÿ“ Academic Considerations

Learning Outcomes:

  1. Understand forensic evidence collection methodologies
  2. Implement automated incident response procedures
  3. Develop comprehensive reporting systems
  4. Practice secure coding and error handling
  5. Create user-friendly interfaces for technical tools

Potential Enhancements for Grading:

  • Additional collection modules
  • Enhanced error handling
  • Database integration for evidence storage
  • Timeline analysis features
  • Integration with other forensic tools

โš ๏ธ Important Notes

  • Only use on systems you own or have explicit permission to test
  • Comply with local laws and regulations
  • Use responsibly in academic environments

Limitations:

  • Requires root privileges for complete evidence collection
  • Some modules may not work on all Linux distributions
  • Designed for educational purposes

๐Ÿ› Troubleshooting

Common Issues:

  1. Permission Denied Errors

    sudo ./irkit.sh

  2. Missing Dependencies

    # Ubuntu/Debian
sudo apt-get install coreutils findutils net-tools

  3. Script Not Executable

    chmod +x *.sh
chmod +x modules/*.sh

๐Ÿ“ž Support

For questions or issues related to this university project:

  • Contact: Md. Azhar Uddin & Sadia Akter Liza

  • Course Instructor: Md. Tasnin Tanvir ~ Lecturer(UITS)~ B.Sc in CSE, Khulna University of Engineering & Technology (KUET)

  • Course Instructor: Md. Azharul Karim Chowdhury Anik ~Lecturer ~B.Sc. (Engg.) in CSE, Shahjalal University of Science and Technology (SUST)

  • Submission Date: [18-November-2025]

๐Ÿ“„ License

This project is developed for educational purposes as part of university coursework. All rights reserved by the developers.

๐Ÿ”’ Developed for Academic Excellence in Linux Programming
Md Azhar Uddin & Sadia Akter Liza - [University Of Information Technology And Sciences] - [2025]

Languages

Shell100.0%

Contributors

4X
Other
Created November 15, 2025
Updated November 19, 2025