Conceptual bash-shell tracking and logging.
Project description
bashproof
This little project is just a conceptual work used for my thesis about documentation of forensic processes.
It's purpose is to log the input/output of the bash terminal in a readable and evidentiary way. Forensic staff would be able to prove any of their actions when confronted with digital evidence.
However, this project is just a CONCEPT - it shows how one step of documentation COULD be done - or moreover, what kind of output would be useful - as a small part of the overall forensic process. One problem is that the script does not directly start an interactive shell in the traditional sense, but simulates one by creating a custom shell-like environment. A sub-process is used to pipe the input to bash and receive stdout/stderr accordingly. Because of this, you cannot use auto-completion. Also, I have not tested complex input.
There is the Linux script utility, but it lacks good timestamping and readability.
Installation
pip install pybashproof
Usage
- Run with
bashproof - Stores log in your home dir
bashproof.log - Leave Session with
CTRL+C - Close Case with
bashproof --close- Renames to
bashproof_closed.log - Creates
bashproof_sha256.logwith SHA forbashproof.log
- Renames to
Example log
[2024-12-09 11:27:01]
[2024-12-09 11:27:01] ----------------------------------
[2024-12-09 11:27:01] STARTED SHELL-TRACKING
[2024-12-09 11:27:01] ----------------------------------
[2024-12-09 11:27:01] HOST: somehost; USER: someuser
[2024-12-09 11:27:01] ----------------------------------
[2024-12-09 11:27:01]
[2024-12-09 11:27:09] --> [ stdIN] lsblk
[2024-12-09 11:27:09] ────────────────────────────────────────────────────
[2024-12-09 11:27:09] <-- [stdOUT] NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
[2024-12-09 11:27:09] <-- [stdOUT] device0 259:0 0 XXXXXX 0 disk
[2024-12-09 11:27:09] <-- [stdOUT] ├─device0p1 259:1 0 XXXM 0 part /boot/efi
[2024-12-09 11:27:09] <-- [stdOUT] ├─device0p2 259:2 0 XXXXXG 0 part /var/log
[2024-12-09 11:27:09] <-- [stdOUT] │ /home
[2024-12-09 11:27:09] <-- [stdOUT] │ /var/cache
[2024-12-09 11:27:09] <-- [stdOUT] │ /
[2024-12-09 11:27:09] <-- [stdOUT] ├─device0p3 259:3 0 XXM 0 part
[2024-12-09 11:27:09] <-- [stdOUT] └─device0p4 259:4 0 XXXXXG 0 part
[2024-12-09 11:27:09] ────────────────────────────────────────────────────
[2024-12-09 11:27:25] --> [ stdIN] wget google.com
[2024-12-09 11:27:25] ────────────────────────────────────────────────────
[2024-12-09 11:27:25] <-- [stdERR] --2024-12-09 11:27:25-- http://google.com/
[2024-12-09 11:27:25] <-- [stdERR] Resolving google.com (google.com)... 0000:0000:0000:000::0000, 172.217.16.174
[2024-12-09 11:27:25] <-- [stdERR] Connecting to google.com (google.com)|0000:0000:0000:000::0000|:80... connected.
[2024-12-09 11:27:25] <-- [stdERR] HTTP request sent, awaiting response... 301 Moved Permanently
[2024-12-09 11:27:25] <-- [stdERR] Location: http://www.google.com/ [following]
[2024-12-09 11:27:25] <-- [stdERR] --2024-12-09 11:27:25-- http://www.google.com/
[2024-12-09 11:27:25] <-- [stdERR] Resolving www.google.com (www.google.com)... 0000:0000:0000:000::0000, 142.251.37.4
[2024-12-09 11:27:25] <-- [stdERR] Connecting to www.google.com (www.google.com)|0000:0000:0000:000::0000|:80... connected.
[2024-12-09 11:27:25] <-- [stdERR] HTTP request sent, awaiting response... 200 OK
[2024-12-09 11:27:25] <-- [stdERR] Length: unspecified [text/html]
[2024-12-09 11:27:25] <-- [stdERR] Saving to: ‘index.html’
[2024-12-09 11:27:25] <-- [stdERR]
[2024-12-09 11:27:25] <-- [stdERR] 0K .......... ......... 376K=0,05s
[2024-12-09 11:27:25] <-- [stdERR]
[2024-12-09 11:27:25] <-- [stdERR] 2024-12-09 11:27:25 (376 KB/s) - ‘index.html’ saved [19563]
[2024-12-09 11:27:25] <-- [stdERR]
[2024-12-09 11:27:25] ────────────────────────────────────────────────────
[2024-12-09 11:27:30]
[2024-12-09 11:27:30] ----------------------------------
[2024-12-09 11:27:30] TERMINATED SHELL-TRACKING
[2024-12-09 11:27:30] ----------------------------------
[2024-12-09 11:27:32] ----------------------------------
[2024-12-09 11:27:32] ------------ CASE DONE -----------
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pybashproof-0.1.2.tar.gz.
File metadata
- Download URL: pybashproof-0.1.2.tar.gz
- Upload date:
- Size: 5.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
45f30fbca5ff741f4552618802508ed40d278722babb5f78c21d5586c630b8af
|
|
| MD5 |
41c7122e46e36345aa2ef262b141a90c
|
|
| BLAKE2b-256 |
a8c9d64cc668b28294c1e277fb627be6f5f7978550dbe820b33d723c3bbb5ed1
|
File details
Details for the file pybashproof-0.1.2-py3-none-any.whl.
File metadata
- Download URL: pybashproof-0.1.2-py3-none-any.whl
- Upload date:
- Size: 6.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d86794f3b3515b7803b8d0c6086c913f021b04fcfe7ff5ff79c35ce82207680c
|
|
| MD5 |
718dea39b0c79d1e63ddc5f97e2f3120
|
|
| BLAKE2b-256 |
c3dff304ab0dcbe83b58a6be54314ac562594c51d35c871b03138aa1623ada56
|
