GaryCollinsAI-Sec/Automated-Incident-Response-Triage-Tool

GitHub: GaryCollinsAI-Sec/Automated-Incident-Response-Triage-Tool


🛡️ Automated Incident Response Triage Tool

Linux Forensics • Threat Hunting • Volatile Memory Analysis • Incident Response


📌 Overview

The Automated Incident Response Triage Tool is a lightweight Linux forensic triage framework engineered for rapid live-system investigation during active security incidents.

Built in Bash and designed for volatile artifact acquisition, the framework automates the early stages of host-based incident response by collecting high-value forensic telemetry before evidence can be altered, deleted, or lost from memory.

The project focuses heavily on:

  • Live host forensic collection
  • Memory-resident threat detection
  • Linux process inspection
  • Persistence auditing
  • Security log preservation
  • Adversary emulation and detection validation

The tool was developed and validated inside an isolated Linux security lab environment using controlled, non-destructive adversary simulation techniques.


🚀 Core Features

🔍 Live System Triage

Rapidly collects critical forensic artifacts from a live Linux system to preserve its state before it changes.

Captured Artifacts

  • Active network connections
  • Listening sockets
  • Running process trees
  • Interactive user sessions
  • Authentication history
  • Persistence mechanisms
  • System logs
  • Shell profile modifications

🧠 Volatile Memory Hunting

Implements lightweight memory-hunting logic through Linux kernel process metadata.

Detection Logic Includes

  • Deleted-but-running binaries
  • Execution from volatile directories
  • Suspicious runtime execution paths
  • Memory-resident process indicators

Targeted Directories

  • /tmp
  • /dev/shm

⚔️ Adversary Simulation

A controlled adversary emulation workflow was used to validate runtime detection capabilities. By executing a safe standalone utility, masking its path, and unlinking the disk file while active in RAM, the framework successfully identified:

  • Masked process execution
  • Decoupled runtime binaries
  • Deleted memory-resident executables
  • Suspicious active execution states

🛠️ Technical Skills Demonstrated

  • Digital Forensics: Live Linux artifact acquisition and volatile evidence preservation
  • Threat Hunting: Detection of stealth execution techniques and memory-resident binaries
  • Bash Scripting: Automated forensic triage workflows and evidence packaging
  • Linux Internals: Process inspection using the /proc filesystem
  • Adversary Emulation: Simulated, non-destructive defense-evasion validation testing
  • Security Operations: SOC-oriented incident investigation workflows
  • System Administration: Linux auditing, persistence analysis, and log preservation
  • Virtualization: Hardened, network-isolated lab environment deployment using VirtualBox

🧩 Architecture Overview

Live Host
   ↓
Artifact Collection
   ↓
Process & Memory Analysis
   ↓
Persistence Enumeration
   ↓
Log Preservation
   ↓
Evidence Packaging

📂 Artifact Collection Categories

  • Network Auditing: Enumerates sockets, listeners, and active connections
  • Process Analysis: Captures process trees and suspicious runtime behavior
  • Memory Hunting: Detects deleted binaries still executing in memory via ProcFS
  • User Auditing: Reviews active sessions and login history
  • Persistence Analysis: Identifies cron jobs and shell persistence hooks
  • Log Preservation: Preserves critical authentication and system logs
  • Packaging: Compresses forensic artifacts into secure investigation bundles

💻 Sample Detection Logic

Deleted Binary Detection

#!/bin/bash

echo "[!] Hunting for deleted binaries executing in memory..."

# /proc/<pid>/exe is a symlink to the running binary. When that file has been
# unlinked from disk, the kernel appends " (deleted)" to the link target.
ls -al /proc/*/exe 2>/dev/null | grep '(deleted)'

This logic identifies processes that were executed and later removed from disk while remaining active in memory.

These behaviors are commonly associated with:

  • Fileless malware techniques
  • Defense evasion
  • Runtime-only payload execution
  • Anti-forensics activity
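The one-liner above works, but in practice an analyst wants the finding tied to a PID and process name, and wants the same pass to cover execution from volatile directories. The following is an added example, not the project's own code: it walks /proc/<pid>/exe with readlink (not readlink -f, so the " (deleted)" suffix survives), flags both conditions, and takes the proc root as a parameter so the logic can be exercised against a constructed fixture tree. The function name, the VOLATILE_DIRS list and the /var/tmp entry are my assumptions.

```shell
#!/bin/bash
# Added example (not the project's own code): structured hunt over /proc for
# binaries that were unlinked from disk while still running, and for processes
# executing out of volatile directories. The proc root is a parameter so the
# same logic can be run against a constructed fixture tree for testing.

# Volatile execution locations. /tmp and /dev/shm come from the README;
# /var/tmp is an added assumption.
VOLATILE_DIRS="/tmp /dev/shm /var/tmp"

# hunt_exe_links [PROC_ROOT]
# Prints one tab-separated line per finding: PID, comm, flags, exe target.
# Flags are DELETED (kernel appended " (deleted)" to the link target) and/or
# VOLATILE_DIR (target lives under one of VOLATILE_DIRS).
hunt_exe_links() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        # Kernel threads have no exe link; skip anything that is not a symlink.
        [ -L "$pid_dir/exe" ] || continue
        pid="${pid_dir##*/}"
        # Raw link target (not -f): this keeps the " (deleted)" suffix intact.
        # readlink fails with EACCES/ENOENT for processes we may not inspect.
        target=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        flags=""
        case "$target" in
            *" (deleted)") flags="DELETED" ;;
        esac
        for dir in $VOLATILE_DIRS; do
            case "$target" in
                "$dir"/*) flags="${flags:+$flags,}VOLATILE_DIR" ;;
            esac
        done
        [ -n "$flags" ] || continue
        comm="?"
        if [ -r "$pid_dir/comm" ]; then
            comm=$(cat "$pid_dir/comm")
        fi
        printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$flags" "$target"
    done
}

# Stand-alone use: bash hunt_exe_links.sh [/proc]
if [ "$#" -gt 0 ]; then
    hunt_exe_links "$1"
fi
```

Run as root against the live /proc to see every process; unprivileged runs silently skip PIDs whose exe link cannot be read, which is itself worth recording in the triage notes. A process flagged DELETED with a target under /tmp or /dev/shm matches the "decoupled runtime binary" case the adversary simulation section describes.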

🧪 Example Triage Workflow

#!/bin/bash
#
# Live Linux Incident Response Triage Tool
# Purpose: Gathers volatile forensic data from a suspected compromised host.
# Note: Must be run with sudo/root privileges.

# Ensure script is running as root
if [ "$EUID" -ne 0 ]; then
    echo "[-] Error: This script must be run as root to gather forensic artifacts." >&2
    exit 1
fi

# Setup Output Directories
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
HOSTNAME=$(hostname)
OUT_DIR="/tmp/triage_${HOSTNAME}_${TIMESTAMP}"
mkdir -p "$OUT_DIR"

echo "[+] Starting Triage on $HOSTNAME at $(date)"
echo "[+] Artifacts will be saved to: $OUT_DIR"
echo "--------------------------------------------------"

# --- 1. NETWORK AUDITING ---
audit_network() {
    echo "[*] Collecting Network Sockets..."
    # Get active listening and established connections with PIDs/Process Names
    ss -tulpn > "$OUT_DIR/net_listening.txt" 2>&1
    ss -atp > "$OUT_DIR/net_all_connections.txt" 2>&1
}

# --- 2. PROCESS ANALYSIS ---
audit_processes() {
    echo "[*] Capturing Running Processes..."
    ps auxf > "$OUT_DIR/process_tree.txt"

    # Flag processes running from temporary/volatile directories (Common for malware)
    echo "[!] Checking for suspicious execution paths (/tmp, /dev/shm, /run)..."
    ls -al /proc/*/exe 2>/dev/null | grep -E '(/tmp|/dev/shm|/run)' > "$OUT_DIR/suspicious_proc_paths.txt"
}

# --- 3. PERSISTENCE CHECKING ---
audit_persistence() {
    echo "[*] Auditing Scheduled Tasks and Backdoors..."
    # Dump all user crontabs
    for user in $(cut -f1 -d: /etc/passwd); do
        crontab -u "$user" -l > "$OUT_DIR/cron_$user.txt" 2>/dev/null
    done

    # Grab system-wide cron locations
    ls -la /etc/cron* /etc/anacrontab > "$OUT_DIR/system_cron_list.txt" 2>&1

    # Inspect user shell profiles for suspicious additions (e.g., reverse shells)
    # Note: under sudo, ~ expands to root's home directory, not the invoking user's.
    tail -n 20 /etc/profile /etc/bash.bashrc ~/.bashrc ~/.bash_profile > "$OUT_DIR/shell_profiles_tail.txt" 2>/dev/null
}

# --- 4. LOG PRESERVATION ---
preserve_logs() {
    echo "[*] Preserving Security and System Logs..."
    # Copy the tail end of critical security logs (auth.log/syslog on Debian-based
    # systems, secure on RHEL-based systems; missing files are silently skipped)
    tail -n 500 /var/log/auth.log > "$OUT_DIR/auth_log_tail.txt" 2>/dev/null
    tail -n 500 /var/log/secure > "$OUT_DIR/secure_log_tail.txt" 2>/dev/null
    tail -n 500 /var/log/syslog > "$OUT_DIR/syslog_tail.txt" 2>/dev/null
}

# --- 5. PACKAGING ---
package_artifacts() {
    echo "--------------------------------------------------"
    echo "[*] Packaging artifacts..."
    TAR_FILE="/tmp/triage_${HOSTNAME}_${TIMESTAMP}.tar.gz"
    tar -czf "$TAR_FILE" -C "/tmp" "triage_${HOSTNAME}_${TIMESTAMP}"

    # Clean up the uncompressed directory to keep host tidy
    rm -rf "$OUT_DIR"
    echo "[+] Triage Complete! Investigation bundle saved to: $TAR_FILE"
}

# Run execution sequence
audit_network
audit_processes
audit_persistence
preserve_logs
package_artifacts

Output Example

/tmp/triage_test-VirtualBox_20260520_203552.tar.gz

Generated bundles contain structured forensic artifacts for offline investigation and analyst review.
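A bundle is only as useful as the analyst's ability to show it was not altered after collection. The following is an added example, not the project's own code: it extends the packaging step with a SHA-256 manifest written inside the output directory, a detached hash of the finished bundle, and a verification function that re-checks both. It assumes GNU coreutils (sha256sum, sort -z, xargs -0) and tar, as found on typical Linux hosts; the function names and the MANIFEST.sha256 filename are my choices.

```shell
#!/bin/bash
# Added example (not the project's own code): wrap the evidence packaging step
# with a SHA-256 manifest so an analyst can later show that the collected
# artifacts were not altered after acquisition. Assumes GNU coreutils
# (sha256sum, sort -z, xargs -0) and tar, as found on typical Linux hosts.

# package_with_manifest OUT_DIR
# Writes OUT_DIR/MANIFEST.sha256 (one line per artifact file), creates
# OUT_DIR.tar.gz and a detached OUT_DIR.tar.gz.sha256, and prints the bundle
# path. Returns non-zero if any step fails.
package_with_manifest() {
    out_dir="$1"
    bundle="${out_dir}.tar.gz"
    # The redirect creates the manifest before find runs, so exclude it
    # from the file list explicitly.
    ( cd "$out_dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum ) > "$out_dir/MANIFEST.sha256" || return 1
    tar -czf "$bundle" -C "$(dirname "$out_dir")" "$(basename "$out_dir")" || return 1
    # Detached hash of the whole bundle; record this value out of band
    # (case notes / ticket) at collection time.
    sha256sum "$bundle" > "${bundle}.sha256" || return 1
    printf '%s\n' "$bundle"
}

# verify_bundle BUNDLE
# Checks the detached bundle hash, then unpacks to a scratch directory and
# re-checks every artifact against the internal manifest. Returns 0 only if
# both checks pass.
verify_bundle() {
    bundle="$1"
    sha256sum -c --status "${bundle}.sha256" || return 1
    work=$(mktemp -d) || return 1
    rc=1
    if tar -xzf "$bundle" -C "$work"; then
        inner=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
        if ( cd "$inner" && sha256sum -c --status MANIFEST.sha256 ); then
            rc=0
        fi
    fi
    rm -rf "$work"
    return "$rc"
}

# Stand-alone use: bash package_verify.sh /tmp/triage_<host>_<timestamp>
if [ "$#" -gt 0 ]; then
    b=$(package_with_manifest "$1") && verify_bundle "$b" && echo "[+] Verified bundle: $b"
fi
```

The detached hash protects the bundle in transit; the internal manifest lets an analyst spot which individual artifact changed if the outer check fails after re-packaging. Both values should be copied into the case record at collection time, since a hash stored only beside the bundle can be rewritten along with it.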


📸 Project Evidence

Detection Engine Logic
Detection logic identifying deleted but actively executing binaries through Linux kernel process metadata.

Simulated Threat Detection
Successful interception of a simulated stealth execution technique during adversary emulation testing.

📈 Development Roadmap

✅ Phase 1 — Completed

  • Built core forensic collection framework
  • Implemented volatile memory hunting engine
  • Added deleted-binary detection logic
  • Validated runtime detection against non-destructive adversary simulation
  • Implemented evidence packaging workflow

🚧 Phase 2 — Active Development

Artifact Parsing Optimization

Reducing environmental noise and improving analyst signal-to-noise ratio.

SOC/SIEM Integration

Building automated ingestion workflows for SIEM and SOAR platforms.

Automated Response Actions

Researching automated host isolation and enrichment capabilities.


🔐 Technologies Used

  • Linux
  • Bash
  • ProcFS
  • VirtualBox
  • Incident Response
  • Threat Hunting
  • Digital Forensics
  • System Auditing
  • Security Operations

⚠️ Disclaimer

This project was developed strictly for:

  • Educational purposes
  • Defensive security research
  • Incident response training
  • Controlled adversary simulation

All testing was conducted safely inside isolated lab environments. No hazardous or actual malicious code was utilized during development or validation.