IR-Kit is a comprehensive bash-based incident response and forensic analysis tool designed for rapid evidence collection during cybersecurity incidents. This tool automates the process of gathering critical system artifacts for forensic investigation and generates detailed HTML reports with PDF export capability.
- University: [University Of Information Technology And Sciences (UITS)]
- Course: Linux Programming Lab
- Project Type: Bash Scripting & Digital Forensics
- Developed By: Md Azhar Uddin & Sadia Akter Liza
| Name | Role | Contribution |
|---|---|---|
| Md Azhar Uddin | Project Lead | Core architecture, module development, reporting system |
| Sadia Akter Liza | Co-developer | Evidence collection modules, utility functions, UX/UI, testing |
- Process Analysis - Running processes and memory usage
- Network Information - Active connections, IP configuration, firewall rules
- User Account Analysis - User/group information, login history
- Storage Analysis - Mount points and block devices
- Shell History - User command history collection
- File System Analysis - Recently modified files
- Scheduled Tasks - Cron job analysis
- System Logs - Auth logs, system messages, syslog
- Suspicious Activity - SUID binaries, executable files in /tmp
- HTML Report Generation - Beautiful, responsive web report
- PDF Export - One-click export to PDF format
- Executive Summary - Key metrics and findings
- Integrity Verification - SHA-256 hashing of all evidence
- Interactive Interface - Modern UI with hover effects
```bash
# Ensure required tools are available
sudo apt-get update
sudo apt-get install coreutils findutils tar gzip
```
Clone or Download the Project

```bash
git clone https://github.com/4xrhd/IRkit
cd IRkit
```
Make Scripts Executable

```bash
chmod +x irkit.sh
chmod +x generate_report.sh
chmod +x modules/*.sh
chmod +x utils.sh
```
Review Configuration

```bash
nano config.conf
```

Adjust settings as needed:

```bash
MONITOR_PATH="/var /etc /home"
LOOKBACK_MINUTES=240
HASH_ALGO=sha256sum
COLOR_OUTPUT=true
LOG_LEVEL=INFO
```
```bash
./irkit.sh
[INFO] Starting IR-Kit → output: /path/to/outputs/IRKIT_20231201_143022
[INFO] Running module: processes
[INFO] Running module: network
[INFO] Running module: users
...
[INFO] Generating HTML report
[INFO] Compressing evidence to outputs/IRKIT_20231201_143022.tar.gz
[INFO] IR-Kit completed. Archive: outputs/IRKIT_20231201_143022.tar.gz
[INFO] HTML Report: outputs/IRKIT_20231201_143022/report.html
```
```
outputs/
└── IRKIT_20231201_143022/
    ├── report.html              # Main HTML report
    ├── EVIDENCE_SHA256.txt      # Integrity hashes
    ├── running_processes.txt    # Process information
    ├── network_connections.txt  # Network data
    ├── passwd_entries.txt       # User accounts
    ├── mounts.txt               # Storage info
    ├── history_*.txt            # Shell histories
    ├── modified_files_*.txt     # File changes
    ├── user_cron.txt            # Scheduled tasks
    ├── suid_binaries.txt        # Security findings
    └── [other evidence files...]
```
- Process Analysis
  - Collects running processes sorted by memory usage
  - Output: `running_processes.txt`
- Network Information
  - Active network connections using `ss` or `netstat`
  - IP configuration and firewall rules
  - Output: `network_connections.txt`, `ip_brief.txt`, `firewall_rules.txt`
- User Account Analysis
  - User and group information from `/etc/passwd` and `/etc/group`
  - Recent login history
  - Output: `passwd_entries.txt`, `group_entries.txt`, `last_logins.txt`
- Shell History
  - Bash history for all users including root
  - Output: `history_[username].txt`, `history_root.txt`
- Suspicious Activity
  - SUID binaries for privilege escalation analysis
  - Executable files in temporary directories
  - Output: `suid_binaries.txt`, `tmp_executables.txt`
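As an added example (not IR-Kit's own module code), a minimal bash collection module in the style of the modules above: it reads the same config keys (`MONITOR_PATH`, `LOOKBACK_MINUTES`, `HASH_ALGO`), writes `suid_binaries.txt` and a modified-files list, then produces and re-verifies `EVIDENCE_SHA256.txt`. The function names and the `modified_files_all.txt` filename are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not IR-Kit's own code: a minimal collection module that
# follows the config keys and evidence file names described on this page.
set -u

# Defaults mirror config.conf; the environment may override them.
MONITOR_PATH="${MONITOR_PATH:-/var /etc /home}"
LOOKBACK_MINUTES="${LOOKBACK_MINUTES:-240}"
HASH_ALGO="${HASH_ALGO:-sha256sum}"

# Files modified inside the lookback window -> modified_files_all.txt
# (assumed filename). Prints the number of files recorded.
collect_modified_files() {          # $1 = evidence output dir
  local out="$1/modified_files_all.txt"
  # MONITOR_PATH is deliberately unquoted: it is a space-separated list.
  find $MONITOR_PATH -xdev -type f -mmin "-$LOOKBACK_MINUTES" 2>/dev/null \
    | sort > "$out"
  wc -l < "$out" | tr -d ' '
}

# SUID binaries under the monitored paths -> suid_binaries.txt.
# Prints the number of binaries recorded.
collect_suid_binaries() {           # $1 = evidence output dir
  local out="$1/suid_binaries.txt"
  find $MONITOR_PATH -xdev -type f -perm -4000 2>/dev/null | sort > "$out"
  wc -l < "$out" | tr -d ' '
}

# Hash every evidence file into EVIDENCE_SHA256.txt. The hash list itself
# is excluded so a later verification compares exactly what was collected.
write_integrity_hashes() {          # $1 = evidence output dir
  ( cd "$1" && find . -maxdepth 1 -type f ! -name EVIDENCE_SHA256.txt \
      -exec "$HASH_ALGO" {} + | sort -k2 > EVIDENCE_SHA256.txt )
}

# Succeeds only if every recorded hash still matches; an edited or missing
# evidence file makes it fail, which is the check an analyst runs before
# trusting an extracted archive.
verify_integrity_hashes() {         # $1 = evidence output dir
  ( cd "$1" && "$HASH_ALGO" --status -c EVIDENCE_SHA256.txt )
}
```

Run `verify_integrity_hashes` against an extracted archive before analysis; any change to an evidence file after collection makes it return non-zero.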
- Executive Summary with key metrics
- Collection Statistics (files collected, sizes, counts)
- Module Execution Status
- Evidence File Listing
- Key Findings Preview (top processes, recent logins)
- Integrity Verification (SHA-256 hashes)
- Professional Styling with responsive design
- One-click export using html2pdf.js
- Print-optimized layout
- Professional formatting for reports
```bash
# Paths to monitor for modified files
MONITOR_PATH="/var /etc /home"
# Time window for file modifications (minutes)
LOOKBACK_MINUTES=240
# Hashing algorithm for integrity
HASH_ALGO=sha256sum
# Colored console output
COLOR_OUTPUT=true
# Logging verbosity
LOG_LEVEL=INFO
```

This project demonstrates:
- Bash Scripting advanced techniques
- Digital Forensics evidence collection
- Incident Response procedures
- System Administration commands
- HTML/CSS/JavaScript for reporting
- Cybersecurity best practices
- Understand forensic evidence collection methodologies
- Implement automated incident response procedures
- Develop comprehensive reporting systems
- Practice secure coding and error handling
- Create user-friendly interfaces for technical tools
- Additional collection modules
- Enhanced error handling
- Database integration for evidence storage
- Timeline analysis features
- Integration with other forensic tools
- Only use on systems you own or have explicit permission to test
- Comply with local laws and regulations
- Use responsibly in academic environments
- Requires root privileges for complete evidence collection
- Some modules may not work on all Linux distributions
- Designed for educational purposes
- Permission Denied Errors

  ```bash
  sudo ./irkit.sh
  ```

- Missing Dependencies

  ```bash
  # Ubuntu/Debian
  sudo apt-get install coreutils findutils net-tools
  ```

- Script Not Executable

  ```bash
  chmod +x *.sh
  chmod +x modules/*.sh
  ```
For questions or issues related to this university project:
- Contact: Md. Azhar Uddin & Sadia Akter Liza
- Course Instructor: Md. Tasnin Tanvir ~ Lecturer (UITS) ~ B.Sc. in CSE, Khulna University of Engineering & Technology (KUET)
- Course Instructor: Md. Azharul Karim Chowdhury Anik ~ Lecturer ~ B.Sc. (Engg.) in CSE, Shahjalal University of Science and Technology (SUST)
- Submission Date: [18-November-2025]
This project is developed for educational purposes as part of university coursework. All rights reserved by the developers.
Developed for Academic Excellence in Linux Programming
Md Azhar Uddin & Sadia Akter Liza - [University Of Information Technology And Sciences] - [2025]