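#!/bin/bash
# Quick live-response snapshot of a Linux host.
#
# Collects volatile state (logged-in users, memory, mounts, process table,
# open files, temp-directory listings), the package-update backlog and
# copies of /etc/passwd and /etc/group into /root/forensics_<host>_<ts>,
# then packs that directory into /root/forensics_<host>_<ts>.tar.gz and
# removes the working directory.
#
# Must run as root: it writes under /root and the ps/lsof views are only
# complete for root.  Output contains process arguments and open-file
# tables, so the archive is created owner-only (see umask below).
set -euo pipefail
trap 'exit 1' INT

# Everything created from here on (working dir, files, tarball, hash) is
# mode 0600/0700 so the collected evidence is not world-readable.
umask 077

# UTC timestamp as 20240101T120000Z: strip ':' and '-' from ISO-8601 and
# replace the +0000 offset with Z.
timestamp=$(date -u -Iseconds | sed 's/[:-]//g; s/+0000$/Z/')
hostname=$(hostname)
dir="forensics_${hostname}_${timestamp}"

#######################################
# Run one collector and store its stdout in a file in the working dir.
# A collector that is missing or fails (lsof and apt are not on every
# host) is logged to collect-errors instead of aborting the whole run
# under set -e, so the remaining artefacts are still gathered.
# Arguments: $1 - output file name; $2.. - command and its arguments
#######################################
collect() {
  local out=$1
  shift
  local rc=0
  "$@" > "$out" 2>> collect-errors || rc=$?
  if (( rc != 0 )); then
    printf '%s: "%s" exited %d\n' "$out" "$*" "$rc" >> collect-errors
  fi
}

cd -- /root
# Plain mkdir (no -p): never merge a new collection into a leftover
# directory from an earlier run.
mkdir -- "$dir"
cd -- "$dir"

printf '%s\n' "$hostname" > hostname
printf '%s\n' "$timestamp" > timestamp
: > collect-errors

# Most volatile data first: sessions, processes and open files change
# fastest, and our own activity perturbs them.
collect w            w
collect ps-auxww     ps auxww
collect lsof         lsof -n
collect free         free
collect mounts       cat /proc/mounts
collect ls-tmp       ls -la /tmp
collect ls-var-tmp   ls -la /var/tmp

# Account and group databases; -p keeps original timestamps/ownership.
cp -p -- /etc/passwd /etc/group .

# Least volatile and slowest; apt also warns on stderr about its CLI
# being unstable, which now lands in collect-errors rather than /dev/null.
collect apt-list-upgradable apt list --upgradable

cd ..
tar -czpf "$dir.tar.gz" -- "$dir"

# Record a digest of the archive for chain of custody; sha256sum is
# coreutils but guard anyway so its absence does not lose the tarball.
if command -v sha256sum > /dev/null; then
  sha256sum -- "$dir.tar.gz" > "$dir.tar.gz.sha256"
fi

# Only remove the working directory once the archive exists; if anything
# above failed, set -e has already left the partial collection in place.
rm -rf -- "${dir:?}"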