About Emperor

Emperor (inspired by Kestrel) is a DFIR script designed to pull critical forensic artifacts from a target during IR.

Usage

Download Emperor.sh and run via the command line:

sudo bash ./Emperor.sh

Features

Emperor collects the following artifacts.

    [+] sysctl + Kernel Information
    [+] Running Processes & Resource Usage Data
    [+] Full File System Enumeration
    [+] Firewall rules
    [+] Active connections
    [+] Processes & PIDs / Command Lines
    [+] Installed Packages
    [+] All Executable, Shell, & Script Files + Hashes
    [+] Mounted Filesystems
    [+] /proc/
    [+] /home/
    [+] /var/
    [+] /etc/
    [+] /usr/
    [+] /tmp/
    [+] Bash History
    [+] zsh History