Nyx

Nyx (goddess of the night in Greek mythology) is a self-contained script for cleaning forensic traces on Linux, macOS, and Windows.

⚠️ DISCLAIMER: Nyx is alpha software.

Join the project community on our server!

Features

The following table details which artifacts are cleaned by each module:

| OS | Module | Artifacts |
|---|---|---|
| Linux | shell | Shell history files (bash, zsh, python, mysql, redis, mongo, docker, IPython, Ruby IRB, PHP, Perl, Erlang, Lua, Julia, Scala, Haskell, Octave, MATLAB, etc.), command histories, recently used files |
| Linux | logs | System logs (auth, syslog, kernel, boot, package managers), web server logs (Apache, Nginx), journald, database logs (MySQL, PostgreSQL, Redis, MongoDB), VPN/proxy logs (OpenVPN, Squid), mail server logs (Postfix, Dovecot), monitoring logs (Elasticsearch, Logstash, Kibana), sysstat |
| Linux | audit | Audit logs, search logs, in-kernel audit rules |
| Linux | temp | Scripts in temp dirs, hidden files, thumbnail caches, core dumps, crash reports, systemd coredumps, trash |
| Linux | network | ARP cache, NetworkManager connections, DHCP leases, database data files (MySQL binary logs, InnoDB logs), VPN configs (OpenVPN, WireGuard), mail server spool files, iptables rules |
| Linux | user | Login records, thumbnails, GTK bookmarks, GNOME Tracker, Zeitgeist, editor traces (VS Code, JetBrains), development tools (Git, SVN, Mercurial, Maven, Gradle, npm, pip, Cargo), cloud services (AWS, Google Cloud, Azure, Kubernetes, Terraform), monitoring tools (Prometheus, Grafana), backup tools (Rsync, Restic, Borg, Duplicity), security tools (Metasploit, Nmap, Aircrack-ng, John the Ripper, Hashcat), messaging/chat (IRC, Weechat, Pidgin, Discord, Slack), virtualization (VMware, VirtualBox, QEMU, Vagrant), network analysis (Wireshark, tcpdump, Ettercap), forensic analysis (Autopsy, Volatility, Sleuth Kit, Foremost), remote access (RDP, VNC, TeamViewer, AnyDesk), system monitoring (htop, Nagios, Zabbix), games/entertainment (Steam, Minecraft, Discord), file sharing (Transmission, qBittorrent, Deluge, aMule), multimedia (VLC, Audacity, GIMP, OBS Studio), productivity (LibreOffice, Thunderbird, Evolution, KeePass) |
| Linux | package | Package caches and logs (APT, YUM, DNF, Pacman) |
| Linux | browser | Firefox (cache, storage, databases), Chrome/Chromium (history, cookies, cache) |
| Linux | ssh | SSH known_hosts, connection logs, auth log entries |
| Linux | container | Docker logs/config, Podman/K8s overlays, libvirt/QEMU logs |
| Linux | systemd | Random seed, live session journals |
| Linux | print | CUPS job history and logs |
| Linux | cicd | CI/CD tools (Jenkins, GitLab Runner, GitHub Actions, CircleCI, Travis CI) |
| Linux | idsips | IDS/IPS logs (Snort, Suricata, OSSEC, Fail2ban, Samhain) |
| Linux | crypto | Cryptocurrency wallets and mining configs (Bitcoin, Ethereum, Monero, XMRig, Electrum) |
| Linux | privacy | Privacy tools (Tor Browser, Tor config, I2P, ProtonVPN, Mullvad, Tails) |
| Linux | pentest | Penetration testing tools (Burp Suite, OWASP ZAP, Cobalt Strike, Empire, BeEF) |
| Linux | osint | OSINT tools (Maltego, SpiderFoot, theHarvester, Recon-ng, Shodan) |
| Linux | iot | IoT/Smart Home (Home Assistant, Mosquitto MQTT, Node-RED, OpenHAB) |
| Linux | ml | ML/AI frameworks (Jupyter, TensorBoard, PyTorch, Keras, MLflow, Weights & Biases) |
| macOS | shell | Shell history files (same as Linux) |
| macOS | macos | .DS_Store files, user trash, Spotlight indexes, QuickLook thumbnails, system logs |
| macOS | audit | BSM audit trail |
| macOS | browser | Safari history and cache |
| macOS | unified | Unified logs (10.12+), diagnostics, log archives |
| macOS | fileevents | FSEvents, quarantine databases |
| macOS | usage | KnowledgeC database, Notification Center, recent items |
| Windows | events | Event logs (Security, System, Application, Sysmon, WinRM, PowerShell/Operational, AppLocker, AMSI) |
| Windows | history | PowerShell/CMD history, prefetch, jump lists, recent documents, Windows Timeline, Search history, IE/Edge history |
| Windows | registry | Registry MRUs, USB history, BAM/DAM, ShellBags, UserAssist, Terminal Server Client, Media Player, Office MRUs |
| Windows | filesystem | USN journal, recycle bin, thumbcache, shortcuts, index files, SRUM database, notification history |
| Windows | temp | Temp files, DNS cache, shadow copies, WER archives, crash dumps, Cortana history, Office telemetry, OneDrive/Teams logs |
| Windows | security | EDR/AV logs (CrowdStrike Falcon, SentinelOne, Carbon Black, McAfee, Symantec), Windows Defender ATP, Firewall logs, WMI activity, BitLocker keys, Group Policy cache, authentication cache, Hyper-V/WSL/Docker logs, FTK Imager artifacts |
| Windows | advanced | Certificates, scheduled tasks, services, wireless profiles, VPN connections, Chrome extensions, cryptographic data, TPM logs, Windows Update logs, Push Notifications, Outlook search, WSA logs, Xbox Game Bar |
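
For responders, the Linux shell, logs, audit and ssh rows above translate into a quick triage check for artifacts that are missing, zero-length, or redirected to /dev/null. This is an added example, not part of Nyx or its README; the artifact paths are common Debian/RHEL defaults assumed here, and `classify` and `triage` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not Nyx code): triage a Linux filesystem root, either the
# live "/" or a mounted disk image, for wiped or neutralised artifacts.

# Assumed default locations; adjust per distribution.
SYSTEM_ARTIFACTS="var/log/auth.log var/log/secure var/log/syslog var/log/messages var/log/wtmp var/log/audit/audit.log"
USER_ARTIFACTS=".bash_history .zsh_history .ssh/known_hosts"

# classify PATH -> prints OK, MISSING, EMPTY or DEVNULL
classify() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]; then
        echo DEVNULL            # history or log symlinked to /dev/null
    elif [ ! -e "$1" ]; then
        echo MISSING            # absent (or a dangling symlink)
    elif [ ! -s "$1" ]; then
        echo EMPTY              # present but zero bytes
    else
        echo OK
    fi
}

# triage ROOT -> prints "STATE /path" for every artifact that is not OK
triage() {
    root=${1%/}
    for rel in $SYSTEM_ARTIFACTS; do
        state=$(classify "$root/$rel")
        [ "$state" = OK ] || echo "$state /$rel"
    done
    # Per-user artifacts for root and every directory under /home.
    for home in "$root"/root "$root"/home/*; do
        [ -d "$home" ] || continue
        for rel in $USER_ARTIFACTS; do
            state=$(classify "$home/$rel")
            [ "$state" = OK ] || echo "$state ${home#"$root"}/$rel"
        done
    done
}

# Run only when a root is given, e.g.: sh triage.sh /mnt/image
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

A MISSING result is a lead rather than proof: Debian-family systems log to auth.log and syslog while RHEL-family systems use secure and messages, so one of each pair is normally absent.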

Quick Start

Linux/macOS

```bash
# Download nyx.sh
wget https://github.com/evilsocket/nyx/raw/refs/heads/main/nyx.sh
chmod +x nyx.sh

# Run with dry-run first
sudo ./nyx.sh --dry-run

# Run all modules
sudo ./nyx.sh --force
```

Windows

```powershell
# Download nyx.ps1 (run as Administrator)
Invoke-WebRequest -Uri "https://github.com/evilsocket/nyx/raw/refs/heads/main/nyx.ps1" -OutFile "nyx.ps1"

# Run with dry-run first
.\nyx.ps1 -DryRun

# Run all modules
.\nyx.ps1 -Force

# Enable audit logging
.\nyx.ps1 -Force -LogFile "nyx-audit.log"
```

Usage

Linux/macOS (nyx.sh)

```bash
# Show help
./nyx.sh --help

# List available modules
./nyx.sh --list

# Dry run with verbose output
./nyx.sh --dry-run --debug

# Clean specific modules
sudo ./nyx.sh -m shell,logs

# Force run without confirmation
sudo ./nyx.sh --force
```

Windows (nyx.ps1)

```powershell
# Show help
.\nyx.ps1 -Help

# List available modules
.\nyx.ps1 -List

# Dry run with verbose output
.\nyx.ps1 -DryRun -Debug

# Clean specific modules (case-insensitive)
.\nyx.ps1 -Modules EVENTS,TEMP -Force

# Advanced mode with memory hardening
.\nyx.ps1 -Advanced -Force

# Enable comprehensive audit logging
.\nyx.ps1 -Force -LogFile "audit.log" -Debug
```

Contributors

nyx project contributors

License

nyx is made with ♥ and released under the GPL 3 license.


Languages

Shell 68.6%
PowerShell 30.7%
Dockerfile 0.6%
Batchfile 0.0%
