The Coroner's Toolkit - PowerPoint PPT Presentation

Provided by: ValuedGate992

Transcript and Presenter's Notes

1
The Coroner's Toolkit
  • (Wietse is pronounced "veet-sa"...)

2
What is it?
  • TCT is a collection of tools written with the
    specific goal of gathering or analyzing forensic
    information on a Unix machine...
  • It's free and includes all source code.

3
Who wrote it?
  • Wietse Venema and Dan Farmer
  • first version released circa Aug. 1999
  • also collaborated on
      • SATAN (1995), Security Administrator Tool for
        Analyzing Networks

4
Who should use it?
  • TCT is not for the faint of heart.
      • very unpolished
      • documentation is lacking
      • there are still bugs to be ironed out

5
Why was it written?
Remarkably, after over ten years of working on
Internet investigations, we see people using the
same tired tools and techniques... the same ones
that were used at the time that the Internet worm
made security a concern to system administrators
on the net. Why hasn't more progress been
made?
  - Wietse Venema

6
How does it work?
  • Four major parts of TCT
      • grave-robber
      • the C tools (ils, icat, pcat, file, etc.)
      • unrm and lazarus
      • mactime

7
grave-robber
  • data capturing tool at the heart of TCT
  • runs various commands and records the output
  • captures by order of volatility
  • most effectively used when run as root over an
    entire filesystem

8
grave-robber (cont.)
  • output is timestamped
  • an MD5 checksum is generated for every output file
  • avoids shell invocation when running commands

9
Scratching the surface
  • typical grave-robber output
      • command-out dir
          • keeps the output of all commands run under g-r
          • md5 checksums
      • strings-log
          • output of strings(1) on all traversed dirs
          • usually reveals names of deleted files

10
Scratching the surface (cont.)
      • body: the mactime database
      • body.S: file attributes of all SUID files
      • deleted_files dir
          • all deleted files still open or running when g-r
            was launched
      • pcat dir
          • images of running processes (user shell
            histories, environment, etc.)

11
the C tools in brief...
  • ils(1) lists inode information; it can look at
    files held open in memory and find their former
    location on the filesystem.
  • icat(1) copies files by inode number
  • pcat(1) can image a process in memory without
    interrupting it, and access kernel data structures

12
unrm and lazarus
  • unrm(1) copies unallocated diskspace
  • can easily generate 2 to 3 times the amount of
    raw data present in the fs.
  • ideally the entire filesystem should be dumped to
    another machine w/ dd(8)

13
unrm and lazarus (cont.)
  • lazarus analyzes the information from unrm.
  • reads in a chunk of data from unrm
  • looks at the magic number
  • passes it to file(1) for further inspection
  • consecutive blocks of different types = different files
  • maps out files by blocks
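The block-mapping pass described above, reduced to a runnable sketch (an added example, not TCT's own lazarus code): the block size, magic table and seven-block "image" are constructed stand-ins, and file(1) is replaced by a small hand-rolled signature list.

```python
import re
BLOCK = 512  # constructed block size; lazarus reads unrm output in fixed-size chunks

MAGIC = [  # hand-rolled table; real lazarus hands unrecognised blocks to file(1)
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"#!", "script"),
]
MAGIC_NAMES = {name for _, name in MAGIC}

def classify_block(chunk: bytes) -> str:
    """Guess a block's type: magic number first, then printable vs. binary."""
    for sig, name in MAGIC:
        if chunk.startswith(sig):
            return name
    body = chunk.rstrip(b"\x00")  # ignore zero fill at the end of the block
    if not body:
        return "empty"
    if re.fullmatch(rb"[\x09\x0a\x0d\x20-\x7e]+", body):
        return "text"
    return "unknown"  # binary data with no known header

def map_files(data: bytes, block: int = BLOCK):
    """Walk the image block by block and return [(type, first_block, count)].
    A magic number always starts a new candidate file; a type change starts a
    new one too, except that headerless binary blocks continue a magic-typed file."""
    files, current = [], None
    for off in range(0, len(data), block):
        kind = classify_block(data[off:off + block])
        continues = current is not None and (
            kind == current[0] or (kind == "unknown" and current[0] in MAGIC_NAMES))
        if kind in MAGIC_NAMES or not continues:
            current = [kind, off // block, 1]
            files.append(current)
        else:
            current[2] += 1
    return [tuple(f) for f in files]

def sample_image() -> bytes:
    """Constructed seven-block stand-in for unrm output (not real disk data)."""
    pad = lambda b: b.ljust(BLOCK, b"\x00")
    return b"".join([
        pad(b"\x7fELF\x02\x01\x01" + b"\x90" * 40),     # 0: ELF header
        bytes(range(256)) * 2,                           # 1: headerless binary -> continues ELF
        pad(b"#!/bin/sh\necho hello\n"),                 # 2: shell script
        pad(b""),                                        # 3: never written, all zeros
        pad(b"\xff\xd8\xff\xe0JFIF" + b"\x12" * 20),     # 4: JPEG header
        bytes([0x10, 0x80, 0x7f]) * 170 + b"\x00\x02",   # 5: binary -> continues JPEG
        pad(b"notes for the deleted report\n"),          # 6: plain text
    ])
```

`map_files(sample_image())` yields five candidate files spanning blocks 0-1, 2, 3, 4-5 and 6, which is the block map lazarus would hand on for recovery.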

14
mactime
  • mactime collects information about the last
    access or modification of a file.
      • was the system recompiled?
      • what headers were used?
      • what's being loaded at startup?
  • results in HTML with cross-referencing

15
Why it's important
  • Forensics is a field where the gap between raw
    data and meaningful information makes all the
    difference.
  • This program automates the collection process,
    removing a certain margin of human error.
  • TCT is easy to install/configure.

16
Where to get it
  • www.porcupine.org
  • Tools (Postfix, tcpd, SATAN)
  • Papers by Wietse and Dan
  • other auditing tools and procedures