The Coroner's Toolkit
Noel
Introduction
The Coroner's Toolkit (TCT) is a suite of tools written by Wietse Venema
and Dan Farmer to help a system administrator perform forensic
analysis on a cracked Unix box. The tools are written in a
mixture of C and Perl. The authors say that TCT does not have
one single goal; instead its theme is taking a snapshot of the
machine so that an attempt can be made to reconstruct the past.
The software is released under the IBM Public License and all source
code is included.
Downloading TCT
TCT can be downloaded from:
http://www.fish.com/forensics/
http://www.porcupine.org/forensics
Installation
Quite a few Unix OS's are supported; the INSTALL document lists the following:
Currently the following OS's are at least semi-supported (e.g. the
more recent versions (as of this writing, June 24, 2000) of the OS
should work):
FreeBSD 2-4.*
OpenBSD 2.*
BSD/OS 2-4.*
SunOS 4-5.*
Linux 2.*
The suite, tarred and gzipped, is about 300K. The authors suggest that
for normal usage the tools will need between several MB and more than
one hundred MB. If you are going to use the unrm or Lazarus tools, the
space you need depends on the size of the disk you are going to run
them on, and you may need more than one disk.
The software is designed to be run from the directory it is untarred
into, so to install it you just download the tar file, gunzip it and
then untar it.
To compile TCT, cd into the install directory and type make. The
makefile will try to determine what OS you are running and do the
right thing. I did my installation on a RedHat Linux 6.1 machine
(2.2.12-20 kernel) and it worked like a champ.
When you have compiled everything you will have the following tools in
the bin/ directory:
- grave-robber - the main data gathering program. It runs the
  following programs:
- file - Ian Darwin's file command
- icat - copies a file by inode number.
- ils - list file system inode information.
- lastcomm - a portable lastcomm command
- mactime - the M, A, C time file system reporter.
- md5 - the RSA MD5 digital signature tool.
- pcat - copies the address space of a running process.
- unrm - uncovers unallocated blocks from a raw Unix file system.
- Lazarus - attempts to resurrect deleted files or data from raw data
There are some other tools that are only used internally by TCT that I
have not listed. If you are interested they are described in the
documentation that comes with the package.
Gathering Data
To start the toolkit type 'bin/grave-robber' from the installation
directory. grave-robber has lots of command line parameters you can
give it; to learn about all of them see the man pages included in the
distribution. The more interesting ones include -v, which turns on
verbose mode; -f, fast mode, which turns off the MD5 hashing and some
other slow steps; and -p, which copies process memory to a file with
pcat (the man page warns that some systems have problems with this).
grave-robber runs the tools based on the Order of Volatility. The
authors describe the Order of Volatility as the observation that some
data is more volatile than other data, so you want to capture the most
volatile information first, before it has gone away.
By default grave-robber runs on the entire system, and it is suggested
that you run the tool as root so that it can look at the things that a
normal user cannot. The file system scan can run for hours if you
have a large enough disk.
For my test I ran grave-robber with no command line parameters.
grave-robber ran for about two hours and generated about 64MB of data.
The machine that I was using is a Dell Pentium MMX 133 with 32MB memory
running RedHat Linux 6.1. It has 1.4 GB of disk space in use.
Analyzing the Data
When the data gathering has finished you have two files in the install
directory: error.log and coroner.log. The error log (surprise) has a
listing of any errors that grave-robber ran into, and coroner.log has a
listing of everything that grave-robber did.
All of the data gathered is under the data directory, in a subdirectory
named after the system name and the date/time of the run. Here is a
list of the data that was gathered on my machine.
proc/
  A subdirectory that contains a dump of the processes that are
  running and an MD5 hash of them.
command_out/
  A subdirectory that keeps the output of most of the programs that
  grave-robber executes. Each file in this directory is generally
  named after the command run and its arguments. In addition an MD5
  (of the output file) and a time stamp (of when the program was run)
  are created and saved to the same filename with the ".md5" extension.
body
  This is the mactime database.
body.S
  This contains the file attributes of all SUID files. They are in the
  normal mactime DB as well; it is simply easier to see them here.
removed_but_running/
  This directory contains all deleted files that were still open or
  running when grave-robber ran (done by a combination of ils and icat).
conf_vault/
  This directory is an archive of all the files that grave-robber found
  of interest: configuration files, critical files and directories, etc.
  Mostly controlled by the configuration files.
trust/
  A subdirectory that contains information on trust relationships.
user_vault/
  Contains information about users on the system.
MD5_all
  Listing of MD5 hashes for all the data files.
MD5_all.md5
  MD5 hash of MD5_all. (Nothing like covering all the bases :)
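The MD5_all / MD5_all.md5 pair is what lets you show later that the collected data has not changed since grave-robber wrote it. The Python script below is an added example, not code from TCT: it builds a small constructed stand-in for a data directory, writes a manifest in the same two-level style (every data file hashed into MD5_all, MD5_all hashed into MD5_all.md5) and then verifies it, reporting any data file that changed and whether the manifest itself is still intact. The manifest line format used here (hash, two spaces, relative path) is an assumption of this example, not TCT's actual layout.

```python
"""Two-level hash manifest check modelled on TCT's MD5_all / MD5_all.md5.

Added example, not code from TCT. The tree and file contents are
constructed; the manifest line format ("<md5>  <relative path>") is an
assumption of this example rather than TCT's own layout.
"""
import hashlib
import os
import shutil
import tempfile

MANIFEST = "MD5_all"


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large evidence files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root):
    """Hash every data file under root into MD5_all, then hash MD5_all
    itself into MD5_all.md5 (the manifests are excluded from the listing)."""
    lines = []
    for dirpath, _, files in sorted(os.walk(root)):
        for fn in sorted(files):
            if fn in (MANIFEST, MANIFEST + ".md5"):
                continue
            full = os.path.join(dirpath, fn)
            lines.append("%s  %s\n" % (md5_of_file(full),
                                       os.path.relpath(full, root)))
    manifest = os.path.join(root, MANIFEST)
    with open(manifest, "w") as f:
        f.writelines(lines)
    with open(manifest + ".md5", "w") as f:
        f.write(md5_of_file(manifest) + "\n")


def verify_manifest(root):
    """Return (manifest_intact, [paths that are missing or whose hash differs]).
    The manifest is checked first: if MD5_all itself was edited, the per-file
    results below it cannot be trusted."""
    manifest = os.path.join(root, MANIFEST)
    with open(manifest + ".md5") as f:
        expected = f.read().split()[0]
    manifest_intact = md5_of_file(manifest) == expected
    bad = []
    with open(manifest) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            full = os.path.join(root, rel)
            if not os.path.isfile(full) or md5_of_file(full) != digest:
                bad.append(rel)
    return manifest_intact, bad


def build_constructed_tree():
    """Create a tiny constructed stand-in for a grave-robber data directory."""
    root = tempfile.mkdtemp(prefix="tct-demo-")
    os.makedirs(os.path.join(root, "command_out"))
    with open(os.path.join(root, "body"), "w") as f:
        f.write("constructed stand-in for the mactime body file\n")
    with open(os.path.join(root, "command_out", "ps_-ef"), "w") as f:
        f.write("constructed stand-in for captured ps output\n")
    return root


def demo():
    """Run the check on a clean tree, after editing a data file, and after
    editing the manifest itself. Returns the three (intact, bad) results."""
    root = build_constructed_tree()
    try:
        write_manifest(root)
        clean = verify_manifest(root)                 # (True, [])
        with open(os.path.join(root, "body"), "a") as f:
            f.write("line added after collection\n")
        data_changed = verify_manifest(root)          # (True, ['body'])
        with open(os.path.join(root, MANIFEST), "a") as f:
            f.write("%s  bogus\n" % ("0" * 32))
        manifest_changed = verify_manifest(root)      # (False, ['body', 'bogus'])
    finally:
        shutil.rmtree(root)
    return clean, data_changed, manifest_changed


if __name__ == "__main__":
    for label, result in zip(("clean", "data edited", "manifest edited"), demo()):
        print(label, result)
```

The point of checking MD5_all.md5 before the per-file hashes is that an edited manifest can be made to agree with edited data; only the outer hash (ideally copied off the box, or printed, right after collection) tells you the listing itself is the one grave-robber wrote.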
Other than generating the MD5 hashes and finding running programs that
have been removed, none of this data has really been analyzed, only
collected. The analysis part will have to be done by the system admin.
I do not think that this is a bad thing; it is very useful to be able
to grab a snapshot of the system state. A tool that attempted to do all
of the analysis would be a tool that could be fooled by the cracker's
rootkits and tools.
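Since the body file is only a database, the analysis left to the admin usually starts with mactime: turn each file's modify, access and change times into one timeline and read it around the time of the break-in. The Python below is an added example, not TCT's mactime. It uses a simplified, constructed body format (name|inode|mode|uid|gid|size|atime|mtime|ctime, times in epoch seconds) rather than TCT's real field layout, the records are invented sample data, and it also merges in a record for a deleted inode, which is what the ils2mac helper listed under Extras contributes for real ils output.

```python
"""MAC timeline from body-file records, in the spirit of TCT's mactime.

Added example, not TCT code. The body format here is a constructed,
simplified one (name|inode|mode|uid|gid|size|atime|mtime|ctime with epoch
seconds), not TCT's real layout, and the records are invented sample data.
"""
from datetime import datetime, timezone

# Constructed "body" records: /bin/login was modified long after the rest
# of /bin, which is the kind of thing a timeline makes obvious.
BODY = """\
/bin/ls|1201|-rwxr-xr-x|0|0|43284|957100000|946684800|946684800
/bin/login|1202|-rwxr-xr-x|0|0|20480|957120000|957110000|957110000
/etc/passwd|3301|-rw-r--r--|0|0|1024|957120000|946684800|946684800
"""

# Constructed record for a deleted-but-referenced inode, as ils2mac would
# append it to the body: no name survives, so the inode stands in for it.
ILS2MAC = """\
<deleted inode 8891>|8891|-rw-------|0|0|65536|957110000|957110000|957110050
"""

FIELDS = ("name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime")


def parse_body(text):
    """Split pipe-delimited body lines into dicts; numeric fields become ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        if len(values) != len(FIELDS):
            raise ValueError("malformed body line: %r" % line)
        row = dict(zip(FIELDS, values))
        for key in ("inode", "uid", "gid", "size", "atime", "mtime", "ctime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def mac_timeline(rows):
    """One event per (timestamp, file), flagged m/a/c for which of the three
    times fell on that second (mactime prints e.g. 'm.c' or '.a.').
    Returns a list of (epoch, flags, size, mode, name) sorted by time."""
    events = {}
    for row in rows:
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            ev = events.setdefault((row[key], row["name"]), {"row": row, "hit": set()})
            ev["hit"].add(letter)
    out = []
    for (ts, name), ev in sorted(events.items()):
        flags = "".join(l if l in ev["hit"] else "." for l in "mac")
        out.append((ts, flags, ev["row"]["size"], ev["row"]["mode"], name))
    return out


def between(timeline, start, end):
    """Restrict a timeline to [start, end] epoch seconds, the way mactime's
    date-range argument lets you zoom in on the suspected break-in."""
    return [e for e in timeline if start <= e[0] <= end]


def render(timeline):
    """Human-readable lines, times shown in UTC."""
    lines = []
    for ts, flags, size, mode, name in timeline:
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s %8d %s %s %s" % (stamp, size, flags, mode, name))
    return lines


def demo():
    """Timeline over the normal body plus the ils2mac-style record."""
    return mac_timeline(parse_body(BODY) + parse_body(ILS2MAC))


if __name__ == "__main__":
    tl = demo()
    print("\n".join(render(tl)))
    print("--- around the suspect window ---")
    print("\n".join(render(between(tl, 957110000, 957110100))))
```

Read top to bottom, the sample timeline shows the bulk of the system untouched since installation, then /bin/login modified and a nameless inode written and deleted within the same minute; that clustering, not any single timestamp, is what points at the intrusion window.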
Extras
Also included in TCT are some extra programs that the authors say they
have been using to test or analyze systems.
From the README:
bdf - Basic Dependency Finder. This rather odd thing goes through
      text and binary files recursively, looking for executables and
      files of potential interest. Try it on /etc/rc files and
      whatnot for a laugh. Look at options and such in the comments
      at the top of the code.
ils2mac - This converts the output of the ils command to a "body"
      file database that mactime can use. This is how we get mactimes
      for removed files. You can concatenate it to a normal body file
      and look at the combined results for better understanding of
      system behavior.
realpath - uses the realpath library to get the real path of a file
      (resolves links, etc.)
findkey - Search data for cryptographic keys.
entropy - Compute data entropy a la Shannon.
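The entropy and findkey extras rest on the same observation: key material, ciphertext and compressed data look like noise, so a region whose byte entropy approaches 8 bits per byte stands out from text and ordinary binaries. The Python below is an added example, not TCT's entropy or findkey code; it computes Shannon entropy per sliding window over a constructed buffer (plain text with a block of SHA-256 output standing in for a key) and reports the high-entropy spans. The window size, step and 7.0-bit threshold are choices made for this example.

```python
"""Shannon entropy of byte data, with a sliding window that flags
high-entropy regions (key material, ciphertext, compressed blobs).

Added example, not TCT's entropy/findkey. The sample buffer is constructed:
plain text with 1024 bytes of SHA-256 output in the middle as a stand-in
for a cryptographic key.
"""
import hashlib
import math


def shannon_entropy(data):
    """H = -sum p(b) log2 p(b) over byte values: 0 for a run of one byte,
    8.0 for a perfectly flat byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=512, step=128, threshold=7.0):
    """Slide a window over data and merge overlapping windows whose entropy
    reaches threshold. Returns [(start, end, max_entropy)] byte spans."""
    spans = []
    for off in range(0, max(1, len(data) - window + 1), step):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if spans and off <= spans[-1][1]:
            start, _, best = spans[-1]
            spans[-1] = (start, end, max(best, h))
        else:
            spans.append((off, end, h))
    return spans


def constructed_sample():
    """Text, then 1024 bytes of SHA-256 output (a deterministic stand-in for
    a key), then more text. Entirely made up for this example. Returns the
    buffer and the (start, end) offsets where the 'key' was planted."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 14)[:600]
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return text + noise + text, (len(text), len(text) + len(noise))


def demo():
    """Flag high-entropy spans in the constructed sample."""
    data, (key_start, key_end) = constructed_sample()
    return high_entropy_regions(data), key_start, key_end


if __name__ == "__main__":
    spans, key_start, key_end = demo()
    print("planted key at bytes %d-%d" % (key_start, key_end))
    for start, end, h in spans:
        print("high entropy %d-%d (max %.2f bits/byte)" % (start, end, h))
```

The reported span is a little wider than the planted block because windows that only partly overlap the noise still clear the threshold; in practice you then carve the span out (icat or dd) and inspect it rather than trusting the boundaries. A threshold this high will also flag compressed archives and encrypted files, which is why findkey is a lead generator rather than a verdict.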
Conclusions
I found this to be a very useful package of tools that gives you a
good snapshot of the state of a compromised machine. While not
designed for a newbie, it would still allow a less experienced admin to
collect the data so that someone with more experience could look at it
later. This is a tool that would have been very useful when the
system I was helping to run had been cracked.
Wietse Venema and Dan Farmer have done it again. They have expanded
the world of Open Source security software and provided us with
useful and needed security tools.