
The Coroner's Toolkit

What is it? TCT is a collection of tools written with the specific goal of gathering or analyzing forensic information on a Un*x machine. It's free and includes all source code.

Who wrote it? Wietse Venema and Dan Farmer; first version released circa Aug. 1999. Also collaborated on: SATAN (1995), Security Administrator Tool for Analyzing Networks.


Presentation Transcript


    1. The Coroner’s Toolkit (it’s “veet-sa”...)

    3. Who wrote it?
       - Wietse Venema and Dan Farmer
       - first version released circa Aug. 1999
       - Also collaborated on: SATAN (1995), Security Administrator Tool for Analyzing Networks

    4. Who should use it? TCT is not for the faint of heart.
       - very unpolished
       - documentation is lacking
       - there are still bugs to be ironed out

    5. Why was it written?

    6. How does it work? Four major parts of TCT:
       - grave-robber
       - the C tools (ils, icat, pcat, file, etc.)
       - unrm & lazarus
       - mactime

    7. grave-robber
       - data capturing tool at the heart of TCT
       - runs various commands and records the output
       - captures by order of volatility
       - most effectively used when run as root over an entire filesystem

    8. grave-robber (cont.)
       - output is timestamped
       - output has an MD5 checksum generated
       - avoids shell invocation

    9. Scratching the surface: typical grave-robber output
       - command-out dir: keeps output of all commands run under g-r
       - md5 checksums
       - strings-log: output of strings(1) on all traversed dirs; usually reveals names of deleted files

    10. Scratching the surface (cont.)
       - body: mactime database
       - body.S: file attributes of all SUID files
       - deleted_files dir: all deleted files still open or running when g-r was launched
       - pcat dir: images of running processes (user shell histories, environment, etc.)

    11. The C tools in brief...
       - ils(1): lists inode information; can look at files in memory and find their former location on the filesystem
       - icat(1): copies files by inode number
       - pcat(1): can image a process in memory w/o interrupting it; access kernel data structures

    12. unrm & lazarus
       - unrm(1): copies unallocated disk space
       - can easily generate 2 to 3 times the amount of raw data present in the fs
       - ideally the entire filesystem should be dumped to another machine w/ dd(8)

    13. unrm & lazarus (cont.)
       - lazarus: analyzes information from unrm
       - reads in a chunk of data from unrm
       - looks at the magic number
       - passes it to file(1) for further inspection
       - different consecutive blocks = different files
       - maps out files by blocks

    14. mactime
       - mactime collects information about the last access or modification of a file
       - was the system recompiled? what headers were used? what’s being loaded at startup?
       - results in html with cross referencing

    15. Why it’s important
       - Forensics is a field where the gap between raw data and meaningful information makes all the difference.
       - This program automates the collection process, removing a certain margin of human error.
       - TCT is easy to install/configure.

    16. Where to get it: www.porcupine.org
       - Tools (Postfix, tcpd, SATAN)
       - Papers by Wietse and Dan
       - other auditing tools and procedures
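The block-mapping step that slide 13 describes (classify each block by magic number, treat a run of like blocks as one file, start a new file when the type changes), as an added Python example that is not part of TCT or of this presentation. The block size, the signature table, the text/binary heuristic and the constructed sample data are all assumptions; the hand-off of unknown blocks to file(1) is omitted.

```python
from typing import List, Tuple

BLOCK_SIZE = 1024  # assumed block size; real filesystems vary

# Constructed signature table: (magic at block start, label, broad class).
MAGICS = [
    (b"\x7fELF", "elf", "binary"),
    (b"%PDF-", "pdf", "binary"),
    (b"\x89PNG", "png", "binary"),
    (b"#!/", "script", "text"),
]

def classify_block(block: bytes) -> Tuple[str, str, bool]:
    """Return (label, class, starts_file). A magic number always starts a file;
    other blocks get a crude text/binary label (lazarus asks file(1) instead)."""
    for magic, label, klass in MAGICS:
        if block.startswith(magic):
            return label, klass, True
    body = block.rstrip(b"\x00")          # ignore zero padding at the block end
    if not body:
        return "empty", "empty", False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in body)
    if printable >= 0.9 * len(body):
        return "text", "text", False
    return "binary", "binary", False

def map_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[Tuple[str, int, int]]:
    """Group consecutive blocks into candidate files: (label, first_block, count).
    A run continues while a block has no magic and shares the run's broad class;
    a magic number or a class change starts a new candidate file."""
    runs: List[Tuple[str, int, int]] = []
    classes: List[str] = []
    for offset in range(0, len(data), block_size):
        label, klass, starts = classify_block(data[offset:offset + block_size])
        if runs and not starts and classes[-1] == klass:
            lbl, first, n = runs[-1]
            runs[-1] = (lbl, first, n + 1)
        else:
            runs.append((label, offset // block_size, 1))
            classes.append(klass)
    return runs

def _pad(chunk: bytes, size: int = BLOCK_SIZE) -> bytes:
    return chunk.ljust(size, b"\x00")

# Constructed stand-in for an unrm dump: six blocks of mixed content.
SAMPLE = b"".join([
    _pad(b"#!/bin/sh\necho hello\n"),                 # block 0: script header
    _pad(b"echo more lines of the script\n" * 20),    # block 1: text continuation
    _pad(b"\x7fELF" + bytes(range(256)) * 3),         # block 2: ELF header
    _pad(bytes(range(256)) * 2),                      # block 3: binary continuation
    _pad(b""),                                        # block 4: all zeros
    _pad(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),            # block 5: PDF header
])
```

Running `map_blocks(SAMPLE)` yields four candidate files: the script (blocks 0 and 1), the ELF image (blocks 2 and 3), an empty run (block 4) and the PDF (block 5).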
