160 likes | 472 Views
What is it?. TCT is a collection of tools written with the specific goal of gathering or analyzing forensic information on a Un*x machine...It's free and includes all source code.. Who wrote it?. Wietse Venema and Dan Farmerfirst version released circa Aug. 1999Also collaborated on: SATAN (1995) Security Administrator Tool for Analyzing Networks.
E N D
1. The Coroners Toolkit
its veet-sa...
3. Who wrote it? Wietse Venema and Dan Farmer
first version released circa Aug. 1999
Also collaborated on:
SATAN (1995) Security Administrator Tool for Analyzing Networks
4. Who should use it? TCT is not for the faint of heart.
very unpolished
documentation is lacking
there are still bugs to be ironed out
5. Why was it written?
6. How does it work? Four major parts of TCT:
grave-robber
the C tools (ils, icat, pcat, file, etc.)
unrm & lazarus
mactime
7. grave-robber data capturing tool at the heart of TCT
runs various commands and records the output
captures by order of volatility
most effectively used when run as root over an entire filesystem
8. grave-robber (cont.) output is timestamped
output has MD5 checksum generated
Avoids shell invocation
9. Scratching the surface typical grave-robber output
command-out dir
keeps output of all commands run under g-r
md5 checksums
strings-log
output of strings(1) on all traversed dirs
usually reveals names of deleted files
10. Scratching the surface (cont.) body: mactime database
body.S: file attributes of all SUID files
deleted_files dir
all deleted files still open or running when g-r was launched.
pcat dir
images of running processes (user shell histories, environment, etc)
11. the C tools in brief... ils(1) lists inode information, can look @ files in memory and find their former location on the filesystem.
icat(1) copies files by inode number
pcat(1) can image a process in memory w/o interrupting it, access kernel data structures
12. unrm & lazarus unrm(1) copies unallocated diskspace
can easily generate 2 to 3 times the amount of raw data present in the fs.
ideally the entire filesystem should be dumped to another machine w/ dd(8)
13. unrm & lazarus (cont.) lazarus analyzes information from unrm.
reads in a chunk of data from unrm
looks at magic number
pass to file(1) for further inspection
different consecutive blocks = different files
maps out files by blocks
14. mactime mactime collects information about the last access or modification of a file.
was the system recompiled?
what headers were used
whats being loaded at startup
results in html with cross referencing
15. Why its important Forensics is a field where the gap between raw data and meaningful information makes all the difference.
This program automates the collection process, removing a certain margin of human error.
TCT is easy to install/configure.
16. Where to get it www.porcupine.org
Tools (Postfix, tcpd, SATAN)
Papers by Wietse and Dan
other auditing tools and procedures