1 / 23

Coroner’s Toolkit: An Introduction

Coroner’s Toolkit: An Introduction. Victor Hazlewood victor@sdsc.edu San Diego Supercomputer Center HTCIA Meeting September 10, 2001. TCT Tutorial Goal. Goal of this lecture and tutorial is to expose you to the Coroner’s Toolkit (TCT) Not trying to make you an expert! Will explain

liang
Download Presentation

Coroner’s Toolkit: An Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Coroner’s Toolkit: An Introduction Victor Hazlewood victor@sdsc.edu San Diego Supercomputer Center HTCIA Meeting September 10, 2001

  2. TCT Tutorial Goal • Goal of this lecture and tutorial is to expose you to the Coroner’s Toolkit (TCT) • Not trying to make you an expert! • Will explain • where to get it • what it can do • Will give some quick demonstrations • Opportunity for you to try a few TCT tools

  3. TCT Overview • TCT is a collection of programs written by Dan Farmer and Wietse Venema for performing a post-mortem analysis of UNIX after a break-in or suspected break-in • Available at http://www.porcupine.org/forensics/ • Requires C compiler and Perl 5.004 or later • Not a point and click tool so the novice or intermediate UNIX user will need to spend some time getting to know TCT

  4. TCT Overview • A good collection of DDJ articles about the uses of TCT can be found at http://www.porcupine.org/forensics/column.html • Tested on the following • Solaris 2.4, 2.5.1, 2.6, 7.0, 8 • FreeBSD 2.2.1, 3.4, 4.0 • RedHat 5.2, 6.1 • BSD/OS 2.1, 4.1 • OpenBSD 2.5 • SunOS 4.1.3_U1, 4.1.4

  5. Short Lab • Install TCT into /tmp • Download from http://www.porcupine.org/forensics/ftp://www.porcupine.org/forensics/ • gunzip it% gunzip tct-1.07.tar.gz • Untar the file • % tar xvf tct-1.07.tar • Change directory to tct-1.07 • Perform a make% make

  6. TCT – Tool Overview • mactimes - report on times of files • ils - list inode info (usually removed files) • icat - copies files by inode number • unrm - copies unallocated data blocks • lazarus - create structure from unstructured data • file - determine file type • pcat - copy process memory • grave-robber - captures forensic data

  7. mactime • mactime is shorthand reference to the three time attributes - mtime, atime, and ctime • atime - time of last access • mtime - time of last modification • ctime - time of last status change of inode • dtime - time of deletion (Linux only) • Examples# mactime -d /var/adm -y 1/1/1970# mactime –R -d /var/log -y 1/1/1970 # mactime –R –d / -y 7/1/2001

  8. mactime • Examples# mactime -d /var/adm -y 1/1/1970# mactime –R -d /var/log -y 1/1/1970 # mactime –R –d / -y 7/1/2001

  9. Mactime Most Useful Options • -d dir list a specific dir on running system • -h put output in HTML format • -y list output with year first • -t output in machine format (Epoch time) • -u user in HTML output put this user in a diff color • -R recursively go through subdirectories • See What are MACtimes article • mactime demonstration

  10. ils • ils lists inode information of removed files. Can be used to identify deleted files for possible attempt to undelete with icat. Specify a device file which contains a file system. • Example ils /dev/hdb1 • ils demonstration

  11. icat • icat copies files by inode number from a device which contains a file system. Can be used to recover a deleted file (when intact) • Exampleicat /dev/hdb1 17 • icat demonstration

  12. unrm • unrm – copies unallocated data blocks Used to copy unallocated blocks to an output file in order to be processed by lazarus. WARNING! This can take a lot of disk space • Example# unrm /dev/hdb1 > /tmp/unrm.of.hdb1 • Demonstration, if possible

  13. lazarus • lazarus – attempts to make sense out of raw data blocks • Use to process the output from unrm. WARNING! This can take a lot of disk space.Saves blocks into files that lazarus thinks are associated in blocks directory • Output controlled by lazarus.cf file • Example# lazarus /tmp/unrm.of.hdb1 • # lazarus –h /tmp/unrm.of.hdb1

  14. lazarus • Typical output looks something likeatttttccccccpppptttttattcccpppttttotherwise output is in html files (-h option) • See lazarus man page for translation of characters • lazarus demonstration, if possible

  15. file • File – determine file type • Similar to UNIX System V file command, but may generate better indication of file type

  16. pcat • Pcat – copies process memory using ptrace or /proc file system. This is used to try to understand what a program is (doing), especially when the executable file has been deleted. (See Strangers in the Night article) • Modern UNIX systems have a /proc filesystem that makes process information available in a convenient manner, including the executable file, current directory, and process memory.

  17. pcat • Process attributes available in /procexecutable /proc/pid/exememory /proc/pid/memmemory map /proc/pid/maps

  18. grave-robber • grave-robber captures system forensic dataRuns many of TCT tools under the covers • Three types of options • general optionswhere output goes, verbosity, etc • micro optionsfiner control over what data is collected • macro optionsputs micro data collection into logical groups

  19. grave-robber • Can take a loooong time to run • Leaving this as a exercise for the student

  20. Other Tools You May Need • The following tools you should have on a CDROM toolkit because on a suspected compromised machine you can’t trust the local versions • lsof – list open files • netstat, ifconfig – network info • ls, df, ps – files, file systems, process info • od – dump file into octal, hex, etc. • Don’t forget to use UNIX accounting tools if you can for more audit trails

  21. Try These Exercises • Use mactime to find all mac time information about all files in /var/log recursively • Use ils to discover all the deleted files on one device on your system • Make a copy of /usr/sbin/tcpdumpUse ls –li to determine the inode # of the copyDelete your tcpdump copyUse icat to recover your deleted copy • Build a tar file. Repeat above exercise with this tar file

  22. Try These Exercises • If there is a SMALL partition on your system then create a file called needle.in.a.haystack on another partition. Copy needle.in.a haystack to the small partition. • Sync your file systems • Delete the needle.in.a.haystack from your small partition • Use unrm to copy the unallocated blocks • Use lazarus to profile the unallocated blockscan you find your needle.in.a.haystack?

  23. My slides • Slides • http://www.sdsc.edu/~victor • -> Coroners Toolkit presentation

More Related