Coroner's Toolkit: An Introduction





Victor Hazlewood
victor@sdsc.edu
San Diego Supercomputer Center
HTCIA Meeting
September 10, 2001
NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE
SAN DIEGO SUPERCOMPUTER CENTER
TCT Tutorial Goal
• Goal of this lecture and tutorial is to expose
  you to the Coroner's Toolkit (TCT)
• Not trying to make you an expert!
• Will explain
   • where to get it
   • what it can do
• Will give some quick demonstrations
• Opportunity for you to try a few TCT tools


TCT Overview
• TCT is a collection of programs written by
  Dan Farmer and Wietse Venema for
  performing a post-mortem analysis of UNIX
  after a break-in or suspected break-in
• Available at
  http://www.porcupine.org/forensics/
• Requires C compiler and Perl 5.004 or later
• Not a point and click tool so the novice or
  intermediate UNIX user will need to spend
  some time getting to know TCT
TCT Overview
• A good collection of DDJ articles about the
  uses of TCT can be found at
  http://www.porcupine.org/forensics/column.html
• Tested on the following
   • Solaris 2.4, 2.5.1, 2.6, 7.0, 8
   • FreeBSD 2.2.1, 3.4, 4.0
   • RedHat 5.2, 6.1
   • BSD/OS 2.1, 4.1
   • OpenBSD 2.5
   • SunOS 4.1.3_U1, 4.1.4
Short Lab
• Install TCT into /tmp
• Download from
  http://www.porcupine.org/forensics/
  ftp://www.porcupine.org/forensics/
• gunzip it
  % gunzip tct-1.07.tar.gz
• Untar the file
  % tar xvf tct-1.07.tar
• Change directory to tct-1.07
• Perform a make
  % make
TCT – Tool Overview
• mactime - report on the times of files
• ils - list inode info (usually of removed files)
• icat - copies files by inode number
• unrm - copies unallocated data blocks
• lazarus - creates structure from unstructured data
• file - determines file type
• pcat - copies process memory
• grave-robber - captures forensic data

mactime
• MAC time is shorthand for the three inode time
  attributes: mtime, atime, and ctime
   • atime - time of last access
   • mtime - time of last modification
   • ctime - time of last status change of the inode
   • dtime - time of deletion (Linux only)
• Examples
  # mactime -d /var/adm -y 1/1/1970
  # mactime -R -d /var/log -y 1/1/1970
  # mactime -R -d / -y 7/1/2001
Mactime Most Useful Options
• -d dir   list a specific directory on the running system
• -h       put output in HTML format
• -y       list output with the year first
• -t       output in machine format (epoch time)
• -u user  in HTML output, show this user's files in a
           different color
• -R       recursively go through subdirectories

• See the "What are MACtimes?" article
• mactime demonstration
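A simplified Python version of what mactime -d DIR -R does, added here as an example and not part of TCT or these slides: it collects the three inode times of every file under a directory and sorts them into one timeline, showing for each timestamp which of m, a and c coincide. The output columns are an assumption for illustration, not mactime's exact format.

```python
import os
import sys
import time
from collections import defaultdict

def collect_mac_times(root, recursive=True):
    """Walk `root` (mactime -d DIR; -R when recursive) and return one record per
    distinct timestamp of each file, with an m/a/c flag string showing which of
    the three inode times share that timestamp (e.g. "ma." or "..c")."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks on a suspect box
            except OSError:
                continue
            by_time = defaultdict(lambda: [".", ".", "."])
            by_time[int(st.st_mtime)][0] = "m"
            by_time[int(st.st_atime)][1] = "a"
            by_time[int(st.st_ctime)][2] = "c"
            for ts, flags in by_time.items():
                records.append((ts, "".join(flags), st.st_size,
                                oct(st.st_mode & 0o7777), st.st_ino, path))
        if not recursive:
            break
    records.sort()                        # the timeline: oldest event first
    return records

def format_timeline(records, machine=False):
    """Render records year-first (like -y) or as epoch seconds (like -t)."""
    out = []
    for ts, flags, size, mode, ino, path in records:
        stamp = str(ts) if machine else time.strftime("%Y %b %d %H:%M:%S", time.localtime(ts))
        out.append(f"{stamp} {size:>9} {flags} {mode} {ino:>8} {path}")
    return out

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for line in format_timeline(collect_mac_times(target)):
        print(line)
```

Listing directories on a live system updates their atimes, the same caveat that applies to running mactime against the running system rather than an image.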
ils
• ils lists inode information of removed files.
  It can be used to identify deleted files for a
  possible undelete attempt with icat.
  Specify the device file that contains the file
  system.
• Example
  ils /dev/hdb1

• ils demonstration

icat
• icat copies files by inode number from a
  device that contains a file system. It can be
  used to recover a deleted file (when its data
  blocks are still intact)
• Example
  icat /dev/hdb1 17

• icat demonstration



unrm
• unrm - copies unallocated data blocks
  Used to copy unallocated blocks to an output
  file so they can be processed by lazarus.

  WARNING! This can take a lot of disk space

• Example
  # unrm /dev/hdb1 > /tmp/unrm.of.hdb1

• Demonstration, if possible
lazarus
• lazarus - attempts to make sense out of raw
  data blocks
• Used to process the output from unrm.
  WARNING! This can take a lot of disk space.
  Saves blocks that lazarus thinks are associated
  into files in the blocks directory
• Output controlled by the lazarus.cf file
• Examples
  # lazarus /tmp/unrm.of.hdb1
  # lazarus -h /tmp/unrm.of.hdb1
lazarus
• Typical output looks something like
  atttttccccccpppptttttattcccppptttt
  with the -h option the output is written as
  HTML files instead
• See the lazarus man page for the meaning of
  the characters

• lazarus demonstration, if possible



file
• file - determines file type
• Similar to the UNIX System V file command, but
  may give a better indication of the file type




pcat
• pcat - copies process memory using ptrace or
  the /proc file system. This is used to try to
  understand what a program is doing,
  especially when the executable file has been
  deleted. (See the "Strangers in the Night" article)
• Modern UNIX systems have a /proc file system
  that makes process information available in
  a convenient manner, including the executable
  file, current directory, and process memory.
pcat
• Process attributes available in /proc
  executable    /proc/pid/exe
  memory        /proc/pid/mem
  memory map    /proc/pid/maps
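An added Python example, not pcat's own code, of how the /proc entries in the table above support a pcat-style capture on Linux: it parses /proc/<pid>/maps, flags mappings whose backing file has been deleted (the situation the previous slide describes), and copies the readable regions out of /proc/<pid>/mem. SAMPLE_MAPS is constructed text, and dump_readable_memory assumes a Linux /proc and ptrace rights over the target.

```python
import os
import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
                       r"[0-9a-f]+ [0-9a-f]+:[0-9a-f]+ \d+\s*(?P<path>.*)$")

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    def readable(self):
        return self.perms[0] == "r"

def parse_maps(text):
    """Parse maps text into Region objects; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return regions

def deleted_mappings(regions):
    """File-backed mappings whose file has been unlinked (deduped, first-seen order)."""
    return list(dict.fromkeys(r.path for r in regions if r.path.endswith(" (deleted)")))

def dump_readable_memory(pid, out_path):
    """pcat-style capture (Linux only): copy every readable mapping out of
    /proc/<pid>/mem. Needs ptrace rights on the target, i.e. root."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    copied = 0
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem, open(out_path, "wb") as out:
        for r in regions:
            if not r.readable() or r.path in ("[vvar]", "[vsyscall]"):
                continue
            try:                  # a region may vanish between the maps and mem reads
                out.write(os.pread(mem.fileno(), r.end - r.start, r.start))
                copied += r.end - r.start
            except OSError:
                continue
    return os.readlink(f"/proc/{pid}/exe"), copied   # exe link also ends in " (deleted)"

# Constructed sample (not real output) so the parser can be exercised offline.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 08:01 1310722    /tmp/sample (deleted)
55d0c0a01000-55d0c0a02000 r-xp 00001000 08:01 1310722    /tmp/sample (deleted)
7ffd1a3c2000-7ffd1a3e3000 rw-p 00000000 00:00 0          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0  [vsyscall]
"""
```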




grave-robber
• grave-robber captures system forensic data
  Runs many of the TCT tools under the covers
• Three types of options
   • general options
     where output goes, verbosity, etc.
   • micro options
     finer control over what data is collected
   • macro options
     put micro data collection into logical
     groups
grave-robber
• Can take a very long time to run
• Leaving this as an exercise for the student




Other Tools You May Need
• You should have the following tools on a
  CD-ROM toolkit, because on a suspected
  compromised machine you can't trust the
  local versions
• lsof - list open files
• netstat, ifconfig - network info
• ls, df, ps - files, file systems, process info
• od - dump a file in octal, hex, etc.
• Don't forget to use the UNIX accounting tools,
  if you can, for more audit trails
Try These Exercises
• Use mactime to find all MAC time information
  about all files in /var/log, recursively
• Use ils to discover all the deleted files on one
  device on your system
• Make a copy of /usr/sbin/tcpdump
   • Use ls -li to determine the inode number of the copy
   • Delete your tcpdump copy
   • Use icat to recover your deleted copy
• Build a tar file. Repeat the above exercise with
  this tar file
Try These Exercises
• If there is a SMALL partition on your system,
  create a file called needle.in.a.haystack
  on another partition. Copy needle.in.a.haystack
  to the small partition.
• Sync your file systems
• Delete needle.in.a.haystack from your
  small partition
• Use unrm to copy the unallocated blocks
• Use lazarus to profile the unallocated blocks.
  Can you find your needle.in.a.haystack?
My slides
• Slides
• http://www.sdsc.edu/~victor
• -> Coroners Toolkit presentation



