The Coroner's Toolkit
The Coroner's Toolkit (TCT) is a suite of tools written by Wietse Venema
and Dan Farmer that was written to help a System Admin doing forensic
analysis on their cracked Unix box. The tools are written in a
mixture of c and perl. The authors say that TCT does not have
one single goal, but instead it has the theme of making a
snapshot of the machine so that there can be an attempt towards
reconstruction of the past. The software is released under the IBM Public
License and all source code is included.
TCT can be downloaded from:
Quite a few Unix OS's are supported the INSTALL document lists the following:
Currently the following OS's are at least semi-supported (e.g. the
more recent versions (as of this writing, June 24, 2000) of the OS
The suite tared and gziped is about 300K. It is suggested that for normal
usage the tools will need between several MB and more than one hundred
MB. If you are going to be using the unrm or Lazarus tools then the
space you will need is based on the amount of disk you are going to
use them on and you may need more than one disk.
The software is designed to be used from the directory that it is
untarred to, so to install it you just download the tar file, unzip it
and then untar it.
To compile TCT cd into the install directory and type make. The make
file will try to determine
what OS you are running and try to do the right thing. I did my
installation on a RedHat Linux 6.1 machine (2.2.12-20 Kernel) and it
worked like a champ.
When you have compiled everything you will have the following tools in
the bin/ directory:
- grave-robber - the main data gathering program.
It runs the following programs:
- file - Ian Darwin's file command
- icat - copies a file by inode number.
- ils - list file system inode information.
- lastcomm - a portable lastcomm command
- mactime - the M, A, C time file system reporter.
- md5 - the RSA MD5 digital signature tool.
- pcat - copies the address space of a running process.
- unrm - uncovers unallocated blocks from a raw Unix file system.
- Lazarus - attempts to resurrect deleted files or data from raw data
There are some other tools that are only used internally by TCT that I
have not listed. If you are interested they are described in the
documentation that comes with the package.
To start the toolkit type 'bin/grave-robber' from the installation
directory. grave-robber has lots of command line perimeters you can
give it. To learn about all of them there are man pages included in
the distribution. The more interesting ones include -v which turns on
verbose mode, -f fast mode turns off the md5 hash and some other slow
things, and -p copy process memory to a file with pcat (this one has
a warning that some systems have problems with this).
grave-robber runs the tools based on the Order of Volatility. The
authors describe the Order of Volatility as certain data is more
volatile than other types and that you want to capture the most
volatile information first, before it has gone away.
By default grave-robber runs on the entire system and it is suggested
that you run the tool as root so that it can look at the things that a
normal user can not. The file system scan can run for hours if you
have enough disk.
For my test I ran grave-robber with no command line perimeters. Grave
robber ran for about two hours and generated about 64MB of data. The
machine that I was using is a Dell Pentium MMX 133 with 32MB memory
running RedHat Linux 6.1. It has 1.4 GB of disk space being used.
Analyzing the Data
When the data gathering has finished you have two files in the install
directory error.log and coroner.log. The error log (surprise) has a
listing of any errors that grave-robber ran into and coroner.log has a
listing of everything that grave-robber did.
All of the data gathered is under the data directory in a directory
named the system name and the data/time. Here is a list of the
data that was gathered on my machine.
A subdirectory that contains a dump of the processes that are
running and a md5 hash of them.
A subdirectory that keeps the output of most of the programs that
execute code under the grave-robber.
Each file in this directory is generally named
after the command run and its arguments. In
an MD5 (of the output file) & time stamp (of
the program was run) is created, saved to the
filename with the ".md5" extension.
This is the mactime database.
This contains file attributes of all SUID
files. They are in the normal mactime DB
as well, it's simply simpler to see them
This directory contains all deleted files that were
still open or running when the grave-robber
ran. (Done by a combination of ils & icat).
This directory is an archive of all the files that
the grave-robber found of interest.
files, critical files & directories, etc.
controlled by the configuration files:
A subdirectory that contains information on trust relationships.
contains information about users on the system.
Listing of md5 hashes for all the data files.
md5 hash of MD5_all. (Nothing like covering all the bases :)
Other than generating the md5 hashes and finding running programs that
have been removed none of this data has really been analyzed, only collected.
The analysis part will have to be done by the System Admin. I do not
think that this is a bad thing it is very useful to be able to grab a
snapshot of the system state. A tool that attempted to do all of the
analysis would be a tool that could be fooled by the cracker rootkits
Also included in TCT are some extra programs that they say they have
been using to test or analyze systems.
From the README:
bdf - Basic Dependency Finder. This rather odd thing goes
text & binaries files recursively, looking for executables
files of potential interest. Try it on /etc/rc files and
whatnot for a laugh. Look at options and such in the
at the top of the code.
ils2mac - This converts the output of the ils command to a "body"
database that mactime can use. This is how we get mactimes
for removed files. You can concatenate it to a normal body
file and look at the combined results for better
of system behavior.
realpath - uses the realpath library to get the real path of a file
(resolves links, etc.)
findkey - Search data for cryptographic keys.
entropy - Compute data entropy a la Shannon.
I found this to be a very useful package of tools that gives you a
good snapshot of the state of a compromised machine. While not being
designed for a newbie it would still allow a less experienced Admin to
collect the data so that someone with more experience could look at
later. This is a tool that would have been very useful when the
system I was helping to run had been cracked.
Wietse Venema and Dan Farmer have done it
again. They have expanded the world of Open Source security software
and provided us with useful and needed security tools.