Installing The Coroner's Toolkit and using the mactime utility

Implementation Details
Introduction

In the aftermath of a network break-in, system administrators are often asked to explain what happened. The Coroner's Toolkit (TCT) is a collection of tools that gather and analyze data about a UNIX system and help the administrator answer that question. This implementation describes how to install TCT on the Sun Solaris operating system, version 2.x, and discusses the use of one TCT tool, mactime. You can use the same approach on other UNIX operating systems and hosts.

As the TCT authors point out: "If there was a theme, it would be the reconstruction of the past - determining as much as possible what happened with a static snapshot of a system." Such activities require an experienced and committed system administrator during the forensic investigation phase of an intrusion. No software can replace someone who knows the system well, but using TCT is a start. In the emerging field of computer forensics, few tools help identify an intruder's activities. TCT contains two major parts that help to identify what happened after a break-in:

grave-robber: This program controls several other tools that together capture as much information as possible about the system and its files.

unrm and lazarus: These programs can be used together to recover destroyed or lost data. unrm makes a copy of all unallocated (free) disk space; lazarus analyzes this copy and tries to determine the type of data it contains.

In future updates and in other implementations, we will provide more information about the TCT toolkit. For this implementation, we selected a utility included in TCT called mactime because it provides a limited but useful function without requiring detailed knowledge of the entire toolkit. mactime is used to access the time stamps of file objects. Three values are available: the last time the file's contents were Modified (mtime), the last time the file was Accessed (atime), and the last time the file's inode was Changed (ctime: owner, permissions, link count, and so on), hence the name mactime. Note that the "c" stands for inode change, not creation; standard UNIX file systems record no creation time, and ctime is also updated whenever the contents are modified. These values are properties of the file and are stored in its inode, not in the directory entry. Each value is overwritten by the next access, modification or inode change, so they are easily destroyed: collect them before doing anything else on the system, because almost any other activity (a backup, a find, a grep over the file system) updates access times. Even so, they provide valuable insight to an analyst who is responding to an intrusion or performing forensic analysis.
Effort Estimates

The time needed to retrieve the source code from the distribution site varies with your connection speed. The source code is less than 301 KB (version 1.06). Building and installing TCT depends on machine performance but on average takes less than ten minutes.

The TCT tools are used primarily for gathering data; therefore, using these tools can take considerably more time, depending on the system under examination. Analysis of the collected data can easily take hours.
System Prerequisites

You can build and install TCT on many UNIX systems. Version 1.06 supports the following systems to some degree:

Software Prerequisites

To build TCT on your system, you need Internet access to retrieve the following software tools:
Downloading and Verifying

The latest release of TCT is available from http://www.fish.com/tct/. It is also available from http://www.porcupine.org/forensics/tct.html.

Download the distribution package (at the time of this writing tct-1.06.tar.gz) into a directory (we assume /tmp for the rest of this implementation; on a multi-user host, prefer a directory that only root can write to, so that nobody can swap the archive between verification and unpacking). To verify the authenticity with PGP, you also need to download the detached PGP signature file into the same directory from

Verify the authenticity of the TCT distribution using PGP.

To do so, you need to get the PGP public key for "wietse venema <wietse@wzv.win.tue.nl>" and add it to your own PGP public key ring. You can get a copy of his key from the public PGP key servers. A valid signature shows that the archive has not been modified since the author signed it; it says nothing about whether the key you fetched is really his, so confirm the key's fingerprint through a channel independent of the key servers and the download site before trusting it. To verify the digital signature, issue the following command in the directory containing the downloaded files:

$ pgp tct-1.06.tar.gz.sig

If the signature doesn't match, verify that

Verify the authenticity of the TCT distribution using MD5.

You can also verify the TCT distribution by using MD5 checksums. Keep in mind that a checksum fetched from the same server as the archive guards against a corrupted transfer, not against a substituted archive: an intruder who can replace the archive on the server can replace the published checksum as well, and MD5 is no longer considered collision resistant. Prefer the PGP signature and treat the checksum as a second check.

File to Download: http://www.fish.com/tct/tct-1.06.tar.gz
MD5 Checksum: fe46fe1e83bbb73beba2b477b24f8e81

If the computed cryptographic checksum of the downloaded file does not correspond to the information above, verify that
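The checksum comparison above, as an added Python example (not part of this implementation or of TCT): it streams the archive through hashlib, accepts either the bare digest published on the download page or an md5sum-style "digest  filename" line, and fails closed on anything malformed. The expected digest in the block is the MD5 of the constructed three-byte file that demo() writes, not the TCT archive's checksum; substitute the published value for a real download.

```python
import hashlib
import os
import tempfile

# Constructed expected value: the MD5 of the three bytes "abc", which demo()
# writes to a temporary file.  For a real download, put the digest published
# by the distribution site here instead.
EXPECTED_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def md5_of_file(path, chunk_size=65536):
    """Lowercase hex MD5 of a file, read in chunks so that a large archive
    never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Accept either a bare digest or an md5sum-style line ("<hex>  <name>",
    with an optional '*' binary-mode marker before the name).  Returns
    (digest, name_or_None).  Anything that is not exactly 32 hex characters
    raises, so a truncated or garbled checksum fails closed instead of
    silently comparing unequal strings."""
    parts = line.strip().split(None, 1)
    if not parts:
        raise ValueError("empty checksum line")
    digest = parts[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a 32-character hex MD5 digest: %r" % parts[0])
    name = parts[1].lstrip("*") if len(parts) == 2 else None
    return digest, name


def verify_download(path, expected_line):
    """True only if the file's MD5 equals the expected digest (and, when the
    checksum line names a file, the names agree).  Do not unpack or build the
    archive when this returns False."""
    expected, name = parse_checksum_line(expected_line)
    if name is not None and os.path.basename(path) != name:
        return False
    return md5_of_file(path) == expected


def demo():
    """Exercise the check on constructed files: a good copy, a copy with one
    byte changed, a checksum line naming the right file, and one naming a
    different file."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "tct-1.06.tar.gz")
    bad = os.path.join(d, "tct-1.06.tar.gz.tampered")
    with open(good, "wb") as f:
        f.write(b"abc")
    with open(bad, "wb") as f:
        f.write(b"abd")
    return (verify_download(good, EXPECTED_MD5),
            verify_download(bad, EXPECTED_MD5),
            verify_download(good, EXPECTED_MD5 + "  tct-1.06.tar.gz"),
            verify_download(good, EXPECTED_MD5 + "  some-other-file.tar.gz"))


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The name check matters when the checksum comes from a list covering several files: a digest that matches, but for a different file name, is still the wrong digest for the file in hand.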
Building

TCT is distributed as a compressed source code package.

Choose a directory for installing the TCT distribution.

TCT is designed to execute from its own directory. By default, all output of the tools is stored within a subdirectory of its install directory. If you want to keep it that way, make sure to allocate a large amount of disk space, as the output of the tools can take hundreds of megabytes, depending on the system and its file systems. As an extreme example, the output of the unrm tool can consume twice as much space as the free space on a disk! Never write that output to the file system being examined: it would overwrite the very free space you are trying to recover. Options are available to direct all output to other directories if you run out of disk space or prefer to store it elsewhere.

For this implementation we assume that the TCT toolkit will be made available under /usr/local/. We explain at the end of the implementation how to create a write-protectable floppy disk so that an authentic copy is available when you need it.

# cd /usr/local

Unpack the TCT distribution.

The compressed file can be uncompressed using the GNU gunzip utility and unpacked using the system tar command:

# gunzip /tmp/tct-1.06.tar.gz
# tar xvf /tmp/tct-1.06.tar

This creates a subdirectory named tct-1.06. Rename this subdirectory to tct, the directory in which TCT is installed:

# mv tct-1.06 tct

Change to this directory (/usr/local/tct/) now, as all further operations are performed within it.

Build the TCT programs.

The Makefile contains the necessary configuration commands. Build the binaries with the make command:

# make

As the documentation points out: "Don't be too alarmed by any files that it says it can't find - unless it's something major, like perl (!) - it is attempting to find everything that it could possibly use for any operating system the package supports."
Testing

No test suites are available for TCT. A quick sanity check is to run mactime against the toolkit's own bin directory, as shown under Using mactime below, and confirm that the freshly built binaries appear with the time of the make run.
Installation

No further installation steps are needed, as the TCT toolkit is fully built in its installation directory. Simply provide the full path name to use any tool. Alternatively, you can create a symlink from another directory (such as /sbin) for frequently used commands.

All tools supported by this toolkit are accessible from the directory /usr/local/tct/bin/ (if you followed the steps above). Some additional (but unsupported) tools not yet used by the toolkit are accessible from the directory /usr/local/tct/extras/.

To have the man pages available, copy them into the default locations. The toolkit contains its own implementations of the file and md5 commands, so their man pages file.1 and md5.1 might already exist there; check before overwriting them:

# cp man/man1/* /usr/local/man/man1/
Using mactime

mactime is part of the TCT toolkit. The two basic ways to use it (independently or in concert with grave-robber) are explained below.

Using mactime independently of grave-robber.

mactime displays time stamp information for files within a user-specified time frame. You can provide either a start time or a start time/end time pair. Time is specified as "month/day/year". You need to specify a full four-digit year and a date after 1/1/1970. Specifying a second time value limits the processing to dates in the specified range.

The -d option tells mactime to ignore any existing database and read the time stamps from the live file system. Its argument is the name of a directory: mactime starts in the given directory and descends into its subdirectories only if the -R option is also given. You need read access to the files and directories concerned to obtain their time stamp values.

Two cautions apply when mactime reads the live file system of a compromised host. First, collect the time stamps before doing anything else: every command you run beforehand (ls, find, grep, a backup) updates the access times you want to examine, and the walk itself updates the access time of each directory it reads. Second, mactime runs on top of the host's kernel and libraries; if those have been modified to hide files, the listing will be incomplete. The write-protected media described at the end of this implementation protects the tools, not the kernel.

The following command displays all time stamps for the entire file system (we assume that all files were created after January 2, 1970). The -y option prints each date with the year first ("YY MM DD") instead of month first ("MM DD YY"). See mactime.1 for a list of all available options.

# /usr/local/tct/bin/mactime -y -R -d / 1/2/1970

mactime has some limited capabilities to create HTML output and to flag files by user id or by SUID/SGID bits. Use the following command to display the time stamp values of a specific subdirectory for files created or used in a fourteen-day period:

# /usr/local/tct/bin/mactime -y -d bin 1/1/2001-1/14/2001

The output will look similar to the following:

01 Jan 04 20:03:28     1279 m.c -rwxr--r-- root wheel bin/strip_tct_home
01 Jan 04 20:03:29    12300 m.c -rwxr--r-- root wheel bin/grave-robber
                      21639 m.c -rwxr--r-- root wheel bin/mactime
01 Jan 04 20:03:32    15149 m.c -rwxr-xr-x root wheel bin/md5
                      15772 m.c -rwxr-xr-x root wheel bin/timeout
01 Jan 04 20:03:37    62353 m.c -rwxr-xr-x root wheel bin/ils
                      60969 m.c -rwxr-xr-x root wheel bin/unrm
01 Jan 04 20:03:38    64814 m.c -rwxr-xr-x root wheel bin/icat
01 Jan 04 20:03:39    30640 m.c -rwxr-xr-x root wheel bin/pcat
01 Jan 04 20:03:43    73830 m.c -rwxr-xr-x root wheel bin/file
01 Jan 04 20:03:45    21698 m.c -rwxr-xr-x root wheel bin/lastcomm
                       8455 m.c -rwxr-xr-x root wheel bin/major_minor
01 Jan 13 23:04:34    64814 .a. -rwxr-xr-x root wheel bin/icat
                      62353 .a. -rwxr-xr-x root wheel bin/ils
                      21698 .a. -rwxr-xr-x root wheel bin/lastcomm
                       8455 .a. -rwxr-xr-x root wheel bin/major_minor
                      15149 .a. -rwxr-xr-x root wheel bin/md5
                       1279 .a. -rwxr--r-- root wheel bin/strip_tct_home
01 Jan 13 23:04:38    30640 .a. -rwxr-xr-x root wheel bin/pcat
01 Jan 13 23:04:39    12300 .a. -rwxr--r-- root wheel bin/grave-robber
01 Jan 13 23:23:36    60969 .a. -rwxr-xr-x root wheel bin/unrm
01 Jan 13 23:25:31    73830 .a. -rwxr-xr-x root wheel bin/file

All files (the file name is in the last column) are listed in order by date and time (first column); when consecutive entries share a time stamp, the date and time are printed once. The second column lists the size of the file. The next column shows which of the three time stamps fell on that date and time: m for modification, a for access, and c for inode change (not creation). "m.c" therefore means the file's contents and inode were written at that moment, as happens when make creates a binary (the entries of January 4 above); ".a." means the file was only read, here when the tools were executed on January 13. This is followed by the access rights, user name, and group name.
Using mactime with grave-robber.

mactime can also read time stamp values previously stored in a database created by grave-robber (as opposed to reading them from the live file system as described above). Access uses the same options described above; just omit the -d option and its argument. The database must exist before any access, which is accomplished by running grave-robber. mactime and grave-robber use a common configuration file to establish the location of the database.

grave-robber can collect much more data than the time stamp values, but a discussion of its extensive features is outside the scope of this implementation. To collect only time stamp values, use option -m:

# /usr/local/tct/bin/grave-robber -m /

The results are stored in the default database directory /usr/local/tct/data/. For each run, a new subdirectory is created, named after the host name and the time of execution (for example my-host_2001_01_15_01:32:23_+0100). This allows you to access prior results at a later time. There are options to change the name of the database directory and related files; see grave-robber.1 for more information. Because the default database directory lies on the examined host's own file system, writing to it alters that file system; for a real investigation, direct the output to separate media.

# /usr/local/tct/bin/mactime -y 1/1/2001-1/14/2001

Reading the database, mactime retrieves every file with a time stamp value in the given range. The output format is the same as shown above; since the database covers the whole file system, the listing is no longer limited to the bin subdirectory.
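Both ways of using mactime described above, as an added Python example that is not code from TCT or from this implementation: collect() takes the snapshot the way grave-robber -m does (one lstat() per object, before anything else runs), save_body() and load_body() keep it in a tab-separated layout constructed for this example (not the tm-format.5 layout TCT uses), and timeline() produces rows in mactime's order and flag notation for a start/end date pair, merging the m, a and c stamps of one file into a single row when they coincide. demo() builds a constructed two-file tree with January 2001 time stamps; the inclusive end day and the numeric user and group ids are choices of this example.

```python
import os
import stat
import tempfile
import time

# Columns of the snapshot file written by save_body() (a layout constructed
# for this example; grave-robber's real body format is described in
# tm-format.5 and is not reproduced here).
COLUMNS = ("path", "size", "mode", "uid", "gid", "mtime", "atime", "ctime")


def collect(root, recursive=True):
    """Snapshot the time stamps of every object below root with lstat(), which
    reads the inode without updating the object's own access time (reading the
    directories does update the directories' atime).  Analogue of
    'grave-robber -m': run once, first, then analyse the snapshot."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records.append({"path": path, "size": st.st_size, "mode": st.st_mode,
                            "uid": st.st_uid, "gid": st.st_gid,
                            "mtime": int(st.st_mtime), "atime": int(st.st_atime),
                            "ctime": int(st.st_ctime)})
        if not recursive:      # os.walk is top-down, so stop after root itself
            break
    return records


def save_body(records, path):
    """Store the snapshot (tab-separated) on separate media so later queries
    never touch the examined file system again."""
    with open(path, "w") as f:
        for r in records:
            f.write("\t".join(str(r[c]) for c in COLUMNS) + "\n")


def load_body(path):
    records = []
    with open(path) as f:
        for line in f:
            r = dict(zip(COLUMNS, line.rstrip("\n").split("\t")))
            for c in COLUMNS[1:]:
                r[c] = int(r[c])
            records.append(r)
    return records


def parse_date(s):
    """'month/day/year' with a four-digit year, interpreted in local time."""
    return int(time.mktime(time.strptime(s, "%m/%d/%Y")))


def timeline(records, start, end=None):
    """Rows in mactime's layout for every stamp within [start, end]; the end
    day is taken as inclusive (an assumption of this example).  Stamps of one
    file that coincide merge into a single row ('m.c'); others get their own."""
    lo = parse_date(start)
    hi = parse_date(end) + 86399 if end else None
    by_path = {r["path"]: r for r in records}
    buckets = {}
    for r in records:
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            t = r[key]
            if t >= lo and (hi is None or t <= hi):
                buckets.setdefault((t, r["path"]), set()).add(flag)
    rows, last = [], None
    for (t, path), flags in sorted(buckets.items()):
        r = by_path[path]
        when = "" if t == last else time.strftime("%y %b %d %H:%M:%S", time.localtime(t))
        rows.append({"when": when, "size": r["size"],
                     "flags": "".join(f if f in flags else "." for f in "mac"),
                     "mode": stat.filemode(r["mode"]),
                     # numeric ids rather than names: a compromised host's
                     # passwd and group files are not a trustworthy lookup table
                     "uid": r["uid"], "gid": r["gid"], "path": path})
        last = t
    return rows


def format_rows(rows):
    return "\n".join("%-18s %8d %s %s %5d %5d %s" % (r["when"], r["size"], r["flags"],
                     r["mode"], r["uid"], r["gid"], r["path"]) for r in rows)


def demo():
    """Constructed input: two files whose atime/mtime are set into January 2001.
    ctime cannot be set from user space, so it stays at 'now' and falls outside
    the queried range, as it would for a real file untouched since then."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    gr = os.path.join(root, "bin", "grave-robber")
    mt = os.path.join(root, "bin", "mactime")
    for p in (gr, mt):
        with open(p, "wb") as f:
            f.write(b"#!/usr/bin/perl\n")
    built = parse_date("1/4/2001") + 20 * 3600 + 3 * 60 + 29   # 01 Jan 04 20:03:29
    run = parse_date("1/13/2001") + 23 * 3600 + 4 * 60 + 39    # 01 Jan 13 23:04:39
    os.utime(gr, (run, built))      # (atime, mtime): built on the 4th, executed on the 13th
    os.utime(mt, (built, built))    # built on the 4th, never used afterwards
    body = os.path.join(root, "body")
    save_body(collect(root), body)
    return timeline(load_body(body), "1/1/2001", "1/14/2001")


if __name__ == "__main__":
    print(format_rows(demo()))
```

Running demo() prints three rows: grave-robber and mactime share the build second (flags "m.." and "ma.", the date printed once), and grave-robber alone appears again with ".a." on the 13th. The snapshot is taken exactly once; every later query reads the saved body file, which is the property that makes the grave-robber workflow safer than repeated live walks.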
Put it on a Floppy Disk

The Coroner's Toolkit is small enough to be put on a write-protected floppy disk for use in an actual investigation. You might use the online copy, especially mactime, in day-to-day operation. But when you want to do a detailed analysis of a compromised system, you need to base your analysis on tools that are authentic and not themselves compromised. Keeping them on isolated, write-protected media that has been under your own control since its creation is the safest way to provide such tools.

We recognize that it is not enough to have the TCT tools on a write-protected floppy disk. Instead, we recommend that you create a more complete CD-ROM containing copies of the tools TCT requires (including Perl) as well as the tools TCT calls (including lsof, last, lastcomm, ps, and so on). Note that dynamically linked programs still load the shared libraries of the compromised host, so build the tools on the media statically where possible or ship the libraries they need along with them; nothing on removable media protects you from a modified kernel. To complicate things further, be aware that any media you create will work only under specific circumstances:
Prepare a new floppy disk.

To prepare a new floppy disk, insert a new, blank floppy into the floppy drive.

Add the following line to the file /etc/vfstab:

/dev/diskette /dev/rdiskette /floppy/tct ufs 2 yes -

This will automatically mount the floppy disk when the machine boots. Next, determine whether Volume Management is running:

# ps -e | grep vold

If any process named vold is listed (similar to the ps output below), Volume Management is running.

 1680 ?        0:00 vold

Depending on your configuration, you have two choices:

1) If Volume Management is running, issue the following commands:

# fdformat -U -H -b tct

Remove and reinsert the floppy disk.

# volcheck

2) If Volume Management is not running, issue the following commands:

# fdformat -U -H -b tct
Prepare a copy of TCT that is small enough to copy to a floppy disk.

TCT as installed above is too large to be placed on a floppy disk. Therefore you need to prepare a small enough copy before you can place it on the floppy.

# mkdir /usr/local/tct-copy

After this step you are ready to copy the remaining files onto the floppy disk:

# cp -R /usr/local/tct-copy/* /floppy/tct/
Initiate a reconfiguration of TCT.

Because the copy still contains references to the directories it was previously installed in, all these references need to be changed. For this purpose the authors of TCT provide a reconfiguration script that makes this task very simple.

# cd /floppy/tct

After the script terminates, unmount the floppy and write-protect it. Store the floppy in a safe place to avoid any later tampering, and record the checksums of its files at creation time, kept separately from the disk, so that you can later confirm that the media you pick up is the one you made.
Tripwire Configuration

The following is the Tripwire configuration for the TCT program following installation. The following files should not change; any change is unexpected and should be analyzed. Keep in mind that most of the TCT tools create, or operate on, previously collected data; those data files are not listed here, and neither are documentation files other than the man pages. We recommend that you adjust the configuration below to reflect your needs:

@@define BINARY E+pinugsamc1-023456789
@@define DYNAMIC E+pinugc-sam0123456789
/usr/local/man/man1/file.1 @@BINARY
/usr/local/man/man1/lazarus.1 @@BINARY
/usr/local/man/man1/grave-robber.1 @@BINARY
/usr/local/man/man1/icat.1 @@BINARY
/usr/local/man/man1/ils.1 @@BINARY
/usr/local/man/man1/lastcomm.1 @@BINARY
/usr/local/man/man1/major_minor.1 @@BINARY
/usr/local/man/man1/md5.1 @@BINARY
/usr/local/man/man1/pcat.1 @@BINARY
/usr/local/man/man1/unrm.1 @@BINARY
/usr/local/man/man1/mactime.1 @@BINARY
/usr/local/man/man1/timeout.1 @@BINARY
/usr/local/man/man5/magic.5 @@BINARY
/usr/local/man/man5/tm-format.5 @@BINARY
/usr/local/tct/lib/body_init.pl @@BINARY
/usr/local/tct/lib/bsd.pl @@BINARY
/usr/local/tct/lib/chk_binaries.pl @@BINARY
/usr/local/tct/lib/command.pl @@BINARY
/usr/local/tct/lib/crunch.pl @@BINARY
/usr/local/tct/lib/date.pl @@BINARY
/usr/local/tct/lib/datez.pl @@BINARY
/usr/local/tct/lib/dig-sig.pl @@BINARY
/usr/local/tct/lib/file_mode.pl @@BINARY
/usr/local/tct/lib/getopts.pl @@BINARY
/usr/local/tct/lib/hostname.pl @@BINARY
/usr/local/tct/lib/is_able.pl @@BINARY
/usr/local/tct/lib/linux.pl @@BINARY
/usr/local/tct/lib/logger.pl @@BINARY
/usr/local/tct/lib/maj_min_walk.pl @@BINARY
/usr/local/tct/lib/major_minor.pl @@BINARY
/usr/local/tct/lib/misc.pl @@BINARY
/usr/local/tct/lib/ostype.pl @@BINARY
/usr/local/tct/lib/pass.cache.pl @@BINARY
/usr/local/tct/lib/print_table.pl @@BINARY
/usr/local/tct/lib/proc.pl @@BINARY
/usr/local/tct/lib/process_dirs.pl @@BINARY
/usr/local/tct/lib/ps_spy.pl @@BINARY
/usr/local/tct/lib/rawdev.pl @@BINARY
/usr/local/tct/lib/realpath.pl @@BINARY
/usr/local/tct/lib/save_the_files.pl @@BINARY
/usr/local/tct/lib/savecore.pl @@BINARY
/usr/local/tct/lib/solaris.pl @@BINARY
/usr/local/tct/lib/stat.pl @@BINARY
/usr/local/tct/lib/suck_free_inodes.pl @@BINARY
/usr/local/tct/lib/suck_table.pl @@BINARY
/usr/local/tct/lib/sunos.pl @@BINARY
/usr/local/tct/lib/system_stubs.pl @@BINARY
/usr/local/tct/lib/tm_misc.pl @@BINARY
/usr/local/tct/lib/tree.pl @@BINARY
/usr/local/tct/lib/trust.pl @@BINARY
/usr/local/tct/lib/vault_cp.pl @@BINARY
/usr/local/tct/conf/coroner.cf @@BINARY
/usr/local/tct/conf/grave-robber.cf @@BINARY
/usr/local/tct/conf/lazarus.cf @@BINARY
/usr/local/tct/conf/look@first @@BINARY
/usr/local/tct/conf/mac_file.headers @@BINARY
/usr/local/tct/conf/mac_file.lst @@BINARY
/usr/local/tct/conf/paths.pl @@BINARY
/usr/local/tct/conf/paths.pl.old @@BINARY
/usr/local/tct/conf/save_these_files @@BINARY
/usr/local/tct/Date/Manip.pm @@BINARY
/usr/local/tct/etc/magic @@BINARY
/usr/local/tct/lazarus/lazarus @@BINARY
/usr/local/tct/lazarus/post-processing/rip-mail @@BINARY
/usr/local/tct/bin/file @@BINARY
/usr/local/tct/bin/grave-robber @@BINARY
/usr/local/tct/bin/icat @@BINARY
/usr/local/tct/bin/ils @@BINARY
/usr/local/tct/bin/lastcomm @@BINARY
/usr/local/tct/bin/lazarus @@BINARY
/usr/local/tct/bin/mactime @@BINARY
/usr/local/tct/bin/major_minor @@BINARY
/usr/local/tct/bin/md5 @@BINARY
/usr/local/tct/bin/pcat @@BINARY
/usr/local/tct/bin/strip_tct_home @@BINARY
/usr/local/tct/bin/timeout @@BINARY
/usr/local/tct/bin/unrm @@BINARY