grave-robber(1) capture system forensic data


grave-robber [ -filmnpstvDEFIMOPVS ] [ -b body_file ] [ -c corpse_dir ] [ -d data_directory ] [ -e error_file ] [ -o os_type ] [ directory_name(s) ]


grave-robber runs many sub-programs in an attempt to capture forensic information about a Unix system. It captures process and network information, as well as gathering data from the directory and all its subdirectories passed as a command line argument (defaulting to the root directory (`/') if no directories are specified.) It may be run by any user, but note that many of the programs it runs require privileged access.

It roughly captures data according to the Order of Volatility; the OOV roughly says that certain data is more volatile or ephemeral than other types (memory vs. disk, for instance); generally speaking you want to capture the most volatile information before it goes away. However, since any queries of the system risk disturbing other potentially valuable data one must be careful. And while it impossible to automate this perfectly, the grave-robber can be a useful way of automating the process.

The results are saved in the directory $DATA (the value of which is found in the file), with each subprogram saving its output to a separate file.


There are three main types of options - general, micro data collection, and macro data collection. The general options control basic things such as where output goes, program verbosity, etc. The micro data collection flags allow finer grained control over what sort of data gets collected - MACtimes, process information, etc. The macro data collection flags group the micro data collection flags into logical groups.

General Options

-b body_file
The grave robber will write lstat and md5 information to this bodyfile instead of the default ($TCT_HOME/data/hostname/body).
-c corpse_dir
A dead, not live, system (such as a mounted disk.) Prepend all stuff with corpse_dir... e.g. -c /foo would make it look in /foo/etc/passwd for the passwd file, etc. This also REQUIRES the -o flag. Implies the -l option.
-d datadir
Specify the data directory; this overrides the $DATA/hostname default. All forensic information captured goes into a subdirectory of this directory. This subdirectory is formed by concatenating the hostname the grave-robber was run from and the date the program was executed.
-e errorfile
The file to redirect the stderr stream to.
-o os_type
To be used with the -c flag, this tells the grave-robber what sort of corpse you have. Acceptable values include `FREEBSD2', `FREEBSD3', `OPENBSD2', `OPENBSD3', `OPENBSD4', `BSDI2', `BSDI3', `SUNOS4', `SUNOS5', and `LINUX2'.
Verbose; lots of output to stdout that attempts to give some idea of what the program is doing at any given time.
debug - print *lots* of output. Usually not desired.

Macro Data Collection

This collects everything that it can, including dangerous operations like pcat. Currently this only adds -I and -p to the default.
Fast/quick capture - try to avoid the file system; no MD5's, lstat(), or other very expensive data grabbing. It doesn't make sense with the -m option. Implies -O, -P, & -s.
The default flag - if neither -E, -f, or any of the other data options are chosen, then the -i, -m, -M, -P, -s, -t, -l, -I, -O, -F, -S, and -V flags are set.

Micro Data Collection

collect files from the file system as the file walking moves through. Copies things from the $conf_pattern variable (set in, and usually including REGEXPs like "*.cf", "*.conf", etc.) Implies -m (lstats() are done by the file walking anyway, so we save that information)
collect inode data from the unallocated area of the file systems. Requires read access to the device in question.
capture the executable files of running process. First try copying the executable file using information found in /proc, then try to use icat with inode information that was obtained from lsof. Requires a live system.
Before gathering the requested information, lstat() all files and directories listed in the user's $PATH variable, listed in the look@first file, and below the $TCT_HOME directory. Requires a live system.
do md5's of files - implies -m (lstats() are done anyway, so we save them)
gather lstat() results for the mactime program.
save files that are open but have been deleted from the disk (often config files, executables, etc.) Requires read access to the device in question.
Copy process memory to file with the pcat command. WARNING - some systems have significant trouble with this! Be sure to test this first before using it in a crisis. Requires root access to capture processes owned by other users, as well as a live system.
run the process commands - ps, lsof, icat - to get data on running processes and to make copies of their executable files. Requires a live system for many of the commands. The icat command requires privileges and is used only on systems where the executable file cannot be accessed through the /proc file system.
save files listed in the save_these_files configuration file.
run the general Shell commands on the host; this includes network & host info gathering, such as netstat, df, etc. This doesn't include process ( ps, lsof, etc. commands (see the -P flag for that. Many require a live system.
gather trust information from both the host and users. This includes hosts.equiv files, .rhosts, xhosts, etc.
do some mucking around in dev (deV? - Out of letters!), mostly getting major & minor numbers for devices.


TCT_HOME, location of grave-robber software and configuration files.

FILES the main configuration file (is perl executable code). some global TCT defaults and configuration details (is perl executable code).
look@first files that are stashed away when the -L option is chosen.


Distributed under the details found in the COPYRIGHT file found in the root directory of The Coroner's Toolkit.


dan farmer
[email protected]