grave-robber - capture system forensic data
grave-robber [ -filmnpstvDEFIMOPVS ] [ -b body_file ] [ -c corpse_dir ]
[ -d data_directory ] [ -e error_file ] [ -o os_type ] [
grave-robber runs many sub-programs in an attempt to capture forensic
information about a Unix system. It captures process and network
information, as well as gathering data from the directory and all its
subdirectories passed as a command line argument (defaulting to the
root directory (‘/’) if no directories are specified.) It may be run
by any user, but note that many of the programs it runs require
It roughly captures data according to the Order of Volatility; the OOV
roughly says that certain data is more volatile or ephemeral than other
types (memory vs. disk, for instance); generally speaking you want to
capture the most volatile information before it goes away. However,
since any queries of the system risk disturbing other potentially
valuable data one must be careful. And while it impossible to automate
this perfectly, the grave-robber can be a useful way of automating the
The results are saved in the directory $DATA (the value of which is
found in the coroner.cf file), with each subprogram saving its output
to a separate file.
There are three main types of options - general, micro data collection,
and macro data collection. The general options control basic things
such as where output goes, program verbosity, etc. The micro data
collection flags allow finer grained control over what sort of data
gets collected - MACtimes, process information, etc. The macro data
collection flags group the micro data collection flags into logical
The grave robber will write lstat and md5 information to this
bodyfile instead of the default ($TCT_HOME/data/hostname/body).
A dead, not live, system (such as a mounted disk.) Prepend all
stuff with corpse_dir... e.g. -c /foo would make it look in
/foo/etc/passwd for the passwd file, etc. This also REQUIRES
the -o flag. Implies the -l option.
Specify the data directory; this overrides the $DATA/hostname
default. All forensic information captured goes into a
subdirectory of this directory. This subdirectory is formed by
concatenating the hostname the grave-robber was run from and
the date the program was executed.
The file to redirect the stderr stream to.
To be used with the -c flag, this tells the grave-robber what
sort of corpse you have. Acceptable values include ‘FREEBSD2’,
‘FREEBSD3’, ‘OPENBSD2’, ‘OPENBSD3’, ‘OPENBSD4’, ‘BSDI2’,
‘BSDI3’, ‘SUNOS4’, ‘SUNOS5’, and ‘LINUX2’.
-v Verbose; lots of output to stdout that attempts to give some
idea of what the program is doing at any given time.
-D debug - print *lots* of output. Usually not desired.
Macro Data Collection
-E This collects everything that it can, including dangerous
operations like pcat. Currently this only adds -I and -p to
-f Fast/quick capture - try to avoid the file system; no MD5’s,
lstat(), or other very expensive data grabbing. It doesn’t
make sense with the -m option. Implies -O, -P, & -s.
-n The default flag - if neither -E, -f, or any of the other data
options are chosen, then the -i, -m, -M, -P, -s, -t, -l, -I,
-O, -F, -S, and -V flags are set.
Micro Data Collection
-F collect files from the file system as the file walking moves
through. Copies things from the $conf_pattern variable (set in
coroner.cf, and usually including REGEXPs like "*.cf",
"*.conf", etc.) Implies -m (lstats() are done by the file
walking anyway, so we save that information)
-i collect inode data from the unallocated area of the file
systems. Requires read access to the device in question.
-I capture the executable files of running process. First try
copying the executable file using information found in /proc,
then try to use icat with inode information that was obtained
from lsof. Requires a live system.
-l Before gathering the requested information, lstat() all files
and directories listed in the user’s $PATH variable, listed in
the look@first file, and below the $TCT_HOME directory.
Requires a live system.
-M do md5’s of files - implies -m (lstats() are done anyway, so we
-m gather lstat() results for the mactime program.
-O save files that are open but have been deleted from the disk
(often config files, executables, etc.) Requires read access
to the device in question.
-p Copy process memory to file with the pcat command. WARNING -
some systems have significant trouble with this! Be sure to
test this first before using it in a crisis. Requires root
access to capture processes owned by other users, as well as a
-P run the process commands - ps, lsof, icat - to get data on
running processes and to make copies of their executable files.
Requires a live system for many of the commands. The icat
command requires privileges and is used only on systems where
the executable file cannot be accessed through the /proc file
-S save files listed in the save_these_files configuration file.
-s run the general Shell commands on the host; this includes
network & host info gathering, such as netstat, df, etc. This
doesn’t include process ( ps, lsof, etc. commands (see the -P
flag for that. Many require a live system.
-t gather trust information from both the host and users. This
includes hosts.equiv files, .rhosts, xhosts, etc.
-V do some mucking around in dev (deV? - Out of letters!), mostly
getting major & minor numbers for devices.
TCT_HOME, location of grave-robber software and configuration files.
grave-robber.cf the main configuration file (is perl executable code).
coroner.cf some global TCT defaults and configuration details (is perl
look@first files that are stashed away when the -L option is chosen.
mactime(1) ils(1) pcat(1) icat(1) coroner.cf look@first lazarus.README
Distributed under the details found in the COPYRIGHT file found in the
root directory of The Coroner’s Toolkit.