Man Linux: Main Page and Category List


       grave-robber - capture system forensic data


       grave-robber [ -filmnpstvDEFIMOPVS ] [ -b body_file ] [ -c corpse_dir ]
       [  -d  data_directory  ]  [  -e  error_file  ]  [  -o   os_type   ]   [
       directory_name(s) ]


       grave-robber  runs  many sub-programs in an attempt to capture forensic
       information about a Unix  system.   It  captures  process  and  network
       information,  as  well as gathering data from the directory and all its
       subdirectories passed as a command line  argument  (defaulting  to  the
       root  directory  (‘/’) if no directories are specified.)  It may be run
       by any user, but note  that  many  of  the  programs  it  runs  require
       privileged access.

       It  roughly captures data according to the Order of Volatility; the OOV
       roughly says that certain data is more volatile or ephemeral than other
       types  (memory  vs. disk, for instance); generally speaking you want to
       capture the most volatile information before it  goes  away.   However,
       since  any  queries  of  the  system  risk disturbing other potentially
       valuable data one must be careful.  And while it impossible to automate
       this  perfectly, the grave-robber can be a useful way of automating the

       The results are saved in the directory $DATA (the  value  of  which  is
       found  in  the file), with each subprogram saving its output
       to a separate file.


       There are three main types of options - general, micro data collection,
       and  macro  data  collection.  The general options control basic things
       such as where output goes, program  verbosity,  etc.   The  micro  data
       collection  flags  allow  finer  grained control over what sort of data
       gets collected - MACtimes, process information, etc.   The  macro  data
       collection  flags  group  the  micro data collection flags into logical

General Options

       -b body_file
               The grave robber will write lstat and md5 information  to  this
               bodyfile instead of the default ($TCT_HOME/data/hostname/body).

       -c corpse_dir
               A dead, not live, system (such as a mounted disk.)  Prepend all
               stuff  with  corpse_dir...  e.g.  -c /foo would make it look in
               /foo/etc/passwd for the passwd file, etc.  This  also  REQUIRES
               the -o flag.  Implies the -l option.

       -d datadir
               Specify  the  data directory; this overrides the $DATA/hostname
               default.   All  forensic  information  captured  goes  into   a
               subdirectory of this directory.  This subdirectory is formed by
               concatenating the hostname the grave-robber was  run  from  and
               the date the program was executed.

       -e errorfile
               The file to redirect the stderr stream to.

       -o os_type
               To  be  used with the -c flag, this tells the grave-robber what
               sort of corpse you have.  Acceptable values include ‘FREEBSD2’,
               ‘FREEBSD3’,   ‘OPENBSD2’,   ‘OPENBSD3’,   ‘OPENBSD4’,  ‘BSDI2’,
               ‘BSDI3’, ‘SUNOS4’, ‘SUNOS5’, and ‘LINUX2’.

       -v      Verbose; lots of output to stdout that attempts  to  give  some
               idea of what the program is doing at any given time.

       -D      debug - print *lots* of output.  Usually not desired.

Macro Data Collection

       -E      This  collects  everything  that  it  can,  including dangerous
               operations like pcat.  Currently this only adds -I  and  -p  to
               the default.

       -f      Fast/quick  capture  -  try to avoid the file system; no MD5’s,
               lstat(),  or other very expensive data  grabbing.   It  doesn’t
               make sense with the -m option.  Implies -O, -P, & -s.

       -n      The  default flag - if neither -E, -f, or any of the other data
               options are chosen, then the -i, -m, -M, -P, -s,  -t,  -l,  -I,
               -O, -F, -S, and -V flags are set.

Micro Data Collection

       -F      collect  files  from  the file system as the file walking moves
               through.  Copies things from the $conf_pattern variable (set in
     ,   and   usually   including  REGEXPs  like  "*.cf",
               "*.conf", etc.)  Implies -m (lstats()  are  done  by  the  file
               walking anyway, so we save that information)

       -i      collect  inode  data  from  the  unallocated  area  of the file
               systems.  Requires read access to the device in question.

       -I      capture the executable files of  running  process.   First  try
               copying  the  executable file using information found in /proc,
               then try to use icat with inode information that  was  obtained
               from lsof.  Requires a live system.

       -l      Before  gathering  the requested information, lstat() all files
               and directories listed in the user’s $PATH variable, listed  in
               the   look@first  file,  and  below  the  $TCT_HOME  directory.
               Requires a live system.

       -M      do md5’s of files - implies -m (lstats() are done anyway, so we
               save them)

       -m      gather lstat() results for the mactime program.

       -O      save  files  that  are open but have been deleted from the disk
               (often config files, executables, etc.)  Requires  read  access
               to the device in question.

       -p      Copy  process  memory to file with the pcat command.  WARNING -
               some systems have significant trouble with this!   Be  sure  to
               test  this  first  before  using it in a crisis.  Requires root
               access to capture processes owned by other users, as well as  a
               live system.

       -P      run  the  process  commands  -  ps, lsof, icat - to get data on
               running processes and to make copies of their executable files.
               Requires  a  live  system  for  many of the commands.  The icat
               command requires privileges and is used only on  systems  where
               the  executable  file cannot be accessed through the /proc file

       -S      save files listed in the save_these_files configuration file.

       -s      run the general Shell  commands  on  the  host;  this  includes
               network  & host info gathering, such as netstat, df, etc.  This
               doesn’t include process ( ps, lsof, etc. commands (see  the  -P
               flag for that.  Many require a live system.

       -t      gather  trust  information  from both the host and users.  This
               includes hosts.equiv files, .rhosts, xhosts, etc.

       -V      do some mucking around in dev (deV? - Out of letters!),  mostly
               getting major & minor numbers for devices.


       TCT_HOME, location of grave-robber software and configuration files.

FILES  the main configuration file (is perl executable code). some global TCT defaults and configuration details (is  perl
       executable code).
       look@first files that are stashed away when the -L option is chosen.


       mactime(1) ils(1) pcat(1) icat(1) look@first lazarus.README


       Distributed  under the details found in the COPYRIGHT file found in the
       root directory of The Coroner’s Toolkit.


       dan farmer