Incident Response Self-Compiling Toolkit

(Needs Testing!)

by Kenneth Voort

This project is licensed under the GNU General Public License

Project Summary Page

stattool.tar.bz2
stattool.tar.gz

The forensic investigation field has long been plagued with a lack of statically linked, trusted tools to use during live investigations of compromised machines. This is due mainly to the problems inherent when running tools on a victim machine which have been compiled against a different kernel and/or C library.

To this end, I have created a script which will provide necessary compiler and configuration flags to a number of source packages which are used in forensic investigation toolkits.

The goal of this project is to create a standardized utility for compiling statically linked toolkits for this purpose, which can be compiled on as many different platforms as possible. An incident response script based on F.I.R.E and Helix is also provided which more closely follows the order of volatility as specified in RFC 3227. This script will eventually be expanded to determine which, if any, specific vulnerabilities were exploited on a victim system to gain access.

At its current stage, this project has not been well tested. It compiles and links statically on Slackware 10 systems with C library version 2.3.2. Further testing is required to determine its compatibility with other C library versions, distributions and operating systems. Current problems include packages not compiling properly or not statically and random segmentation faults.

Future improvements before a beta release will include a comprehensive test suite, a more involved response script, a proper makefile, and a bug report generator.

At this point, this toolkit is *NOT* ready for use in forensic investigations. Certain statically linked tools will still call shared libraries. This is because of a difficulty encountered when compiled tools use NSS routines from the C library. These routines are dynamically linked at runtime, which is handled transparently by the C library. Compiling a toolkit which uses statically linked NSS routines is one of the major difficulties in making such a toolkit. Work is being done which will determine a way to portably generate a statically linkable version of the C library, using static NSS routines, which these tools will eventually be linked against. This is in accordance with the goals of this project: to generate a comprehensive toolkit which can be easily compiled for any system and does not touch the victim machine in any way, shape, or form.

Although statically linked tools which use NSS routines from the C library will still work without a C library, they will quite often produce insufficient output, or no output at all, which is unacceptable when running a response script given a timeframe of only a few minutes. At this point, the renaming of the C library to avoid its use, or the renaming of /lib and /usr/lib, would be an effective way to prevent this toolkit from using them. Some tools would not work properly, but the investigator would be assured that, beyond the temporary renaming of a directory or two, the victim machine's filesystem was not affected. A statically linkable version of the C library is being developed at this time.
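The NSS problem above can be screened for before a toolkit is shipped: a binary with no PT_INTERP program header does not need the victim's dynamic loader, yet it may still embed the C library's NSS loader, which opens libnss_*.so from the victim's /lib at run time. The following is an added example, not part of this project's script; it parses little-endian ELF64 program headers directly and treats a "libnss_" byte string in the image as a heuristic (an assumption) that the NSS loader was linked in.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types from the ELF specification

def elf_program_types(data):
    """Return the p_type of every program header in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]

def assess(data):
    """Classify an ELF image as 'dynamic', 'static-but-nss' or 'static'.

    PT_INTERP names the dynamic loader the victim machine would have to supply;
    PT_DYNAMIC is flagged as well, to stay conservative. A binary with neither
    can still carry the C library's NSS loader, which opens libnss_*.so at run
    time; the "libnss_" byte scan is a heuristic (assumption) for spotting that.
    """
    types = elf_program_types(data)
    if PT_INTERP in types or PT_DYNAMIC in types:
        return "dynamic"
    if b"libnss_" in data:
        return "static-but-nss"
    return "static"

def assess_file(path):
    with open(path, "rb") as fh:
        return assess(fh.read())

def build_elf64(ptypes, payload=b""):
    """Constructed minimal ELF64 image (not a runnable program) for exercising assess()."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs + payload

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. the compiled toolkit binaries
        print(path, assess_file(path))
```

Anything reported as "static-but-nss" is a tool that may silently fall back to the victim's libnss_* libraries, which is the class of tool the paragraph above warns about.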

Please email bug reports and suggestions to < kvoort (at) kvoort (dot) [SPAMGUARD] cjb (dot) net >

The following packages are included in this project:
2hash-v0.2
ald-0.1.7
bash-3.0
binutils-2.15
chkrootkit-0.44
coreutils-5.2.1
diffutils-2.8.1
ex-041202
fatback-1.3
file-4.12
findutils-4.2.20
foremost-0.69
gdb-6.3
grep-2.5.1a
ld.so-1.9.11
less-382
lsof_4.73
mac-robber-1.00
md5deep-1.4
net-tools-1.60
netcat
procinfo-18
procps-3.2.4
psmisc-21.5
shadow-4.0.6
sleuthkit-1.73
strace-4.5.8
sysvinit-2.86
unrm-0.92
util-linux-2.12i
