
Notes:
RUNNING GRAVEROBBER:
Ultimately a cdrom with binaries for <platform>-<os>
Contents: tct-1.03, cryptcat(1), dd(1), files listed in tct-1.03/conf/paths.pl
Customized:
paths.pl for the cdrom-provided trusted binaries
grave-robber.cf for:
$blocks = <writable path>/blocks
$error_log = <writable path>/error.log
$conf_vault = <writable path>/conf_vault
$user_vault = <writable path>/user_vault
$strings_log = <writable path>/strings_log
FLAGS:
-v Verbose; lots of output to stdout that attempts to give some idea of what the program is doing at any given time.
-F collect files from the file system as the file walking moves through. Copies files matching the $conf_pattern variable (set in coroner.cf, and usually including REGEXPs like "*.cf", "*.conf", etc.). Implies -m (lstats() are done by the file walking anyway, so we save that information).
-i collect inode data from the unallocated area of the file systems. Requires read access to the device in question.
-l Before gathering the requested information, lstat() all files and directories listed in the user's $PATH variable, listed in the look@first file, and below the $TCT_HOME directory. Requires a live system.
-M do md5's of files - implies -m (lstats() are done anyway, so we save them)
-m gather lstat() results for the mactime program.
-O save files that are open but have been deleted from the disk (often config files, executables, etc.) Requires read access to the device in question.
-P run the process commands - ps, lsof, icat - to get data on running processes and to make copies of their executable files. Requires a live system for many of the commands. The icat command requires privileges and is used only on systems where the executable file cannot be accessed through the /proc file system.
-S save files listed in the save_these_files configuration file.
-s run the general Shell commands on the host; this includes network & host info gathering, such as netstat, df, etc. This doesn't include the process commands (ps, lsof, etc.; see the -P flag for that). Many require a live system.
-t gather trust information from both the host and users. This includes hosts.equiv files, .rhosts, xhosts, etc.
-V do some mucking around in dev (deV? - Out of letters!), mostly getting major & minor numbers for devices.
/ gather data from the / directory and all its subdirectories
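How these notes fit together as a script, as an added example that is not part of TCT or of the original notes: it writes the customized grave-robber.cf entries, rejects an output directory that is on the read-only media or unwritable, and launches grave-robber with PATH and TCT_HOME restricted to the CD-ROM. The <cdrom>/bin directory for the trusted binaries, the staging directory and the flag set in the gr_run comment are assumptions.

```shell
# Added example (not TCT's own code): stage the customization from the notes above and
# run grave-robber with nothing but the CD-ROM's binaries. Assumed layout: <cdrom>/tct-1.03
# (TCT_HOME) and <cdrom>/bin holding the trusted binaries; <writable path> is any
# directory off the suspect's disks, e.g. a mounted evidence drive.

# Emit the five grave-robber.cf assignments from the notes, pointed at the writable path.
gr_conf_lines() {
    w=$1
    printf '$blocks = "%s/blocks";\n'            "$w"
    printf '$error_log = "%s/error.log";\n'      "$w"
    printf '$conf_vault = "%s/conf_vault";\n'    "$w"
    printf '$user_vault = "%s/user_vault";\n'    "$w"
    printf '$strings_log = "%s/strings_log";\n'  "$w"
}

# Append them to the staged grave-robber.cf before the image is burned. The file is
# Perl, so a later assignment overrides the stock default above it.
# Usage: gr_customize <staging dir> <writable path>; prints the file it wrote.
gr_customize() {
    stage=$1; w=$2
    cf="$stage/tct-1.03/conf/grave-robber.cf"
    mkdir -p "$stage/tct-1.03/conf"
    { echo "# cdrom customization: vaults and logs under $w"; gr_conf_lines "$w"; } >> "$cf"
    echo "$cf"
}

# Refuse an output directory that is not writable or that sits on the read-only CD-ROM.
# Usage: gr_check_outdir <cdrom mount> <writable path>
gr_check_outdir() {
    cd_mnt=$1; w=$2
    case "$w" in
        "$cd_mnt"|"$cd_mnt"/*) echo "refusing $w: it is on the CD-ROM" >&2; return 1 ;;
    esac
    if [ ! -d "$w" ] || [ ! -w "$w" ]; then
        echo "refusing $w: not a writable directory" >&2; return 1
    fi
}

# Run grave-robber with PATH and TCT_HOME pointing only at the CD-ROM; the flags from
# the notes are passed through, e.g. gr_run /cdrom /evidence -v -l -P -s -t /
gr_run() {
    cd_mnt=$1; w=$2; shift 2
    gr_check_outdir "$cd_mnt" "$w" || return 1
    PATH="$cd_mnt/bin:$cd_mnt/tct-1.03/bin"; export PATH
    TCT_HOME="$cd_mnt/tct-1.03"; export TCT_HOME
    "$cd_mnt/tct-1.03/bin/grave-robber" "$@" 2>>"$w/grave-robber.stderr"
}
```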