Goal: Freeze the process state of a running system, in a non-intrusive manner, for further analysis. Use in conjunction with The Coroner's Toolkit and standard Unix utilities to carry out forensic analysis of a suspect system.
Method: Mine /proc filesystem entries for each running process to gather its command line, current working directory, root directory, open file descriptors, environment, executable image (even if the process has unlinked its executable to hide itself), memory map, and status. Currently Linux-specific, but there are plans to port Cryogenic to BSD and Solaris. On systems without a /proc filesystem, one must grovel around in virtual memory to achieve the same goal.
Output (per process):
total 55
-rw------- 1 root root   141 Jul 17 06:16 cmdline
-rw------- 1 root root   837 Jul 17 06:16 dirs_and_descriptors
-rw------- 1 root root   529 Jul 17 06:16 environ
-rw------- 1 root root 46945 Jul 17 06:16 exe
-rw------- 1 root root  3448 Jul 17 06:16 maps
-rw------- 1 root root   420 Jul 17 06:16 status
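As an added example (not Cryogenic's own code), the following Python script collects the same six artifacts from /proc for one PID into a per-PID directory, copying exe through /proc/PID/exe so an unlinked binary is still recovered; the output layout, the "name: target" format of dirs_and_descriptors, and the 0700 directory mode are assumptions of this example.

```python
"""Freeze one process's /proc view into a per-PID evidence directory (assumed layout)."""
import os
import tempfile

COPY_AS_IS = ("cmdline", "environ", "maps", "status")  # small text files, copied verbatim

def has_procfs():
    return os.path.isdir("/proc/self")

def dirs_and_descriptors(src):
    """Resolve cwd, root and every open fd under src=/proc/PID; the kernel marks unlinked targets ' (deleted)'."""
    lines = []
    for name in ("cwd", "root"):
        try:
            lines.append(f"{name}: {os.readlink(os.path.join(src, name))}")
        except OSError as e:
            lines.append(f"{name}: <unreadable: {e.strerror}>")
    fd_dir = os.path.join(src, "fd")
    for fd in sorted(os.listdir(fd_dir), key=int):
        try:
            lines.append(f"fd {fd}: {os.readlink(os.path.join(fd_dir, fd))}")
        except OSError:
            pass  # descriptor closed between listdir() and readlink(), e.g. listdir's own fd
    return lines

def uid_gid(src):
    """Real UID and GID from /proc/PID/status (first number on the Uid:/Gid: lines)."""
    ids = {}
    with open(os.path.join(src, "status")) as f:
        for line in f:
            if line.startswith(("Uid:", "Gid:")):
                ids[line[:3]] = int(line.split()[1])
    return ids["Uid"], ids["Gid"]

def snapshot(pid, out_root=None, proc="/proc"):
    """Write cmdline, dirs_and_descriptors, environ, exe, maps, status into out_root/<pid>/; return {name: bytes}."""
    src = os.path.join(proc, str(pid))
    dst = os.path.join(out_root or tempfile.mkdtemp(prefix="cryo-"), str(pid))
    os.makedirs(dst, mode=0o700, exist_ok=True)  # evidence readable by its owner only
    sizes = {}
    for name in COPY_AS_IS:
        with open(os.path.join(src, name), "rb") as f, open(os.path.join(dst, name), "wb") as o:
            sizes[name] = o.write(f.read())
    with open(os.path.join(dst, "dirs_and_descriptors"), "w") as o:
        sizes["dirs_and_descriptors"] = o.write("\n".join(dirs_and_descriptors(src)) + "\n")
    # /proc/PID/exe opens the mapped image itself, so the copy succeeds even
    # after the on-disk file was unlinked to hide it (the link target just reads ' (deleted)').
    with open(os.path.join(src, "exe"), "rb") as f, open(os.path.join(dst, "exe"), "wb") as o:
        sizes["exe"] = sum(o.write(chunk) for chunk in iter(lambda: f.read(1 << 16), b""))
    return sizes
```

Run as root to cover every process; snapshot("self") works unprivileged and is a quick sanity check of the collector itself.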
Output Analysis: Examine the open file descriptors (dirs_and_descriptors) for rootkit or other suspicious files, the command line and environment for unusual values such as buffer overflow code, the memory map for unexpected shared libraries (which could indicate added code such as a trojan horse), and status for the UID and GID of the process. For any suspicious process found, the executable can be analyzed with a disassembler and other standard tools (strings, ltrace, strace, gdb) or run in a sandboxed environment for further analysis.
Future additions: Add gcore-style functionality to generate a core file, without aborting the process, for each process. With the executable image, memory map, and core file together, it becomes much easier to figure out exactly what a process was up to at the time. For backdoored programs, it may be possible to recover access passwords, encryption keys, and other interesting information that can be used to further the investigation.
[Source code]