The Coroner's Toolkit (TCT)


TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after a break-in. The software was first presented during a free Computer Forensics Analysis class in August 1999. Copies of the class handouts can be found at http://www.porcupine.org/forensics/handouts.html.

Source code

Features

Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files, dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files.
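As an added illustration of what mactime does (this is example code, not TCT's own Perl), the following builds a timeline from the three timestamps every UNIX inode carries: modification (m), access (a) and inode change (c). Function names, the record layout and the sample records are constructed for this example; the "m.c"-style flag column is modelled loosely on mactime's output.

```python
# Added example, not part of TCT: a minimal mactime-style timeline builder.
# Listing every file's m/a/c timestamps in time order, with a flag showing
# which of the three fired at each instant, exposes activity patterns such as
# "file created, then executed minutes later" that single stat() calls hide.
from collections import defaultdict
from datetime import datetime, timezone
import os

def collect_mac(paths):
    """Gather (path, mtime, atime, ctime) with lstat so symlinks are not followed.
    Note: reading a file updates its atime, so collect before analysing."""
    out = []
    for p in paths:
        st = os.lstat(p)
        out.append((p, int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return out

def build_timeline(records):
    """records: iterable of (path, mtime, atime, ctime) in epoch seconds.
    Returns [(epoch, flags, path)] sorted by time then path, where flags is a
    3-char string such as 'm.c' marking which timestamps share that instant."""
    flags = defaultdict(lambda: ["."] * 3)
    for path, m, a, c in records:
        flags[(m, path)][0] = "m"
        flags[(a, path)][1] = "a"
        flags[(c, path)][2] = "c"
    return [(t, "".join(f), p) for (t, p), f in sorted(flags.items())]

def format_timeline(timeline):
    """Render one line per event, timestamps in UTC."""
    lines = []
    for t, fl, p in timeline:
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp} {fl} {p}")
    return "\n".join(lines)

# Constructed sample records (hypothetical paths): a script is written into a
# hidden temp directory and read/executed some minutes later.
SAMPLE = [
    ("/etc/passwd",    946684800, 946684860, 946684800),
    ("/tmp/.x/run.sh", 946684830, 946684990, 946684830),
]

if __name__ == "__main__":
    print(format_timeline(build_timeline(SAMPLE)))
```

On a live system, pass real paths to collect_mac() and feed its result to build_timeline(); on an image, use records extracted by other means, since stat() on a mounted copy may already have disturbed atimes.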

Warning

This software is not for the faint of heart. It is relatively unpolished compared to the software that Dan and Wietse usually release. TCT can spend a lot of time collecting data. And although TCT collects lots of data, many analysis tools still need to be written.

Requirements

Shortly before release, TCT was tested with the following systems:

TCT requires Perl 5.004 or later, although Perl 5.000 is probably sufficient if you only use the data collection software, and do the analysis on a different machine.

Mailing list

We've created a mailing list tct-users@porcupine.org to discuss the toolkit and methods used to forensically analyze Unix systems. This list accepts postings from subscribers only.