The Coroner’s Toolkit
Price: $0
The Coroner’s Toolkit is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system. The software was presented first in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can be found in our Forensic Discovery book.
Note: consider using Brian Carrier's Sleuthkit. It is the official successor, based on parts from TCT. Development of the Coroner's Toolkit was stopped years ago. It is updated only for bugfixes, which are very rare, and only after Wietse discovers that the programs no longer work on a new machine.
Features
Notable components of The Coroner's Toolkit are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files, dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
Warning
This software is not for the faint of heart. It is relatively unpolished compared to the software that Dan and Wietse usually release. The Coroner’s Toolkit can spend a lot of time collecting data. And although it collects lots of data, many analysis tools still need to be written.