TCT

The Coroner's Toolkit (TCT) is a collection of tools that are either oriented towards gathering or analyzing forensic data on a Unix system.


Frequently Asked Questions

A bit of help if you've just been broken into
A bit of help recovering a deleted file under Unix


Requirements

Shortly before release, TCT was tested with the following systems:

Solaris 2.4, 2.5.1, 2.6, 7.0, 8 FreeBSD 2.2.1, 3.4, 4.0 RedHat 5.2, 6.1
BSD/OS 2.1, 4.1 OpenBSD 2.5 SunOS 4.1.3_U1, 4.1.4

TCT requires Perl 5.004 or later, although Perl 5.000 is possibly sufficient if you only use the data collection software, and do the analysis on a different machine.


Source code

You can get it (gzip'd):

TCT 1.15
PGP signature
PGP key

TCT patches for various levels may be found here


Extensions by other people

TCT has inspired people to implement additional functionality. In order to have your software listed here, send mail to the tct-users mailing list (see below).

Since our resources are limited we are usually unable to take over the maintenance of contributed code.


Mailing list

We've created a mailing list tct-users@porcupine.org to discuss the toolkit and methods used to forensically analyze Unix systems.