The Coroner's Toolkit (TCT)

source code | features | warning | requirements | extensions | mailing list | faq | help!

TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system. The software was presented first in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can be found in our Forensic Discovery book.

Note: consider using Brian Carrier's Sleuthkit. It is the official successor, based on parts from TCT. Development of the Coroner's Toolkit was stopped years ago. It is updated only for for bugfixes which are very rare, and after Wietse discovers that the programs no longer work on a new machine.

Source code


Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.


This software is not for the faint of heart. It is relatively unpolished compared to the software that Dan and Wietse usually release. TCT can spend a lot of time collecting data. And although TCT collects lots of data, many analysis tools still need to be written.


Different versions of TCT were tested with the following systems:

TCT requires Perl 5.004 or later, although Perl 5.000 is probably sufficient if you only use the data collection software, and do the analysis on a different machine.

Extensions by other people

TCT has inspired people to implement additional functionality. In order to have your software listed here, send mail to the tct-users mailing list (see below). Since Dan&Wietse's resources are limited we are usually unable to take over the maintenance of contributed code.

Mailing list

This mailing list is now closed. The announcement below is kept for historical reasons.

We've created a mailing list to discuss the toolkit and methods used to forensically analyze Unix systems. This list accepts postings from subscribers only.

Frequently Asked Questions (FAQ)