The Coroner's Toolkit (TCT)

TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can be found in our Forensic Discovery book.

Source code

tct-1.18.tar.gz (TCT source code)
tct-1.18.tar.gz.sig (Wietse's PGP signature)
memdump-1.01.tar.gz (Solaris/BSD/Linux memory dumper)
memdump-1.01.tar.gz.sig (Wietse's PGP signature)
memdump-1.01.README (README file)
tct-1-patch18 (upgrade tct1.17 to tct-1.18)
tct-1-patch17 (upgrade tct1.16 to tct-1.17)
tct-1-patch16 (upgrade tct1.15 to tct-1.16)
tct-1-patch15 (upgrade tct1.14 to tct-1.15)
tct-1-patch14 (upgrade tct1.13 to tct-1.14)
tct-1-patch13 (upgrade tct1.12 to tct-1.13)
tct-1-patch12 (upgrade tct1.11 to tct-1.12)
tct-1-patch11 (upgrade tct1.10 to tct-1.11)
tct-1-patch10 (upgrade tct1.09 to tct-1.10)
tct-1-patch09 (upgrade tct1.08 to tct-1.09)
tct-1-patch08 (upgrade tct1.07 to tct-1.08)
tct-1-patch07 (upgrade tct1.06 to tct-1.07)
tct-1-patch06 (upgrade tct1.05 to tct-1.06)
tct-1-patch05 (upgrade tct1.04 to tct-1.05)
tct-1-patch04 (upgrade tct1.03 to tct-1.04)
tct-1-patch03 (upgrade tct1.02 to tct-1.03)
tct-1-patch02 (upgrade tct1.01 to tct-1.02)
tct-1-patch01 (upgrade tct1.0 to tct-1.01)
wietse.pgp (Wietse's PGP public key)

Features

Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.

Warning

This software is not for the faint of heart. It is relatively unpolished compared to the software that Dan and Wietse usually release. TCT can spend a lot of time collecting data. And although TCT collects lots of data, many analysis tools still need to be written.

Requirements

Different versions of TCT were tested with the following systems:

Solaris 2.4, 2.5.1, 2.6, 7.0, 8
FreeBSD 2.2.1, 3.4, 4.4
RedHat 5.2, 6.1, 7.3
BSD/OS 2.1, 4.1
OpenBSD 2.5, 3.0, 3.1
SunOS 4.1.3_U1, 4.1.4

TCT requires Perl 5.004 or later, although Perl 5.000 is probably sufficient if you only use the data collection software, and do the analysis on a different machine.

Extensions by other people

TCT has inspired people to implement additional functionality. In order to have your software listed here, send mail to the tct-users mailing list (see below).

Since Dan&Wietse's resources are limited we are usually unable to take over the maintenance of contributed code.

Mailing list

We've created a mailing list tct-users@porcupine.org to discuss the toolkit and methods used to forensically analyze Unix systems. This list accepts postings from subscribers only.

To subscribe send a mail to majordomo@porcupine.org with content (not subject) subscribe tct-users.
To unsubscribe send mail with content (not subject) unsubscribe tct-users.

Frequently Asked Questions (FAQ)

Dan Farmer's FAQ web page