The Coroner's Toolkit (TCT)
source code |
mailing list |
TCT is a collection of programs by Dan Farmer and Wietse Venema
for a post-mortem analysis of a UNIX system. The software was
presented first in a Computer Forensics Analysis class in August
1999 (handouts can be found here).
Examples of using TCT can be found in our Forensic Discovery book.
Note: consider using Brian Carrier's Sleuthkit. It is the official
successor, based on parts from TCT. Development of the Coroner's
Toolkit was stopped years ago. It is updated only for for bugfixes
which are very rare, and after Wietse discovers that the programs
no longer work on a new machine.
Notable TCT components are the grave-robber tool that captures
information, the ils and mactime tools that display access patterns
of files dead or alive, the unrm and lazarus tools that recover
deleted files, and the findkey tool that recovers cryptographic
keys from a running process or from files.
This software is not for the faint of heart. It is relatively
unpolished compared to the software that Dan and Wietse usually
release. TCT can spend a lot of time collecting data. And although
TCT collects lots of data, many analysis tools still need to be
Different versions of TCT were tested with the following systems:
- Solaris 2.4, 2.5.1, 2.6, 7.0, 8
- FreeBSD 2.2.1, 3.4, 4.4
- RedHat 5.2, 6.1, 7.3
- BSD/OS 2.1, 4.1
- OpenBSD 2.5, 3.0, 3.1
- SunOS 4.1.3_U1, 4.1.4
TCT requires Perl 5.004 or later, although Perl 5.000 is probably
sufficient if you only use the data collection software, and do
the analysis on a different machine.
Since Dan&Wietse's resources are limited we are usually unable to
take over the maintenance of contributed code.
Extensions by other people
TCT has inspired people to implement additional functionality.
In order to have your software listed here, send mail to the
tct-users mailing list (see below).
This mailing list is now closed. The announcement below
is kept for historical reasons.
We've created a mailing list email@example.com to
discuss the toolkit and methods used to forensically analyze Unix
systems. This list accepts postings from subscribers only.
- To subscribe send a mail to firstname.lastname@example.org with
content (not subject) subscribe tct-users.
- To unsubscribe send mail with content (not subject) unsubscribe
Frequently Asked Questions (FAQ)