Date: Tue, 1 Aug 2000 08:10:45 -0400
From: Wietse Venema wietse@PORCUPINE.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Dan & Wietse’s Forensics Tools released
It is with great relief that we announce the first official
release of the Coroner’s Toolkit software, also called TCT.
TCT is a collection of programs that can be used for a
post-mortem analysis of a UNIX system after break-in. The software
was presented first during a free Computer Forensics Analysis class
that we gave one year ago (almost to the day).
Notable TCT components are the grave-robber tool that captures
information, the ils and mactime tools that display access patterns
of files dead or alive, the unrm and lazarus tools that recover
deleted files, and the keyfind tool that recovers cryptographic
keys from a running process or from files.
To set your expectations, the TCT software is not for the faint
of heart. It is relatively unpolished compared to the software that
we usually release. TCT can spend a lot of time collecting data.
And although TCT collects lots of data, many analysis tools still
need to be written. Nevertheless TCT sure beats the competition,
which is non-existent, and beats them at the right price, too.
TCT runs on recent versions of SUN Solaris, FreeBSD, RedHat
Linux, BSD/OS, OpenBSD, and even runs on SunOS 4.x. It requires
perl 5.004 or later, although perl 5.000 is probably adequate if
you are going to do the actual analysis on a different machine.
TCT source code is available from the following places:
http://www.porcupine.org/forensics/
http://www.fish.com/forensics/
Enjoy!
Wietse Venema
Dan Farmer