[ Thanks to Nobody for this link.
]
“The Coroner’s Toolkit (TCT) is a suite of tools written by
Wietse Venema and Dan Farmer that was written to help a System
Admin doing forensic analysis on their cracked Unix box. The tools
are written in a mixture of c and perl. The authors say that TCT
does not have one single goal, but instead it has the theme of
making a snapshot of the machine so that there can be an attempt
towards reconstruction of the past. The software is released under
the IBM Public License and all source code is included.”
“grave-robber runs the tools based on the Order of Volatility.
The authors describe the Order of Volatility as certain data is
more volatile than other types and that you want to capture the
most volatile information first, before it has gone away. By
default grave-robber runs on the entire system and it is suggested
that you run the tool as root so that it can look at the things
that a normal user can not.”
“I found this to be a very useful package of tools that
gives you a good snapshot of the state of a compromised machine.
While not being designed for a newbie it would still allow a less
experienced Admin to collect the data so that someone with more
experience could look at later. This is a tool that would have
been very useful when the system I was helping to run had been
cracked.”