[LWN Logo]
[Timeline]
Date:         Tue, 1 Aug 2000 08:10:45 -0400
From: Wietse Venema <wietse@PORCUPINE.ORG>
Subject:      Dan & Wietse's Forensics Tools released
To: BUGTRAQ@SECURITYFOCUS.COM

It is with great relief that we announce the first official release
of the Coroner's Toolkit software, also called TCT.

TCT is a collection of programs that can be used for a post-mortem
analysis of a UNIX system after break-in. The software was presented
first during a free Computer Forensics Analysis class that we gave
one year ago (almost to the day).

Notable TCT components are the grave-robber tool that captures
information, the ils and mactime tools that display access patterns
of files dead or alive, the unrm and lazarus tools that recover
deleted files, and the keyfind tool that recovers cryptographic
keys from a running process or from files.

To set your expectations, the TCT software is not for the faint of
heart. It is relatively unpolished compared to the software that
we usually release. TCT can spend a lot of time collecting data.
And although TCT collects lots of data, many analysis tools still
need to be written. Nevertheless TCT sure beats the competition,
which is non-existent, and beats them at the right price, too.

TCT runs on recent versions of SUN Solaris, FreeBSD, RedHat Linux,
BSD/OS, OpenBSD, and even runs on SunOS 4.x. It requires perl 5.004
or later, although perl 5.000 is probably adequate if you are going
to do the actual analysis on a different machine.

TCT source code is available from the following places:

    http://www.porcupine.org/forensics/
    http://www.fish.com/forensics/
    ftp://tct.earthlink.net/pub/

Enjoy!

        Wietse Venema
        Dan Farmer