- "Note: consider using Brian Carrier's Sleuthkit. It is the official successor, based on parts from TCT. Development of the Coroner's Toolkit was stopped years ago. It is updated only for bugfixes which are very rare, and after Wietse discovers that the programs no longer work on a new machine."

'TCT' is a collection of programs for a post-mortem analysis of a *NIX system after break-in. It is meant to create a reconstruction of the past, determining as much as possible what happened with a static snapshot of a system. 'TCT' was designed primarily for people in the trenches: systems administrators, security response teams, security investigators, etc. There are currently four major parts to TCT:
- grave-robber (data capturing tool)
- the C tools (ils, icat, pcat, file, etc.)
- unrm & lazarus (collection & analysis of data on a file)
- mactime (analyzes the mtime file)
Documentation: User README and man pages included
released on 19 July 2016
| License | Verified by | Verified on | Notes |
|---|---|---|---|
| IBM Public License 1.0 | Janet Casey | 5 August 2004 | |
Required to use: Perl 5.004 or later
This entry (in part or in whole) was last reviewed on 11 January 2017.