From Free Software Directory
Jump to: navigation, search


Tools for analyzing a system after a break-in

  • " Note: consider using Brian Carrier's Sleuthkit. It is the official successor, based on parts from TCT. Development of the Coroner's Toolkit was stopped years ago. It is updated only for for bugfixes which are very rare, and after Wietse discovers that the programs no longer work on a new machine. "

'TCT' is a collection of programs for a post-mortem analysis of a *NIX system after break-in. It is meant to create areconstruction of the past - determining as much as possible what happened with a static snapshot of a system. 'TCT' was designed primarily for people in the trenches - systems administrators, security response teams, security investigators, etc. There are currently four major parts to TCT:

  • grave-robber (data capturing tool)
  • the C tools (ils, icat, pcat, file, etc.)
  • unrm & lazarus (collection & analysis of data on a file)
  • mactime (analyzes the mtime file)



Verified by

Verified on


Verified by

Janet Casey

Verified on

5 August 2004

Leaders and contributors

Wietse Venema Maintainer
Dan Farmer Maintainer

Resources and communication

AudienceResource typeURI
Bug Tracking,Developer,
Bug Tracking,Developer,

Software prerequisites

Required to usePerl 5.004 or later


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the page “GNU Free Documentation License”.

The copyright and license notices on this page only apply to the text on this page. Any software or copyright-licenses or other similar notices described in this text has its own copyright notice and license, which can usually be found in the distribution or license text itself.