July 11, 2006
Product: Open source / Dan Farmer and Wietse Venema
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Extremely powerful Unix forensic tool in the right hands; freeware.
- Weaknesses: Not for the faint-hearted – it is difficult to use and requires a significant knowledge of Unix to use it successfully; virtually no documentation.
- Verdict: Very useful collection of tools, but a high barrier to entry.
The Coroner's Toolkit, or TCT, is an open-source set of forensic tools for performing post-mortem analysis on Unix systems. Written by Dan Farmer and Wietse Venema, both very well known in security circles for programs such as SATAN, TCT is not an easy product to use. A serious knowledge of Unix is a prerequisite for success, but if you can manage it, this is an extremely powerful set of tools.
This is not a GUI-based product. It is a collection of command line tools designed for the experienced Unix engineer. In that context we found that TCT has everything we needed to analyse a Linux disk. Using a command line forensics program can be difficult, although forensic analysts who have used the older NTI Tools will feel at home. Our grade of four stars for features comes with the caveat that this is a Unix-only tool and that the user must be a solid Unix citizen.
It's the same story with the Toolkit's high performance rating. It has no trouble taking an image and using the individual tools to perform analyses of various kinds. Images are taken with dd, as is usual in a Unix environment, but in the class slides for a 1999 training session, other suggestions are explored.
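The review notes that TCT relies on dd for acquisition rather than shipping an imaging tool of its own. The script below is an added example, not code from TCT or from the reviewers, showing the acquisition step a practitioner would want around dd: copy the source block for block, keep going past unreadable sectors, and hash both sides so the image can be proven unchanged before any TCT tool touches it. It assumes GNU coreutils (sha256sum); the source path, destination path and the sample "disk" built in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: acquire a raw image with dd and record hashes for later
# verification. Not part of TCT; assumes GNU coreutils (dd, sha256sum).

acquire_image() {
    # $1 = source (block device or file), $2 = destination image path.
    src="$1"; dst="$2"
    # bs=512 matches the sector size, so conv=noerror,sync only ever pads a
    # genuinely unreadable sector with zeros and never changes the image size.
    # dd's own messages (including read errors) go to a log kept with the image.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.log"
    # Hash source and copy; they must match for the image to be trustworthy.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$dst_hash" "$(basename "$dst")" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    # Re-check an image against its stored hash, e.g. before each analysis session.
    dir=$(dirname "$1")
    (cd "$dir" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# Usage: sh acquire.sh /dev/sdX /cases/CASE-PLACEHOLDER/sdX.dd
# (both paths are placeholders; the source should be attached read-only).
if [ $# -eq 2 ]; then
    acquire_image "$1" "$2" && echo "image acquired and verified: $2"
fi
```

The hash file sits next to the image, so `verify_image` can be run by anyone who later receives the image and the `.sha256` file; a single altered byte makes the check fail.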
Documentation is skimpy, but there is a very complete set of slides from a class taught on TCT in 1999. We found them both useful and interesting. Also, since this product is intended for experienced Unix users, there is an implied understanding of common Unix functions and conventions: makefiles, man pages, utilities, and so on.
There is, essentially, no support for this product. Typical of many open-source products, the user is left to their own devices. There is a mailing list supported by the developers and, also typical of the Unix open-source community, help can be found there. But the bottom line is: if you want to use TCT, you're on your own.
If you know Unix and you use Unix, The Coroner's Toolkit is an excellent second product to back up your primary IT forensic tool. The developers are extremely proficient in Unix and the Unix file system, so TCT is reliable and very useful in the right hands and for its intended purpose. And as far as freeware goes, the price certainly is right.