In this paper I will describe evidence gathering on a Unix system using 'The Coroner's Toolkit' version 1.09 (TCT). TCT is freeware. The two types of evidence I will focus on are ephemeral and static evidence. Ephemeral evidence is evidence that generally does not last long: the process and network state of the system. Static evidence is all other data that resides on the system in a more or less long-term state. The README provided with TCT describes the package as '...a collection of tools - some large some small some in perl and some in C - that are all either oriented towards gathering or analyzing forensic data on a Unix system.' For the purposes of this paper I will focus on the collection capabilities of TCT and will only point out and describe the tools for data analysis where appropriate. The GSEC paper 'The Coroner's Toolkit: A Handy Suite of Utilities' by Mike Wagner describes the general usage of TCT. I will attempt to go further and describe some of the extra functionality that Farmer and Venema, the authors, provided the user in this robust suite of forensic utilities. As with any software package there are pros and cons associated with it, so I will attempt to address some of these as well.
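The ephemeral-versus-static split described above, as an added shell example that is not from the paper or from TCT itself: volatile process and network state is captured first, then a hash manifest of a file tree is produced so the static evidence can later be shown to be unaltered. It assumes a POSIX shell on a system with /proc, and uses ps and ss/netstat only when they are present.

```shell
#!/bin/sh
# Added example (not TCT code): ephemeral evidence first, then static evidence.
# Assumptions: POSIX sh, /proc available; ps, ss, netstat used only if present.

hash_cmd() {
    # Pick whichever digest tool exists; SHA-256 preferred, md5sum as last resort.
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
    else echo md5sum; fi
}

# Ephemeral evidence: process table and socket state, captured before anything
# else because both change from second to second. Output directory is arg 1.
collect_ephemeral() {
    out="$1"; mkdir -p "$out" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
    if command -v ps >/dev/null 2>&1; then
        ps -ef > "$out/processes.txt" 2>/dev/null || ps > "$out/processes.txt" 2>/dev/null
    else
        # No ps: walk /proc/<pid>/cmdline directly (NUL-separated arguments).
        for p in /proc/[0-9]*; do
            printf '%s ' "${p#/proc/}"; tr '\0' ' ' < "$p/cmdline"; echo
        done > "$out/processes.txt" 2>/dev/null
    fi
    if command -v ss >/dev/null 2>&1; then
        ss -tuanp > "$out/sockets.txt" 2>/dev/null || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an > "$out/sockets.txt" 2>/dev/null || true
    else
        cat /proc/net/tcp /proc/net/udp > "$out/sockets.txt" 2>/dev/null || true
    fi
    return 0
}

# Static evidence: hash every regular file under tree (arg 1) into manifest
# (arg 2) in a stable order, and print the number of files recorded.
manifest() {
    tree="$1"; out="$2"
    find "$tree" -type f | LC_ALL=C sort | while read -r f; do
        $(hash_cmd) "$f"
    done > "$out"
    wc -l < "$out" | tr -d ' '
}
```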