Coroner's Toolkit

Product Rating
Features:  4
Ease of Use:  3
Performance:  4
Documentation:  2
Support:  1
Value for Money:  4
Overall Rating:  Overall Rating
 
For: Extremely powerful Unix forensic tool in the right hands; freeware.
Against: Not for the faint-hearted – it is difficult to use and requires a significant knowledge of Unix to use it successfully; virtually no documentation.
Verdict: Very useful collection of tools, but a high barrier to entry.
By Peter Stephenson, CeRNS
Jul 11, 2006 12:00 AM
Tags: Coroner's Toolkit | Group Test: Forensic tools 2006

The Coroner’s Toolkit, or TCT, is an open-source set of forensic tools for performing post-mortem analysis on Unix systems. Written by Dan Farmer and Wietse Venema, both well known in security circles for programs such as SATAN, TCT is not an easy product to use. A serious knowledge of Unix is a prerequisite for success, but if you can manage it, this is an extremely powerful set of tools.

This is not a GUI-based product. It is a collection of command line tools designed for the experienced Unix engineer. In that context we found that TCT has everything we needed to analyse a Linux disk. Using a command line forensics program can be difficult, although forensic analysts who have used the older NTI Tools will feel at home. Our grade of four stars for features comes with the caveat that this is a Unix-only tool and that the user must be a solid Unix citizen.

It’s the same story with the Toolkit’s high performance rating. It has no trouble taking an image and using the individual tools to perform analyses of various kinds. Images are taken with dd, as is usual in a Unix environment, but the class slides from a 1999 training session explore other approaches as well.
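The review notes that images are taken with dd but does not show the acquisition step. The following script is an added example, not code from the review or from TCT, showing how an examiner would acquire an image with dd and record hashes so the evidence copy can be verified before analysis. It works on a constructed sample "device" file so it runs offline; the hypothetical source path `/dev/sdb` mentioned in the comments is a placeholder, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the review or from TCT): acquire an image with dd and
# verify its integrity with SHA-256 hashes recorded at acquisition time.
# On a real case SOURCE would be a block device (e.g. /dev/sdb, hypothetical)
# attached read-only, and the image would go to separate, write-once media.

acquire_image() {
    # $1 = source device or file, $2 = output image path, $3 = hash log path
    src="$1"; img="$2"; log="$3"
    # conv=noerror,sync keeps going past unreadable sectors and pads them, so the
    # image stays the same size and layout as the source.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    # Hash source and image; a mismatch means the copy is not a faithful image.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$log"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # Re-hash the image later (e.g. before running the analysis tools) and
    # compare with the hash recorded at acquisition; returns non-zero on tamper.
    img="$1"; log="$2"
    recorded=$(awk '$1=="image"{print $2}' "$log")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

make_sample_device() {
    # Constructed sample: a 64 KiB zero-filled "device" with a marker string at
    # offset 4096. This is stand-in data, not a real disk.
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'constructed sample data' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Stand-alone run: image the sample device, then verify the copy.
if [ "${EXAMPLE_RUN:-0}" = "1" ]; then
    workdir=$(mktemp -d)
    make_sample_device "$workdir/device.bin"
    acquire_image "$workdir/device.bin" "$workdir/evidence.dd" "$workdir/hashes.txt" \
        && verify_image "$workdir/evidence.dd" "$workdir/hashes.txt" \
        && echo "image acquired and verified: $workdir/evidence.dd"
fi
```

Keeping the hash log separate from the image, and re-checking it every time the image is opened, is what lets the analyst later show that the tools were run against an unaltered copy.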

Documentation is skimpy, but there is a very complete set of slides from a class taught on TCT in 1999. We found them both useful and interesting. Also, since this product is intended for experienced Unix users, there is an implied understanding of common Unix functions and conventions: makefiles, man pages, utilities and so on.

There is, essentially, no support for this product. As is typical of many open-source products, the user is left to their own devices. There is a mailing list supported by the developers and, as is also typical of the Unix open-source community, help can be found there. But the bottom line is: if you want to use TCT, you’re on your own.

If you know Unix and you use Unix, The Coroner’s Toolkit is an excellent second product to back up your primary IT forensic tool. The developers are extremely proficient in Unix and the Unix file system, so TCT is reliable and very useful in the right hands and for its intended purpose. And as far as freeware goes, the price certainly is right.

 
Ads by Google
Thoughts on this article? Add a comment below.
Be the first to comment on this article.

Report this comment as offensive:

   * Indicates information we require to process your submission.

Name: *
Email: *
Reason for offense: *
Your report will not be displayed.  
Name:
*
 
Email:
(will not be displayed)
*
 
Comment:
(HTML not permitted)
*
 
Validation
*

Enter the code you see below:

 

 
 
 
 
 
Tripwire - Click here to win an iTouch
 
 
Biometrics & Forensics Whitepapers