Strengths: Extremely powerful Unix forensic tool in the right hands; freeware.
Weaknesses: Not for the faint-hearted – it is difficult to use and requires a significant knowledge of Unix to use it successfully; virtually no documentation.
Verdict: Very useful collection of tools, but a high barrier to entry.
The Coroner’s Toolkit, or TCT, is an open-source set of forensic tools for performing post-mortem analysis on Unix systems. Written by Dan Farmer and Wietse Venema, both very well known in security circles for such programs as SATAN, TCT is not an easy product to use. A serious knowledge of Unix is a prerequisite for success, but if you can manage it, this is an extremely powerful set of tools.
This is not a GUI-based product. It is a collection of command line tools designed for the experienced Unix engineer. In that context we found that the TCT has everything we needed to analyse a Linux disk. Using a command line forensics program can be difficult, although forensic analysts who have used the older NTI Tools will feel at home. Our grade of four stars for features comes with the caveat that this is a Unix-only tool and that it assumes the user is a solid Unix citizen.
It’s the same story with the Toolkit’s high performance rating. It has no trouble taking an image and using the individual tools to perform analyses of various kinds. Images are taken with dd, as is usual in a Unix environment, but in the class slides for a 1999 training session, other suggestions are explored.
Documentation is skimpy, but there is a very complete set of slides from a class taught on TCT in 1999. We found them both useful and interesting. Also, since this product is intended for experienced Unix users, there is an implied understanding of common Unix functions and conventions: makefiles, man pages, utilities, and so on.
There is, essentially, no support for this product. As is typical of many open-source products, the user is left to their own devices. There is a mailing list supported by the developers and, as is also typical of the Unix open-source community, help can be found there. But the bottom line is: if you want to use TCT, you’re on your own.
If you know Unix and you use Unix, The Coroner’s Toolkit is an excellent second product to back up your primary IT forensic tool. The developers are extremely proficient in Unix and the Unix file system, so TCT is reliable and very useful in the right hands and for its intended purpose. And as far as freeware goes, the price certainly is right.