File: README.FIRST

sleuthkit 2.06-3etch1


        NOTE: If you've just been broken into and are desperate for help,
              read the "help-when-broken-into" file.  If you've deleted
              a file and want to recover it, read "help-recovering-file".

The Coroner's Toolkit (TCT) - a Brief Introduction

TCT is a collection of tools - some large, some small, some in perl,
some in C - that are all oriented towards either gathering or analyzing
forensic data on a Unix system.  There is no single task or ultimate
goal that they are directed to, but if there were a theme it would be an
effort towards the reconstruction of the past - determining as much
as possible about what happened from a static snapshot of a system.  Most of
the tools are oriented towards data collection rather than analysis -
a good use of the toolkit could be for a relative neophyte in Unix
forensic security to send the data to someone who does know something and
can further analyze the output.  (Do NOT send it to us, however!  ;-))
Note that by default we don't gather *ALL* data - unallocated blocks of
disks (let alone the entire contents of your media!) and raw memory are
not touched by default... where would you put the results, for starters?

So, as a general overview:

A quick start for the impatient may be found in the "quickstart" file.

The most current version of TCT may be found at both:

	http://www.fish.com/forensics/

	http://www.porcupine.org/forensics/

To install TCT read the "INSTALL" file.

A list of the contents of TCT may be found in the "MANIFEST" file.

A copyright notice is in the "COPYRIGHT" file; additional copyrights
might be included in individual source code files (especially look at
the C source code files, which are mostly covered by IBM's open source
license, in the file "LICENSE".)

A general overview of the toolkit may be found in the "README" file
in the "docs" subdirectory.  More about TCT's design methodology and
philosophy can be found in the "design-notes" file in the same directory.

We hope that you enjoy this and find our work useful to you!

Dan Farmer & Wietse Venema

August 1st, 2000


p.s.  There's a mailing list (with on-line archive) for sharing
experiences. To subscribe, send a message to majordomo@porcupine.org
with the body (not the subject): subscribe tct-users. The list will reject mail
from non-members, so it is unlikely to catch UCE. To unsubscribe, send
mail with the body (not the subject): unsubscribe tct-users.

p.p.s. Some unpolished, unfinished, and perhaps not very useful tools
and notes are in the "extras" subdirectory; feel free to check them out,
but caveat emptor.