The Coroner’s Toolkit

When a thief breaks into your home, you’re likely to feel victimized, vulnerable, and confused. You may wonder: What was taken? Will the house ever feel safe again? What can I do to protect myself from another intrusion?

When a malcontent breaks into, or cracks, your computer, your reactions are likely to be very much the same. What was taken? What was left behind? Is the computer safe to use? How can I keep my computer safer in the future?

While the latter question is important, the former three questions weigh more heavily immediately after a break-in. The suits and the geeks want an assessment as soon as possible, especially if the compromised system held critical information or served a critical purpose.

If you (unfortunately) find yourself heading up such an investigation, reach for The Coroner’s Toolkit (TCT, http://www.porcupine.org/forensics/tct.html), a collection of programs by Dan Farmer and Wietse Venema (of Postfix fame) that performs post mortem analysis of Linux and Unix systems. TCT may not finger the perp, but it can resurrect the dead.

Whoever quipped “An ounce of prevention is worth a pound of cure” must have been a system administrator. Many system problems can best be solved by preventing them from occurring. But because not all problems can be prevented, the next best practice is preparation. Indeed, the TCT documentation says, “TCT probably won’t help you out unless you’ve already looked at it, played with it, and know…

Not Yet a Member? Register with LinuxMagazine.com and get free access to the entire archive, including: Hands-on Content White Papers Community Features And more.

Already a Member? Log in! Username Password Remember me Forgotten your password? Forgotten your username?

1. Five Easy Ways to Secure Your Linux System
2. Got Security? You're in Denial
3. Klaatu Recommends Nikto for Web Security
4. Ubuntu's Encrypted Home Directory: A Canonical Approach to Data Privacy
5. Your Distro is Insecure: Ubuntu