TCT is a collection of tools geared towards gathering and analyzing forensic data on a UNIX system after a break-in. TCT features the grave-robber tool, which captures information; the ils and mactime tools, which display access patterns of files dead or alive; the unrm and lazarus tools, which recover deleted files; and the keyfind tool, which recovers cryptographic keys from a running process or from files. TCT is tested on Linux, BSD, and Solaris. For more information, see the handouts from Dan Farmer and Wietse Venema's computer forensics analysis class.
fce955a06d118664ebcbb0d9360ef897a8c0150f57b63742153a2faa4d4d662b