Product SiteDocumentation Site

11.4. Forensic analysis

If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a post mortem analysis of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found in by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and autopsy (the graphical front-end).
Remember that forensics analysis should be done always on the backup copy of the data, never on the data itself, in case the data is altered during analysis and the evidence is lost.
You will find more information on forensic analysis in Dan Farmer's and Wietse Venema's book (available online), as well as in their and their Brian Carrier's newsletter is also a very good resource on forensic analysis tips. Finally, the are an excellent way to hone your forensic analysis skills as they include real attacks against honeypot systems and provide challenges that vary from forensic analysis of disks to firewall logs and packet captures. For information about available forensics packages in Debian visit
FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.
FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition.
FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or