TCTUTILs
Platforms: Linux, OpenBSD, Solaris
Categories: Auditing, Forensics
Version: v1.01
URL: www.cerias.purdue.edu/homes/carrier/forensics
TCTUTILs is a collection of utilities that adds functionality to The Coroner's Toolkit (TCT).
Features:
- List directory inode contents to view file, device, and directory names. This also allows deleted file names to be viewed, and on some platforms an entire file that was recently deleted can be easily recovered.
- Get Modified, Accessed, and Created time data on deleted files (not possible on all systems) and merge the data into the mactimes output from TCT.
- Find the names of files and directories that are using a given inode. On some systems, deleted file names will also be given.
- Find the inode that is using a given block. On some systems, the inode may not even be allocated.
- Display the contents of a given block in several formats.
- Display the details of an inode (including all block numbers).
