In this paper I will describe evidence gathering on a Unix system using The Coroner's Toolkit (TCT) version 1.09. TCT is freeware. The two types of evidence I will focus on are ephemeral and static evidence. Ephemeral evidence refers to evidence that generally doesn't last a long time. They are...