lsof - crupper/Forensics-Tool-Wiki GitHub Wiki

# lsof

##### Source: lsof is standard on *almost all Unix systems, but if one seeks the source code, here it be:

## Description

"List Open Files": this Unix tool reports every open file on the system and the process that holds it open. Because Unix treats sockets, pipes, and devices as files, the listing also covers network connections and listening ports, which is what makes lsof so useful in forensics: it can reveal port redirections, sniffers, eggdrop IRC bots, and some backdoors alongside ordinary files.

## My Thoughts and Uses

My forensics book touts lsof as the single most powerful tool in a Unix Live Response Toolkit. I believe it. There are so many command-line options that can be applied to it. Here are some of my favorites:

- `-n` - Do not resolve IP addresses to hostnames, so the output shows raw numeric addresses (look at the last line of the example output). Pair it with `-P` to keep port numbers numeric as well; both avoid DNS and `/etc/services` lookups, which slow the run and generate DNS traffic from the very host under investigation.

- `-iTCP` - Show only TCP sockets (`-iUDP` does the same for UDP; a bare `-i` lists all Internet sockets).

- `-i :[port number]` - Show only sockets that use the given port on either the local or the remote end, e.g. `-i :6667` for IRC traffic.

- `-i@[host_ip]` - Narrow the listing down to sockets involving one IP address.

- `-c [command or process name]` - Show processes whose command name begins with the given string (`-c /regex/` matches a regular expression instead).

From this, we can see that lsof is a goldmine of information. Even without options one can learn a lot: it simply lists all open files belonging to all active processes. Two caveats for live response: run a trusted copy of the binary from your own toolkit rather than the host's, since a compromised system may carry a modified lsof, and remember that a kernel-level rootkit can hide processes from lsof just as it hides them from ps.
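The script below is an added example for this page, not code from the wiki or from lsof itself. It shows how a live-response collector would invoke lsof with `-n`/`-P` and the machine-readable `-F` field format (one tagged field per line, which avoids the column-splitting problems of the human-readable table), then parse the result to list established connections and listening ports outside a baseline. The lsof output embedded in it is constructed for illustration, as are the process names, addresses, and the `ALLOWED_LISTEN_PORTS` and `LSOF_BIN` variables; the `-F` field letters (`p`, `c`, `L`, `f`, `P`, `n`, `T`) are lsof's own.

```shell
#!/bin/sh
# Added example for the lsof wiki page (not part of the original page or of
# lsof). Parsing runs on a constructed sample so it works offline;
# live_net_table() feeds the same parser from a real lsof run.
set -eu

# Constructed sample of `lsof -nP -i -F pcLfPnT` output (not a real capture).
# -F prints one field per line, tagged by its first character:
#   p pid   c command   L login   f fd   P protocol   n name   T TCP info
# Process fields appear once; file fields repeat for each open socket.
SAMPLE_LSOF_F='p612
csshd
Lroot
f3
PTCP
n*:22
TST=LISTEN
p873
cpython
Lroot
f3
PTCP
n192.168.185.150:58349->192.168.241.3:56603
TST=ESTABLISHED
TQR=0
TQS=0
p1402
ceggdrop
Lirc
f5
PTCP
n192.168.185.150:41002->10.0.0.9:6667
TST=ESTABLISHED
p1777
cnc
Lwww-data
f3
PTCP
n*:4444
TST=LISTEN
p590
cchronyd
Lchrony
f6
PUDP
n127.0.0.1:323'

# Hypothetical baseline: ports this host is expected to listen on.
ALLOWED_LISTEN_PORTS="${ALLOWED_LISTEN_PORTS:-22}"

# Turn -F output on stdin into one socket per line:
#   pid command user proto name state        (state is "-" for UDP)
# A socket record is complete when the next f or p field (or EOF) arrives,
# because the T (state) field follows the n (name) field.
parse_lsof_fields() {
  awk '
    function flush() {
      if (fd != "")
        printf "%s %s %s %s %s %s\n", pid, cmd, user, proto, name, (state == "" ? "-" : state)
      fd = ""; proto = ""; name = ""; state = ""
    }
    {
      key = substr($0, 1, 1); val = substr($0, 2)
      if      (key == "p") { flush(); pid = val; cmd = ""; user = "" }
      else if (key == "c") cmd = val
      else if (key == "L") user = val
      else if (key == "f") { flush(); fd = val }
      else if (key == "P") proto = val
      else if (key == "n") name = val
      else if (key == "T" && substr(val, 1, 3) == "ST=") state = substr(val, 4)
    }
    END { flush() }'
}

net_table()   { printf '%s\n' "$SAMPLE_LSOF_F" | parse_lsof_fields; }
established() { net_table | awk '$6 == "ESTABLISHED"'; }

# LISTEN sockets whose port is outside the baseline: this is how a bind-shell
# backdoor or a bot's control port shows up in lsof.
unexpected_listeners() {
  net_table | awk -v ok="$ALLOWED_LISTEN_PORTS" '
    BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    $6 == "LISTEN" { port = $5; sub(/.*:/, "", port); if (!(port in allow)) print }'
}

# Same report from the live system. -n and -P keep addresses and ports
# numeric so nothing is resolved via DNS or /etc/services from a possibly
# compromised host; LSOF_BIN (hypothetical) points at a trusted static copy.
live_net_table() { "${LSOF_BIN:-lsof}" -nP -i -F pcLfPnT | parse_lsof_fields; }

echo "== established connections (sample) =="; established
echo "== listeners outside allow-list (sample) =="; unexpected_listeners
```

On the sample, `established` returns the python and eggdrop connections (the latter to port 6667, the IRC default) and `unexpected_listeners` returns only the `nc` process on port 4444; the two `TQR`/`TQS` queue fields that real lsof emits after `TST=` are skipped. For a real run replace `net_table` with `live_net_table` and save its output alongside the raw `-F` capture, so the evidence and the summary derived from it are both preserved.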

Here is example output from lsof -n (truncated). The kernel threads near the top (ksoftirqd, migration, watchdog, and so on) have no executable on disk, so lsof reports their txt entry as unknown and points at /proc/PID/exe; that is normal and not a sign of tampering. The last line is the kind of entry to look at closely: a python process with an established TCP connection, shown with numeric addresses because of -n.

```
COMMAND    PID       USER   FD      TYPE     DEVICE SIZE/OFF       NODE NAME
init         1       root  cwd       DIR        8,1     4096          2 /
init         1       root  rtd       DIR        8,1     4096          2 /
init         1       root  txt       REG        8,1   190432     927934 /sbin/init
init         1       root  mem       REG        8,1    47040     918484 /lib/i386-linux-gnu/libnss_files-2.15.so
init         1       root  mem       REG        8,1    42652     918488 /lib/i386-linux-gnu/libnss_nis-2.15.so
init         1       root  mem       REG        8,1    92016     918478 /lib/i386-linux-gnu/libnsl-2.15.so
ksoftirqd    3       root  txt   unknown                                /proc/3/exe
migration    6       root  cwd       DIR        8,1     4096          2 /
migration    6       root  rtd       DIR        8,1     4096          2 /
migration    6       root  txt   unknown                                /proc/6/exe
watchdog/    7       root  cwd       DIR        8,1     4096          2 /
watchdog/    7       root  rtd       DIR        8,1     4096          2 /
watchdog/    7       root  txt   unknown                                /proc/7/exe
cpuset       8       root  cwd       DIR        8,1     4096          2 /
cpuset       8       root  rtd       DIR        8,1     4096          2 /
cpuset       8       root  txt   unknown                                /proc/8/exe
khelper      9       root  cwd       DIR        8,1     4096          2 /
khelper      9       root  rtd       DIR        8,1     4096          2 /
khelper      9       root  txt   unknown                                /proc/9/exe
kdevtmpfs   10       root  cwd       DIR        0,5     4240          3 /
kdevtmpfs   10       root  rtd       DIR        0,5     4240          3 /
kdevtmpfs   10       root  txt   unknown                                /proc/10/exe
netns       11       root  cwd       DIR        8,1     4096          2 /
netns       11       root  rtd       DIR        8,1     4096          2 /
netns       11       root  txt   unknown                                /proc/11/exe
sync_supe   12       root  cwd       DIR        8,1     4096          2 /
python     873       root   3u      IPv4       9836      0t0        TCP 192.168.185.150:58349->192.168.241.3:56603 (ESTABLISHED)
```

*By "almost" I mean these Unix dialects:

AIX 5.3
Apple Darwin 9 (Mac OS X 10.5)
FreeBSD 4.9 for x86-based systems
FreeBSD 7.[012] and 8.0 for AMD64-based systems
Linux 2.1.72 and above for x86-based systems
Solaris 9 and 10

## Resources and more information

A great writeup on lsof and advanced usage

The man page itself (`man 8 lsof`)