ps (Linux) Process State - crupper/Forensics-Tool-Wiki GitHub Wiki
# ps

##### Source: ps is standard on Unix machines, but the source code can be viewed here.

## Description

ps is a command that reports information on processes. Without any options, it reports only on the current processes. With options, a lot more information can be given. It is easy to get confused by the syntax for ps because there are three different option styles. Standard Unix options are preceded by a single dash (e.g. `-e`). BSD options often omit the dash and are given as bare arguments after ps (e.g. `ps aux`). The third style is the GNU long format: two dashes followed by a more verbose option name (e.g. `--ppid`).
## My Thoughts and Uses

During forensic analysis, I often get a list of all the running processes by running `ps -aux`. This will return the UID, PID, time the process started, the command, and more. Other commands with ps that I often use are for displaying process trees. To do this there are a few different commands I use.

`pstree` is the most visual of the bunch:
```
Linux@Linux:~$ pstree
systemd─┬─ModemManager─┬─{gdbus}
        │              └─{gmain}
        ├─NetworkManager─┬─{gdbus}
        │                ├─{gmain}
        │                └─{pool}
        ├─accounts-daemon─┬─{gdbus}
        │                 └─{gmain}
        ├─acpid
        ├─agetty
        ├─auditd───{auditd}
        ├─avahi-daemon───avahi-daemon
        ├─bluetoothd
        ├─colord─┬─{gdbus}
        │        └─{gmain}
        ├─cron
        ├─cups-browsed─┬─{gdbus}
        │              └─{gmain}
        ├─dbus-daemon
        ├─freshclam
        ├─fwupd─┬─3*[{GUsbEventThread}]
        │       ├─{fwupd}
        │       ├─{gdbus}
        │       └─{gmain}
        ├─gnome-keyring-d─┬─{gdbus}
        │                 ├─{gmain}
        │                 └─{timer}
        ├─iio-sensor-prox─┬─{gdbus}
        │                 └─{gmain}
```
`ps axjf` looks more similar to `ps -aux`, but with lines connecting the child processes to their parents.

`ps -ejH` just uses indentation to show the relations.
An example of usage in my experience is finding what process started some malware on a machine. To get all the processes I used `ps aux`. One of the tipping points to find the file causing the trouble was using the command `ps -eF`. This shows the file that was called to start the process. Then, I was able to use a process tree to track down that it was called by init 1.
## Resources and more information

The Official Man Page.