KIT-CERT / Linux-Forensic-Checklist

Commit 08fe6e7c, authored Sep 23, 2015 by Heiko Reese

typo

Parent: 791f5f91

Changes: 1

Linux-Forensics-Checklist.md
...
...
@@ -285,7 +285,8 @@ Have a look at the open files. If the file has been deleted, ls will append
` (deleted)`
to the destination filename. The contents can still be accessed
using the symlinks in
`/proc/${PID}/fd`
. This often happens with malware
written in interpreted languages like perl and python. Save all interesting
open files now:
```sh
open files now:
```
sh
ls
-l
/proc/
${
PID
}
/fd
>
proc_
${
PID
}
_fd.txt
# copy interesting open files, substitute MYFD with file descriptor number
MYFD
=
1234
...
...
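Review bot: the commit message "typo" does not say what was corrected. Going by the hunk header (-285,7 +285,8) and the repeated "open files now:" line, the change appears to move the opening sh code fence onto its own line, so a subject such as "put sh code fence on its own line" would be easier to find in the history. In the same block, `ls -l /proc/${PID}/fd > proc_${PID}_fd.txt` writes to a relative path; if the checklist does not already say so earlier, it is worth stating that the working directory should be on the evidence medium and not on the disk being examined, and quoting the expansion as `"/proc/${PID}/fd"` keeps the command safe if PID is ever left empty or mistyped.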