Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Linux-Forensic-Checklist
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
6
Issues
6
List
Boards
Labels
Service Desk
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
KIT-CERT
Linux-Forensic-Checklist
Commits
08fe6e7c
Commit
08fe6e7c
authored
Sep 23, 2015
by
Heiko Reese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
typo
parent
791f5f91
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
2 additions
and
1 deletion
+2
-1
Linux-Forensics-Checklist.md
Linux-Forensics-Checklist.md
+2
-1
No files found.
Linux-Forensics-Checklist.md
View file @
08fe6e7c
...
...
@@ -285,7 +285,8 @@ Have a look at the open files. If the file has been deleted, ls will append
` (deleted)`
to the destination filename. The contents can still be accessed
using the symlinks in
`/proc/${PID}/fd`
. This often happens with malware
written in interpreted languages like perl and python. Save all interesting
open files now:
```sh
open files now:
```
sh
ls
-l
/proc/
${
PID
}
/fd
>
proc_
${
PID
}
_fd.txt
# copy interesting open files, substitute MYFD with file descriptor number
MYFD
=
1234
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
