Unix Security: Diagnostics and Forensics

8. Find and understand every process

If at all possible, use statically-linked tools and utilities mounted from a CD-R for this investigation.

There are two or three easy ways to do this:

use the standard utility ps auxww or ps -ef;
use lsof

if you /proc filesystem is up to it (e.g., as on Linux) try something like this:

        for J in 1 2 3 4 5 6 7 8 9; do ls -d  /proc/$J* | sort ; done > /tmp/proclist
        for I in `cat /tmp/proclist`; do cat $I/cmdline && echo "" ; done

Any process which you do not recognise should be treated as suspicious — Google it; any differences in the results between the two (or three) sets of results should be treated with equal suspicion.

...previous

up (conts)

next...

About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple