Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
An open file is any filesystem object (which in Linux includes files, devices, pipes, or unix sockets) to which a process has an open handle.
Report Data: Open Files
Following are the open files present at the time the memory snapshot was taken of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).
The following table describes each column of the reported data.
| Column | Description | Notes |
|---|---|---|
| Pid | PID of the owning process | |
| Comm | Process name of the owning process | |
| Fd | File descriptor number | 1=stdin, 2=stdout, 3=stderr, etc. |
| Size | Filesize (only defined for files, not pipe, etc.) | |
| Offset | ||
| Path | Filesystem path |
Forensic Hints
Patterns to look for: Anything look out of the ordinary? Any unexpected programs or services for this server role or desktop layout?
The same set of open files can be obtained from a running Linux
system via the lsof command (with appropriate filtering); any difference between the set
(a) read from usermode and (b) derived from memory inspection should be
investigated, as discussed here.