Report: Open Files
An open file is any filesystem object (in Linux this includes files, devices, pipes, and Unix sockets) to which a process holds an open handle.
Report Data: Open Files
The following are the open files that were present when the memory snapshot was taken of the CentOS 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).
The following table describes each column of the reported data.
Column | Description | Notes |
---|---|---|
Pid | PID of the owning process | |
Comm | Process name of the owning process | |
Fd | File descriptor number | 1=stdin, 2=stdout, 3=stderr, etc. |
Size | File size (only defined for files, not pipes, etc.) | |
Offset | | |
Path | Filesystem path | |
Forensic Hints
Patterns to look for: Does anything look out of the ordinary? Are there any unexpected programs or services for this server role or desktop layout?
The same set of open files can be obtained from a running Linux system via the lsof command (with appropriate filtering); any difference between the set (a) read from usermode and (b) derived from memory inspection should be investigated, as discussed here.
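The comparison described above can be scripted. The following is an added example, not code from this product: it diffs the memory-derived rows against the output of `lsof -F pcfn`. It assumes the report has been exported as CSV with the column names from the table above (the export format is an assumption), and all sample data is constructed.

```python
import csv
import io

def parse_lsof_fields(text):
    """Parse `lsof -F pcfn` output into {(pid, fd, path)} for numeric fds."""
    entries, pid, fd = set(), None, None
    for line in text.splitlines():
        tag, value = line[:1], line[1:]
        if tag == "p":                      # starts a new process set
            pid, fd = int(value), None
        elif tag == "f":                    # starts a new file set
            fd = int(value) if value.isdigit() else None   # skip cwd/txt/mem
        # Compare filesystem paths only: pipes and sockets are assumed to be
        # labelled differently by each tool and would produce noise.
        elif tag == "n" and pid is not None and fd is not None and value.startswith("/"):
            entries.add((pid, fd, value))
    return entries

def parse_memory_report(text):
    """Parse the report rows (assumed CSV export) into {(pid, fd, path)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {(int(r["Pid"]), int(r["Fd"]), r["Path"])
            for r in rows if r["Path"].startswith("/")}

def cross_view_diff(memory_csv, lsof_text):
    """Return (only_in_memory, only_in_usermode), each a sorted list."""
    mem, live = parse_memory_report(memory_csv), parse_lsof_fields(lsof_text)
    return sorted(mem - live), sorted(live - mem)

# Constructed sample data, not taken from the report above.
MEMORY_CSV = """Pid,Comm,Fd,Size,Offset,Path
1102,rsyslogd,4,48213,48213,/var/log/messages
1311,crond,3,5,5,/var/run/crond.pid
2977,kworkerd,5,912,912,/tmp/.cache/out.log
"""
LSOF_FIELDS = """p1102\ncrsyslogd\nf4\nn/var/log/messages\nf5\nn/var/log/secure
p1311\nccrond\nfcwd\nn/\nf3\nn/var/run/crond.pid
"""

if __name__ == "__main__":
    only_mem, only_live = cross_view_diff(MEMORY_CSV, LSOF_FIELDS)
    for pid, fd, path in only_mem:
        print(f"memory only   pid={pid} fd={fd} {path}")
    for pid, fd, path in only_live:
        print(f"usermode only pid={pid} fd={fd} {path}")
```

Entries seen only in memory are the ones usermode tooling did not report; entries seen only in usermode are often files opened after the snapshot was taken, so capture both views as close together in time as possible.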