Linux.Forensics.ProcFD

This artifact collects metadata about open file descriptors from active processes on a Linux system. Outputs include regular files, sockets, device files, and deleted files used by each process.


# Velociraptor client artifact. It walks the /proc/*/fd/* symlinks once,
# attaches per-process context (comm, cmdline, loginuid) to every descriptor,
# and splits the rows into four sources by the shape of the link target.
name: Linux.Forensics.ProcFD
author: Chris DiSalle - @chrisdfir
description: |
  This artifact collects metadata about open file descriptors from active processes on a Linux system. 
  Outputs include regular files, sockets, device files, and deleted files used by each process.
  
reference:
  - https://sandflysecurity.com/blog/investigating-linux-process-file-descriptors-for-incident-response-and-forensics/
  - https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html#review-processes
  
type: CLIENT

# Gate on the client OS so the artifact is a no-op on non-Linux endpoints.
precondition: SELECT OS From info() where OS = 'linux'

# NOTE(review): open_fds is declared with LET inside the RegularFiles source
# only. If Velociraptor evaluates each source in its own scope (I believe it
# does, and that VQL shared between sources belongs in an `export` section),
# the Sockets, DeviceFiles and DeletedFiles queries would not see open_fds --
# confirm on a live collection before relying on those three sources.
# Reading /proc/<pid>/fd for processes owned by other users normally needs
# root; descriptors the client cannot read presumably never appear in any
# source rather than producing an error row.
sources:
  # Column notes for open_fds (the later sources reuse these names verbatim):
  #   OSPath[1]  -> the <pid> component of /proc/<pid>/fd/<n>
  #   Data.Link  -> the symlink target, i.e. what the descriptor refers to
  #   OctalMode  -> Mode rendered as octal through format("%o")
  # read_file runs three times per descriptor, so comm/cmdline/loginuid are
  # re-read for every fd of the same process. /proc/<pid>/cmdline is
  # NUL-separated on Linux; presumably consumers split it themselves.
  - name: RegularFiles
    # Targets that start with "/" but are not under /dev/. If deleted targets
    # keep their leading slash (Linux reports them as "<path> (deleted)"),
    # they match here as well as in DeletedFiles.
    query: |
      LET open_fds <= SELECT
            OSPath,
            OSPath[1] AS PID,
            Data.Link AS FilePath,
            Mtime,
            Atime,
            Ctime,
            Btime,
            read_file(filename="/proc/" + OSPath[1] + "/comm") AS ParentCommand,
            read_file(filename="/proc/" + OSPath[1] + "/cmdline") AS ParentCmdLine,
            read_file(filename="/proc/" + OSPath[1] + "/loginuid") AS LoginUID,
            format(format="%o", args=[Mode]) AS OctalMode,
            Mode.String AS StringMode
        FROM glob(globs="/proc/*/fd/*")
        
      SELECT
            OSPath AS FDPath,
            FilePath AS FDLink,
            ParentCmdLine AS ProcessCmdLine,
            ParentCommand AS Process,
            LoginUID,
            Mtime,
            Atime,
            Ctime,
            Btime,
            OctalMode,
            StringMode
      FROM open_fds
      WHERE FilePath =~ "^/" AND NOT FilePath =~ "^/dev/"

  # Unanchored match on "socket:" anywhere in the target. Other pseudo
  # targets (e.g. pipe:[...] or anon_inode:...) would not be matched by any
  # of the four sources, so they are silently absent from the output.
  - name: Sockets
    query: |
      SELECT
            OSPath AS FDPath,
            FilePath AS FDLink,
            ParentCmdLine AS ProcessCmdLine,
            ParentCommand AS Process,
            LoginUID,
            Mtime,
            Atime,
            Ctime,
            Btime,
            OctalMode,
            StringMode
      FROM open_fds
      WHERE FilePath =~ "socket:"

  # Targets under /dev/, the set RegularFiles explicitly excludes.
  - name: DeviceFiles
    query: |
      SELECT
            OSPath AS FDPath,
            FilePath AS FDLink,
            ParentCmdLine AS ProcessCmdLine,
            ParentCommand AS Process,
            LoginUID,
            Mtime,
            Atime,
            Ctime,
            Btime,
            OctalMode,
            StringMode
      FROM open_fds
      WHERE FilePath =~ "^/dev/"

  # The regex "deleted" is unanchored, so any target whose path merely
  # contains that substring also lands here; anchoring on the " (deleted)"
  # suffix would be more precise.
  - name: DeletedFiles
    query: |
      SELECT
            OSPath AS FDPath,
            FilePath AS FDLink,
            ParentCmdLine AS ProcessCmdLine,
            ParentCommand AS Process,
            LoginUID,
            Mtime,
            Atime,
            Ctime,
            Btime,
            OctalMode,
            StringMode
      FROM open_fds
      WHERE FilePath =~ "deleted"