Network 2 Timeline Utility - Linux Volatile Gathering Tool
4050-581
Computer System Forensics
Prof. Bill Stackpole
Network 2 Timeline Utility - Linux volatile data gathering tool
This document contains a detailed report on the Network 2 Timeline utility, a link to the public source code, the tool development process, and why the tool is important for the forensic community.
Last edit: Aug 9, 2015
Contents
1. Executive Summary
2.
3. Tool Selection
4. Tool development
5.
6. Conclusion
7. Appendix
1. Executive Summary
The intention of this project is to create a script that finds all the running processes, sockets, and network connections of a specific user. I wrote the Network 2 Timeline (n2tm) script to add functionality to the existing list open files (lsof) tool, such as a date and timeline for every lsof output line.
The n2tm script can list all the live IPv4/IPv6 connections to the Internet by a specified user. Another useful feature is that it automatically lists all the unique running process IDs of that user along with the date and timeline.
More n2tm functionality will be added in future releases to make this script more useful for the forensic community.
I included documentation and a BASH script in the zip file to get you started.
2.
I have always wanted to find out all the information about a specific user in the Linux operating system, such as myself. I want to know the date and the timestamp at which my programs are running. I have spent a lot of time getting to know the lsof command; it is a very powerful utility that I only started using recently, because my RIT professors told me it is a powerful tool that tells what is going on in the machine.
The lsof command gives me the ability to accomplish the project goals; however, I have to manually input the PID under the specific user to find out all the running program processes and network sockets, which is time consuming, so I created the n2tm script. This script automatically finds all the unique process IDs owned by the current user (see Appendix figure 1.3), which saves forensic investigators time when they want to find out all about that user.
3. Tool Selection
I chose BASH and AWK as the scripting languages, because these tools allow me to solve a complicated problem with a few lines of code. For instance, AWK gives me associative arrays and pattern matching for a specific user; if the user is found, it prints nicely on the screen. The downside is the learning curve. BASH allows me to write a script that ties the existing Linux/Unix tools, such as who, sort, uniq, and AWK, together to give me the result.
4. Tool development
In order to develop a tool that fits my forensic needs, I did research and read plenty of articles about lsof. What I found is that the lsof tool doesn't provide a timeline, such as the date and timestamp, when I issue lsof -i -n -P, where -i lists the IP sockets, -n disables IP-to-hostname translation, and -P disables port-to-name translation. So I added the date and timestamp to make the lsof output more robust.
I used the BASH debugging mode when I issued bash -x l2m -i $USER, where $USER is the current user on the machine. The -x allows me to see the values change during the code execution.
Future development: I will convert this project into a Python script, because that lets me use an object-oriented programming (OOP) language.
5.
Creating the comma-separated values file was the most challenging part for me, because I ran into different issues: some output values were not in the right field in the Microsoft Excel sheet. I have spent countless hours on it and it is nearly complete, but I decided not to put it into this release, because I do not want people to get wrong output data in the CSV file. The CSV output feature will be released in the future.
Limitations: 1) An AWK program doesn't have the ability to add multiple records to a unique value. For instance, I wanted to keep track of all the unique ports used by a user. It took me some time to figure out that there is another way to accomplish this. I utilized BASH and AWK together: BASH keeps track of the user while AWK finds all the unique PIDs of that user.
2) Another limitation is that the script only takes two arguments, because I would like the first release to be easy to use. I would like to see how the forensic community reacts to my script. I am looking forward to hearing their feedback.
6. Conclusion
I learned how to create a useful script for the forensic community. I hope to continue making this tool more robust and adding more functionality to it. Now I am able to find out which processes are running on my machine, which tells me if any suspicious programs are running.
The source code can be downloaded from http://code.google.com/p/network-2timeline/downloads/list. The current script version is 1.1.
The script works on Linux (e.g., CentOS 5.6) and Mac OS 10.8.2. To use it, just issue these commands:
bash n2tm -i $USER
Lists all the IPv4/IPv6 information owned by $USER, where $USER is the BASH variable. Alternatively, you could specify the user name instead of using the BASH variable.
bash n2tm -p $USER
Lists all the running processes owned by the user.
Note: This script requires root privileges to run.
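To make the tool development and limitation sections concrete, here is an added example, not the n2tm script from the report, that rebuilds the same two modes on top of lsof: a function that prefixes each lsof record for a given user with DATE, TIME and TM columns, and an awk pass that collects that user's unique PIDs with an associative array. The timestamp format, the function and variable names, and the sample lsof output are my assumptions, not the report's.

```shell
#!/usr/bin/env bash
# Added example (not the n2tm script from the report): the same idea rebuilt
# on top of lsof. Column parsing assumes lsof's default whitespace-separated
# layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); command names
# containing spaces would break it, and `lsof -F` field output avoids that.

# Constructed sample of `lsof -i -n -P` output (not a real capture).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    16214 pod1    3u  IPv4 938585      0t0  TCP 192.168.1.171:22->192.168.1.185:52062 (ESTABLISHED)
firefox  3354 pod1   47u  IPv4 972527      0t0  TCP 192.168.1.171:55071->203.0.113.10:443 (ESTABLISHED)
firefox  3354 pod1   52u  IPv4 972529      0t0  TCP 192.168.1.171:55073->203.0.113.10:443 (ESTABLISHED)
cupsd     999 root    7u  IPv4  12345      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Mode -i: keep the header and every record whose USER column matches, and
# prefix each record with the collection date, time and timezone.
# The timestamp format is my choice, not necessarily n2tm's.
n2tm_annotate() {
    user="$1"
    stamp="$(date '+%F %T %Z')"            # e.g. "2015-08-09 17:18:58 EDT"
    awk -v user="$user" -v stamp="$stamp" '
        NR == 1    { print "DATE TIME TM " $0; next }   # header line
        $3 == user { print stamp, $0 }                  # $3 is the USER column
    '
}

# Mode -p, first pass: the unique PIDs owned by USER, in first-seen order.
# The awk associative array seen[] does the de-duplication the report describes.
n2tm_unique_pids() {
    user="$1"
    awk -v user="$user" 'NR > 1 && $3 == user && !seen[$2]++ { print $2 }'
}

# Front end mirroring the report's two modes. As the report notes, it needs
# root to see other users' processes. lsof -p PID is a real lsof option.
n2tm() {
    mode="$1"; user="${2:-$USER}"
    case "$mode" in
        -i) lsof -i -n -P | n2tm_annotate "$user" ;;
        -p) lsof -n -P | n2tm_unique_pids "$user" | while read -r pid; do
                lsof -n -P -p "$pid" | n2tm_annotate "$user"
            done ;;
        *)  echo "usage: n2tm -i|-p [user]" >&2; return 2 ;;
    esac
}

# Offline demonstration on the constructed sample: annotated records for pod1,
# then pod1's unique PIDs (16214 and 3354; the root-owned cupsd line is dropped).
printf '%s\n' "$SAMPLE_LSOF" | n2tm_annotate pod1
printf '%s\n' "$SAMPLE_LSOF" | n2tm_unique_pids pod1
```

Run `n2tm -i pod1` or `n2tm -p pod1` as root to use it against live lsof output instead of the sample.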
7. Appendix
[Appendix figures: sample n2tm output captured as root on the test machine for user pod1. Each figure is the lsof listing for that user's processes (sshd, PID 16214, and firefox, PID 3354) with the n2tm DATE, TIME and TM (timezone) columns prepended to lsof's COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE, NODE and NAME columns. The raw listing is omitted here.]