lsof (‘list open files’) is a powerful Unix tool which lets us link open ports (discovered through tools like netcat) to running processes. It also lists the files which a given process has open, along with information about those files. Since everything is considered to be a file in Unix, this tool can be used to get information on actual files, directories, devices, and more.
For basic purposes, no extra flags are needed and the command can simply be run as follows:
To view connections as raw IP addresses instead of Fully Qualified Domain Names (FQDN), use the -n flag as well, like so:
*There are many other flags/options which can be used with lsof. See the “More Information” section at the bottom for more details.
How to Use in Forensics Investigation
As stated above, lsof is most useful once open ports have been discovered, preferably along with their associated process IDs (PIDs). On Linux machines, this is done with the netstat -anp command. The PIDs for open ports can then be cross-referenced with the lsof output to discover which processes opened those ports, files, directories, etc. lsof can often produce many lines of output, making it difficult for the untrained user to analyze. However, by searching for specific strings such as “TCP,” “UDP,” or “LISTEN,” it becomes easy to find the processes dealing with network activity.
Looking at the column labeled “FD” (file descriptor), you are even able to see which files and directories are currently open; searching for the “cwd” (current working directory) value in that field shows the directory each process is working from. If a process has a current working directory, and that directory is some hidden directory or perhaps a directory named password_cracker/execute, there is most likely a malicious process running on your system. The user who started the process is listed under the column “USER” (as difficult as that may have been to figure out). If a malicious process is running and the user is root, you know that the attacker has root (administrative) access to your machine, and you should probably escalate the investigation in case the attacker uses your machine to attack the entire network.
Try it out!
Spin up your favorite Linux distro (if you’re new to this, I’d go with Ubuntu; Mac computers also run a Unix kernel, so opening a terminal on a Mac works too), and find the ports being used on your machine. If you don’t remember how to do this, see the “How to Use in Forensics Investigation” section above. Next, use lsof to see which processes are connected to those ports. Feel free to simply search for open files (with the “cwd” value in the “FD” column). You can discover a lot about your machine by analyzing the output of tools such as lsof.
lsof is a great way to discover rogue processes and the files they may have open. You can easily discover the location of an attacker’s toolbox on your system through this tool. It should also be noted that the absence of information from lsof can be just as valuable. If there is an open port on the device with a process ID, but it doesn’t show up in the lsof output, it may indicate some sort of Trojan on the machine. There are many ways to use the tool and this is a very basic introduction, but the more you learn about tools such as this one, the faster you can discover an intrusion on your systems.
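The cross-reference described in the “How to Use in Forensics Investigation” section and the “missing from lsof” check above, as an added shell example that is not from the original post. The netstat and lsof listings are constructed samples embedded in the script so it runs offline; the PIDs, the “updater” program name and the /tmp/.x path are made up for illustration.

```shell
#!/bin/sh
# Added example: cross-reference netstat -anp with lsof output as the article
# describes. The three samples are CONSTRUCTED stand-ins for real output; on a
# live machine replace them with `netstat -anp`, `lsof -i -P -n` and `lsof -d cwd`.

NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444    0.0.0.0:*       LISTEN      4242/nc
tcp        0      0 0.0.0.0:31337   0.0.0.0:*       LISTEN      9999/updater'

LSOF_NET_SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
nc      4242 root    3u  IPv4  23456      0t0  TCP *:4444 (LISTEN)'

LSOF_CWD_SAMPLE='COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root  cwd DIR    8,1     4096    2 /
nc      4242 root  cwd DIR    8,1     4096 4711 /tmp/.x/password_cracker/execute
bash    3001 alice cwd DIR    8,1     4096  900 /home/alice'

# PIDs that netstat reports as owning a listening socket but that never appear
# in the lsof network listing: the "lack of information" case from the article.
# Prints one "PID/program" per line.
listeners_missing_from_lsof() {
    lsof_pids=$(printf '%s\n' "$LSOF_NET_SAMPLE" | awk 'NR > 1 { print $2 }')
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v known="$lsof_pids" '
        BEGIN { n = split(known, k); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        $6 == "LISTEN" { split($7, p, "/"); if (!(p[1] in seen)) print p[1] "/" p[2] }'
}

# Processes whose current working directory contains a hidden (dot) path
# component, printed as "PID USER DIR" so the USER column can be checked too.
hidden_cwd_processes() {
    printf '%s\n' "$LSOF_CWD_SAMPLE" | awk '$4 == "cwd" && $NF ~ "/[.][^/]" { print $2, $3, $NF }'
}

listeners_missing_from_lsof
hidden_cwd_processes
```

On a real system, run the script as root: lsof only shows sockets and directories for processes the invoking user can inspect, so an unprivileged run produces exactly the kind of missing rows this check would flag.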
A more basic version of lsof for Windows is called FPort, but this only works for older versions of Windows (although I read that it works up through Windows 7). A more recent tool which will work on Windows 10 is called TCPView, and is part of the Sysinternals package.
Linux systems should come with lsof pre-installed. If yours doesn’t, use the sudo apt-get install lsof or the yum install lsof command, depending on which Linux distribution you are using.