Lock Files
Overview
Section titled “Overview”Evidence: Lock Files
Description: Collect lock files
Category: System
Platform: linux
Short Name: lckfls
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”This collector gathers lock files information from the Linux system. This data is essential for understanding process/file locking behavior, detecting contention or misuse, and investigating system-related events.
Data Collected
Section titled “Data Collected”This collector gathers structured data about lock files.
Collection Method
Section titled “Collection Method”This collector parses process file descriptor info and lock metadata and records it into the lock_files table.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations as it reveals locked resources and processes holding them, helping identify sabotage, ransomware behavior, or resource contention.