Process Open Files
Overview
Evidence: Process Open Files
Description: Collect process open files information
Category: System
Platform: linux
Short Name: popenf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers process open files information from the Linux system. This data is essential for understanding process activity, detecting suspicious file access, and investigating process-based security incidents.
Data Collected
This collector gathers structured data about process open files.
Collection Method
This collector parses process file descriptor information and records it into the process_open_files table.
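The following is an added illustration of the collection method described above; it is not the collector's own code. It walks the per-process file descriptor directories that Linux exposes under /proc/<pid>/fd, resolves each descriptor symlink, classifies the target (regular file, socket, pipe, anonymous inode, or a file that was unlinked while still open), and records the rows into a SQLite table named process_open_files. The table schema, the classify/kind names and the fake proc tree built by build_sample_proc are assumptions made for this example so it runs offline; pointing collect_open_files at the real /proc works the same way (reading other users' descriptors requires root).

```python
import os
import sqlite3
import tempfile
from dataclasses import dataclass


@dataclass
class OpenFile:
    pid: int
    fd: int
    target: str   # what the /proc/<pid>/fd/<n> symlink points to
    kind: str     # 'file', 'socket', 'pipe', 'anon', 'deleted' or 'unknown'


def classify_target(target: str) -> str:
    """Map the readlink() text of an fd entry onto a coarse kind (assumed names)."""
    if target.endswith(" (deleted)"):      # open handle to an unlinked file
        return "deleted"
    if target.startswith("socket:["):
        return "socket"
    if target.startswith("pipe:["):
        return "pipe"
    if target.startswith("anon_inode:"):   # eventpoll, timerfd, signalfd, ...
        return "anon"
    if target.startswith("/"):
        return "file"
    return "unknown"


def collect_open_files(proc_root: str = "/proc") -> list[OpenFile]:
    """Enumerate <proc_root>/<pid>/fd/* symlinks for every numeric pid directory."""
    rows = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():            # skip /proc/sys, /proc/net, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except (PermissionError, FileNotFoundError):
            continue                       # not our process, or it exited mid-walk
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except (PermissionError, FileNotFoundError):
                continue                   # descriptor closed between listdir and readlink
            rows.append(OpenFile(int(entry), int(fd), target, classify_target(target)))
    return rows


def store_open_files(rows: list[OpenFile], db_path: str = ":memory:") -> sqlite3.Connection:
    """Persist the rows into a process_open_files table (schema is an assumption)."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS process_open_files ("
        "pid INTEGER, fd INTEGER, target TEXT, kind TEXT)"
    )
    conn.executemany(
        "INSERT INTO process_open_files VALUES (?, ?, ?, ?)",
        [(r.pid, r.fd, r.target, r.kind) for r in rows],
    )
    conn.commit()
    return conn


def deleted_but_open(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Classic triage query: files removed from disk but still held open by a process."""
    return list(conn.execute(
        "SELECT pid, target FROM process_open_files WHERE kind = 'deleted' ORDER BY pid, fd"
    ))


def build_sample_proc() -> str:
    """Build a constructed, fake /proc tree so the example runs without root or Linux."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    layout = {
        1234: {0: "/dev/null", 3: "/etc/passwd", 4: "socket:[12345]",
               5: "/tmp/staging.dat (deleted)"},
        5678: {0: "pipe:[999]", 1: "anon_inode:[eventpoll]", 2: "/var/log/syslog"},
    }
    for pid, fds in layout.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, str(fd)))
    os.makedirs(os.path.join(root, "sys"))   # non-pid entry that must be skipped
    return root


if __name__ == "__main__":
    db = store_open_files(collect_open_files(build_sample_proc()))
    for row in db.execute("SELECT * FROM process_open_files ORDER BY pid, fd"):
        print(row)
    print("deleted-but-open:", deleted_but_open(db))
```

Two details matter when this runs against a live system: the walk is racy (a process or descriptor can vanish between listdir and readlink, which is why both errors are swallowed rather than aborting the collection), and the " (deleted)" suffix is the only trace a process leaves of a file it unlinked after opening, so the deleted kind is worth keeping as a first-class value in the table.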
Forensic Value
This evidence is crucial for forensic investigations as it reveals files accessed by processes, helping detect data exfiltration, malware behavior, and unauthorized access.