SANS Digital Forensics and Incident Response Blog: Tag - ln

Understanding *NIX File Linking (ln)

The "ln" command is an important tool in any Unix admin's arsenal and attackers use it too, so it is essential that forensics analysts understand it. It is used to either:

  1. Create a link to a target file with a selected name.
  2. Create a link to a target file in the current directory.
  3. Create links to each target in a directory.

The "ln" command will by default produce hard links. Symbolic links are created with the "-symbolic" option set (or "-s"). In order to create a hard link; the target file has to exist. The primary formats of the commands are:

  • ln [OPTION]... [-T]
  • ln [OPTION]...
  • ln [OPTION]... -t

Some malicious uses of ln are in hiding files, though perhaps not very well, and creating subterfuge by wrapping legitimate programs. The "ln" command need not

... Continue reading Understanding *NIX File Linking (ln)