SANS Digital Forensics and Incident Response Blog: Tag - ls

Solaris Digital Forensics: Part2

This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at https://blogs.sans.org/computer-forensics/2010/10/15/solaris-forensics-part-1/.

Reading ls output

Being able to correctly read the ls command's output is critical for moving around the OS and to looking for signs of compromise. As you go through the filesystem, keep in mind you may not be truly seeing an accurate picture of the filesystem. If the machine has a rootkit installed on it, some of the files and directories may be hidden.

In the UNIX filesytem we have some basically defined file types:

  • Regular files
  • Directories
  • Symbolic Links (hard and soft)
  • Device

...