A Novel Method of Filing

When it comes time to organize files, the common wisdom (and good advice, too) is to put everything together in a file cabinet in alphabetical order. No matter the subject, put the files in alphabetical order by their title.

Then when you need a file, you can get it out of the file cabinet, and put it back when done. When you choose the file titles wisely (usually by picking the first thing which comes to mind as a topic), this works well.

However, I added another step in my system that seemed to work and work quite well. When you take out a file folder from the file cabinet, instead of putting it back, put it in the front of a small file drawer. Even though this goes against the recommendation to sort alphabetically, what happens is the smaller file drawer is then sorted by frequency of use. The most often used files will be toward the front of the drawer.

Then, from time to time, take the files out of the back of the drawer (that is, the oldest files and least used) and put them back into the file cabinet.

These added steps mean that your file drawer is automatically filled with the most often used files, and the file cabinet is much easier to weed out and is also less often used in favor of the file drawer (which is normally closer).

Try it and see if I’m right…

Tips on using lsof

The utility lsof is a relatively new (well, compared to UNIX anyway) that has more options than even ls. These options provide for some extremely powerful capabilities, some of which we aim to illuminate here.

My favorite use for lsof is for networking: all sockets can be seen with the following options:

lsof -n -i

The -n option prevents lsof from being slowed down by a large number of DNS lookups, and the -i option returns all TCP/IP connections (with process numbers, user ids, file descriptor ids, and so on). To narrow it down, utilize options like the following – to list all SMTP connections, for example:

lsof -n -i :25

It is also possible to list only certain processes (such as process 25 and process 45):

lsof -n -p 25 -p 45

Alternately, the process can be selected by name:

lsof -n -c perl

However, suppose one wants to list all TCP/IP sockets held open by perl processes. The obvious choice does not work! This is because the options are combined together as an OR function; to combine them as an AND function (that is, all options must be satisfied) use the -a option – such as this:

lsof -a -n -c perl -i

This lists, as desired, all TCP/IP sockets held open by perl processes.

Another that might be useful in a security context is listing all files that are open but have no links to them: that is, they’ve been deleted, but one or more processes are keeping the file open, which means the file itself (and its blocks) are being preserved even though it appears to be deleted from the filesystem. To see these files, use this option:

lsof +L1

The utility lsof is indeed very useful, and reading the man page for lsof is recommended.

Dealing with “Hidden” Files

Files can be “hidden” on a filesystem in several ways; some are just attempts to “hide in plain sight.” This is not hiding data in files (such as steganography) but rather hiding the mere existence of files themselves.

There are several ways to do this. The basic ideas are:

  • Make reporting tools lie about the existence of files. This falls into the realm of “rootkits.” Utilities such as ls (and even the kernel itself) may modified in order to not report the existance a particular file. A way to avoid this is to use programs (during examination) that are statically linked and precompiled and saved to read-only media: such programs are immune to future modifications, except for kernel resources (if the kernel is taken over, then all other resources are suspect).
  • Make files “disappear” in file listings. Files of this sort include “.. ” (two dots followed by a space) and other non-standard characters. These files look normal but are not. One way to see files like these is to use the ls command and its -b and -q options. The -b option prints the octal equivalent of non-printing characters; the -q option uses the “?” character instead of non-printing characters. The -F option may also be of use: a file with a terminating space will show up when the -F places its “type” character at the end of the file name.
  • Open the file, then delete it. As long as the file is in use, its disk blocks remain in use, and the file remains available. No other processes can access it – or even see it – but the program (or programs) that opened it still has access to it. Of course, this only works for running programs, but files disappear this way almost entirely. To see the files, use the utility lsof with the +L1 option. The +L option lists files with less than that many links; thus, +L1 lists files with less than one link (or zero links).

As mentioned previously, a static build of all relevant utilities to CDROM can be a very useful tool during investigation of a possible system break-in. All general reporting tools should be included: ls, ps, top, etc. Also included should be any desired programming interpreters: ksh, perl, ruby, tclsh, lua (whatever one finds useful). Also included should be any more intensive tools as well: tcpdump, nmap, etc.