Lock Files

Overview

Evidence: Lock Files Description: Collect lock files Category: System Platform: Linux Short Name: lckfls Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

This collector gathers lock files information from the Linux system. This data is essential for understanding process/file locking behavior, detecting contention or misuse, and investigating system-related events.

Data Collected

This collector gathers structured data about lock files.

Lock Files Data

Field

Description

Example

ID

Start

Start

Example value

End

End

Example value

UserId

User Id

Example value

GroupId

Group Id

Example value

Mode

Mode

Example value

Path

Path

/path/to/file

Size

Size

1024

Type

Type

Example value

ProcessId

Process Id

Example value

AccessTime

Access Time

2023-10-15 14:30:25

LastChangeTime

Last Change Time

2023-10-15 14:30:25

ModificationTime

Modification Time

2023-10-15 14:30:25

Collection Method

This collector parses process file descriptor info and lock metadata and records it into the lock_files table.

Usage

This evidence is crucial for forensic investigations as it reveals locked resources and processes holding them, helping identify sabotage, ransomware behavior, or resource contention.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.

PreviousKernel Modules NextSystemctl

Last updated 1 hour ago

Was this helpful?