Processes

Overview

Evidence: Process
Description: Collect Process
Category: System
Platform: Linux
Short Name: process
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Linux process information provides details about running processes, their relationships, and resource usage. This data is essential for understanding system activity, detecting malicious processes, and investigating process-based security incidents.

Data Collected

This collector gathers structured data about processes.

Processes Data

| Field | Description | Example |
|---|---|---|
| ID | Primary key (auto-increment) | 1 |
| CWD | Current working directory of the process | /home/user |
| ChildrenMajorFaults | Major page faults incurred by child processes | 0 |
| ChildrenMinorFaults | Minor page faults incurred by child processes | 0 |
| Command | Process command name | bash |
| CommandLine | Full command line | /bin/bash -l |
| EffectiveGroupId | Effective group ID | 1000 |
| EffectiveUserId | Effective user ID | 1000 |
| EffectiveUserName | Effective username | user |
| Environment | Environment variables | PATH=/usr/bin:/bin |
| Executable | Path of the executable | /bin/bash |
| IsExecutableExists | Whether the executable file still exists on disk | true |
| Hash | Hash of the executable file | sha256:abc123... |
| FileDescriptors | Open file descriptors | stdin, stdout, stderr |
| Flags | Process flags | 0 |
| GroupId | Process group ID | 1000 |
| MajorFaults | Major page faults | 0 |
| MinorFaults | Minor page faults | 0 |
| Nice | Process nice value | 0 |
| ParentId | Parent process ID | 1234 |
| Priority | Process priority | 20 |
| ProcessId | Process ID | 5678 |
| RealGroupId | Real group ID | 1000 |
| RealUserId | Real user ID | 1000 |
| ResidentSize | Resident set size in bytes | 1024000 |
| SavedGroupId | Saved group ID | 1000 |
| SavedUserId | Saved user ID | 1000 |
| SessionId | Session ID | 1 |
| State | Process state | S (sleeping) |
| Threads | Number of threads | 1 |
| TpgId | Terminal process group ID | 5678 |
| TtyNr | Terminal device number | 34816 |
| RealUserName | Real username | user |
| SavedUserName | Saved username | user |
| VMSize | Virtual memory size in bytes | 2048000 |
| CSTime | System time consumed by child processes | 0 |
| CUTime | User time consumed by child processes | 0 |
| SystemTime | System time used | 0 |
| StartTime | Process start time (Unix timestamp) | 1697443200 |
| StartDateTime | Process start datetime | 2023-10-15 08:00:00 |
| UserTime | User time used | 0 |

Collection Method

This collector reads the process table of the live system and parses the fields listed above from it.

Usage

This evidence is central to forensic investigations because it records process activity at collection time: which processes were running, how they relate to one another (parent, group and session links), which user and terminal they belonged to, and how much CPU and memory they consumed. Investigators use it to spot malicious or compromised processes, trace the chain of activity behind a process-based attack, and assess the security posture of the Linux host.
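The page does not name the source the collector reads; on Linux the per-process fields above line up with /proc/[pid]/stat, so the added example below (not the collector's own code) parses that format onto the collector's field names, handles the classic pitfall of a command name containing spaces or parentheses, derives Executable/IsExecutableExists/Hash from /proc/[pid]/exe, and walks ParentId links to rebuild the process ancestry an investigator works from. The sample stat lines, btime, clock tick rate and page size are constructed values, and the "sha256:" hash format is assumed from the page's example.

```python
import hashlib
import os

# Constructed sample /proc/[pid]/stat lines (not collector output). The second
# one has a comm of "evil) S 1 (x" to defeat naive whitespace splitting.
SAMPLE_STATS = [
    "5678 (bash) S 1234 5678 1 34816 5678 4194304 120 3 2 0 7 4 0 0 20 0 1 0 1200 2048000 250 18446744073709551615",
    "4242 (evil) S 1 (x) S 5678 4242 1 0 -1 4194560 10 0 0 0 1 1 0 0 20 0 1 0 3000 1024000 100 0",
]

def parse_proc_stat(line, btime, clk_tck=100, page_size=4096):
    """Map one /proc/[pid]/stat line onto the collector's field names."""
    # comm sits between the first '(' and the LAST ')'; it may itself contain
    # spaces and parentheses, so never split the whole line on whitespace.
    start, end = line.index("("), line.rindex(")")
    rest = line[end + 1:].split()          # fields 3.. of proc(5) stat
    f = lambda n: int(rest[n - 3])         # stat field number -> integer value
    return {
        "ProcessId": int(line[:start]), "Command": line[start + 1:end],
        "State": rest[0], "ParentId": f(4), "GroupId": f(5), "SessionId": f(6),
        "TtyNr": f(7), "TpgId": f(8), "Flags": f(9),
        "MinorFaults": f(10), "ChildrenMinorFaults": f(11),
        "MajorFaults": f(12), "ChildrenMajorFaults": f(13),
        "UserTime": f(14), "SystemTime": f(15), "CUTime": f(16), "CSTime": f(17),
        "Priority": f(18), "Nice": f(19), "Threads": f(20),
        # starttime is in clock ticks since boot; rss is in pages
        "StartTime": btime + f(22) // clk_tck,
        "VMSize": f(23), "ResidentSize": f(24) * page_size,
    }

def executable_info(pid):
    """Executable, IsExecutableExists and Hash for a live pid (Linux only)."""
    target = os.readlink(f"/proc/{pid}/exe")   # ends in " (deleted)" if unlinked
    exists = not target.endswith(" (deleted)") and os.path.exists(target)
    digest = None
    if exists:
        with open(target, "rb") as fh:
            digest = "sha256:" + hashlib.sha256(fh.read()).hexdigest()
    return {"Executable": target, "IsExecutableExists": exists, "Hash": digest}

def ancestry(records, pid):
    """Follow ParentId links upward: the process tree an investigator rebuilds."""
    by_pid = {r["ProcessId"]: r for r in records}
    chain = []
    while pid in by_pid and pid not in chain:   # stop at a missing or cyclic parent
        chain.append(pid)
        pid = by_pid[pid]["ParentId"]
    return chain

if __name__ == "__main__":
    recs = [parse_proc_stat(s, btime=1697400000) for s in SAMPLE_STATS]
    print([(r["ProcessId"], r["Command"], r["ParentId"]) for r in recs])
    print("ancestry of 4242:", ancestry(recs, 4242))
```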

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
