# Process Open Files

## Overview

**Evidence:** Process Open Files\
**Description:** Collect process open files information\
**Category:** System\
**Platform:** linux\
**Short Name:** popenf\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

This collector gathers information about the files that each process has open on a Linux system. This data is essential for understanding process activity, detecting suspicious file access, and investigating process-based security incidents.

## Data Collected

This collector gathers structured data about process open files.

## Collection Method

This collector parses process file descriptor information and records it into the `process_open_files` table.
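
The following is an added example, not the collector's own code, of reading per-process file descriptors on Linux and flagging files that were deleted while still open. It assumes the data comes from the `/proc/<pid>/fd` symlinks; the `OpenFile` fields and function names are hypothetical and do not represent the schema of the `process_open_files` table.

```python
import os
from typing import Iterator, List, NamedTuple


class OpenFile(NamedTuple):
    pid: int
    fd: int
    path: str      # symlink target as reported by the kernel
    deleted: bool  # True when the target carries the " (deleted)" suffix


def list_open_files(proc_root: str = "/proc") -> Iterator[OpenFile]:
    """Yield one row per open file descriptor found under proc_root."""
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():  # only numeric directories are processes
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = [f for f in os.listdir(fd_dir) if f.isdigit()]
        except OSError:  # process exited, or we lack permission to read it
            continue
        for fd in sorted(fds, key=int):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # descriptor was closed while we were walking
                continue
            # The kernel appends " (deleted)" to the link target when the
            # file was unlinked while a process still holds it open.
            yield OpenFile(int(entry), int(fd), target,
                           target.endswith(" (deleted)"))


def deleted_but_open(rows) -> List[OpenFile]:
    """Rows for filesystem paths that were unlinked but are still held open.

    Targets such as socket:[...] or pipe:[...] do not start with "/" and are skipped.
    """
    return [r for r in rows if r.deleted and r.path.startswith("/")]


if __name__ == "__main__":
    for row in deleted_but_open(list_open_files()):
        print(f"pid={row.pid} fd={row.fd} path={row.path}")
```

Reading the `fd` directories of processes owned by other users requires elevated privileges; without them those processes are silently skipped.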

## Forensic Value

This evidence is crucial for forensic investigations as it reveals files accessed by processes, helping detect data exfiltration, malware behavior, and unauthorized access.
