Evidence: Process Open Files
Description: Collect process open files information
Category: System
Platform: linux
Short Name: popenf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers the file descriptors held open by every running process on the Linux system, including regular files, sockets, pipes and other kernel objects exposed through /proc/<pid>/fd. This data is essential for understanding process activity, detecting suspicious file access, and investigating process-based security incidents.
Data Collected
This collector gathers structured data about process open files: for each running process, the descriptors it holds open and the file, socket, pipe or other object each descriptor refers to.
Collection Method
This collector reads each process's file descriptor table (on Linux, the /proc/<pid>/fd directory, where every entry is a symbolic link to the open file, socket or pipe) and records one row per descriptor into the process_open_files table. The result is a point-in-time snapshot: descriptors opened or closed after collection are not reflected.
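The following script is an added example of how such a collector works; it is not the collector's own code and the process_open_files schema on this page is not shown, so the OpenFile record, the classify() labels and the SAMPLE_FDS entries are assumptions made for illustration. It walks /proc/<pid>/fd, resolves each symlink, and tags the descriptor targets an analyst typically triages first: files that were unlinked while still open and memfd-backed anonymous files.

```python
#!/usr/bin/env python3
"""Walk /proc/<pid>/fd, record every open descriptor, and flag the
targets that usually matter most in an incident (deleted files and
memfd-backed anonymous files). Example code, not the collector's own."""
import os
import re
from dataclasses import dataclass, asdict


@dataclass
class OpenFile:
    """Hypothetical per-descriptor record; the real table schema is not shown."""
    pid: int
    fd: int
    target: str   # result of readlink(/proc/<pid>/fd/<fd>)
    kind: str     # file | deleted | memfd | socket | pipe | anon_inode | unknown


_SOCKET_RE = re.compile(r"^socket:\[\d+\]$")
_PIPE_RE = re.compile(r"^pipe:\[\d+\]$")


def classify(target: str) -> str:
    """Label a readlink() target. memfd is checked first because the kernel
    renders it as '/memfd:<name> (deleted)', which would otherwise match the
    generic deleted-file rule."""
    if target.startswith("/memfd:"):
        return "memfd"
    if target.endswith(" (deleted)"):
        return "deleted"
    if _SOCKET_RE.match(target):
        return "socket"
    if _PIPE_RE.match(target):
        return "pipe"
    if target.startswith("anon_inode:"):
        return "anon_inode"
    if target.startswith("/"):
        return "file"
    return "unknown"


def parse_fd_entries(pid, entries):
    """entries: iterable of (fd_name, link_target) pairs as found under
    /proc/<pid>/fd. Non-numeric names are skipped defensively."""
    rows = []
    for fd_name, target in entries:
        try:
            fd = int(fd_name)
        except ValueError:
            continue
        rows.append(OpenFile(pid=pid, fd=fd, target=target, kind=classify(target)))
    return rows


def read_proc_fds(pid, proc_root="/proc"):
    """Snapshot one process's descriptor table. Races are expected: the
    process may exit, or close a descriptor, between listdir and readlink."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    try:
        names = os.listdir(fd_dir)
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        return []  # process gone, or we lack ptrace-read access to it
    entries = []
    for name in names:
        try:
            entries.append((name, os.readlink(os.path.join(fd_dir, name))))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
    return parse_fd_entries(pid, entries)


def collect_open_files(proc_root="/proc"):
    """One row per open descriptor across every numeric /proc entry."""
    rows = []
    for name in os.listdir(proc_root):
        if name.isdigit():
            rows.extend(read_proc_fds(int(name), proc_root))
    return rows


def suspicious(rows):
    """Descriptors worth a second look: unlinked-but-open files and memfds."""
    return [r for r in rows if r.kind in ("deleted", "memfd")]


# Constructed sample resembling one process's /proc/<pid>/fd listing.
SAMPLE_FDS = [
    ("0", "/dev/pts/0"),
    ("1", "/dev/pts/0"),
    ("3", "socket:[12345]"),
    ("4", "pipe:[6789]"),
    ("5", "/tmp/.x (deleted)"),
    ("6", "/memfd:payload (deleted)"),
    ("7", "anon_inode:[eventpoll]"),
    ("8", "/usr/lib/libc.so.6"),
]

if __name__ == "__main__":
    for row in suspicious(collect_open_files()):
        print(asdict(row))
```

Run it as root (or with CAP_SYS_PTRACE): the kernel applies PTRACE_MODE_READ access checks to /proc/<pid>/fd, so an unprivileged user only sees descriptors of their own processes, and hidden_pid mount options on /proc can hide other users' processes entirely.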
Forensic Value
This evidence is crucial for forensic investigations because it reveals which files each process has open at collection time, including files that were deleted while still held open and would not appear in an on-disk listing. It helps detect data exfiltration (a process holding sensitive files alongside a network socket), malware behavior (executables running from deleted or memory-backed files), and unauthorized access.