
Lsof improvements (show deleted as in lsof output) + files_only argument

Open SolitudePy opened this issue 7 months ago • 0 comments

Improvements for Lsof to show deleted files as in lsof output on a live system. It probably shouldn't be in that function directly, as it no longer mimics the prepend_path kernel function. This PR breaks commit 68b51e873fe99ffcbf1679f25a9767774b9da3e2, but it can easily be fixed if desired.

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_fd_dump.raw -r json linux.lsof --pid 8321
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
  warnings.warn(
Progress:  100.00               Stacking attempts finished           
[
...
...
  {
    "Accessed": "2025-06-04T18:18:04.438000+00:00",
    "Changed": "2025-06-04T18:15:11.438000+00:00",
    "Device": "0:23",
    "FD": 2,
    "Inode": 4,
    "Mode": "crw--w----",
    "Modified": "2025-06-04T18:18:04.438000+00:00",
    "PID": 8321,
    "Path": "/dev/pts/1",
    "Process": "copied_bash",
    "Size": 0,
    "TID": 8321,
    "Type": "CHR",
    "__children": []
  },
  {
    "Accessed": "2025-06-04T17:49:01.296000+00:00",
    "Changed": "2025-06-04T18:17:41.693000+00:00",
    "Device": "253:0",
    "FD": 255,
    "Inode": 201866930,
    "Mode": "-rw-r--r--",
    "Modified": "2025-06-04T17:48:56.399000+00:00",
    "PID": 8321,
    "Path": "/tmp/evil.sh (deleted)",
    "Process": "copied_bash",
    "Size": 19,
    "TID": 8321,
    "Type": "REG",
    "__children": []
  }
]
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_fd_dump.raw linux.lsof --files-only | grep deleted
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
  warnings.warn(
799     799     systemd-udevd   8       /var/lib/sss/mc/group (deleted) 253:0   201339099       REG     -rw-rw-r--      2025-06-04 17:46:02.113000 UTC  2025-06-04 17:46:02.113000 UTC   2025-06-04 17:46:01.736000 UTC  6940392
799     799     systemd-udevd   9       /var/lib/sss/mc/passwd (deleted)        253:0   201866915       REG     -rw-rw-r--      2025-06-04 17:46:02.109000 UTC  2025-06-04 17:46:02.109000 UTC   2025-06-04 17:46:01.724000 UTC  9253600
906     906     auditd  4       /var/lib/sss/mc/group (deleted) 253:0   201339099       REG     -rw-rw-r--      2025-06-04 17:46:02.113000 UTC  2025-06-04 17:46:02.113000 UTC  2025-06-04 17:46:01.736000 UTC   6940392
906     907     auditd  4       /var/lib/sss/mc/group (deleted) 253:0   201339099       REG     -rw-rw-r--      2025-06-04 17:46:02.113000 UTC  2025-06-04 17:46:02.113000 UTC  2025-06-04 17:46:01.736000 UTC   6940392
...
960     1218    gmain   9       / (deleted)     0:1     26770   REG     -rwxrwxrwx      2025-06-04 17:46:02.397000 UTC  2025-06-04 17:46:02.397000 UTC  2025-06-04 17:46:02.397000 UTC   4096
961     961     sssd_nss        6       /var/lib/sss/mc/passwd (deleted)        253:0   201866915       REG     -rw-rw-r--      2025-06-04 17:46:02.109000 UTC  2025-06-04 17:46:02.109000 UTC   2025-06-04 17:46:01.724000 UTC  9253600

SolitudePy, Jun 04 '25 19:06
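The row an investigator wants out of this output is the deleted file a process still holds open: in the thread above that is /tmp/evil.sh, unlinked but kept on fd 255 by the copied bash (bash keeps the script it is executing on fd 255). As an added example, not part of volatility3 or of the issue author's change, the script below post-processes the plugin's `-r json` output: it strips the lsof-style ` (deleted)` marker, groups rows by (Device, Inode) so that the per-thread duplicates (906/906 and 906/907 for auditd) collapse into one holder list, and filters out deleted files under a path prefix assumed benign for this host (the sssd memcache files in /var/lib/sss/mc/). The sample rows are constructed from the issue's output with the timestamp fields dropped; the benign-prefix list is an assumption to tune per environment.

```python
"""Triage deleted-but-open files from `vol -r json linux.lsof` output.

Added example for this issue, not volatility3 code. It post-processes the
plugin's JSON rows rather than changing the plugin itself.
"""
import json
from collections import defaultdict

DELETED_SUFFIX = " (deleted)"  # marker lsof (via d_path) appends for unlinked dentries

# Constructed sample modelled on the issue's output; timestamp fields omitted for
# brevity. Device, inode and fd values mirror the thread, not a real dump.
SAMPLE_JSON = """[
 {"PID": 8321, "TID": 8321, "Process": "copied_bash", "FD": 2,
  "Path": "/dev/pts/1", "Device": "0:23", "Inode": 4, "Type": "CHR", "Size": 0},
 {"PID": 8321, "TID": 8321, "Process": "copied_bash", "FD": 255,
  "Path": "/tmp/evil.sh (deleted)", "Device": "253:0", "Inode": 201866930,
  "Type": "REG", "Size": 19},
 {"PID": 906, "TID": 906, "Process": "auditd", "FD": 4,
  "Path": "/var/lib/sss/mc/group (deleted)", "Device": "253:0", "Inode": 201339099,
  "Type": "REG", "Size": 6940392},
 {"PID": 906, "TID": 907, "Process": "auditd", "FD": 4,
  "Path": "/var/lib/sss/mc/group (deleted)", "Device": "253:0", "Inode": 201339099,
  "Type": "REG", "Size": 6940392}
]"""


def parse_lsof_json(text):
    """Load the plugin's JSON array; each item is one (task, fd) row."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of lsof rows")
    return rows


def split_deleted(path):
    """Return (clean_path, is_deleted), stripping the lsof-style marker."""
    if path.endswith(DELETED_SUFFIX):
        return path[: -len(DELETED_SUFFIX)], True
    return path, False


def deleted_files(rows, types=("REG",)):
    """Group deleted rows of the given types by (Device, Inode, path) -> holders.

    Threads of one process share the fd table, so the plugin emits the same
    (Device, Inode) once per TID; grouping by inode collapses that and lists
    every holder of the same orphaned inode together.
    """
    groups = defaultdict(list)
    for row in rows:
        clean, gone = split_deleted(row["Path"])
        if gone and row.get("Type") in types:
            key = (row["Device"], row["Inode"], clean)
            groups[key].append((row["PID"], row["TID"], row["Process"], row["FD"]))
    return dict(groups)


def holders_by_pid(holders):
    """Collapse per-thread (PID, TID, Process, FD) rows to unique (PID, Process, FD)."""
    return sorted({(pid, name, fd) for pid, _tid, name, fd in holders})


def triage(groups, benign_prefixes=("/var/lib/sss/mc/",)):
    """Drop deleted files under prefixes assumed benign for this host.

    /var/lib/sss/mc/ is an assumption: sssd rotates its memcache files while
    clients keep them mapped, so those show as deleted on a healthy box. Tune
    the prefix list per environment.
    """
    return {k: v for k, v in groups.items() if not k[2].startswith(benign_prefixes)}


def report(groups):
    """Render one line per orphaned inode with its unique holders."""
    lines = []
    for (dev, ino, path), holders in sorted(groups.items()):
        who = ", ".join(f"{name}[{pid}] fd {fd}" for pid, name, fd in holders_by_pid(holders))
        lines.append(f"{path}\tdev={dev} inode={ino}\theld by: {who}")
    return lines


if __name__ == "__main__":
    rows = parse_lsof_json(SAMPLE_JSON)
    for line in report(triage(deleted_files(rows))):
        print(line)
```

To run it over a real dump, redirect the plugin's stdout to a file (`vol -f dump.raw -r json linux.lsof > lsof.json`) so the JSON is separated from the progress and FutureWarning lines, which go to stderr, and feed the file's contents to `parse_lsof_json`. Pass `types=("REG", "CHR")` or similar if you also want deleted device or socket paths, and extend `benign_prefixes` with whatever your baseline shows as normally-deleted-but-open.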