Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details

All Projects → spieglt → Whatfiles

spieglt / Whatfiles

Licence: gpl-3.0

Log what files are accessed by any Linux process

Programming Languages

50402 projects - #5 most used programming language

Labels

digital-forensics

Projects that are alternatives of or similar to Whatfiles

Cortex Analyzers

Cortex Analyzers Repository

Stars: ✭ 246 (-69.25%)

Mutual labels: digital-forensics

A list of free and open forensics analysis tools and other resources

Stars: ✭ 392 (-51%)

Mutual labels: digital-forensics

Digital Forensics Investigation Platform

Stars: ✭ 257 (-67.87%)

Mutual labels: digital-forensics

ThePhish: an automated phishing email analysis tool

Stars: ✭ 676 (-15.5%)

Mutual labels: digital-forensics

MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Stars: ✭ 89 (-88.87%)

Mutual labels: digital-forensics

Catalyst is an open source SOAR system that helps to automate alert handling and incident response processes

Stars: ✭ 91 (-88.62%)

Mutual labels: digital-forensics

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Stars: ✭ 210 (-73.75%)

Mutual labels: digital-forensics

Digging Deeper....

Stars: ✭ 680 (-15%)

Mutual labels: digital-forensics

The Red Rabbit project is just what a hacker needs for everyday automation. Red Rabbit unlike most frameworks out there does not automate other peoples tools like the aircrack suite or the wifite framework, it rather has its own code and is raw source with over 270+ options. This framework might just be your everyday key to your workflow

Stars: ✭ 123 (-84.62%)

Mutual labels: digital-forensics

documentation, scripts, tools related to Zena Forensics (http://blog.digital-forensics.it)

Stars: ✭ 66 (-91.75%)

Mutual labels: digital-forensics

Information Security Library

Stars: ✭ 60 (-92.5%)

Mutual labels: digital-forensics

cybersecurity-career-path

Cybersecurity Career Path

Stars: ✭ 335 (-58.12%)

Mutual labels: digital-forensics

artifactcollector

🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

Stars: ✭ 140 (-82.5%)

Mutual labels: digital-forensics

Telegram cache4.db parser

Stars: ✭ 52 (-93.5%)

Mutual labels: digital-forensics

Documentation of TheHive

Stars: ✭ 353 (-55.87%)

Mutual labels: digital-forensics

DFIRTrack - The Incident Response Tracking Application

Stars: ✭ 232 (-71%)

Mutual labels: digital-forensics

The Python implementation of the AFF4 standard.

Stars: ✭ 37 (-95.37%)

Mutual labels: digital-forensics

Educational, CTF-styled labs for individuals interested in Memory Forensics

Stars: ✭ 696 (-13%)

Mutual labels: digital-forensics

Cortex: a Powerful Observable Analysis and Active Response Engine

Stars: ✭ 676 (-15.5%)

Mutual labels: digital-forensics

Cyber-investigation Analysis Standard Expression (CASE) Ontology

Stars: ✭ 46 (-94.25%)

Mutual labels: digital-forensics

View All Similar Projects ➔

whatfiles

Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.

Rationale:

I've long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Sample output:

mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu

Use:

basic use, launches ls and writes output to a log file in the current directory:

$ whatfiles ls -lah ~/Documents
specify output file location with -o:

$ whatfiles -o MyLogFile cd ..
include debug output, print to stdout rather than log file:

$ whatfiles -d -s apt install zoom
attach to currently running process (requires root privileges):

$ sudo whatfiles -p 1234

Distribution

Ready-to-use binaries are on the releases page! Someone also kindly added it to the Arch repository, and letompouce set up a GitLab pipeline as well.

Compilation (requires `gcc` and `make`):

$ cd whatfiles
$ make
$ sudo make install

Supports x86, x86_64, ARM32, and ARM64 architectures.

Questions that could be asked at some point:

Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

Yes. Though it aims to be simpler and more user friendly.
Are there Mac and Windows versions?

No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. dtruss on Mac can be used to follow a single process and its children, though the -t flag seems to only accept a single syscall to filter on. fs_usage does something similar though I'm not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.

Known issues:

Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it's running works fine, as does using whatfiles to launch a second Firefox window if one's already open.)

Planned features:

None currently, open to requests and PRs.

Thank you for your interest, and please also check out Cloaker, Nestur, and Flying Carpet!

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 800

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (0) 🔗