[Gutsy]Looking for a program that analyzes a file and makes a "best guess" attempt to identify or provide information

Felipe Figueiredo philsf79 at gmail.com
Thu Dec 27 22:25:13 UTC 2007


On Thursday 27 December 2007 19:37:05 John Toliver wrote:
> > It really depends on what you mean by 'analyse' the file. Do you intend to
> > actually screen the file's contents, to discover something specific in that
> > file? If you only want a generic description of "file type", based on a
> > mime list, Corey's suggestion (the 'file' command) should do.
> 
> What I mean is if I happen to be working on my system and I uncover a
> file I don't recognize, and I'm not sure where it came from, alarms go
> up.  I'll probably want to scan the daylights out of it for viruses,
> but also I would want to know what information it has in it.  What
> program created it, etc.  And I might not feel comfortable submitting
> it to an online service to analyze it.  Maybe it was a data store for
> my passwords and I just don't know it, etc.
> 

OK, so maybe you can work around your needs using a set of pre-existing 
utilities, instead of working on a script (which would probably never be 
generic enough to avoid needing very frequent updates).

As I said, the "file" command should be the first step - it uses magic numbers 
and mime types (check Google or Wikipedia if you want details on them) to 
give generic, concise descriptions.

If it's a text file, you can just open it with any text editor (nano, vim, 
emacs, gedit, etc) or pager (less, more, most, etc). If it's binary, you can 
use the 'strings' command to see what strings it has.

If you are concerned that strange files might appear at random in 
otherwise 'secure' directories, you should consider using an IDS 
like 'tripwire', 'aide', or others (check the dependencies 
of 'harden-environment' for a list of interesting packages).

If they (the strange files) might appear in your home dir, or any dir your 
account has write access to, you should even be able to see what program is 
using it, if it's still open (even in the background). To do this, use the 
command 'lsof'. AFAIK, there's no way of accurately knowing what program 
accessed a file in a 'normal' installation. Maybe if you use SELinux or 
AppArmor, they have some advanced logging system, but I have zero information 
on that. The 'old' way of knowing what programs have been run is process 
accounting (package acct, command 'lastcomm'), but I don't think you can know 
which files they created, unless you know the programs themselves and know 
what to expect from them.

Beware that any such logging system you enable that logs individual process 
information to disk will probably use huge amounts of space, and if you use 
a GUI, much of it will be useless messages from GUI apps and widgets opening 
and closing.

Of course, none of these measures are useful if the file is encrypted.

regards
FF
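An added example, not part of this message or the ubuntu-users thread, that strings together the first-pass steps described above for a file you do not recognise: hash it so you can compare or look it up later without uploading it, identify it with file(1), pull out printable strings, and ask lsof(1) whether any process currently has it open. The function names and the sample file are my own constructions. The strings step is a tr/grep stand-in for strings(1) so it also runs where binutils is absent, and when file(1) is missing the type step only dumps the first four bytes so you can check the magic number by hand.

```shell
#!/bin/sh
# Offline triage of an unrecognised file: hash, type, strings, open handles.
# Hypothetical helper names; nothing here talks to the network.

# SHA-256 of the file, so a copy can be compared later without sending it anywhere.
triage_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Magic-number / MIME identification via file(1). Without file(1), print the
# first four bytes in hex so the magic number can be checked by hand.
triage_type() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    else
        od -A n -N 4 -t x1 "$1" | tr -d ' \n'
    fi
}

# Printable runs of at least $2 characters (default 8, like strings -n 8).
# Non-printable bytes become line breaks; short fragments are dropped.
triage_strings() {
    min=${2:-8}
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$min,}$"
}

# Processes that currently hold the file open, as "COMMAND PID" pairs.
# lsof exits 1 when nothing has the file open; that is not an error here.
triage_open_by() {
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not installed"
        return 0
    fi
    lsof "$1" 2>/dev/null | awk 'NR > 1 { print $1, $2 }' | sort -u
    return 0
}

# One-screen report combining the steps above.
triage() {
    f=$1
    echo "file:    $f"
    echo "sha256:  $(triage_hash "$f")"
    echo "type:    $(triage_type "$f")"
    echo "open by: $(triage_open_by "$f" | tr '\n' ' ')"
    echo "strings (first 20 of length >= 8):"
    triage_strings "$f" | head -n 20
}

# Constructed sample for testing: a PNG signature and IHDR tag, a few
# non-printable bytes, then a credential-looking string buried in the "binary".
make_sample() {
    printf '\211PNG\r\n\032\n\000\000\000\015IHDR\001\002\003' > "$1"
    printf 'user=alice password=hunter2' >> "$1"
    printf '\377\376\375' >> "$1"
}

# Usage: sh triage.sh /path/to/suspicious/file
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

The minimum string length matters: at the default of 8 the 3-byte "PNG" and 4-byte "IHDR" fragments are dropped and only the embedded credential line survives, which is what you want when scanning a large binary; lower it (second argument) when hunting for short tags or format markers.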