[Gutsy]Looking for a program that analyzes a file and makes a "best guess" attempt to identify or provide information
Felipe Figueiredo
philsf79 at gmail.com
Thu Dec 27 22:25:13 UTC 2007
On Thursday 27 December 2007 19:37:05, John Toliver wrote:
> > It really depends on what you mean by 'analyse' the file. Do you intend to
> > actually screen the file contents, to discover something specific on that
> > file? If you only want a generic description of "file type", based on a mime
> > list, Corey's suggestion (the 'file' command) should do.
>
> What I mean is if I happen to be working on my system and I uncover a
> file I don't recognize, and I'm not sure where it came from alarms go
> up. I'll probably want to scan the daylights out of it for viruses,
> but also I would want to know what information it has in it. What
> program created it, etc. And I might not feel comfortable submitting
> it to an online service to analyze it. Maybe it was a data store for
> my passwords and I just don't know it etc....
>
Ok, so maybe you can work around your needs using a set of pre-existing
utilities, instead of working on a script (that's probably never going to be
sufficiently generic so as not to be updated very frequently).
As I said, the "file" command should be the first step - it uses magic numbers
and mime types (check Google or Wikipedia, if you want details on them) to
give generic, concise descriptions.
If it's a text file, you can just open it with any text editor (nano, vim,
emacs, gedit, etc) or pager (less, more, most, etc). If it's binary, you can
use the 'strings' command to see what strings it has.
If you are concerned that strange files might appear at random in
otherwise 'secure' directories, you should consider using an IDS
like 'tripwire', 'aide', or others (check the dependencies
of 'harden-environment' for a list of interesting packages).
If they (the strange files) might appear in your home dir, or any dir your
account has write access to, you should even be able to see what program is
using it, if it's still open (even in background). For this, you use the
command 'lsof'. AFAIK, there's no way of accurately knowing what program
accessed a file in a 'normal' installation. Maybe if you use SELinux or
AppArmor, they have some advanced logging system, but I have zero information
on that. The 'old' way of knowing what programs have been run is by process
accounting (package acct, command 'lastcomm'), but I don't think you can know
which files they created, unless you know the programs themselves and know
what to expect from them.
Beware that any such logging system you enable that logs individual process
information to disk will probably use huge amounts of space, and if you use
a GUI, much of it will be useless messages of GUI apps and widgets opening
and closing.
Of course, none of these measures are useful if the file is encrypted.
regards
FF
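As an added illustration of the first two steps in the reply above (it is example code, not something from the original thread or from the 'file' and 'strings' utilities themselves), here is a minimal Python re-creation of what those tools do: a magic-number lookup against a small hand-picked table, and extraction of printable-ASCII runs from a binary. The MAGIC table and the sample bytes are constructed for the example; the real 'file' database is far larger, so treat this as the same kind of best guess.

```python
from typing import Dict, List, Tuple

# Constructed subset of magic numbers: (prefix bytes, MIME type, description).
# The real 'file' utility ships a much larger database than this.
MAGIC: List[Tuple[bytes, str, str]] = [
    (b"\x7fELF", "application/x-executable", "ELF executable"),
    (b"MZ", "application/x-dosexec", "DOS/Windows PE executable"),
    (b"%PDF-", "application/pdf", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "PNG image"),
    (b"PK\x03\x04", "application/zip", "ZIP archive (also docx/jar/apk)"),
    (b"\x1f\x8b", "application/gzip", "gzip compressed data"),
]


def guess_type(data: bytes) -> Tuple[str, str]:
    """Magic-number check in the spirit of 'file --mime-type', with a text fallback."""
    for magic, mime, desc in MAGIC:
        if data.startswith(magic):
            return mime, desc
    # No known magic: call it text only if every byte is printable ASCII or whitespace.
    if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data):
        return "text/plain", "ASCII text"
    return "application/octet-stream", "data"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like 'strings -n <min_len>'."""
    out: List[str] = []
    run = bytearray()
    for b in data + b"\x00":  # trailing NUL sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def triage(data: bytes) -> Dict[str, object]:
    """One-shot summary: what 'file' would say plus what 'strings' would show."""
    mime, desc = guess_type(data)
    return {"mime": mime, "description": desc, "strings": extract_strings(data)}


if __name__ == "__main__":
    # Constructed sample: a fake ELF header followed by two embedded strings.
    sample = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
              + b"/lib64/ld-linux-x86-64.so.2\x00" + b"GCC: (Ubuntu)\x00ab\x00")
    print(triage(sample))
```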