"cat -e" shows control characters. Personally, I would use "ls | cat -etv" That'd show the control characters (-e), trailing whitespace (-v), and tabs represented as ^I (-t). Check the manpage in case my explanation may not be exactly accurate. Hope this helps. Now, that just shows what the filename (in this instance) is. To rename it, I'd use a shell that has command line editing (like bash or ksh). Then I'd make sure my preferred editor was selected. Then type the command I want (preceeding every control character with a control-V). For any embedded spaces, I'd just preceed each one with a backslash. $ ksh $ set -o vi $ mv newd^V^Hfilename newfilename $ exit # return to your original shell ----- Forwarded by Tom Picray/IS/US/BAYER on 08/14/2001 09:38 PM ----- "Skinner, Kit" <KSkinnerat_private> 08/14/2001 04:11 PM To: Forensics <forensicsat_private> cc: Subject: UNIX Files NOTE: This may not be the best or most appropriate list, but I've been having an issue in a test/learning environment and I'm trying to clear it. BACKGROUND: As many of the *NIX gurus probably know, with a default install of Solaris on a telnet session from a Windows workstation, Backspace does not delete the previous character but rather displays the control character ^H. Well, when messing about on a fresh install I was copying a file and not paying attention and typed: cp filename newd^Hfilename (I ment to delete the 'd' as a mistype) I wasn't really paying attention and noticed when I did a ls of the directory it listed the file as 'newfilename'. However if I tried to delete, rename, or do anything with 'newfilename', the OS would report file not found. However, I could refer to it as 'newd^Hfilename'. QUESTION: My question from a forensics standpoint is, if someone got onto a system and placed a file using that naming scheme, how could you determine its ACTUAL name? As a relative novice, all the tools I know of seem to interpret the filename and display in the edited form. 
If I had to access or read a file to determine what they were doing, and they had named it 'x^Hsecret'. How would I know or be able to access it since it would always show up as 'secret'? Any help is greatly appreciated. Thanks! -K ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
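Added example, not part of the original thread: a Python sketch that reads directory entries as raw bytes and reports any name containing control characters in caret notation (as "cat -v" would), next to an approximation of what a terminal displays once the backspace is applied. The function names and the sample files created in a temporary directory are constructed for illustration.

```python
import os
import tempfile

def caret(name: bytes) -> str:
    """Render raw filename bytes unambiguously, caret style (0x08 -> ^H)."""
    out = []
    for b in name:
        if b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:
            out.append("\\x%02x" % b)   # hex escape chosen here for high bytes
        else:
            out.append(chr(b))
    return "".join(out)

def as_displayed(name: bytes) -> str:
    """Approximate the terminal view: backspace moves left, next char overwrites."""
    cells, cur = [], 0
    for b in name:
        if b == 0x08:
            cur = max(0, cur - 1)
        elif 0x20 <= b < 0x7F:
            cells[cur:cur + 1] = [chr(b)]
            cur += 1
    return "".join(cells)

def suspicious_names(directory: bytes):
    """Yield (inode, actual name, displayed name) for names hiding bytes."""
    with os.scandir(directory) as it:   # bytes path in, bytes names out
        for entry in it:
            raw = entry.name
            hidden = any(b < 0x20 or b == 0x7F for b in raw)
            padded = raw != raw.strip()  # leading or trailing whitespace
            if hidden or padded:
                yield entry.inode(), caret(raw), as_displayed(raw)

def demo():
    """Create constructed sample files and return what the scan reports."""
    samples = (b"newd\x08filename", b"x\x08secret", b"notes.txt", b"trailing ")
    with tempfile.TemporaryDirectory() as tmp:
        base = os.fsencode(tmp)
        for raw in samples:
            open(os.path.join(base, raw), "wb").close()
        return sorted((c, d) for _, c, d in suspicious_names(base))

if __name__ == "__main__":
    for actual, shown in demo():
        print("actual=[%s]  displayed=[%s]" % (actual, shown))
```

The inode number yielded by suspicious_names gives a second handle on the file that does not depend on typing its name.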
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 09:37:06 PDT