You could use something like:

    ls | od -c

to produce a list of names in octal dump format:

    $ touch asdf^Hasdf
    $ ls -la
    total 32
    drwxr-xr-x   2 sybase   staff        183 Aug 14 16:30 .
    drwxrwxrwt   8 sys      sys         1055 Aug 14 16:30 ..
    -rw-r--r--   1 sybase   staff          0 Aug 14 16:30 asdasdf
    $ ls | od -c
    0000000   a   s   d   f  \b   a   s   d   f  \n
    0000012
    $

(The "-c" parameter to od produces non-graphic characters as either
C-language style escapes or three digit octal numbers.)

...brig

At 03:11 PM 8/14/01 -0500, you wrote:
>NOTE: This may not be the best or most appropriate list, but I've been
>having an issue in a test/learning environment and I'm trying to clear it.
>
>BACKGROUND: As many of the *NIX gurus probably know, with a default install
>of Solaris on a telnet session from a Windows workstation, Backspace does
>not delete the previous character but rather displays the control character
>^H. Well, when messing about on a fresh install I was copying a file and
>not paying attention and typed:
>    cp filename newd^Hfilename (I meant to delete the 'd' as a mistype)
>I wasn't really paying attention and noticed when I did a ls of the
>directory it listed the file as 'newfilename'. However if I tried to
>delete, rename, or do anything with 'newfilename', the OS would report file
>not found. However, I could refer to it as 'newd^Hfilename'.
>
>QUESTION: My question from a forensics standpoint is, if someone got onto a
>system and placed a file using that naming scheme, how could you determine
>its ACTUAL name? As a relative novice, all the tools I know of seem to
>interpret the filename and display in the edited form. If I had to access
>or read a file to determine what they were doing, and they had named it
>'x^Hsecret', how would I know or be able to access it since it would always
>show up as 'secret'?
>
>Any help is greatly appreciated. Thanks!
>-K
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

--
Brig C. McCoy           | <http://world.std.com/~brigc>
106 E 28th Terrace, #12 | 816 392-4536
Kansas City, MO 64108   | <BRIGCat_private>
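The following is an added example, not part of the original message: a POSIX shell sketch that builds on the `ls | od -c` approach to list only the directory entries whose names hide bytes such as ^H, printing each one with unambiguous octal escapes. The function names `escape_name` and `list_odd_names` are hypothetical, and it assumes an `od` that accepts `-An -v -t o1`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# escape_name NAME
# Print NAME with every byte outside printable ASCII (and backslash itself,
# so the output is unambiguous) written as a three-digit \ooo octal escape.
escape_name() (
    out=
    # od emits one three-digit octal number per byte of the name.
    for o in $(printf '%s' "$1" | LC_ALL=C od -An -v -t o1); do
        # Octal 040..176 is printable ASCII; 134 is the backslash.
        # Three-digit octal strings sort the same when read as decimal.
        if [ "$o" -ge 40 ] && [ "$o" -le 176 ] && [ "$o" != 134 ]; then
            out="$out$(printf '%b' "\\0$o")"
        else
            out="$out\\$o"
        fi
    done
    printf '%s\n' "$out"
)

# list_odd_names [DIR]
# Print the escaped form of each entry in DIR (dotfiles included) whose
# name changes when escaped, i.e. contains control characters, bytes with
# the high bit set, or a backslash. Ordinary names are not printed.
list_odd_names() (
    dir=${1:-.}
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Skip glob patterns that matched nothing.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        esc=$(escape_name "$name")
        [ "$esc" = "$name" ] || printf '%s\n' "$esc"
    done
)

# Usage: list_odd_names /path/to/suspect/directory
```

A name reported as `x\010secret` can be handed back to other tools by letting printf rebuild the raw bytes, for example `ls -l -- "$(printf 'x\010secret')"`.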
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 09:39:08 PDT