topic Was file created by "dd" command? in Operating System - Linux

Was file created by "dd" command?

Gilbert Standen_1 — Tue, 02 Jun 2009 15:43:48 GMT

Is there a command that will tell you if a given file was created by dd ? Something like:

command filename

output shows if the file was originally created using:

dd if=/dev/zero of=filename bs=1k count=4100000

Thanks!

Re: Was file created by "dd" command?

Steven E. Protter — Tue, 02 Jun 2009 16:38:57 GMT

Shalom

a file named filename in whatever directory you were in when you ran the command

SEP

Re: Was file created by "dd" command?

Gilbert Standen_1 — Tue, 02 Jun 2009 17:13:03 GMT

Shalom thanks I'm talking about after the fact. You're walking down the street and you bump into a file that someone left there and you are wondering how they created it - did the use dd? did they use vi? did they copy the file from another file? what i'm wondering is is there some tag in the file or anywhere else in linux that allows you to determine the historical geneaology of the file you just bumped into?

Re: Was file created by "dd" command?

Ivan Ferreira — Tue, 02 Jun 2009 18:04:16 GMT

There is no tool to know the exact original command used to create a file.

Re: Was file created by "dd" command?

James R. Ferguson — Tue, 02 Jun 2009 19:15:18 GMT

Hi:

For that matter, how would you distinguish this(?):

# touch myfile
# cat /dev/null > myfile

...in each the the resulting file is empty.

This empty file comes about by truncation too:

# cp /etc/hosts myfile && > myfile

If you command, you are creating a "sparse" file. You can't distinguish these cases either:

# dd if=/dev/zero of=file1 bs=1k count=100

# perl -e 'open(FH,">","file2") or die;seek(FH,(1024*99+1023),1);print FH "\000";close FH'

Regards!

...JRF...

Re: Was file created by "dd" command?

Dennis Handly — Sat, 06 Jun 2009 10:34:48 GMT

The only tool I know of that does this is Clearcase's clearmake or clearaudit. The configuration record contains the commands used to create any derived object. You do have to be in a view for this to be done.

Re: Was file created by "dd" command?

Gilbert Standen_1 — Fri, 19 Jun 2009 01:06:44 GMT

Hey Dennis thanks so much for this really very helpful bit of information. I am looking into this product now. Sorry I was a bit tardy in assigning points to your post. Thanks ever so much.

Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?

Re: Was file created by "dd" command?

James R. Ferguson — Fri, 19 Jun 2009 15:02:10 GMT

Hi:

> Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?

More than that, knowing that there has been a _change_ when none was anticipated is an "alarm" to be investigated. You might want to look at 'tripwire':

http://www.tripwire.com/products/servers/features.cfm

Regards!

...JRF...

Re: Was file created by "dd" command?

Ivan Ferreira — Fri, 19 Jun 2009 15:15:46 GMT

You could also use two tools that are normally distributed by defualt with Linux. AIDE (similar to tripwire) and audit.

Re: Was file created by "dd" command?

Dennis Handly — Sun, 21 Jun 2009 01:39:27 GMT

>I am looking into this product now.

Clearcase is a revision history management system. It isn't really for security.

>Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?

Clearcase works by users wanting to track their changes, and won't work for malicious users, unless you want to protect read only files.

Re: Was file created by "dd" command?

Matt Palmer_2 — Tue, 23 Jun 2009 12:06:29 GMT

Hi,

have you looked to see if any of the components of the "coroners toolkit" provides you with that functionality. A google of Wietse Venema should bring up some results for you.

Hope this helps

regards

Matt