Operating System - Linux
1748119 Members
3385 Online
108758 Solutions
New Discussion юеВ

Re: Was file created by "dd" command?

 
SOLVED
Go to solution
Gilbert Standen_1
Frequent Advisor

Was file created by "dd" command?

Is there a command that will tell you if a given file was created by dd ? Something like:

command filename

output shows if the file was originally created using:

dd if=/dev/zero of=filename bs=1k count=4100000

Thanks!
If I could take one thing with me into the next world it would be my valid login to HP ITRC Forums
10 REPLIES 10
Steven E. Protter
Exalted Contributor

Re: Was file created by "dd" command?

Shalom

a file named filename in whatever directory you were in when you ran the command

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Gilbert Standen_1
Frequent Advisor

Re: Was file created by "dd" command?

Shalom thanks I'm talking about after the fact. You're walking down the street and you bump into a file that someone left there and you are wondering how they created it - did the use dd? did they use vi? did they copy the file from another file? what i'm wondering is is there some tag in the file or anywhere else in linux that allows you to determine the historical geneaology of the file you just bumped into?
If I could take one thing with me into the next world it would be my valid login to HP ITRC Forums
Ivan Ferreira
Honored Contributor

Re: Was file created by "dd" command?

There is no tool to know the exact original command used to create a file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
James R. Ferguson
Acclaimed Contributor

Re: Was file created by "dd" command?

Hi:

For that matter, how would you distinguish this(?):

# touch myfile
# cat /dev/null > myfile

...in each the the resulting file is empty.

This empty file comes about by truncation too:

# cp /etc/hosts myfile && > myfile

If you command, you are creating a "sparse" file. You can't distinguish these cases either:

# dd if=/dev/zero of=file1 bs=1k count=100

# perl -e 'open(FH,">","file2") or die;seek(FH,(1024*99+1023),1);print FH "\000";close FH'

Regards!

...JRF...
Dennis Handly
Acclaimed Contributor
Solution

Re: Was file created by "dd" command?

The only tool I know of that does this is Clearcase's clearmake or clearaudit. The configuration record contains the commands used to create any derived object. You do have to be in a view for this to be done.
Gilbert Standen_1
Frequent Advisor

Re: Was file created by "dd" command?

Hey Dennis thanks so much for this really very helpful bit of information. I am looking into this product now. Sorry I was a bit tardy in assigning points to your post. Thanks ever so much.

Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?
If I could take one thing with me into the next world it would be my valid login to HP ITRC Forums
James R. Ferguson
Acclaimed Contributor

Re: Was file created by "dd" command?

Hi:

> Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?

More than that, knowing that there has been a _change_ when none was anticipated is an "alarm" to be investigated. You might want to look at 'tripwire':

http://www.tripwire.com/products/servers/features.cfm

Regards!

...JRF...
Ivan Ferreira
Honored Contributor

Re: Was file created by "dd" command?

You could also use two tools that are normally distributed by defualt with Linux. AIDE (similar to tripwire) and audit.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Dennis Handly
Acclaimed Contributor

Re: Was file created by "dd" command?

>I am looking into this product now.

Clearcase is a revision history management system. It isn't really for security.

>Can knowing where/how a file was created help to detect intrusions? malicious "planted" code, etc?

Clearcase works by users wanting to track their changes, and won't work for malicious users, unless you want to protect read only files.