Procfs

Case 1. IP Theft Linux Investigation

Nearly all IP (intellectual property) are recreated by a competitor. Investigate the development machine

Potential data exfiltration.

1. netstat -lpeanut shows that there are two dhcp clients running, one using unusual port and user:

1. ps aux | grep 40500 or ps aux | grep dhclient shows the running processes and sometimes commands used to run them. This suspicious client was run from /tmp folder:

1. ls -la /tmp/ to see the file that was launched. But nothing there. Seems that the file was deleted after being launched: