/proc Filesystem (Live Process Data)
Location
/proc/<pid>/ (cmdline, exe, fd/, maps, environ, net/)Description
Virtual filesystem exposing live kernel and process state including command-line arguments, executable path symlink, open file descriptors, memory maps, environment variables, and network connection tables.
Forensic Value
/proc is essential for live triage when a memory dump is not feasible. /proc/<pid>/exe reveals the true binary path even if the process renamed itself. /proc/<pid>/cmdline shows launch arguments. /proc/<pid>/fd/ exposes deleted-but-open files that can still be recovered via cp. /proc/net/tcp provides a live network connection table with owning process inode mapping for identifying C2 connections.
Tools Required
Collection Commands
find
find /proc -maxdepth 2 -name "cmdline" -exec sh -c 'echo "PID: $(dirname {} | xargs basename)"; cat {}; echo' \; > /forensics/output/proc_cmdlines.txtls
ls -la /proc/*/exe 2>/dev/null > /forensics/output/proc_exe_links.txt
cat
cat /proc/net/tcp /proc/net/tcp6 > /forensics/output/proc_net_tcp.txt
lsof
lsof -nP > /forensics/output/lsof_full.txt
Collection Constraints
- •Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- •Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
BitLocker/Encrypted Drives Preventing Forensic Imaging
Full-disk encryption (BitLocker, FileVault, LUKS) prevents mounting or imaging the drive without the recovery key. Without decryption you cannot access the filesystem for artifact collection.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.