Find & Locate
Hunt for hidden files. Locate planted evidence. Find backdoors.
CLASSIFIED SCENARIO
Intelligence suggests a mole has planted trojans and hidden classified documents in obscure directories. Your mission: systematically search the compromised system, locate all hidden files starting with dots, find SUID binaries that could be backdoors, and track down the planted evidence before the mole can extract it.
The Art of File Hunting
Adversaries hide their tools and stolen data in unexpected places. System administrators hide configs in dot-files. Malware hides in /tmp, /var/tmp, or deep in /usr. As a specialist, you need to find anything, anywhere.
Linux provides multiple search tools, each with different strengths. Knowing when to use which tool separates amateurs from operators.
What Attackers Hide
- Dot-files - .backdoor, .secret, .cache (hidden by default)
- SUID binaries - Privilege escalation backdoors
- Temp directories - /tmp, /var/tmp, /dev/shm
- World-writable dirs - Drop zones for exfiltration
- Recently modified files - Signs of active compromise
Core Search Commands
find - The Power Tool
Real-time recursive search with complex filters. Slower but always current. The most powerful search tool.
locate - Speed Search
Searches pre-built database. Lightning fast but may be stale. Run updatedb to refresh.
which - Binary Location
Finds executable in PATH. Shows which binary runs when you type a command.
whereis - Binary + Docs
Finds binary, source, and man page locations. Broader than which.
type - Command Type
Shows if command is alias, builtin, function, or file. Reveals hidden aliases.
find Command Deep Dive
The find command is your primary hunting tool. Master these patterns:
Basic Syntax
$ find [path] [conditions] [actions]
# Examples:
$ find /home -name "*.txt" # Find by name
$ find /tmp -type f -mtime -1 # Files modified in the last 24 hours
$ find / -perm -4000 2>/dev/null # SUID binaries
Hunting Hidden Files
$ find /home -name ".*" -type f
/home/user/.bashrc
/home/user/.profile
/home/user/.secret_keys <-- SUSPICIOUS!
/home/user/.backdoor.sh <-- TROJAN!
[INTEL] Dot-files are hidden by default. Always check for unexpected ones.
Finding SUID Backdoors
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/tmp/.hidden/rootkit <-- BACKDOOR in /tmp!
/var/tmp/privesc <-- Privilege escalation tool!
[INTEL] -perm -4000 matches files with the SUID bit set. Legit ones live in /usr; suspicious ones hide elsewhere.
Finding Recent Activity
$ find / -mtime -1 -type f 2>/dev/null | head -20
# Files modified in last 24 hours
$ find / -mmin -60 -type f 2>/dev/null
# Files modified in last 60 minutes
$ find /home -newer /tmp/marker -type f
# Files newer than marker file
locate vs find
| Feature | find | locate |
|---|---|---|
| Speed | Slow (real-time search) | Fast (database lookup) |
| Accuracy | Always current | May be stale |
| Filters | Complex (size, time, perms) | Basic (name only) |
| New files | Finds immediately | Needs updatedb |
| Use case | Forensics, hunting | Quick lookups |
Quick Reference
| Command | Purpose | Example |
|---|---|---|
| find / -name "file" | Search by name | find / -name "*.conf" |
| find -type f/d | Files or directories | find /tmp -type d |
| find -perm -4000 | SUID binaries | find / -perm -4000 |
| find -mtime -N | Modified in the last N days | find / -mtime -1 |
| find -size +100M | Files larger than a given size | find /data -size +1G |
| locate filename | Fast database search | locate passwd |
| which command | Binary in PATH | which python |
| whereis command | Binary + man + source | whereis bash |
| type command | Command type | type ls |
Operational Patterns
# === BACKDOOR HUNTING ===
$ find / -perm -4000 -o -perm -2000 2>/dev/null
# SUID and SGID binaries
$ find /tmp /var/tmp /dev/shm -type f 2>/dev/null
# Files in temp directories (common malware staging)
$ find / -name ".*" -type f -not -path "/home/*" 2>/dev/null
# Hidden files outside home directories
# === EVIDENCE RECOVERY ===
$ find / -name "*.pdf" -o -name "*.doc*" 2>/dev/null
# Document files
$ find /home -type f -size +100M 2>/dev/null
# Large files (possible data staging)
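As an added example (not part of the original page), the backdoor-hunting patterns above combined into one small POSIX sh triage script: it runs the three searches against a given root and reports only hits outside the places where such files are expected. The root is assumed to be either / or a mounted evidence copy such as /mnt/evidence (a hypothetical path); the function names are our own.

```shell
#!/bin/sh
# Added example, not from the original page: a triage sweep built from the
# page's find patterns. ROOT is assumed to be "/" or a mounted evidence
# copy such as /mnt/evidence (hypothetical path).

# Normalise ROOT so the path filters work for both "/" and "/mnt/evidence".
root_of() { r="${1:-/}"; printf '%s' "${r%/}"; }

# SUID/SGID files outside the directories where legitimate ones live.
suid_outside_system_dirs() {
    root=$(root_of "$1")
    find "${root:-/}" -type f \( -perm -4000 -o -perm -2000 \) \
        -not -path "$root/usr/*" -not -path "$root/bin/*" \
        -not -path "$root/sbin/*" 2>/dev/null
}

# Dot-files outside home directories, where they are normally expected.
hidden_outside_home() {
    root=$(root_of "$1")
    find "${root:-/}" -type f -name ".*" -not -path "$root/home/*" 2>/dev/null
}

# Files touched in the last N minutes (default 60) in the usual staging areas.
recent_in_temp() {
    root=$(root_of "$1"); mins="${2:-60}"
    for d in "$root/tmp" "$root/var/tmp" "$root/dev/shm"; do
        [ -d "$d" ] && find "$d" -type f -mmin "-$mins" 2>/dev/null
    done
    return 0
}

# Run all three checks with a heading each; exit status 1 if anything was found.
sweep() {
    total=0
    for check in suid_outside_system_dirs hidden_outside_home recent_in_temp; do
        hits=$("$check" "$1")
        n=$(printf '%s' "$hits" | grep -c . || true)
        printf '== %s (%s hit(s)) ==\n%s\n' "$check" "$n" "$hits"
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}
```

Run it as `sweep /mnt/evidence`; the non-zero exit status lets it sit in a larger triage script as a gate.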
Ready to Hunt?
Test your search skills, then track down the planted evidence.