mlocate.db

What is this artifact?

https://www.signal-chief.com/wp-content/uploads/2021/01/Kali-Analysis.pdf

mlocate.db contains file and directory metadata. When the utility locate is ran, it looks up the provided parameters in the mlocate database and returns matching entries. The mlocate.db is created and updated by updatedb. Updatedbs' configuration file is located at /etc/update.conf. When updatedb is ran, it will create a mlocate.db file if it doesn't exist or update it with any new information found in the system like new directories and files.

mlocate is similar to the locate utility (from GNU findutils), in that they both build an index of all files, except mlocate only lets the calling user see files that it could access.

Where can it be found?

mlocate is compressed and located at:

/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db (GNU findutils)
/var/lib/locate/locate.db (alternate to mlocate on kali linux)
/var/cache/locate/locatedb
Updatedb
- /etc/update.conf

Find mlocate.db on any system:

locate --statistics

Locate vs Mlocate:

The locate package is the implementation of locate from GNU findutils. The mlocate package is another implementation of the same concept called mlocate.

Difference between locate and mlocateUnix & Linux Stack Exchange

What information does it contain?

File names
File Paths

Investigative Pro-Tips:

Useful in identifying evidence of attacker tools and directories that may have been present.

Assumptions to be careful about:

Just because a tool is not present, does not mean it did not exist. The database is not consistently updated and may not contain the data you're searching for.
When looking on a live system, mlocate will build an index of all files but only lets the calling user see the files that it could access.

Tools How To:

mlocate.db can be extracted and parsed with strings to then be searched with text editor.

#can use .strings instead of txt if oddly formatted.
strings /var/lib/mlocate/mlocate.db > /tmp/mlocate.txt
head -100 /tmp/mlocate.txt | grep \/

#Can manually update updatedb
dbupdate

Misc

mlocate can be downloaded and parsed in order to better utilize a Local File Disclosure.

Taking Local File Disclosure to the Next Level - IonizeIonize

PreviousProcess Accounting (pacct)NextSSH

Last updated 2 years ago

hashtagWhat is this artifact?

hashtagWhere can it be found?

hashtagLocate vs Mlocate:

hashtagWhat information does it contain?

hashtagInvestigative Pro-Tips:

hashtagAssumptions to be careful about:

hashtagTools How To:

hashtagMisc