mlocate.db
What is this artifact?
https://www.signal-chief.com/wp-content/uploads/2021/01/Kali-Analysis.pdf
mlocate.db contains file and directory metadata. When the utility locate is ran, it looks up the provided parameters in the mlocate database and returns matching entries. The mlocate.db is created and updated by updatedb. Updatedbs' configuration file is located at /etc/update.conf. When updatedb is ran, it will create a mlocate.db file if it doesn't exist or update it with any new information found in the system like new directories and files.
mlocate is similar to the locate utility (from GNU findutils), in that they both build an index of all files, except mlocate only lets the calling user see files that it could access.
Where can it be found?
mlocate is compressed and located at:
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db (GNU findutils)
/var/lib/locate/locate.db (alternate to mlocate on kali linux)
/var/cache/locate/locatedb
Updatedb
/etc/update.conf
Find mlocate.db on any system:
Locate vs Mlocate:
The locate package is the implementation of locate from GNU findutils. The mlocate package is another implementation of the same concept called mlocate.
What information does it contain?
File names
File Paths
Investigative Pro-Tips:
Useful in identifying evidence of attacker tools and directories that may have been present.
Assumptions to be careful about:
Just because a tool is not present, does not mean it did not exist. The database is not consistently updated and may not contain the data you're searching for.
When looking on a live system, mlocate will build an index of all files but only lets the calling user see the files that it could access.
Tools How To:
mlocate.db can be extracted and parsed with strings to then be searched with text editor.
Misc
mlocate can be downloaded and parsed in order to better utilize a Local File Disclosure.
Last updated
