select * from file where path in ('/dev/.lib', '/dev/.lib/1iOn.sh', '/bin/mjy', '/bin/in.telnetd', '/usr/info/torn');

select * from listening_ports;

select * from file where path in ('/tmp/xp', '/tmp/kidd0.c', '/tmp/kidd0');

select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;

select key, subkey, value from plist where path = '/Library/Preferences/com.apple.loginwindow.plist';

select key, subkey, value from plist where path = '/Library/Preferences/loginwindow.plist';

select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/com.apple.loginwindow.plist';

select username, key, subkey, value from plist p, (select * from users where directory like '/Users/%') u where p.path = u.directory || '/Library/Preferences/loginwindow.plist';

select * from file where path in ('/dev/ida/.inet');

SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\windows\system32\lsass.exe' AND path!='';