As an incident responder, if you had to choose a single command to run on *nix systems, which one would it be? My pick would be the "lsof" command.
Here are some of its most useful invocations.
lsof /var/log/messages - lists every process holding this file open, with the process name, its PID, and the user who started it
lsof -c syslogd - lists all files open by processes whose command name begins with syslogd, with path, size, and inode
lsof -u root - lists all processes and open files running under the root user
lsof -an -i - lists all network connections with the owning process, PID, and user; -n skips DNS lookups, so the listing is fast and sends no name-resolution traffic during triage
lsof -an -i -r 2 - the same listing in repeat mode, refreshed every 2 seconds (-r t sets the interval in seconds)
lsof -an -i @10.1.1.1 - shows only the connections to or from a single IP address
lsof -i -a -u root - shows the network connections of one user (-a ANDs the -i and -u selections instead of ORing them)
lsof -i :6106 - shows which process is listening on a given port and who is connected to it
lsof -i -U - -i selects Internet sockets and -U selects UNIX domain sockets; without -a the two selections are ORed, so this lists every socket on the host together with its owning process
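As an added example (not part of the original post), here is a small POSIX shell helper that turns the text `lsof -n -i` prints into a per-process summary of listening ports and established peers, which is usually the first thing a responder wants from that listing. The function name is mine, and the lsof output it parses in the demo is constructed for the example.

```shell
#!/bin/sh
# Hypothetical helper around `lsof -n -i` (not part of lsof itself).
# Reads lsof's default-format output on stdin and prints, per process
# (COMMAND/PID/USER), the ports it listens on, how many ESTABLISHED
# connections it holds, and the distinct remote hosts those go to.
# Real use: lsof -n -i | summarize_connections
summarize_connections() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }          # skip lsof header
        # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
        # For TCP the NAME is local->remote and STATE is e.g. (ESTABLISHED).
        $NF == "(LISTEN)" {
            key = $1 "/" $2 "/" $3; procs[key] = 1
            port = $(NF-1); sub(/.*:/, "", port)     # keep port after last colon
            listen[key] = listen[key] (listen[key] == "" ? "" : ",") port
        }
        $NF == "(ESTABLISHED)" {
            key = $1 "/" $2 "/" $3; procs[key] = 1
            split($(NF-1), ends, "->")
            remote = ends[2]; sub(/:[0-9]+$/, "", remote)   # drop remote port
            count[key]++
            if (!((key, remote) in seen)) {          # de-duplicate peers
                seen[key, remote] = 1
                peers[key] = peers[key] (peers[key] == "" ? "" : ",") remote
            }
        }
        END {
            for (k in procs)
                printf "%s established=%d listen=%s peers=%s\n",
                       k, count[k] + 0, listen[k], peers[k]
        }
    ' | sort
}

# Demo on constructed `lsof -n -i` output (sample data, not a real host).
demo() {
    cat <<'EOF' | summarize_connections
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1012 root    3u  IPv4  20315      0t0  TCP *:22 (LISTEN)
sshd     4410 root    4u  IPv4  31177      0t0  TCP 10.1.1.5:22->10.1.1.1:51234 (ESTABLISHED)
syslogd  1108 root    5u  IPv4  22501      0t0  UDP *:514
app      5121 www     3u  IPv4  33910      0t0  TCP 10.1.1.5:6106 (LISTEN)
app      5121 www     4u  IPv4  33911      0t0  TCP 10.1.1.5:6106->203.0.113.7:40022 (ESTABLISHED)
app      5121 www     5u  IPv4  33912      0t0  TCP 10.1.1.5:6106->203.0.113.7:40023 (ESTABLISHED)
EOF
}

demo
```

The UDP line is ignored because it carries no TCP state; lsof's `-F` option gives a machine-parsable format if the column layout of your version differs.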