I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Daily Linux Forensics Trivia #31 - Name three places in Linux where scheduled tasks can be configured.
The final "-print" matters here! Because find's default action is "-print", leaving off the final "-print" means that both the "-prune" directories and the dot directories would print out. Specifying "-print" for the dot dirs means the "-prune" dirs won't print. find is weird.
So if it's a user home dir path, we prune our search there. Otherwise print directory names starting with dot.
"find / -type d -name .\*" will get you directory names that begin with dot. But dot directories in user home dirs are not unusual. "\( -path /root -o -path /home/\*/\* \)" matches the normal user profile paths and "-prune" says don't go into those dirs.
Trivia Answer #30 - The correct answer is "find / \( -path /root -o -path /home/\*/\* \) -prune -o -type d -name .\* -print", but this one deserves some deeper explanation.
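The thread above explains the "-print" quirk in words; the following is an added example (not from the original thread) that builds a small constructed directory tree under a temporary root and runs the Trivia Answer #30 expression against it twice, once with the trailing -print and once without, so the difference can be seen on real output. Because the tree lives under a temp root rather than "/", the -path patterns are prefixed with that root; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a constructed directory tree
# in a temporary root and runs the find expression from Trivia Answer #30 against it,
# once with the trailing -print and once without, to show why the -print matters.
set -eu

# Create the constructed tree: dot dirs in two user homes and in /root (should be
# skipped), plus two dot dirs elsewhere (should be reported).
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/root/.ssh" \
             "$root/home/alice/.config" \
             "$root/home/bob/.cache" \
             "$root/var/tmp/.hidden" \
             "$root/usr/lib/.suspicious"
    printf '%s\n' "$root"
}

# The thread's expression with the explicit -print: only dot directories outside
# the user profile paths are printed. Paths are shown relative to ROOT, sorted.
hidden_dirs_outside_homes() {  # hidden_dirs_outside_homes ROOT
    find "$1" \( -path "$1/root" -o -path "$1/home/*/*" \) -prune \
              -o -type d -name '.*' -print \
        | sed "s|^$1||" | LC_ALL=C sort
}

# The same expression with the final -print left off. find then applies its default
# -print to every path for which the whole expression is true, and -prune itself
# evaluates true, so the pruned directories are printed too.
dirs_without_explicit_print() {  # dirs_without_explicit_print ROOT
    find "$1" \( -path "$1/root" -o -path "$1/home/*/*" \) -prune \
              -o -type d -name '.*' \
        | sed "s|^$1||" | LC_ALL=C sort
}

# Demo: show both outputs, then clean up the temp tree.
demo() {
    root=$(make_tree)
    echo "With -print:";    hidden_dirs_outside_homes "$root"
    echo "Without -print:"; dirs_without_explicit_print "$root"
    rm -rf "$root"
}
demo
```

With the explicit -print the output is just /usr/lib/.suspicious and /var/tmp/.hidden; without it, /root, /home/alice/.config and /home/bob/.cache appear as well, even though find never descended into them.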
Hal Pomeranz retweeted
Here, take this Googling guide, it's dangerous out there!
Daily Linux Forensics Trivia #30 - Write a "find" expression to locate directories whose names begin with a dot (".") and which are not located in a user's home directory.
Some folks suggested looking at /etc/issue or /etc/motd. While these files often contain the distro/version info, they are also just as likely to have been edited and contain a site-specific message without the OS information.
Other distros may also have another /etc/*-release file, like /etc/lsb-release on Debian/Ubuntu or /etc/redhat-release on RHEL/Fedora/CentOS.
Trivia Answer #29 - Shout out to @Grabbi_it for chiming in with the answer. Mount your evidence and look at /etc/os-release, which should be there regardless of which distro you have been given.
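As an added example (not from the original thread), here is a shell routine that applies Trivia Answer #29 to a mounted evidence image: it reads /etc/os-release and falls back to the distro-specific release files named above. Two details matter for evidence handling: the file is parsed with sed rather than sourced, since os-release is shell syntax and nothing from an image should be executed on the analysis host, and a symlinked /etc/os-release with an absolute target is resolved inside the mount point rather than against the host's own filesystem. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Identifies the distro of a mounted
# evidence image from /etc/os-release with fallbacks to lsb-release/redhat-release.
# The files are parsed, never sourced; symlinks are resolved inside the image.
set -eu

# Print the value of KEY from an os-release style KEY=VALUE file, with surrounding
# double or single quotes removed. Prints nothing if the key is absent.
osrel_get() {  # osrel_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 \
        | sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'$//"
}

# Resolve FILE within MOUNTPOINT (one symlink hop): an absolute link target such as
# /usr/lib/os-release refers to the image, not to the analysis host.
in_image() {  # in_image MOUNTPOINT FILE
    f=$2
    if [ -L "$f" ]; then
        t=$(readlink "$f")
        case $t in
            /*) f="$1$t" ;;
            *)  f="$(dirname "$f")/$t" ;;
        esac
    fi
    printf '%s\n' "$f"
}

# Print "ID VERSION_ID" for the system mounted at MOUNTPOINT, a one-line fallback
# description from a legacy release file, or "unknown".
identify_distro() {  # identify_distro MOUNTPOINT
    mnt=$1
    for cand in "$mnt/etc/os-release" "$mnt/usr/lib/os-release"; do
        f=$(in_image "$mnt" "$cand")
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(osrel_get "$f" ID)" "$(osrel_get "$f" VERSION_ID)"
            return 0
        fi
    done
    if [ -f "$mnt/etc/lsb-release" ]; then
        printf '%s %s\n' "$(osrel_get "$mnt/etc/lsb-release" DISTRIB_ID)" \
                         "$(osrel_get "$mnt/etc/lsb-release" DISTRIB_RELEASE)"
        return 0
    fi
    if [ -f "$mnt/etc/redhat-release" ]; then
        head -n 1 "$mnt/etc/redhat-release"
        return 0
    fi
    echo unknown
}

# Constructed mount point: os-release lives in /usr/lib with an absolute symlink
# from /etc, the case where naive -f checks would read the host's file instead.
make_evidence() {
    mnt=$(mktemp -d)
    mkdir -p "$mnt/etc" "$mnt/usr/lib"
    cat > "$mnt/usr/lib/os-release" <<'EOF'
NAME="Ubuntu"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 22.04.3 LTS"
VERSION_ID="22.04"
EOF
    ln -s /usr/lib/os-release "$mnt/etc/os-release"
    printf '%s\n' "$mnt"
}

# Constructed mount point with only a legacy /etc/redhat-release.
make_legacy_evidence() {
    mnt=$(mktemp -d)
    mkdir -p "$mnt/etc"
    echo 'Example Linux release 7.9 (Constructed)' > "$mnt/etc/redhat-release"
    printf '%s\n' "$mnt"
}

# Demo: identify both constructed images, then clean up.
demo() {
    e=$(make_evidence); l=$(make_legacy_evidence)
    echo "os-release image:     $(identify_distro "$e")"
    echo "redhat-release image: $(identify_distro "$l")"
    rm -rf "$e" "$l"
}
demo
```

Point identify_distro at the real mount point (for example /mnt/evidence) to use it on a case; the single-hop symlink handling covers the common /etc/os-release link into /usr/lib.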
And while you're there take a look at their security monitoring solution for Linux-- so much more than a typical XDR solution.
Check out this fun little tool from my friends @SpyderbatInc -- a historical process and performance monitoring tool for Linux spyderbat.com/all-posts/moni…
“Our new medicine costs thousands per month, but your insurance covers it! Oh you say it’s not covered? Here’s a coupon so you can get it for $25/mo!” — Why do we keep letting this scam play out?
These implement a really cool technique for parsing data structures from C headers. This is the type of stuff I love to see and study! Great stuff @foxit #DFIR
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: docs.dissect.tools / code: github.com/fox-it/dissect
Daily Linux Forensics Trivia #29 - You are given a disk image of a Linux system. How do you determine which distro and version it is?
Trivia Answer #28 - False. XFS allocates inodes on demand, and the inode number is assigned based on the inode’s position on the disk.
Welp… my husband got laid off from his job today 😞 This may be a long-shot, but if any of you work in tech and know of an open position that fits his skillset, shoot me a DM. (If you don’t, but would like to buy him a beer—he’s had a rough day: paypal.me/jprice 💖)
The #DFIR community needs funding and resources put towards libsleuthkit. And everybody needs to share their "private" forks where they have fixed bugs and added new file systems support. Hackathon anybody?
Just wanted to mention that my Linux Forensics training is happening next week. There is still time to sign up, and class size will be small. Hope to see you there!
Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #28 - True or False: XFS inode numbers are assigned sequentially.