I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Some people use the creation dates on the host SSH keys (/etc/ssh/ssh_host_*). These are generally a good indicator for when the system was first booted, since they are usually generated automatically at first boot.
Note that on some Linux distros there is an installation log that you can find under /var/log or /root. That will give you a much more exact timeline, if present.
I'm going to give @stoney27 credit on this one-- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.
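The replies above name three different artifacts for estimating the install date (the ctime of "/" or "/lost+found", the timestamps on the host SSH keys, and distribution installer logs under /var/log or /root). The script below is an added example, not code from Hal Pomeranz's posts: it collects every one of those artifacts that is present under a root path (a live "/" or the mount point of a forensic image) and ranks them. The installer log paths are real distribution defaults, but the sample tree it builds in a temp directory is constructed purely so it runs offline.

```python
import glob
import os
import tempfile
import time

# Installer logs that common distributions leave behind (real paths; which one
# exists, if any, depends on the distribution, so each is only a candidate).
INSTALL_LOGS = (
    "var/log/installer",     # Debian / Ubuntu installer
    "var/log/anaconda",      # Fedora / RHEL family installer
    "root/anaconda-ks.cfg",  # kickstart file saved by anaconda
)


def install_date_candidates(root="/"):
    """Return {artifact: epoch_seconds} for every install-date artifact under root.

    root is "/" on a live system or the mount point of a forensic image."""
    found = {}
    # Linux stat() exposes no creation time, so ctime (inode change time) is the
    # usual proxy; for "/" and /lost+found it normally dates from mkfs at install.
    found["root_dir_ctime"] = os.stat(root).st_ctime
    lost_found = os.path.join(root, "lost+found")
    if os.path.isdir(lost_found):
        found["lost+found_ctime"] = os.stat(lost_found).st_ctime
    # Host keys are generated at first boot; the oldest one bounds that event.
    keys = glob.glob(os.path.join(root, "etc", "ssh", "ssh_host_*_key"))
    if keys:
        found["ssh_host_key_mtime"] = min(os.stat(k).st_mtime for k in keys)
    for rel in INSTALL_LOGS:
        path = os.path.join(root, rel)
        if os.path.exists(path):
            found["install_log:" + rel] = os.stat(path).st_mtime
    return found


def best_estimate(candidates):
    """Pick the most specific artifact: installer log, then SSH keys, then ctimes."""
    for name in sorted(candidates):
        if name.startswith("install_log:"):
            return name, candidates[name]
    for name in ("ssh_host_key_mtime", "lost+found_ctime", "root_dir_ctime"):
        if name in candidates:
            return name, candidates[name]
    return None


def make_sample_root():
    """Constructed stand-in for a mounted image: a temp tree with the artifacts above."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lost+found"))
    os.makedirs(os.path.join(root, "etc", "ssh"))
    key = os.path.join(root, "etc", "ssh", "ssh_host_ed25519_key")
    open(key, "w").close()
    os.utime(key, (1600000000, 1600000000))  # pretend first boot: 2020-09-13 UTC
    return root


if __name__ == "__main__":
    cands = install_date_candidates(make_sample_root())
    for name, ts in sorted(cands.items()):
        print(f"{name:22s} {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))}")
    print("best estimate:", best_estimate(cands))
```

The ranking reflects the thread: an installer log gives a real timeline, SSH host keys date the first boot, and the root directory ctime is the fallback. Keep in mind that the ctime of "/" moves whenever a top-level entry is added or removed, so when the candidates disagree, the older, more specific artifact is usually the one to trust.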
Hal Pomeranz retweeted
Daily Linux Forensics Trivia #6 - How can you determine when a Linux system was installed?
Trivia Answer #5 - It means “Every five minutes execute the script /tmp/.ICEd-unix/.src.sh”. You’ll often see entries like this used for persistence after a successful exploitation event.
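To make the "every five minutes" reading mechanical, and to show what a reviewer would flag about the command half of that entry, here is an added example (not from the trivia post) that turns a five-field crontab line into words and marks the traits that make a scheduled job worth reading first during a forensic review. The two sample entries, including the one from the question, are constructed input.

```python
import re

FIELDS = ("minute", "hour", "day of month", "month", "day of week")


def _ordinal(n):
    suffix = "th" if 10 <= n % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def describe_field(name, spec):
    """Render one schedule field in words: *, */n, a-b ranges and a,b lists."""
    if spec == "*":
        return f"every {name}"
    step = re.fullmatch(r"\*/(\d+)", spec)
    if step:
        return f"every {_ordinal(int(step.group(1)))} {name}"
    if re.fullmatch(r"\d+-\d+", spec):
        lo, hi = spec.split("-")
        return f"{name} {lo} through {hi}"
    return f"{name} in {{{spec}}}"


def parse_crontab_line(line):
    """Split a user crontab entry into its five schedule fields and the command."""
    parts = line.strip().split(None, 5)
    if len(parts) < 6 or line.lstrip().startswith("#"):
        raise ValueError("not a five-field crontab entry")
    return dict(zip(FIELDS, parts[:5])), parts[5]


# Traits that earn a scheduled command a closer look during a forensic review
# (a legitimate job can still match; these only prioritise what to read first).
SUSPICIOUS = (
    (re.compile(r"^/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp directory"),
    (re.compile(r"/\.[^/]+"), "path contains a hidden (dot) component"),
)


def review_entry(line):
    """Return the schedule in words, the command, and any suspicious traits."""
    schedule, command = parse_crontab_line(line)
    words = ", ".join(describe_field(n, schedule[n]) for n in FIELDS)
    flags = [why for rx, why in SUSPICIOUS if rx.search(command)]
    return {"schedule": words, "command": command, "flags": flags}


if __name__ == "__main__":
    # Constructed sample crontab: the entry from the trivia question plus a benign one.
    for entry in ("*/5 * * * * /tmp/.ICEd-unix/.src.sh", "0 3 * * 0 /usr/bin/updatedb"):
        r = review_entry(entry)
        print(r["command"], "->", r["schedule"], "|", "; ".join(r["flags"]) or "no flags")
```

Both flags fire on the question's entry: the script lives in /tmp and hides in a dot-directory, which is why the answer calls out entries of this shape as a persistence tell.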
Honorable mention for @_malwarez for mentioning utmpdump man7.org/linux/man-pages/man…
Daily Linux Forensics Trivia #5 - What is the meaning of this crontab entry: "*/5 * * * * /tmp/.ICEd-unix/.src.sh"? [and don't forget I'll be teaching Linux Forensics live in-person and streamed @WWHackinFest Deadwood wildwesthackinfest.com/deadw…]
Trivia Answer #4 - Congrats to @obnoxious4n6 for being first with the correct answer. The "last" command displays the contents of /var/log/wtmp. Use the "-f" option to specify an alternate wtmp file, for example from a mounted forensic image.
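The answer says "last" displays /var/log/wtmp and that "-f" points it at a file from a mounted image. This added example (not from the post) shows what "last" is actually reading: wtmp is a flat array of fixed-size utmp records, decoded here with the glibc x86_64 layout and paired into login/logout sessions. The three records it parses are constructed in the script itself so it runs offline; point parse_wtmp at the bytes of a real wtmp file to use it on an image.

```python
import struct
import time

# glibc's struct utmp on x86_64 Linux: 384 bytes, little-endian; wtmp is an
# append-only array of these records (field order as in <utmp.h>).
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield one dict per record in raw wtmp bytes (e.g. read from a mounted image)."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1],
            "line": _cstr(f[2]),
            "id": _cstr(f[3]),
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "time": f[9] + f[10] / 1e6,   # ut_tv.tv_sec + ut_tv.tv_usec
        }


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same line,
    roughly what last(1) does; sessions with no logout get logout=None."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"]))
    out.extend((l["user"], l["line"], l["host"], l["time"], None) for l in open_by_line.values())
    return out


def make_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Pack one constructed record in the same layout (used only to build sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, one SSH login from a documentation-range IP,
# and its logout an hour later.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "5.15.0-generic", 1600000000),
    make_record(7, 4242, "pts/0", "ts/0", "alice", "203.0.113.5", 1600003600),
    make_record(8, 4242, "pts/0", "ts/0", "", "", 1600007200),
])


if __name__ == "__main__":
    for user, line, host, t_in, t_out in sessions(parse_wtmp(SAMPLE_WTMP)):
        end = "still logged in" if t_out is None else time.strftime("%H:%M", time.gmtime(t_out))
        print(f"{user:8s} {line:8s} {host:16s} {time.strftime('%c', time.gmtime(t_in))} - {end}")
```

The record size and field widths are the x86_64 glibc ones; a wtmp taken from a 32-bit or differently-built system has another layout, which is one reason to run "last -f" on a matching platform rather than trusting a hand-rolled decoder. Since wtmp is a plain file, a record that is missing or zeroed is itself a finding.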
Like this one: "An SSH Server that Launches Containers in Kubernetes and Docker" github.com/ContainerSSH/Cont…
Daily Linux Forensics Trivia #4 -- If you want to display the contents of /var/log/wtmp as text, what command do you use?
Trivia Answer #3 -- False. mlocate.db does contain directory timestamps. This timestamp is the larger of the directory's mtime or ctime at the time the database is created. There are no timestamps on the individual file entries.
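To see the structure behind that answer, here is an added example (not code from the post or from the mlocate project) that writes and reads the mlocate.db layout described in mlocate.db(5): one timestamp per directory record, max(mtime, ctime), and only a type byte and a name for each file entry. It builds a small constructed tree in a temp directory so it runs offline; parse_mlocate_db works the same on a real /var/lib/mlocate/mlocate.db copied from an image.

```python
import os
import struct
import tempfile

MAGIC = b"\0mlocate"


def dir_timestamp_ns(path):
    """updatedb records a directory as the later of its mtime and ctime."""
    st = os.stat(path)
    return max(st.st_mtime_ns, st.st_ctime_ns)


def build_mlocate_db(root):
    """Encode a directory tree in the mlocate.db(5) layout (the subset updatedb writes)."""
    root = os.path.abspath(root)
    # Configuration block: NUL-terminated name, NUL-terminated values, empty NUL.
    config = b"prune_bind_mounts\x00" + b"1\x00" + b"\x00"
    out = bytearray(MAGIC)
    out += struct.pack(">IBBxx", len(config), 0, 0)  # config size, version 0, visibility flag
    out += root.encode() + b"\x00" + config
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        ts_ns = dir_timestamp_ns(dirpath)
        out += struct.pack(">qIxxxx", ts_ns // 10**9, ts_ns % 10**9)  # seconds, nanoseconds, pad
        out += dirpath.encode() + b"\x00"
        entries = sorted([(n, 1) for n in dirnames] + [(n, 0) for n in filenames])
        for name, kind in entries:                 # 0 = file, 1 = subdirectory
            out += bytes([kind]) + name.encode() + b"\x00"   # no timestamp per entry
        out += b"\x02"                             # 2 = end of this directory
    return bytes(out)


def parse_mlocate_db(data):
    """Decode mlocate.db bytes into (root, [(dir_path, timestamp, [(name, is_dir)])])."""
    if data[:8] != MAGIC:
        raise ValueError("not an mlocate.db file")
    conf_len, version, _visibility = struct.unpack_from(">IBB", data, 8)
    if version != 0:
        raise ValueError(f"unsupported format version {version}")
    pos = 16
    end = data.index(b"\x00", pos)
    root = data[pos:end].decode()
    pos = end + 1 + conf_len          # skip the configuration block
    dirs = []
    while pos < len(data):
        secs, nanos = struct.unpack_from(">qI", data, pos)
        pos += 16
        end = data.index(b"\x00", pos)
        path = data[pos:end].decode()
        pos = end + 1
        entries = []
        while data[pos] != 2:
            kind = data[pos]
            end = data.index(b"\x00", pos + 1)
            entries.append((data[pos + 1:end].decode(), kind == 1))
            pos = end + 1
        pos += 1                      # consume the end-of-directory byte
        dirs.append((path, secs + nanos / 1e9, entries))
    return root, dirs


def make_sample_tree():
    """Constructed tree in a temp dir so the example runs offline."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("a.txt", os.path.join("sub", "b.txt")):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    _, dirs = parse_mlocate_db(build_mlocate_db(make_sample_tree()))
    for path, ts, entries in dirs:
        print(path, "directory timestamp:", ts)
        for name, is_dir in entries:
            print("   ", "dir " if is_dir else "file", name, "(no timestamp)")
```

Forensically, a directory timestamp in the database tells you the directory had been changed no later than the last updatedb run, and the presence of a file name tells you it existed at that point, but nothing in the database dates the file itself.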
“Don’t speak ill of the dead“ means that you don’t stand in the funeral parlor and rehash Auntie Beverly‘s two painful divorces in front of her kids. It doesn’t mean that you don’t hold the powerful to account for what they did — and their failures — which impacted millions.
Hal Pomeranz retweeted
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭 Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing... 🧵
Yay! New iPhone 14s are announced. Now I can pick up an iPhone 13 at a reduced price. #NotBuyingTheHype
Daily Linux Forensics Trivia #3 - True or False: the mlocate.db file contains timestamps for all listed files.
Trivia Answer #2 -- "export HISTFILESIZE=0" immediately truncates $HOME/.bash_history to zero bytes
Seems like there is a lot of darkness in the world right now. Hold fast to your truth. Let your light shine.