I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Hal Pomeranz retweeted
Had some fun with this - exploiting the Process Explorer driver for kernel code execution. Will msft ever add to their own blocklist? 🤔 elastic.co/security-labs/sto…
14
200
9
631
Daily Linux Forensics Trivia #14 - If the default log rotation policy has not been changed, roughly how many days worth of logs should you expect to find on a Linux system?
2
1
On older systems, look under /var/lib/dhc* for similar files.
2
Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.
1
1
3
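The Trivia #13 answer above points at the dhclient lease files under /var/lib/NetworkManager (or /var/lib/dhc* on older systems) and notes that old leases are never cleaned up. The script below is an added example, not part of the original thread: it pulls one summary line per lease block out of a dhclient-format lease file, so an examiner can see every network the interface ever got an address on, in the order the client recorded them. The lease text embedded here is constructed for the example (the addresses, dates and "wlan0" are not from the page), and the evidence path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize dhclient lease files
# recovered from a Linux image. Each "lease { ... }" block is reduced to
#   <interface> <leased address> <DHCP server> <expiry date> <expiry time>
# dhclient appends new leases to the file, so older networks stay visible.

# Print one line per lease block. Reads the files named as arguments, or stdin.
# Usage against mounted evidence (path is an assumption):
#   summarize_leases /mnt/evidence/var/lib/NetworkManager/dhclient-*.lease
summarize_leases() {
    awk '
    /^lease[ \t]*[{]/ { iface = ""; addr = ""; server = ""; expire = "" }
    /^[ \t]*interface[ \t]/ { gsub(/[";]/, "", $2); iface = $2 }
    /^[ \t]*fixed-address[ \t]/ { sub(/;$/, "", $2); addr = $2 }
    /^[ \t]*option dhcp-server-identifier[ \t]/ { sub(/;$/, "", $3); server = $3 }
    # expire line looks like: expire 2 2022/09/20 23:00:00;  ($2 is the weekday)
    /^[ \t]*expire[ \t]/ { sub(/;$/, "", $4); expire = $3 " " $4 }
    /^[}]/ { print iface, addr, server, expire }
    ' "$@"
}

# Constructed sample in dhclient lease syntax: two leases for the same wireless
# interface from two different networks, oldest first, as dhclient writes them.
sample_lease_file() {
    cat <<'EOF'
lease {
  interface "wlan0";
  fixed-address 10.0.0.23;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.1;
  option dhcp-lease-time 43200;
  option dhcp-message-type 5;
  option domain-name-servers 10.0.0.1;
  option dhcp-server-identifier 10.0.0.1;
  renew 0 2022/09/18 03:15:00;
  rebind 0 2022/09/18 07:45:00;
  expire 0 2022/09/18 09:15:00;
}
lease {
  interface "wlan0";
  fixed-address 192.168.1.100;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
  renew 2 2022/09/20 11:00:00;
  rebind 2 2022/09/20 20:00:00;
  expire 2 2022/09/20 23:00:00;
}
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_lease_file | summarize_leases
```

The lease file records the interface, the address handed out and the server that handed it out, but not the SSID; the wireless network itself has to be tied to that DHCP server address through other evidence.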
Hal Pomeranz retweeted
Dropping this in the thread here as @riptari at @TechCrunch did an amazing job explaining this Facebook lawsuit and the latest discovery. This isn’t unexpected as she’s one of the best in the biz at unpacking data and privacy issues. /25 techcrunch.com/2022/09/16/un…
2
21
37
I'm not certain it is widely appreciated that excess US deaths in 2022 nearly exactly match excess deaths in 2021. There is nothing about this pandemic that is "winding down" except for public health response, workplace safety precautions, and funding to keep it from worsening.
Cumulative Excess Deaths in the US, 2021 vs 2022 data.cdc.gov/NCHS/Excess-Dea…
29
1,632
46
3,445
Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?
2
1
4
Substitute the path where you have your evidence mounted for "/etc/localtime" in these examples, e.g. "/mnt/evidence/etc/localtime".
1
Finally, I've seen cases where /etc/localtime is simply a copy of a file from /usr/share/zoneinfo. In this case, "zdump /etc/localtime" will display the current time with the time zone indicated in the output.
1
1
On other Linux distros, /etc/localtime is a symlink to the timezone file under /usr/share/zoneinfo - use "ls -l /etc/localtime" or "readlink /etc/localtime" to view.
1
1
2
Trivia Answer #12 - Shout out to @JPoForenso for a pretty complete solution. It turns out not all Linux distros are the same in this. Some have an /etc/timezone file that contains the time zone name in text format.
1
1
3
Daily Linux Forensics Trivia #12 - Given only a disk image, how do you determine the default timezone of a Linux system?
3
5
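The Trivia #12 thread above gives three places the default time zone can hide in an image: a text /etc/timezone, an /etc/localtime symlink into /usr/share/zoneinfo, or /etc/localtime as a plain copy of a zoneinfo file. The function below is an added example, not code from the thread; it checks the three layouts in that order against a mounted image root. It goes one step beyond the thread for the plain-copy case: before falling back to zdump, it compares the copy byte-for-byte against the image's own /usr/share/zoneinfo tree to recover candidate zone names. The mount point /mnt/evidence is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): determine the default time zone
# of a Linux system from a mounted disk image root.
#   1. /etc/timezone  - text file holding the zone name
#   2. /etc/localtime - symlink into /usr/share/zoneinfo; read the link text
#   3. /etc/localtime - plain copy of a zoneinfo file; match it against the
#                       image's own zoneinfo tree, else fall back to zdump
# Usage (mount path is an assumption):  linux_tz_from_root /mnt/evidence

linux_tz_from_root() {
    root="${1%/}"                       # tolerate a trailing slash on the mount point
    lt="$root/etc/localtime"

    # Layout 1: Debian-style text file with the zone name.
    if [ -s "$root/etc/timezone" ]; then
        tr -d '[:space:]' < "$root/etc/timezone"
        echo
        return 0
    fi

    # Layout 2: symlink. Read the link text rather than following it (readlink -f):
    # an absolute target like /usr/share/zoneinfo/... refers to the suspect's
    # filesystem, not the analysis host's.
    if [ -L "$lt" ]; then
        target=$(readlink "$lt")
        echo "${target##*zoneinfo/}"    # keep the part after the zoneinfo/ directory
        return 0
    fi

    [ -f "$lt" ] || { echo "no time zone artifact under $root" >&2; return 1; }

    # Layout 3: plain copy. The name is gone from /etc, but the image usually still
    # carries /usr/share/zoneinfo, so look for byte-identical files there. Several
    # names can match (zone aliases, posix/ and right/ subtrees); print them all.
    zi="$root/usr/share/zoneinfo"
    if [ -d "$zi" ]; then
        matches=$(find "$zi" -type f -exec cmp -s "$lt" '{}' \; -print)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | while IFS= read -r m; do
                echo "${m#"$zi/"}"
            done
            return 0
        fi
    fi

    # Last resort: zdump prints the abbreviation and offset currently in force.
    zdump "$lt"
}
```

Run it against the evidence mount, never the live analysis host, and remember that the symlink case prints the link text exactly as the suspect's system stored it, so a relative target such as ../usr/share/zoneinfo/Europe/Berlin is reduced to the part after zoneinfo/.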
Trivia Answer #11 - @MalwareJake checked in with the correct answer: “cat /proc/<pid>/exe > /path/to/newfile”. The “cp” command works too. Try to write the recovered file someplace that won’t mess up your evidence.
3
Daily Linux Forensics Trivia #11 - Yesterday's question asked how to spot processes running from deleted executables during live analysis. How would you recover the deleted executable?
2
1
Then @DfirNotes chimed in with the other typical way for doing this, "lsof +L1", which would show all open but unlinked files ("+L1" means "link count < 1", or zero). If you just want running deleted executables, make it "lsof +L1 -a -d txt".
2
Trivia Answer #10 - @jgasmussen got in first with one good answer: "ls -l /proc/*/exe 2>/dev/null | grep deleted" (bonus points for redirecting stderr!)
1
7
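The Trivia #10 and #11 answers above give the one-liners for spotting processes whose executable has been unlinked ("ls -l /proc/*/exe 2>/dev/null | grep deleted", or "lsof +L1 -a -d txt") and for recovering the binary ("cat /proc/<pid>/exe > /path/to/newfile"). The script below is an added example, not code from the thread: it wraps the same two steps in functions so the listing is machine-readable and the recovery records a hash of what was carved out. It needs a Linux procfs, works without lsof, and the output directory is whatever evidence location you pass in (an assumption).

```shell
#!/bin/sh
# Added example (not from the original thread): find processes running from
# deleted executables during live analysis, then recover the binary from the
# still-open inode behind /proc/<pid>/exe.

# Print "<pid> <original path>" for every process whose /proc/<pid>/exe link
# text ends in " (deleted)". Equivalent to the thread's
#   ls -l /proc/*/exe 2>/dev/null | grep deleted   or   lsof +L1 -a -d txt
list_deleted_executables() {
    for exe in /proc/[0-9]*/exe; do
        # Unreadable links (other users' processes, kernel threads) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${exe#/proc/}
                pid=${pid%/exe}
                echo "$pid ${target% (deleted)}"
                ;;
        esac
    done
}

# Copy the executable out of /proc/<pid>/exe into $2 and print its SHA-256.
# Write to an evidence location, not the suspect's filesystem, so the copy does
# not overwrite unallocated space that may still hold the original.
recover_executable() {
    pid=$1
    out=$2
    cat "/proc/$pid/exe" > "$out" || return 1
    sha256sum "$out" | cut -d' ' -f1
}

# Stand-alone usage: list, then recover each hit into the evidence directory
# given as the first argument (example path is an assumption).
if [ -n "$1" ]; then
    list_deleted_executables | while read -r pid path; do
        echo "recovering pid $pid ($path) -> $1/pid-$pid.bin"
        recover_executable "$pid" "$1/pid-$pid.bin"
    done
fi
```

The listing only covers processes the current user may inspect; run it as root on the live system to see everything, and hash the recovered file immediately so the copy can be tied back to the running process later.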
Something I need cis people to understand: Trans people were four times as likely to be violently attacked, three times as likely to go hungry, and twice as likely to live in poverty *and then* all this bullshit started.
7
402
9
1,300
Hal Pomeranz retweeted
Only one more day to get the early bird discount for BSides Augusta! It's always a great con. I was thinking about heading that way, but noticed there are no offensive appsec talks on the schedule. :-(
1
1
Hal Pomeranz retweeted
I’m saying this as a manager. Like, have an open dialogue with your boss and give constructive and courteous feedback to your peers first, but if you are constantly silently saving the day and nobody sees it, they’re probably gonna get promoted and you’re not.
23
92
9
1,003