I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange
Orlando, FL
Joined November 2008
- Tweets 19,311
- Following 237
- Followers 13,672
- Likes 12
Hal Pomeranz retweeted
Had some fun with this - exploiting the Process Explorer driver for kernel code execution. Will msft ever add to their own blocklist? 🤔
elastic.co/security-labs/sto…
14
200
9
631
Daily Linux Forensics Trivia #14 - If the default log rotation policy has not been changed, roughly how many days worth of logs should you expect to find on a Linux system?
2
1
Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.
1
1
3
Hal Pomeranz retweeted
Dropping this in the thread here as @riptari at @TechCrunch did an amazing job explaining this Facebook lawsuit and the latest discovery. This isn’t unexpected as she’s one of the best in the biz at unpacking data and privacy issues. /25 techcrunch.com/2022/09/16/un…
2
21
37
Hal Pomeranz retweeted
I'm not certain it is widely appreciated that excess US deaths in 2022 nearly exactly match excess deaths in 2021.
There is nothing about this pandemic that is "winding down" except for public health response, workplace safety precautions, and funding to keep it from worsening.
29
1,632
46
3,445
Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?
2
1
4
Substitute the path where you have your evidence mounted for "/etc/localtime" in these examples, e.g. "/mnt/evidence/etc/localtime".
1
Finally, I've seen cases where /etc/localtime is simply a copy of a file from /usr/share/zoneinfo. In this case, "zdump /etc/localtime" will display the current time with the time zone indicated in the output.
1
1
On other Linux distros, /etc/localtime is a symlink to the timezone file under /usr/share/zoneinfo - use "ls -l /etc/localtime" or "readlink /etc/localtime" to view.
1
1
2
Trivia Answer #12 - Shout out to @JPoForenso for a pretty complete solution. It turns out not all Linux distros are the same in this. Some have an /etc/timezone file that contains the time zone name in text format.
1
1
3
Daily Linux Forensics Trivia #12 - Given only a disk image, how do you determine the default timezone of a Linux system?
3
5
Trivia Answer #11 - @MalwareJake checked in with the correct answer: “cat /proc/<pid>/exe > /path/to/newfile”. The “cp” command works too. Try to write the recovered file someplace that won’t mess up your evidence.
3
Daily Linux Forensics Trivia #11 - Yesterday's question asked how to spot processes running from deleted executables during live analysis. How would you recover the deleted executable?
2
1
Then @DfirNotes chimed in with the other typical way for doing this, "lsof +L1", which would show all open but unlinked files ("+L1" means "link count < 1", or zero). If you just want running deleted executables, make it "lsof +L1 -a -d txt"
2
Trivia Answer #10 - @jgasmussen got in first with one good answer: "ls -l /proc/*/exe 2>/dev/null | grep deleted" (bonus points for redirecting stderr!)
1
7
Hal Pomeranz retweeted
Something I need cis people to understand: Trans people were four times as likely to be violently attacked, three times as likely to go hungry, and twice as likely to live in poverty *and then* all this bullshit started.
7
402
9
1,300
Hal Pomeranz retweeted
Only one more day to get the early bird discount for BSides Augusta! It's always a great con. I was thinking about heading that way, but noticed there are no offensive appsec talks on the schedule. :-(
1
1
Hal Pomeranz retweeted
Hackers trojanize PuTTY SSH client to backdoor media company - @billtoulas
bleepingcomputer.com/news/se…
2
105
10
176
