Hal Pomeranz · Nov 9, 2020 · 10:10 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

9 Nov 2020

Replying to @johnabbe @IdentityWoman @judell @artbrock @AureliaAugusta @lizbarry @finnern

The problem is that while you control the entire data store, you have to give access to small pieces of info. Those pieces will be aggregated outside of your control, just as they are today.

Hal Pomeranz · Nov 9, 2020 · 10:09 PM UTC

Hal Pomeranz @hal_pomeranz

9 Nov 2020

Replying to @davidseidl @mzyw @randymarchany @SANSInstitute @educause

Which means your password was not stored as a hash on at least some systems.

Hal Pomeranz · Nov 2, 2020 · 12:07 PM UTC

Hal Pomeranz @hal_pomeranz

2 Nov 2020

Replying to @v3rtig0

istat is just returning inode data, nothing else AFAIK

Hal Pomeranz · Nov 1, 2020 · 9:51 AM UTC

Hal Pomeranz @hal_pomeranz

1 Nov 2020

Replying to @v3rtig0

Also not clear on the context for your request. You could track file access in excessive detail using auditd on Linux, but it would have to be configured beforehand. Won’t help if you’re investigating activity that has already happened.

Hal Pomeranz · Nov 1, 2020 · 9:48 AM UTC

Hal Pomeranz @hal_pomeranz

1 Nov 2020

Replying to @v3rtig0

See extundelete and ext4magic. The source code here is probably the best documentation you are going to find on this. There is no USN equivalent for Linux file systems.

Hal Pomeranz · Oct 21, 2020 · 12:25 PM UTC

Hal Pomeranz @hal_pomeranz

21 Oct 2020

For the morning crowd...

Hal Pomeranz @hal_pomeranz

21 Oct 2020

Your most indispensable Windows app(s) and why? GO!

Hal Pomeranz · Oct 21, 2020 · 2:13 AM UTC

Hal Pomeranz @hal_pomeranz

21 Oct 2020

Your most indispensable Windows app(s) and why? GO!

Hal Pomeranz · Oct 16, 2020 · 3:32 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Replying to @jtsylve

Not that I'm seeing.

Hal Pomeranz · Oct 16, 2020 · 1:39 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Replying to @mykill

Good idea, not the execution mechanism in this case

Hal Pomeranz · Oct 16, 2020 · 1:17 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Replying to @jtsylve

Good thought, but I'm not finding any

Hal Pomeranz · Oct 16, 2020 · 12:28 PM UTC

Hal Pomeranz @hal_pomeranz

16 Oct 2020

Replying to @phillmoore

Yeah, that's basically what I'm down to at this point

Hal Pomeranz · Oct 15, 2020 · 9:26 PM UTC

Hal Pomeranz @hal_pomeranz

15 Oct 2020

Replying to @MalwareJake

Sadly, Shell is set to explorer.exe

Hal Pomeranz · Oct 15, 2020 · 8:43 PM UTC

Hal Pomeranz @hal_pomeranz

15 Oct 2020

Replying to @DFIRSamurai

The file manager

Hal Pomeranz · Oct 15, 2020 · 8:32 PM UTC

Hal Pomeranz @hal_pomeranz

15 Oct 2020

I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?

Hal Pomeranz · Oct 13, 2020 · 10:34 PM UTC

Hal Pomeranz @hal_pomeranz

13 Oct 2020

I’d eat that!

Hal Pomeranz · Oct 12, 2020 · 12:07 AM UTC

Hal Pomeranz @hal_pomeranz

12 Oct 2020

Replying to @craiu @DfirNotes

“I don’t really understand Linux but the developers keep deploying their stuff on it.”

Hal Pomeranz · Oct 11, 2020 · 2:30 AM UTC

Hal Pomeranz @hal_pomeranz

11 Oct 2020

This content is evergreen volatility-labs.blogspot.com… -- Thanks again, @attrc!

Hal Pomeranz · Sep 22, 2020 · 7:00 PM UTC

Hal Pomeranz @hal_pomeranz

22 Sep 2020

Yeah, people are telling me it's loading for them. Guess I'm on the blocked list! :-)

Hal Pomeranz · Sep 22, 2020 · 6:37 PM UTC

Hal Pomeranz @hal_pomeranz

22 Sep 2020

Replying to @Colddemon00

Weird. Thanks.

Hal Pomeranz · Sep 22, 2020 · 6:35 PM UTC

Hal Pomeranz @hal_pomeranz

22 Sep 2020

Anybody know what happened to the FBI/NSA writeup on the the Drovorub Linux rootkit/malware that used to be at media.defense.gov/2020/Aug/1…