Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.
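An added example, not part of the original posts: a small parser that turns dhclient lease files like those described above into a timeline. The sample lease text is constructed, timestamps are assumed to be in dhclient's default UTC format, and the "obtained" time is an estimate (expire minus dhcp-lease-time).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in dhclient lease syntax (not from a real system).
SAMPLE = '''lease {
  interface "wlp2s0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-server-identifier 192.168.1.1;
  option domain-name "neighbor.example";
  renew 2 2019/03/05 14:10:31;
  expire 3 2019/03/06 04:22:11;
}
lease {
  interface "wlp2s0";
  fixed-address 10.20.0.57;
  option dhcp-lease-time 3600;
  option dhcp-server-identifier 10.20.0.1;
  expire 5 2019/03/08 19:00:00;
}
'''

BLOCK = re.compile(r"lease\s*\{(.*?)\}", re.S)
# "option <name> <value>;" or "<name> <value>;" with the "option" keyword dropped
STMT = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.*?);\s*$", re.M)
# "<weekday> YYYY/MM/DD HH:MM:SS"
STAMP = re.compile(r"\d (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

def parse_leases(text):
    """Return one dict per lease block, adding UTC datetimes where possible."""
    leases = []
    for body in BLOCK.findall(text):
        rec = {key: val.strip('"') for key, val in STMT.findall(body)}
        m = STAMP.fullmatch(rec.get("expire", ""))
        if m and rec.get("dhcp-lease-time", "").isdigit():
            end = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            rec["expire_utc"] = end.replace(tzinfo=timezone.utc)
            # Estimate only: lease granted at expiry minus lease duration
            rec["obtained_utc"] = rec["expire_utc"] - timedelta(
                seconds=int(rec["dhcp-lease-time"]))
        leases.append(rec)
    return leases

if __name__ == "__main__":
    for l in parse_leases(SAMPLE):
        print(l.get("obtained_utc"), l.get("interface"), l.get("fixed-address"),
              l.get("dhcp-server-identifier"), l.get("domain-name", "-"))
```

Run it against copies of the lease files from an image rather than the originals, and compare the server address and domain name in each lease with the network in question.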
Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?
Finally, I've seen cases where /etc/localtime is simply a copy of a file from /usr/share/zoneinfo. In this case, "zdump /etc/localtime" will display the current time with the time zone indicated in the output.
On other Linux distros, /etc/localtime is a symlink to the timezone file under /usr/share/zoneinfo - use "ls -l /etc/localtime" or "readlink /etc/localtime" to view.
Trivia Answer #12 - Shout out to @JPoForenso for a pretty complete solution. It turns out not all Linux distros are the same in this. Some have an /etc/timezone file that contains the time zone name in text format.
Trivia Answer #11 - @MalwareJake checked in with the correct answer: "cat /proc/<pid>/exe > /path/to/newfile". The "cp" command works too. Try to write the recovered file someplace that won't mess up your evidence.
Daily Linux Forensics Trivia #11 - Yesterday's question asked how to spot processes running from deleted executables during live analysis. How would you recover the deleted executable?
Then @DfirNotes chimed in with the other typical way for doing this, "lsof +L1", which would show all open but unlinked files ("+L1" means "link count < 1", or zero). If you just want running deleted executables, make it "lsof +L1 -a -d txt".
Trivia Answer #10 - @jgasmussen got in first with one good answer: "ls -l /proc/*/exe 2>/dev/null | grep deleted" (bonus points for redirecting stderr!)
Daily Linux Forensics Trivia #10 - When investigating a live Linux system, how can you detect if a process is running from a deleted binary? [and don't forget to sign up for live Linux forensics training wildwesthackinfest.com/deadw…]