I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
On older systems, look under /var/lib/dhc* for similar files.
Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.
Where by “decimal variable” I think they meant “floating point variable”. Sigh.
Replying to @MalwareJake
I’m just going to stick with what I first saw, because that reality is so much cooler!
Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?
Substitute the path where you have your evidence mounted for "/etc/localtime" in these examples, e.g. "/mnt/evidence/etc/localtime".
Finally, I've seen cases where /etc/localtime is simply a copy of a file from /usr/share/zoneinfo. In this case, "zdump /etc/localtime" will display the current time with the time zone indicated in the output.
On other Linux distros, /etc/localtime is a symlink to the timezone file under /usr/share/zoneinfo - use "ls -l /etc/localtime" or "readlink /etc/localtime" to view.
Trivia Answer #12 - Shout out to @JPoForenso for a pretty complete solution. It turns out not all Linux distros are the same in this. Some have an /etc/timezone file that contains the time zone name in text format.
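An added example (not from the original thread) that works through all three cases from the answer in one function: the /etc/timezone text file, /etc/localtime as a symlink, and /etc/localtime as a plain copy. The evidence mount point is passed as the first argument, as the thread suggests. For the copy case it first compares /etc/localtime byte-for-byte against the image's own /usr/share/zoneinfo tree to recover the full zone name, and only falls back to the zdump approach from the thread (which yields the zone abbreviation, not the name) if nothing matches.

```shell
#!/bin/sh
# Determine the default time zone of a Linux system from a mounted disk image.
# Usage: detect_timezone /mnt/evidence
# Prints the zone name (e.g. "America/New_York") and returns 0, or returns 1
# when none of the three artifacts is present.
detect_timezone() {
    root="${1%/}"                      # evidence mount point, trailing slash stripped

    # Case 1: /etc/timezone holds the zone name as plain text.
    if [ -s "$root/etc/timezone" ]; then
        tr -d '[:space:]' < "$root/etc/timezone"
        echo
        return 0
    fi

    # Case 2: /etc/localtime is a symlink into /usr/share/zoneinfo.
    # readlink (not readlink -f) so an absolute target is read from the
    # image's link, never resolved against the analysis workstation.
    if [ -L "$root/etc/localtime" ]; then
        target=$(readlink "$root/etc/localtime")
        case "$target" in
            *zoneinfo/*) echo "${target#*zoneinfo/}"; return 0 ;;   # absolute or relative link
        esac
        echo "localtime -> $target"   # unusual link target; report it raw
        return 0
    fi

    # Case 3: /etc/localtime is a copy of a zoneinfo file. Find identical
    # files in the image's zoneinfo tree and print their names relative to it.
    if [ -f "$root/etc/localtime" ]; then
        matches=$(find "$root/usr/share/zoneinfo" -type f \
                    -exec cmp -s "$root/etc/localtime" {} \; -print 2>/dev/null \
                  | sed "s|^$root/usr/share/zoneinfo/||")
        if [ -n "$matches" ]; then
            echo "$matches"
            return 0
        fi
        # No identical file on the image: zdump still shows the abbreviation
        # in effect ("EDT", "CET"), which is better than nothing.
        zdump "$root/etc/localtime"
        return 0
    fi
    return 1
}
```

In the copy case expect several matches when the image carries the posix/ and right/ duplicate trees, or where two zones share identical rules; all of them are printed so you can pick the one that fits the rest of the evidence rather than silently taking the first.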
Replying to @k8em0
If only we knew a boss like that…
Daily Linux Forensics Trivia #12 - Given only a disk image, how do you determine the default timezone of a Linux system?
Trivia Answer #11 - @MalwareJake checked in with the correct answer: “cat /proc/<pid>/exe > /path/to/newfile”. The “cp” command works too. Try to write the recovered file someplace that won’t mess up your evidence.
Replying to @johullrich
Unbelievable amounts of rain— we are way ahead of monthly and annual averages and haven’t even seen major storms this year. Crazy. #MyPoolOverfloweth
Replying to @MalwareJake
Strikes me as an interesting honeypotting technique for defenders
Daily Linux Forensics Trivia #11 - Yesterday's question asked how to spot processes running from deleted executables during live analysis. How would you recover the deleted executable?
Then @DfirNotes chimed in with the other typical way for doing this, "lsof +L1", which would show all open but unlinked files ("+L1" means "link count < 1", or zero). If you just want running deleted executables, make it "lsof +L1 -a -d txt"
Trivia Answer #10 - @jgasmussen got in first with one good answer: "ls -l /proc/*/exe 2>/dev/null | grep deleted" (bonus points for redirecting stderr!)
Replying to @hacks4pancakes
An organization that is successful because of heroic and/or “last minute” efforts is not a successful organization
Daily Linux Forensics Trivia #10 - When investigating a live Linux system, how can you detect if a process is running from a deleted binary? [and don't forget to sign up for live Linux forensics training wildwesthackinfest.com/deadw…]
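An added example (not from the original thread) covering both Trivia #10 and #11 together: the first function is the /proc/*/exe check from the answer to #10, written as a loop so that kernel threads and processes whose exe link is unreadable are skipped instead of spraying errors; the second is the "cat /proc/<pid>/exe > newfile" recovery from the answer to #11. Both take the proc root as an argument, which is an assumption added here so the logic can be run against a constructed tree as well as the live /proc.

```shell
#!/bin/sh
# List processes whose executable has been unlinked. The kernel appends
# " (deleted)" to the exe link target once the file is gone.
# Usage: deleted_exes [/proc]   -> prints "PID TARGET" per hit
deleted_exes() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        # Kernel threads have no exe, and other users' processes are unreadable
        # without root; either way readlink fails and the entry is skipped.
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${d##*/} $target" ;;
        esac
    done
}

# Recover the executable of PID: /proc/PID/exe still resolves to the unlinked
# inode while the process lives, so reading it yields the original bytes.
# Usage: recover_exe /proc PID /path/outside/evidence/recovered.bin
recover_exe() {
    proc="$1"; pid="$2"; out="$3"
    cat "$proc/$pid/exe" > "$out" && chmod 0400 "$out"
}
```

Write the recovered file to a separate volume, as the thread says, and hash it immediately. The string match is the one weakness of the /proc/*/exe approach: a binary whose path genuinely ends in " (deleted)" would be reported too, which is why "lsof +L1 -a -d txt" from the thread, which tests the link count rather than the name, is the more robust check when lsof is available.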