I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Trivia Answer #23 - Lots of responses, including @rvandenbrink, @DfirNotes, and @jtsylve. The dd command will create a file called junk that will consume all unallocated blocks and overwrite them with random data. This should obliterate any evidence in unallocated.
Replying to @darthsaac
Good so far— just a lot of rain and wind here. You all OK?
Replying to @bettersafetynet
I have to explain to my dog that it’s going to be windy and rainy for the next 48 hours and the bathroom is still OUTSIDE
Also can we take a moment to recognize your mom's badass koala socks!
This panel was a lot of fun!
Here's more good stuff from Way West 2022...it's "Everything Old is New Again" with @hal_pomeranz , @edskoudis , @AlyssaM_InfoSec, and Tony Sager! youtube.com/watch?v=cT3YXCqe…
They’re just waiting for him to be big enough to be worth eating
Yes, you’re grappling with the “demonstrating a negative” problem. The spending did likely prevent multiple incidents that never rose to the level of visibility.
Thanks everybody for your concern. We are prepared for Ian and will be fine. If you are stuck in central Florida and need help, please reach out. DMs are open.
Daily Linux Forensics Trivia #23 - You find these commands in /root/.bash_history: "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk". What did these commands accomplish?
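Added example for Trivia #23 and its answer (constructed Python, not code from the thread or from Hal): a small scanner that reads bash_history text and flags the fill-and-delete pattern, a dd that copies /dev/urandom, /dev/random or /dev/zero into a regular file which is later removed. The sample history, the WipeFinding name and the set of fill sources are assumptions; only the second history line is taken from the trivia question.

```python
import re
import shlex
from dataclasses import dataclass

# Sources whose content carries no evidence; writing one of them into a file
# until the disk is full overwrites every unallocated data block.
# (Assumption: the page only shows /dev/urandom; the other two are the usual variants.)
FILL_SOURCES = {"/dev/urandom", "/dev/random", "/dev/zero"}

# Separators between simple commands on one history line.
_SEPARATOR = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


@dataclass
class WipeFinding:
    line_no: int   # history line holding the dd command (1-based)
    path: str      # file that was filled
    source: str    # what it was filled from
    removed: bool  # whether a later rm of the same path was seen


def find_unallocated_wipes(history_text):
    """Flag dd-fill-then-rm sequences in bash history text.

    Returns WipeFinding objects: first each fill that was followed by an rm
    (in rm order), then any fill whose file was never removed (those files
    may still be sitting on disk, which is worth checking).
    """
    findings = []
    pending = {}  # path -> (line_no, source): filled but not yet rm'd
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        for cmd in _SEPARATOR.split(line.strip()):
            try:
                argv = shlex.split(cmd)
            except ValueError:      # unbalanced quotes; not a clean command
                continue
            if not argv:
                continue
            if argv[0] == "dd":
                opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
                src, dst = opts.get("if"), opts.get("of")
                # of=/dev/... would be a whole-device overwrite, a different technique
                if src in FILL_SOURCES and dst and not dst.startswith("/dev/"):
                    pending[dst] = (line_no, src)
            elif argv[0] == "rm":
                for target in argv[1:]:   # flags such as -rf never match a path
                    if target in pending:
                        dd_line, src = pending.pop(target)
                        findings.append(WipeFinding(dd_line, target, src, True))
    for dst, (dd_line, src) in pending.items():
        findings.append(WipeFinding(dd_line, dst, src, False))
    return findings


# Constructed history (not real evidence); line 2 is the command from the trivia question.
SAMPLE_HISTORY = """\
ls -la /tmp
dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk
dd if=/dev/sda of=/root/disk.img bs=4M
dd if=/dev/zero of=/var/tmp/fill bs=1M && rm /var/tmp/fill
dd if=/dev/urandom of=/home/bob/fill bs=1M
history -c
"""

if __name__ == "__main__":
    for f in find_unallocated_wipes(SAMPLE_HISTORY):
        state = "then removed" if f.removed else "NOT removed (check whether it is still present)"
        print(f"line {f.line_no}: {f.path} filled from {f.source}, {state}")
```

Two caveats a practitioner should keep in mind when they see this pattern: filling the free space only overwrites unallocated data blocks, so file slack at the tails of live files, the ext journal and the deleted /junk inode's own metadata are untouched, and the history line itself records the intent. The scanner also only recognises dd; a redirect such as `cat /dev/urandom > /junk` achieves the same and would need its own rule.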
Trivia Answer #22 -- The quick summary is that the entry for the deleted file becomes "slack space" at the end of the previous directory entry. The inode number and file name from the deleted file entry are still visible. More details at sans.org/blog/understanding-…
I’d go further. I challenge orgs to stop supporting and turn off one tool per year where they could easily get similar coverage from other existing tools in their environment.
Daily Linux Forensics Trivia #22 - Explain what happens in an EXT directory file when you delete a file from that directory.
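Added example for Trivia #22 and its answer (constructed Python, not code from the thread or from Hal): it builds a one-block ext2/3/4 directory in memory, deletes an entry the way the kernel's unlink path does (the previous entry's rec_len grows to cover the victim), and then walks the block two ways: hopping by rec_len as ls does, and carving the slack behind each live entry as a forensic parser does. ENTRY_HDR, the FT_* constants and the sample names are assumptions; nothing is read from a real disk.

```python
import struct

# On-disk layout of an ext2/3/4 linear directory entry (ext4_dir_entry_2):
# u32 inode, u16 rec_len, u8 name_len, u8 file_type, then the name bytes,
# padded so every entry starts on a 4-byte boundary.
ENTRY_HDR = struct.Struct("<IHBB")
FT_REG, FT_DIR = 1, 2  # file_type values for regular file and directory


def _padded(name_len):
    """Minimal rec_len for a name of this length."""
    return (ENTRY_HDR.size + name_len + 3) & ~3


def build_dir_block(entries, block_size=1024):
    """Constructed directory block: entries are (inode, name, file_type).
    As on a real disk, the last entry's rec_len runs to the end of the block."""
    block = bytearray()
    for i, (inode, name, ftype) in enumerate(entries):
        name_b = name.encode()
        rec_len = _padded(len(name_b))
        if i == len(entries) - 1:
            rec_len = block_size - len(block)
        block += ENTRY_HDR.pack(inode, rec_len, len(name_b), ftype)
        block += name_b + b"\x00" * (rec_len - ENTRY_HDR.size - len(name_b))
    assert len(block) == block_size
    return block


def delete_entry(block, name):
    """Do what ext4_delete_entry does: the predecessor's rec_len grows to cover
    the victim, whose inode number and name bytes stay on disk. Only a victim
    at the very start of the block has its inode field zeroed instead."""
    prev_off, off = None, 0
    while off < len(block):
        inode, rec_len, name_len, _ = ENTRY_HDR.unpack_from(block, off)
        ename = block[off + 8:off + 8 + name_len].decode()
        if inode and ename == name:
            if prev_off is None:
                struct.pack_into("<I", block, off, 0)
            else:
                prev_rec_len = ENTRY_HDR.unpack_from(block, prev_off)[1]
                struct.pack_into("<H", block, prev_off + 4, prev_rec_len + rec_len)
            return True
        prev_off, off = off, off + rec_len
    return False


def walk_live(block):
    """What ls sees: hop from entry to entry via rec_len."""
    names, off = [], 0
    while off < len(block):
        inode, rec_len, name_len, _ = ENTRY_HDR.unpack_from(block, off)
        if inode:
            names.append((inode, block[off + 8:off + 8 + name_len].decode()))
        off += rec_len
    return names


def walk_slack(block):
    """What a forensic parser sees: entries hiding between the end of a live
    entry's name and the next live entry (the slack Hal's answer describes)."""
    found, off = [], 0
    while off < len(block):
        _, rec_len, name_len, _ = ENTRY_HDR.unpack_from(block, off)
        pos, end = off + _padded(name_len), off + rec_len
        while pos + ENTRY_HDR.size <= end:
            d_inode, d_rec, d_nl, _ = ENTRY_HDR.unpack_from(block, pos)
            if (d_inode == 0 or d_rec < ENTRY_HDR.size or d_nl == 0
                    or pos + ENTRY_HDR.size + d_nl > end):
                break  # zero padding or garbage; nothing more to carve here
            found.append((d_inode, block[pos + 8:pos + 8 + d_nl].decode()))
            pos += _padded(d_nl)  # consecutive deletions stack up behind one entry
        off += rec_len
    return found


def demo():
    """Constructed root directory; delete 'evil' and look at the block both ways."""
    block = build_dir_block([(2, ".", FT_DIR), (2, "..", FT_DIR),
                             (12, "evil", FT_REG), (13, "notes.txt", FT_REG)])
    delete_entry(block, "evil")
    return walk_live(block), walk_slack(block)


if __name__ == "__main__":
    live, slack = demo()
    print("ls sees:    ", live)
    print("slack holds:", slack)
```

Directories that use the htree index (dir_index) keep the same linear entries inside each leaf block, so the same carving applies there. The carved entry is only as durable as the slack it sits in: the next file created in that directory may be placed over it, and when the deleted file was the first entry in its block only the inode field is zeroed, so the name survives but the inode link does not.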
Trivia Answer #21 - Shout out to @lux_amalgamated for chiming in on this one. Assuming you have your evidence mounted on /mnt/evidence, the easiest thing to do is "find /mnt/evidence -newer /mnt/evidence/tmp/evil". This will show all files with a later mtime than /tmp/evil.
Important thread here. Everybody fails. The people who I look up to are honest about their failures, figure out why things failed, and come back better.
Got several DMs about this. Folks, I fail in tech all the time. SPOILER: EVERYONE DOES. The reason you don't hear about the issues is everyone wants to put their best foot forward. If you think somehow folks "level up" and don't have these issues, please think again.
It’s also the key to Perl programming
Orlando is my home base. If your travel plans get messed up by the weather and you get stuck in the City Beautiful, reach out and we will help. DMs are open.
Got my flu shot. Please think about getting yours. Much love!
Daily Linux Forensics Trivia #21 - You find the attacker's privilege escalation exploit installed as /tmp/evil. You want to find all files on the system that were modified since the privilege escalation exploit was dropped. How would you do this in Linux?
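Added example for Trivia #21 and its answer (constructed Python, not code from the thread or from Hal): a `find -newer` equivalent that walks a tree and reports everything whose mtime is later than the reference file's mtime, with a `key="ctime"` switch that does what `find -cnewer` does. The evidence tree it builds in a temporary directory is constructed, and the timestamps in it are assumptions chosen to show the one thing the mtime check misses.

```python
import os
import shutil
import tempfile
import time


def newer_than(root, reference, key="mtime"):
    """Python equivalent of `find ROOT -newer REFERENCE` (key="mtime") or
    `find ROOT -cnewer REFERENCE` (key="ctime"): every path under root whose
    chosen timestamp is later than the reference file's mtime.
    Uses lstat so symlinks are judged by their own timestamps, as find does."""
    ref_ns = os.lstat(reference).st_mtime_ns
    field = "st_mtime_ns" if key == "mtime" else "st_ctime_ns"
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:   # find reports directories too
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:       # raced with a deletion; skip it
                continue
            if getattr(st, field) > ref_ns:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed evidence tree (an assumption, not real evidence). T is when
    tmp/evil was dropped. One backdoor was written after T and then timestomped
    back to before T, but the attacker forgot the directory it lives in."""
    root = tempfile.mkdtemp(prefix="evidence-")
    T = int((time.time() - 600) * 1e9)          # ten minutes ago, in ns
    MIN, HOUR, DAY = 60 * 10**9, 3600 * 10**9, 86400 * 10**9

    def put(rel, mtime_ns, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write(rel + "\n")
        os.utime(path, ns=(mtime_ns, mtime_ns))   # sets atime and mtime only

    for d in ("tmp", "etc", "etc/cron.d"):
        os.makedirs(os.path.join(root, d))
    put("etc/passwd", T - DAY)                  # untouched system file
    put("tmp/evil", T)                          # the reference file
    put("etc/ld.so.preload", T + MIN)           # written after the exploit
    put("etc/cron.d/backdoor", T + 2 * MIN)     # written after the exploit...
    put("etc/cron.d/backdoor", T - HOUR)        # ...then timestomped (touch -d)
    # Directory mtimes go last, because creating files in them bumps them.
    put("tmp", T, is_dir=True)                  # evil's arrival was tmp's last change
    put("etc", T + MIN, is_dir=True)
    put("etc/cron.d", T + 2 * MIN, is_dir=True) # the timestomp missed this one
    try:
        return newer_than(root, os.path.join(root, "tmp/evil"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())   # the timestomped backdoor is absent; its directory is not
```

The mtime comparison is the one the attacker controls: `touch -d` or `touch -r` rewrites it without leaving a trace in the file itself. Run the same sweep with `key="ctime"` (`find -cnewer` on the command line) as well, because ctime is set by the kernel on every metadata change and cannot be rewound from userland without raw disk writes or a clock change; the demo cannot show that difference because every file it creates has a fresh ctime. Directory mtimes are the other tell: a timestomped file still bumped its parent directory when it was written, which is why etc/cron.d shows up above even though the backdoor inside it does not.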
Trivia Answer #20 - Shout out to @countuponsec for a great list-- linux_check_modules and linux_hidden_modules to look for modules that are hiding, linux_check_syscall to look for kernel hooks, and linux_check_inline_kernel to look for patching