I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Replying to @codeslack
Likewise. Good change.
Daily Linux Forensics Trivia #28 - How do Chrome and Firefox web browser artifacts differ on Linux systems as compared to Windows/Mac?
However, @ldsopreload mentioned several other places where login information is tracked, including the btmp (failed logins), and lastlog (detail on most recent login for each user) logs.
Trivia Answer #26 - I should have been more specific here. I was looking for logs that track successful user logins over time and I was thinking of Syslog's LOG_AUTHPRIV stream (usually /var/log/auth.log or .../secure), the wtmp file, and the audit.log.
Replying to @TimMedin
Sounds like the beginning of a Greek tragedy
My son's band is planning "Hot For Teacher" for the school talent show. Not sure whether to be amused or appalled.
Daily Linux Forensics Trivia #26 - Name three different logs where you can normally find a record of user logins.
Trivia Answer #25 - Look at the user’s $HOME/.viminfo file. The file contains information on recently edited files, search terms, commands typed at the “:” prompt, and (probably most useful in this case) commands executed via shell escape.
Replying to @daveshackleford
“Self-discovery”?
Holy smokes! Glad to hear the prognosis is good though. Rest up, big buddy!
And power is restored! Thanks @DukeEnergy for working so hard for Floridians in the wake of hurricane Ian.
Daily Linux Forensics Trivia #25 - A user’s .bash_history file shows repeated use of “sudo vim” with no other arguments. What other artifact could you inspect to get a better picture of their activities?
Trivia Answer #24 - One of the directories is named “.. ” (dot dot space) or some other similar name with a non-printing character. Use “ls -b” to see the non-printing characters. @MalwareJake was suspiciously quick with the answer on this one… almost as if… nah!
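The “.. ” (dot dot space) directory from Trivia #24, reproduced in a throwaway tree as an added example (this is not code from the thread): it shows the plain listing versus ls -b, plus a small triage count of subdirectory names containing whitespace or control characters. It assumes a POSIX sh with GNU or BSD ls; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the ".. " (dot dot space) directory
# from Trivia #24 in a throwaway tree, show why `ls -b` matters, and count such
# names during triage. Function names here are this example's own.
set -eu

# Build a constructed scratch tree: one ordinary subdirectory and one named
# ".. " (dot dot followed by a space), which a plain listing renders as "..".
make_scratch() {
    d=$(mktemp -d)
    mkdir "$d/legit"
    mkdir "$d/.. "
    printf '%s\n' "$d"
}

# `ls -a` prints two entries that both look like "..";
# `ls -ab` escapes the space, so the impostor shows up as "..\ ".
show_listing() {
    echo "--- ls -a ---";  ls -a "$1"
    echo "--- ls -ab ---"; ls -ab "$1"
}

# Triage check: count immediate subdirectories whose names contain whitespace
# or control characters (the real "." and ".." are skipped). The count goes to
# stdout so it can be checked or fed into a report.
count_suspicious_dirs() {
    n=0
    for p in "$1"/* "$1"/.*; do
        [ -d "$p" ] || continue
        name=${p##*/}
        case "$name" in .|..) continue ;; esac
        # If stripping whitespace/control bytes changes the name, it had some.
        stripped=$(printf '%s' "$name" | tr -d '[:space:][:cntrl:]')
        [ "$stripped" = "$name" ] || n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo: run as `sh this.sh demo`.
if [ "${1:-}" = "demo" ]; then
    scratch=$(make_scratch)
    show_listing "$scratch"
    echo "suspicious directories: $(count_suspicious_dirs "$scratch")"   # prints 1
    rm -rf "$scratch"
fi
```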
Replying to @elpie
We’re good, although power has been out since this morning. The storm ended up crossing the state well south of us—very unpredictable storm track on this one.
Replying to @jeffmcjunkin
If you have on-prem Exchange, assume breach
Replying to @johullrich
We lost power this morning after the storm had passed us to the south. Looks like most of the greater Orlando area is without power.
Let me add that a lot of these folks come in from out of state to support us during these disasters. They leave their homes and families and head into harm’s way to get the lights back on. Bravo!
40k+ linemen are waiting by in Florida right now ready to go to work when they can. Legit superstars.
Daily Linux Forensics Trivia #24 - You look at a directory listing and there are two subdirectories named “..”. How is this possible?
If you’re in a virtual environment that doesn’t pre-allocate disks, this also has the side-effect of increasing the storage used by your instance and making it more costly to get a forensic copy.