I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
Note that on some Linux distros there is an installation log that you can find under /var/log or /root. That will give you a much more exact timeline, if present.
I'm going to give @stoney27 credit on this one -- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.
Replying to @wendynather
I had the Moderna bivalent and likewise basically no side-effects
Always a good idea, but requires extra configuration that most sites in my experience won’t do consistently
Daily Linux Forensics Trivia #6 - How can you determine when a Linux system was installed?
Trivia Answer #5 - It means “Every five minutes execute the script /tmp/.ICEd-unix/.src.sh”. You’ll often see entries like this used for persistence after a successful exploitation event.
Honorable mention for @_malwarez for mentioning utmpdump man7.org/linux/man-pages/man…
Daily Linux Forensics Trivia #5 - What is the meaning of this crontab entry: "*/5 * * * * /tmp/.ICEd-unix/.src.sh"? [and don't forget I'll be teaching Linux Forensics live in-person and streamed @WWHackinFest Deadwood wildwesthackinfest.com/deadw…]
Trivia Answer #4 - Congrats to @obnoxious4n6 for being first with the correct answer. The "last" command displays the contents of /var/log/wtmp. Use the "-f" option to specify an alternate wtmp file, for example from a mounted forensic image.
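Added example, not from this thread: a small Python parser that reads a wtmp file directly (for instance one copied out of a mounted forensic image, which is what "last -f" does) and pairs logins with logouts the way "last" reports them. It assumes the glibc x86_64 struct utmp layout (384-byte records); the sample records are constructed for the demo.

```python
# Added example (not from the thread): read wtmp directly, e.g. from a mounted image.
# Assumes the glibc x86_64 `struct utmp` layout (384-byte records); the sample
# records below are constructed for the demo, not taken from a real system.
import struct
from datetime import datetime, timezone

UT_FMT = "<h2xi32s4s32s256shhiii4i20x"  # type,pid,line,id,user,host,exit,session,tv,addr
UT_SIZE = struct.calcsize(UT_FMT)       # 384 on glibc/x86_64
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UT_SIZE + 1, UT_SIZE):
        f = struct.unpack_from(UT_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "ts": datetime.fromtimestamp(f[9], timezone.utc)}

def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as `last` does."""
    open_, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_:
            login = open_.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["ts"], r["ts"]))
    for r in open_.values():  # no logout record yet: "still logged in"
        out.append((r["user"], r["line"], r["host"], r["ts"], None))
    return out

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed utmp record (used only to build the sample file)."""
    return struct.pack(UT_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

SAMPLE_WTMP = b"".join([  # constructed: boot, one closed ssh session, one still open
    make_record(BOOT_TIME, 0, "~", "reboot", "5.15.0-demo", 1662000000),
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.7", 1662003600),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1662007200),
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "198.51.100.9", 1662010800),
])

if __name__ == "__main__":
    for user, line, host, start, end in sessions(parse_wtmp(SAMPLE_WTMP)):
        end_s = f"{end:%H:%M}" if end else "still logged in"
        print(f"{user:<10}{line:<8}{host:<16}{start:%Y-%m-%d %H:%M} - {end_s}")
```

To run it against a real file, replace SAMPLE_WTMP with open("/mnt/image/var/log/wtmp", "rb").read(); on a non-x86_64 image adjust UT_FMT to that platform's struct utmp.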
Daily Linux Forensics Trivia #4 -- If you want to display the contents of /var/log/wtmp as text, what command do you use?
Trivia Answer #3 -- False. mlocate.db does contain directory timestamps. This timestamp is the larger of the directory's mtime or ctime at the time the database is created. There are no timestamps on the individual file entries.
Replying to @webjedi
I just got boosted but decided to space out the flu shot. I’ll be interested to hear if the combo hits you any harder than the single shots.
Yay! New iPhone 14s are announced. Now I can pick up an iPhone 13 at a reduced price. #NotBuyingTheHype
Daily Linux Forensics Trivia #3 - True or False: the mlocate.db file contains timestamps for all listed files.
Close! "export HISTSIZE=0" clobbers the history list in memory but has no impact on .bash_history
Trivia Answer #2 -- "export HISTFILESIZE=0" immediately truncates $HOME/.bash_history to zero bytes
Seems like there is a lot of darkness in the world right now. Hold fast to your truth. Let your light shine.
Looking forward to seeing everybody!
Daily Linux Forensics Trivia #2 — What environment variable setting immediately truncates .bash_history to zero bytes? wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.