I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
From the early days of Unix file systems, permissions are stored in a packed two-byte field. The upper four bits are the file type. The remaining twelve bits track set-UID, set-GID, "sticky", and then "rwx" perms for owner, group, and other.
Replying to @k8em0
That I would truly love to see!
Replying to @k8em0
I think it would get ugly. They’d want to install their own “old white guy” advisors and have you run things the “old white guy” way. Money never comes without strings.
Replying to @wimremes
Not if you just use somebody else’s
Daily Linux Forensics Trivia #9 - Describe how file permissions are stored in the inode for EXT and XFS.
Trivia Answer #8 — Look in $HOME/.local/share/recently-used.xbel for the Nautilus/Nemo file browsing history. XML formatted doc includes file name, app used to open file, and first/last visit times.
lost+found gets created when the file system is created. fsck may place orphaned inodes into lost+found if it finds file system damage, but it does not create the directory.
Replying to @bettersafetynet
Have we ever had the “How Hal ended up in DFIR” talk? Remind me the next time we are drinking together.
It’s hard to imagine a better brand ambassador than Lesley— exec at one of the hottest tech companies on the planet, accomplished hacker, community leader, veteran who helps other veterans, expert martial artist in multiple disciplines. Always willing to fight the good fight.
Daily Linux Forensics Trivia #8 — Where does the Nautilus/Nemo file browser for the Gnome desktop store browsing history?
Several folks noted, however, that the known_hosts file is just a text file and can be edited. So perhaps that entry is bogus. I recommend comparing the public host key from the remote system against the public key in the known_hosts entry as an additional level of validation.
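The comparison recommended above, as an added example that is not part of the original posts: it finds the known_hosts entries for a host, including hashed `|1|salt|hash` host fields (written by OpenSSH when HashKnownHosts is enabled), and compares each entry's key fingerprint with the public key collected from the remote system. The address, salt and key blobs are constructed sample data, and the function names are this example's own.

```python
import base64, hashlib, hmac

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list, or hashed |1|salt|hmac."""
    if field.startswith("|1|"):
        salt_b64, mac_b64 = field[3:].split("|", 1)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def check_known_hosts(text, host, remote_pubkey):
    """Return (line_no, key_type, fingerprint, same_as_remote) for each entry naming host."""
    remote_type, remote_blob = remote_pubkey.split()[:2]
    remote_fp = fingerprint(remote_blob)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        field, ktype, blob_b64 = parts[:3]
        if host_matches(field, host):
            fp = fingerprint(blob_b64)
            hits.append((n, ktype, fp, ktype == remote_type and fp == remote_fp))
    return hits

def blob(seed):
    """Constructed ed25519-shaped key blob for the sample data, not a real host key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

SUSPECT = "203.0.113.50"   # constructed address from a documentation range
SALT = bytes(range(20))    # constructed salt for the hashed entry
HASHED = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, SUSPECT.encode(), hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "198.51.100.7 ssh-ed25519 " + blob(1),
    HASHED + " ssh-ed25519 " + blob(2)])
REMOTE_PUB = "ssh-ed25519 " + blob(2) + " root@remote"  # as read from the remote .pub file

if __name__ == "__main__":
    for hit in check_known_hosts(KNOWN_HOSTS, SUSPECT, REMOTE_PUB):
        print(hit)
```

A `False` in the last field means the entry's key is not the one the remote host currently presents, which fits either an edited known_hosts file or a host that has since been rekeyed.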
You would have to check the logs on the remote system to determine if there was any kind of login and what happened from there.
Trivia Answer #7 — Shout out to @DfirNotes for the first correct response. An entry in known_hosts means the account established an SSH connection to the remote host long enough to exchange public keys. It does NOT tell you whether or not there was a successful login.
Hey @KirrinFinch, one of our community leaders is feeling a profound sense of grief due to the loss of their Kirrin Finch suit. Perhaps you can help Lesley out? Nobody could be more deserving, after helping so many others.
Replying to @hacks4pancakes
Just such a miserable situation. It was from a company called Kirrin Finch that makes suits for non gender conforming people, and it was super gender-affirming, too. I got to wear it once and I was so damn excited to get it.
Replying to @hacks4pancakes
I’m sorry for your loss and frustration. It sucks. Putting the cleaners aside for a moment, perhaps you could come at this another way. Reach out to the suit designers, explain the issue and your pain of loss, and see what they can do. You have enormous influencer clout. Use it.
Let me know when you are ready for some 1099 help
Replying to @lee_whitfield
Congrats and bon voyage!
Daily Linux Forensics Trivia #7 -- You find an entry for a suspicious IP address in /root/.ssh/known_hosts. What conclusions can you draw from this artifact?
Some people use the creation dates on the host SSH keys (/etc/ssh/ssh_host_*). These are generally a good indicator for when the system was first booted, since they are usually generated automatically at first boot.