ippsec · Mar 13, 2022 · 4:01 PM UTC

ippsec

ippsec

@ippsec

13 Mar 2022

Ever come across a file running on a Linux box that was deleted from the disk? Did you know you can likely use DD to recover the file without any non-standard tools?

626

2,861

Hal Pomeranz · Mar 14, 2022 · 12:04 AM UTC

Hal Pomeranz · Mar 14, 2022 · 12:04 AM UTC

Hal Pomeranz @hal_pomeranz

14 Mar 2022

Replying to @ippsec @DfirNotes

You can also just “cp /proc/<pid>/exe /some/new/path”

Mar 14, 2022 · 12:04 AM UTC

Craig Rowland - Agentless Linux Security · Mar 14, 2022 · 12:14 AM UTC

Craig Rowland - Agentless Linux Security

@CraigHRowland

14 Mar 2022

Replying to @hal_pomeranz @ippsec @DfirNotes

Can also do a hash on the running binary this way as well even if deleted: sha1sum /proc/<pid>/exe

strandjs - strandjs@bsky.social · Mar 14, 2022 · 2:33 AM UTC

strandjs - strandjs@bsky.social @strandjs

14 Mar 2022

Replying to @hal_pomeranz @ippsec @DfirNotes

And, you can find them with #lsof +L1

Zeyad Abulaban · Mar 14, 2022 · 10:22 AM UTC

Zeyad Abulaban @zAbuQas3m

14 Mar 2022

Replying to @hal_pomeranz @ippsec @DfirNotes

This doesn't work with python files