Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Sep 6, 2022 · 1:31 PM UTC

Daily Linux Forensics Trivia #1 -- Name two places in the Linux file system where the file type is encoded. wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.
Daily Linux Forensics Trivia #2 — What environment variable setting immediately truncates .bash_history to zero bytes? wildwesthackinfest.com/deadw…
Trivia Answer #2 -- "export HISTFILESIZE=0" immediately truncates $HOME/.bash_history to zero bytes
Daily Linux Forensics Trivia #3 - True or False: the mlocate.db file contains timestamps for all listed files.
Trivia Answer #3 -- False. mlocate.db does contain directory timestamps. This timestamp is the larger of the directory's mtime or ctime at the time the database is created. There are no timestamps on the individual file entries.
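To make the point in Answer #3 concrete, here is an added example (not part of the thread) that builds a small constructed mlocate.db in memory and parses it following the layout documented in mlocate.db(5): a timestamp sits on each directory record, while the file entries under it carry only a type byte and a name. The sample path, epoch value and file names are made up for the demonstration.

```python
import struct
from datetime import datetime, timezone

def build_sample_db():
    """Constructed sample (not a real capture): header, empty config block,
    and one directory record for /home/user holding a file and a subdir."""
    cfg = b""                                            # empty config block
    hdr = b"\0mlocate" + struct.pack(">IBBxx", len(cfg), 0, 0) + b"/\0"
    rec = struct.pack(">QIxxxx", 1662470000, 123456789)  # secs, nsecs, pad
    rec += b"/home/user\0"
    rec += b"\x00" + b"notes.txt\0"                      # type 0: non-directory
    rec += b"\x01" + b".cache\0"                         # type 1: subdirectory
    rec += b"\x02"                                       # type 2: end of dir
    return hdr + cfg + rec

def _cstr(buf, off):
    """Read a NUL-terminated string at off; return (text, offset after NUL)."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode(), end + 1

def parse_mlocate(buf):
    """Return (root path, list of directory records) from mlocate.db bytes."""
    if buf[:8] != b"\0mlocate":
        raise ValueError("not an mlocate.db file")
    cfg_len, version, _require_visibility = struct.unpack_from(">IBBxx", buf, 8)
    if version != 0:
        raise ValueError("unsupported mlocate.db format version %d" % version)
    root, off = _cstr(buf, 16)
    off += cfg_len                                       # skip the config block
    dirs = []
    while off < len(buf):
        secs, nsec = struct.unpack_from(">QIxxxx", buf, off)   # directory time
        off += 16
        path, off = _cstr(buf, off)
        when = datetime.fromtimestamp(secs, timezone.utc)
        when = when.replace(microsecond=nsec // 1000)
        entries = []
        while True:                                      # no timestamps here
            kind = buf[off]
            off += 1
            if kind == 2:
                break
            name, off = _cstr(buf, off)
            entries.append((name, "dir" if kind == 1 else "file"))
        dirs.append({"path": path, "dir_time_epoch": secs,
                     "dir_time": when.isoformat(), "entries": entries})
    return root, dirs

if __name__ == "__main__":
    for d in parse_mlocate(build_sample_db())[1]:
        print(d["dir_time"], d["path"], d["entries"])
```

Point the same parser at a database copied from a mounted image (e.g. /var/lib/mlocate/mlocate.db) to recover the directory times; the directory time is the larger of the directory's mtime and ctime when updatedb ran.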
Daily Linux Forensics Trivia #4 -- If you want to display the contents of /var/log/wtmp as text, what command do you use?
Trivia Answer #4 - Congrats to @obnoxious4n6 for being first with the correct answer. The "last" command displays the contents of /var/log/wtmp. Use the "-f" option to specify an alternate wtmp file, for example from a mounted forensic image.
Daily Linux Forensics Trivia #5 - What is the meaning of this crontab entry: "*/5 * * * * /tmp/.ICEd-unix/.src.sh"? [and don't forget I'll be teaching Linux Forensics live in-person and streamed @WWHackinFest Deadwood wildwesthackinfest.com/deadw…]
Trivia Answer #5 - It means “Every five minutes execute the script /tmp/.ICEd-unix/.src.sh”. You’ll often see entries like this used for persistence after a successful exploitation event.