Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Sep 6, 2022 · 1:31 PM UTC

Daily Linux Forensics Trivia #1 -- Name two places in the Linux file system where the file type is encoded. wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.
Daily Linux Forensics Trivia #7 -- You find an entry for a suspicious IP address in /root/.ssh/known_hosts. What conclusions can you draw from this artifact?
Trivia Answer #7 — Shout out to @DfirNotes for the first correct response. An entry in known_hosts means the account established an SSH connection to the remote host long enough to exchange public keys. It does NOT tell you whether or not there was a successful login.
Daily Linux Forensics Trivia #8 — Where does the Nautilus/Nemo file browser for the Gnome desktop store browsing history?
Trivia Answer #8 — Look in $HOME/.local/share/recently-used.xbel for the Nautilus/Nemo file browsing history. XML formatted doc includes file name, app used to open file, and first/last visit times.
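An added example (not from the original thread) that pulls the fields named above out of a recently-used.xbel file: path, MIME type, first/last visit times and the applications that opened each file. The sample document, its paths and timestamps are constructed; the element and attribute names follow the freedesktop desktop-bookmark layout that GTK writes.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the freedesktop recently-used.xbel format
NS = {"bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
      "mime": "http://www.freedesktop.org/standards/shared-mime-info"}

# Constructed sample in the shape of $HOME/.local/share/recently-used.xbel
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0" xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/analyst/Downloads/invoice.pdf" added="2022-09-06T13:31:00Z"
            modified="2022-09-06T14:02:10Z" visited="2022-09-06T14:02:10Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/pdf"/>
      <bookmark:applications>
        <bookmark:application name="evince" exec="&apos;evince %u&apos;"
                              modified="2022-09-06T14:02:10Z" count="3"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///tmp/setup.sh" added="2022-09-06T13:40:00Z"
            modified="2022-09-06T13:40:00Z" visited="2022-09-06T13:40:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/x-shellscript"/>
      <bookmark:applications>
        <bookmark:application name="gedit" exec="&apos;gedit %u&apos;"
                              modified="2022-09-06T13:40:00Z" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>
"""


def parse_recently_used(xml_text):
    """One record per <bookmark>: path, MIME type, first/last visit, opening apps."""
    root = ET.fromstring(xml_text)
    records = []
    for bm in root.findall("bookmark"):
        apps = [{"name": a.get("name"), "count": int(a.get("count", "0")),
                 "last_used": a.get("modified")}
                for a in bm.findall("info/metadata/bookmark:applications/"
                                    "bookmark:application", NS)]
        mime = bm.find("info/metadata/mime:mime-type", NS)
        records.append({"href": bm.get("href"),
                        "first_visit": bm.get("added"),   # first time recorded
                        "last_visit": bm.get("visited"),  # most recent open
                        "mime": mime.get("type") if mime is not None else None,
                        "apps": apps})
    return records
```

Run it against a real file with `parse_recently_used(open(path).read())`; the per-application `count` tells you how many times each program opened the file, which the visit timestamps alone do not.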
Daily Linux Forensics Trivia #9 - Describe how file permissions are stored in the inode for EXT and XFS.
From the early days of Unix file systems, permissions are stored in a packed two-byte field. The upper four bits are the file type. The remaining twelve bits track set-UID, set-GID, "sticky", and then "rwx" perms for owner, group, and other.