Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Sep 6, 2022 · 1:31 PM UTC

Daily Linux Forensics Trivia #1 -- Name two places in the Linux file system where the file type is encoded. wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.
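An added example, not part of the thread above, showing the two encodings side by side: the `file_type` byte in an ext4 directory entry (`ext4_dir_entry_2`) and the `S_IFMT` bits of the inode's `i_mode`. The directory block and inode modes are constructed by hand inside the script, not read from an image; the final entry is deliberately built so the two sources disagree, which is the kind of inconsistency a forensic cross-check should surface.

```python
"""Decode the two places ext4 records a file's type: the inode's i_mode
field and the file_type byte of each directory entry (ext4_dir_entry_2).
Added example; the directory block and inode modes below are constructed
by hand, not read from a real image."""
import stat
import struct

# ext4_dir_entry_2.file_type values (EXT4_FT_* in fs/ext4/ext4.h)
DIRENT_TYPES = {
    0: "unknown", 1: "regular", 2: "directory", 3: "chrdev",
    4: "blkdev", 5: "fifo", 6: "socket", 7: "symlink",
}


def make_dirent(inode, name, file_type):
    """Build one ext4_dir_entry_2: inode u32, rec_len u16, name_len u8,
    file_type u8, then the name padded to a multiple of 4 bytes."""
    raw = name.encode()
    rec_len = (8 + len(raw) + 3) & ~3
    return struct.pack("<IHBB", inode, rec_len, len(raw), file_type) + raw.ljust(rec_len - 8, b"\0")


def parse_dir_block(block):
    """Walk a directory block and return (inode, name, file_type_name) per live entry."""
    entries = []
    off = 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        if rec_len < 8:
            raise ValueError(f"corrupt rec_len at offset {off}")
        name = block[off + 8: off + 8 + name_len].decode(errors="replace")
        if inode != 0:  # inode 0 marks an unused slot
            entries.append((inode, name, DIRENT_TYPES.get(ftype, f"bad({ftype})")))
        off += rec_len
    return entries


def inode_type(i_mode):
    """Decode the S_IFMT bits of an inode's i_mode field."""
    return {
        stat.S_IFREG: "regular", stat.S_IFDIR: "directory", stat.S_IFCHR: "chrdev",
        stat.S_IFBLK: "blkdev", stat.S_IFIFO: "fifo", stat.S_IFSOCK: "socket",
        stat.S_IFLNK: "symlink",
    }.get(stat.S_IFMT(i_mode), "unknown")


def cross_check(block, inode_table):
    """Return the names whose dirent file_type disagrees with the inode's i_mode."""
    return [name for inode, name, dtype in parse_dir_block(block)
            if inode in inode_table and inode_type(inode_table[inode]) != dtype]


# Constructed sample: one directory block plus the i_mode of every inode it references.
SAMPLE_BLOCK = (make_dirent(2, ".", 2) + make_dirent(2, "..", 2)
                + make_dirent(12, "notes.txt", 1) + make_dirent(13, "bin", 2)
                + make_dirent(14, "latest", 7) + make_dirent(15, "ghost", 1))
SAMPLE_INODES = {2: 0o40755, 12: 0o100644, 13: 0o40755, 14: 0o120777,
                 15: 0o40700}  # inode 15 is a directory, but its dirent claims "regular"

if __name__ == "__main__":
    for ino, name, dtype in parse_dir_block(SAMPLE_BLOCK):
        print(f"{ino:4d} {name:10s} dirent={dtype:10s} inode={inode_type(SAMPLE_INODES[ino])}")
    print("mismatches:", cross_check(SAMPLE_BLOCK, SAMPLE_INODES))
```

On a real image the same comparison is done between a directory block pulled from the file system and the inode table; a dirent that says "regular" for an inode whose `i_mode` says "directory" (or vice versa) is either corruption or tampering and deserves a closer look.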
Daily Linux Forensics Trivia #14 - If the default log rotation policy has not been changed, roughly how many days' worth of logs should you expect to find on a Linux system?
Trivia Answer #14 - Standard log rotation happens weekly and four weeks of old logs are saved. So you could end up with anywhere from 28-35 days of logs online.
Daily Linux Forensics Trivia #16 - How many bits are block addresses in EXT4?
Trivia Answer #16 - EXT4 uses 48-bit block addresses. Apparently the developers were concerned that 64-bit addresses would result in file systems that were so large that they could potentially not be fsck-ed in a reasonable amount of time.
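An added example, not from the thread, showing where the 48 bits actually live: an ext4 extent record stores the physical block number as a 16-bit `ee_start_hi` and a 32-bit `ee_start_lo`, which have to be recombined when decoding an extent tree. The extent leaf below is constructed inline; the `0x8000`-style block numbers are arbitrary and not from any real file system.

```python
"""Decode ext4 extent records and recombine the 48-bit physical block
address from ee_start_hi (16 bits) and ee_start_lo (32 bits).
Added example with a hand-constructed extent tree leaf, not data from a
real file system."""
import struct

EXT4_EXT_MAGIC = 0xF30A
EXT_INIT_MAX_LEN = 1 << 15  # ee_len above this marks an uninitialized (preallocated) extent


def make_extent_leaf(extents):
    """Pack an ext4_extent_header (depth 0) followed by ext4_extent records.
    extents is a list of (logical_block, ee_len, physical_block)."""
    hdr = struct.pack("<HHHHI", EXT4_EXT_MAGIC, len(extents), 4, 0, 0)
    body = b""
    for lblk, ee_len, pblk in extents:
        if pblk >= 1 << 48:
            raise ValueError("physical block does not fit in 48 bits")
        body += struct.pack("<IHHI", lblk, ee_len, pblk >> 32, pblk & 0xFFFFFFFF)
    return hdr + body


def parse_extent_leaf(raw):
    """Return [(logical_block, length, physical_block, initialized)] from a leaf node."""
    magic, entries, _max_entries, depth, _generation = struct.unpack_from("<HHHHI", raw, 0)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError(f"bad extent header magic 0x{magic:04x}")
    if depth != 0:
        raise ValueError("not a leaf node (eh_depth != 0); index nodes hold ei_leaf_hi/lo instead")
    out = []
    for i in range(entries):
        lblk, ee_len, hi, lo = struct.unpack_from("<IHHI", raw, 12 + 12 * i)
        initialized = ee_len <= EXT_INIT_MAX_LEN
        length = ee_len if initialized else ee_len - EXT_INIT_MAX_LEN
        out.append((lblk, length, (hi << 32) | lo, initialized))
    return out


def max_fs_bytes(block_size=4096):
    """Largest file system addressable with 48-bit block numbers at this block size."""
    return (1 << 48) * block_size


# Constructed sample: two extents, one of which needs bits above 32 (ee_start_hi = 0x0123).
SAMPLE_LEAF = make_extent_leaf([
    (0, 8, 0x123456789AB),
    (8, EXT_INIT_MAX_LEN + 4, 0x8000),  # uninitialized extent of 4 blocks
])

if __name__ == "__main__":
    for lblk, length, pblk, init in parse_extent_leaf(SAMPLE_LEAF):
        print(f"logical {lblk:6d} len {length:5d} -> physical 0x{pblk:012x} "
              f"{'initialized' if init else 'UNINITIALIZED'}")
    print("max fs size with 4 KiB blocks:", max_fs_bytes() >> 60, "EiB")
```

The uninitialized case matters for carving: a preallocated extent points at blocks that have never been written by this file, so whatever they contain is residue from earlier use, not the file's own data.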
Daily Linux Forensics Trivia #18 - During an IR you find a script used by the attackers that is gathering known_hosts and id_* files from user $HOME/.ssh directories. What would the attacker use these files for?
Trivia Answer #18 - @MalwareJake points out that determining attacker intent is always difficult, but known_hosts files plus SSH keys (id_* files) are useful for attempts at lateral movement. Enabling the HashKnownHosts option and using strong passphrases on keys slows attackers.
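An added example, not from the thread, of why HashKnownHosts slows an attacker who has copied a known_hosts file. OpenSSH's hashed entries have the form `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|`: a plain entry hands over the target list, while a hashed entry only confirms a hostname the attacker already guesses. The known_hosts contents, hostnames and key material below are constructed; the fixed salt is for reproducibility (OpenSSH draws a fresh random salt per entry).

```python
"""Show what HashKnownHosts changes for an attacker who has stolen
~/.ssh/known_hosts: plain entries list targets outright, hashed ones
(|1|salt|hash|) only let you confirm a hostname you already guess.
Added example; the known_hosts text below is constructed."""
import base64
import hashlib
import hmac


def hash_host(hostname, salt):
    """OpenSSH hashed known_hosts token: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))|."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """True if the first known_hosts field (plain or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac_b64, _ = field.split("|")
        return hmac.compare_digest(field, hash_host(hostname, base64.b64decode(salt_b64)))
    return hostname in field.split(",")  # plain entries may list several names/addresses


def recover_hosts(known_hosts_text, guesses):
    """What an attacker learns: plain hosts directly, hashed hosts only by guessing.
    Returns (hosts listed in clear, hashed hosts confirmed from guesses, hashed hosts still unknown)."""
    listed, confirmed, opaque = [], [], 0
    for line in known_hosts_text.splitlines():
        if not line or line.startswith("#"):
            continue
        field = line.split()[0]
        if field.startswith("|1|"):
            hits = [g for g in guesses if host_matches(field, g)]
            confirmed.extend(hits)
            if not hits:
                opaque += 1
        else:
            listed.extend(field.split(","))
    return listed, confirmed, opaque


# Constructed sample: one plain entry and two hashed ones. OpenSSH uses 20 random
# salt bytes per entry; a fixed salt is used here so the output is reproducible.
SALT = bytes(range(20))
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "bastion.corp.example,10.0.0.5 " + FAKE_KEY,
    hash_host("db01.corp.example", SALT) + " " + FAKE_KEY,
    hash_host("10.0.0.77", SALT) + " " + FAKE_KEY,
])

if __name__ == "__main__":
    listed, confirmed, opaque = recover_hosts(SAMPLE_KNOWN_HOSTS, ["db01.corp.example", "10.0.0.1"])
    print("listed outright:       ", listed)
    print("confirmed by guessing: ", confirmed)
    print("hashed, still unknown: ", opaque)
```

The same brute-force loop is what `ssh-keygen -F hostname` does for one name; hashing does not stop an attacker with a good wordlist of internal hostnames, which is why the thread pairs it with passphrases on the keys rather than treating it as sufficient on its own.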
Daily Linux Forensics Trivia #19 - What data can you find in $HOME/.lesshst?
Trivia Answer #19 - Congrats to @lux_amalgamated for checking in with the correct answer! $HOME/.lesshst tracks search terms and shell escape commands entered by the user in the “less” program. It DOES NOT track which files the user has viewed.
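An added example, not from the thread, that parses a `.lesshst` file: a `.less-history-file:` header line, then `.search` and `.shell` sections whose entries are lines beginning with a double quote. The file contents are constructed; the keyword list in `suspicious_search_terms` is an assumption about what credential hunting looks like, not anything the thread states.

```python
"""Parse a $HOME/.lesshst file: a '.less-history-file:' header followed by
'.search' and '.shell' sections whose entries are lines beginning with a
double quote. Added example over a constructed file; nothing here comes
from a real system."""

HEADER = ".less-history-file:"


def parse_lesshst(text):
    """Return {section_name: [entries]} for each '.name' section in the file."""
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        raise ValueError("not a less history file")
    sections, current = {}, None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("."):
            current = line[1:]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif line.startswith('"'):
            sections[current].append(line[1:])
        else:
            sections[current].append(line)  # keep any other line types verbatim
    return sections


def suspicious_search_terms(sections, keywords=("passw", "secret", "BEGIN", "token")):
    """Search strings typed into less that look like credential hunting.
    The keyword list is an assumption for illustration."""
    return [s for s in sections.get("search", [])
            if any(k.lower() in s.lower() for k in keywords)]


# Constructed sample .lesshst
SAMPLE_LESSHST = "\n".join([
    HEADER,
    ".search",
    '"ERROR',
    '"passw',
    '"BEGIN RSA',
    ".shell",
    '"cat /etc/shadow',
    '"id',
    "",
])

if __name__ == "__main__":
    sections = parse_lesshst(SAMPLE_LESSHST)
    for name, entries in sections.items():
        print(f"[{name}]")
        for e in entries:
            print("   ", e)
    print("credential-hunting searches:", suspicious_search_terms(sections))
```

Because the file records what was searched for and run, not which file was open, pair it with shell history and file access timestamps to work out which files those searches were run against.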