Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Sep 6, 2022 · 1:31 PM UTC

Daily Linux Forensics Trivia #1 -- Name two places in the Linux file system where the file type is encoded. wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.
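Added example (not from the original thread): the two encodings the answer refers to, decoded side by side. The directory-entry half parses the ext4 `ext4_dir_entry_2` layout (inode, rec_len, name_len, file_type, name) from a hand-built 64-byte block; the inode half decodes the S_IFMT bits of `i_mode`. The sample block and inode table are constructed for this example, and the cross-check at the end is the kind of consistency test an examiner would run, since the two copies of the type should agree.

```python
import stat
import struct

# ext4 on-disk directory entry (struct ext4_dir_entry_2): inode u32, rec_len u16,
# name_len u8, file_type u8, then the name bytes. The file_type byte is present
# when the filesystem's "filetype" feature is enabled; it is the copy that lets
# tools classify entries without reading each inode.
EXT4_FT = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev",
           4: "blockdev", 5: "fifo", 6: "socket", 7: "symlink"}

# The same information as encoded in the inode's i_mode (S_IFMT bits).
IMODE_FT = {stat.S_IFREG: "regular", stat.S_IFDIR: "directory",
            stat.S_IFCHR: "chardev", stat.S_IFBLK: "blockdev",
            stat.S_IFIFO: "fifo", stat.S_IFSOCK: "socket", stat.S_IFLNK: "symlink"}


def _entry(inode, rec_len, ftype, name):
    """Build one directory entry zero-padded to rec_len (helper for constructed data)."""
    body = struct.pack("<IHBB", inode, rec_len, len(name), ftype) + name
    return body + b"\x00" * (rec_len - len(body))


# Constructed 64-byte directory block holding ".", ".." and "notes.txt".
# Not taken from any real image.
SAMPLE_DIR_BLOCK = (_entry(2, 12, 2, b".")
                    + _entry(2, 12, 2, b"..")
                    + _entry(13, 40, 1, b"notes.txt"))

# Constructed inode table excerpt: inode number -> i_mode.
SAMPLE_INODES = {2: 0o040755, 13: 0o100644}


def parse_ext4_dir_block(block):
    """Return [(inode, name, type_from_dirent)] for the live entries in a block."""
    entries = []
    off = 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break  # corrupt or truncated entry: stop rather than run off the block
        name = block[off + 8:off + 8 + name_len].decode("utf-8", "replace")
        if inode != 0:  # inode 0 marks an unused slot
            entries.append((inode, name, EXT4_FT.get(ftype, "unknown")))
        off += rec_len
    return entries


def inode_file_type(i_mode):
    """Decode the file type from an inode's i_mode field."""
    return IMODE_FT.get(stat.S_IFMT(i_mode), "unknown")


def dirent_inode_mismatches(entries, inodes):
    """Cross-check both encodings; any disagreement deserves a closer look."""
    bad = []
    for inode, name, dtype in entries:
        itype = inode_file_type(inodes[inode]) if inode in inodes else "missing"
        if itype != dtype:
            bad.append((name, dtype, itype))
    return bad


if __name__ == "__main__":
    found = parse_ext4_dir_block(SAMPLE_DIR_BLOCK)
    for ino, name, dtype in found:
        print(f"inode {ino:>4}  {name:<12} dirent={dtype:<9} "
              f"inode={inode_file_type(SAMPLE_INODES[ino])}")
    print("mismatches:", dirent_inode_mismatches(found, SAMPLE_INODES))
```

On a real image the block would come from the directory's data blocks and the `i_mode` values from the inode table; the parsing is the same.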
Daily Linux Forensics Trivia #12 - Given only a disk image, how do you determine the default timezone of a Linux system?
Trivia Answer #12 - Shout out to @JPoForenso for a pretty complete solution. It turns out not all Linux distros are the same in this. Some have an /etc/timezone file that contains the time zone name in text format.
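Added example (not the thread author's code) covering the distro differences the answer hints at. It is assumed the image is mounted read-only at some path; the function first tries the text file `/etc/timezone`, then reads the `/etc/localtime` symlink target without following it (following it would resolve into the examiner's own host), and finally recognises a plain TZif copy, which carries no zone name. `build_sample_root` builds throwaway trees so the logic can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def find_default_timezone(image_root):
    """Return (zone_name, source) for a mounted Linux root; (None, None) if nothing found."""
    root = Path(image_root)

    # 1. Debian-style text file: one line such as "America/Denver".
    tz_file = root / "etc" / "timezone"
    if tz_file.is_file():
        name = tz_file.read_text(errors="replace").strip()
        if name:
            return name, "/etc/timezone"

    # 2. Symlink into the zoneinfo tree (common on systemd-based distros).
    #    Read the link text only; never resolve() it, the absolute target
    #    belongs to the image, not to the analysis host.
    localtime = root / "etc" / "localtime"
    if localtime.is_symlink():
        target = os.readlink(localtime)
        marker = "zoneinfo/"
        if marker in target:
            return target.split(marker, 1)[1], "/etc/localtime symlink"
        return target, "/etc/localtime symlink"

    # 3. A regular file that is a copy of the TZif data: rules are present,
    #    but the zone name itself is not recorded in the file.
    if localtime.is_file():
        with open(localtime, "rb") as fh:
            magic = fh.read(4)
        if magic == b"TZif":
            return None, "/etc/localtime is a TZif copy; zone name not recorded"

    return None, None


def build_sample_root(style):
    """Construct a throwaway fake root for the example (not from any real image)."""
    root = Path(tempfile.mkdtemp(prefix="tzdemo_"))
    (root / "etc").mkdir()
    if style == "timezone-file":
        (root / "etc" / "timezone").write_text("America/Denver\n")
    elif style == "symlink":
        os.symlink("/usr/share/zoneinfo/Europe/Berlin", root / "etc" / "localtime")
    elif style == "tzif-copy":
        (root / "etc" / "localtime").write_bytes(b"TZif2" + b"\x00" * 40)
    return root


if __name__ == "__main__":
    for style in ("timezone-file", "symlink", "tzif-copy", "empty"):
        print(f"{style:<14}", find_default_timezone(build_sample_root(style)))
```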
Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?
Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.
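Added example (not from the original thread): a small parser for the dhclient lease syntax found in those `dhclient-<GUID>-<NIC>.lease` files, plus a helper that splits the interface name out of the filename. The lease text and filename below are constructed for the example (placeholder UUID, private addresses, made-up domain); the field names (`interface`, `fixed-address`, `option dhcp-server-identifier`, `expire`, and so on) are the standard dhclient ones. Each distinct DHCP server identifier or domain name in the history is a separate network the NIC once joined.

```python
import re
from datetime import datetime

# Constructed filename with a placeholder connection UUID.
SAMPLE_LEASE_FILENAME = "dhclient-00000000-0000-4000-8000-000000000000-wlp2s0.lease"

# Constructed lease file content in dhclient syntax; two leases from two networks.
SAMPLE_LEASE_FILE = """\
lease {
  interface "wlp2s0";
  fixed-address 192.168.7.42;
  option subnet-mask 255.255.255.0;
  option routers 192.168.7.1;
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.7.1;
  option dhcp-server-identifier 192.168.7.1;
  renew 2 2022/09/06 08:15:00;
  rebind 2 2022/09/06 17:45:00;
  expire 2 2022/09/06 20:45:00;
}
lease {
  interface "wlp2s0";
  fixed-address 10.0.0.151;
  option routers 10.0.0.1;
  option dhcp-server-identifier 10.0.0.1;
  option domain-name "neighbor.lan";
  renew 3 2022/09/07 10:00:00;
  rebind 3 2022/09/07 19:30:00;
  expire 3 2022/09/07 22:30:00;
}
"""

FILENAME_RE = re.compile(r"^dhclient-(?P<uuid>[0-9a-fA-F-]{36})-(?P<nic>.+)\.lease$")
LEASE_BLOCK = re.compile(r"lease\s*\{(.*?)\}", re.S)
# "<option> key value;" with an optional leading "option" keyword.
STATEMENT = re.compile(r"^\s*(option\s+)?([\w-]+)\s+(.*?);[ \t]*$", re.M)


def connection_and_nic(filename):
    """Split a dhclient-<UUID>-<NIC>.lease name into (connection uuid, nic)."""
    m = FILENAME_RE.match(filename)
    return (m.group("uuid"), m.group("nic")) if m else (None, None)


def parse_dhclient_leases(text):
    """Return one dict per lease block, keyed by statement name (option prefix dropped)."""
    leases = []
    for block in LEASE_BLOCK.findall(text):
        lease = {}
        for _is_option, key, value in STATEMENT.findall(block):
            value = value.strip().strip('"')
            if key in ("renew", "rebind", "expire"):
                # dhclient writes "<weekday> YYYY/MM/DD HH:MM:SS" (UTC); drop the weekday
                value = value.split(None, 1)[1]
            lease[key] = value
        leases.append(lease)
    return leases


def lease_time(lease, field="expire"):
    """Parse one of the renew/rebind/expire timestamps into a datetime."""
    return datetime.strptime(lease[field], "%Y/%m/%d %H:%M:%S")


def summarize(leases):
    """(interface, address, dhcp server, domain, expiry) per lease, oldest first."""
    rows = [(l.get("interface", ""), l.get("fixed-address", ""),
             l.get("dhcp-server-identifier", ""), l.get("domain-name", ""),
             l.get("expire", "")) for l in leases]
    return sorted(rows, key=lambda r: r[4])


if __name__ == "__main__":
    print("file covers", connection_and_nic(SAMPLE_LEASE_FILENAME))
    for row in summarize(parse_dhclient_leases(SAMPLE_LEASE_FILE)):
        print(row)
```

Running the parser over every `.lease` file in the directory and sorting the rows by expiry gives a timeline of the networks each interface has been on; the timestamps are written in UTC, so convert with the system's timezone if local time matters.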
Daily Linux Forensics Trivia #15 - Write a regular expression to match traditional Syslog-style logs in unallocated blocks.
Trivia Answer #15 - The typical Syslog log timestamp is “Mon dd hh:mm:ss”, e.g. “Sep 21 7:49:34”. The regex “[A-Z][a-z]{2} +[0-9]+ +[0-9]+:[0-9]{2}:[0-9]{2} ” matches this pattern and is effective at finding old/deleted log entries in unallocated.
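Added example (not the thread author's code) that runs the answer's regex as a bytes pattern over a blob standing in for unallocated space, and carves each hit out to the end of its line. The blob is constructed for the example: two plausible log lines surrounded by binary junk, plus one decoy that matches the pattern but has no real month abbreviation. The optional `strict` check goes one step beyond the tweet's regex by requiring a real month, which cuts down false hits in large images.

```python
import re

# The pattern from the answer, as a bytes regex so it can run over raw blocks.
SYSLOG_TS = re.compile(rb"[A-Z][a-z]{2} +[0-9]+ +[0-9]+:[0-9]{2}:[0-9]{2} ")

MONTHS = {b"Jan", b"Feb", b"Mar", b"Apr", b"May", b"Jun",
          b"Jul", b"Aug", b"Sep", b"Oct", b"Nov", b"Dec"}

# Constructed stand-in for unallocated space: junk, two log lines, a decoy, junk.
SAMPLE_BLOB = (
    b"\x00\xff\x13random slack" + b"\x00" * 8
    + b"Sep 21 07:49:34 host sshd[1234]: Accepted publickey for alice "
      b"from 10.0.0.5 port 51234 ssh2\n"
    + b"\x89PNG\r\n\x1a\n" + bytes(range(40))
    + b"Sep 21 07:49:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
      b"USER=root ; COMMAND=/bin/bash\n"
    + b"Xyz 99 12:00:00 decoy that matches the shape but not a month\n"
    + b"\x00" * 16
)


def carve_syslog_lines(blob, strict=True):
    """Return [(offset, line)] for every Syslog-style line found in blob.

    Each hit is cut at the first newline or the first non-printable byte, so
    a log line that runs straight into binary data still comes out clean.
    With strict=True the three-letter month must be a real one.
    """
    hits = []
    for m in SYSLOG_TS.finditer(blob):
        start = m.start()
        end = blob.find(b"\n", start)
        if end == -1:
            end = len(blob)
        line = blob[start:end]
        cut = next((i for i, b in enumerate(line) if b < 0x20 or b > 0x7E), len(line))
        line = line[:cut]
        if strict and line[:3] not in MONTHS:
            continue
        hits.append((start, line.decode("ascii")))
    return hits


if __name__ == "__main__":
    for offset, line in carve_syslog_lines(SAMPLE_BLOB):
        print(f"{offset:08x}  {line}")
```

Against a real image the same loop would read the device or image file in large overlapping chunks rather than loading it whole; the offsets it reports are what you would pass to a block-level tool to recover the surrounding data.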
Daily Linux Forensics Trivia #17 - Explain this configuration from /etc/sudoers: "%wheel ALL : (ALL) ALL" [and don't forget to sign up for my 2-day Linux Forensics training at wildwesthackinfest.com/deadw…]
Trivia Answer #18 - “Members of group ‘wheel’ may, on any system, as any user, run any command.” In other words, unlimited Sudo access to all members of group wheel. Group membership may be via a user’s default group in /etc/passwd or via the “wheel” entry in /etc/group.
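Added example (not from the original thread) that puts the answer into code: it parses a sudoers user specification, written in the form sudoers actually accepts (`%wheel ALL=(ALL) ALL`), and then resolves who is really in `wheel` by combining both membership routes the answer names, the primary GID in `/etc/passwd` and the member list in `/etc/group`. The passwd and group excerpts are constructed for the example; in the constructed data `alice` is in wheel only through her primary group and `bob` only through the group file, so neither file alone tells the whole story.

```python
import re

# Constructed /etc/passwd and /etc/group excerpts (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:10:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:bob
users:x:100:
bob:x:1001:
carol:x:1002:
"""
SAMPLE_SUDOERS_LINE = "%wheel ALL=(ALL) ALL"

# user_or_%group  host_list = (runas_list) command_list   (runas part optional)
SUDOERS_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_user_spec(line):
    """Break one sudoers user specification into its parts."""
    m = SUDOERS_SPEC.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    who = m.group("who")
    return {
        "who": who.lstrip("%"),
        "is_group": who.startswith("%"),
        "hosts": m.group("host"),
        # sudoers defaults the Runas list to root when it is omitted
        "runas": m.group("runas") or "root",
        "commands": m.group("cmds").strip(),
    }


def members_of_group(group_name, passwd_text, group_text):
    """Union of explicit /etc/group members and users whose primary GID is the group."""
    gid, explicit = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            gid = fields[2]
            explicit = {u for u in fields[3].split(",") if u}
    if gid is None:
        return set()
    primary = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == gid:
            primary.add(fields[0])
    return explicit | primary


def effective_users(spec, passwd_text, group_text):
    """Accounts a user specification applies to, after expanding a %group."""
    if spec["is_group"]:
        return members_of_group(spec["who"], passwd_text, group_text)
    return {spec["who"]}


if __name__ == "__main__":
    spec = parse_user_spec(SAMPLE_SUDOERS_LINE)
    print(spec)
    print("applies to:", sorted(effective_users(spec, SAMPLE_PASSWD, SAMPLE_GROUP)))
```

The same two functions, pointed at the image's own `/etc/passwd`, `/etc/group` and `/etc/sudoers` (plus anything pulled in from `/etc/sudoers.d`), give a quick list of which accounts on a seized system held unrestricted sudo rights.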