Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Sep 6, 2022 · 1:31 PM UTC

Daily Linux Forensics Trivia #1 -- Name two places in the Linux file system where the file type is encoded. wildwesthackinfest.com/deadw…
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.
Daily Linux Forensics Trivia #21 - You find the attacker's privilege escalation exploit installed as /tmp/evil. You want to find all files on the system that were modified since the privilege escalation exploit was dropped. How would you do this in Linux?
Trivia Answer #21 - Shout out to @lux_amalgamated for chiming in on this one. Assuming you have your evidence mounted on /mnt/evidence, the easiest thing to do is "find /mnt/evidence -newer /mnt/evidence/tmp/evil". This will show all files with a later mtime than /tmp/evil.
Daily Linux Forensics Trivia #22 - Explain what happens in an EXT directory file when you delete a file from that directory.
Trivia Answer #22 -- The quick summary is that the entry for the deleted file becomes "slack space" at the end of the previous directory entry. The inode number and file name from the deleted file entry are still visible. More details at sans.org/blog/understanding-…
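An added example, not part of the thread: a small Python parser for the ext2/3/4 on-disk directory entry format, run over a constructed 64-byte directory block. It shows the file_type byte that Trivia #1 refers to and, after unlinking one entry the way the kernel does, recovers the deleted entry's inode number and name from the slack now covered by the previous entry's rec_len (Trivia #22). Block contents, names and inode numbers are made up.

```python
import struct

# ext2/3/4 directory entry header: inode (u32), rec_len (u16), name_len (u8), file_type (u8)
HDR = struct.Struct("<IHBB")
FILE_TYPES = {0: "unknown", 1: "regular", 2: "directory", 3: "chardev", 4: "blockdev",
              5: "fifo", 6: "socket", 7: "symlink"}

def _aligned(name_len):
    """Minimum space an entry with this name length occupies (4-byte aligned)."""
    return (HDR.size + name_len + 3) & ~3

def make_entry(inode, name, file_type, rec_len=None):
    """Build one on-disk entry; rec_len defaults to the minimum aligned size."""
    rec_len = _aligned(len(name)) if rec_len is None else rec_len
    body = HDR.pack(inode, rec_len, len(name), file_type) + name
    return body + b"\x00" * (rec_len - len(body))

def unlink_entry(block, name):
    """Mimic the kernel on unlink: fold the victim's rec_len into the previous
    entry, or zero its inode field if the victim is the first entry in the block."""
    block, off, prev = bytearray(block), 0, None
    while off < len(block):
        inode, rec_len, name_len, _ = HDR.unpack_from(block, off)
        if block[off + HDR.size: off + HDR.size + name_len] == name:
            if prev is None:
                struct.pack_into("<I", block, off, 0)
            else:
                prev_len = struct.unpack_from("<H", block, prev + 4)[0]
                struct.pack_into("<H", block, prev + 4, prev_len + rec_len)
            return bytes(block)
        prev, off = off, off + rec_len
    raise FileNotFoundError(name)

def parse_dir_block(block):
    """Return (live, deleted): entries reached by following rec_len, plus old
    entries still readable in the slack that each rec_len now spans."""
    live, deleted, off = [], [], 0
    while off < len(block):
        inode, rec_len, name_len, ftype = HDR.unpack_from(block, off)
        if rec_len < HDR.size:          # corrupt length, stop rather than loop forever
            break
        name = block[off + HDR.size: off + HDR.size + name_len].decode(errors="replace")
        if inode:
            live.append((inode, name, FILE_TYPES.get(ftype, "?")))
        elif name_len:                  # first-in-block deletion: inode zeroed, name survives
            deleted.append((0, name, FILE_TYPES.get(ftype, "?")))
        end, s = off + rec_len, off + _aligned(name_len)
        while s + HDR.size <= end:      # walk the slack behind this entry
            d_ino, d_rec, d_nlen, d_ftype = HDR.unpack_from(block, s)
            if d_ino == 0 or d_nlen == 0 or s + HDR.size + d_nlen > end:
                break
            d_name = block[s + HDR.size: s + HDR.size + d_nlen].decode(errors="replace")
            deleted.append((d_ino, d_name, FILE_TYPES.get(d_ftype, "?")))
            s += d_rec if _aligned(d_nlen) <= d_rec <= end - s else _aligned(d_nlen)
        off = end
    return live, deleted

# Constructed 64-byte block: ".", "..", "evil", "notes.txt"; the last entry's rec_len pads to the end
BLOCK = (make_entry(2, b".", 2) + make_entry(2, b"..", 2) + make_entry(13, b"evil", 1)
         + make_entry(14, b"notes.txt", 1, rec_len=64 - 36))
AFTER_RM = unlink_entry(BLOCK, b"evil")   # "rm evil": ".." now spans 24 bytes, evil's bytes untouched
```

parse_dir_block(AFTER_RM) lists only ".", ".." and "notes.txt" as live, but still reports inode 13 / "evil" from the slack, which is exactly what a directory-carving tool relies on.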
Daily Linux Forensics Trivia #23 - You find these commands in /root/.bash_history: "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk". What did these commands accomplish?
Trivia Answer #23 - Lots of responses, including @rvandenbrink, @DfirNotes, and @jtsylve. The dd command will create a file called junk that will consume all unallocated blocks and overwrite them with random data. This should obliterate any evidence in unallocated.
Daily Linux Forensics Trivia #24 - You look at a directory listing and there are two subdirectories named “..”. How is this possible?
Trivia Answer #24 - One of the directories is named “.. “ (dot dot space) or some other similar name with a non-printing character. Use “ls -b” to see the non-printing characters. @MalwareJake was suspiciously quick with the answer on this one… almost as if… nah!