Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 11, 2022 · 2:42 PM UTC

Hal Pomeranz · Sep 11, 2022 · 2:42 PM UTC

Hal Pomeranz @hal_pomeranz

11 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

Daily Linux Forensics Trivia #6 - How can you determine when a Linux system was installed?

Sep 11, 2022 · 2:42 PM UTC

Hal Pomeranz · Sep 12, 2022 · 12:38 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

I'm going to give @stoney27 credit on this one-- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.

Hal Pomeranz · Sep 12, 2022 · 12:39 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

Note that on some Linux distros there is an installation log that you can find under /var/log or /root. That will give you a much more exact timeline, if present.

Hal Pomeranz · Sep 12, 2022 · 12:42 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

Some people use the creation dates on the host SSH keys (/etc/ssh/ssh_host_*). These are generally a good indicator for when the system was first booted, since they are usually generated automatically at first boot.

Scott Stonefield · Sep 11, 2022 · 3:53 PM UTC

Scott Stonefield @stoney27

11 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

Check the date on the device of root filesystem?

LeadSoulSearcher · Sep 11, 2022 · 5:43 PM UTC

LeadSoulSearcher @LL_CISSP

11 Sep 2022

Replying to @hal_pomeranz @WWHackinFest

As an auditor, I am interested in the answer