Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 11, 2022 · 2:42 PM UTC

Hal Pomeranz @hal_pomeranz

11 Sep 2022

Daily Linux Forensics Trivia #6 - How can you determine when a Linux system was installed?

Hal Pomeranz · Sep 12, 2022 · 12:38 PM UTC

Hal Pomeranz · Sep 12, 2022 · 12:38 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

I'm going to give @stoney27 credit on this one-- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.

Sep 12, 2022 · 12:38 PM UTC

Hal Pomeranz · Sep 12, 2022 · 12:39 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

Note that on some Linux distros there is an installation log that you can find under /var/log or /root. That will give you a much more exact timeline, if present.

Hal Pomeranz · Sep 12, 2022 · 12:42 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

Some people use the creation dates on the host SSH keys (/etc/ssh/ssh_host_*). These are generally a good indicator for when the system was first booted, since they are usually generated automatically at first boot.

Mike · Sep 14, 2022 · 3:15 AM UTC

Mike @cartoonlord

14 Sep 2022

Replying to @hal_pomeranz @stoney27

Hal, is lost+found created when fsck is run so maybe not at installation?

Hal Pomeranz · Sep 14, 2022 · 7:59 AM UTC

Hal Pomeranz @hal_pomeranz

14 Sep 2022

lost+found gets created when the file system is created. fsck may place orphaned inodes into lost+found if it finds file system damage, but it does not create the directory.

more replies