Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 11, 2022 · 2:42 PM UTC

Hal Pomeranz @hal_pomeranz

11 Sep 2022

Daily Linux Forensics Trivia #6 - How can you determine when a Linux system was installed?

Hal Pomeranz · Sep 12, 2022 · 12:38 PM UTC

Hal Pomeranz @hal_pomeranz

12 Sep 2022

I'm going to give @stoney27 credit on this one-- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.

Mike · Sep 14, 2022 · 3:15 AM UTC

Mike @cartoonlord

14 Sep 2022

Hal, is lost+found created when fsck is run so maybe not at installation?

Hal Pomeranz · Sep 14, 2022 · 7:59 AM UTC

Hal Pomeranz · Sep 14, 2022 · 7:59 AM UTC

Hal Pomeranz @hal_pomeranz

14 Sep 2022

Replying to @cartoonlord @stoney27

lost+found gets created when the file system is created. fsck may place orphaned inodes into lost+found if it finds file system damage, but it does not create the directory.

Sep 14, 2022 · 7:59 AM UTC

Mike · Sep 14, 2022 · 8:18 PM UTC

Mike @cartoonlord

14 Sep 2022

Replying to @hal_pomeranz @stoney27

Thanks for the clarification