Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 15, 2022 · 2:15 PM UTC

Hal Pomeranz @hal_pomeranz

15 Sep 2022

Daily Linux Forensics Trivia #10 - When investigating a live Linux system, how can you detect if a process is running from a deleted binary? [and don't forget to sign up for live Linux forensics training wildwesthackinfest.com/deadw…]

Hal Pomeranz · Sep 16, 2022 · 11:25 AM UTC

Hal Pomeranz · Sep 16, 2022 · 11:25 AM UTC

Hal Pomeranz @hal_pomeranz

16 Sep 2022

Trivia Answer #10 - @jgasmussen got in first with one good answer: "ls -l /proc/*/exe 2>/dev/null | grep deleted" (bonus points for redirecting stderr!)

Sep 16, 2022 · 11:25 AM UTC

Hal Pomeranz · Sep 16, 2022 · 11:27 AM UTC

Hal Pomeranz @hal_pomeranz

16 Sep 2022

Then @DfirNotes chimed in with the other typical way for doing this, "lsof +L1", which would show all open but unlinked files ("+L1" means "link count < 1", or zero). If you just want running deleted executables, make it "lsof +L1 -a -d txt"