Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 16, 2022 · 11:30 AM UTC

Hal Pomeranz · Sep 16, 2022 · 11:30 AM UTC

Hal Pomeranz @hal_pomeranz

16 Sep 2022

Daily Linux Forensics Trivia #11 - Yesterday's question asked how to spot processes running from deleted executables during live analysis. How would you recover the deleted executable?

Sep 16, 2022 · 11:30 AM UTC

Hal Pomeranz · Sep 17, 2022 · 4:32 PM UTC

Hal Pomeranz @hal_pomeranz

17 Sep 2022

Trivia Answer #11 - @MalwareJake checked in with the correct answer: “cat /proc/<pid>/exe > /path/to/newfile”. The “cp” command works too. Try to write the recovered file someplace that won’t mess up your evidence.

Jake Williams · Sep 16, 2022 · 11:31 AM UTC

Jake Williams @MalwareJake

16 Sep 2022

Replying to @hal_pomeranz

cat /proc/{pid}/exe > malware