Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 18, 2022 · 1:36 PM UTC

Hal Pomeranz · Sep 18, 2022 · 1:36 PM UTC

Hal Pomeranz @hal_pomeranz

18 Sep 2022

Daily Linux Forensics Trivia #13 - Your suspect claims they never connected their Linux laptop to their neighbor's WiFi network. What Linux artifact could you use to disprove this claim?

Sep 18, 2022 · 1:36 PM UTC

Hal Pomeranz · Sep 19, 2022 · 11:07 AM UTC

Hal Pomeranz @hal_pomeranz

19 Sep 2022

Trivia Answer #13 - On modern Linux distros, look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired. They are not normally cleaned up and may cover the entire lifetime of the equipment.

Hal Pomeranz · Sep 19, 2022 · 11:08 AM UTC

Hal Pomeranz @hal_pomeranz

19 Sep 2022

On older systems, look under /var/lib/dhc* for similar files.

Ricky 👻🖤🎶 · Sep 18, 2022 · 1:49 PM UTC

Ricky 👻🖤🎶 @Teck923

18 Sep 2022

Replying to @hal_pomeranz

top of my head: routing table. /proc/net/route? dhcp leases. (forgot the location) arp table. SSID/wireless history /etc/networkmanager (dependent on the OS)