Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #21 - You find the attacker's privilege escalation exploit installed as /tmp/evil. You want to find all files on the system that were modified since the privilege escalation exploit was dropped. How would you do this in Linux?

Sep 26, 2022 · 11:18 AM UTC

Trivia Answer #21 - Shout out to @lux_amalgamated for chiming in on this one. Assuming you have your evidence mounted on /mnt/evidence, the easiest thing to do is "find /mnt/evidence -newer /mnt/evidence/tmp/evil". This will show all files with a later mtime than /tmp/evil.
Replying to @hal_pomeranz
I would like to have a word with your attacker about his "I-livz-in-my-p@r3ntz-basement-sh0ut-0utz-to-my-p33pz" naming-convention choices.
Replying to @hal_pomeranz
Since the find command won't show you everything that happened on a certain date, you can work around it by creating a custom timestamped file (assuming you are root) using the touch command. 1/
Replying to @hal_pomeranz
Say the initial compromise happened on September 26, 2022. Create a proxy timestamp reference file like this:

    # touch -t 202209260000 /tmp/timefile

Then use find to list the events that happened after your file's timestamp:

    # find / -newer /tmp/timefile

(or other drive) 2/
Replying to @hal_pomeranz
Then check the output for weirdness like modified .bash_history and strange filenames in the /tmp directory. Shoutout to Hal's awesome Linux Forensics class that I took through @Antisy_Training (Antisyphon Training) 3/
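Both techniques from the thread, Hal's "find -newer the dropped file" answer and the reply's "touch -t a proxy reference file" variant, worked through on a constructed evidence tree. This is an added example, not code from either poster: the tree under a temporary directory stands in for /mnt/evidence, and every path and timestamp in it is made up so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a small constructed evidence
# tree with hand-set mtimes, then answers two questions:
#   1. which files have an mtime later than the attacker's dropped file?
#   2. which files have an mtime later than a chosen date/time?
set -eu

# Stand-in for /mnt/evidence (constructed, not real evidence).
EVIDENCE=$(mktemp -d)

# Constructed sample tree. touch -t takes CCYYMMDDhhmm.
mkdir -p "$EVIDENCE/tmp" "$EVIDENCE/root" "$EVIDENCE/etc"
touch -t 202209200900 "$EVIDENCE/etc/passwd"          # long before the drop
touch -t 202209251200 "$EVIDENCE/etc/hosts"           # day before the drop
touch -t 202209261015 "$EVIDENCE/tmp/evil"            # attacker's exploit
touch -t 202209261030 "$EVIDENCE/root/.bash_history"  # after the drop
touch -t 202209270800 "$EVIDENCE/tmp/.x"              # after the drop

# Technique 1 (the trivia answer): files whose mtime is later than the
# reference file's mtime. -type f keeps the directories, whose mtimes were
# set by mkdir just now, out of the listing.
newer_than_file() {
    ref=$1
    find "$EVIDENCE" -type f -newer "$ref" | sort
}

# Technique 2 (the reply): no file with the right mtime exists, so create a
# proxy reference file with touch -t and compare against that instead.
newer_than_date() {
    stamp=$1                      # CCYYMMDDhhmm
    reffile=$(mktemp)
    touch -t "$stamp" "$reffile"
    find "$EVIDENCE" -type f -newer "$reffile" | sort
    rm -f "$reffile"
}

# Helpers that return just the hit count, handy for scripting or checks.
count_newer_than_file() { newer_than_file "$1" | wc -l | tr -d ' '; }
count_newer_than_date() { newer_than_date "$1" | wc -l | tr -d ' '; }

# Call when done with the constructed tree.
cleanup_evidence() { rm -rf "$EVIDENCE"; }

# Stand-alone run: list both result sets.
echo "== modified after $EVIDENCE/tmp/evil =="
newer_than_file "$EVIDENCE/tmp/evil"
echo "== modified after 2022-09-26 00:00 =="
newer_than_date 202209260000
```

Two caveats a practitioner should keep in mind: -newer compares modification time only, so a file whose mtime was reset by the attacker will not show up (GNU find's -newerXY forms, for example -newerct, let you compare ctime instead, which is harder to forge from userland); and the proxy-file trick assumes the evidence clock and the analysis host agree on time zone, so set TZ explicitly if they differ.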