Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #21 - You find the attacker's privilege escalation exploit installed as /tmp/evil. You want to find all files on the system that were modified since the privilege escalation exploit was dropped. How would you do this in Linux?
Trivia Answer #21 - Shout out to @lux_amalgamated for chiming in on this one. Assuming you have your evidence mounted on /mnt/evidence, the easiest thing to do is "find /mnt/evidence -newer /mnt/evidence/tmp/evil". This will show all files with a later mtime than /tmp/evil.

Sep 27, 2022 · 2:31 PM UTC

Replying to @hal_pomeranz
That is easier! This is just one of the cool tricks I picked up in Hal's Linux Forensics class @Antisy_Training. The hands-on labs were great - clear instructions & explanations. Bonus: Great I.R. war stories from someone who's seen pretty much everything!
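The `find -newer` trick from Trivia Answer #21, rebuilt as an added example (not code from the thread) on a constructed evidence tree in a temp dir standing in for /mnt/evidence. It also shows the -newermt variant pivoting on a log timestamp, and one file the mtime-based search misses: a backdoor whose mtime was backdated. All file names, contents and timestamps below are constructed.

```bash
#!/usr/bin/env bash
# Added example: reproduce "find /mnt/evidence -newer /mnt/evidence/tmp/evil"
# on a constructed tree, and show where an mtime-only search falls short.
set -eu

# Build the constructed evidence tree and print its path.
setup_evidence() {
    ev=$(mktemp -d)
    mkdir -p "$ev/tmp" "$ev/etc/cron.d" "$ev/home/user/.ssh"
    # Pre-intrusion files, dated well before the exploit was dropped.
    echo 'root:x:0:0::/root:/bin/bash' > "$ev/etc/passwd"
    echo 'notes' > "$ev/home/user/notes.txt"
    touch -d '2022-09-01 08:00:00' "$ev/etc/passwd" "$ev/home/user/notes.txt"
    # The dropped exploit (constructed stand-in); its mtime is the pivot.
    echo 'constructed stand-in for /tmp/evil' > "$ev/tmp/evil"
    touch -d '2022-09-20 12:00:00' "$ev/tmp/evil"
    # Post-exploit changes: written now, so their mtime is later than evil's.
    echo 'backdoor:x:0:0::/:/bin/bash' >> "$ev/etc/passwd"
    echo '@reboot /tmp/evil' > "$ev/etc/cron.d/persist"
    # Backdated key: written now, then mtime reset to before the exploit.
    echo 'ssh-ed25519 AAAA-constructed-key' > "$ev/home/user/.ssh/authorized_keys"
    touch -d '2022-09-01 09:00:00' "$ev/home/user/.ssh/authorized_keys"
    echo "$ev"
}

# The thread's trick: files whose mtime is later than the reference file's.
# -type f keeps directories out (their mtime changes when entries are added);
# the reference itself is excluded because -newer is a strict comparison.
files_modified_since_exploit() {
    find "$1" -type f -newer "$1/tmp/evil" -printf '%P\n' | sort
}

# Same idea pivoting on an explicit timestamp (e.g. a suspicious login in
# auth.log) instead of the exploit's own mtime, which an attacker can alter.
files_modified_after() {
    find "$1" -type f -newermt "$2" -printf '%P\n' | sort
}

ev=$(setup_evidence)
echo '--- -newer tmp/evil ---'
files_modified_since_exploit "$ev"
echo '--- -newermt "2022-09-20 11:59:00" (constructed auth.log time) ---'
files_modified_after "$ev" '2022-09-20 11:59:00'
# authorized_keys appears in neither list: mtime is attacker-controlled.
# On a real image, cross-check ctime, which touch -d does not backdate.
stat -c '%n mtime=%y ctime=%z' "$ev/home/user/.ssh/authorized_keys"
rm -rf "$ev"
```

Pivoting on the log time also surfaces tmp/evil itself, since it was dropped after that timestamp; on a real mounted image the ctime printed by stat is the one preserved from the evidence, not the examiner's clock.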