Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #23 - You find these commands in /root/.bash_history: "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk". What did these commands accomplish?

Sep 28, 2022 · 2:15 PM UTC

Trivia Answer #23 - Lots of responses, including @rvandenbrink, @DfirNotes, and @jtsylve. The dd command will create a file called junk that will consume all unallocated blocks and overwrite them with random data. This should obliterate any evidence in unallocated.
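As an added example (not part of the thread), here is a small Python scanner that a responder could run over a recovered .bash_history to flag the pattern from Trivia #23: a dd that reads /dev/urandom, /dev/random or /dev/zero into a file (free-space fill) or a block device, followed by an rm, shred or unlink of the same path. The history lines it scans are constructed sample data, not from the thread.

```python
"""Flag free-space-wiping command sequences in a bash history file.

Added example, not code from the thread. Looks for:
  dd if=/dev/{urandom,random,zero} of=<path> ...   (fill or device wipe)
followed by rm/shred/unlink of the same <path>.
"""
import os
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sources of filler bytes that indicate wiping rather than a normal copy.
WIPE_SOURCES = {"/dev/urandom", "/dev/random", "/dev/zero"}

# Commands that remove the filler file once it has consumed unallocated space.
REMOVERS = {"rm", "shred", "unlink"}


@dataclass
class WipeEvent:
    dd_line: int              # 1-based history line of the dd command
    rm_line: Optional[int]    # line of the matching removal, if one was seen
    target: str               # value of of=
    source: str               # value of if=

    @property
    def kind(self) -> str:
        # Writing filler to a block device wipes the device; writing to a
        # regular path fills unallocated blocks until the filesystem is full.
        return "device-wipe" if self.target.startswith("/dev/") else "free-space-fill"


def _split_commands(line: str) -> List[str]:
    # bash history keeps "a; b && c" on one line; treat each part separately.
    return [c.strip() for c in re.split(r";|&&|\|\|", line) if c.strip()]


def find_wipe_events(history: str) -> List[WipeEvent]:
    """Return every dd-from-filler-source event, linked to a later removal."""
    pending: Dict[str, WipeEvent] = {}
    events: List[WipeEvent] = []
    for lineno, line in enumerate(history.splitlines(), start=1):
        for cmd in _split_commands(line):
            try:
                argv = shlex.split(cmd)
            except ValueError:      # unbalanced quotes: skip, do not crash
                continue
            if not argv:
                continue
            prog = os.path.basename(argv[0])
            if prog == "dd":
                opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
                src, dst = opts.get("if"), opts.get("of")
                if src in WIPE_SOURCES and dst:
                    ev = WipeEvent(dd_line=lineno, rm_line=None, target=dst, source=src)
                    events.append(ev)
                    pending[dst] = ev
            elif prog in REMOVERS:
                for arg in argv[1:]:
                    if arg in pending:
                        pending.pop(arg).rm_line = lineno
    return events


# Constructed sample history (hypothetical, for demonstration only).
SAMPLE_HISTORY = "\n".join([
    "cd /tmp",
    "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk",
    "ls -la",
    "dd if=backup.img of=/mnt/restore.img bs=4M",   # ordinary copy, not flagged
    "dd if=/dev/zero of=/var/tmp/fill bs=1M",
    "rm -f /var/tmp/fill",
])


def report(history: str) -> List[str]:
    """Human-readable one-liners for each detected event."""
    out = []
    for ev in find_wipe_events(history):
        removal = f"removed on line {ev.rm_line}" if ev.rm_line else "no removal seen"
        out.append(f"line {ev.dd_line}: {ev.kind} of {ev.target} from {ev.source}, {removal}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_HISTORY):
        print(line)
```

The dd-then-rm pair is only visible if the shell wrote its history at all: bash appends to HISTFILE when the shell exits, so an interrupted session or an unset HISTFILE leaves no record, and the absence of such lines is not evidence the fill did not happen. Filesystem metadata (a large, recently deleted inode and a burst of free-space churn) is the corroborating source to check.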
If you’re in a virtual environment that doesn’t pre-allocate disks, this also has the side-effect of increasing the storage used by your instance and making it more costly to get a forensic copy.
You just shredded a new file called "junk" in the "/" directory essentially and then unlinked it.
If /junk is a directory, then it overwrites some slack space (deleted file data) with random chars. If /junk is a file, then it is likely overwriting an attacker’s file with random prior to deleting it. Either way, some of your deleted blocks will be less useful 🙂
Replying to @hal_pomeranz
Overwrites the file /junk in memory with random data to keep it from being recovered, before unlinking it. I'm curious why that block size though
Replying to @hal_pomeranz
really muddy up the disk and possibly in-memory data/swap to make recovery and forensic analysis harder (use up blocks freed by unlinking files and folders)
Replying to @hal_pomeranz
Essentially fills unallocated space with garbage by creating a large file containing random data until the file system runs out of space and then deletes the file.