Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Sep 28, 2022 · 2:15 PM UTC

Hal Pomeranz @hal_pomeranz

28 Sep 2022

Daily Linux Forensics Trivia #23 - You find these commands in /root/.bash_history: "dd if=/dev/urandom of=/junk bs=1M; rm -rf /junk". What did these commands accomplish?

Hal Pomeranz · Sep 29, 2022 · 12:17 PM UTC

Hal Pomeranz · Sep 29, 2022 · 12:17 PM UTC

Hal Pomeranz @hal_pomeranz

29 Sep 2022

Trivia Answer #23 - Lots of responses, including @rvandenbrink, @DfirNotes, and @jtsylve. The dd command will create a file called junk that will consume all unallocated blocks and overwrite them with random data. This should obliterate any evidence in unallocated.

Sep 29, 2022 · 12:17 PM UTC

Hal Pomeranz · Sep 29, 2022 · 12:19 PM UTC

Hal Pomeranz @hal_pomeranz

29 Sep 2022

If you’re in a virtual environment that doesn’t pre-allocate disks, this also has the side-effect of increasing the storage used by your instance and making it more costly to get a forensic copy.

Rob VandenBrink · Sep 29, 2022 · 12:50 PM UTC

Rob VandenBrink @rvandenbrink

29 Sep 2022

Replying to @hal_pomeranz @DfirNotes @jtsylve

If you do fill up the drive, especially if it is the boot drive, all sorts of other unfortunate things are likely to happen too, even if you delete the file right away