Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
34
50
2
95
Replying to @hal_pomeranz @WWHackinFest
Daily Linux Forensics Trivia #29 - You are given a disk image of a Linux system. How do you determine which distro and version it is?

Oct 4, 2022 · 12:13 PM UTC

6
9
1
14
Trivia Answer #29 - Shout out to @Grabbi_it for chiming in with the answer. Mount your evidence and look at /etc/os-release, which should be there regardless of which distro you have been given.
1
2
4
Other distros may also have another /etc/*-release file, like /etc/lsb-release on Debian/Ubuntu or /etc/redhat-release on RHEL/Fedora/CentOS
1
Some folks suggested looking at /etc/issue or /etc/motd. While these files often contain the distro/version info, they are also just as likely to have been edited and contain a site-specific message without the OS information.
Replying to @hal_pomeranz @strandjs @WWHackinFest
I upload it to virustotal.
3
GIF
Replying to @hal_pomeranz @WWHackinFest
Mount with autofs and cat /etc/*-release ?!
Replying to @hal_pomeranz @WWHackinFest
..and cat /etc/lsb-release
4
Replying to @hal_pomeranz @WWHackinFest
mount it and cat /etc/issue, /etc/issue.net, or /etc/release
7
Replying to @hal_pomeranz @WWHackinFest
..or mount the boot partition and have a look at the grub / isolinux config.
1