Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Oct 5, 2022 · 12:52 PM UTC

Hal Pomeranz · Oct 5, 2022 · 12:52 PM UTC

Hal Pomeranz @hal_pomeranz

5 Oct 2022

Daily Linux Forensics Trivia #30 - Write a "find" expression to locate directories whose names begin with a dot (".") and which are not located in a user's home directory.

Oct 5, 2022 · 12:52 PM UTC

Hal Pomeranz · Oct 6, 2022 · 12:59 PM UTC

Hal Pomeranz @hal_pomeranz

6 Oct 2022

Trivia Answer #30 - The correct answer is "find / \( -path /root -o -path /home/\*/\* \) -prune -o -type d -name .\* -print", but this one deserves some deeper explanation.

Hal Pomeranz · Oct 6, 2022 · 1:02 PM UTC

Hal Pomeranz @hal_pomeranz

6 Oct 2022

"find / -type d -name .\*" will get you directory names that begin with dot. But dot directories in user home dirs are not unusual. "\( -path /root -o -path /home/\*/\* \)" matches the normal user profile paths and "-prune" says don't go into those dirs.

Hal Pomeranz · Oct 6, 2022 · 1:04 PM UTC

Hal Pomeranz @hal_pomeranz

6 Oct 2022

So if it's a user home dir path, we prune our search there. Otherwise print directory names starting with dot.

Hal Pomeranz · Oct 6, 2022 · 1:06 PM UTC

Hal Pomeranz @hal_pomeranz

6 Oct 2022

The final "-print" matters here! Because find's default action is "-print", leaving off the final "-print" means that both the "-prune" directories and the dot directories would print out. Specifying "-print" for the dot dirs means the "-prune" dirs won't print. find is weird.