Hal Pomeranz · Sep 6, 2022 · 1:31 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

6 Sep 2022

Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…

Hal Pomeranz · Oct 9, 2022 · 2:39 PM UTC

Hal Pomeranz · Oct 9, 2022 · 2:39 PM UTC

Hal Pomeranz @hal_pomeranz

9 Oct 2022

Daily Linux Forensics Trivia #34 [last daily trivia before @WWHackinFest!] - How are atimes handled by default in EXT?

Oct 9, 2022 · 2:39 PM UTC

Hal Pomeranz · Oct 9, 2022 · 2:39 PM UTC

Hal Pomeranz @hal_pomeranz

9 Oct 2022

Oh come on. If you know me at all, you knew I would end on a file systems question!

Hal Pomeranz · Oct 10, 2022 · 1:21 PM UTC

Hal Pomeranz @hal_pomeranz

10 Oct 2022

Trivia Answer #34 - By default EXT uses "relatime" ("relative atimes") which means that atimes are only updated if the mtime on the file is newer than the atime at the moment the file is read.

Hal Pomeranz · Oct 10, 2022 · 1:23 PM UTC

Hal Pomeranz @hal_pomeranz

10 Oct 2022

Note that under "relatime" atimes will also be updated if the current atime is more than 24hrs old. The upshot is that atime often indicates the FIRST time a program is executed during an incident, rather than the last time as we would infer when atimes were updated every access.

Michael Boelen · Oct 9, 2022 · 3:41 PM UTC

Michael Boelen @mboelen

9 Oct 2022

Replying to @hal_pomeranz @WWHackinFest

Hmm, don't fully remember, but I thought it's updated when ctime needs to be updated or otherwise after 24 hours