Andrew Case · Sep 9, 2012 · 10:01 PM UTC

Andrew Case @attrc

9 Sep 2012

Month of @volatility plugins teaser: Recovering .bash_history from memory, even in the face of anti-forensics: pastebin.com/Pj39TMrU #dfir

Hal Pomeranz · Sep 9, 2012 · 10:19 PM UTC

Hal Pomeranz @hal_pomeranz

9 Sep 2012

@attrc Does it only work if history timestamps are enabled?

Andrew Case · Sep 9, 2012 · 10:27 PM UTC

Andrew Case @attrc

9 Sep 2012

@hal_pomeranz nope, that's the awesome part, bash keeps them anyway

Hal Pomeranz · Sep 9, 2012 · 10:28 PM UTC

Hal Pomeranz · Sep 9, 2012 · 10:28 PM UTC

Hal Pomeranz @hal_pomeranz

9 Sep 2012

Replying to @attrc

@attrc Ah, I gotcha-- identifying the bash processes and sucking the history out?

Sep 9, 2012 · 10:28 PM UTC

Andrew Case · Sep 9, 2012 · 10:30 PM UTC

Andrew Case @attrc

9 Sep 2012

@hal_pomeranz yep using the structures in mem so u get time run and command together

Hal Pomeranz · Sep 9, 2012 · 10:38 PM UTC

Hal Pomeranz @hal_pomeranz

9 Sep 2012

@attrc Nice work!

Andrew Case · Sep 9, 2012 · 10:31 PM UTC

Andrew Case @attrc

9 Sep 2012

@hal_pomeranz also works if histfile / histsize is unset by the attacker