Corey Harrell · Oct 30, 2012 · 1:26 PM UTC

Corey Harrell @corey_harrell

30 Oct 2012

Coolest thing is seeing a Linux box through the lense of a timeline. Overlaying log data on top of filesystem metadata

Hal Pomeranz · Oct 30, 2012 · 1:39 PM UTC

Hal Pomeranz · Oct 30, 2012 · 1:39 PM UTC

Hal Pomeranz @hal_pomeranz

30 Oct 2012

@corey_harrell What's interesting is to try to map cmds in shell history to filesystem artifacts: pkg updates, file copies, archive unpacks.

Oct 30, 2012 · 1:39 PM UTC

Corey Harrell · Oct 30, 2012 · 1:42 PM UTC

Corey Harrell @corey_harrell

30 Oct 2012

@hal_pomeranz I'll keep that in mind when I set up my next test system. Exploiting Apache on a Linux box to see how it looks.

Corey Harrell · Oct 30, 2012 · 1:58 PM UTC

Corey Harrell @corey_harrell

30 Oct 2012

@hal_pomeranz Besides testing, I've been examining a few Linux boxes over past few months. Pretty interesting stuff

Hal Pomeranz · Oct 30, 2012 · 3:46 PM UTC

Hal Pomeranz @hal_pomeranz

30 Oct 2012

@corey_harrell Need to blog about this, but file timeline + user logins + cmd history tells an interesting story about system activity.