"find / -type d -name .\*" will get you directory names that begin with dot. But dot directories in user home dirs are not unusual. "\( -path /root -o -path /home/\*/\* \)" matches the normal user profile paths and "-prune" says don't go into those dirs.
Trivia Answer #30 - The correct answer is "find / \( -path /root -o -path /home/\*/\* \) -prune -o -type d -name .\* -print", but this one deserves some deeper explanation.
Daily Linux Forensics Trivia #30 - Write a "find" expression to locate directories whose names begin with a dot (".") and which are not located in a user's home directory.
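As an added example (not from the original posts), here is the answer expression wrapped so it can be pointed at any mounted evidence root rather than the live `/`, plus a constructed directory tree that shows which dot-directories the prune branch hides and which ones surface. The `\*` on the page is markdown escaping; in a real shell the pattern must be quoted as `'.*'` so the shell does not expand it.

```shell
#!/bin/sh
# Run the trivia #30 expression under an arbitrary root (e.g. a mounted image).
# With root="" this is exactly the original: find / \( -path /root -o
# -path /home/*/* \) -prune -o -type d -name .* -print
find_hidden_dirs() {
  root=${1%/}   # drop a trailing slash so the -path patterns line up
  find "$root" \( -path "$root/root" -o -path "$root/home/*/*" \) -prune \
       -o -type d -name '.*' -print
}

# Constructed sample tree (assumption: a throwaway layout, not real evidence).
# Dot-dirs under root/ and home/<user>/ are "normal" and should be pruned;
# the ones under var/ and opt/ are the kind an analyst wants to see.
make_sample_tree() {
  mkdir -p "$1/root/.ssh" \
           "$1/home/alice/.cache" "$1/home/alice/proj/.git" \
           "$1/var/lib/.hidden" "$1/opt/.x/nested" "$1/etc"
  touch "$1/etc/.profile"   # a dot *file*; -type d must filter it out
}

# Build the tree, run the expression, return hits relative to the root, sorted.
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  find_hidden_dirs "$tmp" | sed "s|^$tmp||" | sort
  rm -rf "$tmp"
}

demo
```

Expected output is `/opt/.x` and `/var/lib/.hidden`; `/root/.ssh`, `/home/alice/.cache` and `/home/alice/proj/.git` are never printed because `-prune` stops descent at `/root` and at `/home/alice/*`.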
Some folks suggested looking at /etc/issue or /etc/motd. While these files often contain the distro/version info, they are also just as likely to have been edited and contain a site-specific message without the OS information.
Trivia Answer #29 - Shout out to @Grabbi_it for chiming in with the answer. Mount your evidence and look at /etc/os-release, which should be there regardless of which distro you have been given.
“Our new medicine costs thousands per month, but your insurance covers it! Oh you say it’s not covered? Here’s a coupon so you can get it for $25/mo!” — Why do we keep letting this scam play out?
These implement a really cool technique for parsing data structures from C headers. This is the type of stuff I love to see and study! Great stuff @foxit #DFIR
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: docs.dissect.tools / code: github.com/fox-it/dissect