Fearless Forensic Shell Fu With Hal Pomeranz
Antisyphon Training

Streamed live on Aug 28, 2024

🔗 Register for webcasts, summits, and workshops -
https://poweredbybhis.com
🛝 Webcast Slides -
https://www.antisyphontraining.com/wp...
✏️ 🔗 Linux Forensics with Hal Pomeranz -
https://www.antisyphontraining.com/co...

Expensive forensic tools making you blue? Get back to basics with some wacky Linux shell recipes for parsing forensic artifacts. “dd”, “xxd”, arithmetic problems, loops and more! You may never want to go back to your old tools.

Chat with your fellow attendees in the Antisyphon Discord server, in the #🍿anticasts-chat channel

/// Contents
00:00 - Intro - Bash, hex editors and "dd" can verify the results of more expensive tools. Basic Linux command line tools are useful when the expensive tools aren't available.
05:22 - Hex Editor
06:08 - "Linux Systemd journal files" blog post: https://righteousit.com/author/halpom...
07:11 - xxd example
08:14 - Carving journal files - magic numbers
11:55 - Using "xxd -r -p" to convert hex-encoded data to ASCII, etc.
15:10 - Making it look pretty with "tr"
18:17 - HAL9000 AI examples :)
19:07 - "strings -a -t d" - forensics without Sleuthkit
23:13 - Reverse-engineering the file system to find inodes
25:28 - debugfs in interactive shell mode makes "help" available
25:46 - "debugfs -R icheck" from CLI to make it scriptable
27:00 - "debugfs -R stat" "debugfs -R cat"
28:34 - "find", "md5sum"
30:36 - "zgrep"
31:42 - byte offset -> sector offset -> direct address (daddr)
32:46 - "xfs_db -r -c 'convert daddr [daddr] fsblock' [filesystemimage]"
34:15 - "xfs_db -r -c 'blockget -ns' -c 'fsblock [blocknumber]' -c 'blockuse -n' [filesystemimage]"
37:25 - Red Teamers can alter file timestamps with these tools (LOL)
38:58 - xfs_db has a built-in hexdump review
42:36 - No raw mode output in xfs_db - workaround
43:30 - "dd"
44:38 - How xfs does block addressing
52:54 - Shell script to pull out and parse the xfs-extents from a deleted inode
54:01 - Hal's upcoming classes - pay-what-you-can "Zero to Linux", 2-day class at Wild West Hackin' Fest
55:27 - All of Hal's course material is Creative Commons licensed - get it FREE for self-study
Q&A
58:10 - Can you modify the creation timestamp of a running file? debugfs, YES. xfs_db, NO (but xfs_db can be hacked to do it).
59:46 - Flush file system cache with "drop_caches"
1:00:37 - Hardware RAID vs Software RAID

#linux #cybersecurity #infosec #livestream
