Free content from Hal Pomeranz
Free Courseware
All of my courseware is provided under Creative Commons license. Please contact me if you are interested in having me present any of these courses, in person or via the internet. Pre-recorded versions of these trainings are also available on-demand via Antisyphon Training.
“Linux Forensics”, A four-day (32-hour) course on Linux incident response and forensic investigations. A virtual machine with forensic images and lab exercises is provided along with the course content.
“Linux Command Line for Analysts and Operators”, A two-day (16-hour) practical introduction to Linux command line skills. Lab exercises and course content are provided.
“SELinux”, A brief (six-hour) introduction to SELinux and SELinux troubleshooting. A virtual machine with lab exercises is provided along with the course content.
“Not Scary Binary”, This short four-hour course is an introduction to binary encoding/decoding, hexadecimal encoding/decoding, and simple binary arithmetic with masks and shifting.
Linux File System Forensics
XFS — A series of blog posts with a detailed breakdown of the XFS file system:
- “XFS Part 1: The Superblock”
- “XFS Part 2: Inodes”
- “XFS Part 3: Short Form Directories”
- “XFS Part 4: Block Directories”
- “XFS Part 5: Multi-Block Directories”
- “XFS Part 6: B+Tree Directories”
- “Recovering Deleted Files in XFS”
Also several presentations on XFS forensics:
- “XFS: Bit-by-Bit”, originally presented at BSides NOLA
- “XFS Forensics with xfs_db”, an Antisyphon Anti-Cast (video/slides)
- “XFS Deleted File Recovery”, from ComfyCon AU (video/slides)
EXT4 — Taking a deep dive into the changes in EXT4, starting with a series of blog postings:
- “EXT4 Part 1: Extents”
- “EXT4 Part 2: Timestamps”
- “EXT4 Part 3: Extent Trees”
- “EXT4 Part 4: File Deletion”
- “EXT4 Part 5: Large Extents”
- “EXT4 Part 6: Directories”
- “More on EXT4 Timestamps and Timestomping”
Also slides from “EXT4: Bit-by-Bit” (presented at CEIC), as well as another blog article on “How to Mount Dirty EXT File Systems”.
EXT3 — Long ago I wrote an explainer on “Indirect Blocks in Unix File Systems” for the SANS Forensics blog. That led to my developing tools for “EXT3 File Recovery via Indirect Blocks” during my time as a sub-contractor for Mandiant. At DoD CyberCrime I presented “EXT3 File Recovery”, and here’s a video of my giving the presentation to the Omaha Linux User Group. The tools I developed for recovering files from EXT3 file systems are available from my GitHub repos.
Other Linux/Unix Forensics Content
“Systemd Journal and journalctl”, An overview of the Systemd journal and the journalctl command for manipulating it.
“All About Systemd Timers”, What you need to know about forensics related to Linux’s most recently added task scheduling system (blog post/video/slides)
“Linux LKM Persistence”, Tips on persisting an LKM rootkit across reboots and forensic artifacts that can be used to detect such techniques. And then a follow-up article, “A Little More on LKM Persistence”.
“Forensicating Linux LD_PRELOAD Rootkits”, Even low-tech coin miner attacks are attempting to drop LD_PRELOAD rootkits these days. What is an LD_PRELOAD rootkit and how can you detect them? (video/slides)
“You Don’t Know Jack About bash_history”, Turns out that I knew less about bash_history than I thought when I began this research. The basics of bash_history forensics and anti-forensics along with some of my more surprising findings. (video/slides)
“Orphan Processes in Linux”, Was that process started by Systemd or is it an orphan process from an interactive session?
“Hudak’s Honeypot”, A multi-part investigation into a compromised Linux honeypot, using volatile data captured by UAC and supported by disk image forensics.
“Working With UAC”, Some examples of how to modify UAC to add your own artifacts.
Two episodes of my “Linux Forensics Magical Mystery Tour” and other Antisyphon Training webcasts:
- “Episode 1: Let’s Talk About EXT (Baby)”, What do atimes mean in the era of “relatime”? What can EXT’s allocation algorithm teach us about recovering deleted data? (video/slides)
- “Episode 2: It’s All About the Logs”, Syslog, auditd, web logs, and more! Oh my! (video/slides)
- “Fearless Forensic Shell Fu”, Living off the land with bash, xxd, and dd (video/slides)
“EXT File System Recovery”, Your file system is trashed! How much of the directory structure can you recover from the remaining block information? (video/slides)
“Images and dm-crypt and LVM2… Oh My!”, A blog article explaining how to navigate and unpack Linux disk images that use both LUKS/dm-crypt encrypted containers and logical volume management (LVM2). This led to a CEIC presentation, “Images and dm-crypt and LVM2… Oh Mount!”
“More on mlocate.db”, Recovering fragments of deleted mlocate.db data on Linux
“Linux Forensics for Non-Linux Folks”, Just getting started in Linux Forensics? Here are some useful artifacts to know about. (video/slides)
“Simple MySQL Data Extraction”, Some tips and tricks for investigators who want to extract database data to CSV files without having to become a database expert. Also the mysql2csv tool referenced in the presentation.
“FreeBSD Computer Forensic Tips and Tricks”, Older content, but people keep telling me it’s still useful to them.
Windows Forensics and Incident Response
“IR Event Log Analysis”, Some helpful tips and patterns to look for when analyzing Windows event logs during an incident. (video/slides)
“Resident $DATA Residue in NTFS MFT Entries”, Also known as “MFT Slack”: MFT entries in NTFS can contain copies of resident data from previous files or previous versions of the same file.
Linux Red-Teaming/Offensive Security
extstomp, A shell script that uses debugfs to set file timestamps in EXT file systems
“Hiding Linux Processes with Bind Mounts”, A fun living off the land trick for hiding processes in Linux, plus some notes on how to detect it.
“Linux [EX]DR Evasion”, Some quick thoughts about evading current Linux endpoint security tools. For more explanation, see this video of my Antisyphon presentation.
“Leveraging SSH Keys for Lateral Movement”, We’re seeing attackers hoover up SSH keys and known_hosts files for lateral movement, but they’re missing a trick by not looking for ssh-agent sockets.
Linux Command Line Skills
Command Line Kung Fu — The blog that started it all. Great times with Ed Skoudis (CMD.EXE), Tim Medin (PowerShell and later CMD.EXE), and Paul Asadoorian (Mac and Linux).
Archive of my “Daily Linux Command Line Trivia” questions and answers from Mastodon
Several episodes of “Linux Command Line Dojo” with Antisyphon Training:
- “Command Line Dojo”, Histograms, time zones, SSH trickeration, anti-forensics (video/slides). Also bash_history files for root and hal from the presentation.
- “Return of the Sensei”, Sorting, finding, breaking down complex problems (video/slides). Also bash_history files for root and hal from the presentation.
- “Old Dog, New Tricks”, New stuff with the find command, file handles not FIFOs (video/slides)
Several different versions of my older “Unix Command-Line Kung Fu” talks:
- The most recent Return of Command-Line Kung Fu talk from SANS NetSec 2010.
- Updated Return of Command-Line Kung Fu presentation from OS Bridge 2010.
- Yet another Return of Command-Line Kung Fu slide deck, first used at the SANS2010 Conference in Orlando. It covers some useful command-line hacks for Computer Forensics folks (and others) and is very different from the talk above.
- The version from the Open Source Bridge 2009 conference in Portland covers more general command-line tips and tricks.
- The original version of the talk, given a few times at SANS conferences.
Professional Development
“You Caught Me In An Introspective Moment” is my look back at nearly 40 years of professional IT experience and my journey into the field. And there’s career advice mixed in there too, of course.
After fifteen years as a “lone eagle” consultant I wrote a series of blog posts trying to encapsulate my experiences and pass along guidance and “lessons learned”. It’s been quite a while since then, but the advice is still valid:
- Consulting Part 1: The Case for Consulting
- Consulting Part 2: An Important Cash Flow Lesson
- Consulting Part 3: Billing Rates
- Consulting Part 4: Insurance Matters
- Consulting Advice from a Friend
- Consulting Part 5: Finding Work
- Consulting Part 6: Work Finds Experts
- Consulting Part 7: Work? What Work?
- Consulting Part 8: Avoiding Overhead
- Consulting Part 9: Knowing When to Say When
I’ve been working professionally in IT since the 1980s and would like to think I’ve learned a few things along the way. Here are some hard-learned lessons and bits of my personal philosophy:
- “Facing Your Dragons” (true learning is found outside your comfort zone)
- “How I Learned to Start Loving Implementation Plans” (planning makes perfect)
- “It Doesn’t Take that Much Longer to do it Right” (don’t create avoidable technical debt)
- “Never Sell Security as Security” (don’t expend political capital you don’t have to)
- “The Blame Game” (fix the problem, don’t fix blame)
- “Never Argue With Your Boss” (lesson from my worst day in IT)
- “Communicating Success (and Failure)” (don’t hide your light)
Finally some advice for people who are just starting out in the Information Security field:
- “Getting Started in InfoSec (or Any Other Field)”
- Eric Huber’s “Interview with Hal Pomeranz“
- Cyber Security Interviews, “#18 – Hal Pomeranz“