#FOR577
How to collect memory-only filesystems on Linux systems, (Wed, Oct 29th)

I've been doing Unix/Linux IR and Forensics for a long time. I logged into a Unix system for the first time in 1983. That's one of the reasons I love teaching FOR577[1], because I have …
#hackernews #news
How to collect memory-only filesystems on Linux systems, (Wed, Oct 29th)
I've been doing Unix/Linux IR and Forensics for a long time. I logged into a Unix system for the first time in 1983. That's one of the reasons I love teaching FOR577[1], because I have stories that go back to before some of my students were even born that are still relevant today.
isc.sans.edu
October 30, 2025 at 12:20 AM
2 more days to get the early-bird discount for one of my all-time favorite conferences, #SANS #DFIRCON in Miami in Nov. There are a bunch of hands-on workshops on Sun, 16 Nov, lots of evening events during the week #FOR577 my last in 2025. Reg here: www.sans.org/cyber-securi...
September 29, 2025 at 6:25 PM
New tool: convert-ts-bash-history.py, (Fri, Sep 26th)

In SANS FOR577[1], we talk about timelines on day 5, both filesystem and super-timelines. But sometimes, I want something quick and dirty and rather than fire up plaso, just to create a timeline of .ba…

#hackernews #news
New tool: convert-ts-bash-history.py, (Fri, Sep 26th)
In SANS FOR577[1], we talk about timelines on day 5, both filesystem and super-timelines. But sometimes, I want something quick and dirty and rather than fire up plaso just to create a timeline of .bash_history data, it is nice to just be able to parse them and, if timestamps are enabled, see them in a human-readable form. I've had some students in class write scripts to do this and even had one promise to share it with me after class, but I never ended up getting it, so I decided to write my own. This script takes the path to 1 or more .bash_history files and returns a PSV (pipe separated values) list (on stdout) in the form: || where the is in ISO-8601 format (the one true date time format, but only to 1 sec resolution since that is the best that the .bash_history file will give us). In a future version I will probably offer an option to change from PSV to CSV.
isc.sans.edu
September 28, 2025 at 12:47 PM
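The timeline idea from the post above, as an added example that is not the convert-ts-bash-history.py script from the diary: when HISTTIMEFORMAT is set, bash writes a "#<epoch seconds>" line before each command, so a parser only has to pair each of those lines with the command that follows and render the epoch as ISO-8601 at one-second resolution. The sample history, the "source" column and the pipe-escaping rule are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Parse .bash_history files that carry HISTTIMEFORMAT timestamps and emit a
pipe-separated (PSV) timeline with ISO-8601 timestamps.

Added example for this page; it is not the convert-ts-bash-history.py script
from the ISC diary. The sample history below is constructed, not evidence
from any real system.
"""
import re
from datetime import datetime, timezone

# With HISTTIMEFORMAT set, bash writes a "#<epoch seconds>" line before each
# command. Nothing finer than one second is stored, so that is our resolution.
TS_LINE = re.compile(r"^#(\d{9,10})\s*$")

# Constructed sample: two timestamped commands followed by one written while
# HISTTIMEFORMAT was unset (no timestamp line precedes it).
SAMPLE_HISTORY = (
    "#1700000000\n"
    "ls -la /tmp\n"
    "#1700000042\n"
    "cat /etc/shadow | wc -l\n"
    "id\n"
)


def parse_bash_history(text, source="unknown"):
    """Return a list of (iso_timestamp, source, command) tuples.

    A "#<epoch>" line applies only to the next command. Commands without a
    preceding timestamp get an empty timestamp field instead of inheriting a
    stale one, so the timeline never claims precision the file does not have.
    Ordinary "# comment" lines do not match the pattern and are kept as commands.
    """
    rows = []
    pending = None
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        iso = pending.strftime("%Y-%m-%dT%H:%M:%SZ") if pending else ""
        rows.append((iso, source, line))
        pending = None
    return rows


def build_timeline(histories):
    """Merge {source: file_text} into one list sorted by timestamp.

    Rows with no timestamp sort last so the dated events read in order first.
    """
    rows = []
    for source, text in histories.items():
        rows.extend(parse_bash_history(text, source))
    return sorted(rows, key=lambda r: (r[0] == "", r[0]))


def to_psv(rows):
    """Render rows as timestamp|source|command, escaping literal pipes in commands."""
    return "\n".join("|".join(field.replace("|", "\\|") for field in row) for row in rows)


if __name__ == "__main__":
    import sys
    # Usage: script.py /path/to/.bash_history [more ...]; with no args, use the sample.
    if len(sys.argv) > 1:
        histories = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        histories = {"sample": SAMPLE_HISTORY}
    print(to_psv(build_timeline(histories)))
```

Run it against several users' history files at once and the merged output is already in chronological order; the empty-timestamp rows at the end are the commands typed before timestamps were enabled, which is itself worth noting during an investigation.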
New Tool: ficheck.py, (Thu, Jul 24th) As I mention every time I teach FOR577, I have been a big fan of file integrity monitoring tools (FIM) since Gene Kim first released Tripwire well over 30 year...

#Malware #News

New Tool: ficheck.py, (Thu, Jul 24th)
As I mention every time I teach FOR577, I have been a big fan of file integrity monitoring tools (FIM) since Gene Kim first released Tripwire well over 30 years ago. I’ve used quite a few of them over the years including tripwire, OSSEC, samhain, and aide, just to name a few. For many years, I used the fcheck Perl script (by Michael A. Gumienny) that was available as an apt package on Ubuntu because it was lightning fast. Unfortunately, sometime between Ubuntu 16.04 and Ubuntu 20.04 (my memory f...
malware.news
July 24, 2025 at 5:08 AM
Hiding Payloads in Linux Extended File Attributes, (Thu, Jul 17th)

This week, it's SANSFIRE[1]! I'm attending the FOR577[2] training ("Linux Incident Response & Threat Hunting"). On day 2, we covered the different filesystems and how data is organized…

#hackernews #news
Hiding Payloads in Linux Extended File Attributes, (Thu, Jul 17th)
This week, it's SANSFIRE[1]! I'm attending the FOR577[2] training ("Linux Incident Response & Threat Hunting"). On day 2, we covered the different filesystems and how data is organized on disk. In the Linux ecosystem, most filesystems (ext3, ext4, xfs, ...) support "extended file attributes", also called "xattr". It's a file system feature that enables users to add metadata to files. This data is not directly made available to the user and may contain anything related to the file (ex: the author's name, a brief description, ...). You may roughly compare this feature to the Alternate Data Stream (ADS) available in the Windows NTFS filesystem.
isc.sans.edu
July 18, 2025 at 1:30 AM
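The hunting side of the xattr post above, as an added example (not code from the diary): because ls and stat never show extended attributes, a payload parked in a user.* attribute survives a casual look at the file. The scanner below walks a tree with os.listxattr/os.getxattr and reports attributes that are not ones the platform itself sets, are unusually large, or start with a script or executable magic. The allowlist of expected names, the 64-byte threshold and the planted "user.comment" payload are assumptions for this example; it runs on Linux only.

```python
#!/usr/bin/env python3
"""Enumerate extended attributes under a directory and flag the ones an
attacker could use to stash a payload.

Added example for this page, not code from the ISC diary. The allowlist of
"expected" attribute names and the size threshold are assumptions for the
example; tune them to your distribution. Linux only (os.listxattr/os.getxattr).
"""
import os
import tempfile

# Names the platform itself sets (SELinux labels, file capabilities, POSIX ACLs).
# Anything outside this list, or anything unusually large, gets reported.
EXPECTED_PREFIXES = ("security.selinux", "security.capability", "system.posix_acl")
EXECUTABLE_MAGIC = (b"#!", b"\x7fELF", b"MZ")


def list_xattrs(path):
    """Return {name: value} for path; {} if the filesystem does not support xattrs."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except (OSError, AttributeError):
        return {}
    attrs = {}
    for name in names:
        try:
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            attrs[name] = b""
    return attrs


def suspicious_xattrs(attrs, min_size=64):
    """Return the subset of attrs worth triage.

    An attribute is reported when its name is not one the platform normally
    sets, or when its value is at least min_size bytes, or when the value
    starts with an executable/script magic.
    """
    hits = {}
    for name, value in attrs.items():
        expected = name.startswith(EXPECTED_PREFIXES)
        if expected and len(value) < min_size and not value.startswith(EXECUTABLE_MAGIC):
            continue
        hits[name] = value
    return hits


def scan_tree(root, min_size=64):
    """Walk root and return (path, attr_name, size, first_16_bytes) for each hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            for name, value in suspicious_xattrs(list_xattrs(path), min_size).items():
                findings.append((path, name, len(value), value[:16]))
    return findings


def demo():
    """Plant a constructed payload in a user.* attribute on a temp file and scan for it.

    Returns (supported, findings). supported is False when the temp filesystem
    refuses user xattrs (some tmpfs mounts do), in which case findings is empty.
    """
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "innocent.txt")
        with open(target, "wb") as fh:
            fh.write(b"nothing to see here\n")
        try:
            os.setxattr(target, "user.comment", b"#!/bin/sh\necho constructed payload\n")
        except (OSError, AttributeError):
            return False, []
        return True, scan_tree(d)


if __name__ == "__main__":
    supported, findings = demo()
    print("user xattrs supported here:", supported)
    for path, name, size, head in findings:
        print(f"{path}: {name} ({size} bytes) starts with {head!r}")
```

Point scan_tree at a web root or /tmp on a suspect host; on a clean system the only hits should be the platform labels, so every user.* attribute is a lead.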
Linux touches every part of our networks. Our routers, switches, and firewalls likely run some flavor of Linux or Unix. Join me in London in July for the newly updated #SANS #FOR577 where we'll learn how to investigate attacks on Linux systems. www.sans.org/cyber-securi...
April 29, 2025 at 12:20 PM
Join me in one of my favorite places for the updated FOR577. Now, with more BTRFS, more rootkits, and more Linux attacks. #FOR577 #SANSSecWest
February 14, 2025 at 4:58 PM
In just over five and a half hours, there will be a new batch of #Linux incident response coin winners at #SANSLondon. After 5 days on #FOR577, they now face the capstone challenge, and the winners get the coin. #DFIR
January 18, 2025 at 8:23 AM
I just posted a Handler's Diary, I've released a python script to find Linux files with the immutable bit set. #FOR577 @sansisc.bsky.social #SANSDFIR isc.sans.edu/diary/New+to...
New tool: immutable.py - SANS Internet Storm Center
New tool: immutable.py, Author: Jim Clausing
isc.sans.edu
January 18, 2025 at 5:40 AM
Earlier today I had a discussion about #Btrfs and it reminded me of this article on LinkedIn (from March 2024) talking about the Copy-on-Write elements.

If you want to learn more about #Linux incident response, have a look at sans.org/for577!

www.linkedin.com/pulse/linux-...

#dfir
Linux Copy on Write for Incident Responders
Copy on Write filesystems present some interesting situations for incident response and digital forensics. This article looks at file creation and deletion.
www.linkedin.com
December 27, 2024 at 9:04 PM
I'm a CISO and never heard of FOR577 before. Shame on me.

At first, I thought it was about FORTRAN 77. 😜

Anyways, your class might have been cancelled but now I'm gonna learn about FOR577. So, thank you for this!
December 1, 2024 at 1:56 PM
I have a bit of sad news - the #FOR577 class scheduled for Munich in March has been cancelled.

I appreciate it is 4 months away so some people might have been planning to attend but not yet booked. If this is the case, please reach out to SANS and see if it is possible to get it relisted.
December 1, 2024 at 1:52 PM
It's the final countdown here at #DFIRCON Miami as #FOR577 comes to an end!

In a few minutes, the teams will present their evidence, and the best team will win the coveted lethal forensicator coin!

#dfir #cybersecurity
November 23, 2024 at 6:56 PM
It's a gorgeous morning here in Miami as we get ready to start the last day of #FOR577 at #DFIRCON.

The good news is that I *think* we will be coming back here in 2025! If you have ideas for hands-on workshops or want to do awesome #infosec training, keep checking in with SANS for details.
November 22, 2024 at 1:52 PM
In #FOR577 today, we are talking about issues trying to read auditd logs when you don't have access to good tools.

Although there is no one-size-fits-all solution, I've found that deploying an Elastic docker container and ingesting data really speeds things up.

www.linkedin.com/pulse/linux-...
Linux DFIR - Rapid Audit Log Ingestion with Elasticsearch
A guide to using Elasticsearch and Kibana containers to rapidly analyse complex Linux logs, such as the auditd log files.
www.linkedin.com
November 20, 2024 at 7:12 PM
Class starting to fill up early, ahead of Day 3 of #FOR577, here at #DFIRCON Miami.

Today starts with the FHS and how we can threat hunt it, then moves to the magic of logs and the journal.

#Linux #infosec #cybersecurity #dfir
November 20, 2024 at 5:03 PM
It's a sunny start to day 2 of #FOR577 here at #SANSMiami! There are lots of exciting things to cover, and then tonight, I'm giving a keynote on "AI enhanced IR." (Spoiler, we can't really trust it, but it might be useful...)

It's going to be a great day!

#infosec #potatosecurity
November 19, 2024 at 1:31 PM
It's a sunny start to day 2 of #FOR577 here at #SANSMiami! There are lots of exciting things to cover, and then tonight, I'm giving a keynote on "AI enhanced IR." (Spoiler, we can't really trust it, but it might be useful...)

It's going to be a great day!

#infosec #cybersecurity
November 19, 2024 at 1:21 PM
Ten minutes until the start of #FOR577, the Linux IR course, here in sunny Miami!

Super excited to get into the training week after a fantastic #DFIRCon yesterday.

#infosec #cybersecurity
November 18, 2024 at 1:21 PM
I dropped a quick little tool today after some discussion in class today of the /proc filesystem and network connections #dfir #for577 isc.sans.edu/diary/New%20...
New tool: le-hex-to-ip.py - SANS Internet Storm Center
New tool: le-hex-to-ip.py, Author: Jim Clausing
isc.sans.edu
October 5, 2023 at 9:19 PM
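The /proc network-connection problem behind the post above, as an added example that is not the le-hex-to-ip.py script from the diary: /proc/net/tcp and /proc/net/tcp6 print every 32-bit word of an address as a host-order integer, so on little-endian hardware 127.0.0.1 shows up as 0100007F, while ports are printed big-endian. The decoder below reverses each 4-byte word (once for IPv4, four times for IPv6) and parses the state, uid and socket inode columns. The /proc/net/tcp lines are constructed for this example.

```python
#!/usr/bin/env python3
"""Decode the little-endian hex addresses in /proc/net/tcp and /proc/net/tcp6.

Added example for this page; it is not the le-hex-to-ip.py script from the ISC
diary. The sample /proc/net/tcp lines below are constructed for the example.
"""
import socket

# Kernel TCP state codes as printed in the "st" column.
TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1", 5: "FIN_WAIT2",
    6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT", 9: "LAST_ACK", 10: "LISTEN",
    11: "CLOSING", 12: "NEW_SYN_RECV",
}

# Constructed sample: a listener on 127.0.0.1:22, a client connection from
# 10.0.2.15 to 192.168.1.1:443 owned by uid 1000, and an IPv6 listener on [::1]:22.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D3C6 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
"""


def le_hex_to_ip(hexaddr):
    """Convert a /proc/net address field to dotted/colon notation.

    The kernel prints each 32-bit word of the address as a host-order integer,
    so on little-endian machines every 4-byte word appears byte-reversed:
    "0100007F" is 127.0.0.1, and an IPv6 address is four such words in a row.
    """
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    if len(raw) == 16:
        fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
        return socket.inet_ntop(socket.AF_INET6, fixed)
    raise ValueError(f"unexpected address length: {hexaddr}")


def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). Ports are printed big-endian."""
    addr, port = field.split(":")
    return le_hex_to_ip(addr), int(port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text into a list of dicts."""
    entries = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        entries.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # match against /proc/<pid>/fd/* -> socket:[inode] to find the owning process
        })
    return entries


if __name__ == "__main__":
    import sys
    # Usage: script.py [/proc/net/tcp ...]; without arguments, decode the samples.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_TCP, SAMPLE_TCP6]
    for text in sources:
        for e in parse_proc_net_tcp(text):
            print(f"{e['local'][0]}:{e['local'][1]} -> {e['remote'][0]}:{e['remote'][1]} "
                  f"{e['state']} uid={e['uid']} inode={e['inode']}")
```

The inode column is the link to a process: the same number appears as socket:[inode] in some /proc/<pid>/fd/ entry, which is how you attribute a connection on a host where ss or lsof cannot be trusted or are not available.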