Command Line Kung Fu

SANS Forensics Blog

Righteous IT


Doug Brush's interview with Hal Pomeranz on the Cyber Security Interviews podcast

Eric Huber's interview with Hal Pomeranz on the "A Fistful of Dongles" blog

Lenny Zeltser's interview with Hal Pomeranz on the SANS Forensics blog.


"Getting into the (Net)Flow", A quick introduction to using NetFlow for network forensics (SANS Community presentation, Aug 2019).

"Detecting Rootkits in Windows and Linux", Ideas for finding rootkits in your environment-- via endpoint detection, memory analysis, and even some good old command-line kung fu! (SANS Webcast, May 2019).

"PCAP Command-Line Madness", Various command-line tips and tricks for working with network PCAP data (SANS Webcast, Jun 2018).

"XFS Bit by Bit", XFS internals for forensics, also companion blog posts with additional detail (BSides NOLA, May 2018).

"EXT File System Recovery", Recovering Linux file system structure from carved directory files (SANS DFIR Summit 2017). Also the related AnalyzeEXT tool.

"You Don't Know Jack About bash_history", bash_history behaviors that are applicable for forensics and anti-forensics (BSides NOLA, Apr 2016).

"What Your (Encrypted) iPhone Backup Says About You", Details about forensic analysis of iTunes backup directories for iOS devices... even if the backup is encrypted! (BSides NOLA, May 2015).

"IR Event Log Analysis", Some tips for analyzing Windows Event Logs for Incident Responders. A recording of the webcast is available at the SANS web site (SANS Webcast, Feb 2015).

"Automating Linux Memory Capture", A free USB-based tool to automate extraction of Linux memory and building Volatility profiles for Linux analysis (SANS DFIR Summit, June 2014).

"Detecting Malware with Memory Forensics", A quick intro to memory forensics and some techniques for using Redline and Volatility to detect code injection and process hiding (SANS Webcast, Oct 2012).

"Tales From The Crypt!", How to detect the presence of TrueCrypt and TrueCrypt volumes in forensic images. Artifacts that can give you details about the contents of the volume even if the decryption keys are not available (presented at the SANS Forensics Summit, June 2012).

"Passwords are Everywhere", Some thoughts on interesting places to look for clear-text (or easily reversible) passwords during investigations, and why these might be useful (presented at the SANS Forensics Summit, June 2012).

"A Hash Is Worth 1000 Words" (SANS360 presentation), A short talk on how to use MD5 hash values to find common GIF/JPEG/etc files across multiple forensic images using devious Linux command-line kung fu (presented at the SANS Forensics Summit, June 2012).
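As an added illustration of the technique the blurb describes (this is not material from the talk itself), the shell below hashes the image files under each mounted forensic image, deduplicates the hashes per image, and reports every hash that occurs in two or more images. It assumes GNU coreutils (md5sum, sort, uniq, awk) and a find that supports -iname; the two "mount points" it builds are constructed sample data, not evidence from any real case. The talk used MD5; for a real engagement sha256sum drops into the same pipeline unchanged and avoids the known MD5 collision problem.

```shell
#!/bin/sh
# Added example: correlate picture files across several forensic images by hash.
# Usage: common_hashes /mnt/image1 /mnt/image2 [...]   (one argument per mounted image)

# common_hashes DIR... : print "<md5> <number of images>" for every hash that is
# present in at least two of the given mount points. Hashes are deduplicated
# per image first, so ten copies inside one image still count as one image.
common_hashes() {
    for img in "$@"; do
        find "$img" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) \
            -exec md5sum {} + | awk '{print $1}' | sort -u
    done | sort | uniq -c | awk '$1 >= 2 {print $2, $1}'
}

# find_by_hash MD5 DIR... : list every file under the mount points with that MD5,
# so a hit from common_hashes can be traced back to the path inside each image.
find_by_hash() {
    want="$1"; shift
    for img in "$@"; do
        find "$img" -type f -exec md5sum {} + \
            | awk -v h="$want" '$1 == h { sub(/^[^ ]+  /, ""); print }'
    done
}

# make_fixture DIR : build two tiny fake mount points (constructed sample data).
make_fixture() {
    base="$1"
    mkdir -p "$base/image1/home/alice/pics" "$base/image2/Users/bob/Pictures" "$base/image2/tmp"
    # Same bytes in both images under different names: the one hit we expect.
    printf 'GIF89a-shared-logo' > "$base/image1/home/alice/pics/logo.gif"
    printf 'GIF89a-shared-logo' > "$base/image2/Users/bob/Pictures/banner.GIF"
    # Same file name, different content: names do not matter, only hashes.
    printf 'JFIF-photo-one' > "$base/image1/home/alice/pics/photo.jpg"
    printf 'JFIF-photo-two' > "$base/image2/Users/bob/Pictures/photo.jpg"
    # Duplicated only inside image2: counted once there, so not reported.
    printf 'JFIF-cat' > "$base/image2/Users/bob/Pictures/cat.jpg"
    printf 'JFIF-cat' > "$base/image2/tmp/cat.jpg"
    # Identical non-picture file in both images: excluded by the extension filter.
    printf 'hello' > "$base/image1/notes.txt"
    printf 'hello' > "$base/image2/notes.txt"
}

# Stand-alone demo against the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
common_hashes "$demo_dir/image1" "$demo_dir/image2" | while read -r h n; do
    echo "hash $h seen in $n images:"
    find_by_hash "$h" "$demo_dir/image1" "$demo_dir/image2" | sed 's/^/  /'
done
rm -rf "$demo_dir"
```

On a real case the arguments are the read-only mount points of each image (or the output directories of a carving pass); piping the hit list through find_by_hash turns a bare hash into the per-image paths you can cite in a report.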

"Linux Forensics for Non-Linux Folks" (also a recording from the DFIROnline Meetup, March 2012). A survey of useful and important forensic artifacts to check when analyzing a Linux system.

"Images and dm-crypt and LVM2... Oh Mount!" (presented at CEIC, May 2011). Some tips for working with Linux images that may have complicated disk layouts that include encrypted file systems and Logical Volume Manager (LVM2) configurations. See also the related blog post at the SANS Forensics Blog.

"EXT4 Bit-by-Bit" (presented at CEIC, May 2011). Get out your hex editors for an in-depth look at the EXT4 inode. New timestamps! Extents! Crazy de-allocation behaviors! See also the related blog posts at the SANS Forensics Blog as well as this video of Hal Pomeranz presenting at the SANS Forensics Summit (June 2011).

"Linux EXT3 File Recovery via Indirect Blocks" (presented at DoD Cybercrime, Jan 2011). The tools covered in this talk, along with additional documentation, can be found in this article on the FireEye blog. There is also a video of Hal Pomeranz giving this talk at the SANS Forensics Summit (June 2011).

"Simple MySQL Data Extraction": some tips and tricks for investigators who want to extract database data to CSV files without having to become a database expert (presented at DoD Cybercrime, Jan 2011). Also the mysql2csv tool referenced in the presentation.

Two presentations related to Zeus botnets and ACH fraud:

Intro to Linux Digital Forensics, with information on Linux file systems and recovering deleted data.

Several different versions of Hal's "Unix Command-Line Kung Fu" talk:

"Demystifying Sendmail", a two-day Sendmail course covering basic Sendmail concepts (last update Sep 2006).

"Detecting Break-ins"-- some simple tricks and freely available utilities for discovering when your Unix systems have been compromised. Given to the Mid Willamette Valley Linux User Group, September 2004.

"Unix Hacking 101"-- a brief intro to breaking into Unix systems and what attackers do once they get in. Given to the Eugene Unix and GNU/Linux User Group, August 2004.

"The Current Anti-Spam Landscape", given to the Portland Linux User Group, July 2004.

"DNS and BIND", given to the Eugene Unix and GNU/Linux User Group, March, 2004.

A talk on the IT aspects of moving to Eugene, given to the Mid Willamette Valley Linux User Group in January, 2004.

"Solaris Security", webcast by the SANS Institute way back in July, 2002.

An old version of a full-day tutorial on DNS and Sendmail, last update April, 2002.

"NTP, the Network Time Protocol", last update February 2001.

"Solaris Jumpstart", last update January, 2001.

Articles and Other Writing

Hal Pomeranz's series of articles on independent consulting (external link)

Eric Huber's interview with Deer Run Associates' founder Hal Pomeranz (external link)

"Linux EXT3 File Recovery via Indirect Blocks" (external link to the FireEye blog-- see also the related presentation above).

"Linux Password Enforcement with PAM", an update to my earlier article on pam_cracklib.

"Remote Logging with SSH and Syslog-NG", originally published in Sys Admin Magazine.

"File Integrity Assessment via SSH", originally published in Sys Admin Magazine. You can find some related configuration files and tools here.

"Solaris Security: Step-by-Step", the definitive guide originally published by The SANS Institute.

"Solaris BSM Auditing" (aka kernel-level auditing), originally published in Sys Admin Magazine.

Instructions on how to build statically-linked executables under Solaris.

"Improving Sendmail Security by Turning it Off", originally published in Sys Admin Magazine.
Also a follow-up article, "Just Can't Get Enough Sendmail".

"Running Sendmail as an Unprivileged User", originally published in Sys Admin Magazine.

"The Sendmail greet_pause Feature", originally published in Sys Admin Magazine.

"A Simple DNS-Based Approach for Blocking Web Advertising", originally published in Sys Admin Magazine.
Also, here's a brief update to the original article based on reader feedback.

"Name Server Security with BIND and chroot()", originally published in 8wire (now defunct). Note that while this article covers chroot()-ing BIND under Solaris, the EUGLUG talk listed above has the details for Linux systems.

"Great Moments In Customer Service", a humorous editorial originally published in 8wire.

"Dealing with <BUTTON>", explains a work-around required because Microsoft Internet Explorer (MSIE) doesn't implement the <BUTTON> tag properly.


h2n, a tool for converting a static hosts file into DNS zone files. Originally written by Cricket Liu for the O'Reilly DNS and BIND book.

mysql2csv, a tool for easily extracting MySQL data to CSV files.

PLOD, my tool for keeping an on-line journal of what you're working on.

A couple of different Solaris Jumpstart related tools, including an automated hardening tool that performs many of the steps in the "Solaris Security: Step-by-Step" guide mentioned above.