Eric Huber's interview with (Deer Run Associates' founder) Hal Pomeranz on the "A Fistful of Dongles" blog
Joe Garcia's interview with Hal Pomeranz on the "Cyber Crime 101" podcast
Lenny Zeltser's interview with Hal Pomeranz on the SANS Forensics blog.
"You Don't Know Jack About bash_history", bash_history behaviors that are applicable for forensics and anti-forensics (BSides NOLA, Apr 2016).
"What Your (Encrypted) iPhone Backup Says About You", Details about forensic analysis of iTunes backup directories for iOS devices... even if the backup is encrypted! (BSides NOLA, May 2015).
"Automating Linux Memory Capture", A free USB-based tool to automate extraction of Linux memory and building Volatility profiles for Linux analysis (SANS DFIR Summit, June 2014).
"Detecting Malware with Memory Forensics", A quick intro to memory forensics and some techniques for using Redline and Volatility to detect code injection and process hiding (SANS Webcast, Oct 2012).
"Tales From The Crypt!", How to detect the presence of TrueCrypt and TrueCrypt volumes in forensic images. Artifacts that can give you details about the contents of the volume even if the decryption keys are not available (presented at the SANS Forensics Summit, June 2012).
"Passwords are Everywhere", Some thoughts on interesting places to look for clear-text (or easily reversible) passwords during investigations, and why these might be useful (presented at the SANS Forensics Summit, June 2012).
"A Hash Is Worth 1000 Words" (SANS360 presentation), A short talk on how to use MD5 hash values to find common GIF/JPEG/etc files across multiple forensic images using devious Linux command-line kung fu (presented at the SANS Forensics Summit, June 2012).
"Images and dm-crypt and LVM2... Oh Mount!" (presented at CEIC, May 2011). Some tips for working with Linux images that may have complicated disk layouts that include encrypted file systems and Logical Volume Manager (LVM2) configurations. See also the related blog post at the SANS Forensics Blog.
"EXT4 Bit-by-Bit" (presented at CEIC, May 2011). Get out your hex editors for an in-depth look at the EXT4 inode. New timestamps! Extents! Crazy de-allocation behaviors! See also the related blog posts at the SANS Forensics Blog as well as this video of Hal Pomeranz presenting at the SANS Forensics Summit (June 2011).
"Linux EXT3 File Recovery via Indirect Blocks" (presented at DoD Cybercrime, Jan 2011). The tools covered in this talk, along with additional documentation, can be found in this article on the FireEye blog. There is also a video of Hal Pomeranz giving this talk at the SANS Forensics Summit (June 2011).
"Simple MySQL Data Extraction": some tips and tricks for investigators who want to extract database data to CSV files without having to become a database expert (presented at DoD Cybercrime, Jan 2011). Also the mysql2csv tool referenced in the presentation.
Two presentations related to Zeus botnets and ACH fraud:
Intro to Linux Digital Forensics, with information on Linux file systems and recovering deleted data
Several different versions of Hal's "Unix Command-Line Kung Fu" talk:
"Demystifying Sendmail", a two-day Sendmail course covering basic Sendmail concepts (last update Sep 2006).
"Detecting Break-ins": some simple tricks and freely available utilities for discovering when your Unix systems have been compromised. Given to the Mid Willamette Valley Linux User Group, September 2004.
An old version of a full-day tutorial on DNS and Sendmail, last update April, 2002.
"NTP, the Network Time Protocol", last update February 2001.
"Solaris Jumpstart", last update January, 2001.
Hal Pomeranz's series of articles on independent consulting (external link)
Eric Huber's interview with Deer Run Associates' founder Hal Pomeranz (external link)
"Linux Password Enforcement with PAM", an update to my earlier article on pam_cracklib.
Instructions on how to build statically-linked executables under Solaris.
"A Simple DNS-Based Approach for Blocking Web Advertising", originally published in
Also, here's a brief update to the original article based on reader feedback.
"Name Server Security with BIND and chroot()", originally published in 8wire (now defunct). Note that while this article covers chroot()-ing BIND under Solaris, the EUGLUG talk listed above has the details for Linux systems.
"Great Moments In Customer Service", a humorous editorial originally published in 8wire.
"Dealing with <BUTTON>", explains a work-around required because Microsoft Internet Explorer (MSIE) doesn't implement the <BUTTON> tag properly.
h2n, a tool for converting a static hosts file into DNS zone files. Originally written by Cricket Liu for the O'Reilly DNS and BIND book.
mysql2csv, a tool for easily extracting MySQL data to CSV files.
PLOD, my tool for keeping an on-line journal of what you're working on.