There's Gold in them thar package management database
by Phil Hagen

There is a lot of useful file metadata stored in package management databases for popular Linux distributions. The RedHat Package Manager (RPM) and Debian’s dpkg are two examples. We’ll focus on how to leverage RPM in forensic investigations, as it can provide a quick and effective way to find changed files that warrant more in-depth analysis. We’ll also discuss potential shortfalls to consider in using this method.
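As an added example (not code from the original post), the script below triages the output of `rpm -Va`, which is how RPM reports files whose on-disk state no longer matches the package database. The sample lines are constructed, and the severity ranking is an editor's heuristic, not the article's method.

```python
import re
# `rpm -Va` output: a 9-character test field in the order S M 5 D L U G T P
# ('.' = passed, '?' = could not be tested) or the word "missing", an optional
# attribute letter (c = config, d = doc, g = ghost, l = license, r = readme), then the path.
TESTS = "SM5DLUGTP"
TEST_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
CONTENT_TESTS = {"size", "mode", "digest", "symlink", "owner", "group", "capabilities"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+"
                     r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")

def parse_verify_line(line):
    """Return {path, attr, failed, untested} for one verify line; None for other lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags, untested = m.group("flags"), []
    if flags == "missing":
        failed = ["missing"]
    else:
        failed = [TEST_NAMES[t] for t, ch in zip(TESTS, flags) if ch not in ".?"]
        untested = [TEST_NAMES[t] for t, ch in zip(TESTS, flags) if ch == "?"]
    return {"path": m.group("path"), "attr": m.group("attr"),
            "failed": failed, "untested": untested}

def triage(entry):
    """Config edits and mtime-only changes are expected noise; a changed digest, size
    or mode on a non-config file, or a missing file, warrants deeper analysis."""
    if "missing" in entry["failed"]:
        return "high"
    if "digest" in entry["untested"]:
        return "medium"   # content could not be checked (e.g. a prelinked binary)
    if not CONTENT_TESTS.intersection(entry["failed"]):
        return "low"      # only mtime (or device) differs
    return "medium" if entry["attr"] == "c" else "high"

def triage_report(verify_output):
    """Map each parsed path to its triage level; unparseable lines are skipped."""
    entries = filter(None, map(parse_verify_line, verify_output.splitlines()))
    return {e["path"]: triage(e) for e in entries}
# Constructed sample in rpm -Va's output format (not data from a real system).
SAMPLE = """\
S.5....T.    /usr/bin/ss
.......T.    /usr/lib64/libz.so.1.2.7
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/lsof
.M.......    /usr/bin/chage
..?......    /usr/bin/sudo
"""
```

The "high" entries are the files to pull for deeper analysis; "medium" covers config edits and binaries whose digest could not be verified, which is one of the shortfalls to keep in mind with this method.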

Published 03 March 2015