EC-CouncilEC-Council
312-49 · Question #350
312-49 Question #350: Real Exam Question with Answer & Explanation
Sign in or unlock 312-49 to reveal the answer and full explanation for question #350. The question stem and answer options stay visible for context.
Submitted by haruto_sh· Apr 18, 2026Computer Forensics Investigation Process
Question
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
Options
- AThe system has been compromised using a t0rnrootkit
- BThe system administrator has created an incremental backup
- CThe system files have been copied by a remote attacker
- DNothing in particular as these can be operational files
Unlock 312-49 to see the answer
You've previewed enough free 312-49 questions. Unlock 312-49 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.
Topics
#File analysis#Evidence interpretation#Forensic methodology