EC-Council 312-49 Question #425: Real Exam Question with Answer & Explanation

The correct answer is D: Nothing in particular as these can be operational files.

Submitted by khalil_dz · Apr 18, 2026 · Category: Disk Forensics

Question

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Options

  • A. The system files have been copied by a remote attacker
  • B. The system administrator has created an incremental backup
  • C. The system has been compromised using a t0rn rootkit
  • D. Nothing in particular as these can be operational files

Explanation

Observing files named Zer0.tar.gz and copy.tar.gz on a Linux system provides no inherent conclusion about system compromise or specific operational activity without further context, as these are generic names. That further context comes from examining the archives themselves (contents, ownership, timestamps and how they arrived on the system) rather than from the names alone.

Common mistakes.

  • A. While an attacker could create such files, these names are not inherently indicative of a remote attacker versus a local user or automated process without further evidence.
  • B. These names do not specifically suggest an 'incremental backup'; they are too generic to infer a particular backup strategy without more information.
  • C. The filenames Zer0.tar.gz and copy.tar.gz are not specifically associated with the t0rn rootkit or any other particular malware without additional evidence.

Concept tested. Linux file system forensics, initial assessment.

Topics

#File analysis · #Linux forensics · #Rootkit indicators · #Forensic methodology
