GIAC
GCFA · Question #115
GCFA Question #115: Real Exam Question with Answer & Explanation
The correct answer is C. icat. The Sleuth Kit command 'icat' reads the meta-data structure at a given address (the inode number on ext2/3/4, and the equivalent on any other file system The Sleuth Kit supports), follows its block pointers and outputs the file's data units.
Question
Adam works as a professional Computer Hacking Forensic Investigator. A project has been assigned to him to investigate a compromised system of a cyber criminal, who hides some information in his computer. This computer runs on Linux operating system. Adam wants to extract the data units of a file, which is specified by its meta-data address. He is using the Sleuth Kit for this purpose. Which of the following commands in the Sleuth kit will he use to accomplish the task?
Options
- A. dcat
- B. ifind
- C. icat
- D. istat
Explanation
'icat' is the Sleuth Kit's "inode cat": given an image and a meta-data address, it looks up that inode, walks the block pointers (direct and indirect) it holds, and writes the referenced data units to standard output, truncated to the size recorded in the inode. The meta-data address usually comes from 'fls' (directory listing with inode numbers) or from 'ifind'; 'istat' on the same address shows the pointers that 'icat' will follow. Useful options: '-s' also outputs the slack space at the end of the last block, '-r' attempts recovery of a deleted file on file systems that need it (FAT, NTFS), and '-f fstype' / '-o offset' select the file system type and the partition offset in a whole-disk image. The command is not Linux-specific; it works on every file system type The Sleuth Kit supports (ext, NTFS, FAT, HFS+, UFS, YAFFS2 and others).
Common mistakes.
- A. The 'dcat' command (renamed 'blkcat' in The Sleuth Kit 3.x) outputs the raw contents of a specific data unit (block or cluster) identified by its block address, not by a file's meta-data address; it knows nothing about which file, if any, the block belongs to.
- B. The 'ifind' command is used to locate the meta-data structure (inode) that has allocated a given disk block or file name, not to extract data from a known meta-data address.
- D. The 'istat' command displays the detailed attributes and metadata of an inode structure (timestamps, permissions, block pointers) but does not extract or output the actual file data content.
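To make the distinction between the four commands concrete, here is an added example that is not Sleuth Kit code: a toy block image with a hand-built inode table, and four small functions that behave like 'blkcat' (address of a data unit), 'istat' (describe a meta-data address), 'ifind -d' (data unit to meta-data address) and 'icat' (meta-data address to file content, optionally with slack). The block size, inode numbers, file contents and the residue left in slack space are all constructed for the demonstration and do not correspond to any real file system layout.

```python
"""Toy model of icat / blkcat / ifind / istat over a constructed block image.

Added example, not Sleuth Kit code. It mimics only what each command does
with a meta-data address (inode number) versus a data-unit (block) address.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

BLOCK_SIZE = 32  # constructed; real file systems use 512 B to 64 KiB


@dataclass
class Inode:
    """Minimal meta-data structure: file size, direct block pointers, alloc flag."""
    size: int
    blocks: list = field(default_factory=list)
    allocated: bool = True


def write_block(img: bytearray, addr: int, payload: bytes) -> None:
    """Write payload at the start of data unit `addr` (never past the block end)."""
    off = addr * BLOCK_SIZE
    payload = payload[:BLOCK_SIZE]
    img[off:off + len(payload)] = payload


# Constructed file contents (FILE_A spans two blocks: 32 + 19 bytes).
FILE_A = b"meet at 0300 behind the old mill, bring the ledger\n"  # 51 bytes
FILE_B = b"wiped?\n"                                               # 7 bytes
# Constructed residue that predates FILE_A; 13 bytes of it survive as slack.
SLACK_RESIDUE = b"pw=hunter2..."


def build_image():
    """Build an 8-block image plus its inode table (constructed, not ext2)."""
    img = bytearray(BLOCK_SIZE * 8)
    # Block 3 held older data before FILE_A was written over its first 19 bytes.
    write_block(img, 3, b"#" * (BLOCK_SIZE - len(SLACK_RESIDUE)) + SLACK_RESIDUE)
    write_block(img, 2, FILE_A[:BLOCK_SIZE])
    write_block(img, 3, FILE_A[BLOCK_SIZE:])
    write_block(img, 5, FILE_B)
    inodes: Dict[int, Inode] = {
        12: Inode(size=len(FILE_A), blocks=[2, 3]),
        13: Inode(size=len(FILE_B), blocks=[5], allocated=False),  # deleted file
    }
    return img, inodes


def blkcat(img: bytearray, addr: int) -> bytes:
    """Like blkcat (formerly dcat): raw content of ONE data unit, by block address."""
    return bytes(img[addr * BLOCK_SIZE:(addr + 1) * BLOCK_SIZE])


def istat(inodes: Dict[int, Inode], inum: int) -> dict:
    """Like istat: describe the meta-data structure; outputs no file content."""
    ino = inodes[inum]
    return {"inode": inum, "allocated": ino.allocated,
            "size": ino.size, "blocks": list(ino.blocks)}


def ifind(inodes: Dict[int, Inode], addr: int) -> Optional[int]:
    """Like ifind -d: which meta-data address has allocated this data unit?"""
    for inum, ino in inodes.items():
        if addr in ino.blocks:
            return inum
    return None  # unallocated or metadata block


def icat(img: bytearray, inodes: Dict[int, Inode], inum: int,
         slack: bool = False) -> bytes:
    """Like icat: follow the inode's block pointers and return the file data.

    slack=True behaves like `icat -s`: keep the tail of the last block beyond
    the recorded file size, where residue from earlier data may remain.
    (This toy ignores allocation status; real icat also reads the pointers of
    an unallocated inode if the file system still holds them.)
    """
    ino = inodes[inum]
    data = b"".join(blkcat(img, b) for b in ino.blocks)
    return data if slack else data[:ino.size]


if __name__ == "__main__":
    img, inodes = build_image()
    print("istat 12 ->", istat(inodes, 12))
    print("ifind -d 3 ->", ifind(inodes, 3))
    print("icat 12 ->", icat(img, inodes, 12))
    print("icat -s 12 tail ->", icat(img, inodes, 12, slack=True)[len(FILE_A):])
    print("blkcat 3 ->", blkcat(img, 3))
```

Run as a script it shows the point of the question: only 'icat' answers "give me the file whose meta-data address is 12"; 'blkcat 3' returns one block with no idea of file boundaries, 'istat 12' lists the pointers without following them, and 'ifind -d 3' goes the other way, from a block back to inode 12. The slack output also shows why '-s' matters in an investigation: the residue written before the file is still present after the file's recorded end.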
Concept tested. Sleuth Kit icat command for inode-based data extraction
Reference. https://www.sleuthkit.org/sleuthkit/man/icat.html