GCFA Question #266: Real Exam Question with Answer & Explanation

The correct answer is D. /sbin.

Question

Sam works as a professional Computer Hacking Forensic Investigator. A project has been assigned to him to investigate a compromised system, which runs on the Linux operating system. Sam wants to investigate and review local software, system libraries, and other applications installed on the system. Which of the following directories in Linux will he review to accomplish the task?

Options

  • A. /tmp
  • B. /mnt
  • C. /lib
  • D. /sbin

Explanation

In a Linux forensic investigation, the /sbin directory (System Binaries) contains essential system administration executables such as init, fdisk, fsck, ifconfig, and other critical system tools. A Computer Hacking Forensic Investigator (CHFI) examining installed system-level software, binaries, and administrative applications would focus on /sbin. The other directories serve different purposes: /tmp holds temporary files (volatile and not useful for reviewing installed software), /mnt is used as a mount point for external/removable file systems, and /lib contains shared library files (.so files) used by binaries - but the exam context frames the investigation around system software and applications, pointing to /sbin as the primary target. Note: a thorough forensic review would also examine /usr/sbin, /usr/bin, /lib, and /opt, but /sbin is the best single answer among the choices provided.
