nerdexam
GIAC

GCIH · Question #624

An investigator is auditing a UNIX system and finds the following entry in the wtmp file. What does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45

The correct answer is C. A user with login id test2 was able to login successfully on 1st April at 16:45 hours. The wtmp file on UNIX systems records successful login events, so an entry with a username, terminal, source IP, and timestamp confirms that user test2 authenticated and established a session.

Incident Response & Cyber Kill Chain

Question

An investigator is auditing a UNIX system and finds the following entry in the wtmp file. What does the entry indicate? test2 pts/1 202.69.197.99 Fri Apr 01 16:45

Options

  • AA user with login id test2 attempted to login on April 1st but failed
  • BA user with login id test2 logged out of the system at 16.45hrs on 1st April
  • CA user with login id test2 was able to login successfully on 1st April at 16:45 hours
  • DA user with login id test2 was able to login successfully with password pts

How the community answered

(22 responses)
  • A
    5% (1)
  • B
    5% (1)
  • C
    91% (20)

Why each option

The wtmp file on UNIX systems records successful login events, so an entry with a username, terminal, source IP, and timestamp confirms that user test2 authenticated and established a session.

AA user with login id test2 attempted to login on April 1st but failed

Failed login attempts are written to the btmp file, not to wtmp; the presence of the entry in wtmp specifically indicates the authentication succeeded.

BA user with login id test2 logged out of the system at 16.45hrs on 1st April

A logout event in wtmp typically appears as a record with a blank or dead-process username field, not a standard user record containing a source IP address.

CA user with login id test2 was able to login successfully on 1st April at 16:45 hoursCorrect

The wtmp binary log captures every successful login, logout, and reboot event on a UNIX/Linux system. An entry containing a valid username (test2), a pseudo-terminal (pts/1), a remote IP address (202.69.197.99), and a date-time stamp is the standard record format written when a user successfully authenticates. The presence of this record in wtmp - as opposed to btmp - confirms a successful login on April 1st at 16:45.

DA user with login id test2 was able to login successfully with password pts

'pts' stands for pseudo-terminal slave, which identifies the type of terminal allocated to the session - it is not related to the user's password.

Concept tested: UNIX wtmp log file login auditing

Source: https://man7.org/linux/man-pages/man5/utmp.5.html

Topics

#wtmp logs#UNIX forensics#login records#log analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice