Linux artifacts useful for reconstructing user command history after a breach include which of the following?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Explanation:
Reconstructing what a user did on a Linux system hinges on artifacts that capture both the commands issued and the authentication context around those commands. The Bash history file in a user’s home directory, typically ~/.bash_history, records the commands entered during Bash sessions. While it isn’t perfect (it’s often written on exit and can be edited or cleared), it provides a direct view of user activity. Shell history files for other shells (like zsh or fish) serve a similar purpose, giving a broader picture of command history across environments a user might have used.

Equally important are the authentication logs, found in /var/log/auth.log (Debian-based systems) or /var/log/secure (Red Hat-based systems). These logs document login attempts, SSH sessions, and sudo usage, providing the timing and context for when commands could have been executed. When you correlate the timestamps in history files with these authentication records, you can establish a clear sequence of user actions after a breach.

The other choices don’t fit as well because they focus on artifacts that are either Windows-centric or not specifically tied to recording user-issued commands on Linux. Prefetch, USN Change Journal, and Sysmon are Windows-oriented or file-system event sources; Windows Event Logs, LSASS memory, and Mimikatz strings are Windows-focused artifacts; kernel crash dumps, dmesg, and syslog offer system-wide information but don’t reliably enumerate the exact commands a user typed in interactive shells.
