In this section

LX0.12 Check My Knowledge

3-4 hours · Module 0 · Free

Check My Knowledge

1. What is the primary reason Linux incident response requires a different methodology from Windows?

Linux is more difficult to compromise than Windows

Linux has fewer forensic tools available

Linux has no registry, Prefetch, or unified Event Log — evidence is distributed across the filesystem and must be correlated across multiple independent sources

Linux investigations always require commercial forensic suites

Correct. Linux lacks the centralized forensic artifacts that Windows provides. Evidence is distributed across /var/log, /proc, /etc, /home, and volatile locations. The investigator must correlate across multiple sources rather than parsing a single rich artifact like the registry or MFT.

2. An attacker truncates /var/log/auth.log and runs unset HISTFILE. Which evidence source is most likely to still contain a record of their SSH login?

The .bash_history file in the attacker's home directory

The wtmp binary log file, read with the last command

The /proc filesystem, which records all historical logins

The kernel ring buffer accessed via dmesg

Correct. wtmp is a binary file that records login and logout events independently of auth.log. Attackers who truncate auth.log frequently forget about wtmp, which is managed by a different subsystem. The systemd journal also records SSH events independently and is checksummed, making it harder to tamper with.

3. A file at /usr/local/bin/svc_monitor has mtime of 2024-06-15 and ctime of 2026-03-28. What does this indicate?

The file was created on 2024-06-15 and its metadata was modified on 2026-03-28 — the attacker likely used touch to backdate the modification time

The file was accessed on 2024-06-15 and modified on 2026-03-28

The file was moved from a different directory on 2026-03-28

The timestamps are corrupted and cannot be trusted

Correct. The ctime (change time) updates automatically on any inode metadata operation and cannot be directly set by userspace tools. The mtime can be set with touch -t. A discrepancy where mtime is older than ctime indicates deliberate timestamp manipulation — the attacker created or modified the file on 2026-03-28 and backdated the mtime to 2024-06-15 to avoid detection.

4. A Kubernetes pod was restarted by a liveness probe 10 minutes before you were notified. Which evidence source survived the restart?

The container's filesystem modifications from the previous instance

The /proc entries for the previous container's processes

The Kubernetes audit log recording API calls and the container runtime logs from the previous instance

The contents of /dev/shm from the previous container

Correct. The Kubernetes audit log exists outside the container and survives pod restarts. Container runtime logs (accessible via kubectl logs --previous) are retained for the previous instance. The container's filesystem, /proc entries, /dev/shm contents, and network state are all destroyed when the container restarts.

5. You run ps auxf and see 187 processes. A /proc enumeration finds 190 process directories. What is the most likely explanation?

Three processes started between running the two commands

The /proc filesystem is reporting kernel threads that ps filters out

A rootkit is hooking the library calls that ps uses, hiding 3 attacker processes — direct /proc reads bypass the hooks

Three processes are zombie processes that /proc counts but ps does not

Correct. A userspace rootkit hooks the library functions that ps uses to enumerate processes, filtering out attacker processes from the output. Reading /proc directly reads from the kernel's process list, bypassing the rootkit's hooks. The discrepancy between ps output and direct /proc enumeration is a strong indicator of rootkit presence.

6. You SSH into a compromised server and run cat /var/log/auth.log — the file does not exist. What is your immediate next step?

Conclude that the attacker deleted the authentication log

Run cat /etc/os-release to identify the distribution — the system is likely RHEL-based where the authentication log is /var/log/secure

Check /proc for authentication records instead

Skip authentication log analysis and focus on filesystem timestamps

Correct. The absence of auth.log most commonly indicates a RHEL/CentOS/Rocky/Amazon Linux distribution, where the equivalent file is /var/log/secure. Always identify the distribution first with cat /etc/os-release, then use the correct evidence paths for that distribution family.

7. What does rpm -Va report on a RHEL-based system, and why is it forensically significant?

It verifies all installed package files against their RPM manifests — any file modified after installation (including by an attacker) is flagged with codes indicating what changed

It lists all running processes and their associated packages

It shows all packages installed in the last 24 hours

It validates the RPM database itself for corruption

Correct. rpm -Va compares every file from every installed package against the original RPM manifest. Output codes indicate what changed: S (size), 5 (MD5 checksum), T (mtime), M (mode/permissions), U (user), G (group). If an attacker replaced a system binary like /usr/bin/ps with a trojaned version, rpm -Va flags it.

8. A compromised web server runs on a system with SELinux in enforcing mode. The attacker's web shell attempts to read /etc/shadow. What happens?

SELinux allows the read because the web server runs as root

The read succeeds but is logged in auth.log

SELinux blocks the read and logs an AVC denial in the audit log — the httpd_t context is not permitted to access shadow_t

SELinux disables itself to allow the web server to function

Correct. SELinux enforces mandatory access control based on security contexts (labels). The web server process runs in the httpd_t context, and /etc/shadow has the shadow_t context. The SELinux policy does not permit httpd_t to read shadow_t. The attempt is blocked and an AVC denial is logged in /var/log/audit/audit.log, providing evidence of the attacker's credential harvesting attempt.

9. You need to acquire memory from a compromised server. Why must LiME be pre-compiled for the target's exact kernel version?

LiME uses kernel-specific system calls that change between versions

LiME is a loadable kernel module — the kernel rejects modules compiled for a different version to prevent instability

Different kernel versions store memory in different formats that LiME must match

LiME requires the kernel source code to be present on the target system

Correct. Linux kernel modules must be compiled against the exact kernel version headers. The kernel verifies the module's vermagic string against its own version and rejects mismatches. This means you must pre-compile LiME for every kernel version in your infrastructure before an incident occurs — you cannot compile during the incident without kernel headers (rarely installed on production servers).

10. Which volatile filesystem is specifically used by attackers because files written there never touch the disk?

/tmp

/dev/shm

/var/run

/proc

Correct. /dev/shm is a RAM-backed tmpfs filesystem. Files written there exist only in memory and are never written to disk. This makes them invisible to disk forensics — if you image the disk without first collecting /dev/shm contents from the live system, the attacker's staged files are permanently lost. /tmp may also be tmpfs on modern distributions, but /dev/shm is always RAM-backed.

11. An investigator needs to examine a compromised AWS EC2 instance but has only AWS console access — no SSH. What is the most forensically sound first action?

Create a disk snapshot via the EC2 API — this captures the disk state without logging into or modifying the running instance

Terminate the instance to preserve the disk state

Modify the security group to allow SSH access

Use AWS SSM Session Manager to connect to the instance

Correct. A disk snapshot via the EC2 API captures the complete disk state at a point in time without any interaction with the running instance. It is the forensically cleanest collection method for cloud VMs. Terminating the instance destroys volatile evidence. Modifying the security group changes the evidence. SSM would allow live response but modifies the system state.

12. What is the minimum Linux IR lab configuration needed to complete the free-tier exercises in this course?

A single Linux VM with forensic tools installed

Five VMs matching the full Northgate Engineering infrastructure

A forensic workstation with analysis tools (Sleuth Kit, Volatility 3, plaso, UAC) and one target VM to collect evidence from

An AWS account with EC2 instances and CloudTrail enabled

Correct. The minimum lab is a forensic workstation (with Sleuth Kit, Volatility 3, plaso, UAC, dc3dd installed) and one target VM (e.g., BASTION-NGE01 with SSH and user accounts). This supports live response practice, evidence collection, and filesystem analysis. The full 5-VM infrastructure is recommended for all scenario modules but is not required for the free-tier foundation modules.

💬

How was this module?

Your feedback helps us improve the course. One click is enough — comments are optional.

Thank you — your feedback has been received.

Unlock the Full Course See Full Course Agenda

← Previous Next →