Exam 312-49v10 topic 1 question 45 discussion

D: It's difficult to draw a conclusion based solely on the presence of files named Zer0.tar.gz and copy.tar.gz on a Linux system. These files could contain any number of things and their contents might be benign or malicious. To determine the nature of these files and what they contain, an investigation would have to be performed to examine their contents, metadata, and any other relevant information.

Too many clowns answering questions here. Forensics is not about being suspicious. It's about being attentive, and following the evidence. Do your research, and learn your craft. D. Nothing in particular as these can be operational files: Correct – .tar.gz files are common on Linux systems for legitimate purposes, such as archiving or backups. Their presence alone doesn’t imply suspicious activity. There is no evidence that it's this: https://www.giac.org/paper/gcih/321/t0rn-rootkit/103430

The rootkit is a type of rootkit specifically designed for Unix-like operating systems, such as Linux. It is one of the many rootkits used by attackers to gain unauthorized access and maintain control over a compromised system while hiding their presence and activities from system administrators and security tools

This question is a nightmare: In a forensic investigation, it's crucial to be cautious and avoid making assumptions solely based on filenames. File analysis, metadata examination, and additional context are essential to make accurate conclusions and determine whether these files are benign, suspicious, or malicious.

C. seems more logical

C sys compromised using t0rnrootkit

C is the correct answer

C. The system has been compromised using a t0rnrootkit https://pc-freak.net/tutorials/hacking_info/writeup.txt