If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system during an investigation, what can you conclude?

Multiple Choice

Explanation:
In this situation, context and provenance matter more than the file type itself. Zer0.tar.gz and copy.tar.gz are simply compressed tar archives. That format is widely used for backups, data transfers, packaging, or simply making copies of files. The names themselves do not indicate malicious activity or a breach.

To determine anything meaningful, you’d look at metadata and contents rather than the existence of the files alone. Check who created them, when they were created or modified, where they’re located on the filesystem, and what permissions they have. Inspect the contents safely (for example, list them without extracting, or extract in a controlled environment) and compare any hashes or signatures to known-good baselines. Review surrounding logs for evidence of how they were produced—cron jobs, backup utilities, admins, or potential intruders. Unless those reviews reveal tampering, unusual payloads, or suspicious access patterns, these archives don’t by themselves prove a compromise.

So, nothing in particular can be concluded from their presence; they can be operational files used for legitimate backups or copies.
