CertNexus Certified Cyber Secure Coder (CSC) — Question 94

A security investigator has detected an unauthorized insider reviewing files containing company secrets. Which of the following commands could the investigator use to determine which files have been opened by this user?

Answer options

• A. ls
• B. lsof
• C. ps
• D. netstat

Correct answer: B

Explanation

The correct answer is B, lsof, as it lists open files and the processes that opened them, which is essential for identifying which files were accessed by the user. The other options do not provide this functionality; A (ls) lists directory contents, C (ps) displays running processes, and D (netstat) shows network connections.