Computer Hacking Forensic Investigator (CHFI) — Question 11

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Answer options

• A. The system files have been copied by a remote attacker
• B. The system administrator has created an incremental backup
• C. The system has been compromised using a t0rnrootkit
• D. Nothing in particular as these can be operational files

Correct answer: D

Explanation

The correct answer is D because the presence of Zer0.tar.gz and copy.tar.gz does not definitively indicate malicious activity; they could very well be legitimate operational files. Options A, B, and C suggest specific malicious actions or intentions, which cannot be substantiated without further evidence.