Computer Hacking Forensic Investigator (CHFI v10) — Question 12
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
Answer options
- A. The system files have been copied by a remote attacker
- B. The system administrator has created an incremental backup
- C. The system has been compromised using a t0rnrootkit
- D. Nothing in particular as these can be operational files
Correct answer: D
Explanation
The correct answer is D: a file name is not evidence. Archives named Zer0.tar.gz or copy.tar.gz could as easily be an administrator's ad hoc backups or a user's working files as anything else, so their mere presence supports no conclusion. Options A, B and C each assert a specific event (a remote copy by an attacker, an incremental backup, a particular rootkit) that would have to be established from other evidence before it could be concluded: the archives' ownership, permissions and MAC timestamps, their actual contents (listed without extracting them), their hashes, the shell histories and system logs covering the time they were created, and the integrity of the system's own binaries. The investigator's job at this point is to record and examine the files, not to name the cause.
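The read-only first look that should precede any conclusion about such archives, as an added example that is not part of the CHFI question or its answer key. It builds two constructed sample archives with the names from the question (their contents are invented for the example) plus a third constructed archive containing a path-traversal entry, then records owner, mode, timestamps and SHA-256 for each, verifies the gzip format rather than trusting the extension, lists the members without extracting, and flags entries that would escape the extraction directory. It assumes GNU tar, gzip, stat and sha256sum as found on a typical Linux workstation; it never writes to the evidence itself.

```shell
#!/bin/sh
# Added example, not from the CHFI material. Read-only triage of archives
# found during an investigation: metadata, format check, hash, member listing.
# All three archives below are CONSTRUCTED sample data; names and contents are
# assumptions for this example, not evidence from any real case.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample archives -------------------------------------------
mkdir -p "$WORK/src/etc" "$WORK/src/home"
printf 'hostname=lab01\n' > "$WORK/src/etc/sample.conf"
printf 'notes\n'          > "$WORK/src/home/notes.txt"
( cd "$WORK/src" && tar -czf "$WORK/Zer0.tar.gz" etc/sample.conf home/notes.txt )
( cd "$WORK/src" && tar -czf "$WORK/copy.tar.gz" etc/sample.conf )
# -P keeps the "../" prefix in the member name, simulating a hostile archive.
( cd "$WORK/src" && tar -czPf "$WORK/traversal.tar.gz" ../src/etc/sample.conf )

# Is the file really a gzip stream, as its extension claims? Exit 0 if so.
is_gzip() {
    gzip -t "$1" 2>/dev/null
}

# Number of members in the archive, taken from the listing only (no extraction).
archive_entry_count() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# Members that would land outside the extraction directory: absolute paths
# or a ".." component. Anything non-zero means: do not extract naively.
unsafe_entry_count() {
    tar -tzf "$1" | grep -Ec '^/|(^|/)\.\.(/|$)' || true
}

# Full read-only triage record for one archive, suitable for the case notes.
triage_archive() {
    f=$1
    echo "== $f"
    # Ownership, mode and the three timestamps; note that copying a file
    # changes ctime, so record ctime as well as mtime.
    stat -c 'owner=%U:%G mode=%a size=%s mtime=%y ctime=%z' "$f"
    echo "sha256=$(sha256sum "$f" | cut -d' ' -f1)"
    if is_gzip "$f"; then echo "format=gzip (ok)"; else echo "format=NOT gzip"; fi
    echo "entries=$(archive_entry_count "$f") unsafe=$(unsafe_entry_count "$f")"
    # Verbose listing shows the UID/GID and mtime stored per member, which
    # often tells you who packed the archive and when.
    tar -tzvf "$f"
}

triage_archive "$WORK/Zer0.tar.gz"
triage_archive "$WORK/copy.tar.gz"
triage_archive "$WORK/traversal.tar.gz"
```

On real evidence, run this against a read-only mount or a working copy whose hash you have already recorded, and compare the per-member UID, GID and mtimes from the verbose listing against the account and time line you are building; those, not the archive's name, are what let you move from "operational file" to any of the other three options.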