Computer Hacking Forensic Investigator (CHFI v10) — Question 312
A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is powered on?
Answer options
- A. /auth
- B. /proc
- C. /var/log/debug
- D. /var/spool/cron/
Correct answer: B
Explanation
The correct answer is /proc, a virtual filesystem that provides real-time information about the system and its processes. The other options do not contain current state data: /auth is related to authentication, /var/log/debug holds log files, and /var/spool/cron/ is used for scheduled cron jobs.