Computer Hacking Forensic Investigator (CHFI v10) — Question 401
In a cyber-forensic investigation, a CHFI expert found a Linux system unexpectedly booting into a different OS kernel. The system was configured with the Grand Unified Bootloader (GRUB). The expert suspects that an attacker may have tampered with the bootloader stage of the Linux boot process. Which one of the following is NOT a step performed during the bootloader stage in a normal Linux boot process?
Answer options
- A. Execution of the Linuxrc program to generate the real file system for the kernel
- B. Detecting the device that contains the file system and loading the necessary modules
- C. Loading the kernel into memory
- D. Loading the Linux kernel and optional initial RAM disk
Correct answer: A
Explanation
The correct answer is A because the Linuxrc program is not executed during the bootloader stage; it runs later, in the kernel stage, after the bootloader has handed over control. The bootloader stage focuses on loading the kernel and necessary modules. Options B, C, and D are all essential steps in the bootloader stage, as they involve detecting the device that contains the file system, loading the kernel into memory, and loading the optional initial RAM disk.