Why is the /etc directory often examined during a forensic investigation?


Multiple Choice


Explanation:
The main idea is that /etc holds system-wide configuration files that directly control how the system behaves and how services operate. In a forensic investigation, this makes /etc a high-value source of evidence because attackers often modify these settings to gain or maintain access, disable defenses, or quietly entrench their presence. For example, altering a service's configuration (such as sshd_config) to allow easier remote login or password-based authentication, tweaking PAM modules, or changing sudoers entries can all be reflected in files under /etc and point to how the attacker gained entry or persisted. Because these configuration changes shape how the system runs, they tend to persist across reboots and can reveal the attacker's tactics, scope, and timeline when examined alongside file timestamps and other artifacts.

The value of /etc is not that it stores emails, media files, or application binaries; those live in other directories. Its strength in this context comes from its role as the control center for system behavior: changes there are clear indicators of compromise and help explain how the intrusion was set up and maintained.

