T0447
Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion.
Skill drills that exercise this task
- CSCD240-E1-A-Q14 Show the filenames containing "printf" in all .c files in home directory and subdirs.
- CSCD240-E1-A-Q29 contacts.txt has Name<tab>number lines. Print only those whose number ends with 6.
- CSCD240-E1-A-Q34 Print lines of access.log containing 403 with their line numbers.
- CSCD240-E1-A-Q48 Show detailed metadata for /etc/passwd: inode, all three timestamps, octal perms.
- CSCD240-E1-A-Q50 auth.log line format "2026-04-14 08:31 FAIL user=alex src=10.x". Print top-3 FAIL source IPs, count first, most-frequent first.
- CSCD240-E1-B-Q18 Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
- CSCD240-E1-B-Q19 Top 5 source IPs in FAIL lines of auth.log, where IP is field 5.
- CSCD240-E1-B-Q20 Count distinct usernames on FAIL lines of auth.log where username is "user=<name>".
- CSCD240-E1-B-Q22 Print lines of fw.log matching DENY OR DROP (extended regex).
- CSCD240-E1-B-Q23 Recursively search /etc for any file containing "password=" and print only filenames.
- CSCD240-E1-B-Q28 Suspect PID 31337 is a reverse shell. Print its full command line and working directory.
- CSCD240-E1-B-Q33 Print all metadata for /etc/passwd: inode, perms in octal, all three timestamps.
- CSCD240-E1-B-Q34 Identify the data type of sample.bin (ELF, ASCII, gzip, etc.).
- CSCD240-E1-B-Q35 Print last-modification time of /var/log/syslog in machine-readable (seconds-epoch or ISO) format.
- CSCD240-E1-B-Q36 List the 5 most recently modified files in /tmp (newest first).
- CSCD240-E1-B-Q37 Print a hex + ASCII side-by-side dump of the first 256 bytes of sample.bin.
- CSCD240-E1-B-Q38 List every printable ASCII string of length ≥ 8 inside sample.bin.
- CSCD240-E1-C-Q01 Which command returns inode, permission bits, size, and all three timestamps of a file?
- CSCD240-E1-C-Q11 A log file is continuously updated. Which command shows new lines as written?
- CSCD240-E1-C-Q17 Which command searches the filesystem for a file by name, suppressing permission-denied errors?