Learning outcome 1
Collect and preserve volatile and non-volatile operating-system evidence.
Skill drills that assess this outcome
- CSCD240-E1-A-Q30 primary performance archive Create gzip-compressed tarball backup.tar.gz of all .txt files in pwd.
- CSCD240-E1-B-Q34 primary performance forensics-file Identify the data type of sample.bin (ELF, ASCII, gzip, etc).
- CSCD240-E1-B-Q37 primary performance forensics-hex Print a hex + ASCII side-by-side dump of the first 256 bytes of sample.bin.
- CSCD240-E1-B-Q38 primary performance forensics-strings List every printable ASCII string of length ≥8 inside sample.bin.
- CSCD240-E1-B-Q50 primary performance archive-evidence Create gzip-compressed tarball evidence.tar.gz of every .log in /var/log/.
- CSCD240-E1-C-Q19 primary multiple_choice forensics-strings Which command lists printable ASCII strings of length ≥8 inside binary.bin?
- CSCD240-E1-C-Q31 primary performance archive Create gzipped tarball ir-evidence.tar.gz of every .log in /var/log/.
- CSCD240-E1-C-Q33 primary performance forensics-hex Hex + ASCII side-by-side dump of first 128 bytes of sample.bin.
- CSCD240-E1-C-Q35 primary performance archive-extract Extract the archive case-123.tar.gz into the current directory.
- CSCD240-E1-C-Q50 primary scenario ir-process IR runbook: capture terminal session output of every IR command. Name the command and why it matters for chain of custody.