Learning outcome 2
Analyze file metadata and timestamps to reconstruct attacker activity.
Skill drills that assess this outcome
- CSCD240-E1-A-Q48 | primary | performance | metadata | Show detailed metadata for /etc/passwd: inode, all three timestamps, octal perms.
- CSCD240-E1-B-Q33 | primary | performance | forensics-stat | Print all metadata for /etc/passwd: inode, perms in octal, all three timestamps.
- CSCD240-E1-B-Q35 | primary | performance | forensics-time | Print last-modification time of /var/log/syslog in machine-readable (seconds-epoch or ISO) format.
- CSCD240-E1-B-Q36 | primary | performance | forensics-timeline | List the 5 most recently modified files in /tmp (newest first).
- CSCD240-E1-C-Q01 | primary | multiple_choice | forensics | Which command returns inode, permission bits, size, and all three timestamps of a file?
- CSCD240-E1-C-Q21 | primary | multiple_choice | forensics-time | Which find predicate matches files modified within the last 24 hours?
- CSCD240-E1-C-Q30 | primary | performance | forensics-timeline | List 10 most-recently modified files in /var/log/ (newest first).
- CSCD240-E1-C-Q36 | primary | performance | forensics-time | Print ISO-8601 modification time of /etc/passwd.
- CSCD240-E1-C-Q45 | primary | scenario | integrity | Verify /opt/ids/analyze has not been silently replaced — which find predicate and which file-metadata command (no crypto)?
- CSCD240-E1-B-Q10 | secondary | performance | enum-setuid | Locate every setuid-root file on the filesystem; suppress permission-denied noise.