CO-O5 Cyber Forensics

Methods and procedures for identifying, preserving, analyzing, and presenting digital evidence.

Learning outcomes

What a student must demonstrate to claim coverage of this unit. Each outcome links to the skill drills that assess it.

1. CO-O5-O1 Collect and preserve volatile and non-volatile operating-system evidence.
2. CO-O5-O2 Analyze file metadata and timestamps to reconstruct attacker activity.

Exam questions that cite this unit

• CSCD240-E1-A-Q30 archive Create gzip-compressed tarball backup.tar.gz of all .txt files in pwd.
• CSCD240-E1-A-Q48 metadata Show detailed metadata for /etc/passwd: inode, all three timestamps, octal perms.
• CSCD240-E1-B-Q10 enum-setuid Locate every setuid-root file on the filesystem; suppress permission-denied noise.
• CSCD240-E1-B-Q33 forensics-stat Print all metadata for /etc/passwd: inode, perms in octal, all three timestamps.
• CSCD240-E1-B-Q34 forensics-file Identify the data type of sample.bin (ELF, ASCII, gzip, etc).
• CSCD240-E1-B-Q35 forensics-time Print last-modification time of /var/log/syslog in machine-readable (seconds-epoch or ISO) format.
• CSCD240-E1-B-Q36 forensics-timeline List the 5 most recently modified files in /tmp (newest first).
• CSCD240-E1-B-Q37 forensics-hex Print a hex + ASCII side-by-side dump of the first 256 bytes of sample.bin.
• CSCD240-E1-B-Q38 forensics-strings List every printable ASCII string length≥8 inside sample.bin.
• CSCD240-E1-B-Q50 archive-evidence Create gzip-compressed tarball evidence.tar.gz of every .log in /var/log/.
• CSCD240-E1-C-Q01 forensics Which command returns inode, permission bits, size, and all three timestamps of a file?
• CSCD240-E1-C-Q19 forensics-strings Which command lists printable ASCII strings of length ≥8 inside binary.bin?
• CSCD240-E1-C-Q21 forensics-time Which find predicate matches files modified within the last 24 hours?
• CSCD240-E1-C-Q30 forensics-timeline List 10 most-recently modified files in /var/log/ (newest first).
• CSCD240-E1-C-Q31 archive Create gzipped tarball ir-evidence.tar.gz of every .log in /var/log/.
• CSCD240-E1-C-Q33 forensics-hex Hex + ASCII side-by-side dump of first 128 bytes of sample.bin.
• CSCD240-E1-C-Q35 archive-extract Extract the archive case-123.tar.gz into the current directory.
• CSCD240-E1-C-Q36 forensics-time Print ISO-8601 modification time of /etc/passwd.
• CSCD240-E1-C-Q45 integrity Verify /opt/ids/analyze has not been silently replaced — which find predicate and which file-metadata command (no crypto)?
• CSCD240-E1-C-Q50 ir-process IR runbook: capture terminal session output of every IR command. Name the command and why it matters for chain of custody.