Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Eccouncil Exam 212-82 Topic 17 Question 36 Discussion

Actual exam question for Eccouncil's 212-82 exam
Question #: 36
Topic #: 17
[All 212-82 Questions]

As a cybersecurity technician, you were assigned to analyze the file system of a Linux image captured from a device that has been attacked recently. Study the forensic image 'Evidenced.img" in the Documents folder of the "Attacker Machine-1" and identify a user from the image file. (Practical Question)

Show Suggested Answer Hide Answer
Suggested Answer: B

The attacker is a user from the image file in the above scenario. A file system is a method or structure that organizes and stores files and data on a storage device, such as a hard disk, a flash drive, etc. A file system can have different types based on its format or features, such as FAT, NTFS, ext4, etc. A file system can be analyzed to extract various information, such as file names, sizes, dates, contents, etc. A Linux image is an image file that contains a copy or a snapshot of a Linux-based file system . A Linux image can be analyzed to extract various information about a Linux-based system or device . To analyze the file system of a Linux image captured from a device that has been attacked recently and identify a user from the image file, one has to follow these steps:

Navigate to Documents folder of Attacker Machine-1.

Right-click on Evidenced.img file and select Mount option.

Wait for the image file to be mounted and assigned a drive letter.

Open File Explorer and navigate to the mounted drive.

Open etc folder and open passwd file with a text editor.

Observe the user accounts listed in the file.

The user accounts listed in the file are:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100: systemd-network:x: systemd-resolve:x: systemd-bus-proxy:x: syslog:x: _apt:x: messagebus:x: uuidd:x: lightdm:x: whoopsie:x: avahi-autoipd:x: avahi:x: dnsmasq:x: colord:x: speech-dispatcher:x: hplip:x: kernoops:x: saned:x: nm-openvpn:x: nm-openconnect:x: pulse:x: rtkit:x: sshd:x: attacker::1000

The user account that is not a system or service account is attacker, which is a user from the image file.


Contribute your Thoughts:

Gene
2 months ago
Wow, this is a tough one. I'm going to go with A. 'smith'. It's the most normal-sounding name, so it's probably the most suspicious.
upvoted 0 times
Nikita
1 months ago
I agree with you, 'smith' does sound like a normal name. Let's see if that's the right choice.
upvoted 0 times
...
Rory
1 months ago
'john' seems like a pretty generic name, so I'm going with that one.
upvoted 0 times
...
Adelina
1 months ago
I'm leaning towards 'roger'. It just seems like a common name that someone might use as a username.
upvoted 0 times
...
Carmen
2 months ago
I think it might be 'attacker'. Sounds like a typical username for someone up to no good.
upvoted 0 times
...
...
Pok
2 months ago
This question is a piece of cake! The answer is clearly B. 'attacker'. I mean, who else would have the guts to call themselves that, right?
upvoted 0 times
...
Eulah
2 months ago
Hold on, I think it's D. 'john'. The most boring answer is usually the right one in these kinds of tests.
upvoted 0 times
...
Alesia
3 months ago
I'm going with C. 'roger'. It's a classic hacker name, don't you think? Plus, it's not as obvious as 'attacker'.
upvoted 0 times
Daren
2 months ago
I see your point, but I'm sticking with C) roger. It just feels right to me.
upvoted 0 times
...
Kindra
2 months ago
I agree with you, I'll choose D) john. It seems like a plausible choice.
upvoted 0 times
...
Lina
2 months ago
I think I'll go with A) smith. It sounds like a common username.
upvoted 0 times
...
...
Leslie
3 months ago
I think it's john, the file system points to that user.
upvoted 0 times
...
Zack
3 months ago
I believe the user could be roger based on the evidence.
upvoted 0 times
...
Rhea
3 months ago
I agree with Cassie, the user is most likely attacker.
upvoted 0 times
...
Alesia
3 months ago
Definitely B. 'attacker' is the obvious choice here. It's like asking who the criminal is in a crime scene investigation.
upvoted 0 times
Arlette
2 months ago
Yeah, I agree. 'attacker' stands out as the most likely culprit in this case.
upvoted 0 times
...
Lera
3 months ago
I think it's B too. 'attacker' seems like the most suspicious user.
upvoted 0 times
...
...
Cassie
3 months ago
I think the user might be attacker.
upvoted 0 times
...

Save Cancel