Commands

Question 1

lsblk

Answer 1

Displays information about block devices, including partitions and mount points.

Question 2

blkid /dev/sdb

Answer 2

Outputs details of /dev/sdb, such as file system type and UUID

Question 3

cat /etc/fstab

Answer 3

Displays the contents of the file that defines file systems to be mounted at boot

Question 4

find /home -type f -name “*.txt”

Answer 4

Searches for all .txt files under the /home directory

Question 5

awk -F ‘:’ ‘{print $1}’ /etc/passwd

Answer 5

Extracts the first field (username) from the /etc/passwd file

Question 6

grep -i “error” /var/log/syslog

Answer 6

Searches case-insensitively for the word “error” in /var/log/syslog

Question 7

mount -o ro,loop disk.img /mnt/evidence

Answer 7

Mounts the disk.img as read only at /mnt/evidence

Question 8

losetup -a

Answer 8

List all active loop devices

Question 9

fsstat -o 2048 disk.img

Answer 9

Shows file system statistics for the image starting at offset 2048

Question 10

blkls -o 63 disk.img > unallocated.blk

Answer 10

Extracts the unallocated space from disk.img starting at offset 63

Question 11

icat -o 63 disk.img 45 > recovered.txt

Answer 11

Recovers the file linked to inoed 45 from disk.img and saves it as recovered.txt

Question 12

dd if=dev/sda ofdisk_backup.img bs=1M

Answer 12

Copies dara from /dev/sdato disk_backup.img in 1MB blocks

Question 13

mmls disk.img

Answer 13

Displays the partition table of disk.img

Question 14

xxd -s 1024 -l 512 file.bin

Answer 14

Outputs a hex dump of 512 bytes starting at offset 1024 in file.bin

Question 15

bulk_extractor -o results evidence.img

Answer 15

Extracts artifacts (e.g email, URLs) from evidence.img and stores results in results.

Question 16

sort -u usernames.txt:

Answer 16

Sorts the contents of usernames.txt and removes duplicates

Question 17

chmod 644 report.txt

Answer 17

Sets permissions of report .txt to be readable and writable by the owner and readable by owner groups and others

Question 18

strings -n 8 disk.img | grep “password”

Answer 18

Extracts ASCII strings of at least 8 characters from disk.img and filters for “password”.

Question 19

file evidence.img

Answer 19

Identifies the file type and encoding of evidence.img

Question 20

tar -cvf archive.tar /home/user

Answer 20

Creats a tarball archive.tar containing the /home/user directory

Question 21

md5sum file.img

Answer 21

Calculates the MD% has of file.img

Question 22

sha256sum image.raw

Answer 22

Calculates the SHA-256 hash of image.raw

Question 23

find /var/log -size +1M

Answer 23

Fine files larger than 1MB in the /var/log directory

Question 24

grep -r “TODO” /project/code

Answer 24

Recursively searches for “TODO” in all files under /project/code.

Question 25

awk '{if ($2 > 10) print $1}' scores.txt

Answer 25

Prints the first column of rows where the second column is greater than 10

Question 26

ls -R /mnt/evidence

Answer 26

Recursively lists all files and directories under /mnt/evidence

Question 27

fdisk -l

Answer 27

List all disk partitions on the system

Question 28

hashdeep -r /mnt/data

Answer 28

Recursicely hashes all files in /mnt/data and generates a report

Question 29

find . -name "*.log" - exec wc -l {} \

Answer 29

Counts the number of lines in each .log file in the current directory

Question 30

chmod 700 secure_file.txt

Answer 30

Sets the permissions of the secure_file.txt so that the owner can read, write and execute and the owners group and others have no permissions

Question 31

xxd evidence.raw

Answer 31

Displays a hex dump of evidence.raw

Question 32

df -h

Answer 32

Displays disk usage information in human readable format

Question 33

dc3dd if=/dec/sda of=image.img hash=md5

Answer 33

Creates an image of /dev/sda while calculating its MD5 hash

Question 34

mmls -t dos disk.img

Answer 34

Displays the DOS partition table of disk.img

Question 35

istat -o 128 image.img 35

Answer 35

Shows metadata for inode 35 in the image, starting at offset 128

Question 36

mount -o loop, ro evidence.img /mnt/mountpoint

Answer 36

Mounts evidence.img as read-only at /mnt/mountpoint

Question 37

echo $((5+3))

Answer 37

Outputs the result of the arthmetric expression 5 + 3

Question 38

less /var/log/auth.log

Answer 38

Open /var/log/auth.log in a pager for easy navigation

Question 39

basename /path/to/file.txt

Answer 39

Strips the directory path and outptus the filename, file.txt

Question 40

head -n 20 report.log

Answer 40

Displays the first 20 lines of report.log