On a UNIX system, why would it be critical NOT to reboot a system which is being examined post-compromise?
Users might still have open files
Files in /tmp will be removed
Users might still be logged on
The network connection will be lost
Most UNIX systems write temporary files to /tmp, which is often a memory-backed filesystem (tmpfs). When a UNIX box reboots, the contents of that memory are lost. Since /tmp is world-writable, it is a convenient place for an intruder to hide things such as download scripts or locally written exploit code; an operator must set hardened mount options for /tmp in /etc/fstab (for example noexec) to prevent files in this writable temporary space from executing.

Edit: This question isn't necessarily worded poorly; however, there are two answers that are viable. During an initial digital forensic investigation, if the DFI/incident responder were to reboot the system, the answer selection "users might still have open files" would potentially compromise viable evidence that would prove or disprove the DFI's case. AK
EDIT: Also, "The network connection will be lost" is a correct one, because analyzing current network connections can show the attacker's or C&C IP address. "Users might still have open files" can be true (for forensic analysis). "Files in /tmp will be removed" depends on the Linux OS version. In newer distributions and versions it is true, but not in all distributions! This question must be changed.