Linux File Systems Overview

Questions and Answers

What is the current version of the Extended File System (Ext) commonly used with Linux?

Ext4

Which file system can support volumes with sizes up to 1 exabyte and single files with sizes up to 16 terabytes?

Ext4

Which version of the Extended File System (Ext) was the first to support journaling?

Ext3

What is the most secure and safe level of journaling in Ext3 and Ext4?

Journal

Which level of journaling writes only metadata to the journal, but changes to files are not journaled until they have been committed to the disk?

Ordered

What does Ext4 add in the journal to prevent errors?

Checksums

Which file system has always supported journaling?

ReiserFS

Before Ext3, which version of Ext did not support journaling?

Ext2

'With the ordered level, only metadata is written to the journal.' What happens next with changes to files?

'Changes are not journaled until they have been committed to the disk.'

Which file system has the most recent version among the ones mentioned in the text?

ReiserFS

What major scientific discoveries were made at Bell Laboratories?

First evidence of the Big Bang and birth of the C programming language

What was Bell Labs' involvement in the project called Multics?

Multics was a joint project with MIT and General Electric to create an operating system

What decision did Bell Labs make regarding the Multics project?

Bell Labs decided to pull out of the Multics project due to significant problems

Where was the Unix operating system created?

Bell Laboratories

What is a notable characteristic of Linux in relation to Unix?

Linux is a clone of Unix

What motivated the creation of Unix by Bell Laboratories?

The lack of a widely available operating system in the 1960s

Which institution was not involved in the Multics project?

Microsoft Corporation

What significance does understanding Linux history have for conducting forensics on a Linux machine?

Provides a common background knowledge level for all learners

Why is it suggested that learners with a good working knowledge of Linux still read through the basics?

To ensure they don't miss any critical details

What led to Bell Labs' decision to pull out from the Multics project?

Significant issues faced during the project

What was the original name of the Unix project?

Unics

In what year was the Unix operating system released?

1972

Who is considered one of the fathers of the open-source movement for working on a Unix clone called GNU?

Richard Stallman

Which operating system did Andrew S. Tanenbaum create primarily as a teaching tool for his students?

Minix

What was Linus Torvalds' motivation for creating Linux?

To create an open-source version of Unix

Which shell is considered the most commonly used in Linux?

Bash

"GNU's Not Unix" was created by Richard Stallman as an acronym for what purpose?

"GNU's No Unix"

"Minix" was intended primarily as a ____________.

Research project

'Linus' + 'Unix' gave rise to which operating system?

"Minix"

'Bourne-like syntax' is a characteristic of which shell?

"C shell (csh)"

What does the 'ls -a' flag do when used with the ls command?

Displays hidden files

When using the 'cp -R' command in Linux, what does it do?

Recursively copies directories and their contents

What is the purpose of the 'mkdir -p' command in Linux?

Creates parent directories as needed

Which command is used to delete or remove a file in Linux?

rm

What does the 'rm -i' command do when deleting a file?

Prompts before any removal

In Linux, what does the 'cd ~' command do?

Changes to the home directory of the current user

What does the diff command do when comparing two files?

Performs a byte-by-byte comparison

Which command is used to move a file to a different location?

mv

What does the pstree command display about processes?

Shows processes in a tree format, indicating process relationships

In Linux, what does the top command primarily provide information on?

Currently running processes

Which command is used to list various partitions in Linux?

fdisk

What does the rmdir command do in Linux?

Removes or deletes entire directories

cmp in Linux is primarily used for what purpose?

Performing a byte-by-byte comparison of files

ps -aux provides additional details about what in Linux processes?

% memory usage

What is the main function of the fsck command in Linux?

Check if a given partition is in good working condition

When using the > command in Linux, what action does it perform?

Redirects output to a file

What does the 'lsattr' command specifically list on a Linux second extended file system?

File attributes

Which command is used to display all environmental variables in Linux?

env

In a forensics context, why is the 'lsof' command particularly useful?

To identify open files and their associated processes

What is the primary function of the 'lsattr' command when used on a Linux system?

List file attributes

Which command would you use in Linux to view open files and the processes that opened them?

lsof

Which desktop environment is known to be quite easy to learn and use?

LXDE

What was the default desktop for Sun Solaris systems at one point in time?

CDE

Which desktop environment is specifically meant for graphics developers?

Enlightenment

On which desktop environment is Linux Mint's desktop frequently seen?

Cinnamon

Which desktop environment is a lightweight (low resource utilization) desktop?

LXDE

What was KDE founded as a word play on?

'Common Desktop Environment' (CDE)

Which GUI framework is KDE built on?

C++

'Spectacle' in KDE Plasma 5 is primarily used as:

A screenshot tool

'Dolphin' in KDE Plasma 5 functions as:

'A file manager'

When comparing to Linux Mint, where can you often find Cinnamon desktop?

Lightweight X11 Desktop Environment (LXDE)

Which of the following is NOT one of the two most popular Linux GUIs discussed in the text?

Cinnamon

What is the current version of the KDE Plasma Desktop as per the text?

KDE Plasma 5.22

Which toolkit is GNOME built on according to the text?

GNOME Toolkit (GTK+)

Where is Plasma Mobile primarily intended to be used based on the text?

Phones

What is the acronym for GNOME as stated in the text?

GNOME

Which Linux distribution exclusively ships with GNOME according to the text?

Ubuntu

In which year was GNOME 3 released as per the text?

2011

What system does KDE Plasma use for windowing functions based on the text?

X Window System

What is the full form of KDE as mentioned in the text?

K Desktop Environment

What is the main role of the first-stage boot loader in a Linux system?

Load the second-stage boot loader

What is the purpose of the 64 bytes partition table in a Linux first boot loader?

Records partitions information

What happens after the kernel is decompressed and initialized in a Linux boot process?

Devices are reinitialized

What does the second-stage boot loader do after loading the Linux kernel into RAM?

Mounts the root device

In a Linux system, what triggers the system to switch from real mode to protected mode?

Decompressing and initializing the kernel

What is the significance of the 2 bytes magic number (0xAA55) in a Linux first boot loader?

Terminates the first boot loader

What does the second-stage boot loader primarily focus on loading in a Linux system?

Linux kernel

What is the purpose of the master boot record (MBR) in the Linux boot process?

Loads the boot loader program

What is the significance of the Unified Extensible Firmware Interface (UEFI) in modern systems?

Replaces the BIOS in booting Linux

In the Linux boot process, what is the role of the bootstrap environment on embedded systems?

Executes special programs like U-Boot or RedBoot

What distinguishes GRUB from LILO in the Linux boot process?

More widely used and modern

What does the hex value 0xaa55 represent in the boot sector of Linux disks?

Indicates a bootable disk

Which program directly follows the master boot record (MBR) in the Linux boot process?

Bootstrap environment

What occurs after the bootstrap environment is loaded in the Linux boot process?

Execution of special programs like U-Boot

Which statement about GRUB in Linux is correct?

Exists in two versions: 1.0 and 2.0.

What is the role of the first-stage boot loader in a Linux system?

Execute the second-stage boot loader

Which command would you use to view the content of the Master Boot Record (MBR) in a Linux system?

hexdump -n 512 /dev/sda

After the kernel is decompressed and initialized in a Linux boot process, what is the next step?

Mount the root device and load kernel modules

In Linux, what is the purpose of the second-stage boot loader?

Load the Linux kernel

What does the primary boot loader in Linux contain?

Error messages and executable code

What is the function of the partition table in a Linux boot loader?

Hold records for each partition on a device

What happens when the Linux kernel initializes system devices?

Devices initialized by BIOS are skipped

After loading the compressed kernel, what does the system do next in the Linux boot process?

'Start_kernel()' function is called

What marks the end of the first stage of the Linux boot process?

Passing control from BIOS/UEFI to MBR

Which program is loaded by the master boot record (MBR) in the Linux boot process?

LILO (Linux Loader)

What is the purpose of the bootstrap environment in embedded Linux systems?

Execute boot sector code

What is the significance of the hex value 0xaa55 in the boot sector of a disk?

Identifies the disk as bootable

In modern Linux systems, which program handles loading, managing and switching between different operating systems on startup?

GRUB

What is located on the first sector of a bootable disk in a Linux system?

Master Boot Record (MBR)

Which firmware is used in modern systems that provides an improvement over BIOS but achieves similar goals?

UEFI firmware

What role does U-Boot or RedBoot play in the Linux boot process in embedded systems?

Loads GRUB bootloader

What is the default run level for a Linux system that boots into full multiuser mode without GUI?

Run level 3

In a Linux system, what is the primary purpose of run level 1?

Enter Single-user mode

Which directory in Linux houses the service configurations for halting the system?

/etc/rc.d/rc0.d

What is the default active service for a Linux system in run level 6?

Reboot

Which run level in Linux is associated with full multiuser mode but without a graphical user interface (GUI)?

Run level 3

What is the primary role of Logical Volume Manager (LVM) on a single system?

Resizing partitions and taking snapshots

According to SWDGE, what does LVM provide on top of traditional partitions and block devices?

Flexibility in configuring storage

In a forensics context, why must forensic tools be LVM aware?

To accurately parse on-disk structures

What important structure is found in the first megabyte of a Physical Volume (PV) in LVM?

LVM header

How does LVM allow for more flexible storage configuration compared to traditional partitions?

By virtualizing partitions and enabling splitting, combining, and arraying across disks

What must be considered when acquiring an LVM volume according to the text?

The logical configuration of the storage

What is the maximum size of single files that the Ext4 file system can support?

16 petabytes

Which type of journaling in Ext3 and Ext4 writes both metadata and file contents to the journal before committing changes to the main file system?

Journal

What was the first version of the Extended File System (Ext) to support journaling?

Ext3

Which of the following is NOT a level of journaling in Ext3 and Ext4 file systems?

Logged

What significant feature did Ext4 add to its journal to prevent errors?

Checksums

In the Reiser File System (ReiserFS), what feature has it always supported?

Journaling

'Only metadata is written to the journal, and it might be written to the journal before or after it is actually committed.' Which level of journaling does this statement refer to?

'Writeback' level

'With the ordered level, only metadata is written to the journal; however, changes to files are not journaled until they have been committed.' What happens next with changes to files after they are committed?

'Ordered' level writes them to the disk.

What is the name for the least secure level of journaling in Ext3 and Ext4 where only metadata is written to the journal?

Writeback

What was a distinguishing feature between the first two versions of Ext and Ext3 regarding journaling support?

No support for journaling at all

What type of log can be useful in tracking attempts to hack into a web server when running the Lighttpd server on a machine?

/var/log/lighttpd/* Log

In a computer crime investigation, which log would be particularly relevant to look into for database attacks?

/var/log/mysql.* Log

What is the main function of Snort in computer security as described in the text?

Detecting suspicious network activity

In the context of intrusion detection systems, what differentiates passive IDS from active IDS?

Passive IDS shut down suspected attacks while active IDS only log them.

Why might an organization's security administrator need to make a decision about the use of active versus passive IDS?

To determine how suspected attacks are handled

What does the Apport log primarily record as stated in the text?

Application crashes

In a computer crime investigation, what can examining email logs be particularly useful for?

Cyberstalking cases

What distinguishes passive IDS from active IDS in handling suspicious network activity?

Active IDS shut down suspected attacks while passive IDS only log.

Which type of logging would be most relevant for crimes involving web server attacks?

/var/log/lighttpd/* Log

What type of information does the /var/log/faillog log contain?

Failed user logins

Why are numerous failed login attempts at diverse times concerning from a forensic perspective?

They may be an indicator of someone trying to compromise system access.

What is the main purpose of the /var/log/kern.log log in Linux forensics?

Displaying messages from the operating system kernel

In a forensic investigation, why is finding related messages in the kern.log considered beneficial?

It can rule out the presence of malware.

What kind of information does the /var/log/lpr.log log provide?

Printed documents record

Why might the printer log (/var/log/lpr.log) be particularly relevant in corporate espionage cases?

It provides evidence of printed sensitive documents.

Where can binary or compiled files be found in a Linux system?

/bin directory

Which directory in Linux contains binary files not intended for the average computer user?

/sbin directory

What type of files are typically stored in the /etc folder in Linux?

Configuration files

Which directory serves as the home directory for the root user in Linux?

/root directory

In a Linux system, where might an administrator typically find data located?

/root directory

Which Linux directory may contain programs, including potentially harmful ones like malware?

/bin directory

What does the inittab file define in a Linux system?

Init levels and actions at boot-up

Where can you find backups of system files like /etc/shadow/ and /etc/inetd.conf?

/var/backups directory

What type of data is primarily stored in the /tmp directory of a Linux system?

Temporary files needed by the system

Which directory should a forensic analyst check to see what devices are currently mounted on a Linux system?

/mnt directory

What is the primary function of the /var/tmp directory compared to the /tmp directory in a Linux system?

It contains temporary files that persist between reboots

Where would you look to determine the initial run level of a Linux system if there is no initdefault entry present in the inittab file?

/etc/inittab file

What type of directory is the /proc directory in Linux?

It keeps information about currently running processes

If an intruder deletes an executable and a text file, but the process is still running in memory, how can you recover the deleted executable on a live Linux system?

By navigating to /proc/ and copying the executable

Which directory in Linux contains information about run-time variable data that is cleared during the boot process?

/run

What makes the content of the /proc directory unique compared to other directories on a Linux system?

It is created in memory

Why is the /var/spool directory considered important for system security?

It is where hackers hide files and communications

How does copying an executable from /proc/ help recover a deleted file on a live Linux system?

By extracting the deleted file from memory

What information can be found in the /run directory in Linux?

/run stores run-time variable data cleared during boot

How does the /proc directory differ from other directories on a Linux system?

/proc keeps information about currently running processes

What type of files are typically found in the /bin directory in Linux?

Binary or compiled files

Where is the mke2fs command, a file system utility mainly used by administrators, typically located in Linux?

/sbin directory

Which directory in Linux contains configuration files for applications and is essential for their startup?

/etc folder

In a Linux system, where would you typically find the home directory for the root user?

/root directory

Which major Linux directory contains binary files not meant for average users but rather for system administrators?

/bin directory

If an intruder wants to modify how a specific application behaves on a Linux system, which folder would they most likely target?

/etc folder

Where are device files located in a Linux system?

/dev directory

What is the primary function of the /mnt directory in Linux?

Mounts devices like floppy and CD-ROM drives

Which directory in Linux primarily stores temporary files needed by the system?

/tmp directory

What kind of files are typically found in the /var/tmp directory in Linux?

Temporary files preserved between system reboots

Which subdirectory under /var stores backups of system files in Linux?

/var/backups

What is the primary purpose of the inittab file in Linux?

Setting the boot-up process and run levels

What type of information is stored in the /var/spool directory in Linux?

Print queue information

How does the /proc directory differ from other directories in a Linux system?

It is created in memory and keeps information about running processes

In a live Linux system, how can a deleted executable file be recovered from memory?

By copying the executable from /proc to another directory

Which directory in Linux contains run-time variable data that is cleared during the boot process?

/run

Why is the /proc directory considered useful on a live Linux system before it is shut down?

To recover deleted files and evidence

What kind of data does the /run directory contain in Linux?

Boot-time variable data

If an intruder deletes an executable but it is still running in memory, how can it be recovered on a live Linux system?

By copying it from the /proc directory to another directory

What is the primary purpose of the /run directory in a Linux system?

To maintain run-time variable data.

What command in Linux allows you to view the commands that have previously been entered?

history

Which Linux command is commonly used to mount a new file system?

mount

On a Linux system, which command shows the currently running processes for the current user?

ps

If you want to search for specific data in a file named 'myfile.txt' in Linux after using the 'dmesg > myfile.txt' command, which command would you use?

grep

In Linux, what information does the history command provide by default?

Last 500 shell commands

Which Linux command allows you to find the history files for specific users?

history

What does the ps command in Linux display by default?

Currently running processes for the current user

Which Linux command is commonly used to display more information about processes?

$ ps -aux

'When you first locate a Linux machine that is suspect, this is one of the commands you might want to run and record the results of before powering down the system.' Which command does this statement refer to?

history

What is the primary function of the dmesg command in a forensic investigation?

Display messages during the Linux boot process

Which utility can help detect and resolve issues with aging hard drives during forensic analysis?

e2fsck

In what scenario would it be advisable to pipe the output of dmesg to a file?

To store boot process messages for investigation

What precaution should be taken before using file system utilities like fsck in forensic analysis?

Run all other forensic methods first

What type of information can be found in the messages displayed by the dmesg command?

Hardware initialization details

How can the output of the dmesg command be managed to avoid filling multiple screens?

Pipe output to a separate file for viewing

What distinguishes the dmesg command from other shell commands in a forensic context?

'dmesg' captures boot process messages

Why is it crucial to review messages displayed during the boot process in forensic investigations?

To understand system initialization and potential issues

'fsck' is primarily used in forensic investigations to ______________.

Assess data integrity and resolve file system issues

What makes storing dmesg output in a file advantageous for forensic professionals?

Preserves system messages for post-boot analysis.

What additional information does the pstree command provide compared to the ps command?

Process initiation relationships

Which command in Linux is useful for retrieving the PID of a process based on its name?

pgrep

When using the top command in Linux, how are processes listed?

By CPU time utilization

What is the primary function of the file command in a forensic investigation?

Identify file types

How can the kill command be used in Linux?

To halt a running process by its PID

Which Linux command can help identify what a file truly is, even if its extension has been changed?

file

In a forensic investigation, why might knowing the process initiation relationships be crucial?

To identify potential malware origins

What distinguishes the output of the top command from the ps command in terms of process information?

CPU time utilization

Why is the kill command considered a crucial tool in managing processes in a Linux system?

To terminate specific running processes by their PIDs

What command can you use in Linux to make a forensic copy of a suspect drive?

dd

Which command would you use to check all the users currently logged in to a Linux system?

who

If you notice one specific user consuming resources on your server, which command could help you gather more information about that user?

finger

In Linux, how can you acquire root privileges without logging out and then back in as the root user?

Invoke super-user mode using su

Where do you find device files located in a Linux system?

/dev/mem and /proc/kcore files

What is a primary use of the dd command besides creating forensic copies of drives?

Making physical images of live memory

What does the who command primarily display in a Linux system?

Logged-in users

What does the -R flag do when used with the ls command in Linux?

Causes a recursive listing of all subdirectories

Why is it important to check for executables in places like the /tmp directory in Linux forensics?

To ensure no unauthorized executables are present

In Linux forensics, which command can be combined with the ELF file format to find executables in suspicious locations?

find

What role does the > directories.txt play when using the ls command in Linux?

Writes the output of ls to a text file

Why is it crucial to know what scheduled tasks have been set on a machine in a forensic investigation?

To identify potential malicious activities

What can be inferred about the system from an executable being found in the /tmp directory in Linux?

There might be a security breach or malware presence

How can the find command be used to detect potential malware executables in Linux forensics?

-exec flag to execute actions on found files

What does the inode store information about in a Linux file system?

Everything about the file except its name and data

What does the inode link count reaching zero signify in Linux?

The file has been permanently removed from the system

How can a deleted file be recovered in Linux according to the text?

By retrieving the file before the inode link count reaches zero

What method is suggested by the text for recovering a deleted file in Linux?

Moving the system to single-user mode

What happens to a file in Linux when its reference count reaches zero?

It is permanently removed from the system

How does the operating system locate a file based on its name in Linux?

By looking up the corresponding inode number

What does an inode represent in a Linux file system?

A data structure storing information about a file

In Linux, what does it mean when a filename is referred to as an 'entry in a table'?

'Table' represents an internal lookup structure in memory

'ls -i' provides what information about files according to the text?

'inode number for listed files'

'grep' is traditionally used in Unix/Linux for what purpose?

Searching for patterns in text files

What is the primary reason mentioned in the text for using multiple forensics tools, even if you already have a preferred commercial tool?

To ensure quality control by repeating tests with a second tool

What is highlighted in the text as a benefit of using open-source tools like those available in Kali Linux?

Cost-effective solutions

In the context of Kali Linux forensics, which factor may vary between different versions of Kali Linux?

The availability of forensics tools

Why is it recommended in the text to repeat certain tests with a second tool even if you already have a preferred commercial tool for forensics?

To ensure the accuracy and reliability of results

What is emphasized in the text as a good practice when using Kali Linux for forensics, especially when you already have a commercial tool like OSForensics or EnCase?

Use multiple tools to cross-verify forensic findings

What is the primary purpose of using the cat command in Linux forensics?

To display the contents of a file

What is the purpose of the locate command with the -i flag in Linux forensics?

Search for files in a case-insensitive manner

In Linux forensics, what is the role of the xargs command?

Build an execution pipeline from standard input

Which advanced Linux command can be used to display a list of partitions in a disk image?

mmls

What is the main function of the dstat command in Linux forensics?

List statistics associated with specific disk blocks

When talking about Linux forensics, what does the dcalc command help in mapping?

Deleted disk blocks to existing files

In Linux forensics, what does the dls command primarily list?

/etc directory contents

What does the mmls command specifically display when used on a disk image?

/etc directory contents