Commands

Question 1

lsblk

Answer 1

list disks and partitions attached to system

Question 2

What command can be used to display mounted devices and paritions

Answer 2

lsblk

Question 3

What commands can be used to create or list partitions

Answer 3

fdisk -l <dev>
gdisk -l <dev></dev></dev>

Question 4

fdisk -l

Answer 4

list partitions

Question 5

gdisk

Answer 5

likes GPT partitions

Question 6

su -

Answer 6

switch user to root

Question 7

uname

Answer 7

identify kernel version

Question 8

sudo

Answer 8

use root for one specific command

Question 9

What commands can be used to identify hard ware

Answer 9

lspci
lsusb
usb-devices

-v (verbose)
-k (expanded output)

Question 10

cat <file></file>

Answer 10

stream contents of file to terminal/shell

Question 11

What commands can be used to identify USB serial number

Answer 11

lsusb -v
usb-devices

Question 12

man <command></command>

Answer 12

user manual / information on the command

Question 13

What commands can be used to identify disk information

Answer 13

lsscsi (does not show partitions)
file -s
fdisk - l </dev/>

Question 14

What is the order of commands to use to identify a device, partition, and file system

Answer 14

lsblk = mounted devices
fdisk -l <> = partition information
file -s <> = file system

Question 15

lsscsi

Answer 15

list the scsi partitions

Question 16

file -s </dev/sdaX>

Answer 16

identify the file system of a device

Question 17

dmesg

Answer 17

device messages / information about a device received directly from kernel

can contain serial number, model, date/time connected/disconnected

Question 18

what is the /bin folder

Answer 18

binary folder which contains standard commands like ls, cd, pwd, etc

Question 19

what is the /boot folder

Answer 19

contains files needed at bool (LILO or GRUB)

Question 20

what is the /dev folder

Answer 20

files that represent devices on a system (device nodes)

Question 21

what is the /etc folder

Answer 21

contains administrative configuration files and scrips

Question 22

what is the /home folder

Answer 22

user home directory

Question 23

what is the /lib folder

Answer 23

32bit software libraries (program files)

Question 24

what is the /lib64 folder

Answer 24

64bit software libraries (program filesx64)

Question 25

what is the /media folder

Answer 25

udisks mount points / standard place to mount system removable media

Question 26

what is the /mnt folder

Answer 26

temporary mount points for external, remote, removeable file systems

Question 27

what is the /opt folder

Answer 27

folder for optional software files

Question 28

what is the /sbin folder

Answer 28

administrative commands (fdisk, ifconfig, etc.)

Question 29

what is the /usr folder

Answer 29

contains local software, libraries, and user specific installer files

Question 30

what is the /var folder

Answer 30

contains logs and other variable files

Question 31

what is the /run directory

Answer 31

contains dynamic run files for system daemons like udev and udisks

Question 32

mount

Answer 32

manually mount a specific device

example:

mount -t <file> -o <option> <device> <mountpoint></mountpoint></device></option></file>

Question 33

what command can be used to unmount a mount point

Answer 33

umount

Question 34

what does the /etc/fstab file contain

Answer 34

file system table of device, mountpoint, file system type, and default options

Question 35

What is the userspace command to mount / unmount a device

Answer 35

udiskctl mount
udiskctl unmount

-b (specifies block device to mount)

will mount under /run/media

Question 36

grep < pattern > < filename >

Answer 36

search for occurrences of the pattern within the file name

Question 37

find <start directory <criteria></criteria>

Answer 37

searches for files based on criteria

Question 38

what is this find command looking for

find /etc -iname fstab

Answer 38

find, starting in the /etc directory, a filename fstab (case insensitive)

Question 39

file

Answer 39

categorizes files based on a file signature comparison (to magic files)

Question 40

ps

Answer 40

list current running processes

Question 41

strings

Answer 41

prints out readable characters from a file

used to search data files and extract useful strings

Question 42

chmod

Answer 42

change permissions on a file

Question 43

chown

Answer 43

change owner (and group) of a file

Question 44

what information is outputted for ls -l

Answer 44

file type (. - regular file, d-directory, b-block device, c-character device, l-link)

permissions (owner, group, others)

user

group

size in bytes

date modified

filename

Question 45

What does > do

Answer 45

output to a file (stdout)

Question 46

What does&raquo_space; do

Answer 46

append to a file

Question 47

What does 2> do

Answer 47

output error messages (stderr)

Question 48

bc

Answer 48

basic calculator

Question 49

Explain the command:

echo “scale =2”; 5/3” | bc

Answer 49

Divide 5/3 with decimal place of 2

Output: 1.66

Question 50

explain the command:

echo “ibase=16;4C | bc”

Answer 50

calculate the hex to decimal value of 4C

output = 76

Question 51

What is a base shell arithmetic expansion

Answer 51

echo $((Calculation))

Question 52

Explain the command:

echo $((0x4c-70))

Answer 52

Calculate the hex to decimal value of 4C (76) and subtract 70

Output = 6

Question 53

What file stores the history of a bash shell

Answer 53

.bash_history

Question 54

vi

Answer 54

virtual editor

Question 55

What are the edit modes in vi

Answer 55

i = insert
a= append
o=open a new line under current line
0 = open a new line above current line

Question 56

Explain the following commands in vi

0-
$-
x-
X-
dd-
y-
p-
P-
:wq
:w
:q!
:wq!
:w fname
/string

Answer 56

0-move cursor to beginning of line
$-move cursor to end of line
x-delete character under the cursor
X-delete the character before the cursor
dd- delete the entire line the cursor is on
y-yank/copy
p-paste after the cursor
P-paste before the cursor
:wq- save and quit
:w- save and continue editing
:q! - quit and discard changes
:wq! - save and quit without prompt
:w - save as filename
/string - search for strings\

Question 57

What file controls the init program

Answer 57

/etc/inittab

Question 58

What does /etc/profile contain

Answer 58

global bash initialization file for login shells

Question 59

What is a runlevel

Answer 59

A description of a system state (shutdown, single user mode, reboot, graphical login) for BSD startup

Question 60

what does the /.bash_profile contain

Answer 60

used by bash to load configuration for login shell for each user

Question 61

what does the /.bashrc contain?

Answer 61

used by bash to load configuration for non-login shells

Question 62

What files are used to control access to the linux system

Answer 62

/etc/hosts.deny
/etc/hosts.allow

Question 63

iptables

Answer 63

used to block network traffic at physical network interface (IP level)

Question 64

what command is used in Slackware for package management

Answer 64

slackpkg

Question 65

Explain compiling from source

Answer 65

distribution agnostic
can tailor to your specific environment
without careful manipulation, the executables and libraries placed in less than optimal locations
can be difficult to manage upgrade paths or remembering what has been installed

Question 66

tar

Answer 66

used to extract/create tar archives

Question 67

make

Answer 67

used to create an install package

Question 68

Explain distribution packages

Answer 68

package manager
handles the work of adding and removing software packages from your system

Question 69

wget

Answer 69

download files from website

Question 70

sbotools

Answer 70

install and building software on slackware

Question 71

sbointsall

Answer 71

install a package (and is dependencies)

Question 72

hdparm -I /dev/sdd

Answer 72

used to identify hard drive detailed information

Question 73

md5sum <file></file>

Answer 73

calculates md5 hash

Question 74

sha1sum <file></file>

Answer 74

calculate sha1sum

Question 75

explain the following command:

dd if=/dev/sdd of=/path/image.raw bs=512

Answer 75

using dd, image /dev/sdd to file image.raw with block size 512

Question 76

what is conv=noerror,sync when used with dd

Answer 76

pass copying sectors with errors and pad those sectors with zeros

Question 77

How can you split a raw image

Answer 77

split <file> <output></output></file>

-d (output file uses numerical numbers)
-aN (suffix length and N= length of characters i.e. a3 for .001)
-bXG (treat input as binary and line are ignored, XG=size in GB i.e. 4GB)

Question 78

How can you use cat to merge split image files

Answer 78

cat image.raw.* > image.raw.new

Question 79

What are the command line imaging tools used

Answer 79

dd
dc3dd
ewfacquire
ddrescue

Question 80

Explain the following command:

dc3dd if=/dev/sdc hofs=dc3dd.raw ofsz=512M hash=sha1 hash=md5 log=dc3dd.log

Answer 80

hof = hash of input, output

ofs = split output file

hofs = hashes and splits

ofsz = output file size
hash = algorithm
log=FILEname for logfile
hlog = write hash log of image and any split files to the log file

Question 81

ewfacquire

example: ewfacquire -C “2019-001” -d sha1 -D “thumb drive seized from bad buy” -e “Barry Grundy” -E “2019-001-002” -m removable -M physical -S 512M -t case.disk2 -u /dev/sdb

Answer 81

acquire a specific device (forensic image) with added features of adding metadata into E01 files

Question 82

ewfinfo

Answer 82

reads the metadata that was entered during the imaging process

Question 83

ewfverify

Answer 83

hashes the forensic image file / allows to verify against original media

Question 84

ewfexport

ewfexport -t < file> -f raw -u < file>.E01

Answer 84

take an ewf file and convert it to bit stream image file (raw file)

-t(target) - to write a file
-f - file format
-u - accept remaining defaults / run unsupervise

Question 85

ddrescue

ddrescue /dev/sdb ddres_image.raw ddress.map.txt
ddrescue <device> <extracted> <map file></extracted></device>

Answer 85

when there are errors in disk when creating an image (conv=noerror,sync) this can use a map file to recreate

will read the healthy portions of a disk first then fall back to recovery mode, trying to read data from bad sectors, allowing ddrescue to resume any imaging job given a map file (of bad sectors) to work off of

Question 86

what does tar tzvf < file> do

Answer 86

tar command will extract a zip

t-list
z-decompress
v-
f-file
x-extract

Question 87

what command would you use to listen for a netcat command on port 2525 and output to a raw file

Answer 87

nc -l -p 2525 | dd of=/mnt/vidence/net.dd.raw

Question 88

Explain what this command is doing:

dd if=/dev/sda | nc 192.168.0.1 2525

Answer 88

Pipes the output of dd command of /dev/sda to the IP address through port 2525

Question 89

What does ewfacquirestream do

Answer 89

similar to ewfacwuire but through a netcat / stream command

example: nc -l -p 2524 | ewfacquirestream -M physical -t / mnt/evidence/net_ewfstream

Question 90

What are these flags for ewfacquirestream

-C
-D
-e
-E
-f
-m
-M
-N
-t

Answer 90

-C=case number
-D=description
-e=examiner
-E=evidence number
-f=encase format (-f encase6)
-m=media type
-M=media flags
-N=notes
-t=target path and file name

Question 91

What does gzip do

Answer 91

compresses and decompresses files

-c compress
-d decompress

Question 92

What commands can be used to wipe /dev/sda with block size 4kb chunks

Answer 92

dd if=/dev/zero of=/dev/sda bs=4k

dc3dd wipe=/dev/sdb

Question 93

What commands can be used to check to see if a wipe was complete

Answer 93

xxd -a /dev/sda

-a = autoskip option to find next character

dc3dd hwipe=/dev/sda hash=sha1

Question 94

What steps can you take to mount an image

Answer 94

1. identify structure (fdisk -l, mmls)
2. identify the file system (file -s)
3. Mount using mount or loop (mount -t <> -o ro,loop <image> <location>, losetup /dev/loop0 <image>)</image></location></image>
4. If using losetup, mount to directory (mount /dev/loop0p1 /mnt/tmp)
5. unmount (umount , losetup -d)

Question 95

Explain this command:

mount -t vfat -o ro,loop fat_fs.raw /mnt/analysis

Answer 95

mounting fat_fs.raw to the mount location /mnt/analysis with read only permissions and file structure of ‘vfat’ using loop device to mount thf file system within the image

Question 96

What command can be used to loop a mount device

Answer 96

losetup /dev/sda <image></image>

Question 97

What command resulted in this output:

Disk NTFS_Pract_2017.raw: 500 MiB, 524288000 bytes, 1024000 sectors
Units: sectors of 1 *512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8dd21ee
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

Answer 97

fdisk -l NFTS_Pract_2017.raw

Question 98

What is the offset starting sector and respective bytes

Units: sectors of 1 *512 = 512 bytes
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

Answer 98

2048, (2048*512)

Question 99

What command would be used to mount the partition

Units: sectors of 1 *512 = 512 bytes
Device Boot Start End Sectors Size Id Type
NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

Answer 99

mount -o ro,loop,offset=1048576 NTFS_Pract_2017.raw /mnt/tmp

losetup -o $((2048512)) –sizelimit
$((1021952512))/dev/loop0 NTFS_Pract_2017.raw

Question 100

What does the flag -P mean for losetup

what about -r and -f

Answer 100

automatically maps partitions to separate loop devices

-r = read only
-f = find first available loop device

Question 101

What command can be used to mount a split image

Answer 101

affuse <image> <mount></mount></image>

example: affuse able3.000 /mnt/aff

Question 102

What is the unmount command for affuse

Answer 102

fusermount -u /mnt/aff

Question 103

What ewf command can be used to mount an imag

Answer 103

ewfmount

ewfmount NTFS_Pract_2017.E01 /mnt/ewf

Question 104

Explain how to mount an ewf image

Answer 104

Using fdisk -l, we see the structure of the image.

We use losetup -P with the read-only
option (-r), find the first available loop device (-f) to add the loop mapping for the partition.

We use the the file command with the (-s) option to confirm the file system type. In this case we see it is NTFS.

Finally we mount the volume with the mount command using the ntfs-3g22 file system driver (-t ntfs-3g).

Question 105

Explain this command:

grep -abif analysis/searchlist.txt fat_fs.raw >
analysis/hits.txt

Answer 105

searching using grep through fat_fs.raw for any phrases in searchlist.txt and output results to hits.txt

-a = process file as text
-b=provide byte offset of hit
-i=ignore upper and lower case
-f=read file in for search terms

Question 106

Explain the command:

xxd -s 1261479 fat_fs.raw | head -n 5

Answer 106

display top 5 lines for hex view of fat_fs.raw starting at byte offset 1261479

Question 107

What does the awk command do

Answer 107

allows files to be displayed as columns based on delimiter

example: awk ’{print $1” “$2}’

Question 108

What are the steps taken to carve a file using dd

Answer 108

1. Find the start of the JPEG (xxd and grep)
   - xxd image_carve_2017.raw | grep ffd8
   (location 36AC0)
   - echo “ibase=16;36AC0” | bc
2. Find the end of the JPEG (xxd and grep)
   - xxd -s 223942 image_carve_2017.raw | grep ffd9 (location 0005D3C6)
   -echo “ibase=16;0005D3C6” | bc
3. Calculate the size of the JPEG in bytes (bc)
   -echo “381906-223942” | bc (157964)
4. Cut from the calculated start - the calculated number of bytes and output to a file (dd)
   -dd if=image_carve_2017.raw of=carved.jpg bs=1 skip=223942 count=157964

Question 109

Describe how to carve a partition using dd

Answer 109

1. fdisk -l < image > to find the offset
   - starts at 2048, number of sectors 102400
2. use dd to extract using start and total sectors
   dd if=able_3.raw of=able_3.part1.raw bs=512 skip=2048
   count=102400

Question 110

What commands will help identify file system layer

Answer 110

file
fsstat
fls

Question 111

What commands will help identify physical device layer

Answer 111

lshw
lsscsi
hdparm

Question 112

What commands will help identify media layer

Answer 112

fdisk
gdisk
file -s
mmls
mmcat
mmstat

Question 113

What commands will help identify the metadata (inode) layer

Answer 113

icat
ils
ifind
istat

Question 114

What commands will help identify content/data layer

Answer 114

blkcalc
blkcat
blkls
blkstat

Question 115

mmls

Answer 115

provides partition table and offsets

similar to fdisk and gdisk

Question 116

fsstat

Answer 116

gather file system information

example: fsstat -o 2048 <image></image>

Question 117

fls

Answer 117

list file names and directories contained in directory or specific metadata identifier

example: fls -o 10260 able2.dd 2

Question 118

Explain the command

fls -o 10260 -Frd able2.dd

Answer 118

displays directory information against the partition in able2.dd starting at sector offset 10260 (-o 10260), showing only file entries (-F), descending into directories recursively (-r), and displaying deleted (unallocated) entries (-d).

• asterisk listed before the node means it is deleted/unallocated

Question 119

ffind

Answer 119

find all file names associated with particular metadata entry by using the ffind command

example: ffind -o 10260 -a able2.dd 2139

Question 120

Explain command:

ffind -o 10260 -a able2.dd 2139

Answer 120

find all entries for offset / partition at 10260 that are associated with metadata id /inode 2139

-a=get all nodes associated with inode

Question 121

istat

Answer 121

gather file information on inode, data blocks can be used to extract data using icati

example: istat -o 10260 able2.dd 2139

Question 122

icat

Answer 122

stream contents from inode to a file

example: icat -o 10260 able2.dd 2139 > lrkn.tgz.2139

Question 123

Explain the command:

icat -o 10260 able2.dd 11108 | file -

Answer 123

stream contents from partition starting at offset 10260 all data blocks associated with inode 11108 and result of contents is run through file to identify the file type

Question 124

Explain the order of identifying information from an image using TSK

Answer 124

1. mmls (get offset information
2. fsstat -o (get file system information)
3. fls -o <offset> -r < image> (file directories / inodes)</offset>
4. istat -o <offset> <image> < node ></image></offset>
5. icat -o <offset> <image> < node> | xxd or file -</image></offset>

Question 125

Explain the command

grep -abi cybernetik able2.dd

Answer 125

Search for phrase cybernetik to get case insensitive results with the byte offset and treating the .dd file as a text file

Question 126

Explain how to find file based on grep results

Answer 126

1. Search grep
2. use resulting byte to calculate sector (echo “10561603/512” | bc = 20628)
3. mmls to find what partition the sector is located in (10260)
4. find offset of partition in sectors (echo “10260*512” | bc=5253120)
5. find volume offset (echo “10561603-5253120” | bc =5308483)
6. ffstat to get information file system (fsstat -o 10260 able2.dd)
7. find data block (echo “5308483/1024” | bc=5184)
8. get block data for the block (blkstat -o 10260 able2.dd 5184)
9. find which inode consists of that block (ifind -o 10260 -d 5184 able2.dd)
10. identify file information for file in that inode (istat -o 10260 able2.dd 10090)
11. stream contents of file (icat -o 10260 able2.dd 10090 | less)

Question 127

blkls

Answer 127

list all data blocks unallocated

-e = copy every block

Question 128

Explain the command

blkls -o 10260 able2.dd > able2.blkls

Answer 128

in the partition starting at offset 10260 extract all unallocated blocks to file .blkls

Question 129

blkcalc

Answer 129

blkcalc with the -u option to specify that we want to calculate the block address from an extracted unallocated image

example: blkcalc -o 10260 -u 1593 able2.dd

Question 130

Explain the command

blkstat -o 10260 able2.dd 5184

Answer 130

output for block 5184 in the original image to determine if it is unallocated, fragmented

Question 131

What command would you use to find an inode based on a block

Answer 131

ifind

example: ifind -o 10260 -d 5184 able2.dd
output: 10090

istat -o 10260 able2.dd 10090

Question 132

What is a difference between examining FAT and NTFS file systems in TSK

Answer 132

NTFS file system allows for alternate data streams (ADS)

Example:
39-128-1
39-128-3

Question 133

bulk_extractor

Answer 133

used to identify particular features from a set of data

Question 134

photorec

Question 135

scalpel

Answer 135

file carving tool