Lect99 - Example papers Flashcards
The /proc directory is a location for
Virtual file system for process and kernel information
The /etc directory is a location for
Configuration files
The passwd file can be found in
/etc
To transfer ownership of the file toto from dave to nicola type
chown nicola toto
The /etc/services file contains
a list of port mappings for the system (tcp and udp)
To set read and execute permission on the file toto for group and other, type
chmod 755 toto
In an Ubuntu system, the command sudo apt-get dist-upgrade is used to
Upgrade an existing installation and add new packages if needed.
To identify which shell a user is using, look in
/etc/passwd (shows default shell)
The command ls -lh is used to show:
a long listing of a file or directory of files, including permissions, modification time and size in human-readable format.
The /bin directory is a
directory for common executables
The /sbin directory is a location for
system executables usually used by root
To view the boot message from the kernel type:
dmesg
To show the IP address of the current host, type:
ifconfig
The command ls [t][ne]* is used to list:
files whose name starts with the letter t followed by either an n or an e (and then anything)
The /usr directory is a
user binaries, libraries and other software (the majority of the system is in here)
The command cat /etc/passwd | egrep /bin/bash is used to show:
entries in /etc/passwd that contain the string /bin/bash
To run a command vi as root, type:
sudo vi or su - vi
To extract the usernames of all users on your system from /etc/passwd type:
cat /etc/passwd | awk -F':' '{print $1}' or cat /etc/passwd | cut -d':' -f1
To count the lines in a file toto, type:
cat toto | wc -l
To print the result of the command who to a file users.txt, type:
who > users.txt
Change to home directory
cd /home cd ~
Move a file
mv file /destination/file
Delete lines 2 to 3 of a file called toto
sed -e '2,3d' toto
Create a directory tata
mkdir tata
Extract characters 6 to 8 from each line of a file called data
cut -c 6-8 data
To display the content of a text file
cat file or less file
To display all lines in a file called toto that contains a number
grep '[[:digit:]]' toto
Display all lines of the file data that contain a number from 0 to 9
grep '[0-9]' data
Calculate the SHA1 hashes of all files in a directory without showing filenames
sha1sum * | cut -d' ' -f1 or sha1sum * | awk '{print $1}'
Display all lines except line 10 of file toto
sed -e '10d' toto
Search for the string “hacker” in ps.dd
grep -a hacker ps.dd
Search for IP addresses in ps.dd and place the results in a file called IP.log
egrep -a --color=always '([0-9]{1,3}\.){3}[0-9]{1,3}' ps.dd > IP.log
Search for Friday May 26, 2017 and "gmail" in the IP.log file above
egrep 'Friday May 26, 2017.*gmail' IP.log
Extract lines that contain the userID=12345 from the file IP.log and place the results in a file called User.log
grep 'userID=12345' IP.log > User.log
Extract lines that contain the email address from the file User.log above
grep "email address" User.log
List the first ten characters of the SHA1 sum of sp.E01
sha1sum sp.E01 | cut -c 1-10
Convert sp.E01 to a raw image
ewfexport sp.E01
List the partitions in the image, reporting in units of sectors
mmls sp.E01
List the file system of its bootable partition
fls -o 48195 sp.E01
Mount its Windows NTFS partitions
mkdir /mnt/ewf
mkdir /mnt/part2
mkdir /mnt/part4
ewfmount sp.E01 /mnt/ewf
mount -o loop,offset=$((48195*512)) /mnt/ewf/ewf1 /mnt/part2
mount -o loop,offset=$(( *512)) /mnt/ewf/ewf1 /mnt/part4
The /var directory is a location for
data which may be modified in real time by programs
The /mnt directory is a location for
directory in which to mount devices
To show the currently mounted partitions on a Linux system, type:
mount -l
The command netstat -l is used to show:
only listening sockets
The command ls -lSr is used to show:
a long listing of the files in the current directory, sorted by file size
To substitute more than one occurrence per line of ‘one’ with ‘two’ in file called toto, type:
sed 's/one/two/g' toto
To find every occurrence of the word car in a file called engines, type:
grep car engines
To see if user ryan is logged on, type:
who | grep ryan
To display all lines in a file called engines that are three characters long, starting with a capital letter and ending with a digit, type:
grep '^[[:upper:]].[[:digit:]]$' engines
In Linux, to identify the type of a file, the file command is based on:
The header of a file
In Linux, to list the content of an archive toto.tgz, type:
tar tzvf toto.tgz
To print usernames from /etc/passwd, type:
awk -F: '{print $1}' /etc/passwd
To calculate the MD5 hashes of all files in a directory without keeping filenames, type:
md5sum * | cut -c1-32
The output of the command grep -q $(md5sum toto | cut -c1-32) hashes.txt && echo Match is:
Match, if the MD5 hash of the file toto exists in hashes.txt
The command dd if=/dev/hda of=~/hdadisk.img is used to:
create an image of the hda device
The command xxd -l 120 -c 20 toto prints:
a hexdump of the first 120 bytes of the file toto, 20 bytes per line
The command sfdisk -l -uS able2.dd:
shows partition table of the disk image able2.dd
To change directory to the last directory, type:
cd -
To calculate the SHA1 hashes of all files in a directory, type:
sha1sum *
In Ubuntu, to check who is running what, type:
top
The command icat -o 10260 able2.dd 2139 > lrkn.tgz.2139:
recovers a deleted file (inode 2139) from the image able2.dd and stores it in the file lrkn.tgz.2139
The command dd if=/dev/hdx | gzip > ~/image.gz is used to:
create a compressed image of the hdx device
The command fls -o 10260 -r able2.dd:
provides file system specific information about the file system of able2.dd
To sum file sizes of all files stored in an archive toto.tgz, type:
tar tzvf toto.tgz | awk '{ sum += $3 } END { print "Total size: " sum " bytes." }'
ls -lh
List directory contents in long format with human readable sizes.
head -n13 file1.txt
Print first 13 lines.
cp file1 file2
Copy file1 to file2
mkdir /mnt/usb/evidence
Create directory called “evidence” under /mnt/usb
wc -l filename
Count lines in file “filename”
cat /etc/passwd | egrep /bin/bash
Print all lines of /etc/passwd that contain /bin/bash
cut -d: -f1 /etc/passwd
Prints all usernames of /etc/passwd
-d : delimiter
-f1 : field number
grep [[:upper:]] engines
Print all lines that contain at least one upper case letter.
tail /etc/passwd > smallpass
Output the last 10 lines of file /etc/passwd to smallpass
awk -F: '{print $1}' /etc/passwd
Prints out username from /etc/passwd
Rename a file:
mv file1 file2
Delete a file:
rm file1
Find differences between file1 and file2:
diff file1 file2
Create a file:
touch file1
Display a file:
cat file1
To display a given line of a file (here line 2):
sed -n 2p file.txt
Count the number of lines in a file:
wc -l filename
Calculate the MD5 hashes of all files in a directory:
find . -type f -exec md5sum {} \;
Extract files in a tarball:
tar xvf filename
Extract a field from a file:
cut -d: -f1 filename
List the first five characters of the MD5 sum of file.e01:
md5sum file.e01 | cut -c1-5
Convert suspect.E01 to a raw image:
ewfexport -t [NewFileName] -f raw -u suspect.E01
List the partitions in the image suspect.e01:
mmls suspect.e01
List the file system of a partition, which starts at sector 48:
fsstat -o 48 suspect.e01
Mount a Linux partition, which starts at sector 102400:
mount -t ext4 -o ro,loop,offset=$((512*102400)) image.raw /mnt/hdd
Check the file type of access_log:
file access_log
Print the number of lines in this file of access_log:
wc -l access_log
Display and sort the first column of access_log:
cat access_log | awk '{print $1}' | sort
Display and filter out duplicates in the first column of access_log:
cat access_log | awk '{print $1}' | sort -u
Count the number of different IP addresses (suppose that the first column contains the IP addresses) of access_log:
cat access_log | awk '{print $1}' | sort -u | wc -l