Set 8

71. Forensic Analysis – Extract Authentication Failures

Scenario: The security team is investigating repeated authentication failures during a suspected breach.

Instructions:

  • Navigate to ~/kactii29

  • Create folder auth_failures

  • Assume auth.log exists

  • Extract lines containing FAIL

  • Save output to auth_fail.log

Commands Expected: grep, output redirection


72. Storage Evidence – Disk Usage Snapshot

Scenario: Forensic investigators need a point-in-time snapshot of disk usage for evidence.

Instructions:

  • Navigate to ~/kactii29

  • Create disk_evidence

  • Measure directory disk usage

  • Display in human-readable format

  • Save output to disk_evidence.txt

Commands Expected: du -h


73. User Activity Evidence – Logged-In Users

Scenario: The investigation requires identifying which users were logged in at a specific time.

Instructions:

  • Navigate to ~/kactii29

  • Create user_activity_evidence

  • Capture logged-in users

  • Append current date and time

  • Save to user_activity.log

Commands Expected: who, date, output redirection


74. Tool Integrity – Verify Forensic Utilities

Scenario: Before evidence collection, analysts must confirm that the required utilities exist.

Instructions:

  • Navigate to ~/kactii29

  • Create tool_integrity

  • Locate paths for grep, du, and uptime

  • Save output to tools_verified.txt

Commands Expected: which


75. Service Traceability – Scheduler Service Status

Scenario: Investigators need to verify whether scheduled tasks could have executed.

Instructions:

  • Navigate to ~/kactii29

  • Create scheduler_trace

  • Check cron service status

  • Start service if inactive

  • Save output to scheduler_status.txt

Commands Expected: systemctl status, systemctl start


76. Deferred Execution Trace – Scheduled Job Listing

Scenario: The forensic review requires a list of all deferred one-time jobs.

Instructions:

  • Navigate to ~/kactii29

  • Create deferred_trace

  • List all scheduled at jobs

  • Save output to deferred_trace.txt

Commands Expected: atq


77. Runtime State Capture – Environment Variables

Scenario: Application behavior must be reconstructed from runtime environment data.

Instructions:

  • Navigate to ~/kactii29

  • Create runtime_state

  • Display all environment variables

  • Save output to runtime_state.txt

Commands Expected: printenv


78. Network Forensics – Listening Port Snapshot

Scenario: The security team needs a snapshot of exposed listening ports during the investigation.

Instructions:

  • Navigate to ~/kactii29

  • Create network_forensics

  • Capture all listening TCP and UDP sockets

  • Save output to listening_ports.txt

Commands Expected: ss -tuln


79. Evidence Normalization – Unique Sorted Indicators

Scenario: Investigators need a normalized list of unique indicators from raw data.

Instructions:

  • Navigate to ~/kactii29

  • Create indicator_normalization

  • Assume indicators.log exists

  • Sort and remove duplicate entries

  • Save to unique_indicators.txt

Commands Expected: sort, uniq


80. Timeline Evidence – System Uptime Record

Scenario: Incident timeline reconstruction requires uptime evidence.

Instructions:

  • Navigate to ~/kactii29

  • Create timeline_evidence

  • Capture system uptime

  • Append timestamp

  • Save to timeline_uptime.log

Commands Expected: uptime, date, output redirection
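
Worked example for exercises 71 to 80 (added here; it is not part of the exercise sheet): a single POSIX sh collection script that performs the ten steps in order against one base directory, writing each artefact under the folder and file name the sheet asks for. Beyond the sheet, it appends a "timestamp  sha256  path" line to a manifest for every artefact, so an analyst can later show the files were not altered, and it records a missing tool (atq, ss, systemctl are not present on every host) inside the artefact instead of aborting. Assumptions of this example: the base directory is passed as the first argument (the sheet's ~/kactii29), the cron unit is named cron (Debian/Ubuntu; it is crond on RHEL-style systems), and the auth.log and indicators.log contents produced by make_sample_inputs are constructed sample data for a dry run, not real logs.

```shell
#!/bin/sh
# Added example, not part of the exercise sheet. Collects the ten artefacts of
# exercises 71-80 and keeps a SHA-256 manifest of each one.

# digest FILE: SHA-256 hex digest (sha256sum on Linux, shasum elsewhere)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record BASE SUBDIR FILE 'COMMAND': run COMMAND through sh, store stdout and
# stderr in BASE/SUBDIR/FILE, append "time  sha256  path" to BASE/manifest.txt.
# The command's exit status is deliberately ignored: grep returning 1 (no FAIL
# lines) or an empty atq queue is still evidence worth keeping.
record() {
    base=$1 sub=$2 out=$3 cmd=$4
    mkdir -p "$base/$sub"
    target="$base/$sub/$out"
    tool=${cmd%% *}; tool=${tool%;}            # first word, e.g. "who" from "who; date"
    if command -v "$tool" >/dev/null 2>&1; then
        sh -c "$cmd" > "$target" 2>&1 || true
    else
        printf 'tool not available on this host: %s\n' "$tool" > "$target"
    fi
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(digest "$target")" "$target" \
        >> "$base/manifest.txt"
}

# collect_all BASE: the ten steps of Set 8, numbered as on the sheet
collect_all() {
    base=${1:-"$HOME/kactii29"}
    mkdir -p "$base"
    : > "$base/manifest.txt"
    record "$base" auth_failures   auth_fail.log     "grep FAIL '$base/auth.log'"        # 71
    record "$base" disk_evidence   disk_evidence.txt "du -h '$base'"                     # 72
    record "$base" user_activity_evidence user_activity.log "who; date"                  # 73
    record "$base" tool_integrity  tools_verified.txt "which grep du uptime"             # 74
    # 75: status is captured first; the start is only attempted when inactive and
    # needs root. Starting a service changes the host under examination, so in a
    # real investigation this step is usually limited to recording the status.
    record "$base" scheduler_trace scheduler_status.txt \
        "systemctl is-active cron >/dev/null || systemctl start cron; systemctl status cron --no-pager"
    record "$base" deferred_trace  deferred_trace.txt "atq"                              # 76
    record "$base" runtime_state   runtime_state.txt  "printenv"                         # 77
    record "$base" network_forensics listening_ports.txt "ss -tuln"                      # 78
    record "$base" indicator_normalization unique_indicators.txt \
        "sort '$base/indicators.log' | uniq"                                             # 79
    record "$base" timeline_evidence timeline_uptime.log "uptime; date"                  # 80
}

# make_sample_inputs DIR: constructed auth.log and indicators.log for a dry run
# (invented sample data, not real logs; addresses are documentation ranges)
make_sample_inputs() {
    mkdir -p "$1"
    cat > "$1/auth.log" <<'EOF'
Jan 10 08:01:13 host sshd[1201]: FAIL password for root from 203.0.113.7
Jan 10 08:01:20 host sshd[1204]: Accepted publickey for alice from 198.51.100.4
Jan 10 08:01:27 host sshd[1209]: FAIL password for admin from 203.0.113.7
EOF
    cat > "$1/indicators.log" <<'EOF'
203.0.113.7
bad.example
203.0.113.7
198.51.100.4
bad.example
EOF
}

# Usage: sh collect_set8.sh ~/kactii29   (base dir holding auth.log and indicators.log)
#        sh collect_set8.sh --demo       (dry run on constructed data in a temp dir)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_inputs "$demo"
    collect_all "$demo"
    cat "$demo/manifest.txt"
elif [ $# -gt 0 ]; then
    collect_all "$1"
fi
```

The manifest is the piece the sheet does not ask for but an evidence reviewer will: re-running digest on each file and comparing with the recorded hash shows whether an artefact changed after collection. The 73 and 80 entries get their date line from the same sh -c invocation, so the timestamp lands in the artefact itself, not only in the manifest.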

