
CHFI (312-49) Digital Forensics Simulation

This simulation tests your ability to identify and analyze user activity artifacts on a Linux system. You will learn to locate crucial shell history files during the Examination phase to establish an attacker's actions post-compromise.

Investigation Scenario

A Linux-based web server located in Portland, Oregon, was recently identified as a staging point for data exfiltration. Preliminary triage indicates unauthorized root-level access occurred on April 8, 2026. As the lead forensic investigator, you have acquired a bit-by-bit physical image of the server's primary storage drive. Your objective is to reconstruct the timeline of commands executed by the threat actor after they gained root privileges.

Evidence Collected

Question

During a forensic examination of a Linux-based web server in Portland, Oregon, an investigator needs to review the history of commands executed by the "root" user. Which file in the root user's home directory should the investigator examine?

A. .bash_history
B. .profile
C. .bashrc
D. .ssh/authorized_keys

Hint: Think about the default shell used in most Linux distributions (Bash) and the specific hidden file it uses to store previous terminal inputs.

Expert Analysis

1. What Evidence Shows

The forensic task requires reconstructing post-exploitation command-line activity executed specifically under the `root` account on an EXT4 file system.

2. Forensic Stage

Examination & Analysis: Extracting specific user activity artifacts from an acquired forensic image to build an event timeline.

3. Why the Correct Answer is Correct (A)

In Linux environments utilizing the Bash shell (the default for most distributions), user-executed terminal commands are automatically logged to the .bash_history file located within the user's home directory (e.g., /root/.bash_history). Extracting and examining this file is a fundamental forensic step to reconstruct attacker activity, tool usage, and lateral movement attempts.

4. Why Others are Wrong

B. .profile: This file is utilized to configure the user's environment variables and startup scripts upon initial login. It does not record interactive command history.

C. .bashrc: This is a script executed whenever a new terminal session is started in interactive mode to set local aliases and functions. It is a configuration file, not a log file.

D. .ssh/authorized_keys: This file contains public keys for passwordless SSH authentication. While critical for identifying persistence mechanisms and unauthorized access points, it does not log executed shell commands.

5. Real-World Forensic Action

A digital forensic investigator mounts the E01 forensic image read-only. Using a tool such as Autopsy or The Sleuth Kit (TSK), they navigate to the `/root/` directory, export the `.bash_history` file, and generate its cryptographic hash to maintain the chain of custody. The investigator also checks the `.bash_logout` file and verifies whether the threat actor ran commands such as `history -c` or unlinked the history file to evade forensic logging.

MINI LESSON: Artifact Interpretation - Shell History

Linux shell history files (such as `.bash_history` and `.zsh_history`) are primary artifacts for determining user intent. However, investigators must be cautious: by default, Bash writes the session's commands to `.bash_history` only when the interactive session closes, so a session that was killed rather than exited cleanly may have left nothing behind, and the file carries no timestamps unless the HISTTIMEFORMAT environment variable was configured beforehand. If timestamps are absent, commands appear only in sequential order, and the investigator must cross-reference the history file with system logs (such as /var/log/auth.log or syslog) to place each action accurately within the overall forensic timeline.
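As an added example (not code from the ExamRange simulation), the following Python parses a constructed `.bash_history` sample the way the examination step above describes: it hashes the exported bytes for the chain of custody, honours the `#<epoch>` timestamp lines that Bash writes when HISTTIMEFORMAT is set, falls back to sequence order where they are absent, and flags a `history -c` entry. The sample bytes, commands and epoch values are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample (not real evidence): the first two commands were recorded
# with HISTTIMEFORMAT set, so each is preceded by a "#<epoch>" line; the last
# two have no timestamp and can only be placed by sequence.
SAMPLE_HISTORY = (
    b"#1775628000\n"
    b"id\n"
    b"#1775628060\n"
    b"tar czf /tmp/site.tgz /var/www/html\n"
    b"ls -la /tmp\n"
    b"history -c\n"
)

def sha256_hex(data: bytes) -> str:
    """Hash the exported file bytes before parsing, for the chain of custody."""
    return hashlib.sha256(data).hexdigest()

def parse_bash_history(data: bytes):
    """Return a list of (sequence_no, utc_datetime_or_None, command) in file order."""
    entries = []
    pending_ts = None
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("#") and line[1:].isdigit():
            # Bash stores the epoch time of the *following* command on its own line.
            pending_ts = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append((len(entries) + 1, pending_ts, line))
        pending_ts = None  # a timestamp applies to exactly one command
    return entries

def history_tampering(entries):
    """Sequence numbers of commands that clear or touch the history file itself."""
    return [seq for seq, _, cmd in entries
            if cmd.strip().startswith("history -c") or ".bash_history" in cmd]

def timeline_rows(entries):
    """Render rows suitable for merging with auth.log/syslog timestamps."""
    return [f"{seq:04d}  {ts.isoformat() if ts else '(no timestamp)':<25}  {cmd}"
            for seq, ts, cmd in entries]

if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_HISTORY))
    parsed = parse_bash_history(SAMPLE_HISTORY)
    print("\n".join(timeline_rows(parsed)))
    print("history-clearing commands at sequence:", history_tampering(parsed))
```

Rows without a timestamp keep only their sequence number, which is exactly the gap that auth.log or syslog entries must fill.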
