Entryway to a Buddhist temple.

Windows and Linux File Locations

Don't Panic!

There are now some questions where they give you lists of files and hashes at various times, and they ask you to identify which is the sign of an intrusion.

You have to know, at a very basic level, where some files are located and which will change during routine operation.

Windows File Tampering

They may show you that the hash for a file like one of the following has changed, and ask you what it means:
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\boot\*
Those are parts of the operating system itself or the boot loader, so you have been seriously hacked. If "root kit" is a choice, select that.

Anything under C:\Windows\Sys* is part of the operating system, either the kernel, Windows applications, or DLLs that other applications may use.

Linux File Tampering

The kernel, the core of the OS itself, and how it boots, are based on files under /boot/*. A file vmlinuz* is the kernel itself, grub.cfg is the configuration file for the GRUB boot loader. It specifies how the kernel is loaded and started, and an attacker might boot it strangely to completely subvert security.

Executable programs relied upon by everyone including the system administrator and the operating system have bin (short for "binary") in their first or second element. That is:
/bin/*
/sbin/*
/usr/bin/*
/usr/sbin/*

Shared libraries, like DLL files in Windows, provide "one-step hacking" opportunities for an attacker. Modify a shared library, and you modify the behavior of all the dynamically linked programs using it, which will be many or most binaries on the system. They have lib (short for "library") in their first or second element. That is:
/lib/*
/lib64/*
/usr/lib/*
/usr/lib64/*

Someone responded to this unannounced addition to the test by saying that CompTIA was probably just beta-testing potential Linux+ question. No. The Linux+ test doesn't get into these issues at all. It's much more about "which command does what?" and memorizing the synopsis line and first paragraph of a large number of manual pages.

None of the things I have listed so far should change unexpectedly!

System configuration goes under /etc/* For the most part, these files shouldn't change. However...

Almost everything about a user except their password is defined in /etc/passwd, and the hash of their current password is stored in /etc/shadow. (Yes, everything was originally in passwd, then the password hash was moved to shadow)

So, creating and modifying users changes /etc/passwd. And, when a user changes their password, /etc/shadow changes. We expect those changes.

To the Cybersecurity Page