There are now some questions where they give you lists of files and hashes at various times, and they ask you to identify which is the sign of an intrusion.
You have to know, at a very basic level, where some files are located and which will change during routine operation.
Windows File Tampering
They may show you that the hash for a file like one of the following has changed, and ask you what it means:
Those are parts of the operating system itself or the boot loader, so you have been seriously hacked. If "root kit" is a choice, select that.
is part of the operating system, either the kernel,
Windows applications, or DLLs that other applications
Linux File Tampering
The kernel, the core of the OS itself, and how it boots are based on files under
vmlinuz* is the kernel itself; grub.cfg is the configuration file for the GRUB boot loader. It specifies how the kernel is loaded and started, and an attacker might boot it strangely to completely
relied upon by everyone including
the system administrator and the operating system
bin (short for "binary")
in their first or second element.
Shared libraries, like DLL files in Windows, provide "one-step hacking" opportunities for an attacker. Modify a shared library, and you modify the behavior of all the dynamically linked programs using it, which will be many or most binaries on the system.
(short for "library") in their first or second element.
None of the things I have listed so far should change unexpectedly!
System configuration goes under
For the most part, these files shouldn't change.
Almost everything about a user except their password
is defined in
and the hash of their current password is stored in
(Yes, everything was originally in
then the password hash was moved to
So, creating and modifying users changes
And, when a user changes their password,
We expect those changes.
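To put the rules above into practice, here is an added example (not code from the original page) that compares two path-to-hash snapshots, such as the file lists the exam questions give you, and classifies each changed file the way the text does: anything under the boot directory, or with "bin" or "lib" in its first or second path element, is a critical integrity failure, while changes to the account files are expected when users or passwords change. It assumes the standard Linux layout (/boot, /etc/passwd, /etc/shadow), treats lib64/lib32 like lib, and uses constructed sample digests rather than real files.

```python
import hashlib
from pathlib import PurePosixPath


def digest(content: bytes) -> str:
    """SHA-256 hex digest; used here only to build constructed sample hashes."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline snapshot (path -> hash), not taken from a real system.
BASELINE = {
    "/boot/vmlinuz-5.15": digest(b"kernel-v1"),
    "/boot/grub/grub.cfg": digest(b"grub-v1"),
    "/usr/bin/ls": digest(b"ls-v1"),
    "/lib/x86_64-linux-gnu/libc.so.6": digest(b"libc-v1"),
    "/etc/passwd": digest(b"passwd-v1"),
    "/etc/shadow": digest(b"shadow-v1"),
    "/var/log/syslog": digest(b"log-v1"),
}

# Constructed later snapshot: a library, the shadow file and a log have changed.
LATER = dict(BASELINE)
LATER["/lib/x86_64-linux-gnu/libc.so.6"] = digest(b"libc-tampered")
LATER["/etc/shadow"] = digest(b"shadow-v2")
LATER["/var/log/syslog"] = digest(b"log-v2")


def classify(path: str) -> str:
    """Rate a changed file using the page's rules about which paths never change."""
    parts = PurePosixPath(path).parts[1:]   # drop the leading "/"
    head = parts[:2]                         # first or second path element
    if parts and parts[0] == "boot":
        return "CRITICAL: kernel or boot loader changed (rootkit likely)"
    if any(p in ("bin", "sbin") for p in head):
        return "CRITICAL: system binary changed"
    if any(p.startswith("lib") for p in head):   # lib, lib64, lib32 (assumption)
        return "CRITICAL: shared library changed (affects all dynamically linked programs)"
    if path in ("/etc/passwd", "/etc/shadow"):
        return "EXPECTED if an account was created/modified or a password changed"
    if parts and parts[0] == "etc":
        return "SUSPICIOUS: system configuration changed, confirm a change was intended"
    return "INFO: routine change (logs, spool, temporary data)"


def diff_hashes(baseline: dict, later: dict) -> dict:
    """Return {path: classification} for files whose hash differs, or that appeared/vanished."""
    return {path: classify(path)
            for path in sorted(set(baseline) | set(later))
            if baseline.get(path) != later.get(path)}
```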