PdfPrep.com

Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE).

A. Check log files for logins from unauthorized IPs.
B. Check /proc/kmem for fragmented memory segments.
C. Check for unencrypted passwords in /etc/shadow.
D. Check timestamps for files modified around time of compromise.
E. Use lsof to determine files with future timestamps.
F. Use gpg to encrypt compromised data files.
G. Verify the MD5 checksum of system binaries.
H. Use vmstat to look for excessive disk I/

Answer: A, D, G
