1.1 System and Network Architecture Concepts
OS concepts
📘CompTIA CySA+ (CS0-003)
Understanding how operating systems organize files and where configuration files are stored is an important skill for CySA+ analysts. This knowledge helps you investigate incidents, verify system integrity, troubleshoot issues, and understand how attackers may try to modify system behavior.
This section focuses mainly on:
- Windows file structure
- Linux/Unix file structure
- Common configuration file locations
- How these files relate to security monitoring and analysis
1. Why File Structures Matter in Cybersecurity
A CySA+ analyst must understand file structures because:
- Logs, configuration files, and system binaries are stored in specific places.
- Attackers often modify configuration files to maintain persistence.
- Misplaced or altered files can indicate compromise.
- Analysts must know where to pull logs and verify settings.
2. File Structure Basics
Each OS has its own way of organizing files:
- Windows uses a drive-based structure (C:, D:, etc.).
- Linux/Unix uses a single-root filesystem ( / ).
Both systems store configuration files, logs, program files, and user data in predictable locations.
3. Windows File Structure
Windows organizes files using root directories, system folders, and user-specific areas.
Below are the most important directories for CySA+.
3.1 Key Windows Directories
C:\Windows\
- The main system directory.
- Stores essential OS files, drivers, and system utilities.
C:\Windows\System32
- Core system binaries, DLLs, and administrative tools.
- Critical target for attackers who want persistence or privilege escalation.
C:\Program Files
C:\Program Files (x86)
- Stores installed applications.
- 64-bit apps → Program Files
- 32-bit apps → Program Files (x86)
C:\Users\
Contains user profiles and their personal data:
- Documents
- Desktop
- Downloads
- AppData (hidden)
3.2 Windows Configuration File Locations
C:\Windows\System32\Config
- Stores registry hive files such as:
- SAM
- SYSTEM
- SECURITY
- SOFTWARE
- DEFAULT
- These files contain system configurations and security-sensitive information.
C:\Users\<username>\AppData\
AppData has 3 subdirectories:
| Folder | Purpose |
|---|---|
| Local | Machine-specific data and cached files |
| LocalLow | Data written by low-integrity (sandboxed) processes such as a browser in protected mode |
| Roaming | User-specific settings that follow the user across domain systems |
C:\Windows\Logs
- Contains Windows servicing and setup logs (for example CBS\CBS.log and DISM\dism.log), useful for tracing component installs and updates.
- Note that these are not the Windows Event Logs; those are the .evtx files under C:\Windows\System32\winevt\Logs (see section 5.1).
C:\Windows\System32\drivers\etc
Contains important text-based configuration files:
| File | Purpose |
|---|---|
| hosts | Local name-to-IP mappings, consulted before DNS |
| protocol | Protocol mappings |
| services | Services and their port numbers |
Security Importance:
Attackers often modify the hosts file to redirect traffic to a host they control, or to sinkhole security-update and telemetry domains to 127.0.0.1 so defenses stop updating. The file uses the same format on Windows and Linux, so one check covers both.
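As an added example (not part of the original notes), the script below parses a hosts file in the format shared by C:\Windows\System32\drivers\etc\hosts and /etc/hosts and flags the two abuses described above: a sensitive name pinned to an address an analyst would not expect, and a name sinkholed to loopback. The sample file content and the PROTECTED_DOMAINS / UPDATE_DOMAINS watch lists are constructed for illustration; in practice the lists come from your own environment.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real system).
# Lines 5 and 6 are the kind of entries an attacker adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by attacker: redirect the bank and block AV updates
198.51.100.23   login.examplebank.com
127.0.0.1       update.example-av.com   definitions.example-av.com
10.0.0.5        intranet.corp.example
"""

# Hypothetical watch lists (assumptions for this example):
# names that must always be resolved through DNS, never pinned locally ...
PROTECTED_DOMAINS = {"login.examplebank.com"}
# ... and update/telemetry names attackers commonly sinkhole.
UPDATE_DOMAINS = {"update.example-av.com", "definitions.example-av.com"}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each non-comment, non-blank line.

    ip is None when the first field does not parse as an address.
    """
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            yield n, None, parts               # malformed; still worth reporting
            continue
        yield n, ip, parts[1:]


def audit_hosts(text, protected=PROTECTED_DOMAINS, updates=UPDATE_DOMAINS):
    """Return findings as (line_no, reason, hostname) tuples."""
    findings = []
    for n, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((n, "malformed entry", " ".join(names)))
            continue
        for name in names:
            lname = name.lower()
            if lname == "localhost" and ip.is_loopback:
                continue                        # the only entries a clean file needs
            if lname in protected:
                findings.append((n, f"protected domain pinned to {ip}", lname))
            elif lname in updates and (ip.is_loopback or ip.is_unspecified):
                findings.append((n, "update domain sinkholed", lname))
            elif ip.is_loopback or ip.is_unspecified:
                findings.append((n, "non-localhost name mapped to loopback", lname))
            elif ip.is_global:
                findings.append((n, f"name pinned to public address {ip}", lname))
            # private/link-local targets (e.g. intranet names) are left alone
    return findings


if __name__ == "__main__":
    for line_no, reason, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {host}")
```

On a live host, read the file from the OS-specific path instead of SAMPLE_HOSTS; the 10.0.0.5 intranet entry is deliberately not flagged, because pinning internal names to RFC 1918 addresses is normal and alerting on it would bury the real findings.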
4. Linux/Unix File Structure
Linux uses a hierarchical structure starting from the root directory /.
As a CySA+ analyst, you need to know what each main directory contains and where important configuration files reside.
4.1 Essential Linux Directories
/ (root)
- The top-level directory.
/bin
- Essential user commands (ls, cp, mv).
- Needed for basic system functionality.
/sbin
- System administration commands (iptables, ifconfig).
- Most of these are only useful with root privileges.
/usr
- Applications, binaries, libraries, and documentation.
/usr/bin and /usr/sbin
- Non-essential programs and administrative utilities. On distributions with the merged /usr layout, /bin and /sbin are symlinks to these directories.
/var
- Variable data such as logs and mail queues.
/home
- User home directories.
/lib and /lib64
- Shared libraries necessary for running applications.
/boot
- Kernel, boot loader files.
/opt
- Optional software packages.
/tmp
- Temporary files. Usually cleared at boot (tmpfs or systemd-tmpfiles), but world-writable, which makes it a common staging area for attacker tooling.
4.2 Linux Configuration File Locations
Linux uses configuration files that are simple text files, making them easy to read, modify, and monitor.
/etc (critical directory)
This is the most important configuration directory in Linux.
Common files include:
| File/Directory | Purpose |
|---|---|
| /etc/passwd | User database |
| /etc/shadow | Password hashes and password-aging data; readable only by root |
| /etc/group | Group info |
| /etc/sudoers | Sudo privileges |
| /etc/fstab | Filesystem mount configurations |
| /etc/hosts | Local hostname resolution |
| /etc/network/interfaces | Network settings (Debian/ifupdown; Ubuntu uses netplan instead) |
| /etc/sysctl.conf | Kernel parameters |
| /etc/ssh/ | SSH server/client settings |
Security Importance:
Attackers often modify /etc/sudoers, /etc/ssh/sshd_config, the cron directories, or startup scripts for persistence, and add accounts to /etc/passwd (a second UID 0 user, or a service account given a real login shell) so they can come back later.
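As an added example (not part of the original notes), the script below audits passwd-format and sudoers-format text for the changes just described: an extra UID 0 account, an empty password field, a service account with an interactive shell, and a NOPASSWD: ALL sudo rule. The sample file contents and the EXPECTED_INTERACTIVE baseline are constructed for illustration; a real baseline comes from the host's approved build.

```python
# Constructed sample /etc/passwd (not from a real host).
# "backup" with /bin/bash and the UID 0 "toor" account are attacker changes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Constructed sample /etc/sudoers. The last rule is the dangerous one.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
www-data ALL=(ALL) NOPASSWD: ALL
"""

# Hypothetical baseline (assumption): accounts allowed an interactive shell.
EXPECTED_INTERACTIVE = {"root", "alice"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per account from passwd-format text; skip malformed lines."""
    users = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def audit_passwd(text, expected_interactive=EXPECTED_INTERACTIVE):
    """Return (account, reason) findings for suspicious passwd entries."""
    findings = []
    for u in parse_passwd(text):
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "extra UID 0 account"))
        # "x" means the hash lives in /etc/shadow; an empty field means no password.
        if u["pw"] == "":
            findings.append((u["name"], "empty password field"))
        if u["shell"] not in NOLOGIN_SHELLS and u["name"] not in expected_interactive:
            findings.append((u["name"], f"unexpected login shell {u['shell']}"))
    return findings


def audit_sudoers(text):
    """Return (principal, reason) for rules granting password-less unrestricted sudo."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if "NOPASSWD:" in line:
            cmds = line.split("NOPASSWD:", 1)[1].strip()
            if cmds == "ALL":
                findings.append((line.split()[0], "NOPASSWD: ALL"))
    return findings


if __name__ == "__main__":
    for who, why in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {why}")
```

The sudoers check only looks at the main file; on a real host also walk /etc/sudoers.d/, which is where a quietly dropped rule usually lands, and run the same passwd check against the live file read as root.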
5. Logs and Monitoring (File Structure Relevance)
For CySA+ you must know where logs are stored.
5.1 Windows Log Files
Windows Event Logs are stored in:
C:\Windows\System32\winevt\Logs
These are .evtx files, readable with Event Viewer, wevtutil, or Get-WinEvent in PowerShell.
Important log types:
- Security (logons, privilege use, object access)
- System
- Application
- PowerShell (Microsoft-Windows-PowerShell/Operational, for script block logging)
- Windows Firewall: not an .evtx file; the text log defaults to C:\Windows\System32\LogFiles\Firewall\pfirewall.log and must be enabled in the firewall profile settings.
5.2 Linux Log Files
Logs are stored in:
/var/log/
Common log files:
| Log File | Purpose |
|---|---|
| /var/log/auth.log OR /var/log/secure | Authentication attempts (Debian-based vs. RHEL-based naming) |
| /var/log/syslog OR /var/log/messages | System-wide events |
| /var/log/dmesg | Kernel logs |
| /var/log/apache2/ | Web server logs |
| /var/log/faillog | Failed-login counters (binary; read with the faillog command). /var/log/btmp, read with lastb, serves the same purpose on many systems |
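As an added example (not part of the original notes), the script below runs a brute-force check over sshd lines in the auth.log / secure format: it counts failed passwords per source, records how many usernames each source tried, and flags a success that follows a run of failures. The log lines are constructed for the example; the thresholds are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Debian /var/log/auth.log layout. RHEL's
# /var/log/secure carries the same sshd message text, so the regexes apply there too.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2171]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:04 web01 sshd[2173]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:06 web01 sshd[2175]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:09 web01 sshd[2177]: Failed password for root from 203.0.113.7 port 51151 ssh2
Mar  3 10:01:12 web01 sshd[2179]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar  3 10:01:15 web01 sshd[2181]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar  3 10:05:40 web01 sshd[2201]: Failed password for alice from 192.0.2.14 port 40012 ssh2
Mar  3 10:05:47 web01 sshd[2203]: Accepted publickey for alice from 192.0.2.14 port 40015 ssh2: RSA SHA256:abc...
Mar  3 10:06:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize_ssh(text, threshold=5, success_after=3):
    """Return (source_ip, description) alerts.

    threshold: failed logins from one source that count as a brute-force attempt.
    success_after: failures from a source after which a success is suspicious
    (a single typo before a key login is normal and should not alert).
    """
    failures = Counter()
    users_tried = defaultdict(set)
    successes = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            successes.append((src, user, method))

    alerts = []
    for src, count in failures.items():
        if count >= threshold:
            alerts.append((src, f"{count} failed logins across {len(users_tried[src])} usernames"))
    for src, user, method in successes:
        if failures[src] >= success_after:
            alerts.append((src, f"successful {method} login as {user} after {failures[src]} failures"))
    return alerts


if __name__ == "__main__":
    for src, why in summarize_ssh(SAMPLE_AUTH_LOG):
        print(f"{src}: {why}")
```

The second alert is the one that matters for incident response: a brute force that ended in "Accepted password for root" means the host is compromised, not just probed, and the sudo line that follows it is the next thing to read.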
6. Configuration File Security Risks
Attackers often:
- Modify config files to disable security features.
- Change system files for persistence.
- Add malicious startup commands.
- Edit hosts file entries to hijack name resolution.
- Create unauthorized system users.
Analysts should:
- Check integrity using hashing or file monitoring tools.
- Compare configurations to known baselines.
- Look for unexpected changes in directories like:
- Windows: System32, AppData, Startup
- Linux: /etc/, /var/log, cron directories
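As an added example (not part of the original notes), the script below implements the baseline check recommended above: hash each watched configuration file with SHA-256, store the result as JSON, and later report files that were modified, removed, or newly created. It builds a throwaway directory tree and simulates the tampering itself so it runs offline; the WATCH list is an assumption that mirrors the paths called out on this page.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watch):
    """Map each watched relative path under root to its hash; absent files are omitted."""
    baseline = {}
    for rel in watch:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            baseline[rel] = hash_file(p)
    return baseline


def compare_to_baseline(root, watch, baseline):
    """Return sorted lists of modified, missing, and new watched files."""
    current = build_baseline(root, watch)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


# Hypothetical watch list (assumption); a real one comes from the hardening baseline.
# Relative paths are used so the same list can be checked against a mounted image.
WATCH = ["etc/hosts", "etc/sudoers", "etc/ssh/sshd_config", "etc/cron.d/backup"]


def demo():
    """Create a constructed /etc tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        os.makedirs(os.path.join(root, "etc", "cron.d"))
        files = {
            "etc/hosts": "127.0.0.1 localhost\n",
            "etc/sudoers": "root ALL=(ALL:ALL) ALL\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)

        baseline_json = json.dumps(build_baseline(root, WATCH), indent=2)  # store this off-host

        # Simulated attacker changes: weaken sshd, add a cron job, delete sudoers.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "etc/cron.d/backup"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/sudoers"))

        return compare_to_baseline(root, WATCH, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline JSON somewhere the monitored host cannot write to; a baseline stored next to the files it protects can be regenerated by the same attacker who changed them. The same approach works on Windows against System32, AppData and the Startup folders, where Get-FileHash in PowerShell produces the equivalent SHA-256 values.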
7. How File Structures Help in Cyber Investigations
As a CySA+ candidate, you use file structures to:
- Collect logs from correct locations.
- Identify unusual files or modifications.
- Understand where malware might hide.
- Review system and user activity via configuration files.
- Validate system integrity.
8. Key Exam Points to Remember
✔ Linux config files = mostly stored in /etc
✔ Windows config files = Registry + System32 + AppData
✔ Logs:
 Windows → winevt\Logs
 Linux → /var/log
✔ Understand purpose of important Linux directories like /bin, /sbin, /usr, /var, /home
✔ Know where user profiles are stored in Windows → C:\Users
✔ Attackers often modify config files for persistence
✔ Analysts check for unauthorized changes using baselines and monitoring tools
