According to the CHFI v11 Operating System Forensics objectives, Linux system logs are a critical source of evidence for identifying unauthorized access, brute-force attempts, and SSH key–based authentication activities. On modern Linux systems that use systemd, SSH-related events are logged and managed by the system journal, which can be queried using the journalctl utility.
The command journalctl -u ssh retrieves all log entries associated with the SSH service unit, making it the most appropriate command when an investigator needs a complete and unfiltered view of SSH activity. SSH key fingerprints are typically logged during public key authentication events, including successful and failed login attempts, and may appear alongside details such as usernames, source IP addresses, and authentication methods.
While options A and C restrict log output to specific time ranges and option B follows logs in real time, the question specifically asks which command should be executed to view the SSH key fingerprint in the SSH unit logs. CHFI v11 best practices recommend starting with the base unit log query to ensure no relevant artifacts are missed before applying filters.
Therefore, to reliably extract SSH key fingerprints and correlate authentication activity during forensic analysis, Hazel should execute journalctl -u ssh, making Option D the correct and CHFI v11–verified answer.
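
The correlation step described above, as an added example that is not part of the original explanation: it parses saved journalctl -u ssh output, pulls the key fingerprint from each public key authentication line, and groups accounts and source IPs by fingerprint. The sample journal lines, host name, fingerprints and the function names are constructed for illustration; the line layout assumed is the one OpenSSH's sshd writes for publickey results.

```python
import re
from collections import defaultdict

# Constructed sample in journalctl's default short output format. Host name,
# users, IPs (documentation ranges) and fingerprints are made up.
SAMPLE_JOURNAL = """\
Mar 04 10:15:01 web01 sshd[2211]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:ExampleFingerprintAAAAAAAAAAAAAAAAAAAAAAAAAA1
Mar 04 10:15:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar 04 11:02:44 web01 sshd[2307]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 04 11:03:10 web01 sshd[2311]: Failed publickey for bob from 198.51.100.7 port 40030 ssh2: RSA SHA256:ExampleFingerprintBBBBBBBBBBBBBBBBBBBBBBBBBB2
Mar 04 11:09:52 web01 sshd[2330]: Accepted publickey for root from 198.51.100.7 port 40051 ssh2: ED25519 SHA256:ExampleFingerprintAAAAAAAAAAAAAAAAAAAAAAAAAA1
"""

# Assumed layout of a publickey result line:
# "<Accepted|Failed> publickey for <user> from <ip> port <n> ssh2: <type> <fingerprint>"
PUBKEY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd(?:-session)?\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fp>(?:SHA256|MD5):\S+)"
)

def parse_pubkey_events(journal_text):
    """Return one dict per public key authentication line; other lines are skipped."""
    events = []
    for line in journal_text.splitlines():
        m = PUBKEY_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def correlate_by_fingerprint(events):
    """Group events by key fingerprint: which accounts and source IPs used each key."""
    keys = defaultdict(lambda: {"users": set(), "ips": set(), "accepted": 0, "failed": 0})
    for ev in events:
        entry = keys[ev["fp"]]
        entry["users"].add(ev["user"])
        entry["ips"].add(ev["ip"])
        entry[ev["result"].lower()] += 1  # "accepted" or "failed"
    return dict(keys)

if __name__ == "__main__":
    for fp, info in correlate_by_fingerprint(parse_pubkey_events(SAMPLE_JOURNAL)).items():
        print(fp, sorted(info["users"]), sorted(info["ips"]),
              f'accepted={info["accepted"]} failed={info["failed"]}')
```

In the constructed sample, one fingerprint is accepted for two different accounts from two different source IPs, which is the kind of correlation the fingerprint makes possible; password failures carry no fingerprint and are skipped.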