PrepAway - Latest Free Exam Questions & Answers

Which of the following would be used in forensic analysis of a compromised Linux system? (Select THREE).

A. Check log files for logins from unauthorized IPs.

B. Check /proc/kmem for fragmented memory segments.

C. Check for unencrypted passwords in /etc/shadow.

D. Check timestamps for files modified around time of compromise.

E. Use lsof to determine files with future timestamps.

F. Use gpg to encrypt compromised data files.

G. Verify the MD5 checksum of system binaries.

H. Use vmstat to look for excessive disk I/O.

