Sunday, 26 July 2020

remove number 12 from the array below

Q: Which of the following represents the method used to remove number 12 from the array below?
var values=[2, 4, 6, 10, 12]
a. values.remove(at: 4)
b. values.remove(at: 12)
c. values.append(12, at: 5)
d. remove("12")

Solution: values.remove(at: 4)

The statement above removes the element 12 from the array using the remove(at: index) method. 12 is at index 4, so at: 4 is used.

The output will be 2 4 6 10 after removing 12.

Constant, Private Data Members

Question: Do not use C++ strings (or the string library) anywhere in the Routes application, in this v.1 or in any future versions. Let's get some experience using C strings. Also, the overhead is way less in this application using C strings.

Write Routes.1.cpp, to design and test a class that represents a leg of a route between two adjacent cities. Here are the specifications for the Leg class:

1. Constant, Private Data Members

Write three private data members: the starting city, the ending city, and the distance (in miles) separating the two.

Use constant, read-only pointers to store the city names as C strings. There will be no need to ever make copies of the names -- no strcpy . Names will be declared and stored in the main program, so all that needs to be stored in the Leg object are the memory locations of those C strings.

For the distance, use any numeric data type of your choosing -- you decide on whole numbers vs floating point. It will never change, so it needs to be constant.

2. Constructor Function(s)

Include one constructor with three parameters -- the start and end cities and the distance separating them. Do not include a default constructor! There can be no "generic" or uninitialized Leg. Each Leg is very specific and constant and unchanging.

3. Getter Function(s)

Write two getters -- one to return the distance and another to produce nicely formatted output.
The output getter would have one parameter -- an ostream reference, so that output can be directed to any stream-oriented source. The "nicely formatted output" should look something like this: "Leg: San Francisco to San Jose, 20 miles" but you decide on the exact appearance.

  • The declaration of the Leg class should be like,

4. An Array Of Leg Objects

In the main program declare an array of 40 or more Leg objects, each connecting two cities of your choice. They can be any pairs of cities that you choose, but follow these rules:

  • Do not make 40 legs where each new leg starts where the preceding leg ends. That is, do not make one long list of legs following Interstate 80 from San Francisco to New York City. Instead choose major cities across the United States, connecting adjacent cities.
  • Do include at least one set of 5 legs that do form a "route" when taken end-to-end. For this to happen you'll need to spell and case the end city of one leg exactly the same as the start city for some other leg so that they "connect".
  • Use sizeof to get the size of the Leg Objects array

It's okay to estimate the distances between cities -- exactness of your numbers will not be checked. But be reasonable!

5. Sort By Distance

In the main program write a nested-for-loop sorting code block, sorting the Leg objects in the array from shortest distance to longest. This will require swapping of objects, which will require an assignment operator function in the Leg class. Because there are constant data members, you should write an assignment operator function just because it's good programming practice -- but in this case, it's required because of the swapping.

6. Output

In a loop in the main program, call the output getter on each object in the array. The output should be arranged shortest to longest, because the sorting code block should be before the output code block in the main program. Refer to sample output from Files, Assignment5Part1.pdf

7. Do Not Add To The Public Interface As Specified

Do not add getters, setters, constructors, destructors, friends, or statics to a class, other than the ones specified. If a public function name is given in the specification, spell and case it exactly. If parameters are specified, write them exactly as specified -- do not add or remove parameters or change their type.

Do not add public data members unless specified. Public variables will never be specified, although public constants might be (in a future lab assignment). If that happens, name and case them exactly as specified.

Private members don't matter -- unless specifically told not to, you may add private functions and data.

My code:

#include <iostream>
#include <iomanip>
#include <string>

using namespace std;

class Leg
{
	const char* const startCity;
	const char* const endCity;
	const double distance;
	
	public:
	Leg(const char* const, const char* const, const double);
	Leg& operator=(const Leg&);
	double getDistance() const;
	void output(ostream&) const;
};

int main() 
{
	double arr[40];
	for(int i = 0; i < 40; i++)
	{
		arr[i] = rand() % 39 + 1.45;
	}
	Leg a[ ]={
		Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[2]),Leg("Albuquerque","Alexandria", arr[3]),
		Leg("Allentown","Amarillo", arr[4]),Leg("Anaheim","Anchorage", arr[5]),Leg("Ann Arbor","Antioch", arr[6]),
		Leg("Apple Valley","Appleton", arr[7]),Leg("Arlington","Arvada", arr[8]),Leg("Asheville","Athens", arr[9]),
		Leg("Atlanta","Atlantic City", arr[10]),Leg("Augusta","Aurora", arr[12]),Leg("Austin","Bakersfield", arr[12]),
		Leg("Baltimore","Barnstable", arr[13]),Leg("Baton Rouge","Beaumont", arr[14]),Leg("Bel Air","Bellevue", arr[15]),
		Leg("Berkeley","Bethlehem", arr[16]),Leg("Billings","Birmingham", arr[17]),Leg("Bloomington","Boise", arr[18]),
		Leg("Boise City","Bonita Springs", arr[19]),Leg("Boston","Boulder", arr[20]),Leg("Bremerton","Brighton", arr[21]),
		Leg("Brownsville","Bryan", arr[22]),Leg("Buffalo","Burbank", arr[23]),Leg("Cambridge","Canton", arr[24]),
		Leg("Cape Coral","Carrollton", arr[25]),Leg("Cary","Cathedral City", arr[26]),Leg("Cedar Rapids","Champaign", arr[27]),
		/*Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1])*/
		 };
		 const int SIZE = sizeof(a) / sizeof(a[0]);
		 for (int i = 0; i < SIZE; i++)
		 {
			 for (int j = i + 1; j < SIZE; j++)
			 {
				 if (arr[j] < arr[i])
				 swap(arr[j], arr[i]);
			 }
		}
}

double getDistance()
{
	return distance;
}

Leg& Leg::operator=(const Leg& copyThis) 
{
	if (this != &copyThis) 
	{
		const_cast<double&>(this->distance) = copyThis.distance;
		const_cast<const char* &>(this->startCity) = copyThis.startCity;
		const_cast<const char* &>(this->endCity) = copyThis.endCity;
	}
	return *this;
}

Solution:

#include <iostream>
#include <iomanip>
#include <cstdlib>

using namespace std;

class Leg
{
	const char* const startCity;
	const char* const endCity;
	const double distance;
	public:
	Leg(const char* const, const char* const, const double);
	Leg& operator=(const Leg&);
	double getDistance() const;
	void output(ostream&) const;
};

// constructor
Leg::Leg(const char* startCity, const char* endCity, const double distance): startCity(startCity), endCity(endCity), distance(distance)
{
}

// return the distance
double Leg:: getDistance() const
{
	return distance;
}

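// assignment operator (needed so the sort can swap Leg objects)
// Note: the data members are declared const, so writing to them through
// const_cast is undefined behaviour in standard C++. It is done here only
// because the assignment requires both constant members and swapping.
Leg& Leg::operator=(const Leg& copyThis) 
{
	// avoid self assignment
	if (this != &copyThis) 
	{
		const_cast<double&>(this->distance) = copyThis.distance;
		const_cast<const char* &>(this->startCity) = copyThis.startCity;
		const_cast<const char* &>(this->endCity) = copyThis.endCity;
	}
	return *this;
}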

// output the Leg object details to out
void Leg:: output(ostream& out) const
{
	out<<"Leg: "<<startCity<<" to "<<endCity<<", "<<fixed<<setprecision(2)<<distance<<" miles"<<endl;
}

int main()
{
	double arr[40];
	// create an array of random distances
	for(int i = 0; i < 40; i++)
	{
		arr[i] = rand() % 39 + 1.45;
	}
	// create an array of Leg objects
	Leg a[]={
		Leg("Aberdeen","Abilene", arr[1]),
		Leg("Akron","Albany", arr[2]),
		Leg("Albuquerque","Alexandria", arr[3]),
		Leg("Allentown","Amarillo", arr[4]),
		Leg("Anaheim","Anchorage", arr[5]),
		Leg("Ann Arbor","Antioch", arr[6]),
		Leg("Apple Valley","Appleton", arr[7]),
		Leg("Arlington","Arvada", arr[8]),
		Leg("Asheville","Athens", arr[9]),
		Leg("Atlanta","Atlantic City", arr[10]),
		Leg("Augusta","Aurora", arr[12]),
		Leg("Austin","Bakersfield", arr[12]),
		Leg("Baltimore","Barnstable", arr[13]),
		Leg("Baton Rouge","Beaumont", arr[14]),
		Leg("Bel Air","Bellevue", arr[15]),
		Leg("Berkeley","Bethlehem", arr[16]),
		Leg("Billings","Birmingham", arr[17]),
		Leg("Bloomington","Boise", arr[18]),
		Leg("Boise City","Bonita Springs", arr[19]),
		Leg("Boston","Boulder", arr[20]),
		Leg("Bremerton","Brighton", arr[21]),
		Leg("Brownsville","Bryan", arr[22]),
		Leg("Buffalo","Burbank", arr[23]),
		Leg("Cambridge","Canton", arr[24]),
		Leg("Cape Coral","Carrollton", arr[25]),
		Leg("Cary","Cathedral City", arr[26]),
		Leg("Cedar Rapids","Champaign", arr[27])
		/*Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1]),Leg("Akron","Albany", arr[1]),Leg("Albuquerque","Alexandria", arr[1]),
		 * Leg("Aberdeen","Abilene", arr[1])*/
	};
	const int SIZE = sizeof(a) / sizeof(a[0]);
	// sort the leg objects in ascending order based on their distance
	int min;
	for(int i=0;i<SIZE-1;i++)
	{
		 min = i;
		 for(int j=i+1;j<SIZE;j++)
		 {
			 if(a[j].getDistance() < a[min].getDistance())
			 min = j;
		 }
		 if(min != i)
		 {
			 Leg temp = a[i];
			 a[i] = a[min];
			 a[min] = temp;
		 }
	}
	// display the sorted order of Leg objects
	for(int i=0;i<SIZE;i++)
		a[i].output(cout);
	return 0;
}
//end of program



Tuesday, 14 July 2020

Compute the sum of odd numbers

Q: Compute the sum of odd numbers up to a given odd number n.
Input: n
Function: oddsum(n) = 1 + 3 + ...+ (n-2) + n.
Output: oddsum (n)
Examples: oddsum(3) = 4, oddsum(5)=9; oddsum(7)=16.
You may assume the number n is odd.
Use an iterative algorithm such as:
      sum = 0;
      counter = 1;
      while (counter <= n) {
          sum =sum + counter;
          counter= counter + 2;
      }

Solution:

#include <iostream>
using namespace std;

void oddsum(int n)
{
	int sum = 0; // variable initialized to compute the sum
	int counter = 1; // loop counter, steps through the odd numbers 1, 3, 5, ...
	while (counter <= n)
	{
		sum = sum + counter;
		counter = counter + 2;
	}
	cout << "The sum is " << sum;
}

int main()
{
	int n;
	cout << "Enter a number: ";
	cin >> n;
	oddsum(n);

	return 0;
}




Thursday, 2 July 2020

Autopsy Training Quiz

Q1: What are the two different ways that you can deploy Autopsy?
Solution:
"Desktop/Single-User" and "Cluster/Multi-User"

Q2: What are two benefits of utilizing a multi-user Autopsy deployment?
Solution:
+ Allows for "Auto-Ingest" mode, where new media is automatically analyzed 24 x 7 by multiple nodes
+ Analysis can be faster (if you have fast hardware)

Q3: True or False: One of the primary reasons for having the Central Repository is that it allows you to easily access metadata from past cases
Solution:
True

Q4: True or False: You can store hash sets in the Central Repository that can be shared by everyone in the lab.
Solution:
True

Q5: What are the two types of databases supported by a Central Repository deployment?
Solution:
+ SQLite
+ PostgreSQL

Q6: Step 1 of the Basic Investigation Autopsy Workflow is to make a Case. True or False: Step 2 is to add a data source to the case.
Solution:
True

Q7: True or False: You can have multiple versions of Autopsy installed on an endpoint at the same time
Solution:
True

Q8: True or False: Running on OSX or Linux requires more manual steps that are outlined in Running_Linux_OSX.txt.
Solution:
True

Q9: True or False: For all Autopsy releases prior to Autopsy 4.15, the Central Repository is enabled by default.
Solution:
False

Q10: What are the minimum resources needed for a multi-user Autopsy deployment?
Solution:
Central Shared Storage and 2 Servers

Q11: True or False: Autopsy needs to be installed on each examiner's computer, whether using a single-user or multi-user deployment
Solution:
True

Q12: True or False: Autopsy supports Machine Translation integration from Google and Microsoft
Solution:
True

Q13: True or False: In a multi-user cluster, all examiners need to have access to the case directory at the same path (i.e. \\server\cases\ or Z:\Cases)
Solution:
True

Q14: Autopsy is able to ingest the following data sources directly:
Solution:
+ Disk Image or VM file
+ Logical files

Q15: True or False: When adding a data source to Autopsy, in-depth analysis on the data is automatically performed
Solution:
False

Q16: True or False: The Autopsy case database stores a full copy of every single file contained within a data source
Solution:
False

Q17: Autopsy supports many volume systems, including:
Solution:
+ DOS
+ BSD
+ GPT

Q18: Autopsy supports many file system formats, including:
Solution:
+ FAT32
+ YAFFS2
+ HFS+
+ Ext4
+ NTFS

Q19: Orphan files in Autopsy are stored under the $OrphanFile folder. What is an orphan file?
Solution:
A deleted file that no longer has a parent folder.

Q20: What types of disk images are currently NOT NATIVELY SUPPORTED by Autopsy?
Solution:
+ Bitlocker
+ RAID

Q21: True or False: When adding "Local Files and Folders" to a case in Autopsy, file times are added to the database
Solution:
False

Q22: True or False: When adding an E01 file to a case within Autopsy, the E01 file is automatically validated upon import
Solution:
False

Q23: How many volumes does the disk image have?
Solution:
6

Q24: What is the name of the unallocated space file in vol1?
Solution:
Unalloc_3_0_1048576

Q25: What file system is in vol7?
Solution:
NTFS

Q26: What is the database called?
Solution:
autopsy.db

Q27: Roughly how big is the case database (in megabytes)?
Solution:
250MB

Q28: The Tree Structure within Autopsy has five (5) top-level nodes, including:
Solution:
+ Data Sources
+ Results
+ Tags

Q29: If you want to immediately see all picture files after adding a data source, you should use the View that uses Extension or MIME type?
Solution:
Extension

Q30: Grouping the tree by data source can be useful when:
Solution:
You have data sources from several suspects in the same case.

Q31: True or False: A red icon under the "S" (Score) column under the Table in Autopsy means that the file is corrupted and cannot be recovered
Solution:
False

Q32: True or False: The "Text / Strings" content viewer contains only words that are found in a standard English dictionary
Solution:
False

Q33: True or False: By selecting any item within the "Table", you can then type in a search term that looks for matching results within that column
Solution:
True

Q34: What actions are available to a user when right clicking on a file within Autopsy?
Solution:
+ Extract File(s)
+ Open in External Viewer

Q35: True or False: The "Other Occurrences" content viewer area allows you to see if the file existed in a previous case.
Solution:
True

Q36: True or False: The "Application" content viewer allows users to render html files as they were viewed in a web browser
Solution:
True

Q37: True or False: Video Triage is a free download from "autopsy.com" that allows users to see screen captures of portions of a video file without having to actually play back a video
Solution:
True

Q38: True or False: The "Timeline" interface shows events and file data sorted by file size
Solution:
False

Q39: By extension, how many databases are there?
Solution:
Fifty nine (59)

Q40: What is the size of the largest database?
Solution:
5242880 bytes

Q41: Are there any databases by MIME type yet?
Solution:
No, because file types have not been yet determined.

Q42: Select the names of the files between 200MB and 1GB in size:
Solution:
+ $BadClus:$Bad
+ Winre.wim
+ chrome.7z

Q43: What are the two types of Ingest Modules utilized by Autopsy?
Solution:
+ File Ingest Modules
+ Data Source Ingest Modules

Q44: True or False: Ingest modules can run in parallel
Solution:
True

Q45: Autopsy prioritizes files so that important ones are analyzed first. The priority order is:
Solution:
User Folders, Program Files and other root folders, Windows folder, Unallocated space

Q46: What are some of the "official" ingest modules that are included with the download of Autopsy?
Solution:
+ Email
+ Hash Lookup

Q47: Which of the following are types of data that will be stored as a Blackboard artifact?
Solution:
+ Hash Hit
+ Encryption Detected

Q48: A Blackboard artifact is a _____ and ______ pair
Solution:
Type, Value

Q49: True or False: The "Hash Lookup" can calculate the MD5 hash of a file.
Solution:
True

Q50: What are some reasons why a user would run the "Hash Lookup" module?
Solution:
+ To include MD5 hash values in reports
+ To identify notable ('known bad') files

Q51: What hash set formats does Autopsy currently support?
Solution:
+ EnCase
+ NIST NSRL
+ md5sum

Q52: What two places will show you the files in the case that were found in a hash set?
Solution:
+ Ingest Inbox
+ In the Hashset Hits part of the tree

Q53: To make your own hash set from scratch, you'd choose which button from the Options -> Hash Sets panel?
Solution:
New Hash Set

Q54: To add a hash set that a colleague shared with you, you'd choose which button from the Options -> Hash Sets panel?
Solution:
Import Hash Set

Q55: True or False: An index allows Autopsy to lookup hash values faster.
Solution:
True

Q56: Where should you get the pre-indexed version of the NIST NSRL?
Solution:
From the Autopsy site

Q57: True or False: If a hash set is stored on the Central Repository then only one user can access it
Solution:
False

Q58: How many total hits are found under the “Hashset Hits” results after running the Hash Lookup Ingest Module?
Solution:
Six (6)

Q59: What are the filenames of the hash hits?
Solution:
"RN.jpg" and "f_000239"

Q60: How many total ".jpg" files are in the folder “Pictures” where the notable hash hit was found?
Solution:
Seven (7)

Q61: What type of file does the MIME type "application/octet-stream" designate?
Solution:
Unknown type

Q62: What types of data can be stored in EXIF data?
Solution:
+ Camera Type
+ Geolocation coordinates of where the photo was taken
+ Date and Time of when a photo was taken

Q63: The Exif module extracts:
Solution:
A subset of Exif data that is most often relevant to an investigation

Q64: The Embedded File Extractor ingest module has the ability to extract files from:
Solution:
+ Compressed files, such as RAR, ZIP, 7Z, etc.
+ Images from PDF documents
+ Images from Office documents

Q65: True or False: The Embedded File Extractor ingest module will flag a file if it is password protected
Solution:
True

Q66: True or False: If a ZIP file has a password, you can supply the password by right clicking on the file.
Solution:
True

Q67: The Email Module searches for and processes email from known email file types, including:
Solution:
+ MBOX
+ PST
+ EML

Q68: True or False: You can make rules for the Interesting Files module to automate your checklist of applications to always look for (such as BitCoin and Cloud Storage).
Solution:
True

Q69: The Encryption Detection Module detects files that may be encrypted by looking for what characteristics?
Solution:
High entropy, multiple of 512 bytes, no distinguishable file type

Q70: True or False: The Plaso module is enabled by default
Solution:
False

Q71: The Virtual Machine Extractor module will:
Solution:
Detect virtual machine files (vmdk, vhdi, etc.) and add them back in as a data source

Q72: The Data Source Integrity module will do what to a disk image:
Solution:
Calculate its hash value

Q73: Under the “Exif Metadata” results, how many photos were taken with an iPhone 7 Plus?
Solution:
One (1)

Q74: Under the “Exif Metadata” results, how many photos were taken with a BLU R1 HD?
Solution:
Fifteen (15)

Q75: Under the “Exif Metadata” results, how many photos were taken with a Samsung Galaxy S8?
Solution:
Zero (0)

Q76: What is the MIME type listed for the file “D3D11_Default.shader-db.bin”?
Solution:
application/octet-stream

Q77: What is the file size, in bytes, for the file “D3D11_Default.shader-db.bin”?
Solution:
594728

Q78: Are there extension mismatch results?
Solution:
Yes

Q79: What are some common file types with unexpected extensions?
Solution:
png

Q80: Was veracrypt.exe found on the system?
Solution:
Yes

Q81: Was the executable file "truecrype.exe" found on the system?
Solution:
No

Q82: What types of user activity does the "Recent Activity" module extract?
Solution:
+ Web Activity (Bookmarks, Cookies, etc.)
+ Installed Programs
+ Recycle Bin Analysis

Q83: True or False: The Recent Activity module can be configured by a user to only parse out certain types of data
Solution:
False

Q84: The Recent Activity Module automatically parses browsing history for what web browsers?
Solution:
+ Chrome
+ Internet Explorer
+ Edge
+ Safari
+ Firefox

Q85: True or False: The Recent Activity module creates a deleted file entry in the location where a file in the Recycle Bin originally existed
Solution:
True

Q86: True or False: Web Form Autofill data extracts name and value pairs that are entered into web forms
Solution:
True

Q87: What open source tool does Autopsy rely upon to perform analysis of Registry Hives?
Solution:
RegRipper

Q88: What are some attributes of connected USB devices that can be extracted using RegRipper?
Solution:
+ Device Model
+ Device Make
+ Device ID

Q89: True or False: You can access the raw RegRipper output in the Reports part of the tree.
Solution:
True

Q90: How many web bookmarks are listed?
Solution:
Five (5)

Q91: What URL is a suspicious bookmark given the dognapping?
Solution:
ransomizer.com

Q92: What month and year are the cookies associated with the domain “youtube.com” from?
Solution:
November 2019

Q93: What is the Value associated with the Name “identifier” under Web Form Autofill?
Solution:
antirenzik@gmail.com

Q94: Under "Web History", what is the day associated with the Google Search "how to treat a dog bite"?
Solution:
November 12, 2019

Q95: Under "Web History", what day is associated with the Google Search "how to make a ransom note"?
Solution:
November 5, 2019

Q96: Under "Web History", what is the date (in YYYY-MM-DD format) associated with the Google Search "hostage negotiation tactics"?
Solution:
2019-11-05

Q97: What was likely the original name of the file "$RFC5YC5.txt", that is currently located in the Recycle Bin?
Solution:
VCPW.txt

Q98: Under Accounts, what is the username associated with the Twitter account found on the device?
Solution:
AntiRenzik

Q99: True or False: A text index is an organized collection of words and the files that contain them.
Solution:
True

Q100: Autopsy uses what open source search engine for text indexing?
Solution:
Apache Solr

Q101: Due to shortcomings by a majority of widely available extraction tools, Basis Technology wrote a custom text extractor for what data type in order to process things such as comments and Javascript?
Solution:
HTML

Q102: True or False: The more encodings and languages that you add for strings extraction, the fewer false positives that you get
Solution:
False

Q103: True or False: Autopsy will normalize text within the index to make all searches case insensitive
Solution:
True

Q104: Once you have a text index, you can perform all of the following types of searches:
Solution:
+ Exact matches
+ Substrings
+ Regular expressions

Q105: True or False: Substring match is the default text match search within Autopsy
Solution:
False

Q106: When viewing an individual file that contains a keyword search hit, that keyword is ...
Solution:
Highlighted

Q107: True or False: Keyword lists can be exported and imported.
Solution:
True

Q108: There are references to a document with renzik. What is the name of the file?
Solution:
in order to ensure that renzik is treated properly.docx

Q109: How many hits are there for “Renzik” in NTUSER.DAT?
Solution:
Ten (10) - (Four (4) on one page, Six (6) on another)

Q110: What type(s) of data from past cases are stored in the Central Repository?
Solution:
+ MD5 hash values
+ Wifi SSID

Q111: True or False: There is one row in the Central Repository for every instance of a property
Solution:
True

Q112: True or False: USB devices will never be flagged if they were previously seen
Solution:
False

Q113: True or False: The correlation engine module extracts and calculates data, such as hash values
Solution:
False

Q114: The Correlation Engine module has two basic features, which are
Solution:
Query Central Repository, to see if items in current case were previously seen, and adding data to Central Repository

Q115: True or False: The Correlation engine module can be configured to generate alerts based on the existence of previously seen data.
Solution:
True

Q116: True or False: The Correlation Engine module does not rely on other modules to obtain data that is inserted into the Central Repository
Solution:
False

Q117: What was the created date (in YYYY-MM-DD format) of the file "IMG_20191024_155744.jpg" on the media card?
Solution:
2019-10-24

Q118: How many total .jpg files are in the folder where the interesting file is located on the media card?
Solution:
Five (5)

Q119: Was the file "IMG_20191024_155744.jpg" seen in any other folders and/or directories on the hard drive? If so, what was the name of the other file(s)?
Solution:
Yes, "f_00022e"

Q120: What types of data are currently able to be extracted and parsed from an Android device?
Solution:
+ Call Logs
+ WhatsApp

Q121: True or False: Android Analyzer only parses data from native Android applications. It cannot parse any third party Android applications
Solution:
False

Q122: True or False: Autopsy cannot acquire data directly from an Android device
Solution:
True

Q123: What types of artifacts can be created by the Android Analyzer?
Solution:
+ Messages
+ GPS Points

Q124: Select the three main areas of the layout of the timeline interface.
Solution:
+ Filters
+ Events
+ Files and Content

Q125: True or False: The timeline feature allows an analyst to view a graphical representation of time based events that occurred on a system
Solution:
True

Q126: True or False: The timeline interface does not rely on other modules to extract time stamps
Solution:
False

Q127: What are the three "Views" that an analyst can choose from to display timeline data?
Solution:
+ Counts
+ Details
+ List

Q128: True or False: The default scale of the "counts" view is linear.
Solution:
False

Q129: True or False: In the Details View, you "Expand" a cluster to see more details.
Solution:
True

Q130: An analyst can ______ clusters to bring them to the top of the Details view.
Solution:
Pin

Q131: In the List View, the letter "A" under Event Type stands for ________?
Solution:
Last Accessed

Q132: In the List View, the letter "B" under Event Type stands for ________?
Solution:
Born Date

Q133: The "Law Enforcement Bundle", a free add-on provided by Basis Technology, provides access to which of the following databases?
Solution:
+ C4ALL
+ Project Vic

Q134: Image Gallery folders are prioritized based on ________
Solution:
Density of hash hits and number of images in folder

Q135: True or False: A purple dashed line around an image indicates that it was taken with an iPhone
Solution:
False

Q136: True or False: The Image Gallery provides an infinite scroll bar of thumbnails
Solution:
False

Q137: What is the name of the button that will take an analyst to the next group of Image Gallery photos?
Solution:
Next Unseen group

Q138: True or False: The C4ALL database with MD5 hashes is provided by Basis Technology
Solution:
False

Q139: How can Autopsy integrate with Project Vic?
Solution:
By importing hash values into hash sets named based on their categories.

Q140: True or False: Accounts in Autopsy have both a "type" and a unique "identifier"
Solution:
True

Q141: True or False: The Communications Interface is oriented around data types, and not accounts
Solution:
False

Q142: A special account that is created by Autopsy for a data source when it doesn't know what account was used is called a _______ account
Solution:
Device

Q143: What are two modules that the Communications Interface relies upon to extract communication-related data?
Solution:
+ Android Analyzer
+ Email

Q144: Which of the following are Account Types that can be identified within the Communications Interface within Autopsy?
Solution:
+ Phone
+ Website
+ Facebook
+ Twitter
+ Email

Q145: True or False: By default, accounts are sorted by the number of relationships they have in the case.
Solution:
True

Q146: True or False: Tagging allows a user to reference a file or object to easily find it later
Solution:
True

Q147: Which of the following choices can be the name of a tag within Autopsy?
Solution:
+ Brian Carrier
+ Suspicious
+ Encryption
+ Kubernetes
+ Blockchain

Q148: True or False: When viewing a result (aka a Blackboard Artifact) you have the choice to tag either the result or its source file
Solution:
True

Q149: True or False: You can tag an image, but you cannot tag a specific region of an image
Solution:
False

Q150: True or False: In a multi-user environment, tags are associated with the examiner who made them
Solution:
True

Q151: Which of the following are valid comments that can be saved along with a Tag?
Solution:
+ Spy plane
+ Tornado
+ Shield
+ Arc Reactor

Q152: What is the name of the button that an analyst clicks within Autopsy to begin the report generation process?
Solution:
Generate Report

Q153: What are some benefits of a Portable Case?
Solution:
+ Self contained and all relevant files are located in the case folder
+ Can be shared with another user for review or assistance
+ Decrease the overall size of data to review

Q154: True or False: When creating an HTML Result report within Autopsy, an analyst cannot change the default image with their own agency/corporate logo
Solution:
False

Q155: When generating a KML report, what items can be contained within the final KML report?
Solution:
+ Thumbnails of EXIF images
+ EXIF artifacts
+ GPS Route