Thursday, 2 July 2020

Autopsy Training Quiz

Q1: What are the two different ways that you can deploy Autopsy?
Solution: "Desktop/Single-User" and "Cluster/Multi-User"

Q2: What are two benefits of utilizing a multi-user Autopsy deployment?
Solution: + Allows for "Auto-Ingest" mode, where new media is automatically analyzed 24 x 7 by multiple nodes
+ Analysis can be faster (if you have fast hardware)

Q3: True or False: One of the primary reasons for having the Central Repository is that it allows you to easily access metadata from past cases
Solution: True

Q4: True or False: You can store hash sets in the Central Repository that can be shared by everyone in the lab.
Solution: True

Q5: What are the two types of databases supported by a Central Repository deployment?
Solution: + SQLite
+ PostgresSQL

Q6: Step 1 of the Basic Investigation Autopsy Workflow is to make a Case. True or False: Step 2 to add a data source to the case.
Solution: True

Q7: True or False: You can have multiple versions of Autopsy installed on an endpoint at the same time
Solution: True

Q8: True or False: Running on OSX or Linux requires more manual steps that are outlined in Running_Linux_OSX.txt.
Solution: True

Q9: True or False: For all Autopsy releases prior to Autopsy 4.15, the Central Repository is enabled by default.
Solution: False

Q10: What are the minimum resources needed for a multi-user Autopsy deployment?
Solution: Central Shared Storage and 2 Servers

Q11: True or False: Autopsy needs to be installed on each examiner's computer, whether using a single-user or multi-user deployment
Solution: True

Q12: True or False: Autopsy supports Machine Translation integration from Google and Microsoft
Solution: True

Q13: True or False: In a multi-user cluster, all examiners need to have access to the case directory at the same path (i.e. \\server\cases\ or Z:\Cases)
Solution: True

Q14: Autopsy is able to ingest the following data sources directly:
Solution: + Disk Image or VM file
+ Logical files

Q15: True or False: When adding a data source to Autopsy, in-depth analysis on the data is automatically performed
Solution: False

Q16: True or False: The Autopsy case database stores a full copy of every single file contained within a data source
Solution: False

Q17: Autopsy supports many volume systems, including:
Solution: + DOS
+ BSD
+ GPT

Q18: Autopsy supports many file system formats, including:
Solution: + FAT32
+ YAFFS2
+ HFS+
+ Ext4
+ NTFS

Q19: Orphan files in Autopsy are stored under the $OrphanFile folder. What is an orphan file?
Solution: A deleted file that no longer has a parent folder.

Q20: What types of disk images are currently NOT NATIVELY SUPPORTED by Autopsy
Solution: + Bitlocker
+ RAID

Q21: True or False: When adding "Local Files and Folders" to a case in Autopsy, file times are added to the database
Solution: False

Q22: True or False: When adding an E01 file to a case within Autopsy, the E01 file is automatically validated upon import
Solution: False

Q23: How many volumes does the disk image have?
Solution: 6

Q24: What is the name of the unallocated space file in vol1?
Solution: Unalloc_3_0_1048576

Q25: What file system is in vol7?
Solution: NTFS

Q26: What is the database called?
Solution: autopsy.db

Q27: Roughly how big is the case database (in megabytes)?
Solution: 250MB

Q28: The Tree Structure within Autopsy has five (5) top-level nodes, including:
Solution: + Data Sources
+ Results
+ Tags

Q29: If you want to immediately see all picture files after adding a data source, you should use the View that uses Extension or MIME type?
Solution: Extension

Q30: Grouping the tree by data source can be useful when:
Solution: You have data sources from several suspects in the same case.

Q31: True or False: A red icon under the "S" (Score) column under the Table in Autopsy means that the file is corrupted and cannot be recovered
Solution: False

Q32: True or False: The "Text / Strings" content viewer contains only words are found in a standard English dictionary
Solution: False

Q33: True or False: By selecting any item within the "Table", you can then type in a search term that looks for matching results within that column
Solution: True

Q34: What actions are available to a user when right clicking on a file within Autopsy?
Solution: + Extract File(s)
+ Open in External Viewer

Q35: True or False: The "Other Occurrences" content viewer area allows you to see if the file existed in a previous case.
Solution: True

Q36: True or False: The "Application" content viewer allows users to render html files as they were viewed in a web browser
Solution: True

Q37: True or False: Video Triage is a free download from "autopsy.com" that allows users to see screen captures of portions of a video file without having to actually play back a video
Solution: True

Q38: True or False: The "Timeline" interface shows events and file data sorted by file size
Solution: False

Q39: By extension, how many databases are there?
Solution: Fifty nine (59)

Q40: What is the size of the largest database?
Solution: 5242880 bytes

Q41: Are there any databases by MIME type yet?
Solution: No, because file types have not been yet determined.

Q42: Select the names of the files between 200MB and 1GB in size:
Solution: + $BadClus:$Bad
+ Winre.wim
+ chrome.7z

Q43: What are the two types of Ingest Modules utilized by Autopsy?
Solution: + File Ingest Modules
+ Data Source Ingest Modules

Q44: True or False: Ingest modules can run in parallel
Solution: True

Q45: Autopsy prioritizes files so that important ones are analyzed first. The priority order is:
Solution: User Folders, Program Files and other root folders, Windows folder, Unallocated space

Q46: What are some of the "official" ingest modules that are included with the download of Autopsy?
Solution: + Email
+ Hash Lookup

Q47: Which of the following are types of data that will be stored as a Blackboard artifact?
Solution: + Hash Hit
+ Encryption Detected

Q48: A Blackboard artifact is a _____ and ______ pair
Solution: Type, Value

Q49: True or False: The "Hash Lookup" can calculate the MD5 hash of a file.
Solution: True

Q50: What are some reasons on why a user would run the "Hash Lookup" module?
Solution: + To include MD5 hash values in reports
+ To identify notable ('known bad') files

Q51: What hash set formats does Autopsy currently support
Solution: + EnCase
+ NIST NSRL
+ md5sum

Q52: What two places will show you the files in the case that were found in a hash set?
Solution: + Ingest Inbox
+ In the Hashset Hits part of the tree

Q53: To make your own hash set from scratch, you'd choose which button from the Options -> Hash Sets panel?
Solution: New Hash Set

Q54: To add a hash set that a colleague shared with you, you'd choose which button from the Options -> Hash Sets panel?
Solution: Import Hash Set

Q55: True or False: An index allows Autopsy to lookup hash values faster.
Solution: True

Q56: Where should you get the pre-indexed version of the NIST NSRL?
Solution: From the Autopsy site

Q57: True or False: If a hash set is stored on the Central Repository then only one user can access it
Solution: False

Q58: How many total hits are found under the “Hashset Hits” results after running the Hash Lookup Ingest Module?
Solution: Six (6)

Q59: What are the filenames of the hash hits?
Solution: "RN.jpg" and "f_000239"

Q60: Question: How many total ".jpg" files are in the folder “Pictures” where the notable hash hit was found?
Solution: Seven (7)

Q61: What type of file does the MIME type "application/octet-stream" designate?
Solution: Unknown type

Q62: What types of data can be stored in EXIF data?
Solution: + Camera Type
+ Geolocation coordinates of where the photo was taken
+ Date and Time of when a photo was taken

Q63: The Exif module extracts:
Solution: A subset of Exif data that is most often relevant to an investigation

Q64: The Embedded File Extractor ingest module has the ability to extract files from:
Solution: + Compressed files, such as RAR, ZIP, 7Z, etc.
+ Images from PDF documents
+ Images from Office documents

Q65: True or False: The Embedded File Extractor ingest module will flag a file if it is password protected
Solution: True

Q66: True or False: If a ZIP file has a password, you can supply the password by right clicking on the file.
Solution: True

Q67: The Email Module searches for and processes email from known email file types, including:
Solution: + MBOX
+ PST
+ EML

Q68: True or False: You can make rules for the Interesting Files module to automate your checklist of applications to always look for (such as BitCoin and Cloud Storage).
Solution: True

Q69: The Encryption Detection Module detects files that may be encrypted by looking for what characteristics?
Solution: High entropy, multiple of 512 bytes, no distinguishable file type

Q70: True or False: The Plaso module is enabled by default
Solution: False

Q71: The Virtual Machine Extractor module will:
Solution: Detect virtual machine files (vmdk, vhdi, etc.) and add them back in as a data source

Q72: The Data Source Integrity module will do what to a disk image:
Solution: Calculate its hash value

Q73: Under the “Exif Metadata results, how many photos were taken with an iPhone 7 Plus?
Solution: One (1)

Q74: Under the “Exif Metadata results, how many photos were taken with a BLU R1 HD?
Solution: Fifteen (15)

Q75: Under the “Exif Metadata results, how many photos were taken with a Samsung Galaxy S8?
Solution: Zero (0)

Q76: What is the MIME type listed for the file “D3D11_Default.shader-db.bin”?
Solution: application/octet-stream

Q77: What is the file size, in bytes, for the file “D3D11_Default.shader-db.bin”?
Solution: 594728

Q78: Are there extension mismatch results?
Solution: Yes

Q79: What are some common file types with unexpected extensions?
Solution: png

Q80: Was veracrypt.exe found on the system?
Solution: Yes

Q81: Was the executable file "truecrype.exe" found on the system?
Solution: No

Q82: What types of user activity does the "Recent Activity" module extract?
Solution: + Web Activity (Bookmarks, Cookies, etc.)
+ Installed Programs
+ Recycle Bin Analysis

Q83: True or False: The Recent Activity module can be configured by a user to only parse out certain types of data
Solution: False

Q84: The Recent Activity Module automatically parses browsing history for what web browsers?
Solution: + Chrome
+ Internet Explorer
+ Edge
+ Safari
+ Firefox

Q85: True or False: The Recent Activity module creates a deleted file entry in the location where a file in the Recycle Bin originally existed
Solution: True

Q86: True or False: Web Form Autofill data extracts name and value pairs that are entered into web forms
Solution: True

Q87: What open source tool does Autopsy rely upon to perform analysis of Registry Hives?
Solution: RegRipper

Q88: What are some attributes of connected USB devices that can be extracted using RegRipper?
Solution: + Device Model
+ Device Make
+ Device ID

Q89: True or False: You can access the raw RegRipper output in the Reports part of the tree.
Solution: True

Q90: How many web bookmarks are listed?
Solution: Five (5)

Q91: What URL is a suspicious bookmark given the dognapping?
Solution: ransomizer.com

Q92: What month and year are the cookies associated with the domain “youtube.com” from?
Solution: November 2019

Q93: What is the Value associated with the Name “identifier” under Web Form Autofill?
Solution: antirenzik@gmail.com

Q94: Under "Web History", what is the day associated with the Google Search "how to treat a dog bite"?
Solution: November 12, 2019

Q95: Under "Web History", what day is associated with the Google Search "how to make a ransom note"?
Solution: November 5, 2019

Q96: Under "Web History", what is the date (in YYYY-MM-DD format) associated with the Google Search "hostage negotiation tactics"?
Solution: 2019-11-05

Q97: What was likely original name of the file "$RFC5YC5.txt", that is currently located in the Recycle Bin?
Solution: VCPW.txt

Q98: Under Accounts, what is the username associated with the Twitter account found on the device?
Solution: AntiRenzik

Q99: True or False: A text index is an organized collection of words and the files that contain them.
Solution: True

Q100: Autopsy uses what open source search enginge for text indexing?
Solution: Apache Solr

Q101: Due to shortcomings by a majority of widely available extraction tools, Basis Technology wrote a custom text extractor for what data type in order to process things such as comments and Javascript?
Solution: HTML

Q102: True or False: The more encodings and languages that you add for strings extraction, the less false positives that you get
Solution: False

Q103: True or False: Autopsy will normalize text within the index to make all searches case insensitive
Solution: True

Q104: Once you have a text index, you can perform all of the following types of searches:
Solution: + Exact matches
+ Substrings
+ Regular expressions

Q105: True or False: Substring match is the default text match search within Autopsy
Solution: False

Q106: When viewing an individual file that contains a keyword search hit, that keyword is ...
Solution: Highlighted

Q107: True or False: Keyword lists can be exported and imported.
Solution: True

Q108: There are references to a document with renzik. What is the name of the file?
Solution: in order to ensure that renzik is treated properly.docx

Q109: How many hits are there for “Renzik” in NTUSER.DAT?
Solution: Ten (10) - (Four (4) on one page, Six (6) on another)

Q110: What type(s) of data from past cases are stored in the Central Repository?
Solution: + MD5 hash values
+ Wifi SSID

Q111: True or False: There is one row in the Central Repository for every instance of a property
Solution: True

Q112: True or False: USB devices will never be flagged if they were previously seen
Solution: False

Q113: True or False: The correlation engine module extracts and calculates data, such as hash values
Solution: False

Q114: The Correlation Engine module has two basic features, which are
Solution: Query Central Repository, to see if items in current case were previously seen, and adding data to Central Repository

Q115: True or False: The Correlation engine module can be configured to generate alerts based on the existence of previously seen data.
Solution: True

Q116: True or False: The Correlation Engine module does not rely on other modules obtain data that is inserted into the Central Repository
Solution: False

Q117: What was the created date (in YYYY-MM-DD format) of the file "IMG_20191024_155744.jpg" on the media card?
Solution: 2019-10-24

Q118: How many total .jpg files are in the folder where the interesting file is located on the media card?
Solution: Five (5)

Q119: Was the file "IMG_20191024_155744.jpg" seen in any other folders/and or directories on the hard drive? If so, what was the name of the other file(s)?
Solution: Yes, "f_00022e"

Q120: What types of data are currently able to be extracted and parsed from an Android device?
Solution: + Call Logs
+ WhatsApp

Q121: True or False: Android Analyzer only parses data from native Android applications. It cannot parse any third party Android applications
Solution: False

Q122: True or False: Autopsy cannot acquire data directly from an Android device
Solution: True

Q123: What types of artifacts can be created by the Android Analyzer?
Solution: + Messages
+ GPS Points

Q124: Select the three main areas of the layout of the timeline interface.
Solution: + Filters
+ Events
+ Files and Content

Q125: True or False: The timeline feature allows an analyst to view a graphical representation of time based events that occurred on a system
Solution: True

Q126: True or False: The timeline interface extracts data does not rely on other modules to extract time stamps
Solution: False

Q127: What are the three "Views" that an analyst can choose from to display timeline data?
Solution: + Counts
+ Details
+ List

Q128: True or False: The default scale of the "counts" view is linear.
Solution: False

Q129: True or False: In the Details View, you "Expand" a cluster to see more details.
Solution: True

Q130: An analyst can ______ clusters to bring them to the top of the Details view.
Solution: Pin

Q131: In the List View, the letter "A" under Event Type stands for ________?
Solution: Last Accessed

Q132: In the List View, the letter "B" under Event Type stands for ________?
Solution: Born Date

Q133: The "Law Enforcement Bundle", a free add-on provided by Basis Technology, provides access to which of the following databases?
Solution: + C4ALL
+ Project Vic

Q134: Image Gallery folders are prioritized based on ________
Solution: Density of hash hits and number of images in folder

Q135: True or False: A purple dashed line around an image indicates that it was taken with an iPhone
Solution: False

Q136: True or False: The Image Gallery provides an infinite scroll bar of thumbnails
Solution: False

Q137: What is the name of the button that will take an analyst to the next group of Image Gallery photos?
Solution: Next Unseen group

Q138: True or False: The C4ALL database with MD5 hashes are provided by Basis Technology
Solution: False

Q139: How can Autopsy integrate with Project Vic?
Solution: By importing hash values into hash sets named based on their categories.

Q140: True or False: Accounts in Autopsy have both a "type" and a unique "identifier"
Solution: True

Q141: True or False: The Communications Interface is oriented around data types, and not accounts
Solution: False

Q142: A special account that is created by Autopsy for a data source when it doesn't know what account was used is called a _______ account
Solution: Device

Q143: What are two modules that the Communications Interface relies upon to extract communication-related data?
Solution: + Android Analyzer
+ Email

Q144: Which of the following are Account Types that can be identified within the Communications Interface within Autopsy?
Solution: + Phone
+ Website
+ Facebook
+ Twitter
+ Email

Q145: True or False: By default, accounts are sorted by the number of relationships they have in the case.
Solution: True

Q146: True or False: Tagging allows a user to reference a file or object to easily find it later
Solution: True

Q147: Which of the following choices can be the name of a tag within Autopsy?
Solution: + Brian Carrier
+ Suspicious
+ Encryption
+ Kubernetes
+ Blockchain

Q148: True or False: When viewing a result (aka a Blackboard Artifact) you have the choice to tag either the result or its source file
Solution: True

Q149: True or False: You can tag an image, but you cannot tag a specific region of an image
Solution: False

Q150: True or False: In a multi-user environment, tags are associated with the examiner who made them
Solution: True

Q151: Which of the following are valid comments that can be saved along with a Tag?
Solution: + Spy plane
+ Tornado
+ Shield
+ Arc Reactor

Q152: What is the name of the button that an analyst clicks within Autopsy to begin the report generation process?
Solution: Generate Report

Q153: What are some benefits of a Portable Case?
Solution: + Self contained and all relevant files are located in the case folder
+ Can be shared with another user for review or assistance
+ Decrease the overall size of data to review

Q154: True or False: When creating an HTML Result report within Autopsy, an analyst cannot change the default image with their own agency/corporate logo
Solution: False

Q155: When generating a KML report, what items can be contained within the final KML report?
Solution: + Thumbnails of EXIF images
+ EXIF artifacts
+ GPS Route
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)