Sunday, December 13, 2020

Autopsy and Cyber Triage DFIR Training | Cases and Data Sources Part 3

Quiz

QUESTION 1 OF 10

True or False: In a multi-user cluster, all examiners need to have access to the case directory at the same path (e.g. \\server\cases\ or Z:\Cases)

Choose only ONE best answer.

A

True

B

False

This answer is correct.

QUESTION 2 OF 10

Autopsy is able to ingest the following data sources directly:

Choose ALL answers that apply.

A

Disk Image or VM file

B

Pieces of paper

C

Logical files

D

Scratched hard drive platters

This answer is correct.


QUESTION 3 OF 10

True or False: When adding a data source to Autopsy, in-depth analysis of the data is performed automatically

Choose only ONE best answer.

A

True

B

False

This answer is correct.


QUESTION 4 OF 10

True or False: The Autopsy case database stores a full copy of every single file contained within a data source

Choose only ONE best answer.

A

True

B

False

This answer is correct.


QUESTION 5 OF 10

Autopsy supports many volume systems, including:

Choose ALL answers that apply.

A

DOS

B

BSD

C

RSVP

D

YAJBFS3

E

GPT

This answer is correct.


QUESTION 6 OF 10

Autopsy supports many file system formats, including:

Choose ALL answers that apply.

A

FAT32

B

YAFFS2

C

HFS+

D

Ext4

E

NTFS

This answer is correct.


QUESTION 7 OF 10

Orphan files in Autopsy are stored under the $OrphanFiles folder. What is an orphan file?

Choose only ONE best answer.

A

A deleted file that no longer has a parent folder.

B

An allocated, but corrupt file

This answer is correct.


QUESTION 8 OF 10

What types of disk images are currently NOT NATIVELY SUPPORTED by Autopsy?

Choose ALL answers that apply.

A

SUPER DUPER EXTREME RAID

B

Bitlocker

C

RAID

D

KUBEKLUSTER

This answer is correct.


QUESTION 9 OF 10

True or False: When adding "Local Files and Folders" to a case in Autopsy, file times are added to the database

Choose only ONE best answer.

A

True

B

False

This answer is correct.


QUESTION 10 OF 10

True or False: When adding an E01 file to a case within Autopsy, the E01 file is automatically validated upon import

Choose only ONE best answer.

A

True

B

False

This answer is correct.


Lab Steps


Before we begin the lab, make sure you have downloaded the images that were listed back in Section 1. If you want to confirm that the downloads are not corrupted, these are the MD5 values of the files:

  • MD5 (device1_laptop.e01) = dc176d653c5613e305e831525e874090
  • MD5 (device2_mediacard.e01) = c8343d3976eec2985e7580a2b6321591
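The check above is worth scripting rather than eyeballing two 32-character strings. The following is an added example, not part of the course material: it streams each image through MD5 in chunks (an E01 can be many gigabytes, so the file is never read into memory whole) and compares the result against the values published above. The image directory and the `hello.bin` test file are assumptions for illustration. Note that MD5 is adequate as a transfer-integrity check against a published value, but it is not collision resistant, so a matching MD5 alone is not proof of authenticity.

```python
"""Added example (not from the course): verify the downloaded course images
against the MD5 values published in the lab text before building the case."""
import hashlib
import os
import sys

# Hashes published in the lab text for the two course images.
EXPECTED_MD5 = {
    "device1_laptop.e01": "dc176d653c5613e305e831525e874090",
    "device2_mediacard.e01": "c8343d3976eec2985e7580a2b6321591",
}


def md5_of_file(path, chunk_size=1024 * 1024):
    """Hex MD5 of a file, read in chunks so large E01 images are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(directory, expected=EXPECTED_MD5):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every expected image.

    The comparison is case-insensitive because hash tools differ in the case
    they print; a missing file is reported separately from a bad hash so a
    typo in the path is not mistaken for corruption."""
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if md5_of_file(path) == want.lower() else "mismatch"
    return results


if __name__ == "__main__":
    # Usage: python verify_images.py [directory-containing-the-e01-files]
    image_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in verify_images(image_dir).items():
        print("%-9s %s" % (status.upper(), name))
```

Run it from (or point it at) the directory holding the two E01 files; anything other than two OK lines means you should download the image again before adding it to a case.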

We will now begin the analysis of the hard drive that was found in the dognapper's car. At this point in the scenario, we have not searched the house yet and therefore will not have access to the media card device, so make sure you do not add that yet.

1.     Launch Autopsy.

2.     Choose “Create New Case”.

3.     Make a case with the following information:

       a.  Case Name: case1
       b.  Base Directory: C:\ (or wherever you would like to store the case)
       c.  Skip case number and examiner

4.     Add the device1_laptop.e01 image as the data source.
       ***** NOTE: Do NOT add device2_mediacard.e01 yet *****

5.     Deselect ALL ingest modules.
       As a reminder, this is not what you would typically do, but we are doing it this way for the course.

6.     Finish adding the image.

7.     Open the “Data Sources” part of the left-hand tree (we will cover this tree more in the next section).

       a.  Question: How many volumes does the disk image have?
       b.  Question: What is the name of the unallocated space file in vol1?
       c.  Question: Right-click on vol7 and choose “File System Details”. What file system is in vol7?

8.     In Windows, open “C:\case1” in a file explorer and observe its contents.

       a.  Question: What is the database called?
       b.  Question: Roughly how big is the database (in megabytes)?
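The questions in steps 7 and 8 can also be answered from the case directory itself, which is a useful habit: the database Autopsy writes there is a plain SQLite file and holds the volume, file system and unallocated-space records the tree view is drawn from. The script below is an added example, not part of the course or of Autopsy; it assumes the database is `autopsy.db` in the case directory (as the lab says), that the table and column names `tsk_objects`, `tsk_vs_parts`, `tsk_fs_info` and `tsk_files` follow The Sleuth Kit database schema as the author of this example understands it (confirm on your copy with `sqlite3 autopsy.db .schema`), and that the `fs_type` values in `FS_TYPES` are the TSK constants for NTFS and FAT; anything else is reported as a raw value. It opens the database read-only and is meant to be pointed at a copy, never at a case Autopsy currently has open.

```python
"""Added example (not from the course or Autopsy): answer the lab's
case-inspection questions straight from the case database.

Assumed, and worth verifying on your own autopsy.db: table/column names follow
the Sleuth Kit schema; FS_TYPES covers only NTFS and FAT fs_type values."""
import os
import sqlite3
import sys
from pathlib import Path

# Partial TSK_FS_TYPE_ENUM mapping (assumed from tsk_fs.h); extend as you verify values.
FS_TYPES = {0x01: "NTFS", 0x02: "FAT12", 0x04: "FAT16", 0x08: "FAT32"}

# tsk_files.type value (TSK_DB_FILES_TYPE_ENUM) that marks unallocated-space files.
UNALLOC_BLOCKS = 4


def fs_type_name(value):
    return FS_TYPES.get(value, "unknown (0x%x)" % value)


def _enclosing_volume(parent_of, volume_ids, obj_id):
    """Walk the tsk_objects parent chain upwards until a volume object is reached.

    Unallocated files may sit directly under a volume or under a $Unalloc
    virtual directory inside a file system, so one fixed parent lookup is not enough."""
    while obj_id is not None:
        if obj_id in volume_ids:
            return obj_id
        obj_id = parent_of.get(obj_id)
    return None


def case_summary(case_dir):
    """Summarise the volumes, file systems and unallocated-space files of one case."""
    db_path = os.path.join(case_dir, "autopsy.db")
    size_mb = os.path.getsize(db_path) / (1024 * 1024)
    # Read-only URI so this script can never modify the case database.
    uri = Path(os.path.abspath(db_path)).as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        parent_of = dict(con.execute("SELECT obj_id, par_obj_id FROM tsk_objects"))
        volumes = [
            {"obj_id": r[0], "addr": r[1], "start": r[2], "length": r[3], "desc": r[4]}
            for r in con.execute(
                'SELECT obj_id, addr, start, length, "desc" FROM tsk_vs_parts ORDER BY addr')
        ]
        volume_ids = {v["obj_id"] for v in volumes}
        file_systems = [
            {"obj_id": r[0], "img_offset": r[1], "fs_type": fs_type_name(r[2]),
             "volume": _enclosing_volume(parent_of, volume_ids, r[0])}
            for r in con.execute(
                "SELECT obj_id, img_offset, fs_type FROM tsk_fs_info ORDER BY img_offset")
        ]
        unalloc = [
            {"obj_id": r[0], "name": r[1], "size": r[2],
             "volume": _enclosing_volume(parent_of, volume_ids, r[0])}
            for r in con.execute(
                "SELECT obj_id, name, size FROM tsk_files WHERE type = ? ORDER BY obj_id",
                (UNALLOC_BLOCKS,))
        ]
    finally:
        con.close()
    return {
        "db_name": os.path.basename(db_path),
        "db_size_mb": round(size_mb, 2),
        "volume_count": len(volumes),
        "volumes": volumes,
        "file_systems": file_systems,
        "unallocated_files": unalloc,
    }


def file_system_of_volume(summary, addr):
    """File system on the volume Autopsy labels vol<addr>, or None if it has none."""
    for vol in summary["volumes"]:
        if vol["addr"] == addr:
            for fs in summary["file_systems"]:
                if fs["volume"] == vol["obj_id"]:
                    return fs["fs_type"]
    return None


def unallocated_files_of_volume(summary, addr):
    """Names of the unallocated-space files that belong to vol<addr>."""
    ids = {v["obj_id"] for v in summary["volumes"] if v["addr"] == addr}
    return [u["name"] for u in summary["unallocated_files"] if u["volume"] in ids]


if __name__ == "__main__":
    # Usage: python case_summary.py [case-directory]   (defaults to the lab's C:\case1)
    s = case_summary(sys.argv[1] if len(sys.argv) > 1 else r"C:\case1")
    print("database: %s (%.2f MB)" % (s["db_name"], s["db_size_mb"]))
    print("volumes:  %d" % s["volume_count"])
    for v in s["volumes"]:
        print("  vol%d start=%d length=%d %s fs=%s unalloc=%s" % (
            v["addr"], v["start"], v["length"], v["desc"],
            file_system_of_volume(s, v["addr"]), unallocated_files_of_volume(s, v["addr"])))
```

The `vol<N>` labels in the Autopsy tree are the partition address (`addr`) from the volume system, which is why the lookups above key on that column rather than on row order.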


Lab Quiz

QUESTION 1 OF 5

How many volumes does the disk image have?

Choose only ONE best answer.

A

1

B

3

C

6

D

9

This answer is correct.


QUESTION 2 OF 5

What is the name of the unallocated space file in vol1?

Choose only ONE best answer.

A

Volume1_Unallocated_Space.dat

B

Unalloc_3_0_1048576

C

Vol1 doesn't have unallocated space

This answer is correct.


QUESTION 3 OF 5

What file system is in vol7?

Choose only ONE best answer.

A

NTFS

B

FAT

C

YAFFS2

This answer is correct.


QUESTION 4 OF 5

What is the database called?

Choose only ONE best answer.

A

device1_laptop.db

B

database.db

C

autopsy.db

This answer is correct.



QUESTION 5 OF 5

Roughly how big is the case database (in megabytes)?

Choose only ONE best answer.

A

1MB

B

50MB

C

250MB

D

1GB

This answer is correct.


Sponsored by Cyber Triage


Cyber Triage is fast and affordable DFIR software any organization can use for endpoint visibility. Built by Brian Carrier’s team at Basis Technology, Cyber Triage is agentless and integrates with threat intelligence to automatically collect and analyze endpoint data. 


Basis Technology and Cyber Triage are providing this free Autopsy training. 
