Autopsy and Cyber Triage DFIR Training||Central Repository - Correlation Engine 10
Renaming
Since these videos were made, we renamed the "Correlation Engine" module to the "Central Repository" module because it now does much more than just correlation.
We have not remade the videos yet, though. So, please use the "Central Repository" module whenever you see references to "Correlation Engine".
Quiz
QUESTION 1 OF 7
What type(s) of data from past cases are stored in the Central Repository?
Choose ALL answers that apply.
A. MD5 hash values
B. Wifi SSID
C. Details of disk image formats
D. Binary data
This answer is incorrect.
QUESTION 2 OF 7
True or False: There is one row in the Central Repository for every instance of a property.
Choose only ONE best answer.
A. True
B. False
This answer is correct.
QUESTION 3 OF 7
True or False: USB devices will never be flagged if they were previously seen.
Choose only ONE best answer.
A. True
B. False
This answer is incorrect.
QUESTION 4 OF 7
True or False: The Correlation Engine module extracts and calculates data, such as hash values.
Choose only ONE best answer.
A. True
B. False
This answer is incorrect.
QUESTION 5 OF 7
The Correlation Engine module has two basic features, which are:
Choose only ONE best answer.
A. Calculates the hash of all of the Central Repository data
B. Compresses files and checks whether there was a previous file with the same size
C. Queries the Central Repository to see if items in the current case were previously seen, and adds data to the Central Repository
D. Uses Google Analytics to find outlier data
This answer is incorrect.
QUESTION 6 OF 7
True or False: The Correlation Engine module can be configured to generate alerts based on the existence of previously seen data.
Choose only ONE best answer.
A. True
B. False
This answer is correct.
QUESTION 7 OF 7
True or False: The Correlation Engine module does not rely on other modules to obtain the data that is inserted into the Central Repository.
Choose only ONE best answer.
A. True
B. False
This answer is incorrect.
Lab Steps
At this point in the scenario, the police have searched the house and, with the help of Siri the electronic sniffing K9, found a media card. We will add that to our case and find some correlations.
1. Add device2_mediacard.e01 as a new data source. (NOTE: We already added the device1_laptop.e01 data source to the Central Repository during the Hash Lookup Lab.)
2. Right-click on device2_mediacard.e01 and run Ingest Modules, with the following enabled:
   1. Hash Lookup
   2. Exif Parser
   3. Central Repository
3. Question: Was an Interesting Item created because a file on the media card was previously marked as notable?
4. Question: The picture on the laptop had a created date of 2019-11-01. What is the created date (in YYYY-MM-DD format) on the media card?
5. Question: How many total .jpg files are in the same folder as the Notable file?
6. Question: Look at the Other Occurrences tab for that file to see if it showed up anywhere else in this case under a different name. If it did, what is the other name?
Lab Quiz
QUESTION 1 OF 4
Was an Interesting Item created because a file on the media card was previously marked as notable?
Choose only ONE best answer.
A. Yes
B. No
This answer is correct.
QUESTION 2 OF 4
What was the created date (in YYYY-MM-DD format) of the file "IMG_20191024_155744.jpg" on the media card?
Choose only ONE best answer.
A. 2019-10-15
B. 2019-10-20
C. 2019-10-21
D. 2019-10-24
This answer is incorrect.
QUESTION 3 OF 4
How many total .jpg files are in the folder where the interesting file is located on the media card?
Choose only ONE best answer.
A. Five (5)
B. Ten (10)
C. Fifteen (15)
D. Twenty (20)
This answer is correct.
QUESTION 4 OF 4
Was the file "IMG_20191024_155744.jpg" seen in any other folders and/or directories on the hard drive? If so, what was the name of the other file(s)?
Choose only ONE best answer.
A. No
B. Yes, "f_123456"
C. Yes, "f_00022e"
D. Yes, "Important.txt"
This answer is incorrect.