
Question


Use Autopsy to solve the following forensic problem while you screenshot steps for a better understanding. Add commentary where necessary.
Windows Investigation with Autopsy
Instructions
Create a lab report that includes the answers and screen shots requested below. Be sure to number your responses and label them clearly. While you are finding answers to the questions below make sure to Tag the relevant items. There are two kinds of tags, Result tags and File tags. Make sure to use the appropriate tag for the data you are interested in.

1. Create a new case using Autopsy.
   1. Add the CBARROW evidence file to the case
   2. You can uncheck the following ingest modules: Android Analyzer, PhotoRec Carve, Process Unallocated Space
   3. On the Hash Lookup ingest module make sure to check the option to calculate MD5 hash values
   4. Once the options are configured add the evidence to the case and let Autopsy finish processing.
2. Answer the following questions about the disk image:
   1. What version of Windows is this?
   2. What is the install date and time of the system?
   3. Who is the owner of the system?
   4. What human useable user accounts exist?
   5. What version of WinZip is installed?
   6. Have any USB drives been used with this system? Provide a manufacturer if so.
3. Create a new Hash Database under the Tools > Options menu.
   1. Click the Create Database button in the dialog.
   2. Name the hash set SuspiciousImages and save the database in your Week7 folder.
   3. The type should be Known Bad and check the box to send messages.
4. In some cases you may receive hashes as part of some IoCs and you would add them directly to the case. Here we are going to build our own simulated IoC hashes by adding some hashes to our SuspiciousImages hash set.
   1. Using the tree pane on the left side of Autopsy expand the Data Sources item.
   2. Expand the tree to find the My Pictures folder of the user Clyde.
   3. Add all of the images with the yellow evidence banner into the SuspiciousImages hash set.
5. Once you have built the complete hash set we are going to rerun the hash ingest module to determine if there are any other suspicious images.
   1. Locate the CBARROW.E01 item under the Data Sources item in the tree view.
   2. Right click the E01 and choose the Run ingest modules option.
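
The idea behind steps 3 to 5 (seed a Known Bad hash set from tagged files, then re-hash everything to find other copies) can be sketched outside Autopsy. This is an added illustration, not part of the lab and not Autopsy's own code; the function names, folder layout and file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of(path, chunk=1 << 20):
    """MD5 of a file's content, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_hash_set(seed_files):
    """Known-bad set: MD5 digest -> name of the seed file it came from."""
    return {md5_of(p): Path(p).name for p in seed_files}

def find_known_bad(root, hash_set, skip=()):
    """Hash every file under root and report those whose MD5 is in the set.
    The seed files are skipped here so only *other* copies are listed."""
    skipped = {Path(p).resolve() for p in skip}
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.resolve() not in skipped:
            digest = md5_of(p)
            if digest in hash_set:
                hits.append((p.name, digest, hash_set[digest]))
    return hits

def demo():
    """Constructed sample tree standing in for the mounted image."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        pics = root / "Clyde" / "My Pictures"
        docs = root / "Clyde" / "My Documents"
        pics.mkdir(parents=True)
        docs.mkdir(parents=True)
        (pics / "tagged1.jpg").write_bytes(b"constructed image bytes A")
        (pics / "tagged2.jpg").write_bytes(b"constructed image bytes B")
        # Same content as tagged1.jpg under a different name and extension
        (docs / "notes.txt").write_bytes(b"constructed image bytes A")
        (docs / "budget.xls").write_bytes(b"unrelated constructed content")
        seeds = [pics / "tagged1.jpg", pics / "tagged2.jpg"]
        return find_known_bad(root, build_hash_set(seeds), skip=seeds)

if __name__ == "__main__":
    for name, digest, seed in demo():
        print(f"{name}  md5={digest}  matches seed {seed}")
```

Matching is on content only, so a renamed or re-extensioned copy is still flagged, while any change to the bytes (cropping, re-saving) produces a different MD5 and no match.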
