Axiom Exam Study Guide Questions with Verified Answers., Exams of Computer Science

Typology: Exams

2023/2024

Available from 08/31/2024

Prudent.

Axiom Exam Study Guide Questions with Verified Answers.

When setting up a new case in Magnet AXIOM Process, can you specify separate locations for the case files and the evidence files? - Correct Answer Yes

Which types of devices can be imaged using Magnet AXIOM Process? - Correct Answer Hard Drives, Thumb Drives, iOS Phones, Android phones

Is it possible to only scan Volume Shadow Copies from a drive? - Correct Answer Yes

Which option should be used when loading in data from an iOS or Android device? - Correct Answer Mobile

Can Magnet AXIOM Process filter files via hash values? - Correct Answer Yes

What are the two main programs of the AXIOM forensics suite? - Correct Answer Examine & Process

AXIOM will run natively on a Mac computer. - Correct Answer False

AXIOM Process and AXIOM Examine both can be run through a virtual machine. - Correct Answer True

What are the three distinct steps of the forensic process? - Correct Answer Acquisition or Extraction, Processing, Analysis

You are working a case and want to know if AXIOM supports extracting artifacts from the app Yik Yak. What documentation can you view to determine if Yik Yak is supported? - Correct Answer Artifact reference

What three licensing options are available for the user to license Magnet Forensics AXIOM? - Correct Answer License Key, Network Server, Axiom USB

AXIOM Process allows the user to set up the data for Acquisition (imaging) and Processing in the same single step. - Correct Answer True

When setting up an item of evidence for processing, what two options are available? - Correct Answer Load Evidence, Acquire Evidence

During setup for processing, the user can specify the Search Type to be conducted on an item of digital evidence. - Correct Answer True

You can specify that keyword searches be run against either Artifacts or All Content. - Correct Answer True

You suspect that a user has an encrypted mobile backup on their computer. You have a list of ten possible passwords. How should you configure the options for processing the computer to ensure that you get the information from the backups? - Correct Answer Check "Search Mobile Backups" and then enter each password that you have in the Mobile Backup Passwords box.

When using Magnet.AI to categorize chats, the AI analysis is based on individual messages and not on the entire chat conversation. - Correct Answer False

The app Club Penguin is found on a suspect's phone. Through research, you determine that AXIOM does not support the app and that the app stores information in a SQLite database. What option can you select during processing to seek out the Club Penguin database? - Correct Answer Dynamic App Finder

It is possible to add evidence to a case that has already been processed. - Correct Answer True

If the option "Automatically Build Connections" is checked, connections will automatically be built during the first processing of the case but will NOT be built if any additional evidence is added to the case. - Correct Answer False

When in File System view, is it possible to view all sub-folders of the main folder that you have clicked on? - Correct Answer Yes

From the Case Dashboard, you chose the option "Categorize pictures with Magnet.AI." Which of the following options are available for categorization? - Correct Answer All pictures

Which two hash formats does AXIOM use? - Correct Answer MD5, SHA

You want to create a full image of a hard drive. Which two image formats are available in AXIOM? - Correct Answer .E01 and .RAW

Since there are substantial differences between computer, mobile, and cloud artifacts, separate AXIOM cases must be created for each type of evidence. - Correct Answer False

Which type of scan is the slowest? - Correct Answer Sector Level Scan

During imaging, is it possible to break the image file created into segments? - Correct Answer Yes

When processing a case, you enable the option to Remove Duplicates. An identical picture file is located in /Downloads and in /Documents/Pictures. Since processing removed duplicates, only one of these files will be available to view in AXIOM Examine. - Correct Answer False

When setting up Keyword Search Types for All Content, the user can specify the Encoding used for each keyword list. - Correct Answer True

You process a case and begin reviewing the results. Upon doing so, you notice that when you added the evidence, you entered the wrong Scan Information. Is it possible to edit this information now that processing has completed? - Correct Answer False

You conduct a keyword search for All Content and there are hits located in unallocated space that have no associated artifact. Where will these results be displayed? - Correct Answer Keyword Snippets

Which of the following is not a method of compression used for .E01 images in AXIOM Process? - Correct Answer Least

Which file would contain information indicating that a USB device was successfully installed on a computer? config.sys, index.dat, thumbs.db, setupapi.dev.log - Correct Answer setupapi.dev.log

What can be interpreted from the following line from an Internet history? http://www.google.com/index.html&q=emperor+penguin. - Correct Answer A search was conducted for "Emperor Penguin" using the search engine Google.

From a Windows Prefetch file, it is possible to determine when a program was run. - Correct Answer True

Which of the following locations would NOT contain information related to external devices connected to a computer? USBSTOR in the Windows registry; SAM in the Windows registry; NTUSER.DAT file in the Windows registry; setupapi.dev.log - Correct Answer SAM

What are the registry hives? - Correct Answer

Which of the following can be listed as paths in a .LNK file? A local path such as C:\Program Files\Office\winword.exe; a network path such as \\SERVER1\APPS\money.exe; a path to an external device, such as F:/MyPenguin.jpg; All of the above - Correct Answer All of the above

Each user account on a computer has an associated NTUSER.DAT file. - Correct Answer True

Which of the following items of information can be stored in a .LNK file? - Correct Answer The full path to the target file; The volume label; Dates and times of the target file

Prefetch files tend to slow down the performance of a computer since the files are loaded prior to the associated application being run. - Correct Answer False

Which type of file on a Windows computer can show when a specific file was opened and what application was used to open it? - Correct Answer Jump List

Which type of file on a Windows computer keeps track of folder views, sizes, and positions when viewed through Windows Explorer? - Correct Answer Shellbag

When examining Operating System artifacts, there are frequently duplicate artifacts. Why is this? - Correct Answer This is due to the fact that the registry automatically backs itself up and saves a copy to \Windows\System32\Config\RegBak.

What is the Windows Registry? - Correct Answer A hierarchical database that stores configuration information.

The first four bytes in the Data field for a drive letter entry in Mounted Devices are referred to as "drive signature" or "drive identifier" and look similar to this: 25 30 83 F4. Where is information on Mounted Devices located? - Correct Answer Offset 440 of the MBR

Where is the Master Boot Record (MBR) located? - Correct Answer Offset 0 of unpartitioned space.

The Master Partition Table (MPT) begins with hex code indicating what type of partition it is. If the partition is the bootable partition, what hex code does the MPT begin with? - Correct Answer 80

The Installed/Updated Date/Time under Operating System Information refers to the original install date of Windows. - Correct Answer False

Since USB thumb drives are not a permanent part of the hardware for a computer system, they do not contain Volume Serial Numbers. - Correct Answer False

What is the functionality of MountPoints2? - Correct Answer Keeps track of USB devices that are associated with individual users.

What naming scheme is used for entries in UserAssist? - Correct Answer ROT

LNK files can be created by a user or automatically created by the operating system. - Correct Answer True

Which of the following is NOT tracked by System Resource Usage Monitor (SRUM)? - Correct Answer Login Time Usage

When in File System Explorer or Registry Explorer, it is possible to display HEX code as an artifact by highlighting the code and selecting "Display as Artifact." - Correct Answer True

The category Web Related is typically one of the largest categories in AXIOM. - Correct Answer True

Much of the content of the Refined Results artifact group is compiled from the results of browser activity. - Correct Answer True

Cookies can be used to determine if a user has visited a specific web site. - Correct Answer False

What is the purpose of the service Google Analytics? A. Google Analytics collects information to be used in troubleshooting, such as user IP address. B. Google Analytics is a means for websites to track visitor activity in a detailed manner. C. Google Analytics is a method that Google uses to determine the geolocation of a user. D. Google Analytics is used by Google Street View vehicles to analyze captured network traffic. - Correct Answer B

Google Analytics Referral Cookies indicate how a user navigated to a particular web site. What are the three different methods Referral Cookies track? A. Direct -- The address was typed into the address bar. B. Home -- The URL is set up as the user's home page. C. Organic -- The user clicked on a link from a search engine. D. Referral -- The user clicked on a link on a web site other than a search engine. - Correct Answer Direct, Organic, Referral

Google Chrome Downloads maintains information indicating if a user has opened a downloaded file. - Correct Answer True

What is the purpose of Session Recovery for web browsers? A. Automatically logs in the user when they start their web browser. B. Sorts the daily browser session history. C. Enables users to move from device-to-device while keeping the same browsing session. D. Provides a means for a browser to return to the last pages or tabs open in the event of a crash or sudden power loss. - Correct Answer D

In order for Session Recovery to be populated for a web browser, there has to be a browser crash. - Correct Answer False

What keyword search can you conduct to get a listing of files that the user opened by navigating to the file and double-clicking on it? A. file:/// B. opened:/// C. recent:/// D. browse:/// - Correct Answer A

When surfing the internet, no information is downloaded to the user's computer unless they specifically download it. - Correct Answer False

Which of the following would cause an entry to be created in the database that maintains Typed URLs? (Check all that apply) A. The user typed a URL B. The user copied a URL from a document and then pasted it into the address bar of the browser. C. The user cut a URL from a document and then pasted it into the address bar of the browser. D. The user clicked on a list of URLs from a page of search result - Correct Answer A,B,C

Google Chrome maintains information indicating how many times autofill data has been used or accessed for a form. - Correct Answer True

Search engine queries will normally include the search term itself embedded in the URL. - Correct Answer True

The artifact category Refined Results is used for the quick identification of relevant evidence. - Correct Answer True

A user is on Ebay and conducts a search for "hard drives." Which artifact category would this search be found in? A. Google Searches B. Ebay Searches C. Parsed Search Queries D. Web Browser Searches - Correct Answer C

Since there are billions of user names, a social media user name will not be displayed in the Identifiers artifact group. - Correct Answer False

You want to build a profile on a person. Which group(s) can you use to add identifying information to the profile? A. Classified URLs B. Identifiers C. Email D. Mobile - Correct Answer B

What resource lists the various artifacts searched by AXIOM and the meaning of the column values? A. Artifact reference B. User guide C. Terms of services D. Licensing guide - Correct Answer A

Given that the source of much of the Refined Results artifacts come from web browser activity, many results will appear in both Refined Results as well as Web Related. - Correct Answer True

What is the purpose of Source Linking? A. Verifies that the artifact came from the image source. B. Allows the examiner to go to the source of the artifact in File system or Registry view. C. Provides the source hash value of the artifact. D. Allows the examiner to link additional sources of evidence to the case. - Correct Answer B

AXIOM has a built in viewer to view SQLite database files. - Correct Answer True

What is the difference between the artifact categories Google Searches and Parsed Search Queries? A. Nothing. They both compile the same search results. B. Google Searches contains artifacts of completed searches. Parsed Search Queries contains artifacts of incomplete searches. C. Google Searches contains only artifacts of searches that were done on Google. Parsed Search Queries contains artifacts of searches that were done on sites other than Google. D. Google searches contains artifacts of searches that were done when a user was logged into Google. Parsed Search Queries contains artifacts of searches that were done when the user was not logged in. - Correct Answer C

Which artifact category in Refined Results would compile sites such as Amazon, Ebay, and Craigslist? A. Classifieds URLs B. Shopping URLs C. Auction URLs D. Parsed URLs - Correct Answer A

Only one filter can be applied at a time in AXIOM Examine. - Correct Answer False

What artifact category would you expect to see results from the site Dropbox? A. Internet URLs B. Data Storage URLs C. Upload URLs D. Cloud Services URLs - Correct Answer D

In the artifact category Facebook URLs, it is possible to determine the specific activity occurring on Facebook. - Correct Answer True

Artifacts contained in the category Facebook URLs will also be contained in the category Social Media URLs. - Correct Answer False

What is the purpose of the Identifiers artifact group? A. It stores the identification of the owner of the digital device. B. It collects sources by which a person may be identified. C. It stores log in information for the digital device. D. It provides a listing of all artifact categories that have been identified in the case. - Correct Answer B

You are reviewing a Word document and see that application metadata indicates that the Last Author was Opus Penguin. Would this information also be contained in the Identifiers artifact category? A. Yes. The name Opus Penguin would be listed as an Identifier. B. No. Since the name Opus Penguin is listed only in metadata, it would not be listed as an Identifier. - Correct Answer A

Once you build a profile, you cannot add additional information to it. - Correct Answer False

You are in File System explorer and see a file that AXIOM did not create an artifact for. Is it possible to create an artifact from this file? A. Yes. An examiner can create an artifact from a file in File System explorer. This is done by right-clicking on the file and selecting, "Save file as artifact." B. No. All artifacts must be parsed and created by AXIOM. The examiner has no ability to create artifacts. - Correct Answer A

Social media sites other than Facebook will be compiled in which artifact category? A. Web Related > Social Networking B. Web Related > Internet Activity C. Refined Results > Social Media URLs D. Refined Results > All Internet - Correct Answer C

Tagging an artifact under the artifact category Facebook URLs or Social Media URLs will not automatically tag the artifact from the browser-specific category that it originated from. - Correct Answer True

What is the purpose of the Potential Activity column for the artifact category Facebook URLs? A. Attempts to determine the activity being conducted by the user. B. Provides a history of the user's login. C. Determines if the user is also using Facebook Messenger. D. Provides a listing of Facebook tracking cookies. - Correct Answer A

With the exception of Facebook, all other social media sites currently being used on the internet will be populated in the Social Media URLs artifact category. - Correct Answer False

AXIOM supports searching of only traditional email client artifacts (such as POP and IMAP protocols) but not web-based email (such as Gmail). - Correct Answer False

Which of the following will AXIOM parse from Microsoft Outlook? (check all that apply) A. Emails B. Contacts C. Appointments D. Notes - Correct Answer ALL

The PREVIEW card in the Details pane will render all emails that are in HTML format. - Correct Answer False

As emails travel from origin to destination, they go through a number of servers. Where can you locate information on the servers that an email has traveled through? A. Email body B. Email attachments C. Email headers D. Email HTML - Correct Answer C

Which of the following pieces of information would NOT be contained in an email header? A. IP address of the sender B. Password for the email client C. Email address of the sender D. Email address of the recipient - Correct Answer B

All recovered emails have full header information available, including the origin IP address for the email. - Correct Answer False

How can you view an email attachment in AXIOM? A. By clicking on the hyperlink in the PREVIEW pane. B. The PREVIEW pane will render all attachments making them viewable. C. By switching to Documents view. D. Attachments are not visible in AXIOM. - Correct Answer A

Which option would you use to export email messages from AXIOM? A. Save artifact to B. Create report / export C. Change encoding D. View connections - Correct Answer B

When conducting a keyword search against emails, the only thing that is searched is the body of the email. Other information, such as To, From, and Subject are not searched. - Correct Answer False

Since emails are parsed from a database, it is not possible to view emails in File System view, only Artifact view. - Correct Answer False

A keyword search conducted in the Documents artifact group will find a word within a PDF document. - Correct Answer True

When viewing a document, the Preview Card will display the document as it would appear in the original application that was used to create it. - Correct Answer True

Where is File System Metadata (created, accessed, modified dates/times) parsed from? A. $MFT B. $LOGFILE C. $VOLUME D. $BITMAP - Correct Answer A

A document file can contain either File System Metadata or Application Metadata, but not both. - Correct Answer False

Where is document metadata (Application Metadata) typically stored? A. $MFT B. .plist file C. .dat file D. Internally within the document. - Correct Answer D

How does AXIOM differentiate between different tabs of an Excel spreadsheet when viewing in the Preview pane? A. Tabs are separated by a dotted line and blue text. B. Tabs are separated by a solid line and red text. C. Tabs are separated by a dashed line and green text. D. All tabs are displayed as one sheet. - Correct Answer A

If you want to save a document out of the AXIOM case locally to your computer, which option do you use? A. Create report / export B. Save artifact to ... C. Copy file D. Create Portable Case - Correct Answer B

If you want to export a document's metadata to a report on your computer, which option do you use? A. Save artifact to ... B. Export Metadata C. Create report / export D. Compile Metadata - Correct Answer c

The following expression searches for an email address. What type of expression is this? [\w-]+(?:.[\w-]+)*@(?:[\w-]+.)+[a-zA-Z]{2,7} A. HEX Expression B. UNIX Expression C. Encoded Expression D. Regular Expression - Correct Answer D

In addition to the text of a document, a document's metadata is also searchable. - Correct Answer True

What functionality within AXIOM can be used to determine the Who, What, When, Where, Why, and How of a file? A. Connections View B. Registry View C. Histogram View D. File System View - Correct Answer A

Connections Explorer can be launched from which view in AXIOM Examine? A. Case Dashboard B. Artifact View C. File System View D. Registry View - Correct Answer B

When viewing an item in Connections Explorer, you must view all connections as there is no way to filter out any specific attributes. - Correct Answer False

Which is the default setting for building Connections in AXIOM? A. Connections are not built by default. This is a setting that must be enabled. B. Connections are built by default and connections will automatically be built on any new evidence added to a case. - Correct Answer A

At what percentage does the filmstrip view grab stills from a video file? A. Every 5% B. Every 10% C. Every 15% D. Every 20% - Correct Answer B

Magnet.AI can be used to identify which of the following picture categories? (check all that apply) A. Child Abuse B. Animals C. Money D. Weapons - Correct Answer ACD

You can adjust the size of thumbnails displayed in Thumbnail View. - Correct Answer True

AXIOM only recovers pictures from allocated space. The program cannot carve for pictures. - Correct Answer False

Which of the following are artifact categories under the MEDIA category? A. Pictures B. Videos C. Carved Picture D. Carved Video - Correct Answer A,B,D

If there is no File System Metadata available for a picture, what does this typically indicate? A. The picture was never saved. B. The picture was from web cache. C. The picture is not fully recovered. D. The picture was carved. - Correct Answer D

World Map view will display a map with drop pins for all pictures and videos that contain location metadata. - Correct Answer True

If you want to view videos in filmstrip view, which option should you enable in AXIOM Process? A. Save videos up to: B. Create a preview using still frames C. Carve videos up to: D. Detect skin tone - Correct Answer B

In order to play an entire movie file, you must first export the file to your computer. - Correct Answer False

Is it possible to run Magnet.AI for Picture Categorization after processing has been completed? - Correct Answer Yes

When running Magnet.AI for Picture Classification, you must classify all pictures contained in the case - Correct Answer False

Magnet.AI for Picture Classification automatically tags any pictures matching the classification criteria. - Correct Answer True

When using Picture Comparison, your comparison picture must be a picture in the case. It is not possible to import a picture as a reference picture. - Correct Answer False

After running Picture Comparison, what order are the results displayed in? A. Ordered by size, largest to smallest B. Ordered by size, smallest to largest C. Ranked order based on similarity to the comparison picture D. No order - Correct Answer C

What type of database is typically used by mobile devices and applications to store data on the device? A. SQLite Database B. Extensible Database C. Access Database D. DBase Database - Correct Answer A

Which .plist file associated with an iOS backup keeps a record of the device name and UDID (Unique Device Identifier)? A. Status.plist B. Manifest.plist C. Config.plist D. Info.plist - Correct Answer D

AXIOM Process can extract information from which types of devices? (Check all that apply) A. Android B. iOS C. Windows D. Flip Phones E. Kindle Fire - Correct Answer A,B,C,E

Since many of the techniques used by examiners for iOS exams rely on Apple's built in backup features, the forensic capabilities of each iOS version are consistent from version-to-version. - Correct Answer False

Which of the following is not an identifying value of an Apple device? A. IMEI (International Mobile Equipment Identity) B. Cellular telephone number. C. MEID (Mobile Equipment Identifier) D. Serial number assigned by Apple. E. UDID (Unique Device Identifier) - Correct Answer B

The UDID is unique to an Apple device and Apple maintains records for each device based on the UDID. - Correct Answer True

In which situation would an iOS device NOT pass the UDID into the registry of a Windows computer when attached? A. The device is locked. B. The device is not trusted. C. The device is not powered on. D. The device is trusted but not unlocked. - Correct Answer C

Which of the following is the format of an iOS UDID? A. 12a6 iPad 3 B. 574-234- C. 2C7D24D2346E0F4F8FE727EC0F3435AD22E1BF3C D. 12a8 iPhone5/5C/5S/6/6+/7 - Correct Answer C

The location of an iOS backup on a Windows computer depends on how iTunes was installed. - Correct Answer True

If an examiner knows that a computer contains an encrypted iOS backup, where in AXIOM Process is the examiner able to enter a password to decrypt and process the backup? A. Mobile Artifacts B. Mobile Backup Passwords C. Mobile Backup Decryption D. AXIOM will not process encrypted backups. - Correct Answer B

The passcode assigned to an iTunes backup is different from the passcode on the device and different from the iCloud password. - Correct Answer True

It is possible to reset an iTunes backup password with all versions of iOS. - Correct Answer False

All drivers needed to extract data from an iOS device are included with AXIOM. - Correct Answer False

You plug an iOS device into a computer but don't know the passcode when prompted to "Enter iPhone Passcode to Trust This Computer." How does this impact extraction of data from the device? A. You cannot extract data because a Pairing Certificate could not be established. B. You cannot extract data because the iTunes drivers could not be copied to the device. C. You can extract data. Once plugged in, the computer accesses the device. D. You can extract data. The passcode is only needed for encrypted backups. - Correct Answer A

When imaging an iOS device using AXIOM, when is the option Full Image available? A. It is available all the time. B. Only for devices running iOS 10.0 or older C. Only for devices older than iPhone 4 D. Only when the device is jailbroken. - Correct Answer D

There are jailbreaks available for all iOS versions and devices. - Correct Answer False

What are the two types of .plist files within the iOS file system? A. XML .plist files B. iOS .plist files C. UNIX .plist files D. Binary .plist files - Correct Answer A and D

There are no registry files in iOS like there are in Windows. - Correct Answer True

SQLite databases always have the file extension .sqlite. - Correct Answer False

During processing, AXIOM Process is not able to extract or process information from the Write Ahead Log (WAL) of a SQLite database. - Correct Answer False

What technology does SQLite version 3.7 use frequently to store data prior to the data being written to the main database? A. System Logs (SYSLOG) B. Temp Logs (TMP) C. Write-Ahead Logs (WAL) D. Roll-Ahead Logs (RAL) - Correct Answer C

iOS is the mobile operating system that is the most common worldwide and has the biggest market share. - Correct Answer False

On an iOS device, the majority of data comes from what directory in the file system? A. /data/user/applications B. /private/applications C. /private/var/mobile D. /data/library/content - Correct Answer C

What naming convention does Android use for their operating system versions? A. Large cats B. Sweet desserts C. National parks D. Colors - Correct Answer B

In order to conduct a quick extraction from an Android device, the device must have USB Debugging enabled. - Correct Answer True

On an Android device, user data and apps are stored in which directory? A. /userapps B. /system C. /cache D. /data - Correct Answer D

Similar to Apple owning all of the source code for iOS, Google owns all of the source code for Android. - Correct Answer False

For the Android operating system, who has a hand in the distribution of operating system updates? A. Manufacturers B. Carriers C. Manufacturers and Carriers D. None of the above - Correct Answer C

Which driver matters the most for an Android acquisition? A. ADB Driver B. iTunes Driver C. System Device Driver D. Windows Update Driver - Correct Answer A

Android ADB drivers are included with the installation of AXIOM. - Correct Answer True

What are the three parts of the Android Debug Bridge (ADB) server? A. Kernel B. Client C. Daemon D. Server - Correct Answer B C D

Can a Command Window be used for ADB access to a device? A. Yes B. No - Correct Answer D

In order for ADB protocol to work, what must be enabled on an Android device? A. Airplane Mode B. Stay Awake C. Verify Apps over USB D. Developer Options - Correct Answer A

How do you enable Developer Options on an Android device? A. Settings > Options B. Tap "Build Number" seven times C. Security > Unknown Sources D. Settings > Enable Developer Mode - Correct Answer B

Which of the following is NOT a configuration that must be done prior to conducting an acquisition on an Android device? A. Security > Allow Unknown Sources B. Developer Options > Enable USB Debugging C. Developer Options > Select Debug App D. Developer Options > Enable Stay Awake - Correct Answer C

What type of access is required in order to conduct a Full extraction on an Android device? A. Logical B. Root C. Supervisor D. Limited - Correct Answer B

In order to conduct a quick extraction from an Android device, an agent application (.APK) is required to be installed on the device to extract some of the information. - Correct Answer True

What option can a user select to remove the .APK that is installed on an Android device during a quick extraction? A. Restore Device State B. Remove Temporary Files C. Process Temporary Device State D. None. The .APK cannot be removed. - Correct Answer A

What are the two sets of data that are recovered when conducting a quick extraction on an Android device? A. Agent Data B. ADB Backup Data C. Root Data D. Mobile Data - Correct Answer A B

AXIOM Process can root Android phones running Android version 7.0 or below. - Correct Answer False

If AXIOM does root an Android phone during acquisition, the root is permanent. - Correct Answer False

Which partition on an Android device contains the majority of user data? A. /boot B. /system C. /recovery D. /data - Correct Answer D

What type of file does Android use to store configuration data? A. XML B. PLIST C. HTML D. BIN - Correct Answer A

Since AXIOM is proprietary software, it is not able to accept image files from other sources, such as Cellebrite and XRY. - Correct Answer False

What is the name of the Skype database which provided most of the client artifacts in AXIOM? - Correct Answer Main.db

In which Skype main.db database table is the field "body_xml" found? - Correct Answer Messages

The naming convention that is used for the sub folders in Chatsync is the first two characters of the *.dat file inside the subfolder. - Correct Answer True

What function can you use in AXIOM Process to identify database files of apps that are not supported by AXIOM? - Correct Answer Dynamic App Finder

Users can use AXIOM to create their own Custom Artifacts based on known database structures. - Correct Answer True

If you would like to view chat messages as a threaded conversation between participants, which view should you use? - Correct Answer Conversation View

When using Magnet.AI for Chat Categorization, any conversations that involve luring or sexually-related content will automatically be tagged during processing. - Correct Answer True

What is the purpose of Skype Chatsync Messages? - Correct Answer Synchronization of messages across multiple devices.

AXIOM Process is able to recover IP addresses from Skype chats. - Correct Answer True

What type of file is used by Skype to store IP addresses? - Correct Answer .dat

Your suspect is using the chat client WhatsApp. Which of the following can you add as options in AXIOM Processing to ensure that messages in WhatsApp are decrypted? - Correct Answer Email address + Decryption Key

In order to decrypt Signal messages during processing, what information is needed? - Correct Answer Signal Password

Cloud data is ... A. not accessible with current forensics technology. B. data coming from server-stored locations as opposed to data stored on a local device. C. not accessible without a user's mobile device. D. of little relevance as all information in the cloud will also be on the user's device. - Correct Answer b

Which of the following is one of the fastest growing sources of data in forensic examinations? - Correct Answer Cloud Data

What two methods can be used to access a user's account for a cloud extraction? - Correct Answer Token Username and Password

A token is a key that can be used to re-authenticate to a service without the user constantly needing to enter their credentials over and over within the same session. - Correct Answer True

If a user has two-factor authentication enabled, a token is useless to log into the user's account. - Correct Answer False

Where are tokens most commonly stored on a device? - Correct Answer accounts.db on an Android device Keychain on an iOS device

When conducting a cloud extraction, you must extract the entire contents of the account. - Correct Answer False

When processing cloud evidence, in addition to the Cloud artifacts, AXIOM will automatically select and search for all computer and mobile artifacts across the cloud evidence. - Correct Answer True

Since Facebook Messenger is a different product than Facebook, Facebook Messenger messages will not be extracted when doing a cloud extraction of a Facebook account. - Correct Answer False

Since a user's cloud data is stored on computers not owned by the user, search authorization is not required to access the information. - Correct Answer False

Since cloud data is all accessed via the internet, laws and procedures for acquisition of cloud data are consistent between regions and countries. - Correct Answer False

If you access a user's account using a token, the user will not be notified of the account access. - Correct Answer True

Is the structure of a token consistent from service to service? For example, does a token from Dropbox contain the same structure as a token from Google? - Correct Answer No

When logging into a user's iCloud account for a cloud extraction, frequently Apple will detect this as suspicious activity due to the login coming from a location that has not been previously used. - Correct Answer True

When conducting a cloud extraction of a Facebook account, what information is available to be downloaded? - Correct Answer Profile info, Messenger messages Facebook friends and Facebook timeline

AXIOM Process has the capability to process search warrant results received from certain service providers, such as Apple and Facebook. - Correct Answer True

How does AXIOM Process identify Encrypted Files? - Correct Answer Entropy Value Check

In addition to identifying files that are encrypted, AXIOM will also display the program that was used to encrypt the file. - Correct Answer

When encountering encrypted files, what options does the examiner have to decrypt the file? - Correct Answer dictionary attack, brute force attack, and ask user

Only one Portable Case can be merged back into the main case. - Correct Answer False

"Exporting" from an AXIOM case creates a file that contains attributes about an artifact while "Saving" from an AXIOM case saves the actual artifact. - Correct Answer True

When creating a report of Tagged Items, all tagged items are included in the report. The user does not have the option to exclude certain items. - Correct Answer False

When examining a Portable Case, a non-licensed user will not have access to File System Explorer or Registry Explorer. - Correct Answer True

When viewing a .html report created with AXIOM, the user cannot filter or sort items in the report since .html is a static file. - Correct Answer False

What happens if an examiner is merging a Portable Case back to the parent case and there are conflicts between the Tags in the cases? - Correct Answer AXIOM detects the conflicts and gives the examiner the option of renaming the tags prior to the merge.

An analyst reviews a Portable Case and tags several items as evidence. You want to include the work of the analyst in the parent case. What option do you use to do this? - Correct Answer Merge portable case

What file does a user double-click on to view a Portable Case? - Correct Answer OpenCase.bat

Multiple Portable Cases can be created from one parent case. - Correct Answer True

AXIOM uses a feature known as "true view" export. What does this mean? - Correct Answer The exported data is exactly what the examiner was viewing, including order of the columns and any sorting applied to the data.

Exporting in AXIOM can be performed from either Artifacts View or File System View. - Correct Answer True

What is the file format for a Project Vic export? - Correct Answer json

Exporting in AXIOM can be performed from the registry view. - Correct Answer False

Which of the following is not a case attribute that is included by default when a portable case is merged back into its parent case? - Correct Answer Hashes