Magnet AXIOM Exam Study Guide: Questions and Answers, Exams of Engineering

This study guide provides a set of questions and answers on Magnet AXIOM, a digital forensics suite. It covers case setup, evidence processing, artifact analysis, and key concepts in digital forensics. The guide is designed to help users prepare for exams or gain a deeper understanding of AXIOM's functionality.

Typology: Exams

2024/2025

Available from 03/25/2025

Achieverr
Axiom Exam Study Guide questions with answers

When setting up a new case in Magnet AXIOM Process, can you specify separate locations for the case files and the evidence files? - CORRECT ANSWERS ✔✔Yes

Which types of devices can be imaged using Magnet AXIOM Process? - CORRECT ANSWERS ✔✔Hard Drives, Thumb Drives, iOS Phones, Android phones

Is it possible to only scan Volume Shadow Copies from a drive? - CORRECT ANSWERS ✔✔Yes

Which option should be used when loading in data from an iOS or Android device? - CORRECT ANSWERS ✔✔Mobile

Can Magnet AXIOM Process filter files via hash values? - CORRECT ANSWERS ✔✔Yes

What are the two main programs of the AXIOM forensics suite? - CORRECT ANSWERS ✔✔Examine & Process

AXIOM will run natively on a Mac computer. - CORRECT ANSWERS ✔✔False

AXIOM Process and AXIOM Examine both can be run through a virtual machine. - CORRECT ANSWERS ✔✔True

What are the three distinct steps of the forensic process? - CORRECT ANSWERS ✔✔Acquisition or Extraction, Processing, Analysis

You are working a case and want to know if AXIOM supports extracting artifacts from the app Yik Yak. What documentation can you view to determine if Yik Yak is supported? - CORRECT ANSWERS ✔✔Artifact reference

What three licensing options are available for the user to license Magnet Forensics AXIOM? - CORRECT ANSWERS ✔✔License Key, Network Server, Axiom USB

AXIOM Process allows the user to set up the data for Acquisition (imaging) and Processing in the same single step. - CORRECT ANSWERS ✔✔True

When setting up an item of evidence for processing, what two options are available? - CORRECT ANSWERS ✔✔Load Evidence, Acquire Evidence

During setup for processing, the user can specify the Search Type to be conducted on an item of digital evidence. - CORRECT ANSWERS ✔✔True

From the Case Dashboard, you chose the option "Categorize pictures with Magnet.AI." Which of the following options are available for categorization? - CORRECT ANSWERS ✔✔All pictures

Which two hash formats does AXIOM use? - CORRECT ANSWERS ✔✔MD SHA

You want to create a full image of a hard drive. Which two image formats are available in AXIOM? - CORRECT ANSWERS ✔✔.E01 and .RAW

Since there are substantial differences between computer, mobile, and cloud artifacts, separate AXIOM cases must be created for each type of evidence. - CORRECT ANSWERS ✔✔False

Which type of scan is the slowest? - CORRECT ANSWERS ✔✔Sector Level Scan

During imaging, is it possible to break the image file created into segments? - CORRECT ANSWERS ✔✔Yes

When processing a case, you enable the option to Remove Duplicates. An identical picture file is located in /Downloads and in /Documents/Pictures. Since processing removed duplicates, only one of these files will be available to view in AXIOM Examine. - CORRECT ANSWERS ✔✔False

When setting up Keyword Search Types for All Content, the user can specify the Encoding used for each keyword list. - CORRECT ANSWERS ✔✔True

You process a case and begin reviewing the results. Upon doing so, you notice that when you added the evidence, you entered the wrong Scan Information. Is it possible to edit this information now that processing has completed? - CORRECT ANSWERS ✔✔False

You conduct a keyword search for All Content and there are hits located in unallocated space that have no associated artifact. Where will these results be displayed? - CORRECT ANSWERS ✔✔Keyword Snippets

Which of the following is not a method of compression used for .E01 images in AXIOM Process? - CORRECT ANSWERS ✔✔Least

Which file would contain information indicating that a USB device was successfully installed on a computer? config.sys, index.dat, thumbs.db, setupapi.dev.log - CORRECT ANSWERS ✔✔setupapi.dev.log

What can be interpreted from the following line from an Internet history? http://www.google.com/index.html&q=emperor+penguin. - CORRECT ANSWERS ✔✔A search was conducted for "Emperor Penguin" using the search engine Google.

From a Windows PreFetch file, it is possible to determine when a program was run. - CORRECT ANSWERS ✔✔True

Dates and times of the target file

Prefetch files tend to slow down the performance of a computer since the files are loaded prior to the associated application being run. - CORRECT ANSWERS ✔✔False

Which type of file on a Windows computer can show when a specific file was opened and what application was used to open it? - CORRECT ANSWERS ✔✔Jump List

Which type of file on a Windows computer keeps track of folder views, sizes, and positions when viewed through Windows Explorer? - CORRECT ANSWERS ✔✔Shellbag

When examining Operating System artifacts, there are frequently duplicate artifacts. Why is this? - CORRECT ANSWERS ✔✔This is due to the fact that the registry automatically backs itself up and saves a copy to \Windows\System32\Config\RegBak.

What is the Windows Registry? - CORRECT ANSWERS ✔✔A hierarchical database that stores configuration information.

The first four bytes in the Data field for a drive letter entry in Mounted Devices are referred to as "drive signature" or "drive identifier" and look similar to this: 25 30 83 F4. Where is information on Mounted Devices located? - CORRECT ANSWERS ✔✔Offset 440 of the MBR

Where is the Master Boot Record (MBR) located? - CORRECT ANSWERS ✔✔Offset 0 of unpartitioned space.

The Master Partition Table (MPT) begins with hex code indicating what type of partition it is. If the partition is the bootable partition, what hex code does the MPT begin with? - CORRECT ANSWERS ✔✔80

The Installed/Updated Date/Time under Operating System Information refers to the original install date of Windows. - CORRECT ANSWERS ✔✔False

Since USB thumb drives are not a permanent part of the hardware for a computer system, they do not contain Volume Serial Numbers. - CORRECT ANSWERS ✔✔False

What is the functionality of MountPoints2? - CORRECT ANSWERS ✔✔Keeps track of USB devices that are associated with individual users.

What naming scheme is used for entries in UserAssist? - CORRECT ANSWERS ✔✔ROT

LNK files can be created by a user or automatically created by the operating system. - CORRECT ANSWERS ✔✔True

Which of the following is NOT tracked by System Resource Usage Monitor (SRUM)? - CORRECT ANSWERS ✔✔Login Time Usage

C. Organic -- The user clicked on a link from a search engine. D. Referral -- The user clicked on a link on a web site other than a search engine. - CORRECT ANSWERS ✔✔Direct, Organic, Referral

Google Chrome Downloads maintains information indicating if a user has opened a downloaded file. - CORRECT ANSWERS ✔✔True

What is the purpose of Session Recovery for web browsers? A. Automatically logs in the user when they start their web browser. B. Sorts the daily browser session history. C. Enables users to move from device-to-device while keeping the same browsing session. D. Provides a means for a browser to return to the last pages or tabs open in the event of a crash or sudden power loss. - CORRECT ANSWERS ✔✔D

In order for Session Recovery to be populated for a web browser, there has to be a browser crash. - CORRECT ANSWERS ✔✔False

What keyword search can you conduct to get a listing of files that the user opened by navigating to the file and double-clicking on it? A. file:/// B. opened:/// C. recent:/// D. browse:/// - CORRECT ANSWERS ✔✔A

When surfing the internet, no information is downloaded to the user's computer unless they specifically download it. - CORRECT ANSWERS ✔✔False

Which of the following would cause an entry to be created in the database that maintains Typed URLs? (Check all that apply) A. The user typed a URL. B. The user copied a URL from a document and then pasted it into the address bar of the browser. C. The user cut a URL from a document and then pasted it into the address bar of the browser. D. The user clicked on a list of URLs from a page of search results. - CORRECT ANSWERS ✔✔A,B,C

Google Chrome maintains information indicating how many times autofill data has been used or accessed for a form. - CORRECT ANSWERS ✔✔True

Search engine queries will normally include the search term itself embedded in the URL. - CORRECT ANSWERS ✔✔True

The artifact category Refined Results is used for the quick identification of relevant evidence. - CORRECT ANSWERS ✔✔True

A user is on Ebay and conducts a search for "hard drives." Which artifact category would this search be found in? A. Google Searches B. Ebay Searches C. Parsed Search Queries

B. Allows the examiner to go to the source of the artifact in File system or Registry view. C. Provides the source hash value of the artifact. D. Allows the examiner to link additional sources of evidence to the case. - CORRECT ANSWERS ✔✔B

AXIOM has a built-in viewer to view SQLite database files. - CORRECT ANSWERS ✔✔True

What is the difference between the artifact categories Google Searches and Parsed Search Queries? A. Nothing. They both compile the same search results. B. Google Searches contains artifacts of completed searches. Parsed Search Queries contains artifacts of incomplete searches. C. Google Searches contains only artifacts of searches that were done on Google. Parsed Search Queries contains artifacts of searches that were done on sites other than Google. D. Google Searches contains artifacts of searches that were done when a user was logged into Google. Parsed Search Queries contains artifacts of searches that were done when the user was not logged in. - CORRECT ANSWERS ✔✔C

Which artifact category in Refined Results would compile sites such as Amazon, Ebay, and Craigslist? A. Classifieds URLs B. Shopping URLs C. Auction URLs D. Parsed URLs - CORRECT ANSWERS ✔✔A

Only one filter can be applied at a time in AXIOM Examine. - CORRECT ANSWERS ✔✔False

What artifact category would you expect to see results from the site Dropbox? A. Internet URLs B. Data Storage URLs C. Upload URLs D. Cloud Services URLs - CORRECT ANSWERS ✔✔D

In the artifact category Facebook URLs, it is possible to determine the specific activity occurring on Facebook. - CORRECT ANSWERS ✔✔True

Artifacts contained in the category Facebook URLs will also be contained in the category Social Media URLs. - CORRECT ANSWERS ✔✔False

What is the purpose of the Identifiers artifact group? A. It stores the identification of the owner of the digital device. B. It collects sources by which a person may be identified. C. It stores log in information for the digital device. D. It provides a listing of all artifact categories that have been identified in the case. - CORRECT ANSWERS ✔✔B

You are reviewing a Word document and see that application metadata indicates that the Last Author was Opus Penguin. Would this information also be contained in the Identifiers artifact category? A. Yes. The name Opus Penguin would be listed as an Identifier.

B. Provides a history of the user's login. C. Determines if the user is also using Facebook Messenger. D. Provides a listing of Facebook tracking cookies. - CORRECT ANSWERS ✔✔A

With the exception of Facebook, all other social media sites currently being used on the internet will be populated in the Social Media URLs artifact category. - CORRECT ANSWERS ✔✔False

AXIOM supports searching of only traditional email client artifacts (such as POP and IMAP protocols) but not web-based email (such as Gmail). - CORRECT ANSWERS ✔✔False

Which of the following will AXIOM parse from Microsoft Outlook? (check all that apply) A. Emails B. Contacts C. Appointments D. Notes - CORRECT ANSWERS ✔✔ALL

The PREVIEW card in the Details pane will render all emails that are in HTML format. - CORRECT ANSWERS ✔✔False

As emails travel from origin to destination, they go through a number of servers. Where can you locate information on the servers that an email has traveled through? A. Email body

B. Email attachments C. Email headers D. Email HTML - CORRECT ANSWERS ✔✔C

Which of the following pieces of information would NOT be contained in an email header? A. IP address of the sender B. Password for the email client C. Email address of the sender D. Email address of the recipient - CORRECT ANSWERS ✔✔B

All recovered emails have full header information available, including the origin IP address for the email. - CORRECT ANSWERS ✔✔False

How can you view an email attachment in AXIOM? A. By clicking on the hyperlink in the PREVIEW pane. B. The PREVIEW pane will render all attachments making them viewable. C. By switching to Documents view. D. Attachments are not visible in AXIOM. - CORRECT ANSWERS ✔✔A

Which option would you use to export email messages from AXIOM? A. Save artifact to B. Create report / export C. Change encoding D. View connections - CORRECT ANSWERS ✔✔B

B. .plist file C. .dat file D. Internally within the document. - CORRECT ANSWERS ✔✔D

How does AXIOM differentiate between different tabs of an Excel spreadsheet when viewing in the Preview pane? A. Tabs are separated by a dotted line and blue text. B. Tabs are separated by a solid line and red text. C. Tabs are separated by a dashed line and green text. D. All tabs are displayed as one sheet. - CORRECT ANSWERS ✔✔A

If you want to save a document out of the AXIOM case locally to your computer, which option do you use? A. Create report / export B. Save artifact to ... C. Copy file D. Create Portable Case - CORRECT ANSWERS ✔✔B

If you want to export a document's metadata to a report on your computer, which option do you use? A. Save artifact to ... B. Export Metadata C. Create report / export D. Compile Metadata - CORRECT ANSWERS ✔✔C

The following expression searches for an email address. What type of expression is this? [\w-]+(?:.[\w-]+)*@(?:[\w-]+.)+[a-zA-Z]{2,7} A. HEX Expression B. UNIX Expression C. Encoded Expression D. Regular Expression - CORRECT ANSWERS ✔✔D

In addition to the text of a document, a document's metadata is also searchable. - CORRECT ANSWERS ✔✔True

What functionality within AXIOM can be used to determine the Who, What, When, Where, Why, and How of a file? A. Connections View B. Registry View C. Histogram View D. File System View - CORRECT ANSWERS ✔✔A

Connections Explorer can be launched from which view in AXIOM Examine? A. Case Dashboard B. Artifact View C. File System View D. Registry View - CORRECT ANSWERS ✔✔B

When viewing an item in Connections Explorer, you must view all connections as there is no way to filter out any specific attributes. - CORRECT ANSWERS ✔✔False