Clarification on Section 7 Question 8

wdmenzie · April 10, 2020, 1:41pm

Regarding,

The spelling of the executable file “truecrype.exe” in the question is correct. Added a small bit of extra clarification to the question, but the spelling in the question is correct.

If this was indeed how you wanted it spelled in the interesting files rule creation then the spelling in the lab needs to be adjusted to reflect “truecrype.exe” and not “truecrypt.exe”

carrier · April 21, 2020, 4:10pm

The intention of the interesting file rule is to preset known file names and flag them if they are found. The user would normally enter truecrypt.exe because that is what they’d expect to find if TrueCrypt was on the system.

It points out the limitations of relying on file names…

Topic		Replies	Views
Section 7 Lab question 5 Online Training	5	1299	April 16, 2020
Orignal Filename Autopsy Help	4	1929	April 13, 2021
Section 10 quiz 3 Online Training	1	707	June 4, 2020
Section 10 LAb Question 4 Online Training	2	732	April 13, 2020
Hash Sets - Ignore Known Files? Autopsy Help	0	543	January 26, 2021

Clarification on Section 7 Question 8

Related Topics