Autopsy Basic - Challenge

Excellent day!!

I have doubts about “Autopsy Basics” lab “Challenge”.

Question 1 and 2 need volume data with 4 characters. When you mount an image, multiple volumes are generated.

To answer: one has the name Jx Wxxxxx and the other volume is SxxWxxx.
Jx Wxxxxx → nine characters (eight if space is ignored)
SxxWxxx → seven characters

—> The quiz asks for 4 characters ←

—> Putting unit { example x:\ or (x:) } does not work.

I used both Explorer and commands from CMD and PowerShell to see if it’s asking for the serial number… There is nothing that meets 4 characters.

Has anyone solved it?

Tip?

Hey there - I’m pretty sure you should be conducting these searches in Autopsy, not the Windows Explorer. Specifically, we’re looking for the volume identifiers used by Autopsy - which you won’t get if you’re extracting them and manually browsing with Explorer.

Specifically:

  • Create a case in Autopsy and load the 2020JimmyWilson.E01 image as you did in the previous lesson.
  • Inside this image, there is a virtual disk named “system.vhd” hidden in c:\windows\sytem32\config. Find the system.vhd file and extract it.
  • Load system.vhd as another data source, then use the contents of that image to answer the questions on the Tasks tab.

So you should be extracting system.vhd, but then you should be loading it back to Autopsy to find the answers to the questions.


Thank you CalmQuail2332!!!

I must clarify one thing…
The system doesn’t let me upload more than one image (jpg, png, etc.), I uploaded the final step of the activity… and yes, I did it all with Autopsy.

In the last exercise, extracting is done from Autopsy and to use the image file (vhd created by Autopsy) I have to mount it… or at least that’s what I understood with “Load system.vhd as another data source” 🙂

Should I have used the file again from Autopsy using the “Add Data Source” option?

Thank you again for any information you can provide me 🙂

Best regards.

In this context, image refers to a disk image - not a graphic file.

I would refer back to the Guided Exercise - specifically Part 3. You basically just need to create a new case, follow the Part 3 instructions to load in the 2020JimmyWilson.E01 image, then locate the system.vhd image within the 2020JimmyWilson.E01 image, extract it (see Part 5, Steps 7-8), then click Add New Data Source again, follow the same steps as before, targeting the system.vhd file you just exported, and let the ingest modules run. At this point, you should be able to browse the new evidence in Autopsy to answer the questions.

Thank you very much CalmQuail2332.
+10

Sorry, I wrote quickly and I didn’t explain myself well. The image (jpg) referred to the screenshot where I showed how far I had come in the challenge:
In the exercise I did not use any graphics files 🙂

Anyway… I’ll do the exercise again to get the VHD file and reload it from Autopsy.

So I will… I shouldn’t have any more problems 🙂

Best regards.
