Offline Analysis of Historical Bitcoin Transactions

Questions and Answers

Which of the following wallets is known for being a multi-chain wallet?

• Electrum
• Bitcoin Core
• Exodus (correct)
• BTCRecover

Which of the following wallets is known for being a thin client?

• Bitcoin Core
• Exodus
• Electrum (correct)
• BTCRecover

Which of the following wallets stores its data in encrypted Secure Container (.SECO) files?

• Electrum
• Exodus (correct)
• BTCRecover
• Bitcoin Core

Which of the following wallets allows users to password protect and encrypt their wallet data?

Electrum (D)

Which of the following wallets is a full node client and requires a full copy of the BTC blockchain to run correctly?

Bitcoin Core (B)

Which command can be used to filter out irrelevant lines from the output of a command?

findstr (D)

What information does the 'pslist' command provide?

Process name and identifier (A)

What does the 'netscan' command identify?

Processes connected to and talking to the network (D)

What do the IP addresses identified by 'netscan' indicate?

The content viewed on the internet (B)

What do Virtual Address Descriptors (VAD) describe?

The slivers of a process in memory (B)

Which command should be used to combine multiple .dmp files into a single file?

copy /b *.dmp bitcoin-qt.dmp (A)

What is the purpose of BTCScan.py?

To extract crypto artefacts from the process space (C)

Why is it important to remove duplicates from the csv file?

To ensure only unique addresses are considered (C)

What is the purpose of the User Assist registry key in Windows?

To track user activities and program usage (A)

Why is being able to attribute an address to a specific user and software valuable in a cryptocurrency investigation?

To understand the addresses provenance (B)

Which of the following is NOT a magic value used to locate valuable artifacts in MetaMask?

balance (D)

What is the purpose of the seedword recovery tool in MetaMask?

To recreate the seed phrase (A)

Where can the necessary wallet data for Chrome extensions be found?

Google/Chrome/Default/Local Extension Settings/[Chrome Extension Hash] (C)

Which Chrome extension has the hash 'nkbihfbeogaeaoehlefnkodbefgpgknn'?

Crypto MetaMask (A)

Where can the wallet data for TronLink be found in Google Chrome?

Google/Chrome/Default/Local Extension Settings/ibnejdfjmmkpcnlpebklmnkoeoihofec (A)

Which command can be used to determine the profile of a RAM image in Volatility?

imageinfo (B)

Where are Bitcoin wallet files saved in the default data directory on Windows Vista and 7?

C:\Users\YourUserName\Appdata\Roaming\Bitcoin\Wallets (D)

What is the magic value at offset zero for all raw Bitcoin data?

f9beb4d9 (D)

Which tool can be used to search for Bitcoin wallet files by file names, contents, and regular expressions?

Agent Ransack (A)

Which script can be used to extract Bitcoin addresses, private keys, and Xpriv/Xpub keys by scanning drives, directories, and/or files using RegEx?

BTCScan (B)

Where can you find the MetaMask log file on Windows Chrome?

C:\Users\USER_NAME\AppData\Local\Google\Chrome"User Data"\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn (C)

What is MetaMask primarily used for?

Interacting with web3 compatible sites (B)

Which EVM blockchains are supported by MetaMask?

Ethereum (ETH) and Binance Smart Chain (BSC) (B)

What can be found within the MetaMask log file?

Encrypted copy of the wallets seed phrase (A)

Where can you find the MetaMask log file on Mac Firefox?

Library>Application Support>Firefox>Profiles> mqusl6b4.default-release-1653305409297>storage>default (D)

Flashcards are hidden until you start studying