CSCI 388 Computer Forensics Fall 2014
Graded Lab Nov 14

Document your answers in text/Word file and submit on Campus Cruiser

• Open New Case call it Nov14. Follow Page 306 and use exactly the same options. Make sure you EXCLUDE everyting listed in #4
• Add Clampet evidence to your case
• Go to the Overview Tab and check File Status > KFF Alert Files. At this point you MUST HAVE 0 files in that category. CONFIRM!
• Save this file in Forensics2014 folder
• Part I: Using KFF
  • Follow the lab on pages 509-510 #4 - #22 and using file above that you just saved instead of Thumbdrive Hashes.
  • After KFF lookup is complete, go to the Overview Tab again and check File Status > KFF Alert Files.
  • List the number of files you currently have in KFF Alert
  • Select one file and look at its properties.
  • List the information is listed in KFF Status portion of the properties.
• Part II: Filters
  • Follow lab on page 586 to create a new Filter SID 1003 or SID 1006 which will find all files that belong to users with SID 1003 OR SID 1006
  • Apply the filter. How many files did you find?
  • Clear the filter.
  • Use Compound Filters (page 590) to find the number of files and name of at least ONE file that satisfy the following conditions:
    1. Include Encrypted Files that belong to users SID 1003 or SID 1006
    2. Include Encrypted Files that are in KFF Alert group
    3. Include Encrypted Files that belong to users SID 1003 or SID 1006 and Exclude Microsoft Office Files
• Regular Expressions and Search Tabs
  • Create a regular expression that search for the part of address that includes STATE and ZIP CODE. The State part consists of TWO UPPER LEVEL CHARS, the ZIP CODE has the following structure: XXXXX-XXXX. Last 4 digits are OPTIONAL. Could be Space or , between State and ZIP CODE
  • Use Live Search Tab to search for state and zip code using your regular expression.
  • How many hits did you find
  • LIST ALL OF THEM
  • Bonus: look on the hits you found above and try to construct a regular expression that will find the whole address, not only state and zip code. Pay attention, in both hits the address starts with PO Box, assume you are looking only for PO Box addresses.
  • Use Live Search Tab to search for state and zip code using your regular expression.
  • How many hits did you find
  • LIST ALL OF THEM