CSCI 393 Computer Forensics FTK Graded Lab 2

Document your answers in text/Word file and submit on Campus Cruiser

• Open New Case call it March28. Follow Page 306 #1, #3, #4, and #5 ONLY and use exactly the same options. Make sure you EXCLUDE everyting listed in #4
• Add Clampet evidence to your case
• Go to the Overview Tab and check File Status > KFF Alert Files. At this point you MUST HAVE 0 files in that category. CONFIRM!
• Save this file on the Desktop
• Part I: Using KFF
  • Follow the lab on pages 509-510 #4 - #22 and using file above that you just saved instead of Thumbdrive Hashes in #7 and #17.
  • After KFF lookup is complete, go to the Overview Tab again and check File Status > KFF Alert Files.
  • List the number of files you currently have in KFF Alert
  • Select one file and look at its properties.
  • List the information is listed in KFF Status portion of the properties.
• Part II: Regular Expressions and Search Tabs
  • Create a regular expression that search for the part of address that includes STATE and ZIP CODE. The State part consists of TWO UPPER LEVEL CHARS, the ZIP CODE has the following structure: XXXXX-XXXX. Last 4 digits are OPTIONAL. Could be Space or , between State and ZIP CODE
  • Use Live Search Tab to search for state and zip code using your regular expression.
  • How many hits did you find
  • LIST ALL OF THEM
  • Bonus: look on the hits you found above and try to construct a regular expression that will find the whole address, not only state and zip code. BUT Pay attention, in both hits the address starts with PO Box, so you can assume you are looking only for PO Box addresses.
  • Use Live Search Tab to search for your regular expression.
  • How many hits did you find
  • LIST ALL OF THEM