CSCI 393 Computer Forensics FTK Practice Lab

Document your answers in text/Word file and submit on Campus Cruiser

• Open New Case call it April 4. Follow Page 306 #1, #3, #4 ONLY and use exactly the same options. Make sure you EXCLUDE everyting listed in #4
• Add Clampet evidence to your case
  • Follow lab on page 586 to create a new Filter SID 1003 or SID 1006 which will find all files that belong to users with SID 1003 OR SID 1006
  • Apply the filter. How many files did you find?
  • Clear the filter.
  • Use Compound Filters (page 590) to find the number of files and name of at least ONE file that satisfy the following conditions:
    1. Include Encrypted Files that belong to users SID 1003 or SID 1006
    2. Include Encrypted Files that are in KFF Alert group
    3. Include Encrypted Files that belong to users SID 1003 or SID 1006 and Exclude Microsoft Office Files