CSCI 393 Computer Forensics FTK Practice Lab
Document your answers in a text/Word file and submit it on Campus Cruiser.
- Open a new case and call it April 4. Follow page 306, #1, #3 and #4 ONLY, and use exactly the same options. Make sure you EXCLUDE everything listed in #4.
- Add Clampet evidence to your case
- Follow the lab on page 586 to create a new filter, "SID 1003 or SID 1006", which will find all files that belong to users with SID 1003 OR SID 1006
- Apply the filter. How many files did you find?
- Clear the filter.
- Use Compound Filters (page 590) to find the number of files and the name of at least ONE file that satisfy the following conditions:
  - Include Encrypted Files that belong to users SID 1003 or SID 1006
  - Include Encrypted Files that are in the KFF Alert group
  - Include Encrypted Files that belong to users SID 1003 or SID 1006 and Exclude Microsoft Office Files