Computer Forensics
Practice Lab FTK

Document your findings in Word file

• Create a new case, call it Lab1. Follow steps 1 - 4 on page 306. PAY ATTENTION: You have to EXCLUDE options listed in #4
• Follow page 276 Part 2 ONLY to create a Custom Identifier for the Windows XP prefetch files, since in this case you will work with WIndows XP. Following Prefetch From Worensics Wiki information, the Signature for Windows XP is 11 00 00 00 53 43 43 41
• Open the case
• Add the following evidence: Clampett18.aff from Course Material/EvidenceFiles
• Click the Overview Tab(reference pages: 332 - 337)
  • Expand File Status
  • How many Bad Extensions files are found?
  • Choose one Bad Extension file and explain why the file was added to Bad Extension folder
  • Expand File Category Container
  • Follow page 397 to view registry files and find the information below:
  • Confirm operating system
  • Number of users and SID for one user of your choice
  • Find Time Zone
  • Before you change the Time Zone Display, go to File Category->Documents->Microsoft Documents->Microsoft Word->Microsoft Word 2003
  • Highlight the file Apology.doc
  • Find the Create Date of the file and write it BEFORE and AFTER you changed Time Zone Display
• Click the EMAIL Tab
  • Expand Email Status container
  • How many Email Reply are found
  • Expand Email by Date
  • List the year and month of submitted and delivered e-mails
• Click Live Search Tab and Search for word "bad", then click Index Search Tab and search for the same word. Compare results: number of hits, number of files, location(allocated/unallocated) (pages: 347 - 351)
• Follow Lab on page 393 Part 1, perform the steps for the file Epizudi Remedy.doc from Documents->Microsoft Documents->Microsoft Word->Microsoft Word 2003. You don't need to Bookmark anything, but instead, view Metadata and find who is the author of the file?
• Click the Explore tab, then locate and expand RECYCLER folder. How many subfolders are there and why? List one deleted file, owner name and owner SID. (pages 400 and 402 Part 1)
• Click on Internet/Chat Tab. Expand Internet Explorer Browser -> Internet Explorer Files->MSIE History. How many index.dat files are in that folder. Highlight first index.dat, right-click and then click View Item in Different List->Explore. In the Explore tab's Evidence Items paae, the parent index.dat will be highlighted. In the File List find the Internet Explorer History Entry #00195. What is the visited URL listed in this entry.