Computer Forensics
Graded Lab FTK

Document your findings in Word file, name it FTK_your_last_name and submit it on Campus Cruiser

• Open an existing case you created on Wed and remove all evidences from that case (if you were not in class on Wed, follow instructions in Practice Lab to create a case).
• Add new evidence Image File: precious.E01
  To add the new evidence follow the following steps: In Evidence Menu choose Add/Remove. In the Manage Evidence Window, click Add, in Select Evidence Type, choose Acquired Image (first choice), then lcik OK and browse to the location of the file.
• Click the Overview Tab(reference pages: 332 - 337)
  • Expand File Status
  • How many Bad Extensions files are found?
  • Choose the following file: crs_2467[1].jpg from the Bad Extension files list and explain why this file was added to Bad Extension folder.
    • Document the current extension and the file category, see the difference.
    • Document the actual file signature and the file signature of the extension it is listed under.
    • Did you get the same result? Explain

  • Still in File Status, look on Encrypted Files. How many Encrypted Files are in this image? How many EFS (Encryption File System) encrypted files? (Hint: look on the brown key next to the file name and in the Category Column)
  • Expand File Category Container
  • Follow page 397 to view registry files and find the information below:
  • Confirm operating system
  • Number of users and SID for one user of your choice
  • Find Time Zone
  • Before you change the Time Zone Display, go to File Category->Documents->Microsoft Documents->Microsoft Word->Microsoft Word 2002
  • Highlight the file Options.doc
  • Find the Create Date of the file and write it BEFORE and AFTER you changed Time Zone Display
• Click the EMAIL Tab
  • Expand Email Status container
  • How many Email Reply are found
  • Expand Email by Date
  • List the year and month of submitted and delivered e-mails
• Click Live Search Tab and Search for word "password", then click Index Search Tab and search for the same word. Compare results: number of hits, number of files, location(allocated/unallocated) (pages: 347 - 351)
• Follow Lab on page 393 Part 1, perform the steps for the file Passwords and Stuff.doc from Documents->Microsoft Documents->Microsoft Word->Microsoft Word 2000. You don't need to Bookmark anything, but instead, view Metadata (File Properties) and find who is the author of the file?
• Click the Explore tab, then locate and expand RECYCLER folder. How many subfolders are there? Who is the owner of each subfolder? Look on Dd6.jpg file. List owner name and owner SID. (pages 400 and 402 Part 1)
• Click on Internet/Chat Tab. Expand Internet Explorer Browser -> Internet Explorer Files->MSIE History. How many index.dat files are in that folder. Highlight first index.dat, right-click and then click View Item in Different List->Explore. In the Explore tab's Evidence Items paae, the parent index.dat will be highlighted. In the File List find the Internet Explorer History Entry #00011. What is the visited URL listed in this entry.