PRTK GRADED LAB

Full Credit (100 points)

• Open one of the cases you have, remove all old images, and add precious.E01 image
• Document results in Word file
• Find the total number of enrypted files
• Find the number of EFS encrypted files
• List the owner (name and SID) for each encrypted file.
• Decrypt files. Document your steps. Pay attention, the procedure is different for EFS encrypted files.
• List all recovered passwords: make a table: first column - file name and second column - recovered password
• List first 3 words from each decrypted file: make a table: first column - file name and second column - first 3 words in the file.
• Submit Word file on Campus Cruiser

Grading Rubrics:

• To receive 75 points it is sufficient to decrypt the following file: Mortgage accounting inc escrow (Microsoft Excel 97-2003 Worksheet (.xls)) file and document all passwords associated with this file, decrypt the file and submit the decrypted file.
• To receive full credit, in addition you need to find a LOGON password for the user who owns EFS encrypted files, and decrypt at LEAST ONE EFS file and explain the steps.

If Time Permits: Optional Lab Page 630

Useful links on Recycle Bin Forensics

• $Recycle.Bin Forensics for Windows 7 and Windows Vista by Timothy R. Leschke
• Forensic Analysis of the Microsoft Windows Vista Recycle Bin By Mitchell Machor
• Information on funding sources, commissioner approved training and worker retraining from CyberSecurity Institute
• From www.4n6xplorer.com