CSCI 393 Computer Forensics
Registry Viewer Graded Lab

• In this lab you will work with Washer image.
• In this lab you will create only ONE summarry report for NTUSER.DAT file for Administrator and document all additional findings in the text or Word file named LastNameRegLab

• Create a folder GradedLab to save registry files, reports, and Words file with answers to the Lab quedstions. Name the Word file: LastNameRegLab.
• Harvest registry files from Washer Image
• Find the following information: the number of users, SID for each user. Document # of users, names and last four digits of the SID for each user in the text/Word file LastNameRegLab
• Find Time Zone, Registered Owner, Registered Organization, ProductID, ProductName, InstallDate (in case and values are set), and ONE USB drive that have been attached to the suspect's system(hint: navigate to USBSTOR key in SYSTEM page 225). Document your findings in LastNameRegLab
• Harvest NTUSER.DAT file for the Administrator
• Find the following information: ONE recovered password, ONE typed URL, ONE name of the Recent Document. Add your findings to report you will create.
• Create ONE report that documents information you found in NTUSER.DAT file. Name report LasNameReport (this is htm file)
• Submit the Report and LastNameRegLab file on campus cruiser