CSCI 393 Computer Forensics
Registry Viewer Practice Lab
PART 1
- Use the SAM file from the Clampet image to find the SID of user Jed (for reference, see pages 188 and 221)
- Open FTK Imager, add the Clampet image file, find the NTUSER.DAT file for user Jed and save it on your computer (for reference, see page 188)
- Use the SOFTWARE file to confirm that Jed is an owner of the computer the Clampet image was taken from (for reference, see page 204)
- Use the NTUSER.DAT file for user Jed and follow the steps on pages 217 - 219, including Find, Advanced Find and Find by Date, then perform the steps on page 224 starting from #7, but working with the NTUSER.DAT file for Jed
- Create a Summary report that includes the following information you found for user Jed: SID, any recovered passwords, one typed URL, one name of the Recent Document
Registry Viewer Practice Lab
PART 2
- On the desktop, create a new folder and name it CurrentComputerRegistry
- Open FTK Imager. In the File menu, choose Obtain Protected Files. Save these registry files in the new folder you created earlier.
- Work with the SAM, System and Software files and perform the steps on pages 221 - 223 and 225 (#16 USBSTOR key) to find the following information: the number of users, SID for each user, Time Zone, Registered Owner, Registered Organization, ProductID, ProductName, InstallDate, etc.
- Explore the file named default
- Create a Summary report that includes the information listed above
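
Several of the values requested above are stored in encoded form: SAM user subkeys are named with the RID as eight hexadecimal digits, a SID stored as binary data appears as a byte string, and InstallDate is a DWORD holding Unix seconds. The Python helper below is an added example (not part of the lab handout or the referenced textbook) that decodes them for the summary report; the function names are hypothetical, and the sample bytes, key name and date are constructed.

```python
import struct
from datetime import datetime, timezone

def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary SID to its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("a binary SID is at least 8 bytes long")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    # Identifier authority is 6 bytes, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Each sub-authority is a 32-bit little-endian integer.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def rid_from_sam_key(key_name: str) -> int:
    """SAM user subkeys are named with the RID as 8 hex digits."""
    if len(key_name) != 8:
        raise ValueError("expected an 8-digit hexadecimal key name")
    return int(key_name, 16)

def user_sid(machine_sid: str, key_name: str) -> str:
    """A local account SID is the machine SID followed by the RID."""
    return "%s-%d" % (machine_sid, rid_from_sam_key(key_name))

def install_date(dword: int) -> str:
    """InstallDate is seconds since 1970-01-01 00:00:00 UTC."""
    stamp = datetime.fromtimestamp(dword, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")

# Constructed sample data, not taken from the Clampet image.
SAMPLE_SID_BYTES = (bytes.fromhex("010400000000000515000000")
                    + struct.pack("<3I", 111111111, 222222222, 333333333))
SAMPLE_USER_KEY = "000003EB"       # constructed SAM user subkey name
SAMPLE_INSTALL_DATE = 1262304000   # constructed InstallDate DWORD

if __name__ == "__main__":
    machine = sid_from_bytes(SAMPLE_SID_BYTES)
    print("Machine SID :", machine)
    print("User SID    :", user_sid(machine, SAMPLE_USER_KEY))
    print("InstallDate :", install_date(SAMPLE_INSTALL_DATE))
```

Registry Viewer already decodes many of these values; decoding them by hand is a way to check the figures before they go into the report.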