CSCI 393 Computer Forensics
Registry Viewer Practice Lab PART 1

• Use SAM file from Clampet image to find SID of user Jed (for reference Page 188 and Page 221)
• Open FTK Imager, add Clampet image file, find the NTUSER.DAT file for user Jed and save it on your computer (for reference Page 188)
• Use SOFTWARE file to confirm that Jed is an owner of the computer Clampet image was taking from (reference Page 204)
• Use NTUSER.DAT file for user Jed and follow steps on page 217 - 219 including Find , Advanced Find, Find by Date and perform steps on page 224 starting from #7 but working with NTUSER.DAT for Jed
• Create a Summary report that includes the following information you found for user Jed: SID, any recovered passwords, one typed URL, one name of the Recent Document

Registry Viewer Practice Lab PART 2

• On the desktop create a new folder, name it CurrentComputerRegistry
• Open FTK Imager. In the File menu choose Obtain Protected Files. Save these registry file in the new folder you created earlier.
• Work with SAM, System and Software files and perform steps on pages 221 - 223 and 225 (#16 USBSTOR key) to find the following information: the number of users, SID for each user, Time Zone, Registered Owner, Registered Organization, ProductID, ProductName, InstallDate, etc...
• Explore file named default
• Create a Summary report that includes information listed above