CSCI 393 Computer Forensics
Registry Viewer Practice Lab PART 4
In this lab you will use the ID THEFT2.E01 and ID THEFT 3.E01 image files.
- Create a new folder FridayLab
- Use FTK Imager to harvest the registry files from each image.
- PAY ATTENTION: The first image contains a different version of Windows.
- Work with the SAM, System and Software files and perform the steps on pages 221 - 223 and 225 (#16 USBSTOR key) to find the following information: the number of users, SID for each user, Time Zone, Registered Owner, Registered Organization, ProductID, ProductName, InstallDate, etc.
- What is the SID of the Bad Guy 2K (from the first image) and SecretUser (from the second image)?
- In FTK Imager, find the NTUSER files for the Bad Guy 2K (from the first image) and SecretUser (from the second image), save them in the new folder, then open them in Registry Viewer and follow the steps on pages 217 - 219 and the steps on page 224 starting from #7, but working with NTUSER.DAT for these two users.
- Try to find information about PRINTERS for each user.
- Create a summary report that includes the following information: the SID (for the 2 users mentioned above), any recovered passwords, one typed URL, one name of a Recent Document, and ANY PRINTERS.
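
To cross-check the SID and InstallDate values read in Registry Viewer, the following added example (not part of the original lab handout) decodes the raw forms these values take in the hives. The function names and the sample bytes are constructed for illustration; it assumes a binary SID copied from a REG_BINARY value (such as the Sid value under a ProfileList subkey in the Software file), a SAM Users subkey name, and the InstallDate DWORD.

```python
import struct
from datetime import datetime, timezone

def decode_sid(raw: bytes) -> str:
    """Convert a binary SID (REG_BINARY form) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def rid_from_sam_key(key_name: str) -> int:
    """SAM Users subkeys are named with the account RID in hex (000003EB = 1003)."""
    return int(key_name, 16)

def sid_matches_sam_key(sid: str, key_name: str) -> bool:
    """True when the last SID component is the RID named by the SAM subkey."""
    return sid.rsplit("-", 1)[1] == str(rid_from_sam_key(key_name))

def install_date_utc(dword: int) -> str:
    """InstallDate is a DWORD holding seconds since 1970-01-01 UTC."""
    stamp = datetime.fromtimestamp(dword, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")

# Constructed sample values, not taken from the lab images.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1003)
SAMPLE_SAM_KEY = "000003EB"
SAMPLE_INSTALL_DATE = 946684800

if __name__ == "__main__":
    sid = decode_sid(SAMPLE_SID)
    print("SID:         ", sid)
    print("RID from SAM:", rid_from_sam_key(SAMPLE_SAM_KEY))
    print("Same account:", sid_matches_sam_key(sid, SAMPLE_SAM_KEY))
    print("InstallDate: ", install_date_utc(SAMPLE_INSTALL_DATE))
```

Record the decoded values next to the Registry Viewer readings in the summary report so any mismatch between the SAM and Software hives is visible.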