CSCI 393 Computer Forensics
Registry Viewer Practice Lab PART 3
In this lab you will use the precious.E01 image file.
- Create a new folder LabPractice_TodayDate
- Open FTK Imager, add the precious.E01 image file, find all registry files and save them in the new folder. DON'T close Imager; you will need it again.
- Work with the SAM, System and Software files and perform the steps on pages 221 - 223 and 225 (#16 USBSTOR key) to find the following information: the number of users, the SID for each user, Time Zone, Registered Owner, Registered Organization, ProductID, ProductName, InstallDate, etc.
- What is the SID of the user Frodo Baggins?
- In FTK Imager, find the NTUSER.DAT file for user Frodo Baggins, save it in the new folder, then open it in Registry Viewer and follow the steps on pages 217 - 219 and the steps on page 224 starting from #7, but working with the NTUSER.DAT for Frodo Baggins.
- Create a Summary report that includes the following information you found for user Frodo Baggins: SID, any recovered passwords, one typed URL, one name of a Recent Document.
- Go back to FTK Imager and look in the System Volume Information folder.
- Navigate to _restore{GUID}/RP27/snapshot
- Look at the File List window.
- Save the following files in the new folder you created: _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SYSTEM, _REGISTRY_USER_NTUSER_S.....-1003
- Open _REGISTRY_MACHINE_SAM in Registry Viewer and observe the number of users, their names and SIDs at this restore point. Do you see any difference from the SAM file you examined earlier?
- Follow steps similar to those on pages 224 and 225 (#5 - #16), but working with the Restore Points. Pay attention: NOT all information will be present, so instead explore additional folders and see what you can find.
- What can you tell about the user with SID 1003?
- Create a Summary Report with your findings and submit it on Campus Cruiser (refer to pages 227-230, but only read the portion related to Registry Viewer and Registry Files).
- ONLY if time permits, examine the UserAssist Registry key in the NTUSER.DAT file for Frodo Baggins and read this article from the supplemental materials: Understanding the UserAssist Registry Key
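The user names, SIDs and logon details that Registry Viewer shows for the SAM hive (the steps on pages 221 - 223 and the restore-point SAM above) come from the F and V values under SAM\Domains\Account\Users\<RID-in-hex>. The following is an added example, not part of the lab or the course text, that decodes those two binary values directly; the machine SID and the sample user record are constructed placeholders, not values from precious.E01.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bits in the F value's account-control (ACB) flags field at offset 0x38
ACB_DISABLED, ACB_PWNOTREQ, ACB_NORMAL, ACB_PWNOEXP = 0x0001, 0x0004, 0x0010, 0x0200

def filetime_to_utc(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01) -> UTC datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_v(v):
    """V value: the header holds (offset, length) pairs; offsets are relative to 0xCC."""
    def field(pos):
        off, length = struct.unpack_from("<II", v, pos)
        return v[0xCC + off:0xCC + off + length].decode("utf-16-le")
    return {"username": field(0x0C), "fullname": field(0x18)}

def parse_f(f):
    """F value: timestamps, RID, ACB flags and logon count at fixed offsets."""
    last_logon, = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", f, 0x18)
    rid, = struct.unpack_from("<I", f, 0x30)
    flags, = struct.unpack_from("<H", f, 0x38)
    logon_count, = struct.unpack_from("<H", f, 0x42)
    return {"rid": rid, "last_logon": filetime_to_utc(last_logon),
            "pwd_last_set": filetime_to_utc(pwd_last_set),
            "disabled": bool(flags & ACB_DISABLED), "logon_count": logon_count}

def user_record(key_name, f, v, machine_sid):
    """Combine a Users\\<RID-hex> key name with its F and V values into one summary row."""
    rid = int(key_name, 16)  # key name is the RID in hex: 000003EB -> 1003
    rec = {**parse_v(v), **parse_f(f)}
    rec["sid"] = f"{machine_sid}-{rid}"  # user SID = machine SID + RID
    return rec

# --- constructed test data (not taken from any real hive) ---
def build_v(username, fullname):
    u, n = username.encode("utf-16-le"), fullname.encode("utf-16-le")
    hdr = bytearray(0xCC)
    struct.pack_into("<II", hdr, 0x0C, 0, len(u))
    struct.pack_into("<II", hdr, 0x18, len(u), len(n))
    return bytes(hdr) + u + n

def build_f(rid, flags, logon_count, last_logon_ft):
    hdr = bytearray(0x50)
    struct.pack_into("<Q", hdr, 0x08, last_logon_ft)
    struct.pack_into("<I", hdr, 0x30, rid)
    struct.pack_into("<H", hdr, 0x38, flags)
    struct.pack_into("<H", hdr, 0x42, logon_count)
    return bytes(hdr)

MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder machine SID
SAMPLE = user_record("000003EB", build_f(1003, ACB_NORMAL | ACB_PWNOEXP, 7, 132223104000000000),
                     build_v("frodo", "Frodo Baggins"), MACHINE_SID)
```

The machine SID itself comes from the V value of SAM\Domains\Account (its last 12 bytes), which is why the lab pairs the SAM with the System hive in Registry Viewer.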