Digital Forensic Examination Summary Report
(for ALL lab assignments except Lab 0; remove red writing before submitting assignments)
Examiner: your name and company (simulated)
______________________________________________________________________________
Case Background: give an adequate description of the scenario as if the reader knows nothing about this case. Why are you conducting this examination? Who requested it? This should be more than 2-3 sentences. Use what's given to you in the lab scenario assignment to establish a quality case background.
______________________________________________________________________________
Legal Authority: (the authority to conduct the exam, e.g. warrant, consent, or government / organizational property. This must always be stated in a report):
______________________________________________________________________________
Tools Used:
For the sake of readers, who often are not technical, break this section into subsections:
Hardware
Software
(Include full software versions (simulate when necessary). Include the hardware, i.e. the system you used to conduct the examination (your desktop / laptop), with serial numbers. Also, simulate using a hardware write-blocker if the scenario doesn't specify how the data is write-protected.
A write-blocker prevents any writes to the media being examined so the examiner can acquire it safely without altering the original evidence.)
______________________________________________________________________________
Initial Processing: (show both acquisition and verification hash sums; list the media examined with a description and serial number; see Addendum A). Example verbiage: "The processing included inspection, photography, anti-virus scan, and the imaging laptop. The imaging of the media created forensic evidence files for use in the subsequent forensic examination. Methods were forensically sound and verifiable."
______________________________________________________________________________
Preliminary Findings: (out of X files analyzed, X were of forensic value; briefly describe the partition and file structure of the media examined; this is a synopsis of what you found of forensic value.)
______________________________________________________________________________
Detailed Findings: (this is where most or all of the case questions are answered, along with whatever else is required in the grading deliverables. This will always be the longest part of your report. If you feel that some detailed findings would be better placed in an Addendum, that is a good place too.)
______________________________________________________________________________
Conclusions / Further Actions Required: (just state the facts; recommend what other devices could be examined to further the case; recommend interviews of subjects if applicable; are there protected files that need decryption?
Do not make judgment calls, e.g. "John Smith should be removed from his position"; give the client the facts and let them make the decisions on what to do with the information.)
Each Addendum should start on a separate page.
Addendum A: Photos
(simulate with pics of similar devices you find on the Internet.
It is always a good idea to include a picture of the evidence you
examined.)
The following is a photograph of XXXX
PICTURE(s) SHOWN HERE
The following details the forensic image processing.
example: Seagate Hard Drive, 250GB, Serial #12345:
Digital Forensics Examiner (DFE) created forensic evidence
files of XXXX drive #XXXX.
The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files
(simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04
(example with four files)
The forensic imaging process involved a post processing hash
verification of the contents of the evidence file compared with
the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified
The forensic imaging process successfully created a forensically
sound and verifiable bit stream copy of the hard drive in the
form of forensic evidence files.
Addendum B: Steps Taken
These are your notes on the steps you took while conducting the
examination. Often, the examiner must submit their notes along
with the forensic report if a case goes to court.
I recommend just numbering your steps i.e. 1, 2, 3 in
chronological order.
Start with how you received the media and describe how you
sterilized the target media. For example:
1. Original USB drives and CD-Rs received from R. Jones.
Items labeled and chain of custody (COC) documentation
initiated.
2. Forensically sterilized target media prepared using Paladin
vX.XX.XXX. After launching the Paladin tool, the target media
was physically connected to the workstation running Paladin.
Target media was wiped and verified using the command “sudo
dcfldd pattern=00 vf=/dev/sdc”. Results were a match,
verifying the target media was forensically sterile.
3. describe your analysis steps
4. cont'd
Report End
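The Initial Processing section and Addendum A call for acquisition and verification hash sums, and Addendum B for a sterile-media check. The following Python script is an added example, not part of the lab template or of any tool the lab uses: it hashes constructed sample media in chunks, simulates splitting the bit-stream copy into numbered evidence-file segments, re-hashes the reassembled segments against the acquisition hashes, and checks that a wiped target contains only 0x00 bytes. The SAMPLE_MEDIA bytes, the segment size, and the evidence.E01 naming are assumptions made for the demo.

```python
import hashlib

# Constructed stand-in for the raw media contents (a real acquisition reads
# the block device through a write-blocker; this is just sample bytes).
SAMPLE_MEDIA = bytes(range(256)) * 64 + b"CMIT424 sample evidence"

# Simulated evidence-file segment size. Real E01 segments are far larger;
# this value only keeps the demo small.
SEGMENT_SIZE = 4096


def hash_media(data, chunk_size=1024):
    """Return MD5 and SHA1 hex digests of the media, read in chunks the way
    an imaging tool streams a device rather than loading it all at once."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def split_into_segments(data, segment_size=SEGMENT_SIZE):
    """Simulate splitting the bit-stream copy into numbered evidence-file
    segments (the .E01, .E02, ... naming the addendum template shows).
    Returns a list of (filename, bytes) pairs; the names are assumed."""
    segments = []
    for index, offset in enumerate(range(0, len(data), segment_size), start=1):
        name = f"evidence.E{index:02d}"
        segments.append((name, data[offset:offset + segment_size]))
    return segments


def reassemble(segments):
    """Concatenate the segments back into the full bit-stream copy."""
    return b"".join(chunk for _, chunk in segments)


def verify_image(pre_hashes, segments):
    """Post-processing verification: hash the reassembled evidence files and
    compare against the pre-processing (acquisition) hashes. Returns one
    'verified'/'MISMATCH' status per algorithm plus an overall flag."""
    post_hashes = hash_media(reassemble(segments))
    results = {}
    for algo in ("md5", "sha1"):
        results[algo] = "verified" if post_hashes[algo] == pre_hashes[algo] else "MISMATCH"
    results["all_verified"] = all(results[a] == "verified" for a in ("md5", "sha1"))
    return results


def is_sterile(data):
    """Addendum B sterile-media check: every byte of the target media must be
    0x00, the same condition the dcfldd pattern=00 verification reports."""
    return data.count(0) == len(data)


if __name__ == "__main__":
    pre = hash_media(SAMPLE_MEDIA)
    segs = split_into_segments(SAMPLE_MEDIA)
    print("Forensic Evidence Files Created:", segs[0][0], "-", segs[-1][0])
    for algo, digest in pre.items():
        print(f"{algo.upper()} checksum: {digest}")
    print(verify_image(pre, segs))
    print("target sterile:", is_sterile(b"\x00" * 512))
```

Run the script as-is to see the addendum's "checksum ... verified" lines produced from the sample bytes; swap SAMPLE_MEDIA for bytes read from an image file to hash real evidence. Both algorithms are kept because the template asks for MD5 and SHA1 side by side; a mismatch in either one means the evidence files do not reproduce the original media and the acquisition must be repeated.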
CMIT 424: Digital Forensics Analysis and Application
Lab 5: Reconstruct System Usage Using Registry and Other System Files
Before You Begin
1. Launch FTK
2. Restore the Lab 5 Case File from H:\CMIT424\Lab5\FTK Case Backup\Lab5 to C:\Cases
3. Examine the image using the FTK Examiner and Overview tabs. Note that there are carved files present in the image. ZIP files have also been expanded for you. (Refinement options for the Add Evidence job were: (a) Expand Compound Files: ZIP only and (b) Data Carve: BMP, GIF, JPG, PNG, PDF, MS OLE (documents).)
4. Decide if you will use “bookmarks” to help you keep track of
important files that you find as you work through this lab. It is
highly recommended that you do so. You can use “bookmarks”
to categorize and annotate files and then generate a
“Bookmarks” report with your annotations.
One more important note: there is more information in this
evidence file than you will have time to analyze for this lab.
You should make sure that you cover the important areas
discussed in each Guided Practice. But, you should also leave
yourself enough time to write your report and document your
findings. Do not get lost in the data!!!
Guided Practice #1: Analyzing the Windows Registry
In this part of the lab, you will use FTK and FTK Registry Viewer to generate a report that you will use in your analysis of the Windows registry. Use your best judgment and information from your readings to select additional keys that can provide answers to the case questions about how the virtual machine was used. Then, add these keys to your registry reports. For more information about which keys you should look at, see
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots and
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
As you work through this Guided Practice, “check” the files (in
the File List pane) that are important and which have time/date
information that can be used to construct a system usage
timeline. You will use these “checked” files in Guided Practice
#3.
Locate Registry Hive Files
1. Switch to the Overview tab in the Case Examiner window.
2. Expand the File Category node in the tree.
3. Click on the OS/File System Files node. Expand again to
display the list of subcategories.
4. Click on Windows NT Registry to display the list of registry
files in the File List pane.
5. Locate the System Hive in the File List pane. This file
contains the HKEY_Local_Machine (HKLM) registry keys.
Note the information displayed in the File Content pane.
SYSTEM Hive
6. Right-click on the System Hive in the File List pane. Select
“Open in Registry Viewer” from the pop-up menu.
7. Find HKLM\System\ControlSet001\Control\ComputerName\ComputerName (Expand tree nodes by clicking on the plus signs to the left of the node names.)
8. Add this key to the registry report
9. Find HKLM\System\ControlSet001\Control\TimeZoneInformation
10. Note that there are sub-keys with values displayed in the
upper right pane of the display. Note also that the Key
Properties, including “Last Written Time,” are displayed in the
lower left pane.
11. Add this key to the registry report.
12. Collapse the “Control” node under ControlSet001.
13. Expand the “Enum” node.
14. Find HKLM\System\ControlSet001\Enum\USBSTOR
15. Expand the nodes under USBSTOR and review the
information provided. Note that you can identify the
manufacturer and product name / type from the information
provided for the second and third entries under this node.
16. Click on the node below the “device” node. Review the
information provided in the right hand pane (Sub Key names
and values).
17. After you have finished your review, add this key “with
children” to the registry report.
18. Find HKLM\System\MountedDevices and add this key to your registry report.
19. From the Report menu, generate the registry report for your
selected keys.
20. Enter SYSTEM Registry Report in the Report Title field.
Enter Lastname_SYSTEM_RegistryReport in the Report
Filename field. Note that the location of the report will be
C:\Cases\Lab5\RegistryViewer\Reports.
21. Check the box to view the report, then click OK.
22. After the report opens, review the “Last Written Time” key
properties for each set of keys. You will use these values later
to update your timeline of events.
23. Close the Report and Registry Viewer windows and return
to the FTK Case Examiner Window.
24. Locate the Software Hive. Click on its name in the File List
pane to display information about this registry hive in the File
Contents pane.
SOFTWARE Hive
25. Right-click on the Software Hive in the File List pane.
Select “Open in Registry Viewer” from the pop-up menu.
26. In the Registry Viewer, find HKLM\Software\Microsoft\Windows NT\CurrentVersion
27. Select the key to view its values. Note that the Key
Properties pane gives the installation date. The Sub Keys and
Values provide additional information about the operating
system version, the registered owner, and other information
which you will need for your summary report.
28. Add this key to your registry report.
29. Explore the SOFTWARE hive to see if there is additional
information that you wish to add to the registry keys report. If
so, remember to “add key” or “add key with children” to the
report.
30. From the Report menu, generate the registry report for your
selected keys. Enter SOFTWARE Registry Report in the Report
Title field. Enter Lastname_SOFTWARE_RegistryReport in the
Report Filename field. Check the box to view the report, then
click OK.
31. After the report opens, review the “Last Written Time” key
properties for each set of keys. You will use these values later
to update your timeline of events.
32. Close the Report and Registry Viewer windows and return
to the FTK Case Examiner Window.
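Registry Viewer shows the USBSTOR entries (steps 14-17), the “Last Written Time” key properties (step 22), and the installation date under CurrentVersion (step 27), but interpreting these values by hand is error-prone. The Python below is an added example written for this edit, not code from FTK, Registry Viewer, or the course: it parses constructed USBSTOR key paths into vendor, product, revision and serial number, flags instance IDs that Windows generated because the device reported no serial number (second character is '&'), and converts a FILETIME last-written value, the Unix-epoch InstallDate, and a TimeZoneInformation Bias into readable times. The sample key paths and timestamp values are constructed, not taken from the lab image.

```python
from datetime import datetime, timedelta, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01), in 100-nanosecond intervals.
EPOCH_DIFF_100NS = 116444736000000000

# Constructed sample key paths (not from the lab image). The first device
# reported its own serial number; the second did not, so Windows generated
# an instance ID whose second character is '&'.
SAMPLE_USBSTOR_KEYS = [
    r"HKLM\System\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
    r"HKLM\System\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",
]


def filetime_to_utc(filetime):
    """Convert a 'Last Written Time' stored as a 64-bit FILETIME (100 ns
    ticks since 1601-01-01 UTC) to a timezone-aware datetime."""
    unix_100ns = filetime - EPOCH_DIFF_100NS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_100ns // 10)


def install_date_to_utc(install_date):
    r"""InstallDate under HKLM\Software\Microsoft\Windows NT\CurrentVersion is
    a 32-bit Unix epoch value (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def utc_to_local(utc_dt, bias_minutes):
    r"""Apply TimeZoneInformation\Bias (minutes; UTC = local time + Bias) so a
    UTC registry timestamp is shown in the machine's configured local time."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def parse_usbstor_path(key_path):
    r"""Parse a USBSTOR device-instance key path of the form
    ...\USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\INSTANCE into its fields.
    Windows builds the device ID from the USB descriptors; when the device
    reports no serial number, the instance ID is generated and its second
    character is '&', so the leading token is not a usable serial."""
    parts = key_path.rstrip("\\").split("\\")
    try:
        idx = [p.upper() for p in parts].index("USBSTOR")
    except ValueError:
        raise ValueError("not a USBSTOR key path")
    if len(parts) < idx + 3:
        raise ValueError("path must include the device ID and instance ID")
    device_id, instance_id = parts[idx + 1], parts[idx + 2]
    tokens = device_id.split("&")
    fields = {"device_type": tokens[0], "instance_id": instance_id}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for token in tokens[1:]:
        prefix, _, value = token.partition("_")
        fields[names.get(prefix, prefix)] = value
    from_device = len(instance_id) > 1 and instance_id[1] != "&"
    fields["serial_from_device"] = from_device
    fields["serial"] = instance_id.split("&")[0] if from_device else None
    return fields


def usb_device_record(key_path, last_written_filetime, bias_minutes=0):
    """One row for the registry summary table: parsed device fields plus the
    key's last-written time in UTC and in the machine's local time."""
    rec = parse_usbstor_path(key_path)
    written_utc = filetime_to_utc(last_written_filetime)
    rec["last_written_utc"] = written_utc.isoformat()
    rec["last_written_local"] = utc_to_local(written_utc, bias_minutes).isoformat()
    return rec


if __name__ == "__main__":
    # Constructed values: a FILETIME equal to 2010-01-01 00:00:00 UTC and an
    # Eastern Standard Time bias of 300 minutes.
    for key in SAMPLE_USBSTOR_KEYS:
        print(usb_device_record(key, 129067776000000000, bias_minutes=300))
    print("InstallDate:", install_date_to_utc(1262304000).isoformat())
```

Paste the key paths shown in Registry Viewer into SAMPLE_USBSTOR_KEYS and the Last Written Time values as FILETIME integers to produce the vendor / product / serial rows the overview asks for. A record with serial_from_device False should be reported as "no device serial number" rather than as the generated token, since that token is not unique to the physical device.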
USER Hive
33. Locate the user profile NTUSER.DAT files. There will be
multiple files. You will need to widen the File Path column to
see where each of these files occurs. For your review, use only
those files found under [root]/Users/....
34. These files contain the HKEY_Current_User or HKCU
registry keys. Record the profile name for each of these files
(from the file path). You will use the profile name to name the
registry report file. You will also use these registry report files
to construct your system usage timeline.
35. For each NTUSER.DAT file:
a. Add the file to your Registry Files bookmark and open it in
Registry Viewer.
b. Using Edit > Find and Edit > Find Next (also F3), locate keys
and key values that have forensic value. Focus on keys that
have information required for your system usage timeline.
These keys include:
i. Most Recently Used Lists (MRU)
ii. Typed URL Lists
iii. Recent Docs (note the drive letters as well as the file names)
c. As you find useful registry keys, add the keys to your registry
report.
d. When you are finished your inspection of the registry,
generate the registry report for the associated user profile. Enter
[profilename] Registry Report in the Report Title field and
Lastname_[profilename]_RegistryReport in the Report Filename
field. Check the box to view the report, then click OK.
e. After the report opens, review the information.
f. Close the Report and Registry Viewer windows and return to
the FTK Case Examiner Window.
Guided Practice #2: Analyzing Folders and Files to Investigate System Usage
As you work through this section, “check” the files (in the File
List pane) which have time/date information that can be used to
construct a system usage timeline. You will use these “checked”
files in Guided Practice #3.
System Files
1. Click on the Overview tab. Expand the File Categories
container.
2. Click on the Operating System files node to display the list
of files in this category.
3. Using the File List pane and File Contents pane, find and
review the types of files listed below. Note: FTK will provide
an interpreted (formatted) display for certain types of system
files. You may wish to snapshot or copy this information for
later use in answering the case questions and preparing your
system usage timeline. You should also review the file
properties shown in the file contents pane.
a. Bootstat.dat (there are two; the file dates will tell you the
date of the first boot after installation and the date/time of the
last shutdown)
b. Page File (pagefile.sys)
c. System and user-level log files
d. User profiles (especially the recent files list and the contents
of the desktop)
e. Link files (shortcuts)
f. Prefetch files
User Profiles
1. Return to the Explore tab and open the Evidence Items tree
until you see Users. Expand this node. Identify the user profiles
on the system. In this case, we have one “profile” which is not a
standard profile – George Dean. We will want to examine this
profile more closely.
2. Click on the Folder icon for “George Dean” in the Evidence
Items tree. This will cause the contents of the folder to be
displayed in the File List pane. Review the files and the
metadata for each one (decide which items you will use to help
construct your system usage timeline). At a minimum, you
should look at the following:
· All files and folders listed under the desktop folder
· All files and folders listed in subfolders under the desktop
folder
· Recent folder for user profile and all shortcut files listed
under the recent folder
· Documents, downloads, pictures, and music folders for user
profile
· All files and folders listed under each top-level folder (in the
same file path)
· Find the Recycle bin for this user profile ($Recycle.bin).
Then, identify all files and folders listed under $Recycle.bin
Note: The image file used in this lab may contain artifacts
related to internet browsing. You should note the presence of
these files in your report. No other processing of the browser
history and browser cache files is required for this lab. (These
artifacts will be processed and examined in Lab 6.)
Program Files (Applications)
1. Return to the Evidence tab. In the Evidence Items tree, open
the nodes until you find [root]/Windows/ProgramData and
[root]/Windows/Program Files.
2. Examine the contents of these folders. You should see a top-
level folder for each software application installed on top of the
Windows 7 installation (e.g., antivirus, utilities, word
processing packages, web browsers). (Note: you can also
identify software applications by looking for folders or links on
the desktops under each user profile.)
a. Record the forensically interesting software applications
(applications that are not part of the Windows operating system
installation).
b. Review the file dates/times for each software application.
3. In your analysis, do not include any applications that have
last modified dates occurring before the first boot date for this
Windows 7 installation (these were installed as part of Windows
7).
Guided Practice #3: Using File System Metadata to Create a System Usage Timeline
Review Your Analysis Results
This guided practice depends upon the “checked files” which
you identified in the first two Guided Practices for this lab. If
you did not check files as you worked through those exercises,
you will need to go back and do so before starting this last
Guided Practice.
After you have selected files, review your selections (your
“checked” files). You should not have more than 100
“important” files in your checked files list. If you do, review
the files that you have checked and determine which ones can
be removed from your list. Use the Overview tab > File Items
node to review your checked files.
Create an Inventory with Timeline Information
1. Create a file inventory containing the file system metadata
for all checked files (do not include any other files):
a. Right-click in the file list pane.
b. Select Export File List Info from the pop-up menu.
c. In the export options window, select “All checked.”
d. Name your file yourlastname_Lab5_FileList.csv.
e. In the Save as type drop-down, select CSV (Comma
delimited) (*.csv).
2. Open your inventory using Excel or another spreadsheet
application.
a. Format the spreadsheet to give it a professional appearance.
b. Save your file inventory as an XLSX or XLS spreadsheet.
3. Examine the file system metadata shown in your file
inventory. As you perform your examination, annotate your file
inventory spreadsheet to record your analysis and/or findings.
4. Using your file inventory, create a table containing your
system usage timeline. Suggested steps are as follows:
a. Use Excel’s sorting function to examine the timeline of
system usage. First, sort your file inventory by Creation Date
and then by File Path.
b. Examine the spreadsheet entries to determine when files were
created; draw conclusions as to when the Windows 7 operating
system was installed, when software applications were installed,
etc.
c. Sort your spreadsheet by Last Modified Date and File Path.
Reexamine the spreadsheet entries to determine how and when
the system was used (what activities or events occurred).
d. Highlight rows in the spreadsheet that contain information
about significant events or that provide information that can be
used to answer one or more of the case questions.
e. Transfer information from your spreadsheet into your
timeline table.
5. Review the information provided by your examination of the
registry files. Add significant event information to your
timeline table (e.g., time and date that important registry keys
were last written along with the key names and values).
Guided Practice #4: Report Writing
For this lab, you will prepare a summary report and a system
usage timeline. Use the guidance from previous labs to assist
you in deciding how to present your findings. Your “high level
summaries” of your analysis results should be *summaries* not
a compendium of every piece of information found in the image.
Focus on providing data which provides support to your answers
to the case questions. Irrelevant information should not be
included.
Your deliverables are:
1. Incident Investigation Summary Report (5-8 pages with
tables / screen shots)
Prepare a memo-format report summarizing answers to the case
questions and providing documentation as to the tools,
techniques, and procedures used in this lab. Your report should
include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
2. System Usage Timeline (attachment to report)
This table was created in Guided Practice #3 of this lab.
Required Software
· Forensic Toolkit
· FTK Registry Viewer
· MS Excel (or equivalent spreadsheet application)
Deliverables
· Incident Investigation Summary Report
· System Usage Timeline
Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling,
punctuation, etc.)
after the employee's unexpected resignation.
During case triage, it was determined that VMWare was
installed on the laptop. Several folders containing virtual
machines were also found. A forensic image (E01 format) was
created from each of the virtual disks (VMDK files) by a
forensic technician using FTK Imager.
You have been asked to contribute to the investigation by
reconstructing the usage of one of the virtual machines from the
contents of the associated VMDK file. The chain-of-custody log
states that this file contains a Windows 7 system disk.
The lead investigator has asked you to address the following
case questions during your examination of the evidence. (Ignore
the Internet cache and index files for this lab; you will analyze
and report on them in Lab 6.)
1. When was the Windows 7 image created (installed in the
VM), and during what time period was it in use?
2. What software applications were loaded and available for use
in the VM?
3. Who used the Windows 7 VM? (More than one user?)
4. What was the Windows 7 VM used for?
5. Was the VM used regularly or repeatedly?
6. Are there indications of an intent to hide or obscure how the
VM was used?
7. Are there indications of an intent to use the VM to facilitate
illegal or unethical behavior? (Unethical includes actions that
are contrary to the employer's best interests or that violate the
company's Acceptable Use Policy governing use of company
resources—i.e., the laptop on which the VM was found.)
Lab 5 Overview
In this lab you will search for, recover, and analyze system
usage information from a forensic image provided by your
instructor. At a minimum, you should perform the following
tasks:
· Analyze the Windows Registry to recover information about
the Windows 7 operating system and how it was used.
· Analyze the contents of system log files, link files (shortcuts),
and prefetch files.
· Reconstruct user-level system usage using information
recovered from folders and files stored in user profiles.
· Analyze the contents of the recycle bin.
· Reconstruct system-level usage information found in the file
system metadata (use the information shown in the file list
pane).
· Construct a timeline showing significant system usage events,
such as boot, shutdown, installation of software, installation of
patches or updates, user logins, etc.
· Note: The provided forensic image has been modified for
training purposes.
· The virtual disk is no longer bootable.
· Files whose contents are not required for this examination
have been overwritten with 0x00 (securely wiped).
· The file system data structures have not been modified; the
original directory entries remain intact.
As you complete your analysis for this lab, you will need to
keep track of specific files that provide forensically important
information for your analysis and reporting. In previous labs,
you used an annotated file inventory for this purpose. In this
lab, you will learn two more methods:
· checked files (see Chapter 17, FTK User Guide) and
· bookmarks (see Chapter 23, FTK User Guide)
Both of these tracking features are accessed in the file list pane
by right-clicking on the filename and then selecting the feature
from the pop-up menu. You can also access the case Bookmarks
using the Bookmarks tab at the top of the Examiner Window.
In Guided Practice #1, you will examine the contents of the
Windows 7 registry. Your examination of the individual
Windows 7 registry hives should provide you with the following
information and/or answers to questions listed below. You will
need this information to answer the case questions. In this part
of the lab, you will also generate a registry report that
documents the associated keys and key values.
· Operating system version.
· Installation date.
· Registered owner. (Is there something odd about this?)
· Computer name.
· Current time zone.
· Fixed hard drives (virtual drives) used in the VM (mounted
devices).
· Removable USB media used in the VM. What are the
manufacturer and serial numbers of the USBs?
· Installed software (provide a list of all sub keys showing user-
installed software packages; add rows as necessary). Pay
attention to the last written dates for keys. Keys prior to the
installation date represent software that is part of the Windows
7 package and, for this lab, should not be included in your list
of installed software.
· Installed software for individual users (find and process the
NTUSER.DAT file for each user on the system; this file
contains the HKCU hive).
· Recent files accessed by individual users (find and process the
NTUSER.DAT file for each user on the system; this file
contains the HKCU hive).
· Most recently used (MRU) items including software
applications and files.
· Any additional keys you found to be helpful in determining
how this VM was used, when it was used, and who used it.
In Guided Practice #2, you will examine the contents of link
files (shortcut files), log files, and prefetch files recovered from
the virtual disk. (You may need to research the format and
usage for specific file types to learn more about what they can
tell you regarding system usage.) The file contents provide
information about events that occurred or actions that were
performed, and possibly also when those events occurred. The
locations of these files will provide information as to who
(system or a specific user account) performed the actions
captured in the contents and metadata. When reviewing these
files, be sure to examine both the contents and the file
properties using the file contents pane. In this part of the lab,
you will mark files of forensic interest (ones that you will use
to answer the case questions) using checked files and Bookmark
categories. You will then generate an FTK report that lists the
files (by file path), the Bookmark categories, and the files
included under each bookmark.
Before you begin this part of the lab, you should decide upon
the format that you will use to create your system usage
timeline. Your timeline could be presented in a table in a
Microsoft Word document or as an Excel spreadsheet. The
important thing to remember is that your timeline should clearly
show the events that are of forensic interest and the date/time of
occurrence for each event. You should also list the files that
provided the information about each event. Below is a suggested
table format for a system usage timeline. This format can be
used in either Microsoft Word or Microsoft Excel.
Date/Time | Event | Description | Files or Artifacts created or modified
In Guided Practice #3, you will generate an inventory of
selected folders and files from the forensic image of the virtual
disk. You will use this inventory to construct a tentative
timeline of events and identify file/folder entries that can
provide answers to the case questions. For this part of the lab,
your analysis is restricted to file properties and directory-level
information—file paths, creation dates, last access dates, last
modified dates, etc.
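Guided Practice #3 (and the paragraph above) builds the timeline by sorting the exported file inventory and reading off installation, usage and shutdown events. The following Python is an added example, not part of the lab or of FTK: it parses a constructed FTK-style "Export File List Info" CSV, sorts it by a date column and then by path as in steps 4a and 4c, takes the first boot and last shutdown from the dates of bootstat.dat (GP#2 step 3a), excludes Program Files applications whose files were last modified before the first boot (GP#2 step 3), and emits rows in the suggested Date/Time, Event, Description, Files table. Every row in SAMPLE_INVENTORY_CSV is constructed, and the column names and timestamp format are assumptions about the export.

```python
import csv
import io
from datetime import datetime

FTK_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # assumed export format, e.g. 5/3/2012 9:02:11 AM
PROGRAM_FILES = "[root]/Program Files/"

# Constructed sample export (not from the lab image); column names are an
# assumption about FTK's "Export File List Info" output.
SAMPLE_INVENTORY_CSV = """\
Name,Path,Created,Modified,Accessed,Size
bootstat.dat,[root]/Windows/bootstat.dat,5/3/2012 9:02:11 AM,5/21/2012 6:40:05 PM,5/21/2012 6:40:05 PM,67584
ntoskrnl.exe,[root]/Windows/System32/ntoskrnl.exe,7/13/2009 11:15:09 PM,7/13/2009 11:15:09 PM,5/3/2012 9:01:50 AM,3954752
iexplore.exe,[root]/Program Files/Internet Explorer/iexplore.exe,7/13/2009 11:14:20 PM,7/13/2009 11:14:20 PM,5/3/2012 9:01:50 AM,673040
firefox.exe,[root]/Program Files/Mozilla Firefox/firefox.exe,5/4/2012 10:15:32 AM,5/4/2012 10:15:32 AM,5/9/2012 8:40:12 PM,924632
7z.exe,[root]/Program Files/7-Zip/7z.exe,5/9/2012 8:47:01 PM,5/9/2012 8:47:01 PM,5/9/2012 8:47:01 PM,290304
report.docx.lnk,[root]/Users/George Dean/AppData/Roaming/Microsoft/Windows/Recent/report.docx.lnk,5/9/2012 9:02:44 PM,5/9/2012 9:02:44 PM,5/9/2012 9:02:44 PM,812
"""


def parse_inventory(csv_text):
    """Read the exported file list and turn the three timestamp columns into
    datetime objects so they sort chronologically rather than as text."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("Created", "Modified", "Accessed"):
            row[col] = datetime.strptime(row[col], FTK_TIME_FORMAT)
        rows.append(row)
    return rows


def sort_inventory(rows, date_column):
    """Steps 4a and 4c: sort by a date column, then by file path."""
    return sorted(rows, key=lambda r: (r[date_column], r["Path"]))


def first_boot_and_last_shutdown(rows):
    """bootstat.dat: its creation date is the first boot after installation
    and its last-modified date is the last shutdown (GP#2, step 3a)."""
    for r in rows:
        if r["Path"].lower() == "[root]/windows/bootstat.dat":
            return r["Created"], r["Modified"]
    raise LookupError("bootstat.dat not in inventory")


def application_name(path):
    """Top-level folder under Program Files, or None for other paths."""
    if not path.startswith(PROGRAM_FILES):
        return None
    return path[len(PROGRAM_FILES):].split("/", 1)[0]


def installed_applications(rows, first_boot):
    """GP#2 step 3: applications under Program Files, excluding any whose
    files were all last modified before the first boot (those shipped with
    Windows 7 rather than being installed afterwards)."""
    apps = set()
    for r in rows:
        app = application_name(r["Path"])
        if app and r["Modified"] >= first_boot:
            apps.add(app)
    return sorted(apps)


def build_timeline(rows):
    """Assemble rows for the suggested table: Date/Time, Event, Description,
    Files or Artifacts created or modified, in chronological order."""
    first_boot, last_shutdown = first_boot_and_last_shutdown(rows)
    events = [
        {"Date/Time": first_boot, "Event": "First boot after installation",
         "Description": "Creation of bootstat.dat", "Files": "[root]/Windows/bootstat.dat"},
        {"Date/Time": last_shutdown, "Event": "Last shutdown",
         "Description": "Last modification of bootstat.dat", "Files": "[root]/Windows/bootstat.dat"},
    ]
    for app in installed_applications(rows, first_boot):
        app_rows = [r for r in rows if application_name(r["Path"]) == app]
        earliest = min(app_rows, key=lambda r: r["Created"])
        events.append({"Date/Time": earliest["Created"], "Event": f"Application installed: {app}",
                       "Description": "Earliest file creation under the application folder",
                       "Files": earliest["Path"]})
    for r in rows:
        # A shortcut in the profile's Recent folder records that the user opened the target file.
        if "/Recent/" in r["Path"] and r["Name"].lower().endswith(".lnk"):
            events.append({"Date/Time": r["Created"], "Event": "Recent-file shortcut created",
                           "Description": f"User opened {r['Name'][:-4]}", "Files": r["Path"]})
    return sorted(events, key=lambda e: e["Date/Time"])


def format_timeline(events):
    """Render the timeline as pipe-separated rows ready to paste into a table."""
    return "\n".join(f"{e['Date/Time']:%Y-%m-%d %H:%M:%S} | {e['Event']} | "
                     f"{e['Description']} | {e['Files']}" for e in events)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY_CSV)
    print(format_timeline(build_timeline(inventory)))
```

Replace SAMPLE_INVENTORY_CSV with the contents of yourlastname_Lab5_FileList.csv to run it on a real export. The first-boot cut-off implements the lab's rule literally; note that it keys on the last-modified date of files under each application folder, so the analyst still has to confirm each hit against the registry reports before recording it as a user-installed package.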
In Guided Practice #4, you will write a lab report memo (three
to five pages maximum) in which you document your answers to
the case questions. Each answer must be supported by
information contained in the forensic image and you must
identify which artifacts (files or folders) support your answers.
Provide your supporting documentation, i.e., registry reports,
file inventory, and timeline of system usage, as a single zip
archive. The registry reports, file inventory and timeline files
should be submitted in a single zip file archive; this
documentation is not counted in the lab memo page count.
Required Software
· Forensic Toolkit
· FTK Registry Viewer
· WinHex
· MS Office (Word, Excel, PowerPoint)
· Adobe Reader (or another PDF file viewer)
· Web browser
Required Software
· Forensic Toolkit
· FTK Registry Viewer
· MS Excel (or equivalent spreadsheet application)
Deliverables
1. Incident Investigation Summary Report (5-8 pages with
tables / screen shots)
Prepare a memo-format report summarizing answers to the case
questions and providing documentation as to the tools,
techniques, and procedures used in this lab. Your report should
include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
Note: Your “high level summaries” of your analysis results
should be *summaries* not a compendium of every piece of
information found in the image. Focus on providing data which
provides support to your answers to the case questions.
Irrelevant information should not be included.
2. System Usage Timeline
This table will be created in Guided Practice #3.
Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling,
punctuation, etc.)
Lab 5 Outcomes
Course Outcomes for Lab 5
· reconstruct system usage using Windows Registry and other