Digital Forensic Examination Summary Report
(for ALL lab assignments except Lab 0; remove red writing
before submitting assignments)
Examiner: your name and company (simulated)
______________________________________________________________________________
Case Background: give an adequate description of the scenario
as if the reader knows nothing about this case. Why are you
conducting this examination? Who requested it? This should be
more than 2-3 sentences. Use what is given to you in the lab
scenario assignment to establish a quality case background.
______________________________________________________________________________
Legal Authority: (the authority to conduct the examination, i.e.,
a warrant, consent, or government / organizational property.
This must always be stated in a report):
______________________________________________________________________________
Tools Used:
For the sake of readers, who often are not technical, break up
this section into subsections:
Hardware
Software
(Include full software versions (simulate when necessary).
Include the hardware used to conduct the examination, i.e., your
desktop / laptop, with serial numbers. Also, simulate using a
hardware write-blocker if the scenario doesn't specify how the
data is write protected.
A write-blocker prevents any writes to the media being
examined, so the examiner can acquire it safely without altering
the original evidence.)
______________________________________________________________________________
Initial Processing (show both acquisition and verification hash
sums; list the media examined with description and serial
number / see Addendum A) example verbiage: "The processing
included inspection, photography, anti-virus scan, and the
imaging laptop. The imaging of the media created forensic
evidence files for use in the subsequent forensic examination.
Methods were forensically sound and verifiable."
______________________________________________________________________________
Preliminary Findings: (out of analyzing X number of files, X
were of forensic value; briefly describe the partition and file
structure of the media examined; this is a synopsis of what you
found of forensic value.)
______________________________________________________________________________
Detailed Findings: (this is where most or all of the case
questions can be answered along with whatever else is required
in the grading deliverables. This will always be the longest part
of your report. If you feel that some detailed findings would be
better placed in an Addendum, that's a good place too).
______________________________________________________________________________
Conclusions / Further Actions Required: (just state the facts;
recommend what other devices could be examined to further the
case; recommend interviews of subjects if applicable; are there
protected files that need decryption?
Do not make judgment calls, e.g., "John Smith should be removed
from his position"; give the client the facts and let them make
the decisions on what to do with the information.)
Each Addendum should start on a separate page.
Addendum A: Photos
(simulate with pics of similar devices you find on the Internet.
It is always a good idea to include a picture of the evidence you
examined.)
The following is a photograph of XXXX
PICTURE(s) SHOWN HERE
The following details the forensic image processing.
example: Seagate Hard Drive, 250GB, Serial #12345:
Digital Forensics Examiner (DFE) created forensic evidence
files of XXXX drive #XXXX.
The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files
(simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04
(example with four files)
The forensic imaging process involved a post processing hash
verification of the contents of the evidence file compared with
the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX: verified
SHA1 checksum: XXXX: verified
The forensic imaging process successfully created a forensically
sound and verifiable bit stream copy of the hard drive in the
form of forensic evidence files.
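The pre-/post-processing hash comparison described in this addendum, as an added Python example that is not part of the template: a constructed byte buffer stands in for the acquired drive, it is split into numbered segments in the style of XXX.E01 - XXX.E04, and the evidence set is rehashed and compared with the recorded acquisition hashes, with a deliberately altered copy showing the mismatch that verification exists to catch. Real E01 files are containers, so imaging tools hash the contained data rather than the raw segment files; the raw split used here is a simplification.

```python
import hashlib

# Constructed stand-in for the acquired media (16 KiB of made-up data, not evidence).
SAMPLE_DRIVE = bytes(range(256)) * 64


def hash_stream(chunks):
    """Return (md5, sha1) hex digests over an iterable of byte chunks, in order.
    Hashing chunk by chunk mirrors what imaging tools do: the whole drive is
    never held in memory, and the digest covers the logical bit stream."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire(drive, segment_size):
    """Simulate imaging: record the pre-processing hashes of the source, then
    write the bit stream out as numbered segment files (evidence.E01, .E02, ...)."""
    pre_md5, pre_sha1 = hash_stream([drive])
    segments = [drive[i:i + segment_size] for i in range(0, len(drive), segment_size)]
    names = ["evidence.E%02d" % (n + 1) for n in range(len(segments))]
    return {"pre_md5": pre_md5, "pre_sha1": pre_sha1, "segments": dict(zip(names, segments))}


def verify(evidence):
    """Post-processing verification: rehash the evidence files in segment order
    and compare each digest with the recorded pre-processing hash.
    Returns {"MD5": (digest, status), "SHA1": (digest, status)}."""
    ordered = [evidence["segments"][name] for name in sorted(evidence["segments"])]
    post_md5, post_sha1 = hash_stream(ordered)
    return {
        "MD5": (post_md5, "verified" if post_md5 == evidence["pre_md5"] else "MISMATCH"),
        "SHA1": (post_sha1, "verified" if post_sha1 == evidence["pre_sha1"] else "MISMATCH"),
    }


def tamper(evidence, name, offset):
    """Return a copy of the evidence set with one byte of one segment flipped.
    Used only to show that verification detects any post-acquisition change."""
    seg = bytearray(evidence["segments"][name])
    seg[offset] ^= 0xFF
    segments = dict(evidence["segments"])
    segments[name] = bytes(seg)
    return {**evidence, "segments": segments}


def addendum_lines(evidence):
    """Render the hash analysis in the wording this addendum uses."""
    result = verify(evidence)
    return ["%s checksum: %s: %s" % (alg, digest, status)
            for alg, (digest, status) in result.items()]


if __name__ == "__main__":
    ev = acquire(SAMPLE_DRIVE, 4096)
    print("Forensic Evidence Files Created:", ", ".join(sorted(ev["segments"])))
    print("\n".join(addendum_lines(ev)))
    print("\n".join(addendum_lines(tamper(ev, "evidence.E03", 10))))
```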
Addendum B: Steps Taken
These are your notes on the steps you took while conducting the
examination. Often, the examiner must submit their notes along
with the forensic report if a case goes to court.
I recommend just numbering your steps, e.g., 1, 2, 3, in
chronological order.
Start with how you received the media and describe how you
sterilized the target media. For example:
1. Original USB drives and CD-Rs received from R. Jones.
Items labeled and chain of custody (COC) documentation
initiated.
2. Forensically sterilized target media prepared using Paladin
vX.XX.XXX. After launching the Paladin tool, the target media
was physically connected to the workstation running Paladin.
Target media was wiped and verified using command “sudo
dcfldd pattern=00 vf=/dev/sdc.” Results were a match,
verifying the target media was forensically sterile.
3. describe your analysis steps
4. cont'd
Report End
CMIT 424: Digital Forensics Analysis and Application
Lab 5: Reconstruct System Usage Using Registry and Other
System Files
Before You Begin
1. Launch FTK
2. Restore the Lab 5 Case File from H:\CMIT424\Lab5\FTK
Case Backup\Lab5 to C:\Cases
3. Examine the image using the FTK Examiner and Overview
tabs. Note that there are carved files present in the image. ZIP
files have also been expanded for you. (Refinement options for
the Add Evidence job were: (a) Expand Compound Files: ZIP
only and (b) Data Carve: BMP, GIF, JPG, PNG, PDF, MS OLE
(documents).)
4. Decide if you will use “bookmarks” to help you keep track of
important files that you find as you work through this lab. It is
highly recommended that you do so. You can use “bookmarks”
to categorize and annotate files and then generate a
“Bookmarks” report with your annotations.
One more important note: there is more information in this
evidence file than you will have time to analyze for this lab.
You should make sure that you cover the important areas
discussed in each Guided Practice. But, you should also leave
yourself enough time to write your report and document your
findings. Do not get lost in the data!!!
Guided Practice #1: Analyzing the Windows Registry
In this part of the lab, you will use FTK and FTK Registry
viewer to generate a report that you will use in your analysis of
the Windows registry. Use your best judgment and information
from your readings to select additional keys that can provide
answers to the case questions about how the virtual machine
was used. Then, add these keys to your registry reports. For
more information about which keys you should look at, see
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots and
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
As you work through this Guided Practice, “check” the files (in
the File List pane) that are important and which have time/date
information that can be used to construct a system usage
timeline. You will use these “checked” files in Guided Practice
#3.
Locate Registry Hive Files
1. Switch to the Overview tab in the Case Examiner window.
2. Expand the File Category node in the tree.
3. Click on the OS/File System Files node. Expand again to
display the list of subcategories.
4. Click on Windows NT Registry to display the list of registry
files in the File List pane.
5. Locate the System Hive in the File List pane. This file
contains the HKEY_LOCAL_MACHINE (HKLM) registry keys.
Note the information displayed in the File Content pane.
SYSTEM Hive
6. Right-click on the System Hive in the File List pane. Select
“Open in Registry Viewer” from the pop-up menu.
7. Find
HKLM\System\ControlSet001\Control\ComputerName\ComputerName
(Expand tree nodes by clicking on the plus signs to the
left of the node names.)
8. Add this key to the registry report
9. Find
HKLM\System\ControlSet001\Control\TimeZoneInformation
10. Note that there are sub-keys with values displayed in the
upper right pane of the display. Note also that the Key
Properties, including “Last Written Time,” are displayed in the
lower left pane.
11. Add this key to the registry report.
12. Collapse the “Control” node under ControlSet001.
13. Expand the “Enum” node.
14. Find HKLM\System\ControlSet001\Enum\USBSTOR
15. Expand the nodes under USBSTOR and review the
information provided. Note that you can identify the
manufacturer and product name / type from the information
provided for the second and third entries under this node.
16. Click on the node below the “device” node. Review the
information provided in the right hand pane (Sub Key names
and values).
17. After you have finished your review, add this key “with
children” to the registry report.
18. Find HKLM\System\MountedDevices and add this key to
your registry report.
19. From the Report menu, generate the registry report for your
selected keys.
20. Enter SYSTEM Registry Report in the Report Title field.
Enter Lastname_SYSTEM_RegistryReport in the Report
Filename field. Note that the location of the report will be
C:CasesLab5RegistryViewerReports.
21. Check the box to view the report, then click OK.
22. After the report opens, review the “Last Written Time” key
properties for each set of keys. You will use these values later
to update your timeline of events.
23. Close the Report and Registry Viewer windows and return
to the FTK Case Examiner Window.
24. Locate the Software Hive. Click on its name in the File List
pane to display information about this registry hive in the File
Contents pane.
SOFTWARE Hive
25. Right-click on the Software Hive in the File List pane.
Select “Open in Registry Viewer” from the pop-up menu.
26. In the Registry Viewer, find
HKLM\Software\Microsoft\Windows NT\CurrentVersion
27. Select the key to view its values. Note that the Key
Properties pane gives the installation date. The Sub Keys and
Values provide additional information about the operating
system version, the registered owner, and other information
which you will need for your summary report.
28. Add this key to your registry report.
29. Explore the SOFTWARE hive to see if there is additional
information that you wish to add to the registry keys report. If
so, remember to “add key” or “add key with children” to the
report.
30. From the Report menu, generate the registry report for your
selected keys. Enter SOFTWARE Registry Report in the Report
Title field. Enter Lastname_SOFTWARE_RegistryReport in the
Report Filename field. Check the box to view the report, then
click OK.
31. After the report opens, review the “Last Written Time” key
properties for each set of keys. You will use these values later
to update your timeline of events.
32. Close the Report and Registry Viewer windows and return
to the FTK Case Examiner Window.
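How to interpret the raw values behind the SYSTEM and SOFTWARE hive keys examined above, as an added Python example (not part of the lab or of FTK Registry Viewer): the CurrentVersion InstallDate DWORD, the TimeZoneInformation bias, the FILETIME behind a key's "Last Written Time", and the USBSTOR device and instance key names. The sample values are constructed for the example and are not taken from the lab image; Registry Viewer already shows the decoded times, so the point is to know what they mean before they go into the timeline.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values in the shape Registry Viewer shows them (made up, not from the image).
SAMPLE_INSTALL_DATE = 1420113600  # CurrentVersion\InstallDate, a DWORD
SAMPLE_ACTIVE_TIME_BIAS = 300     # TimeZoneInformation\ActiveTimeBias, minutes (UTC = local + bias)
SAMPLE_USBSTOR = {
    # device key -> {instance key: Last Written Time as a raw FILETIME}
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP": {"001CC0EC34D5F0B1&0": 130656412345678900},
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {"7&1a2b3c4d&0": 130660000000000000},
}


def filetime_to_utc(filetime):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC), the raw form of a
    key's 'Last Written Time', to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def install_date_to_utc(install_date):
    """CurrentVersion\\InstallDate stores seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def to_local(dt_utc, active_time_bias_minutes):
    """Apply the TimeZoneInformation bias so registry times can be compared with
    file system times shown in the machine's local time: local = UTC - bias."""
    return dt_utc - timedelta(minutes=active_time_bias_minutes)


def parse_usbstor_device(device_key):
    """Split 'Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>' into its fields."""
    parts = device_key.split("&")
    info = {"type": parts[0]}
    for p in parts[1:]:
        for prefix, field in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if p.startswith(prefix):
                info[field] = p[len(prefix):]
    return info


def parse_usbstor_instance(instance_key):
    """The child key under each device is the USB serial number plus '&<interface>'.
    If the second character is '&', the device reported no serial and Windows made
    the identifier up, so it cannot be used to identify one physical stick."""
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    serial = None if generated else instance_key.split("&")[0]
    return {"instance": instance_key, "serial": serial, "windows_generated": generated}


def usbstor_timeline_rows(usbstor):
    """Turn the USBSTOR subtree into rows for the system usage timeline, sorted by time.
    A subkey's last written time reflects the last update to that key, which is
    usually the device's most recent connection, not its first."""
    rows = []
    for device_key, instances in usbstor.items():
        dev = parse_usbstor_device(device_key)
        for instance_key, last_written in instances.items():
            inst = parse_usbstor_instance(instance_key)
            desc = "%s %s, serial %s" % (dev.get("vendor"), dev.get("product"), inst["serial"] or "none")
            if inst["windows_generated"]:
                desc += " (Windows-generated id)"
            rows.append({
                "date_time": filetime_to_utc(last_written).isoformat(),
                "event": "USB storage device key last written",
                "description": desc,
                "artifacts": "HKLM\\System\\ControlSet001\\Enum\\USBSTOR\\%s\\%s" % (device_key, instance_key),
            })
    return sorted(rows, key=lambda r: r["date_time"])


if __name__ == "__main__":
    print("InstallDate (UTC):  ", install_date_to_utc(SAMPLE_INSTALL_DATE))
    print("InstallDate (local):", to_local(install_date_to_utc(SAMPLE_INSTALL_DATE), SAMPLE_ACTIVE_TIME_BIAS))
    for row in usbstor_timeline_rows(SAMPLE_USBSTOR):
        print(row["date_time"], "|", row["event"], "|", row["description"], "|", row["artifacts"])
```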
USER Hive
33. Locate the user profile NTUSER.DAT files. There will be
multiple files. You will need to widen the File Path column to
see where each of these files occurs. For your review, use only
those files found under [root]/Users/....
34. These files contain the HKEY_CURRENT_USER (HKCU)
registry keys. Record the profile name for each of these files
(from the file path). You will use the profile name to name the
registry report file. You will also use these registry report files
to construct your system usage timeline.
35. For each NTUSER.DAT file:
a. Add the file to your Registry Files bookmark and open it in
Registry Viewer.
b. Using Edit > Find and Edit > Find Next (also F3), locate keys
and key values that have forensic value. Focus on keys that
have information required for your system usage timeline.
These keys include:
i. Most Recently Used Lists (MRU)
ii. Typed URL Lists
iii. Recent Docs (note the drive letters as well as the file names)
c. As you find useful registry keys, add the keys to your registry
report.
d. When you have finished your inspection of the registry,
generate the registry report for the associated user profile. Enter
[profilename] Registry Report in the Report Title field and
Lastname_[profilename]_RegistryReport in the Report Filename
field. Check the box to view the report, then click OK.
e. After the report opens, review the information.
f. Close the Report and Registry Viewer windows and return to
the FTK Case Examiner Window.
Guided Practice #2: Analyzing Folders and Files to Investigate
System Usage
As you work through this section, “check” the files (in the File
List pane) which have time/date information that can be used to
construct a system usage timeline. You will use these “checked”
files in Guided Practice #3.
System Files
1. Click on the Overview tab. Expand the File Categories
container.
2. Click on the Operating System files node to display the list
of files in this category.
3. Using the File List pane and File Contents pane, find and
review the types of files listed below. Note: FTK will provide
an interpreted (formatted) display for certain types of system
files. You may wish to snapshot or copy this information for
later use in answering the case questions and preparing your
system usage timeline. You should also review the file
properties shown in the file contents pane.
a. Bootstat.dat (there are two; the file dates will tell you the
date of the first boot after installation and the date/time of the
last shutdown)
b. Page File (pagefile.sys)
c. System and user-level log files
d. User profiles (especially the recent files list and the contents
of the desktop)
e. Link files (shortcuts)
f. Prefetch files
User Profiles
1. Return to the Explore tab and open the Evidence Items tree
until you see Users. Expand this node. Identify the user profiles
on the system. In this case, we have one “profile” which is not a
standard profile – George Dean. We will want to examine this
profile more closely.
2. Click on the Folder icon for “George Dean” in the Evidence
Items tree. This will cause the contents of the folder to be
displayed in the File List pane. Review the files and the
metadata for each one (decide which items you will use to help
construct your system usage timeline). At a minimum, you
should look at the following:
· All files and folders listed under the desktop folder
· All files and folders listed in subfolders under the desktop
folder
· Recent folder for user profile and all shortcut files listed
under the recent folder
· Documents, downloads, pictures, and music folders for user
profile
· All files and folders listed under each top-level folder (in the
same file path)
· Find the Recycle bin for this user profile ($Recycle.bin).
Then, identify all files and folders listed under $Recycle.bin
Note: The image file used in this lab may contain artifacts
related to internet browsing. You should note the presence of
these files in your report. No other processing of the browser
history and browser cache files is required for this lab. (These
artifacts will be processed and examined in Lab 6.)
Program Files (Applications)
1. Return to the Evidence tab. In the Evidence Items tree, open
the nodes until you find [root]/Windows/ProgramData and
[root]/Windows/Program Files.
2. Examine the contents of these folders. You should see a top-
level folder for each software application installed on top of the
Windows 7 installation (e.g., antivirus, utilities, word
processing packages, web browsers). (Note: you can also
identify software applications by looking for folders or links on
the desktops under each user profile.)
a. Record the forensically interesting software applications
(applications that are not part of the Windows operating system
installation).
b. Review the file dates/times for each software application.
3. In your analysis, do not include any applications that have
last modified dates occurring before the first boot date for this
Windows 7 installation (these were installed as part of Windows
7).
Guided Practice #3: Using File System Metadata to Create a
System Usage Timeline
Review Your Analysis Results
This guided practice depends upon the “checked files” which
you identified in the first two Guided Practices for this lab. If
you did not check files as you worked through those exercises,
you will need to go back and do so before starting this last
Guided Practice.
After you have selected files, review your selections (your
“checked” files). You should not have more than 100
“important” files in your checked files list. If you do, review
the files that you have checked and determine which ones can
be removed from your list. Use the Overview tab > File Items
node to review your checked files.
Create an Inventory with Timeline Information
1. Create a file inventory containing the file system metadata
for all checked files (do not include any other files):
a. Right-click in the file list pane.
b. Select Export File List Info from the pop-up menu.
c. In the export options window, select “All checked.”
d. Name your file yourlastname_Lab5_FileList.csv.
e. In the Save as type drop-down, select CSV (Comma
delimited) (*.csv).
2. Open your inventory using Excel or another spreadsheet
application.
a. Format the spreadsheet to give it a professional appearance.
b. Save your file inventory as an XLSX or XLS spreadsheet.
3. Examine the file system metadata shown in your file
inventory. As you perform your examination, annotate your file
inventory spreadsheet to record your analysis and/or findings.
4. Using your file inventory, create a table containing your
system usage timeline. Suggested steps are as follows:
a. Use Excel’s sorting function to examine the timeline of
system usage. First, sort your file inventory by Creation Date
and then by File Path.
b. Examine the spreadsheet entries to determine when files were
created; draw conclusions as to when the Windows 7 operating
system was installed, when software applications were installed,
etc.
c. Sort your spreadsheet by Last Modified Date and File Path.
Reexamine the spreadsheet entries to determine how and when
the system was used (what activities or events occurred).
d. Highlight rows in the spreadsheet that contain information
about significant events or that provide information that can be
used to answer one or more of the case questions.
e. Transfer information from your spreadsheet into your
timeline table.
5. Review the information provided by your examination of the
registry files. Add significant event information to your
timeline table (e.g., time and date that important registry keys
were last written along with the key names and values).
Guided Practice #4: Report Writing
For this lab, you will prepare a summary report and a system
usage timeline. Use the guidance from previous labs to assist
you in deciding how to present your findings. Your “high level
summaries” of your analysis results should be *summaries* not
a compendium of every piece of information found in the image.
Focus on providing data which provides support to your answers
to the case questions. Irrelevant information should not be
included.
Your deliverables are:
1. Incident Investigation Summary Report (5-8 pages with
tables / screen shots)
Prepare a memo-format report summarizing answers to the case
questions and providing documentation as to the tools,
techniques, and procedures used in this lab. Your report should
include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
2. System Usage Timeline (attachment to report)
This table was created in Guided Practice #3 of this lab.
Required Software
· Forensic Toolkit
· FTK Registry Viewer
· MS Excel (or equivalent spreadsheet application)
Deliverables
· Incident Investigation Summary Report
· System Usage Timeline
Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling,
punctuation, etc.)
Copyright © 2015 by University of Maryland University
College. All Rights Reserved.
CMIT 424: Digital Forensics Analysis and Application
Lab 5: Reconstruct System Usage Using Registry and Other
System FilesIntroduction
This lab builds upon the acquisition, processing, and analysis
techniques that you learned and practiced in earlier labs in this
course.
In this lab, you will practice finding, recovering, and analyzing
system usage information for a Windows 7 computer system.
Before you begin, you should review the following readings,
which address analytical processes and techniques used to
recover and evaluate information about system usage.
1. FTK Registry Viewer User Guide (access the PDF file from
the Registry Viewer help menu)
2. FTK User Guide (access the PDF file from the FTK help
menu)
a. Chapter 16, "Using the Examiner Interface"
b. Chapter 17, "Exploring Evidence"
c. Chapter 18, "Examining Evidence in the Overview Tab"
d. Chapter 22, "Examining Miscellaneous Evidence"
e. Chapter 23, "Bookmarking Evidence"
f. Chapter 32, "Working with Evidence Reports"
g. Chapter 35, "Working with Windows Registry Evidence"
Lab 5 Scenario and Case Questions
A laptop from the offices of Practical Applied Gaming
Solutions, Inc., has been sent to your lab for analysis. This laptop was
returned to the company by a former employee several weeks
after the employee's unexpected resignation.
During case triage, it was determined that VMWare was
installed on the laptop. Several folders containing virtual
machines were also found. A forensic image (E01 format) was
created from each of the virtual disks (VMDK files) by a
forensic technician using FTK Imager.
You have been asked to contribute to the investigation by
reconstructing the usage of one of the virtual machines from the
contents of the associated VMDK file. The chain-of-custody log
states that this file contains a Windows 7 system disk.
The lead investigator has asked you to address the following
case questions during your examination of the evidence. (Ignore
the Internet cache and index files for this lab; you will analyze
and report on them in Lab 6.)
1. When was the Windows 7 image created (installed in the
VM), and during what time period was it in use?
2. What software applications were loaded and available for use
in the VM?
3. Who used the Windows 7 VM? (More than one user?)
4. What was the Windows 7 VM used for?
5. Was the VM used regularly or repeatedly?
6. Are there indications of an intent to hide or obscure how the
VM was used?
7. Are there indications of an intent to use the VM to facilitate
illegal or unethical behavior? (Unethical includes actions that
are contrary to the employer's best interests or that violate the
company's Acceptable Use Policy governing use of company
resources—i.e., the laptop on which the VM was found.)
Lab 5 Overview
In this lab you will search for, recover, and analyze system
usage information from a forensic image provided by your
instructor. At a minimum, you should perform the following
tasks:
· Analyze the Windows Registry to recover information about
the Windows 7 operating system and how it was used.
· Analyze the contents of system log files, link files (shortcuts),
and prefetch files.
· Reconstruct user-level system usage using information
recovered from folders and files stored in user profiles.
· Analyze the contents of the recycle bin.
· Reconstruct system-level usage information found in the file
system metadata (use the information shown in the file list
pane).
· Construct a timeline showing significant system usage events,
such as boot, shutdown, installation of software, installation of
patches or updates, user logins, etc.
· Note: The provided forensic image has been modified for
training purposes.
· The virtual disk is no longer bootable.
· Files whose contents are not required for this examination
have been overwritten with 0x00 (securely wiped).
· The file system data structures have not been modified; the
original directory entries remain intact.
As you complete your analysis for this lab, you will need to
keep track of specific files that provide forensically important
information for your analysis and reporting. In previous labs,
you used an annotated file inventory for this purpose. In this
lab, you will learn two more methods:
· checked files (see Chapter 17, FTK User Guide) and
· bookmarks (see Chapter 23, FTK User Guide)
Both of these tracking features are accessed in the file list pane
by right-clicking on the filename and then selecting the feature
from the pop-up menu. You can also access the case Bookmarks
using the Bookmarks tab at the top of the Examiner Window.
In Guided Practice #1, you will examine the contents of the
Windows 7 registry. Your examination of the individual
Windows 7 registry hives should provide you with the following
information and/or answers to questions listed below. You will
need this information to answer the case questions. In this part
of the lab, you will also generate a registry report that
documents the associated keys and key values.
· Operating system version.
· Installation date.
· Registered owner. (Is there something odd about this?)
· Computer name.
· Current time zone.
· Fixed hard drives (virtual drives) used in the VM (mounted
devices).
· Removable USB media used in the VM. What are the
manufacturer and serial numbers of the USBs?
· Installed software (provide a list of all sub keys showing user-
installed software packages; add rows as necessary). Pay
attention to the last written dates for keys. Keys prior to the
installation date represent software that is part of the Windows
7 package and, for this lab, should not be included in your list
of installed software.
· Installed software for individual users (find and process the
NTUSER.DAT file for each user on the system; this file
contains the HKCU hive).
· Recent files accessed by individual users (find and process the
NTUSER.DAT file for each user on the system; this file
contains the HKCU hive).
· Most recently used (MRU) items including software
applications and files.
· Any additional keys you found to be helpful in determining
how this VM was used, when it was used, and who used it.
In Guided Practice #2, you will examine the contents of link
files (shortcut files), log files, and prefetch files recovered from
the virtual disk. (You may need to research the format and
usage for specific file types to learn more about what they can
tell you regarding system usage.) The file contents provide
information about events that occurred or actions that were
performed, and possibly also when those events occurred. The
locations of these files will provide information as to who
(system or a specific user account) performed the actions
captured in the contents and metadata. When reviewing these
files, be sure to examine both the contents and the file
properties using the file contents pane. In this part of the lab,
you will mark files of forensic interest (ones that you will use
to answer the case questions) using checked files and Bookmark
categories. You will then generate an FTK report that lists the
files (by file path), the Bookmark categories, and the files
included under each bookmark.
Before you begin this part of the lab, you should decide upon
the format that you will use to create your system usage
timeline. Your timeline could be presented in a table in a
Microsoft Word document or as an Excel spreadsheet. The
important thing to remember is that your timeline should clearly
show the events that are of forensic interest and the date/time of
occurrence for each event. You should also list the files that
provided the information about each event. Below is a suggested
table format for a system usage timeline. This format can be
used in either Microsoft Word or Microsoft Excel.
Date/Time | Event | Description | Files or Artifacts created or modified
In Guided Practice #3, you will generate an inventory of
selected folders and files from the forensic image of the virtual
disk. You will use this inventory to construct a tentative
timeline of events and identify file/folder entries that can
provide answers to the case questions. For this part of the lab,
your analysis is restricted to file properties and directory-level
information—file paths, creation dates, last access dates, last
modified dates, etc.
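The inventory-to-timeline step of Guided Practice #3, as an added Python example that is not part of the lab materials: a constructed file inventory in the shape of an FTK "Export File List Info" CSV (the column names and every path and date are made up for the example) is sorted by creation date and path and turned into rows in the timeline format suggested above, applying the lab's own rules: the two dates on bootstat.dat give first boot and last shutdown, and Program Files entries last modified before first boot are excluded as part of the Windows 7 package.

```python
import csv
import io
from datetime import datetime

# Constructed inventory (assumed column layout; not an export from the lab image).
SAMPLE_CSV = """Name,Path,Created,Modified,Accessed
bootstat.dat,[root]/Windows/bootstat.dat,01/05/2015 09:14:02,01/20/2015 17:45:10,01/20/2015 17:45:10
SOFTWARE,[root]/Windows/System32/config/SOFTWARE,01/05/2015 09:02:30,01/20/2015 17:44:58,01/20/2015 17:44:58
Notepad++,[root]/Program Files/Notepad++,01/06/2015 10:30:00,01/06/2015 10:31:12,01/06/2015 10:31:12
Windows Defender,[root]/Program Files/Windows Defender,01/05/2015 09:05:11,01/05/2015 09:05:40,01/05/2015 09:05:40
report.docx.lnk,[root]/Users/George Dean/Recent/report.docx.lnk,01/08/2015 14:02:55,01/12/2015 11:20:03,01/12/2015 11:20:03
NTUSER.DAT,[root]/Users/George Dean/NTUSER.DAT,01/05/2015 09:20:00,01/20/2015 17:44:50,01/20/2015 17:44:50
"""
DATE_FMT = "%m/%d/%Y %H:%M:%S"


def load_inventory(text):
    """Parse the exported file list into records with real datetimes."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"name": r["Name"], "path": r["Path"],
                     "created": datetime.strptime(r["Created"], DATE_FMT),
                     "modified": datetime.strptime(r["Modified"], DATE_FMT)})
    return rows


def first_boot(rows):
    """bootstat.dat is created on the first boot after installation and rewritten
    at shutdown, so Created marks the first boot and Modified the last shutdown."""
    boot = [r for r in rows if r["name"].lower() == "bootstat.dat"]
    return min(r["created"] for r in boot), max(r["modified"] for r in boot)


def installed_applications(rows, boot_time):
    """Top-level Program Files / ProgramData folders last modified on or after
    the first boot. Folders only touched before first boot shipped with Windows 7
    and are excluded, as the lab instructs."""
    apps = []
    for r in rows:
        parts = r["path"].split("/")
        if len(parts) == 3 and parts[1] in ("Program Files", "ProgramData") and r["modified"] >= boot_time:
            apps.append(r)
    return apps


def profile_of(path):
    """User profile name from a [root]/Users/<profile>/... path, else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "Users" else None


def build_timeline(rows):
    """Return timeline rows: Date/Time, Event, Description, Files or Artifacts."""
    boot, shutdown = first_boot(rows)
    # Earliest creation under [root]/Windows is a tentative install time; the
    # registry InstallDate is the value to confirm it against.
    os_install = min(r["created"] for r in rows if r["path"].startswith("[root]/Windows/"))
    events = [
        (os_install, "Operating system installed", "Earliest file creation under [root]/Windows", "[root]/Windows (Created)"),
        (boot, "First boot after installation", "Windows 7 first start", "[root]/Windows/bootstat.dat (Created)"),
        (shutdown, "Last shutdown", "Most recent shutdown", "[root]/Windows/bootstat.dat (Modified)"),
    ]
    for app in installed_applications(rows, boot):
        events.append((app["created"], "Application installed", app["name"], app["path"] + " (Created)"))
    for r in rows:
        user = profile_of(r["path"])
        if user and r["name"].lower().endswith(".lnk"):
            events.append((r["modified"], "File opened by user",
                           "%s opened %s" % (user, r["name"][:-4]), r["path"] + " (Modified)"))
    events.sort(key=lambda e: (e[0], e[3]))  # by time, then path, as the Excel sort does
    return [{"Date/Time": t.strftime(DATE_FMT), "Event": ev, "Description": d, "Files or Artifacts": f}
            for t, ev, d, f in events]


if __name__ == "__main__":
    for row in build_timeline(load_inventory(SAMPLE_CSV)):
        print(" | ".join(row.values()))
```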
In Guided Practice #4, you will write a lab report memo (three
to five pages maximum) in which you document your answers to
the case questions. Each answer must be supported by
information contained in the forensic image and you must
identify which artifacts (files or folders) support your answers.
Provide your supporting documentation, i.e., registry reports,
file inventory, and timeline of system usage, as a single zip
archive. The registry reports, file inventory and timeline files
should be submitted in a single zip file archive; this
documentation is not counted in the lab memo page count.
Required Software
· Forensic Toolkit
· FTK Registry Viewer
· WinHex
· MS Office (Word, Excel, PowerPoint)
· Adobe Reader (or another PDF file viewer)
· Web browser
Deliverables
1. Incident Investigation Summary Report (5-8 pages with
tables / screen shots)
Prepare a memo-format report summarizing answers to the case
questions and providing documentation as to the tools,
techniques, and procedures used in this lab. Your report should
include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
Note: Your “high level summaries” of your analysis results
should be *summaries* not a compendium of every piece of
information found in the image. Focus on providing data which
provides support to your answers to the case questions.
Irrelevant information should not be included.
2. System Usage Timeline
This table will be created in Guided Practice #3.
Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling,
punctuation, etc.)
Lab 5 Outcomes
Course Outcomes for Lab 5
· reconstruct system usage using Windows Registry and other
system files
· perform and document timeline analysis
· prepare brief report summarizing findings and answering case
questions
· apply rules and guidelines as they pertain to the acquisition,
handling, and storage of digital artifacts
· select and apply the most appropriate methodology to extract
data based on circumstances and reassemble artifacts from data
fragments
· analyze and interpret data collected and report outcomes in
accordance with incident response handling guidelines

 
CropSyst.ppt
CropSyst.pptCropSyst.ppt
CropSyst.pptBetterMe4
 

Similar to Digital Forensic Examination Summary Report(for ALL lab assignme.docx (20)

Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
 
Data_Processing_Program
Data_Processing_ProgramData_Processing_Program
Data_Processing_Program
 
Sas UTR How To Create Your UTRs Sep2009
Sas UTR How To Create Your UTRs Sep2009Sas UTR How To Create Your UTRs Sep2009
Sas UTR How To Create Your UTRs Sep2009
 
Kaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportKaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_report
 
Search++ Manual
Search++ ManualSearch++ Manual
Search++ Manual
 
April 29, 2018 Remember that you must enter the answers t.docx
April 29, 2018 Remember that you must enter the answers t.docxApril 29, 2018 Remember that you must enter the answers t.docx
April 29, 2018 Remember that you must enter the answers t.docx
 
abcd
abcdabcd
abcd
 
nHibernate Explained by example
nHibernate Explained by examplenHibernate Explained by example
nHibernate Explained by example
 
Advanced Excel Technologies In Early Development Applications
Advanced Excel Technologies In Early Development ApplicationsAdvanced Excel Technologies In Early Development Applications
Advanced Excel Technologies In Early Development Applications
 
Test Script Sample- Spry Congressional Managment System
Test Script Sample- Spry Congressional Managment SystemTest Script Sample- Spry Congressional Managment System
Test Script Sample- Spry Congressional Managment System
 
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docxLab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
 
Software Sizing
Software SizingSoftware Sizing
Software Sizing
 
Marking report
Marking reportMarking report
Marking report
 
VITALISE Summer School 2023_ DAY 4 FINAL.pdf
VITALISE Summer School 2023_ DAY 4 FINAL.pdfVITALISE Summer School 2023_ DAY 4 FINAL.pdf
VITALISE Summer School 2023_ DAY 4 FINAL.pdf
 
N Hibernate Explained By Example
N Hibernate Explained By ExampleN Hibernate Explained By Example
N Hibernate Explained By Example
 
Submit by 21918Phase IProject SelectionThe first step w.docx
Submit by 21918Phase IProject SelectionThe first step w.docxSubmit by 21918Phase IProject SelectionThe first step w.docx
Submit by 21918Phase IProject SelectionThe first step w.docx
 
Project #1-Note all projects must be in seperate microsoft word.docx
Project #1-Note all projects must be in seperate microsoft word.docxProject #1-Note all projects must be in seperate microsoft word.docx
Project #1-Note all projects must be in seperate microsoft word.docx
 
Revision booklet 6957 2016
Revision booklet 6957 2016Revision booklet 6957 2016
Revision booklet 6957 2016
 
CropSyst.ppt
CropSyst.pptCropSyst.ppt
CropSyst.ppt
 
Ophidian
OphidianOphidian
Ophidian
 

More from lynettearnold46882

Assignment User FrustrationThe quality of the user experience i.docx
Assignment User FrustrationThe quality of the user experience i.docxAssignment User FrustrationThe quality of the user experience i.docx
Assignment User FrustrationThe quality of the user experience i.docxlynettearnold46882
 
Assignment Upstream Approaches to Canadian Population HealthAlt.docx
Assignment Upstream Approaches to Canadian Population HealthAlt.docxAssignment Upstream Approaches to Canadian Population HealthAlt.docx
Assignment Upstream Approaches to Canadian Population HealthAlt.docxlynettearnold46882
 
Assignment Type up an essay on one of two prompts and submit the .docx
Assignment Type up an essay on one of two prompts and submit the .docxAssignment Type up an essay on one of two prompts and submit the .docx
Assignment Type up an essay on one of two prompts and submit the .docxlynettearnold46882
 
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docx
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docxAssignment TypeIndividual ProjectDeliverable Length8–10 slid.docx
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docxlynettearnold46882
 
Assignment Type Individual discussion Board;   450 – 550 word.docx
Assignment Type Individual discussion Board;   450 – 550 word.docxAssignment Type Individual discussion Board;   450 – 550 word.docx
Assignment Type Individual discussion Board;   450 – 550 word.docxlynettearnold46882
 
Assignment Two UNIT 2Student Name _______________________.docx
Assignment Two UNIT 2Student Name _______________________.docxAssignment Two UNIT 2Student Name _______________________.docx
Assignment Two UNIT 2Student Name _______________________.docxlynettearnold46882
 
Assignment Two Select a college or university and provide th.docx
Assignment Two Select a college or university and provide th.docxAssignment Two Select a college or university and provide th.docx
Assignment Two Select a college or university and provide th.docxlynettearnold46882
 
Assignment Two Objectives • Understand how the.docx
Assignment Two   Objectives • Understand how the.docxAssignment Two   Objectives • Understand how the.docx
Assignment Two Objectives • Understand how the.docxlynettearnold46882
 
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docx
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docxAssignment Topic Exploration and Analysis (Proposal)In Week 6 o.docx
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docxlynettearnold46882
 
Assignment To consider three sources about the Fall of Rome and w.docx
Assignment To consider three sources about the Fall of Rome and w.docxAssignment To consider three sources about the Fall of Rome and w.docx
Assignment To consider three sources about the Fall of Rome and w.docxlynettearnold46882
 
Assignment topic Rapid Influenza Testing in Children and Adult.docx
Assignment topic  Rapid Influenza Testing in Children and Adult.docxAssignment topic  Rapid Influenza Testing in Children and Adult.docx
Assignment topic Rapid Influenza Testing in Children and Adult.docxlynettearnold46882
 
Assignment Topic 1Choose a contemporary painting, sculpture, o.docx
Assignment Topic 1Choose a contemporary painting, sculpture, o.docxAssignment Topic 1Choose a contemporary painting, sculpture, o.docx
Assignment Topic 1Choose a contemporary painting, sculpture, o.docxlynettearnold46882
 
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docx
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docxAssignment TitleAssessment Item 03 Case Study Analysis – Engagi.docx
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docxlynettearnold46882
 
Assignment Title Knowledge management cycle process in or.docx
Assignment Title Knowledge management cycle process in or.docxAssignment Title Knowledge management cycle process in or.docx
Assignment Title Knowledge management cycle process in or.docxlynettearnold46882
 
Assignment Three Technical Descriptions Due March 2 (1155 PM .docx
Assignment Three Technical Descriptions Due March 2 (1155 PM .docxAssignment Three Technical Descriptions Due March 2 (1155 PM .docx
Assignment Three Technical Descriptions Due March 2 (1155 PM .docxlynettearnold46882
 
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docx
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docxAssignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docx
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docxlynettearnold46882
 
Assignment title An Evaluation of the Business Strategy at Mc D.docx
Assignment title An Evaluation of the Business Strategy at Mc D.docxAssignment title An Evaluation of the Business Strategy at Mc D.docx
Assignment title An Evaluation of the Business Strategy at Mc D.docxlynettearnold46882
 
ASSIGNMENT The student will submit a research project that compares.docx
ASSIGNMENT The student will submit a research project that compares.docxASSIGNMENT The student will submit a research project that compares.docx
ASSIGNMENT The student will submit a research project that compares.docxlynettearnold46882
 
Assignment Three Case study report – mixed mediaValue 40 .docx
Assignment Three Case study report – mixed mediaValue 40 .docxAssignment Three Case study report – mixed mediaValue 40 .docx
Assignment Three Case study report – mixed mediaValue 40 .docxlynettearnold46882
 
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docx
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docxAssignment The Nurse Leader as Knowledge WorkerThe term kn.docx
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docxlynettearnold46882
 

More from lynettearnold46882 (20)

Assignment User FrustrationThe quality of the user experience i.docx
Assignment User FrustrationThe quality of the user experience i.docxAssignment User FrustrationThe quality of the user experience i.docx
Assignment User FrustrationThe quality of the user experience i.docx
 
Assignment Upstream Approaches to Canadian Population HealthAlt.docx
Assignment Upstream Approaches to Canadian Population HealthAlt.docxAssignment Upstream Approaches to Canadian Population HealthAlt.docx
Assignment Upstream Approaches to Canadian Population HealthAlt.docx
 
Assignment Type up an essay on one of two prompts and submit the .docx
Assignment Type up an essay on one of two prompts and submit the .docxAssignment Type up an essay on one of two prompts and submit the .docx
Assignment Type up an essay on one of two prompts and submit the .docx
 
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docx
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docxAssignment TypeIndividual ProjectDeliverable Length8–10 slid.docx
Assignment TypeIndividual ProjectDeliverable Length8–10 slid.docx
 
Assignment Type Individual discussion Board;   450 – 550 word.docx
Assignment Type Individual discussion Board;   450 – 550 word.docxAssignment Type Individual discussion Board;   450 – 550 word.docx
Assignment Type Individual discussion Board;   450 – 550 word.docx
 
Assignment Two UNIT 2Student Name _______________________.docx
Assignment Two UNIT 2Student Name _______________________.docxAssignment Two UNIT 2Student Name _______________________.docx
Assignment Two UNIT 2Student Name _______________________.docx
 
Assignment Two Select a college or university and provide th.docx
Assignment Two Select a college or university and provide th.docxAssignment Two Select a college or university and provide th.docx
Assignment Two Select a college or university and provide th.docx
 
Assignment Two Objectives • Understand how the.docx
Assignment Two   Objectives • Understand how the.docxAssignment Two   Objectives • Understand how the.docx
Assignment Two Objectives • Understand how the.docx
 
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docx
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docxAssignment Topic Exploration and Analysis (Proposal)In Week 6 o.docx
Assignment Topic Exploration and Analysis (Proposal)In Week 6 o.docx
 
Assignment To consider three sources about the Fall of Rome and w.docx
Assignment To consider three sources about the Fall of Rome and w.docxAssignment To consider three sources about the Fall of Rome and w.docx
Assignment To consider three sources about the Fall of Rome and w.docx
 
Assignment topic Rapid Influenza Testing in Children and Adult.docx
Assignment topic  Rapid Influenza Testing in Children and Adult.docxAssignment topic  Rapid Influenza Testing in Children and Adult.docx
Assignment topic Rapid Influenza Testing in Children and Adult.docx
 
Assignment Topic 1Choose a contemporary painting, sculpture, o.docx
Assignment Topic 1Choose a contemporary painting, sculpture, o.docxAssignment Topic 1Choose a contemporary painting, sculpture, o.docx
Assignment Topic 1Choose a contemporary painting, sculpture, o.docx
 
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docx
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docxAssignment TitleAssessment Item 03 Case Study Analysis – Engagi.docx
Assignment TitleAssessment Item 03 Case Study Analysis – Engagi.docx
 
Assignment Title Knowledge management cycle process in or.docx
Assignment Title Knowledge management cycle process in or.docxAssignment Title Knowledge management cycle process in or.docx
Assignment Title Knowledge management cycle process in or.docx
 
Assignment Three Technical Descriptions Due March 2 (1155 PM .docx
Assignment Three Technical Descriptions Due March 2 (1155 PM .docxAssignment Three Technical Descriptions Due March 2 (1155 PM .docx
Assignment Three Technical Descriptions Due March 2 (1155 PM .docx
 
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docx
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docxAssignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docx
Assignment ThreeUNIT 3 – ON LINE CLASSStudent Name __________.docx
 
Assignment title An Evaluation of the Business Strategy at Mc D.docx
Assignment title An Evaluation of the Business Strategy at Mc D.docxAssignment title An Evaluation of the Business Strategy at Mc D.docx
Assignment title An Evaluation of the Business Strategy at Mc D.docx
 
ASSIGNMENT The student will submit a research project that compares.docx
ASSIGNMENT The student will submit a research project that compares.docxASSIGNMENT The student will submit a research project that compares.docx
ASSIGNMENT The student will submit a research project that compares.docx
 
Assignment Three Case study report – mixed mediaValue 40 .docx
Assignment Three Case study report – mixed mediaValue 40 .docxAssignment Three Case study report – mixed mediaValue 40 .docx
Assignment Three Case study report – mixed mediaValue 40 .docx
 
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docx
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docxAssignment The Nurse Leader as Knowledge WorkerThe term kn.docx
Assignment The Nurse Leader as Knowledge WorkerThe term kn.docx
 

Recently uploaded

BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 

Recently uploaded (20)

BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 

Digital Forensic Examination Summary Report(for ALL lab assignme.docx

  • 1. Digital Forensic Examination Summary Report (for ALL lab assignments except Lab 0; remove red writing before submitting assignments) Examiner: your name and company (simulated) _____________________________________________________ _________________________ Case Background: give an adequate description of the scenario as if the reader knows nothing about this case. why are you conducting this examination? who requested it? This should be more than 2-3 sentences. Use what's given to you in the lab scenario assignment to establish a quality case background. _____________________________________________________ _________________________ Legal Authority: (to conduct exam i.e. warrant, consent, government / organizational property. This must be always stated in a report): _____________________________________________________ _________________________ Tools Used: for the readers sake who often are not technical, break up this section into subsections Hardware Software (include full software versions (simulate when necessary); include hardware i.e. the system you used to conduct the examination with serial numbers (your desktop / laptop). Also, simulate using a hardware write-blocker if the scenario doesn't specify how the data is write protected. A write-blocker prevents any writes to the media being examined so the examiner can acquire it safely without altering original evidence.) _____________________________________________________ _________________________ Initial Processing (show both acquisition and verification hash
  • 2. sums; list the media examined with description and serial number / see Addendum A) example verbiage: "The processing included inspection, photography, anti-virus scan, and the imaging laptop. The imaging of the media created forensic evidence files for use in the subsequent forensic examination. Methods were forensically sound and verifiable." _____________________________________________________ _________________________ Preliminary Findings: (out of analyzing X number of files, X were of forensic value; briefly describe the partition and file structure of the media examined; this is a synopsis of what you found of forensic value.) _____________________________________________________ _________________________ Detailed Findings: (this is where most or all of the case questions can be answered along with whatever else is required in the grading deliverables. This will always be the longest part of your report. If you feel that some detailed findings would be better placed in an Addendum, that's a good place too). _____________________________________________________ _________________________ Conclusions / Further Actions Required: (just state the facts; recommend what other devices could be examined to further the case; recommend interviews of subjects if applicable; are there protected files that need decryption? Do not make judgment calls i.e. John Smith should be removed from his position; give the client the facts and let them make the decisions on what to do with the information.) Each Addendum should start on a separate page. Addendum A: Photos (simulate with pics of similar devices you find on the Internet. It is always a good idea to include a picture of the evidence you examined.) The following is a photograph of XXXX
  • 3. PICTURE(s) SHOWN HERE The following details the forensic image processing. example: Seagate Hard Drive, 250GB, Serial #12345: Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX. The pre-processing hash results are presented below: MD5 checksum: XXXX SHA1 checksum: XXXX The forensic processing subsequently created XXXX (X) files (simulated). Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files) The forensic imaging process involved a post processing hash verification of the contents of the evidence file compared with the pre-processing hash. The hash analysis is presented below. MD5 checksum: XXXX: verified SHA1 checksum: XXXX: verified The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files. Addendum B: Steps Taken These are your notes on the steps you took while conducting the examination. Often, the examiner must submit their notes along with the forensic report if a case goes to court. I recommend just numbering your steps i.e. 1, 2, 3 in chronological order. Start with how you received the media and describe how you sterilized. For example: 1. Original USB drives and CD-Rs received from R. Jones. Items labeled and chain of custody (COC) documentation initiated. 2. Forensically sterilized target media prepared using Paladin vX.XX.XXX. After launching the Paladin tool, the target media was physically connected to the workstation running Paladin. Target media was wiped and verified using command “sudo dcfldd pattern=00 vf=/dev/sdc.” Results were a match,
verifying the target media was forensically sterile.
3. describe your analysis steps
4. cont'd
Report End

CMIT 424: Digital Forensics Analysis and Application
Lab 5: Reconstruct System Usage Using Registry and Other System Files

Before You Begin
1. Launch FTK.
2. Restore the Lab 5 Case File from H:\CMIT424\Lab5\FTK Case Backup\Lab5 to C:\Cases.
3. Examine the image using the FTK Examiner and Overview tabs. Note that there are carved files present in the image. ZIP files have also been expanded for you. (Refinement options for the Add Evidence job were: (a) Expand Compound Files: ZIP only and (b) Data Carve: BMP, GIF, JPG, PNG, PDF, MS OLE (documents).)
4. Decide if you will use “bookmarks” to help you keep track of important files that you find as you work through this lab. It is highly recommended that you do so. You can use “bookmarks” to categorize and annotate files and then generate a “Bookmarks” report with your annotations.
One more important note: there is more information in this evidence file than you will have time to analyze for this lab. You should make sure that you cover the important areas discussed in each Guided Practice. But, you should also leave yourself enough time to write your report and document your findings. Do not get lost in the data!!!

Guided Practice #1: Analyzing the Windows Registry
In this part of the lab, you will use FTK and FTK Registry Viewer to generate a report that you will use in your analysis of the Windows registry. Use your best judgment and information from your readings to select additional keys that can provide answers to the case questions about how the virtual machine was used. Then, add these keys to your registry reports. For more information about which keys you should look at, see http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots and http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
As you work through this Guided Practice, “check” the files (in the File List pane) that are important and which have time/date information that can be used to construct a system usage timeline. You will use these “checked” files in Guided Practice #3.

Locate Registry Hive Files
1. Switch to the Overview tab in the Case Examiner window.
2. Expand the File Category node in the tree.
3. Click on the OS/File System Files node. Expand again to display the list of subcategories.
4. Click on Windows NT Registry to display the list of registry files in the File List pane.
5. Locate the System Hive in the File List pane. This file contains the HKEY_Local_Machine (HKLM) registry keys. Note the information displayed in the File Content pane.

SYSTEM Hive
6. Right-click on the System Hive in the File List pane. Select “Open in Registry Viewer” from the pop-up menu.
7. Find HKLM\System\ControlSet001\Control\ComputerName\ComputerName (Expand tree nodes by clicking on the plus signs to the left of the node names.)
8. Add this key to the registry report.
9. Find HKLM\System\ControlSet001\Control\TimeZoneInformation
10. Note that there are sub-keys with values displayed in the upper right pane of the display. Note also that the Key Properties, including “Last Written Time,” are displayed in the lower left pane.
11. Add this key to the registry report.
12. Collapse the “Control” node under ControlSet001.
13. Expand the “Enum” node.
14. Find HKLM\System\ControlSet001\Enum\USBSTOR
15. Expand the nodes under USBSTOR and review the information provided. Note that you can identify the manufacturer and product name / type from the information provided for the second and third entries under this node.
16. Click on the node below the “device” node. Review the information provided in the right hand pane (Sub Key names and values).
17. After you have finished your review, add this key “with children” to the registry report.
18. Find HKLM\System\MountedDevices and add this key to your registry report.
19. From the Report menu, generate the registry report for your selected keys.
20. Enter SYSTEM Registry Report in the Report Title field. Enter Lastname_SYSTEM_RegistryReport in the Report Filename field. Note that the location of the report will be C:\Cases\Lab5\RegistryViewerReports.
21. Check the box to view the report, then click OK.
22. After the report opens, review the “Last Written Time” key properties for each set of keys. You will use these values later to update your timeline of events.
23. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.
24. Locate the Software Hive. Click on its name in the File List pane to display information about this registry hive in the File Contents pane.

SOFTWARE Hive
25. Right-click on the Software Hive in the File List pane. Select “Open in Registry Viewer” from the pop-up menu.
26. In the Registry Viewer, find HKLM\Software\Microsoft\Windows NT\CurrentVersion
27. Select the key to view its values. Note that the Key Properties pane gives the installation date. The Sub Keys and Values provide additional information about the operating system version, the registered owner, and other information which you will need for your summary report.
28. Add this key to your registry report.
29. Explore the SOFTWARE hive to see if there is additional information that you wish to add to the registry keys report. If so, remember to “add key” or “add key with children” to the report.
30. From the Report menu, generate the registry report for your selected keys. Enter SOFTWARE Registry Report in the Report Title field. Enter Lastname_SOFTWARE_RegistryReport in the Report Filename field. Check the box to view the report, then click OK.
31. After the report opens, review the “Last Written Time” key properties for each set of keys. You will use these values later to update your timeline of events.
32. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.

USER Hive
33. Locate the user profile NTUSER.DAT files. There will be multiple files. You will need to widen the File Path column to see where each of these files occurs. For your review, use only those files found under [root]/Users/....
34. These files contain the HKEY_Current_User or HKCU registry keys. Record the profile name for each of these files (from the file path). You will use the profile name to name the registry report file. You will also use these registry report files to construct your system usage timeline.
35. For each NTUSER.DAT file:
a. Add the file to your Registry Files bookmark and open it in Registry Viewer.
b. Using Edit > Find and Edit > Find Next (also F3), locate keys and key values that have forensic value. Focus on keys that have information required for your system usage timeline. These keys include:
i. Most Recently Used Lists (MRU)
ii. Typed URL Lists
iii. Recent Docs (note the drive letters as well as the file names)
c. As you find useful registry keys, add the keys to your registry report.
d. When you have finished your inspection of the registry, generate the registry report for the associated user profile. Enter [profilename] Registry Report in the Report Title field and Lastname_[profilename]_RegistryReport in the Report Filename field. Check the box to view the report, then click OK.
e. After the report opens, review the information.
f. Close the Report and Registry Viewer windows and return to the FTK Case Examiner Window.

Guided Practice #2: Analyzing Folders and Files to Investigate System Usage
As you work through this section, “check” the files (in the File List pane) which have time/date information that can be used to construct a system usage timeline. You will use these “checked” files in Guided Practice #3.

System Files
1. Click on the Overview tab. Expand the File Categories container.
2. Click on the Operating System files node to display the list of files in this category.
3. Using the File List pane and File Contents pane, find and review the types of files listed below. Note: FTK will provide an interpreted (formatted) display for certain types of system files. You may wish to snapshot or copy this information for later use in answering the case questions and preparing your system usage timeline. You should also review the file properties shown in the file contents pane.
a. Bootstat.dat (there are two; the file dates will tell you the date of the first boot after installation and the date/time of the last shutdown)
b. Page File (pagefile.sys)
c. System and user-level log files
d. User profiles (especially the recent files list and the contents of the desktop)
e. Link files (shortcuts)
f. Prefetch files

User Profiles
1. Return to the Explore tab and open the Evidence Items tree until you see Users. Expand this node. Identify the user profiles on the system. In this case, we have one “profile” which is not a standard profile – George Dean. We will want to examine this profile more closely.
2. Click on the Folder icon for “George Dean” in the Evidence Items tree. This will cause the contents of the folder to be displayed in the File List pane. Review the files and the metadata for each one (decide which items you will use to help construct your system usage timeline). At a minimum, you should look at the following:
· All files and folders listed under the desktop folder
· All files and folders listed in subfolders under the desktop folder
· Recent folder for user profile and all shortcut files listed under the recent folder
· Documents, downloads, pictures, and music folders for user profile
· All files and folders listed under each top-level folder (in the same file path)
· Find the Recycle bin for this user profile ($Recycle.bin). Then, identify all files and folders listed under $Recycle.bin
Note: The image file used in this lab may contain artifacts related to internet browsing. You should note the presence of these files in your report. No other processing of the browser history and browser cache files is required for this lab. (These artifacts will be processed and examined in Lab 6.)

Program Files (Applications)
1. Return to the Evidence tab. In the Evidence Items tree, open the nodes until you find [root]/Windows/ProgramData and [root]/Windows/Program Files.
2. Examine the contents of these folders. You should see a top-level folder for each software application installed on top of the Windows 7 installation (e.g., antivirus, utilities, word processing packages, web browsers). (Note: you can also identify software applications by looking for folders or links on the desktops under each user profile.)
a. Record the forensically interesting software applications (applications that are not part of the Windows operating system installation).
b. Review the file dates/times for each software application.
3. In your analysis, do not include any applications that have last modified dates occurring before the first boot date for this Windows 7 installation (these were installed as part of Windows 7).

Guided Practice #3: Using File System Metadata to Create a System Usage Timeline
Review Your Analysis Results
This guided practice depends upon the “checked files” which you identified in the first two Guided Practices for this lab. If you did not check files as you worked through those exercises, you will need to go back and do so before starting this last Guided Practice. After you have selected files, review your selections (your “checked” files). You should not have more than 100 “important” files in your checked files list. If you do, review the files that you have checked and determine which ones can be removed from your list. Use the Overview tab > File Items node to review your checked files.

Create an Inventory with Timeline Information
1. Create a file inventory containing the file system metadata for all checked files (do not include any other files):
a. Right-click in the file list pane.
b. Select Export File List Info from the pop-up menu.
c. In the export options window, select “All checked.”
d. Name your file yourlastname_Lab5_FileList.csv.
e. In the Save as type drop-down, select CSV (Comma delimited) (*.csv).
2. Open your inventory using Excel or another spreadsheet application.
a. Format the spreadsheet to give it a professional appearance.
b. Save your file inventory as an XLSX or XLS spreadsheet.
3. Examine the file system metadata shown in your file inventory. As you perform your examination, annotate your file inventory spreadsheet to record your analysis and/or findings.
4. Using your file inventory, create a table containing your system usage timeline. Suggested steps are as follows:
a. Use Excel’s sorting function to examine the timeline of system usage. First, sort your file inventory by Creation Date and then by File Path.
b. Examine the spreadsheet entries to determine when files were created; draw conclusions as to when the Windows 7 operating system was installed, when software applications were installed, etc.
c. Sort your spreadsheet by Last Modified Date and File Path. Reexamine the spreadsheet entries to determine how and when the system was used (what activities or events occurred).
d. Highlight rows in the spreadsheet that contain information about significant events or that provide information that can be used to answer one or more of the case questions.
e. Transfer information from your spreadsheet into your timeline table.
5. Review the information provided by your examination of the registry files. Add significant event information to your timeline table (e.g., time and date that important registry keys were last written along with the key names and values).

Guided Practice #4: Report Writing
For this lab, you will prepare a summary report and a system usage timeline. Use the guidance from previous labs to assist you in deciding how to present your findings. Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included. Your deliverables are:
1. Incident Investigation Summary Report (5-8 pages with tables / screen shots)
Prepare a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your report should include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
2. System Usage Timeline (attachment to report)
This table was created in Guided Practice #3 of this lab.

Required Software
· Forensic Toolkit
· FTK Registry Viewer
· MS Excel (or equivalent spreadsheet application)

Deliverables
· Incident Investigation Summary Report
· System Usage Timeline

Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)
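As an added illustration of Guided Practice #1 (USBSTOR entries) and Guided Practice #3 (merging file metadata and registry last-written times into one timeline), not part of the lab materials or of FTK, the Python script below parses USBSTOR key names into manufacturer, product and serial number, drops files modified before the installation date as step 3 under Program Files instructs, and sorts the remaining events the way the lab suggests sorting the spreadsheet. The CSV rows, USBSTOR entries and install date are constructed sample values, and the CSV columns are simplified relative to a real FTK "Export File List Info" export.

```python
import csv
import io
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample of an FTK "Export File List Info" CSV, reduced to the columns
# used here (a real export carries many more columns and FTK's own header names).
FILE_LIST_CSV = """Name,Path,Created,Modified
ntoskrnl.exe,[root]/Windows/System32/ntoskrnl.exe,2009-07-14 01:39:00,2009-07-14 01:39:00
bootstat.dat,[root]/Windows/bootstat.dat,2014-03-02 09:15:10,2014-03-20 17:42:05
7-Zip,[root]/Program Files/7-Zip,2014-03-05 11:03:44,2014-03-05 11:04:01
secret.docx.lnk,[root]/Users/George Dean/AppData/Roaming/Microsoft/Windows/Recent/secret.docx.lnk,2014-03-18 14:22:31,2014-03-18 14:25:07
"""

# Constructed USBSTOR entries as they would appear in a Registry Viewer report for
# HKLM\System\ControlSet001\Enum\USBSTOR: (device key, instance key, Last Written Time).
USBSTOR_ENTRIES = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26", "4C530001230412345678&0", "2014-03-18 14:20:02"),
    ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP", "7&2a1b3c4d&0&_&0", "2014-03-19 08:05:46"),
]

# Constructed value standing in for the InstallDate found under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion.
INSTALL_DATE = datetime(2014, 3, 2, 9, 10, 0)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

USBSTOR_RE = re.compile(r"(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)")


class Event(NamedTuple):
    when: datetime
    what: str
    source: str


def parse_usbstor(device_key: str, instance_key: str) -> dict:
    """Split a USBSTOR device key into type/vendor/product/revision and recover the serial.
    The instance key is '<serial>&<n>'; when the device reports no serial, Windows generates
    an instance ID whose second character is '&' (e.g. '7&2a1b3c4d&0&...'), so no serial exists."""
    match = USBSTOR_RE.fullmatch(device_key)
    if match is None:
        raise ValueError(f"unexpected USBSTOR key format: {device_key}")
    info = match.groupdict()
    if len(instance_key) > 1 and instance_key[1] == "&":
        info["serial"] = None           # Windows-generated instance ID: device has no serial
    else:
        info["serial"] = instance_key.split("&")[0]
    return info


def build_timeline(file_list_csv: str, usbstor_entries, install_date: datetime) -> list:
    """Merge file-system metadata and registry last-written times into one sorted timeline,
    dropping files whose Modified time predates the installation (part of the Windows 7 image)."""
    events = []
    for row in csv.DictReader(io.StringIO(file_list_csv)):
        created = datetime.strptime(row["Created"], TS_FORMAT)
        modified = datetime.strptime(row["Modified"], TS_FORMAT)
        if modified < install_date:
            continue                    # stock OS file; excluded as the lab instructs
        events.append(Event(created, "created", row["Path"]))
        if modified != created:
            events.append(Event(modified, "modified", row["Path"]))
    for device_key, instance_key, last_written in usbstor_entries:
        dev = parse_usbstor(device_key, instance_key)
        label = f"USB device last written: {dev['vendor']} {dev['product']} serial={dev['serial']}"
        events.append(Event(datetime.strptime(last_written, TS_FORMAT), label,
                            f"HKLM\\System\\ControlSet001\\Enum\\USBSTOR\\{device_key}\\{instance_key}"))
    # Sort by time, then by path/key name, mirroring the Excel sort the lab suggests.
    return sorted(events, key=lambda e: (e.when, e.source))


if __name__ == "__main__":
    for ev in build_timeline(FILE_LIST_CSV, USBSTOR_ENTRIES, INSTALL_DATE):
        print(f"{ev.when:%Y-%m-%d %H:%M:%S}  {ev.what:<60}  {ev.source}")
```

The Kingston entry is deliberately given a Windows-generated instance ID so the timeline records it without a serial, which is how such a device would have to be reported in the summary table.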
Copyright © 2015 by University of Maryland University College. All Rights Reserved.

CMIT 424: Digital Forensics Analysis and Application
Lab 5: Reconstruct System Usage Using Registry and Other System Files

Introduction
This lab builds upon the acquisition, processing, and analysis techniques that you learned and practiced in earlier labs in this course. In this lab, you will practice finding, recovering, and analyzing system usage information for a Windows 7 computer system. Before you begin, you should review the following readings, which address analytical processes and techniques used to recover and evaluate information about system usage.
1. FTK Registry Viewer User Guide (access the PDF file from the Registry Viewer help menu)
2. FTK User Guide (access the PDF file from the FTK help menu)
a. Chapter 16, "Using the Examiner Interface"
b. Chapter 17, "Exploring Evidence"
c. Chapter 18, "Examining Evidence in the Overview Tab"
d. Chapter 22, "Examining Miscellaneous Evidence"
e. Chapter 23, "Bookmarking Evidence"
f. Chapter 32, "Working with Evidence Reports"
g. Chapter 35, "Working with Windows Registry Evidence"

Lab 5 Scenario and Case Questions
A laptop from the offices of Practical Applied Gaming Solutions, Inc., has been sent to your lab for analysis. This laptop was returned to the company by a former employee several weeks after the employee's unexpected resignation. During case triage, it was determined that VMWare was installed on the laptop. Several folders containing virtual machines were also found. A forensic image (E01 format) was created from each of the virtual disks (VMDK files) by a forensic technician using FTK Imager. You have been asked to contribute to the investigation by reconstructing the usage of one of the virtual machines from the contents of the associated VMDK file. The chain-of-custody log states that this file contains a Windows 7 system disk.
The lead investigator has asked you to address the following case questions during your examination of the evidence. (Ignore the Internet cache and index files for this lab; you will analyze and report on them in Lab 6.)
1. When was the Windows 7 image created (installed in the VM), and during what time period was it in use?
2. What software applications were loaded and available for use in the VM?
3. Who used the Windows 7 VM? (More than one user?)
4. What was the Windows 7 VM used for?
5. Was the VM used regularly or repeatedly?
6. Are there indications of an intent to hide or obscure how the VM was used?
7. Are there indications of an intent to use the VM to facilitate illegal or unethical behavior? (Unethical includes actions that are contrary to the employer's best interests or that violate the company's Acceptable Use Policy governing use of company resources—i.e., the laptop on which the VM was found.)

Lab 5 Overview
In this lab you will search for, recover, and analyze system usage information from a forensic image provided by your instructor. At a minimum, you should perform the following tasks:
· Analyze the Windows Registry to recover information about the Windows 7 operating system and how it was used.
· Analyze the contents of system log files, link files (shortcuts), and prefetch files.
· Reconstruct user-level system usage using information recovered from folders and files stored in user profiles.
· Analyze the contents of the recycle bin.
· Reconstruct system-level usage information found in the file system metadata (use the information shown in the file list pane).
· Construct a timeline showing significant system usage events, such as boot, shutdown, installation of software, installation of patches or updates, user logins, etc.
· Note: The provided forensic image has been modified for training purposes.
· The virtual disk is no longer bootable.
· Files whose contents are not required for this examination have been overwritten with 0x00 (securely wiped).
· The file system data structures have not been modified; the original directory entries remain intact.
As you complete your analysis for this lab, you will need to keep track of specific files that provide forensically important information for your analysis and reporting. In previous labs, you used an annotated file inventory for this purpose. In this lab, you will learn two more methods:
· checked files (see Chapter 17, FTK User Guide) and
· bookmarks (see Chapter 23, FTK User Guide)
Both of these tracking features are accessed in the file list pane by right-clicking on the filename and then selecting the feature from the pop-up menu. You can also access the case Bookmarks using the Bookmarks tab at the top of the Examiner Window.
In Guided Practice #1, you will examine the contents of the Windows 7 registry. Your examination of the individual Windows 7 registry hives should provide you with the following information and/or answers to questions listed below. You will need this information to answer the case questions. In this part of the lab, you will also generate a registry report that documents the associated keys and key values.
· Operating system version.
· Installation date.
· Registered owner. (Is there something odd about this?)
· Computer name.
· Current time zone.
· Fixed hard drives (virtual drives) used in the VM (mounted devices).
· Removable USB media used in the VM. What are the manufacturer and serial numbers of the USBs?
· Installed software (provide a list of all sub keys showing user-installed software packages; add rows as necessary). Pay attention to the last written dates for keys. Keys prior to the installation date represent software that is part of the Windows 7 package and, for this lab, should not be included in your list of installed software.
· Installed software for individual users (find and process the NTUSER.DAT file for each user on the system; this file contains the HKCU hive).
· Recent files accessed by individual users (find and process the NTUSER.DAT file for each user on the system; this file contains the HKCU hive).
· Most recently used (MRU) items including software applications and files.
· Any additional keys you found to be helpful in determining how this VM was used, when it was used, and who used it.
In Guided Practice #2, you will examine the contents of link files (shortcut files), log files, and prefetch files recovered from the virtual disk. (You may need to research the format and usage for specific file types to learn more about what they can tell you regarding system usage.) The file contents provide information about events that occurred or actions that were performed, and possibly also when those events occurred. The locations of these files will provide information as to who (system or a specific user account) performed the actions captured in the contents and metadata. When reviewing these files, be sure to examine both the contents and the file properties using the file contents pane. In this part of the lab, you will mark files of forensic interest (ones that you will use to answer the case questions) using checked files and Bookmark categories. You will then generate an FTK report that lists the files (by file path), the Bookmark categories, and the files included under each bookmark.
Before you begin this part of the lab, you should decide upon the format that you will use to create your system usage timeline. Your timeline could be presented in a table in a Microsoft Word document or as an Excel spreadsheet. The important thing to remember is that your timeline should clearly show the events that are of forensic interest and the date/time of occurrence for each event. You should also list the files that provided the information about each event. Below is a suggested table format for a system usage timeline. This format can be used in either Microsoft Word or Microsoft Excel.

Date/Time | Event Description | Files or Artifacts created or modified

In Guided Practice #3, you will generate an inventory of selected folders and files from the forensic image of the virtual disk. You will use this inventory to construct a tentative timeline of events and identify file/folder entries that can provide answers to the case questions. For this part of the lab, your analysis is restricted to file properties and directory-level information—file paths, creation dates, last access dates, last modified dates, etc.
In Guided Practice #4, you will write a lab report memo (three to five pages maximum) in which you document your answers to the case questions. Each answer must be supported by information contained in the forensic image and you must identify which artifacts (files or folders) support your answers. Provide your supporting documentation, i.e., registry reports, file inventory, and timeline of system usage, as a single zip archive. The registry reports, file inventory and timeline files should be submitted in a single zip file archive; this documentation is not counted in the lab memo page count.

Required Software
· Forensic Toolkit
· FTK Registry Viewer
· WinHex
· MS Office (Word, Excel, PowerPoint)
· Adobe Reader (or another PDF file viewer)
· Web browser

Required Software
· Forensic Toolkit
· FTK Registry Viewer
· MS Excel (or equivalent spreadsheet application)

Deliverables
1. Incident Investigation Summary Report (5-8 pages with tables / screen shots)
Prepare a memo-format report summarizing answers to the case questions and providing documentation as to the tools, techniques, and procedures used in this lab. Your report should include high-level analysis summaries in table format for:
a. Registry Analysis & Values of Important Keys (GP#1)
b. System Usage Data (GP#2)
c. Meta Data Analysis of Important Files (GP#3)
Note: Your “high level summaries” of your analysis results should be *summaries* not a compendium of every piece of information found in the image. Focus on providing data which provides support to your answers to the case questions. Irrelevant information should not be included.
2. System Usage Timeline
This table will be created in Guided Practice #3.

Grading for Lab Deliverables
1. Incident Investigation Summary Report 60%
a. Overview 15%
b. Findings & Answers to Case Questions 15%
c. Summary Tables 15%
d. Description of Analysis & Processing 15%
2. System Usage Timeline 25%
3. Professionalism 15% (formatting, grammar, spelling, punctuation, etc.)

Lab 5 Outcomes
Course Outcomes for Lab 5
· reconstruct system usage using Windows Registry and other system files
· perform and document timeline analysis
· prepare brief report summarizing findings and answering case questions
· apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital artifacts
· select and apply the most appropriate methodology to extract data based on circumstances and reassemble artifacts from data fragments
· analyze and interpret data collected and report outcomes in accordance with incident response handling guidelines