CYBV388 Lab #4, Isaac Sanchez (University of Arizona, Information Systems). Document dated May 3, 2024; 3 pages.
CYBV 388: Cyber Investigations and Forensics
Lab #4: Windows Registry, File System Identification and File Carving
University of Arizona, College of Applied Science & Technology
Lab #4 Exercise: Windows Registry, File System Identification and File Carving
The file system and operating system can provide a wealth of information when investigating a case. This week we will examine the Windows registry, which contains a vast amount of information about the Windows environment and the software within it. We will also look at various types of file systems and then finally manually carve out files that have been previously deleted.
Lab Report Part 1
In this portion of the lab, we will examine the forensic value of the Windows registry files. Even though the registry appears to be a single database, it is assembled at boot from a number of physical files saved on the system. Each file is known as a hive and contains a portion of the registry; the table below maps the keys you see in the Registry Editor to the file on disk that backs them.
Registry Hive                          Location
HKEY_LOCAL_MACHINE\Software            Windows\System32\Config\Software
HKEY_LOCAL_MACHINE\System              Windows\System32\Config\System
HKEY_LOCAL_MACHINE\SAM                 Windows\System32\Config\SAM
HKEY_LOCAL_MACHINE\Security            Windows\System32\Config\Security
HKEY_USERS\<SID> (HKEY_CURRENT_USER)   Userfolder\Ntuser.dat

All of these files are held open by Windows while it is running, and SAM and SECURITY are additionally readable only by SYSTEM, so the hives examined here are copies taken from an image of the suspect machine, not files read from a live system.
Tools:
Product: Registry Ripper
Manufacturer: H. Carvey
Web site: https://github.com/keydet89/RegRipper3.0
(NOTE: Please make sure to use Version 3.0 and not 2.8)
1. Ensure that you have the following files in the Part 1 folder:
   a. Ntuser.dat
   b. SAM
   c. SECURITY
   d. SOFTWARE
   e. SYSTEM
2. Open Registry Ripper (RegRip) and load the System hive. Run RegRip and write the output to a location of your choosing. Once RegRip has finished examining the hive, open the output file and view its contents. Answer questions 1 – 6.
3. Load the Software hive and run RegRip against it. Open the output file and view its contents. Answer questions 7 – 10.
4. Load the SAM hive and run RegRip against it. Open the output file and view its contents. Answer questions 11 – 14.
5. Load the User hive (Ntuser.dat) and run RegRip against it. Open the output file and view its contents. Answer questions 15
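RegRipper prints decoded values, but an examiner should be able to check a reported timestamp, RID or logon count against the raw bytes in the hive. The script below is an added example for this lab (not part of the handout and not RegRipper's own code) that decodes the value types behind questions 4, 9, 11, 12 and 13: FILETIME stamps such as ShutdownTime and a key's LastWrite time (which is where the USBSTOR "first installed" time comes from), the REG_DWORD InstallDate in the Software hive, the RID at the end of an account SID, and the RID, ACB flags and logon count inside the SAM F value, read at the offsets RegRipper's samparse plugin uses. The function names, the build_sample_f helper and every sample byte string are this example's own; no real hive is read.

```python
"""Decode raw SYSTEM, SOFTWARE and SAM registry values by hand.
Added example for CYBV 388 Lab #4; not part of the handout or of RegRipper.
All sample data is constructed so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw):
    """8-byte little-endian FILETIME (100-ns ticks since 1601-01-01 UTC) -> UTC
    datetime, or None when the value is zero/unset. ShutdownTime and every
    key's LastWrite time are stored in this format."""
    ticks, = struct.unpack("<Q", raw)
    if ticks == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; only used here to build sample data."""
    return struct.pack("<Q", ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10)


def unix_dword_to_utc(raw):
    """REG_DWORD seconds since 1970 (SOFTWARE\\Microsoft\\Windows NT\\
    CurrentVersion\\InstallDate uses this, not FILETIME)."""
    secs, = struct.unpack("<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def rid_from_sid(sid):
    """The RID is the last sub-authority of the account SID."""
    return int(sid.rsplit("-", 1)[1])


def hex_key_name(rid):
    """SAM\\Domains\\Account\\Users\\<RID> names the subkey as 8 uppercase hex digits."""
    return "%08X" % rid


# Offsets inside the SAM F value, as read by RegRipper's samparse plugin.
F_LAST_LOGON, F_PWD_SET, F_RID, F_ACB, F_FAILED, F_LOGONS = 0x08, 0x18, 0x30, 0x38, 0x40, 0x42
# ACB (account control) flag bits relevant to questions 12 and 14.
ACB_DISABLED, ACB_PWNOTREQ, ACB_NORMAL = 0x0001, 0x0004, 0x0010


def parse_sam_f(f):
    """Decode the fields of a user's F value; raise if the blob is truncated."""
    if len(f) < F_LOGONS + 2:
        raise ValueError("F value too short: %d bytes" % len(f))
    acb = struct.unpack_from("<H", f, F_ACB)[0]
    return {
        "rid": struct.unpack_from("<I", f, F_RID)[0],
        "last_logon": filetime_to_utc(f[F_LAST_LOGON:F_LAST_LOGON + 8]),
        "pwd_last_set": filetime_to_utc(f[F_PWD_SET:F_PWD_SET + 8]),
        "disabled": bool(acb & ACB_DISABLED),
        "password_required": not (acb & ACB_PWNOTREQ),  # True unless PWNOTREQ is set
        "failed_logons": struct.unpack_from("<H", f, F_FAILED)[0],
        "logon_count": struct.unpack_from("<H", f, F_LOGONS)[0],
    }


def build_sample_f(rid, acb, logons, last_logon):
    """Constructed F value (not copied from any real hive) carrying only the
    fields parse_sam_f reads; unused bytes stay zero."""
    f = bytearray(0x50)
    f[F_LAST_LOGON:F_LAST_LOGON + 8] = utc_to_filetime(last_logon)
    f[F_RID:F_RID + 4] = struct.pack("<I", rid)
    f[F_ACB:F_ACB + 2] = struct.pack("<H", acb)
    f[F_LOGONS:F_LOGONS + 2] = struct.pack("<H", logons)
    return bytes(f)


if __name__ == "__main__":
    # SID from the lab's SAM questions; the F value is constructed.
    sid = "S-1-5-21-2425377081-3129163575-2985601102-1000"
    rid = rid_from_sid(sid)
    print("RID %d -> SAM Users subkey %s" % (rid, hex_key_name(rid)))
    install = unix_dword_to_utc(b"\xf2\xd2\x0e\x55")  # constructed DWORD
    print("InstallDate:", install.isoformat())
    sample = build_sample_f(rid, ACB_NORMAL, 2, install)
    for field, value in parse_sam_f(sample).items():
        print("  %-18s %s" % (field, value))
```

In RegRipper 3.0 the command-line equivalent of steps 2 to 5 is rip.pl -r <hive> -a, which runs every plugin that matches the hive type; the values this script decodes are the ones those plugins print for the System, Software and SAM hives. Note that the RID is only the trailing sub-authority of the SID, so an answer that quotes the whole SID has not actually isolated it.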
Lab Exercise #4: Lab Report Part 1

System
1. What is the Hostname for the computer system?
   informant-PC
2. What is the MAC address of the system?
   80:6E:6F:6E:69:63
3. What was the IP address (DhcpIPAddress) of the system?
   10.11.11.129
4. When was the system last shut down?
   2015-03-25 15:31:05Z
5. What is the time zone for the system?
   Eastern Standard Time
6. A USB drive with the serial number 4C530012450531101593 was plugged into the system.
   a. When was it first installed?
      2015-03-24 13:38:00Z

Software
7. What program is configured to Run on startup? (Search for RunOnce)
   Eraser.exe
8. What version of Windows is being run? (Search for product)
   Windows 7 Ultimate
9. When was Windows installed?
   2015-03-22 14:34:26Z
10. What is the version of Office Professional being run? (Search for professional)
    v.15.0.4420.1017

SAM
11. What is the RID for the Informant account?
    S-1-5-21-2425377081-3129163575-2985601102-1000
12. True/False: The user admin11 requires a password to log on.
    True
13. How many times has the Informant account logged into the system?
    2
14. What accounts have administrative access to the system?
    4

NTUsers