CYBV388 Lab #4, Isaac Sanchez (.docx)
School: University of Arizona
Course: 309
Subject: Information Systems
Date: May 3, 2024
Uploaded by DukeResolveZebra39 on coursehero.com

CYBV 388: Cyber Investigations and Forensics
Lab #4: Windows Registry, File System Identification and File Carving
University of Arizona, College of Applied Science & Technology

Lab #4 Exercise: Windows Registry, File System Identification and File Carving

The file system and operating system can provide a wealth of information when investigating a case. This week we will examine the Windows registry, which contains a vast amount of information about the Windows environment and the software within it. We will also look at various types of file systems and then finally manually carve out files that have been previously deleted.

Lab Report Part 1

In this portion of the lab, we will examine the forensic value of the Windows registry files. Even though the registry appears to be a single database, it is comprised of information from a number of physical files saved on the system. Each file is known as a hive and contains a portion of the registry.

    Registry Hive                     Location
    HKEY_LOCAL_MACHINE\Software       Windows\System32\Config\Software
    HKEY_LOCAL_MACHINE\System         Windows\System32\Config\System
    HKEY_LOCAL_MACHINE\SAM            Windows\System32\Config\SAM
    HKEY_LOCAL_MACHINE\Security       Windows\System32\Config\Security
    HKEY_User                         Userfolder\Ntuser.dat

Tools:
    Product: Registry Ripper
    Manufacturer: H. Carvey
    Web site: https://github.com/keydet89/RegRipper3.0
    (NOTE: Please make sure to use Version 3.0 and not 2.8)

1. Ensure that you have the following files in the Part 1 folder:
   a. Ntuser.dat
   b. SAM
   c. SECURITY
   d. SOFTWARE
   e. SYSTEM
2. Open Registry Ripper (RegRip) and load the System Hive. Run RegRip and output the file to a location of your choosing. Once RegRip has finished examining the Hive, open the output file and view its contents. Answer questions 1 – 6.
3. Load the Software Hive and run RegRip against it. Open the output file and view its contents. Answer questions 7 – 10.
4. Load the SAM Hive and run RegRip against it. Open the output file and view its contents. Answer questions 11 – 14.
5. Load the User Hive and run RegRip against it. Open the output file and view its contents. Answer questions 15

Lab Exercise #4 LAB REPORT PART 1

System
1. What is the Hostname for the computer system?
   informant-PC
2. What is the MAC address of the system?
   80:6E:6F:6E:69:63
3. What was the IP address (DhcpIPAddress) of the system?
   10.11.11.129
4. When was the system last shutdown?
   2015-03-25 15:31:05Z
5. What is the timezone for the system?
   Eastern Standard Time
6. A USB drive with the serial number 4C530012450531101593 was plugged into the system.
   a. When was it first installed?
      [2015-03-24 13:38:00Z]

Software
7. What program is configured to Run on startup? (Search for RunOnce)
   Eraser.exe
8. What version of Windows is being run? (Search for product)
   Windows 7 Ultimate
9. When was Windows installed?
   2015-03-22 14:34:26Z
10. What is the version of Office Professional being run? (search for professional)
    v.15.0.4420.1017

SAM
11. What is the RID for the Informant account?
    S-1-5-21-2425377081-3129163575-2985601102-1000
12. True/False: The user admin11 requires a password to logon.
    True
13. How many times has the Informant account logged into the system?
    2
14. What accounts have administrative access to the system?
    4

NTUsers
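As an added illustration (not part of the lab handout and not RegRipper's own code), the script below applies the hive-to-location table from the lab to a mounted Windows volume: it locates the four HKEY_LOCAL_MACHINE hives plus each profile's NTUSER.DAT, checks that each file begins with the "regf" signature that every registry hive file carries, and records a SHA-256 so the examiner has the file's hash before it is fed to RegRipper. The volume-root path, the uppercase file names (what you typically see on a case-sensitive Linux mount of an NTFS volume) and the profile folders "informant" and "admin11" are assumptions; the sample volume it builds under a temporary directory is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hive-to-path table from the lab, relative to the volume root.
# Assumption: uppercase file names, as seen on a case-sensitive mount.
HIVE_LOCATIONS = {
    "HKEY_LOCAL_MACHINE\\Software": Path("Windows/System32/Config/SOFTWARE"),
    "HKEY_LOCAL_MACHINE\\System":   Path("Windows/System32/Config/SYSTEM"),
    "HKEY_LOCAL_MACHINE\\SAM":      Path("Windows/System32/Config/SAM"),
    "HKEY_LOCAL_MACHINE\\Security": Path("Windows/System32/Config/SECURITY"),
}
USER_HIVE_NAME = "NTUSER.DAT"   # one per profile folder under Users\
REGF_MAGIC = b"regf"            # 4-byte signature at offset 0 of every hive file


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large hives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_regf(path: Path) -> bool:
    """True when the file starts with the registry hive signature."""
    with path.open("rb") as fh:
        return fh.read(4) == REGF_MAGIC


def inventory_hives(volume_root: Path) -> List[Dict[str, Optional[object]]]:
    """One record per expected hive: present?, regf signature?, SHA-256."""
    candidates = [(hive, volume_root / rel) for hive, rel in HIVE_LOCATIONS.items()]
    users_dir = volume_root / "Users"
    if users_dir.is_dir():
        for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
            candidates.append((f"HKEY_USERS ({profile.name})", profile / USER_HIVE_NAME))
    records = []
    for hive, path in candidates:
        rec = {"hive": hive, "path": str(path), "present": path.is_file(),
               "regf": False, "sha256": None}
        if rec["present"]:
            rec["regf"] = is_regf(path)
            rec["sha256"] = sha256_of(path)
        records.append(rec)
    return records


def build_sample_volume(root: Path) -> None:
    """Constructed sample: a fake volume layout, not data from any real case.

    Every hive gets the regf header except admin11's NTUSER.DAT, which is
    written as plain text to show how a non-hive file is flagged.
    """
    for rel in HIVE_LOCATIONS.values():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(REGF_MAGIC + b"\x00" * 60)
    for user, body in (("informant", REGF_MAGIC + b"\x00" * 60),
                       ("admin11", b"not a hive\n")):
        (root / "Users" / user).mkdir(parents=True, exist_ok=True)
        (root / "Users" / user / USER_HIVE_NAME).write_bytes(body)


def run_demo() -> List[Dict[str, Optional[object]]]:
    """Build the constructed volume in a temp dir and inventory it."""
    root = Path(tempfile.mkdtemp(prefix="lab4_volume_"))
    build_sample_volume(root)
    return inventory_hives(root)


if __name__ == "__main__":
    for rec in run_demo():
        flag = "OK " if rec["regf"] else "BAD"
        print(f"{flag} {rec['hive']:<32} present={rec['present']} sha256={rec['sha256']}")
```

Run it against a real image by calling inventory_hives with the mount point of the Windows volume; any record with present=True and regf=False deserves a closer look before RegRipper is pointed at it, and the recorded hashes go into the case notes alongside the RegRipper output files the lab asks you to save.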