Lab 5 - Windows Registry_2023
School: University of Cincinnati, Main Campus
Course: 3075C
Subject: Information Systems
Date: Feb 20, 2024
Pages: 4
Uploaded by SuperLeopard4063
IT3072C LAB 5 – Windows Registry Page 1

LAB 5 – Windows Registry

Ensure your vApp has the following Forensic Examination software and resources:
4GB RAM
Hard drive 1: 120GB
AccessData FTK v6.0
AccessData FTK Imager v3.4.3.3
AccessData Registry Viewer v1.8.3.0
AccessData Password Recovery Toolkit (PRTK) v7.9.0

Please read the file “Lab 5 Assistance.pdf” that accompanies this lab. It gives an overview of the basic instructions needed to access and view Windows Registry files.

Instructions
Log in to the Sandbox environment and access your VM.

PART 1: Check the Datastore ISO File
Make sure the Datastore ISO File is “IT3072C-ImageFiles.iso”.
Make sure the VM optical drive has “LAB-image-files”.

PART 2: Access the sample image file
Use the file “FAT32 Image.e01” located in your “C:\Images” directory that you previously downloaded in Lab 3.

AccessData FTK Imager software
Create a directory on your VM named C:\Registry.
Create a sub-directory in \Registry named \FAT32.
Launch the FTK Imager software.
Open the FAT32 Image.e01 file.
Locate and extract the following registry files to the \FAT32 directory:
1. NTUSER.DAT [Hint: \Documents & Settings\*]
2. SAM [Hint: \Windows\*]
3. SYSTEM
4. SECURITY
5. SOFTWARE

AccessData Registry Viewer software
Launch the AccessData Registry Viewer software.
Using the registry files that you extracted, answer the following questions:
1. [SYSTEM] What is the timezone of the computer?
2. [SYSTEM] What is the hostname of the computer?
3. [SYSTEM] What are the two IP addresses of the DHCP servers?
4. [SOFTWARE] What is the default username?
5. [SOFTWARE] What is the Operating System and Service Pack?
6. [SOFTWARE] Who is the registered owner of the computer?
7. [NTUSER.DAT] What is the last network drive location that the user mapped?
8. [NTUSER.DAT] What was the last *.rar file that the user accessed?
9. [NTUSER.DAT] What URL did the user recently type?
10. [SAM] How many user accounts are listed under the “Names” key?

PART 3: Access the Windows10 Registry Files
Locate the directory on your VM named C:\Registry and create a \Win10 subdirectory.
Access drive E: with the volume label “LAB-image-files”.
Locate the contents of the \Win10_Edge\0x04_reference_hive\p1 folder.
Review the contents of the \Windows\system32\config folder to see how Windows10 Registry Files are stored.
Copy the “SAM”, “SOFTWARE”, “SYSTEM” and “SECURITY” registry files to C:\Registry\Win10.
Locate the contents of the E:\Win10_Edge\0x04_reference_hive\p1\Users folder.
Locate the user profile “CFTT” and copy the “NTUSER.DAT” registry file to C:\Registry\Win10.

AccessData Registry Viewer software
Launch the AccessData Registry Viewer software.
Using the registry files that you extracted, answer the following questions:
11. [SYSTEM] What is the timezone of the computer?
12. [SYSTEM] What is the hostname of the computer?
13. [SYSTEM] What mounted device drive letter is assigned to the CD-ROM drive?
14. [SOFTWARE] What is the Operating System and Build number?
15. [SOFTWARE] What is the Last Used Username?
16. [SOFTWARE] What is the AutoLogon SID?
17. [SAM] Is the Administrator account enabled or disabled?
18. [SAM] What is the full name of user “cfttu”?
19. [NTUSER.DAT] What evidence-eliminating software is set to start in monitor mode?
20. [NTUSER.DAT] What command was most recently run by the user?
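The values behind the SYSTEM, SOFTWARE and NTUSER.DAT questions in Part 2 and Part 3 can be cross-checked against the Registry Viewer answers by loading the extracted hive copies as temporary keys. This is an added example, not part of the lab or of AccessData's tools; it assumes an elevated PowerShell session on the VM, the hive directories C:\Registry\FAT32 and C:\Registry\Win10 from the lab, and the temporary key names FX_* (a hypothetical choice).

```powershell
function Get-OfflineHiveSummary {
    param([Parameter(Mandatory)][string]$HiveDir)   # C:\Registry\FAT32 or C:\Registry\Win10
    $mounts = @{ SYSTEM = 'FX_SYSTEM'; SOFTWARE = 'FX_SOFTWARE'; 'NTUSER.DAT' = 'FX_NTUSER' }
    foreach ($hive in $mounts.Keys) {
        # reg.exe load attaches the extracted hive file as a temporary key under HKLM
        & reg.exe load "HKLM\$($mounts[$hive])" (Join-Path $HiveDir $hive) | Out-Null
    }
    try {
        $sys = "HKLM:\$($mounts['SYSTEM'])"
        # Select\Current names the ControlSet that was active on the imaged machine
        $cs  = 'ControlSet{0:D3}' -f (Get-ItemProperty "$sys\Select").Current
        $tz  = Get-ItemProperty "$sys\$cs\Control\TimeZoneInformation"
        $cn  = Get-ItemProperty "$sys\$cs\Control\ComputerName\ComputerName"
        # Each adapter keeps its own DhcpServer value; skip adapters that never held a lease
        $dhcp = Get-ChildItem "$sys\$cs\Services\Tcpip\Parameters\Interfaces" |
            ForEach-Object { (Get-ItemProperty $_.PSPath).DhcpServer } | Where-Object { $_ }
        # MountedDevices data is UTF-16 bytes; a CD-ROM's device path contains "CdRom"
        $cd = (Get-ItemProperty "$sys\MountedDevices").PSObject.Properties |
            Where-Object { $_.Name -like '\DosDevices\*' -and
                           [Text.Encoding]::Unicode.GetString($_.Value) -match 'CdRom' } |
            ForEach-Object Name
        $sw  = "HKLM:\$($mounts['SOFTWARE'])"
        $nt  = Get-ItemProperty "$sw\Microsoft\Windows NT\CurrentVersion"
        $wl  = Get-ItemProperty "$sw\Microsoft\Windows NT\CurrentVersion\Winlogon"
        # MRU keys hold lettered values; the first letter in MRUList is the most recent entry
        $usr = "HKLM:\$($mounts['NTUSER.DAT'])\Software\Microsoft\Windows\CurrentVersion\Explorer"
        $map = Get-ItemProperty "$usr\Map Network Drive MRU" -ErrorAction SilentlyContinue
        $run = Get-ItemProperty "$usr\RunMRU" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            # XP only has StandardName; Vista and later add the unambiguous TimeZoneKeyName
            TimeZone        = if ($tz.TimeZoneKeyName) { $tz.TimeZoneKeyName } else { $tz.StandardName }
            Hostname        = $cn.ComputerName
            DhcpServers     = $dhcp -join ', '
            CdRomDrive      = $cd -join ', '
            OS              = "$($nt.ProductName) $($nt.CSDVersion) build $($nt.CurrentBuildNumber)"
            RegisteredOwner = $nt.RegisteredOwner
            DefaultUserName = $wl.DefaultUserName
            AutoLogonSID    = $wl.AutoLogonSID
            LastMappedDrive = if ($map.MRUList) { $map.($map.MRUList.Substring(0, 1)) }
            LastRunCommand  = if ($run.MRUList) { $run.($run.MRUList.Substring(0, 1)) }
        }
    }
    finally {
        # Drop provider handles first, otherwise reg.exe unload reports the key as in use
        [GC]::Collect()
        foreach ($m in $mounts.Values) { & reg.exe unload "HKLM\$m" | Out-Null }
    }
}
Get-OfflineHiveSummary -HiveDir 'C:\Registry\FAT32' | Format-List
```

Run it once per hive directory; it loads only SYSTEM, SOFTWARE and NTUSER.DAT, so the SAM questions (account count, Administrator status, full names) are still answered in Registry Viewer.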
SUBMISSION: Input your answers to the 20 questions into a file named username_Lab5.txt and submit it.