WK 5 LAB (docx, 12 pages)
School: SUNY Buffalo State College
Course: COMPUTER F
Subject: Information Systems
Date: Dec 6, 2023
Uploaded by DeanField4049
DIGITAL FORENSIC SCIENCE (DFS-501-85A)
Week 5: Examination of the Windows Registry
CLIFFORD KWAME ATTAGLO
AKETTE COWART
NOVEMBER 28, 2023
Week 5 Lab

Laboratory Number: 790906
Examiner's Name: Clifford Attaglo
<Exercise, Validation Test, or Examination> Number: 50185AWK5

Examination or Validation Tasking: To use RegRipper to examine several Windows Registry hives and the artifacts in them that are necessary and important to digital forensic investigations.

Forensic Question(s):

1. What are you being tasked to find? To use RegRipper to retrieve information from the Windows Registry hives SYSTEM, NTUSER.DAT, SAM, SECURITY, and SOFTWARE, then open the resulting text files it generates and check the results for items that are important to the investigation.

2. What are the goals for this forensic analysis and examination? To retrieve specific activity and information about the system from the registry hives SYSTEM, NTUSER.DAT, SAM, SECURITY, and SOFTWARE, and to analyze the resulting files generated by RegRipper to acquire the necessary information.

Steps Taken:

1. Launch RegRipper from your workstation.

2. In the resulting RegRipper GUI, click the "Browse" button next to the "Hive File" field and select your file from your drive or from the folder on the Desktop, as shown below.
3. Click the "Browse" button next to the "Report File" field and specify "Informant-SAM" as the name of the RegRipper report for the content of the selected registry hive, as shown below.

4. With those two values set, click the "Rip!" button to start the process.
5. Repeat the same process for all other files in your drive or folder to rip the rest of Mr. Informant's registry hives.

6. Confirm the content of the directory to ensure all the files were generated with an appropriate naming convention that lets you differentiate between the files.

Results:

Analysis of the NTUSER.DAT File

1. What applications did Mr. Informant run that might be notable in the context of your investigation? The applications that Mr. Informant ran which might be of interest include ccsetup504.exe, iCloud, Eraser, Google Drive, Internet Explorer, and Remote Desktop.
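A command-line equivalent of steps 1 through 6, added here as an example and not part of the original lab: it assumes the RegRipper 3.0 CLI rip.pl is on the PATH (override with RIP=...) and that its "-r <hive> -a" options select the hive file and run every plugin for that hive type; the hive directory, case prefix and report directory are placeholder arguments.

```shell
#!/bin/sh
# Batch-rip a directory of Windows Registry hives with the RegRipper CLI.
# Assumption: rip.pl (RegRipper 3.0) is on the PATH and accepts
# "-r <hive> -a" (hive file, then auto-run every plugin for that hive type).
# Set RIP=/path/to/rip.pl (or rip.exe) to point at another copy.
RIP="${RIP:-rip.pl}"

# rip_all_hives <hive_dir> <case_prefix> <report_dir>
# One report per hive, named <case_prefix>-<HIVENAME>.txt (e.g. Informant-SAM.txt),
# so reports from different hives and different custodians never collide.
# Prints the number of reports written.
rip_all_hives() {
    hive_dir="$1"; prefix="$2"; out_dir="$3"
    mkdir -p "$out_dir"
    count=0
    for hive in "$hive_dir"/*; do
        [ -f "$hive" ] || continue
        name=$(basename "$hive")
        # Only rip files that are actually registry hives; skip notes, images, etc.
        case "$name" in
            SYSTEM|SOFTWARE|SAM|SECURITY|NTUSER.DAT|NTUSER.dat|UsrClass.dat) ;;
            *) continue ;;
        esac
        report="$out_dir/$prefix-$name.txt"
        # Keep plugin errors separate so they do not pollute the evidence report.
        if "$RIP" -r "$hive" -a >"$report" 2>"$report.err"; then
            count=$((count + 1))
        else
            echo "rip failed for $hive, see $report.err" >&2
        fi
        [ -s "$report.err" ] || rm -f "$report.err"
    done
    echo "$count"
}

# list_reports <case_prefix> <report_dir>
# Step 6: confirm every report exists and follows the naming convention.
list_reports() {
    ls "$2"/"$1"-*.txt 2>/dev/null
}

# Usage: sh rip_hives.sh <hive_dir> <case_prefix> <report_dir>
if [ $# -ge 3 ]; then
    echo "reports written: $(rip_all_hives "$1" "$2" "$3")"
    list_reports "$2" "$3"
fi
```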
2. Are the last date/time those applications were run relevant to your inquiry (and why or why not)? Yes. This points to the exact date and time the suspect ran the application, as this is recorded in NTUSER.DAT.

Analysis of the SAM File

3. What is Mr. Informant's password hint? Hypothetically, how might a user's password hint be useful to you as an investigator? The password hint is IAMAN, as can be seen in the screenshot below. This would give the investigator an insight into what the account's password might be. For example, if the password hint is an animal name, I can employ a dictionary attack to crack the password. There are many tools that would be able to crack the password just by having the password hint; examples of such tools include John the Ripper.
4. What was the most recent PowerPoint document opened by the informant user? When was it opened? Did the informant user open any files more recently than that PowerPoint doc? The most recent PowerPoint document opened by the informant is Power Point Slide 7 at 15.03.45. No, Mr. Informant opened PowerPoint more frequently than any other application. Although a Microsoft Excel sheet was opened many times, it was not opened as frequently as PowerPoint.
5. What was the last date/time Mr. Informant logged on to the system? In your opinion, does that last logon relate to your scenario timeline and, if so, how? The last logon date for Mr. Informant was 2015-03-25 14:45:59Z. In my opinion, yes, it does fall within the window of the investigation.

6. What is the name and version of the Windows OS installed on this system? What date was it installed? Who is listed as the RegisteredOwner? Windows OS: Windows 7 Ultimate. Version: v.20200525. Installed Date: 2015-03-22 14:34:26Z. RegisteredOwner: Informant.
7. Did the informant user do any searches in Windows? If so, when does it appear he performed that/those search(es)? Search word: order. Date it appeared: 2015-03-23 18:40:17Z.
8. Were there any USB or flash drives connected to the system? If so, what is the FriendlyName and serial number of each? When was each most likely first connected to the system? Yes, there was a USB or flash drive connected to the system. FriendlyName: SanDisk Cruzer. Serial Number: 4C530012550531106501&0, 4C530012450531101593&0.
Result: RegRipper v3.0 was able to acquire all the necessary and specific information from the suspect system via the registry hives NTUSER.DAT, SYSTEM, SOFTWARE, SAM, and SECURITY. RegRipper collected all the information necessary to the investigation, such as the search word, password hint, USB devices, users, etc.
Conclusion: This is one of the best tools for extracting or parsing information, that is, keys, values, and data, from the Windows Registry. It is capable of presenting information or data for analysis and lets the investigator select a hive to parse and an output file for the results, including the profile to run against a specific Windows Registry hive.