2) Analyzing Virtual Memory Using Forensic Toolkit. Because virtual memory is temporary (volatile), examination of
this evidence may be possible only before the computer is turned off to move it to a forensic lab. You should process a virtual memory capture performed on a live computer. Procedures: Copy the memdump.zip file wherever you want to save, and extract all (like a RAM folder). To start FTK tool by right-clicking the FTK icon (e.g., Run as administration). In the search tab, type bank, and click the blue add button. In the search tab, type search, and click the blue add button. Where both bank and search are found together, click the blue view cumulative results button, select all hits, check apply to all and click OK.
1) Screen shot of search results while indicating John Smith used Bing in Internet Explorer to search for bank locations.
2) Screen shot of http://www.yellowpages.com to find the Suntrust Bank Plantation location
3) What is the size of the memdump.mem file?
4) How many evidence items were processed by FTK?
5) How many hits are found searching using the word password ?
6) How many files are found searching the file extension .doc ?
7) How many Cumulative Result Hits are found using both password and .doc ?
3) Analyzing Windows Registry The Windows registry is a central repository for all information such as users, passwords, connected devices, and physical hardware. Those data in the registry can be searched for evidence using Access Data's Registry Viewer. Although it does not display user information in a readable format, every item listed in the registry represents a 128-bit name called a globally unique ID (GUID) that contains useful information such as the last login or last storage device accessed.
Procedures: First, you should install AccessData Registry Viewer with rv-registry_viewer-1.5.4.exe file on BB. Right-click the AcessData Registry Viewer icon to start. Click File tab and click open, navigate where we you saved in 1) lab, and click Registry folder. Click the SAM file, and click open, click the + symbol next to the SAM to expand it.
1) Screen shot of the Administrator account including the Last Logon Time
2) Screen shot of the Guest account indicating the SID number 501.
3) What is the SID associated with John Smith user name?
4) What was the last time John Smith logged into the computer?
5) Besides Andrews, which other user has never logged into the computer? Close the Registry Viewer dialog box while clicking the file tab. Click the file tab, select open, and double-click the System registry hive to load it into the registry viewer
. 6) Screen shot of the attached storage devices implying that a forensic investigator should look for additional storage devices.
7) How many USB storage devices have been connected to this computer?
8) How many internal hard drives have been attached to this computer?
Recently Asked Questions
- Please refer to the attachment to answer this question. This question was created from PracticeProblems-COA9e.
- Please correct below : 1. An Information System comprises a(n) A. Organizational dimension B. Management dimension C. Technology dimension D. All of the above
- what block mode symmetric algorithm is used by gpg to encrypt/decrypt private keys;