Perform Registry analysis
Investigate Windows Events
Search for evidence of antiforensic activity
Windows forensics workstation
Peterson Windows hard disk image
Files from Canvas Lab 11 link
In this lab we are going to dig into Norm’s Windows hard drive to see if he was attempting to intentionally hide evidence.
Part 1: Investigate the Registry
Locate Norm’s ntuser and view the contents. You have two ways you can do this:
Option #1 (I recommend this option):
Launch your Peterson case in Autopsy.
Add the Peterson hard drive image as a new data source ONLY processing file identification and encryption detection ingest modules.
Locate Norm’s ntuser.dat Registry file. Click to view his ntuser contents in the bottom pane.
Option #2 (this option is faster, but won’t allow you to revisit the image later):
Load the Peterson Windows hard drive image into FTK Imager.
Locate and export Norm’s ntuser.dat Registry file.
Load the ntuser.dat file into Registry Viewer.
Look for evidence of the 20 most recent files Norm accessed on his computer. You will find this information in the following Registry key:
List the exact names of three files that may be relevant to this case. Be sure to include the file extension and explain why each file might be relevant.
Name of file | Type of file | Relevance
Part 2: Investigate the Event Logs
Add the Peterson Windows hard drive image to FTK Imager.
Navigate through the file system until you find a record of all the system Event Logs:
Locate the Security Event log in the file list pane. The file will be named Security.evtx.
Export the Security.evtx log to your workstation.
Open the Security.evtx log to view all the security events. You have two options to do this:
Double-click the file and allow Event Viewer to open it natively.
Open Event Viewer and add the Security.evtx file using Actions > Open Saved Log.
Investigate the Security Events and answer the following questions:
What is the Event ID number for a standard logon?
What was the first date and time Norm logged into this computer from the ZeroBit domain?
What was the last date and time Norm logged into this computer from the ZeroBit domain?
Find the anonymous logon that came from someone’s workstation OTHER than Norm. What was the workstation name and IP address?
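The questions in Part 2 can also be answered by script once the saved log has been exported from Event Viewer as XML (Save All Events As…, XML format). The following is an added example and not part of this lab; it works over constructed sample records in Event Viewer's XML layout, with all user, domain, host, address and time values made up:

```python
"""Triage a Security log exported from Event Viewer as XML for logon activity."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_EVENT_ID = 4624  # Security event "An account was successfully logged on"

# Constructed sample records in the shape Event Viewer's XML view uses for a saved
# Security.evtx. All values are made up; the 4634 logoff record only reuses the
# same field set for brevity and exists to show that non-4624 events are skipped.
REC = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
       '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{t}"/></System>'
       '<EventData><Data Name="TargetUserName">{u}</Data>'
       '<Data Name="TargetDomainName">{d}</Data><Data Name="LogonType">{lt}</Data>'
       '<Data Name="WorkstationName">{ws}</Data><Data Name="IpAddress">{ip}</Data>'
       '</EventData></Event>')
SAMPLE_XML = "<Events>" + "".join(REC.format(**r) for r in [
    dict(eid=4624, t="2013-03-04T14:02:11Z", u="norm", d="ZEROBIT", lt=2, ws="NORM-PC", ip="-"),
    dict(eid=4634, t="2013-03-04T18:30:00Z", u="norm", d="ZEROBIT", lt=2, ws="NORM-PC", ip="-"),
    dict(eid=4624, t="2013-03-06T09:15:42Z", u="ANONYMOUS LOGON", d="NT AUTHORITY",
         lt=3, ws="OTHER-PC", ip="10.0.0.25"),
    dict(eid=4624, t="2013-03-09T08:47:05Z", u="norm", d="ZEROBIT", lt=2, ws="NORM-PC", ip="-"),
]) + "</Events>"


def parse_logons(xml_text):
    """Return one dict per 4624 record; every other event ID is skipped."""
    logons = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if int(ev.findtext("e:System/e:EventID", namespaces=NS)) != LOGON_EVENT_ID:
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # Real logs carry fractional seconds ("...:11.1234567Z"); keep only the first 19 chars.
        logons.append({"time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
                       "user": data["TargetUserName"], "domain": data["TargetDomainName"],
                       "workstation": data["WorkstationName"], "ip": data["IpAddress"]})
    return logons


def first_and_last_logon(logons, user, domain):
    """Earliest and latest successful logon for user@domain (case-insensitive)."""
    times = sorted(e["time"] for e in logons
                   if (e["user"].lower(), e["domain"].lower()) == (user.lower(), domain.lower()))
    return (times[0], times[-1]) if times else (None, None)


def anonymous_logons_from_other_hosts(logons, own_workstation):
    """Anonymous logons whose source workstation is not the suspect's own machine."""
    return [(e["workstation"], e["ip"], e["time"]) for e in logons
            if e["user"].upper() == "ANONYMOUS LOGON"
            and e["workstation"].upper() != own_workstation.upper()]
```

Calling parse_logons on the exported XML, then first_and_last_logon with the suspect's account and domain and anonymous_logons_from_other_hosts with his workstation name, yields the timestamps and the remote host/address to cite in the answers.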
Part 3: TrueCrypt Investigation
1. From Canvas, download the Confidential File and the Suspect’s Folder. You will need to unzip the suspect’s folder.
2. Your mission is to prove that the suspect stole the confidential file and intentionally tried to hide it. Hint – did you watch the TrueCrypt video in Canvas?
3. Once you recover the suspect’s copy of the confidential file, do NOT change the name.
4. Paste a screenshot here showing the names and hash values for BOTH the original confidential file and the one you discovered in the suspect’s folder.