AUTOMATED DATA COLLECTION USING$-$ KAPE $($WIN$10)$

Performing disk forensics using KAPE.

Step$0$: Fire the Windows$10$ VM up

Step$1$: Download KAPE

$$ From your Win$10$ VM$,$ open Edge up

$$ Download Kape.zip

$$ Unzip Kape.zip in the folder C:$\backslash$user$\backslash$XXX

$$ Run the command$-$line and cd to kape: cd $\backslash$ C:$\backslash$user$\backslash$XXX

$$ Display the KAPE folder and make sure kape.exe is there: dir

Collect and process the following artifacts from a live system $($your Win$10$ VM$)$ and save them in the C:$\backslash$tmp folder $($remember to create a subfolder under the tmp folder for each artifact$)$

$-$ GroupPolicy

$-$ RegistryHivesUser

$-$ WindowsTimeline

Answer the following questions:

Question $1$

Include the top of screenshots $($see slide#$36$ for an example$)$ here for GroupPolicy

Question $2$

Include the top of screenshots $($see slide#$36$ for an example$)$ here for RegistryHivesUser

Question $3$

Include the top of screenshots $($see slide#$36$ for an example$)$ here for WindowsTimeline

Analyze the artifacts of WindowsTimeline and RegistryHivesUser using Timeline Explorer. Open the CSV files and answer the following questions:

Question $4$

WindowsTimeline

$-$ When was the coiadmin user account created?

ex$.2016-03-02$ at $10$:$16$:$42$

$-$ When was the last time the coiadmin user account was modified?

$,,$ and

ex$.2016-03-02$ at $10$:$16$:$42/$or $2016($date and time order is from low to high$)$

$-$ When was the coistudent user account created?

ex$.2016-03-02$ at $10$:$16$:$42$

$-$ When was the last time the coistudent user account was accessed?

$,,$ and

ex$.2016-03-02$ at $10$:$16$:$42/$or $2016($date and time order is from low to high$)$

Question $5$

RegistryHivesUser:

$-$ When was the $\backslash$config$\backslash$DEFAULT created?

ex$.2016-03-02$ at $10$:$16$:$42/$ or $2016$

$-$ When was the last time the $\backslash$config$\backslash$DEFAULT was modified?

ex$.2016-03-02$ at $10$:$16$:$42/$or $2016$