Introduction to Operating Systems You will be utilizing two (2) tools to complete this lab Both are located under the FTK Imager section on the left hand side Before proceeding, please download these two tools to your Windows VM and then install them Once installed, create a new folder on your virtual machine desktop (this new folder will hold your extracted registry files) Open up FTK Imager and click 'File' and then 'Obtain Protected Files' Choose the Password recovery and all registry files option and then set the destination to the new folder you created in step 1 Close FTK Imager and open Registry Viewer It will ask you if you have a network security device Click No It will then tell you that it will run in demo mode Click 'File' and then 'Open' and you can choose one Registry Key to look at You can only look at one at a time You will now use Registry Viewer to answer the questions below Document your findings and support your answers with screenshots Open up the SAM key and navigate to SAM Domains Account Users You will see a folder for each user on the machine You are to identify specific details about the individual user accounts on a machine We are particularly interested in finding the following information How many times has each user logged in When was the last time each user has logged in When is the last time each user changed their password How many times has each user failed to enter the correct password You will find this information in the Key Properties window in the lower left pane Open up the SYSTEM key and navigate to ControlSet001 Control TimeZoneInformation (you may have something different that ControlSet001 such as ControlSet002 which is fine) You are to identify the timezone that this machine has been set to What other information is available in this subkey Staying in the SYSTEM key, navigate to ControlSet001 Enum USBSTOR This is where the inventory of USB devices inserted into this machine is kept How many devices have been inserted into this machine When was the last time each USB device was written to (found in the Key Properties pane lower left) You may not see any depending on if you're using a virtual machine and never inserted a USB device into it Just take a screenshot of the location if this is the case Open up the Software key and navigate to Microsoft Windows CurrentVersion Run Perform some open source research on this subkey to determine what data is stored at this location Take a screenshot of what you have stored here Also, why would malicious code want to write to this subkey

The Answer is in the image, click to view ...

Answered step by step

Verified Expert Solution

Link Copied!

Question

1 Approved Answer

Posted on Sep 24, 2024

Introduction to Operating Systems You will be utilizing two (2) tools to complete this lab. Both are located under the FTK Imager section on the

Introduction to Operating Systems

You will be utilizing two (2) tools to complete this lab. Both are located under the "FTK Imager" section on the left hand side. Before proceeding, please download these two tools to your Windows VM and then install them.

Once installed, create a new folder on your virtual machine desktop (this new folder will hold your extracted registry files).
Open up FTK Imager and click 'File' and then 'Obtain Protected Files'. Choose the "Password recovery and all registry files" option and then set the destination to the new folder you created in step 1.
Close FTK Imager and open Registry Viewer. It will ask you if you have a network security device. Click "No". It will then tell you that it will run in demo mode. Click 'File' and then 'Open' and you can choose one Registry Key to look at. You can only look at one at a time. You will now use Registry Viewer to answer the questions below. Document your findings and support your answers with screenshots.
1. Open up the SAM key and navigate to SAM\Domains\Account\Users. You will see a folder for each user on the machine. You are to identify specific details about the individual user accounts on a machine. We are particularly interested in finding the following information: How many times has each user logged in? When was the last time each user has logged in? When is the last time each user changed their password? How many times has each user failed to enter the correct password? You will find this information in the "Key Properties" window in the lower left pane.
2. Open up the SYSTEM key and navigate to ControlSet001\Control\TimeZoneInformation (you may have something different that ControlSet001 such as ControlSet002 which is fine). You are to identify the timezone that this machine has been set to. What other information is available in this subkey?
3. Staying in the SYSTEM key, navigate to ControlSet001\Enum\USBSTOR. This is where the inventory of USB devices inserted into this machine is kept. How many devices have been inserted into this machine? When was the last time each USB device was written to (found in the Key Properties pane lower left). You may not see any depending on if you're using a virtual machine and never inserted a USB device into it. Just take a screenshot of the location if this is the case.
4. Open up the Software key and navigate to Microsoft\Windows\CurrentVersion\Run. Perform some open source research on this subkey to determine what data is stored at this location. Take a screenshot of what you have stored here. Also, why would malicious code want to write to this subkey?