- Introduction to Operating Systems
You will be utilizing two (2) tools to complete this lab. Both are located under the "FTK Imager" section on the left-hand side. Before proceeding, please download these two tools to your Windows VM and then install them.
- Once installed, create a new folder on your virtual machine desktop (this new folder will hold your extracted registry files).
- Open up FTK Imager and click 'File' and then 'Obtain Protected Files'. Choose the "Password recovery and all registry files" option and then set the destination to the new folder you created in step 1.
- Close FTK Imager and open Registry Viewer. It will ask you if you have a network security device. Click "No". It will then tell you that it will run in demo mode. Click 'File' and then 'Open' and you can choose one Registry Key to look at. You can only look at one at a time. You will now use Registry Viewer to answer the questions below. Document your findings and support your answers with screenshots.
- Open up the SAM key and navigate to SAM\Domains\Account\Users. You will see a folder for each user on the machine. You are to identify specific details about the individual user accounts on a machine. We are particularly interested in finding the following information: How many times has each user logged in? When was the last time each user has logged in? When is the last time each user changed their password? How many times has each user failed to enter the correct password? You will find this information in the "Key Properties" window in the lower left pane.
- Open up the SYSTEM key and navigate to ControlSet001\Control\TimeZoneInformation (you may have something different than ControlSet001, such as ControlSet002, which is fine). You are to identify the timezone that this machine has been set to. What other information is available in this subkey?
- Staying in the SYSTEM key, navigate to ControlSet001\Enum\USBSTOR. This is where the inventory of USB devices inserted into this machine is kept. How many devices have been inserted into this machine? When was the last time each USB device was written to (found in the Key Properties pane, lower left)? You may not see any, depending on whether you're using a virtual machine and never inserted a USB device into it. Just take a screenshot of the location if this is the case.
- Open up the Software key and navigate to Microsoft\Windows\CurrentVersion\Run. Perform some open source research on this subkey to determine what data is stored at this location. Take a screenshot of what you have stored here. Also, why would malicious code want to write to this subkey?
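The per-user details asked for in the SAM step (logon count, last logon, last password change, failed-password count) are what Registry Viewer decodes from the binary `F` value under each user's subkey. The following is an added example, not part of the lab handout or the tools it uses: it decodes those fields from a constructed `F` value. The field offsets are an assumption based on the layout commonly described in forensic references (Microsoft does not document it), and the sample account and dates are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)

# Constructed sample values for a made-up account; not real evidence.
SAMPLE_LAST_LOGON = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PWD_SET = datetime(2024, 1, 15, 8, 30, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means the event never happened."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return ((dt - EPOCH_1601) // TICK) * 10

def parse_sam_f(data):
    """Decode the account-usage fields from a SAM user's F value (assumed layout)."""
    if len(data) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(data))
    last_logon, = struct.unpack_from("<Q", data, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", data, 0x18)
    last_failed, = struct.unpack_from("<Q", data, 0x28)
    rid, = struct.unpack_from("<I", data, 0x30)
    failed_count, logon_count = struct.unpack_from("<HH", data, 0x40)
    return {
        "rid": rid,
        "logon_count": logon_count,
        "last_logon": filetime_to_utc(last_logon),
        "password_last_set": filetime_to_utc(pwd_last_set),
        "failed_logon_count": failed_count,
        "last_failed_logon": filetime_to_utc(last_failed),
    }

def build_sample_f():
    """Constructed F value (RID 1001, 17 logons, no failed attempts)."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, utc_to_filetime(SAMPLE_LAST_LOGON))
    struct.pack_into("<Q", buf, 0x18, utc_to_filetime(SAMPLE_PWD_SET))
    struct.pack_into("<I", buf, 0x30, 1001)
    struct.pack_into("<HH", buf, 0x40, 0, 17)  # failed count, logon count
    return bytes(buf)

if __name__ == "__main__":
    for field, value in parse_sam_f(build_sample_f()).items():
        print(f"{field:20} {value}")
```

The decoded timestamps are UTC, so the TimeZoneInformation subkey from the SYSTEM step is what lets you express them in the machine's local time.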