Week3 Chapter5 Session2 Lab
Digital Forensics
EMCS-642
LAB Activities
Fall 2025
Focus of This Session
File System
Exploring Disks
Registry
Forensic Tools
Hashing
LAB Activities
This Week OBJECTIVES:
1. Explain the purpose and structure of file systems
2. Describe Microsoft file structures
3. Explain the structure of NTFS disks
4. List some options for decrypting drives encrypted with whole disk encryption
5. Explain how the Windows Registry works
6. Describe Microsoft startup
7. Explain the purpose of a virtual machine
© Guide to Computer Forensics and Investigations: Processing Digital Evidence, 6th Edition, by Bill Nelson, Amelia Phillips, and Christopher Steuart, Cengage
Outline
Lab Activity 1. Using WinHex Forensic Tool
Lab Activity 2. Exploring Disks
Lab Activity 3. File Type Identification
Lab Activity 4. Hashing
Lab Activity 5. Examining Registry Hives (SAM, SYSTEM, ntuser.dat)
Computer Science Department
Executive Master in Cyber Security
Lab Activity 1: Using WinHex
▪ Start a Web browser and go to https://www.x-ways.net/winhex/index-m.html
▪ Under Software Products, click WinHex
▪ Download and install the program
▪ Right-click the WinHex desktop icon and click Run as administrator (opening physical disks requires administrative rights)
WinHex User Interface
Lab Activity 2: Exploring Disks
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Identify the disks on a computer system
▪ Explore disk partitions
▪ Explore disk clusters and sectors
▪ Identify the file system
Lab Activity 2: Exploring Disks
▪ Right-click the WinHex desktop icon and click Run as administrator
▪ Follow the steps:
1. Click Tools, Open Disk from the menu to see a list of logical and physical drives
2. Click Physical Storage Devices, expand and select HDD, click OK
Lab Activity 2: Exploring Disks
▪ Exploring the partition table
▪ Follow the steps:
1. Click Tools, Open Disk from the menu to see a list of logical and physical drives
2. Click Physical Storage Devices, expand and select HDD, click OK
3. Go to sector 0 of the disk drive (on an MBR-partitioned disk this is the Master Boot Record: the four 16-byte partition entries start at byte offset 446, and the sector ends with the boot signature 55 AA)
4. Identify all the partitions (starting sector and type byte of each entry; a single entry of type EE means the disk is GPT-partitioned and the real partition table starts in sector 1)
5. Identify the size of each partition (the entry's sector count multiplied by the sector size, normally 512 bytes)
Lab Activity 2: Exploring Disks
▪ Disk clusters and sectors
▪ Follow the steps:
1. Click Tools, Open Disk from the menu to see a list of logical drives
2. Click the C drive (or your working drive), and click OK
Lab Activity 2: Exploring Disks
▪ File system identification
▪ Follow the steps:
1. Insert a USB drive into a USB port.
2. Click Tools, Open Disk from the WinHex menu.
▪ From the logical drives, click the C drive.
▪ Click OK.
▪ The figure shows a typical hard disk in the WinHex window.
3. Click Tools, Open Disk.
▪ Click your USB drive in the Edit Disk list.
▪ Click OK.
▪ Compare the file system label for this drive (the OEM ID at offset 3 of the volume's boot sector, e.g. NTFS, MSDOS5.0 for FAT, or EXFAT) with the one you saw in step 2.
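The three procedures above (partition table, clusters and sectors, file system identification) read the same on-disk structures that WinHex shows you as hex. The script below is an added example, not code from the textbook or from WinHex: it parses a constructed MBR and an NTFS boot sector and reports what the steps ask for (partition entries and their sizes, bytes per sector, sectors per cluster, the file system name). The sample image, its partition sizes and the $MFT location are assumptions made up for the demo.

```python
"""MBR partition table and NTFS boot-sector parser.

Added example for Lab Activity 2; not code from the textbook or from WinHex.
The disk image below is constructed by hand so the script runs offline. On a
real system you would read the same bytes from an image file, or from
r"\\.\PhysicalDrive0" opened read-only from an elevated prompt.
"""
import struct

SECTOR = 512

# Windows-relevant subset of MBR partition type bytes.
PART_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x27: "Windows recovery (hidden NTFS)",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table.

    Sector layout: boot code 0..445, four 16-byte entries from offset 446,
    boot signature 55 AA at 510. Entry layout: status(1) CHS start(3)
    type(1) CHS end(3) LBA start(4, little-endian) sector count(4, LE).
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 has no 55 AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "size_bytes": count * SECTOR,
        })
    return parts


def identify_fs(vbr: bytes) -> str:
    """Name the file system from the volume boot record's identifying strings."""
    oem = vbr[3:11]                                   # OEM ID, 8 bytes at offset 3
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if vbr[82:90] == b"FAT32   ":                     # FAT32 type string at offset 82
        return "FAT32"
    if vbr[54:62] in (b"FAT12   ", b"FAT16   "):      # FAT12/16 type string at offset 54
        return vbr[54:62].decode("ascii").strip()
    return "unknown"


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Cluster geometry from the NTFS BIOS Parameter Block."""
    if identify_fs(vbr) != "NTFS":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 11)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", vbr, 40)
    cluster = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster,
        "total_sectors": total_sectors,
        "mft_byte_offset": mft_cluster * cluster,  # measured from the start of the volume
    }


def summarize(image: bytes) -> list:
    """Parse sector 0, then look at each partition's first sector."""
    parts = parse_mbr(image[:SECTOR])
    for p in parts:
        start = p["lba_start"] * SECTOR
        vbr = image[start:start + SECTOR]
        if len(vbr) < SECTOR:
            p["fs"] = "beyond end of image"   # truncated image: report it, do not guess
            continue
        p["fs"] = identify_fs(vbr)
        if p["fs"] == "NTFS":
            p["ntfs"] = parse_ntfs_vbr(vbr)
    return parts


def build_sample_disk() -> bytes:
    """Constructed 1 MiB image: an MBR with two entries and an NTFS VBR at LBA 2048."""
    mbr = bytearray(SECTOR)
    # slot 0: bootable NTFS, starts at LBA 2048, 1,048,576 sectors (512 MiB)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 1048576)
    # slot 1: FAT32 (LBA), starts after slot 0, 204,800 sectors (100 MiB)
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x0C, 1050624, 204800)
    mbr[510:512] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 11, 512, 8)            # 512 B sectors, 8 per cluster = 4 KiB
    struct.pack_into("<QQ", vbr, 40, 1048575, 786432)   # total sectors, $MFT at LCN 786432
    vbr[510:512] = b"\x55\xAA"
    return bytes(mbr) + bytes((2048 - 1) * SECTOR) + bytes(vbr)


if __name__ == "__main__":
    for part in summarize(build_sample_disk()):
        print(part)
```

To run it against a real image, replace build_sample_disk() with the image bytes (only sector 0 and each partition's first sector are read, so a few MiB from the start of the image is enough for the MBR and the first volume). For a GPT disk the MBR carries one type-EE entry and the script stops there, which is the cue to parse the GPT header in sector 1 instead.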
Lab Activity 3: File Type Identification
▪ Follow the steps:
1. Download the files logo.bmp and data.docx to your working directory.
2. Click File, Open from the WinHex menu.
3. In the Open Files dialog box, navigate to the folder containing the bitmap file (logo.bmp), and then double-click the file.
4. Identify the file type.
▪ Which 2-byte hex value at the start of the file indicates a JPEG file signature?
▪ …ÿØÿà…JFIF
▪ Note: a genuine bitmap starts with the ASCII bytes BM (42 4D). If logo.bmp instead starts with FF D8 FF, the extension does not match the content, which is exactly what signature analysis is meant to catch.
5. Repeat steps 2 and 3, but use the Office document (data.docx).
6. Identify the file type.
▪ Which 8-byte hex value at the start of the file indicates an Office document signature?
▪ …
▪ Note: a .docx is an OOXML package, i.e. a ZIP archive, so it starts with PK (50 4B 03 04); the 8-byte signature D0 CF 11 E0 A1 B1 1A E1 belongs to the legacy binary Office formats (.doc, .xls, .ppt). Check which one your file actually shows.
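Signature analysis, as an added example (not from the textbook or from WinHex): the script below tests a file's first bytes against a small magic-number table, looks inside ZIP-based files to tell DOCX from XLSX, and flags files whose extension disagrees with their content. The two sample files are constructed in memory: a JPEG/JFIF header stored under the name logo.bmp, and a minimal DOCX package.

```python
"""Identify file types from their leading bytes and flag extension mismatches.

Added example for Lab Activity 3; not from the textbook or from WinHex. The
sample files (a JPEG header saved under a .bmp name, and a minimal DOCX) are
constructed in memory so the script runs offline.
"""
import io
import zipfile

# (signature, byte offset, description). A DOCX is an OOXML package, i.e. a ZIP
# archive, so its leading bytes are the generic ZIP local-file-header signature.
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "JPEG"),
    (b"BM", 0, "BMP bitmap"),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG"),
    (b"GIF8", 0, "GIF"),
    (b"%PDF-", 0, "PDF"),
    (b"PK\x03\x04", 0, "ZIP container (DOCX/XLSX/PPTX/JAR/APK)"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "OLE compound document (legacy DOC/XLS/PPT/MSG)"),
    (b"MZ", 0, "Windows PE executable"),
    (b"\x7fELF", 0, "ELF executable"),
]

# What the extension claims the content is (a prefix of the detected description).
EXPECTED_BY_EXT = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".bmp": "BMP", ".png": "PNG", ".gif": "GIF",
    ".pdf": "PDF", ".docx": "ZIP container", ".xlsx": "ZIP container",
    ".doc": "OLE compound", ".exe": "Windows PE",
}


def identify(header: bytes) -> str:
    """Match the first bytes against the signature table; 'unknown' if nothing fits."""
    for sig, offset, name in SIGNATURES:
        if header[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


def ooxml_kind(data: bytes):
    """For a ZIP, look at the part names: word/, xl/ and ppt/ identify the Office app."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return None   # starts with PK but is not a readable archive (truncated or damaged)
    for prefix, kind in (("word/", "DOCX"), ("xl/", "XLSX"), ("ppt/", "PPTX")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ZIP"


def check(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    detected = identify(data[:16])
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    claimed = EXPECTED_BY_EXT.get(ext)
    return {
        "file": filename,
        "first_bytes": data[:8].hex(" ").upper(),
        "detected": detected,
        "ooxml_kind": ooxml_kind(data) if detected.startswith("ZIP") else None,
        "extension_mismatch": claimed is not None and not detected.startswith(claimed),
    }


# Constructed sample 1: a JPEG/JFIF header stored under a .bmp name.
SAMPLE_LOGO = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def build_sample_docx() -> bytes:
    """Constructed sample 2: the smallest ZIP layout that still looks like a DOCX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(check("logo.bmp", SAMPLE_LOGO))
    print(check("data.docx", build_sample_docx()))
```

The table is deliberately short; in practice you would use a full signature database (or a tool such as `file`), but the logic is the same: trust the bytes, not the name, and for container formats look inside rather than stopping at the ZIP signature.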
Lab Activity 4: Hashing
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Compute the hash value for a file using a hashing algorithm
Lab Activity 4: Hashing
▪ Follow the steps:
1. Download the file data.docx to your working directory.
2. Select Tools, then select Compute Hash.
3. From the Compute Hash list, select the SHA-1 (160 bit) hashing algorithm.
4. Copy the computed value and paste it into a Notepad file.
5. Close the file in WinHex.
6. Edit the data.docx file by replacing the first letter in the document with the same letter, then save the file.
7. Reopen data.docx in WinHex and repeat steps 2 to 4.
8. Compare the two values. What is your observation?
▪ …
▪ Note: SHA-1 is fine for checking that a copy matches its original, but collisions have been demonstrated for it, so record SHA-256 as well when documenting evidence.
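Hashing, as an added example (not from the textbook or from WinHex): the script computes MD5, SHA-1 and SHA-256 with Python's standard library (the values match what WinHex's Compute Hash reports for the same bytes), counts how many digest bits change after a one-byte edit, and reproduces the situation in step 8 with a constructed minimal DOCX: rewriting the package with identical text but a different internal timestamp changes the file's bytes and therefore its hash. The sample content and timestamps are constructed.

```python
"""Hash a file before and after an edit, and show why a re-saved DOCX changes.

Added example for Lab Activity 4; not from the textbook or from WinHex.
Sample content is constructed in memory.
"""
import hashlib
import io
import zipfile


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the same bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(original: bytes, edited: bytes) -> dict:
    """Per-algorithm report: did the digest change, and by how many bits."""
    before, after = digests(original), digests(edited)
    return {
        alg: {
            "before": before[alg],
            "after": after[alg],
            "changed": before[alg] != after[alg],
            "bits_changed": differing_bits(before[alg], after[alg]),
            "bits_total": len(before[alg]) * 4,
        }
        for alg in before
    }


def build_docx(text: str, date_time: tuple) -> bytes:
    """Constructed minimal DOCX (a ZIP package) whose entries carry the given timestamp.

    Word rewrites the whole package on save (entry timestamps, core.xml metadata,
    compressor output), so the file's bytes, and hence its hash, change even when
    the visible text is identical. Varying date_time stands in for that here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("[Content_Types].xml", "<Types/>"),
                           ("word/document.xml", "<w:document>%s</w:document>" % text)):
            info = zipfile.ZipInfo(name, date_time=date_time)
            z.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def file_sha256(path: str) -> str:
    """Stream a real file so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    original = b"Digital forensics lab\n"          # constructed sample content
    print(compare(original, b"D" + original[1:]))  # same byte written back: nothing changes
    print(compare(original, b"d" + original[1:]))  # one byte differs: about half the bits flip
    a = build_docx("Hello", (2024, 1, 1, 12, 0, 0))
    b = build_docx("Hello", (2024, 1, 1, 12, 0, 2))
    print(digests(a)["sha1"] == digests(b)["sha1"])  # False: same text, different container bytes
```

The two observations to take from it: a hash depends only on the bytes, so writing the same byte back leaves every digest unchanged, while a one-bit difference flips roughly half the bits of the digest; and a .docx is a container, so Word's save rewrites bytes you never edited, which is why step 8 shows a new SHA-1 even though the letter is the same. file_sha256() is the streaming form you would use on a multi-gigabyte image.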
Lab Activity 5: Examining SAM Hive
1. Download the compressed file ch05.zip to your work folder.
▪ Start a Web browser and go to https://cengage-dps.s3.amazonaws.com/computing/computer_concepts/nelson-222257/ch05.zip
▪ Right-click this file and click Extract to extract it to your work folder.
▪ Click the extracted folder (ch05).
▪ Double-click the file InCh05.exe.
▪ In the WinRAR self-extracting archive window, click Browse to select your work directory (see Figure).
▪ Click Extract.
▪ In the Confirm file replace window, click Yes (see Figure).
▪ Extraction will take a few minutes.
▪ You will get the file InCh05.img for use in step 4.
▪ Before examining the image, compute and record its hash (as in Lab Activity 4) so you can later show that the evidence file was not altered during the lab.
Lab Activity 5: Examining SAM Hive
2. Create a subfolder of your work folder named Registry_Viewer.
▪ Start a Web browser, go to https://www.exterro.com/ftk-product-downloads/registry-viewer-2-0-0, and download Registry Viewer into that subfolder.
Lab Activity 5: Examining SAM Hive
4. Start FTK Imager.
▪ Click File, Add Evidence Item from the menu.
▪ In the Select Source dialog box, click the Image File option button, and
then click Next.
▪ In the Select File dialog box, click Browse, navigate to and click your work
folder, click InCh05.img file, and then click OK.
▪ Click Finish to open the image in FTK Imager.
Lab Activity 5: Examining SAM Hive
5. In the left pane:
▪ Click to expand InCh05.img, 6gb [NTFS], [root], and Users.
▪ Click the Denise folder, right-click the ntuser.dat file in the File List pane, and click Export Files.
▪ In the Browse For Folder dialog box, navigate to and click your work folder, click Make New Folder, and type Registry Files-Lab5-2 for the new name.
▪ Click OK to copy the file.
▪ Click OK in the Export Results message box.
Lab Activity 5: Examining SAM Hive
6. In the left pane:
▪ Click to expand Windows and System32, and then click config.
▪ In the File List pane, Ctrl+click SYSTEM, SOFTWARE, SECURITY, SAM, and DEFAULT.
▪ Right-click one of these selected files and click Export Files.
▪ Navigate to and click the Registry Files-Lab5-2 subfolder of your work folder, and click OK to copy the files.
▪ Click OK in the Export Results message box.
▪ Exit FTK Imager.
Lab Activity 5: Examining SAM Hive
7. Right-click Registry Viewer and click Run as administrator.
▪ If necessary, click Yes in the UAC message box.
▪ Click Yes in the ERROR dialog box, click Cancel in the Security Device Settings dialog box, and click OK in the Registry Viewer dialog box to start Registry Viewer in demo mode (demo mode runs without the license dongle and is sufficient for this lab).
Task-1: Examining SAM Hive
In Registry Viewer, open the SAM file from the Registry Files-Lab5-2 subfolder (File, Open), expand SAM\Domains\Account\Users, and click the 000003E9 folder. The folder name is the account's RID in hexadecimal: 0x3E9 = 1001. The built-in Administrator has RID 500 and Guest 501; accounts created after setup get RIDs from 1000 upward.
▪ Find out the username:
▪ How many times has the account logged on?
▪ What is the SID value?
Task-1: Examining SAM Hive
1. The Registry contains how many hives?
a. Three b. Two c. Five d. Six
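The values Task 1 asks for live in the F value of the RID key (logon count, last logon, account flags) and in the Names subkey (the username is the name of the subkey under SAM\Domains\Account\Users\Names whose default value's type field equals the RID). As an added example, not code from the textbook or from Registry Viewer, the script below decodes a constructed F value using the field offsets documented by RegRipper's samparse plugin, and builds the account SID from a constructed machine SID (on a real hive the machine SID is the last 12 bytes of the V value of SAM\Domains\Account).

```python
"""Decode the F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID>).

Added example for Task 1; not code from the textbook or from Registry Viewer.
The F value and the machine SID below are constructed. Field offsets follow the
layout documented by RegRipper's samparse plugin.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Account control bits (WORD at offset 0x38 of the F value).
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password not required",
    0x0010: "normal user account",
    0x0200: "password never expires",
    0x0400: "locked out",
}


def filetime_to_utc(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    # Integer floor division keeps the value exact (floats lose bits at this magnitude).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_f_value(f: bytes) -> dict:
    """Pull the fields Task 1 asks about out of the binary F value."""
    if len(f) < 0x44:
        raise ValueError("F value too short (%d bytes)" % len(f))
    rid = struct.unpack_from("<I", f, 0x30)[0]
    acb = struct.unpack_from("<H", f, 0x38)[0]
    failed, logons = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "key_name": "%08X" % rid,  # the folder name shown in Registry Viewer, e.g. 000003E9
        "last_logon": filetime_to_utc(struct.unpack_from("<Q", f, 0x08)[0]),
        "password_last_set": filetime_to_utc(struct.unpack_from("<Q", f, 0x18)[0]),
        "last_failed_logon": filetime_to_utc(struct.unpack_from("<Q", f, 0x28)[0]),
        "acb_flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logon_count": failed,
        "logon_count": logons,
    }


def user_sid(machine_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID with the account RID appended."""
    return "%s-%d" % (machine_sid, rid)


SAMPLE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


def sample_f_value() -> bytes:
    """Constructed 80-byte F value for RID 0x3E9 (1001) with 27 logons."""
    f = bytearray(0x50)
    last_logon = datetime(2019, 3, 15, 14, 30, tzinfo=timezone.utc)
    struct.pack_into("<Q", f, 0x08, utc_to_filetime(last_logon))
    struct.pack_into("<I", f, 0x30, 0x3E9)
    struct.pack_into("<H", f, 0x38, 0x0010 | 0x0200)  # normal account, password never expires
    struct.pack_into("<HH", f, 0x40, 2, 27)           # 2 failed attempts, 27 successful logons
    return bytes(f)


if __name__ == "__main__":
    info = parse_f_value(sample_f_value())
    for k, v in info.items():
        print("%-18s %s" % (k, v))
    print("SID:", user_sid(SAMPLE_MACHINE_SID, info["rid"]))
```

Registry Viewer shows F as raw hex; select the value and compare the bytes at 0x30 (RID) and 0x42 (logon count) with what the script reads. All FILETIME fields are UTC; converting them to the machine's local time needs the time zone information from the SYSTEM hive examined in Task 2.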
Task-2 - Examining SYSTEM Hive
1. In Registry Viewer, click File, Open from the menu.
▪ Navigate to the Registry Files-Lab5-2 subfolder of your work folder.
▪ Click the SYSTEM file, and then click Open.
3. Scroll down.
▪ Click TimeZoneInformation in the left pane (under ControlSet00n\Control).
▪ This information is critical: registry key last-write times and NTFS file timestamps are stored in UTC, and the time zone settings (ActiveTimeBias, in minutes) are what convert them to the local time the user experienced.
Task-2 - Examining SYSTEM Hive
4. Scroll down the left pane and expand the Enum folder, then the IDE folder.
▪ Contains IDE storage devices, such as a CD/DVD drive.
5. Expand the USB folder to see all USB devices plugged into the computer (the neighbouring USBSTOR folder lists the USB storage devices by vendor and product).
▪ Each storage device has a unique serial number and a Last Written Time entry in the Key Properties pane. If the second character of the serial-number key is "&", the device did not report a serial number and Windows generated the ID, so it cannot be matched to a physical device by serial number alone.
Task-2 - Examining SYSTEM Hive
1. What’s the computer name of this system?
a. mnmsrv b. GCFI5E c. HAL d. MSDTC
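Two interpretation steps for the SYSTEM hive, as an added example (not from the textbook or from Registry Viewer): converting a key's Last Written Time (a UTC FILETIME) to local time with ActiveTimeBias, which is an unsigned DWORD that has to be read as a signed number for zones east of UTC, and splitting a USBSTOR key name into vendor, product, revision and serial number while flagging serials that Windows generated. It also builds the ControlSetNNN path from the Select\Current value, which is how you find the live ComputerName key. All registry values below are constructed.

```python
"""Interpret SYSTEM-hive evidence: ActiveTimeBias, USBSTOR key names, ControlSet paths.

Added example for Task 2; not code from the textbook or from Registry Viewer.
All registry values below are constructed. Key last-write times are FILETIMEs in
UTC; TimeZoneInformation\\ActiveTimeBias (REG_DWORD, minutes) converts them to
local time.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def bias_minutes(active_time_bias: int) -> int:
    """REG_DWORD is unsigned; zones east of UTC store a negative bias in two's complement."""
    return active_time_bias - (1 << 32) if active_time_bias & 0x80000000 else active_time_bias


def to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Windows defines UTC = local + bias, so local = UTC - bias."""
    return utc.astimezone(timezone(timedelta(minutes=-bias_minutes(active_time_bias))))


def control_set_path(select_current: int, subkey: str) -> str:
    """Resolve CurrentControlSet: Select\\Current says which ControlSetNNN is the live one."""
    return "ControlSet%03d\\%s" % (select_current, subkey)


def parse_usbstor_key(device_key: str, instance_id: str) -> dict:
    """Split Enum\\USBSTOR\\<device_key>\\<instance_id> into its fields.

    device_key looks like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00. instance_id
    is the device serial plus an interface suffix ("&0"). If the device reported no
    serial number, Windows generates an ID whose second character is '&'; such IDs
    do not identify the physical device.
    """
    parts = device_key.split("&")
    fields = {"device_type": parts[0]}
    for p in parts[1:]:
        if p.startswith("Ven_"):
            fields["vendor"] = p[4:]
        elif p.startswith("Prod_"):
            fields["product"] = p[5:].replace("_", " ")
        elif p.startswith("Rev_"):
            fields["revision"] = p[4:]
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    fields["serial"] = None if generated else instance_id.rsplit("&", 1)[0]
    fields["windows_generated_serial"] = generated
    return fields


def usb_report(device_key: str, instance_id: str, last_write_ft: int, active_time_bias: int) -> dict:
    """Device identity plus the key's last-write time in UTC and in the machine's local time."""
    utc = filetime_to_utc(last_write_ft)
    info = parse_usbstor_key(device_key, instance_id)
    info["last_write_utc"] = utc.isoformat()
    info["last_write_local"] = to_local(utc, active_time_bias).isoformat()
    return info


# Constructed sample values.
SAMPLE_LAST_WRITE = utc_to_filetime(datetime(2019, 3, 15, 14, 30, tzinfo=timezone.utc))
SAMPLE_BIAS_EAST = 0xFFFFFF4C   # -180 minutes, i.e. UTC+3 (no DST)
SAMPLE_BIAS_WEST = 300          # +300 minutes, i.e. UTC-5 (US Eastern Standard Time)

if __name__ == "__main__":
    print(control_set_path(1, "Control\\ComputerName\\ComputerName"))
    print(usb_report("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00",
                     "4C530001231107116332&0", SAMPLE_LAST_WRITE, SAMPLE_BIAS_EAST))
    print(parse_usbstor_key("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2b2d5d8f&0&_&0"))
```

One caveat when applying this to real cases: ActiveTimeBias reflects the daylight-saving state in force when the key was last written, so for an event months earlier you also need the StandardBias and DaylightBias values and the transition rules that applied on that date.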
Task 3: Examining ntuser.dat Registry File
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Load a file in Registry Viewer to search for evidence
▪ Find Windows user account information in the Registry
1. ntuser.dat file contains information on multiple account holders.
a.True b. False
2. What’s the e-mail account for the Denise user?
a. [email protected] b. [email protected]
c. [email protected] d. [email protected]
3. ntuser.dat file contains information on which of the following?
a. Drive letter designations b. Personalized desktop settings
c. PID key d. MRU devices
4. Password decryption tools often need which of the following to retrieve user
passwords? (Choose all that apply.)
a. SYSTEM hive b. SAM hive c. ntuser.dat file d. Enum folder
5. ntuser.dat file is in which of the following paths?
a. C:\Windows\System32\Config b. C:\Documents and Settings\Users
c. C:\Users\username d. C:\SYSTEM