Week3 Chapter5 Session2 Lab

The document outlines the objectives and lab activities for a Digital Forensics course in the Executive Master in Cyber Security program. It includes tasks related to file systems, disk exploration, file type identification, hashing, and examining the SAM hive. Each lab activity specifies required tools, estimated completion times, and step-by-step instructions for completion.

Uploaded by Vincent Chege

Week (3) Session (2)

Computer Science Department

Executive Master in Cyber Security

Digital Forensics
EMCS-642

LAB Activities

Fall 2025

Focus of This Session
▪ File System
▪ Exploring Disks
▪ Registry
▪ Forensic Tools
▪ Hashing
This Week OBJECTIVES:
1. Explain the purpose and structure of file systems
2. Describe Microsoft file structures
3. Explain the structure of NTFS disks
4. List some options for decrypting drives encrypted with whole disk encryption
5. Explain how the Windows Registry works
6. Describe Microsoft startup
7. Explain the purpose of a virtual machine

© Guide to Computer Forensics and Investigations: Processing Digital Evidence, 6th Edition, by Bill Nelson, Amelia Phillips, and Christopher Steuart, Cengage
Outline
Lab Activity 1. Using WinHex Forensic Tool

Lab Activity 2. Exploring Disks

Lab Activity 3. File Type Identification

Lab Activity 4. Hashing

Lab Activity 5. Examining SAM Hive

Lab Activity 6. Examining SYSTEM Hive

Lab Activity 7. Examining ntuser.dat Registry File

Computer Science Department
Executive Master in Cyber Security

Source of Slides and Refs: Guide to Computer Forensics and Investigations: Processing Digital Evidence, 6th Edition, by Bill Nelson, Amelia Phillips, Christopher Steuart

Lab Activity 1: Using WinHex Forensic Tool
Lab Activity 1: Using WinHex
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Describe the WinHex forensic tool
▪ WinHex is a hexadecimal editor for Windows OS. It is used for forensics and data recovery, and it lets the user view files in hexadecimal format.
▪ This lab requires the following:
▪ WinHex
▪ Estimated completion time: 10 minutes

Lab Activity 1: Using WinHex
▪ Start a Web browser, and go to:
▪ https://www.x-ways.net/winhex/index-m.html
▪ Under Software Products, click WinHex
▪ Download and install the program
▪ Right-click the WinHex desktop icon and click Run as administrator

© Guide to Computer Forensics and Investigations: Processing Digital Evidence, 6th Edition, by Bill Nelson, Amelia Phillips, and Christopher Steuart, Cengage
6
WinHex User Interface

Lab Activity 2: Exploring Disks
Lab Activity 2: Exploring Disks
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Identify the disks on a computer system
▪ Explore disk partitions
▪ Explore disk clusters and sectors
▪ Identify the file system

▪ This lab requires the following:


▪ WinHex
▪ Estimated completion time: 20 minutes

Lab Activity 2: Exploring Disks
▪ Right-click the WinHex desktop icon and click Run as administrator
▪ Follow the steps:
1. Click Tools, select Open Disk from the menu to see a list of logical and physical drives
2. Click Physical Storage Devices, expand and select HDD, click OK

▪ Identify the following:
▪ HDD Model:
▪ HDD serial number:
▪ Total capacity:
▪ Bytes per sector:
Lab Activity 2: Exploring Disks
▪ Exploring the partition table
▪ Follow the steps
1. Click Tools, Open Disk from the menu to see a list of logical and physical drives
2. Click Physical Storage Devices, expand and select HDD, click OK
3. Locate the start sector 0 of the disk drive
4. Identify all the partitions
5. Identify the size of each partition
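What steps 3 to 5 read off sector 0 by eye, the following added Python example (not part of the course materials or the textbook) does programmatically: it parses a classic MBR partition table from a 512-byte sector and reports each partition's type, start sector and size. The sector and its two partitions are constructed for the demo.

```python
import struct

SECTOR_SIZE = 512  # bytes per sector, as reported in the WinHex Info pane

# Common MBR partition type codes (not exhaustive).
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Return a list of dicts describing the (up to four) primary partition entries.

    The partition table starts at offset 446 (0x1BE); each 16-byte entry holds:
    boot flag, CHS start (3 bytes), type byte, CHS end (3 bytes), LBA start, sector count.
    """
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": boot == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "start_sector": lba_start,
            "sector_count": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return partitions


def build_sample_mbr() -> bytes:
    """Constructed sector 0 for the demo: one bootable NTFS partition followed by a FAT32 one."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 2048, 1_048_576),     # NTFS, 512 MiB, starts at sector 2048
        (0x00, 0x0B, 1_050_624, 204_800),  # FAT32, 100 MiB, immediately after it
    ]
    for i, (boot, ptype, start, count) in enumerate(entries):
        sector[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", boot, ptype, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"Partition {p['index']}: {p['type']}, start sector {p['start_sector']}, "
              f"{p['size_bytes'] / 2**20:.0f} MiB, bootable={p['bootable']}")
```

On a real image, feed the first 512 bytes of the physical drive to parse_mbr and compare the start sectors and sizes with what WinHex shows.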

Lab Activity 2: Exploring Disks
▪ Disk clusters and sectors
▪ Follow the steps
1. Click Tools, Open Disk from the menu to see a list of logical drives
2. Click C drive (or your working drive), and click OK

▪ From the Info pane, identify:
▪ Used space
▪ Free space
▪ Bytes per cluster
▪ Free clusters
▪ Total clusters
▪ Bytes per sector
▪ Sector count
▪ File system

Lab Activity 2: Exploring Disks
▪ File system identification
▪ Follow the steps:
1. Insert a USB drive into a USB port.
2. Click Tools, Open Disk from the WinHex menu.
▪ From the logical drives, click C drive
▪ Click OK
▪ Figure shows a typical HD in the WinHex window.
3. Click Tools, Open
▪ Click your USB drive in the Edit Disk list
▪ Click OK
▪ Compare the file system label for this drive with the one you saw in Step 3

Lab Activity 3: File Type Identification
Lab Activity 3: File Type Identification
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Identify the hex codes for some types of file

▪ This lab requires the following:


▪ WinHex
▪ logo.bmp file
▪ data.docx Office document
▪ Estimated completion time: 10 minutes

Lab Activity 3: File Type Identification
▪ Follow the steps
1. Download the files logo.bmp and data.docx to your working directory
2. Click File, Open from the WinHex menu
3. In the Open Files dialog box, navigate to the folder containing the bitmap file (logo.bmp), and then double-click the file
4. Identify the file type
▪ What is the 2-hex value on the first line that indicates a jpg file signature?
▪ …ÿØÿà…JFIF
5. Repeat steps 2 and 3, but use the Office document (data.docx)
6. Identify the file type
▪ What is the 8-hex value on the first line that indicates an Office document signature?
▪ …
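The signature check this lab has you do in WinHex's hex pane can be automated; the added Python example below (not part of the course materials or the textbook) renders the first hex line the way a hex editor does, identifies the type from the leading bytes (JFIF, BMP, zip-based Office documents and a few others), and flags files whose extension does not match their content. The sample headers are constructed, not the lab's real logo.bmp and data.docx.

```python
# Signature table: (offset, magic bytes, label).  The JFIF and zip entries are the
# signatures the lab has you read off the first hex line in WinHex.
SIGNATURES = [
    (0, b"\xFF\xD8\xFF\xE0", "JPEG (JFIF)"),
    (0, b"\xFF\xD8\xFF\xE1", "JPEG (Exif)"),
    (0, b"BM", "Windows bitmap (BMP)"),
    (0, b"PK\x03\x04", "ZIP container"),
    (0, b"%PDF", "PDF"),
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy .doc/.xls)"),
]
OOXML = "Office Open XML (docx/xlsx/pptx)"

# Extensions expected to carry each content type.
EXPECTED_EXT = {"JPEG (JFIF)": {"jpg", "jpeg"}, "JPEG (Exif)": {"jpg", "jpeg"},
                "Windows bitmap (BMP)": {"bmp"}, "ZIP container": {"zip"},
                OOXML: {"docx", "xlsx", "pptx"}, "PDF": {"pdf"},
                "OLE2 compound file (legacy .doc/.xls)": {"doc", "xls", "ppt"}}


def hex_line(data: bytes, width: int = 16) -> str:
    """Render the first row the way a hex editor shows it: hex bytes, then ASCII."""
    row = data[:width]
    hexpart = " ".join(f"{b:02X}" for b in row)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
    return f"{hexpart:<{width * 3}} {ascii_part}"


def identify(data: bytes) -> str:
    """Match the leading bytes against the signature table."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            # Office Open XML is a zip whose first entry is normally [Content_Types].xml
            if label == "ZIP container" and b"[Content_Types].xml" in data[:4096]:
                return OOXML
            return label
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say; renamed files stand out."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    expected = EXPECTED_EXT.get(kind)
    return {"name": name, "type": kind, "first_line": hex_line(data),
            "mismatch": expected is not None and ext not in expected}


# Constructed sample headers (only the leading bytes matter for a signature check).
SAMPLES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01" + b"\x00" * 16,
    "logo.bmp": b"BM\x36\x30\x00\x00" + b"\x00" * 26,
    "data.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml",
    "notes.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 20,  # a JPEG renamed to .txt
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_file(name, data)
        flag = "  <-- extension does not match content" if r["mismatch"] else ""
        print(f"{name:<12} {r['type']:<36} {r['first_line']}{flag}")
```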

Lab Activity 4: Hashing
Lab Activity 4: Hashing
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Compute the hash value for a file using a hashing algorithm

▪ This lab requires the following:


▪ WinHex
▪ Word document
▪ Estimated completion time: 10 minutes

Lab Activity 4: Hashing
▪ Follow the steps
1. Download the file data.docx to your working directory
2. Select Tools, then select Compute Hash
3. From the Compute Hash list, select the SHA1 (160 bit) hashing algorithm
4. Copy the computed value and paste it into a Notepad file
5. Close the file in WinHex
6. Edit the data.docx file by replacing the first letter in the document with the same letter, then save the file
7. Repeat steps 2-3
8. What is your observation?
▪ …
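To reason about step 8, it helps to remember that a .docx is a zip container and that the file hash covers every byte of that container, not just the visible text. The added Python example below (not part of the course materials or the textbook) builds two constructed zip containers holding an identical word/document.xml but different save timestamps, hashes both with SHA-1 as WinHex does, and also shows what a single flipped bit does to the digest.

```python
import hashlib
import io
import zipfile

# Constructed document body standing in for the text of data.docx (not a full OOXML package).
DOC_XML = (b"<w:document><w:body><w:p><w:r><w:t>Lab 4 hashing exercise</w:t></w:r></w:p>"
           b"</w:body></w:document>")


def sha1_hex(data: bytes) -> str:
    """SHA1 (160 bit), the algorithm selected in WinHex's Compute Hash list."""
    return hashlib.sha1(data).hexdigest()


def build_docx_like(saved_at: tuple) -> bytes:
    """Build a minimal zip container (the .docx format is a zip) holding word/document.xml.

    saved_at is the DOS date/time stamped on the entry.  An editor that re-saves a file
    rewrites the whole container, and this stamp is the part that changes between saves here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = zipfile.ZipInfo("word/document.xml", date_time=saved_at)
        z.writestr(info, DOC_XML, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def member_sha1(container: bytes, member: str) -> str:
    """Hash one entry's decompressed content rather than the container around it."""
    with zipfile.ZipFile(io.BytesIO(container)) as z:
        return sha1_hex(z.read(member))


def compare_hashes() -> dict:
    original = build_docx_like((2025, 9, 1, 9, 0, 0))
    resaved = build_docx_like((2025, 9, 1, 9, 5, 0))   # same text, saved five minutes later
    tampered = bytearray(original)
    tampered[-1] ^= 0x01                                # flip a single bit anywhere in the file
    return {
        "container_same": sha1_hex(original) == sha1_hex(resaved),
        "document_xml_same": member_sha1(original, "word/document.xml")
        == member_sha1(resaved, "word/document.xml"),
        "one_bit_flip_same": sha1_hex(original) == sha1_hex(bytes(tampered)),
    }


if __name__ == "__main__":
    for key, same in compare_hashes().items():
        print(f"{key:<20} {'identical' if same else 'DIFFERENT'}")
```

The container hashes differ even though the document text is byte-for-byte the same, which is why an evidence file's hash must be recorded before anything opens or saves it.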

Lab Activity 5: Examining SAM Hive
Lab Activity 5: Examining SAM Hive
▪ Objectives
▪ After completing this lab, you will be able to:
▪ Examine SAM hive containing usernames and password hashes
▪ View Registry files in Registry Viewer

▪ This lab requires the following:


▪ Windows
▪ Registry Viewer
▪ FTK Imager
▪ InCh05.exe file
▪ Estimated completion time: 20 minutes.

Lab Activity 5: Examining SAM Hive
1. Download the compressed file ch05.zip to your work folder.
▪ Start a Web browser and go to https://cengage-dps.s3.amazonaws.com/computing/computer_concepts/nelson-222257/ch05.zip
▪ Right-click this file and click Extract to extract it to your work folder.
▪ Click the extracted folder (ch05)
▪ Double-click the file InCh05.exe
▪ In the WinRAR self-extracting archive window, click Browse to select your work directory (see Figure)
▪ Click Extract
▪ In the Confirm file replace window, click Yes (see Figure)
▪ Extraction will take a few minutes
▪ You will get the file InCh05.img for use in step 4.
Lab Activity 5: Examining SAM Hive
2. Create a subfolder of your work folder named Registry_Viewer.
▪ Start a Web browser and go to: https://www.exterro.com/ftk-product-downloads/registry-viewer-2-0-0
▪ Click DOWNLOAD NOW to download Registry Viewer to the Registry_Viewer subfolder.

3. Double-click AccessData Registry Viewer_2.0.0.exe
▪ In the InstallShield Wizard window, click Next
▪ In the Custom Setup window, click Next
▪ In the Ready To Install the Program window, click Install
▪ Click Finish

Lab Activity 5: Examining SAM Hive
4. Start FTK Imager.
▪ Click File, Add Evidence Item from the menu.
▪ In the Select Source dialog box, click the Image File option button, and then click Next.
▪ In the Select File dialog box, click Browse, navigate to and click your work folder, click InCh05.img file, and then click OK.
▪ Click Finish to open the image in FTK Imager.

Lab Activity 5: Examining SAM Hive
5. In the left pane:
▪ Click to expand InCh05.img, 6gb [NTFS], [root], and Users.
▪ Click Denise folder, right-click ntuser.dat file in the File List pane and click Export Files.
▪ In the Browse For Folder dialog box, navigate to and click your work folder, click Make New Folder, and type Registry Files-Lab5-2 for the new name.
▪ Click OK to copy the file.
▪ Click OK in the Export Results message box.

Lab Activity 5: Examining SAM Hive
6. In the left pane:
▪ Click to expand Windows and System32, and then click config.
▪ In the File List pane, Ctrl+click: SYSTEM, SOFTWARE, SECURITY, SAM, and DEFAULT.
▪ Right-click one of these selected files and click Export Files
▪ Navigate to and click the Registry Files-Lab5-2 subfolder of your work folder, and click OK to copy the files.
▪ Click OK in the Export Results message box
▪ Exit FTK Imager.

Lab Activity 5: Examining SAM Hive
7. Start Registry Viewer, click Run as administrator.
▪ If necessary, click Yes in the UAC message box.
▪ Click Yes in the ERROR dialog box, click Cancel in the Security Device Settings dialog box, and click OK in the Registry Viewer dialog box to start Registry Viewer in demo mode.

8. Click File, Open from the menu.
▪ Navigate to the Registry Files-Lab5-2 subfolder of your work folder
▪ In the File List pane click SAM
▪ Click Open

Examining SAM Hive
Task-1: Examining SAM Hive
In the left pane:
▪ Click to expand SAM, Domains, Account, and Users folders.
▪ Click 000001F4 folder
▪ Enlarge the Key Properties pane at the lower left.

▪ Answer the following questions
▪ What is the last logon time:
▪ What is the SID unique identifier:
▪ What is the user name:
▪ How many times has the account been logged on:

Task-1: Examining SAM Hive
Click 000003E9 folder.
▪ Find out the username:
▪ How many times has the account been logged on:
▪ What is the SID value:

Click 000003EC folder.
▪ What is the username:
▪ What is the user full name:
▪ How many times has the account been logged on:

Click to expand Names folder, click jfriday folder.
▪ When was the last time the account was accessed:

Task-1: Examining SAM Hive
1. The Registry contains how many hives?
a. Three b. Two c. Five d. Six
2. How many user accounts are disabled?
a. Two b. Seven c. One d. Three
3. SAM hive uses PIDs to store information on user accounts.
a. True b. False
4. Name two SID values that indicate whether an account was created automatically.
1. 2.
5. The Key Properties pane in Registry Viewer shows when user accounts have changed their passwords.
a. True b. False
Examining SYSTEM Hive
Task-2 - Examining SYSTEM Hive
▪ Objectives
▪ After completing this lab, you will be able to:
▪ View the SYSTEM hive in Registry Viewer
▪ Look for useful forensic information in the SYSTEM hive.

▪ This lab requires the following:


▪ Windows
▪ Registry Viewer
▪ The SYSTEM hive extracted in Lab Activity 6
▪ The InCh05.exe file
▪ Estimated completion time: 15 minutes

Task-2 - Examining SYSTEM Hive
1. In the Registry Viewer, click File, Open from the menu.
▪ Navigate to the Registry Files-Lab5-2 subfolder of your work folder
▪ Click SYSTEM file, and then click Open.

2. In the left pane
▪ Expand ControlSet001, Control, and ComputerName folders
▪ Click ComputerName folder to display the name at the upper right.

3. Scroll down
▪ Click TimeZoneInformation in the left pane.
▪ This information is critical because timestamps for files, folders, and logs are based on the time zone.

Task-2 - Examining SYSTEM Hive
4. Scroll down the left pane and expand the Enum folder and the IDE folder.
▪ Contains IDE storage devices, such as a CD/DVD drive.
5. Expand the USB folder to see all USB storage devices plugged into the computer.
▪ Each storage device has a unique serial number and a Last Written Time entry in the Key Properties pane.

6. Click MountedDevices folder
▪ Lists every storage device that has been mounted in Windows OS along with its associated drive letter and GUID value.

Task-2 - Examining SYSTEM Hive
1. What’s the computer name of this system?
a. mnmsrv b. GCFI5E c. HAL d. MSDTC
2. What’s the time zone setting for this computer?
a. EST b. MST c. CST d. PST
3. How many mounted devices on this system have assigned drive letters?
4. What information is stored in the Enum folder?
a. User account information b. Password information
c. File locations d. HW and SW values
5. The SYSTEM hive contains configuration data for passwords.
a. True b. False

Examining ntuser.dat Registry File
Task 3: Examining ntuser.dat Registry File

▪ Objectives
▪ After completing this lab, you will be able to:
▪ Load a file in Registry Viewer to search for evidence
▪ Find Windows user account information in the Registry

▪ This lab requires the following:


▪ Windows
▪ Registry Viewer
▪ The ntuser.dat file extracted in Lab Activity 6
▪ Estimated completion time: 15 minutes

Task 3: Examining ntuser.dat Registry File
▪ In this lab, you look for forensic evidence in the ntuser.dat file belonging to a suspect’s user account:
1. In the Registry Viewer
▪ Click File, Open from the menu.
▪ Navigate to the Registry Files-Lab5-2 subfolder of your work folder
▪ Click the ntuser.dat file
▪ Click Open.

2. Click Edit, Find from the menu.
▪ In the Find dialog box, type Denise and press Enter.
▪ The first Registry key associated with Denise is displayed at the upper right.

Task 3: Examining ntuser.dat Registry File
3. Press the F3 key to search for the next Registry key containing any references to Denise.
▪ Notice the GUID associated with the username account information.
▪ Press F3 again to find the next key and notice the e-mail account for Denise along with her full name.

4. Click Edit, Find from the menu.
▪ In the Find dialog box, type jfriday, press Enter to search for any Registry keys associated with this suspect.
▪ What do you notice? Why?

Task 3: Examining ntuser.dat Registry File
1. ntuser.dat file contains information on multiple account holders.
a. True b. False
2. What’s the e-mail account for the Denise user?
a. [email protected] b. [email protected]
c. [email protected] d. [email protected]
3. ntuser.dat file contains information on which of the following?
a. Drive letter designations b. Personalized desktop settings
c. PID key d. MRU devices
4. Password decryption tools often need which of the following to retrieve user
passwords? (Choose all that apply.)
a. SYSTEM hive b. SAM hive c. ntuser.dat file d. Enum folder
5. ntuser.dat file is in which of the following paths?
a. C:\Windows\System32\Config b. C:\Documents and Settings\Users
c. C:\Users\username d. C:\SYSTEM