Lab 4: Shortcuts and Metadata
When you're done with this lab you will have done the following things:
- Identified sources of "what was opened and when"
- Extracted thumbnails or summaries of files that may have been deleted.
- Extracted metadata about images and other types of files
- Uncovered event times and built a timeline of what happened
Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied Windows image and that you are working in pairs from the Digital Forensics Workbook (Michael K. Robinson).
Expectations
Keep in mind as you work on this lab that your efforts must be Repeatable and Reproducible.
Document your steps as you do them. At the end of each part (chapter), be sure to update your lab writeup with a short summary or conclusion, then sign and date it.
When you acquire evidence or artifacts, you must document:
- What the evidence item is (e.g., a USB drive or a file)
- Where the evidence came from
- How the evidence was acquired
Chapter 14: Shortcuts/Link files and Jump Lists
Read chapter 14 and follow the instructions it contains.
Do activity 14-1
You can obtain MiTeC Windows File Analyzer (WFA.zip) and Shortcuts.zip from the mirror.
SKIP the additional exercises in 14-1
Do activity 14-2
JumpLister is small, get it from the website in the book.
You can get JumpLists.zip from the mirror.
Step 15 is wrong: the timestamp the text gives for circle 9 is incorrect; the screenshot shows the correct time.
Do the additional exercises in 14-2
You can get JumpLists-2.zip from the mirror.
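WFA shows you the decoded shortcut fields; the parser below shows where they come from. It is an added example, not code from the workbook or from MiTeC: it reads the fixed 76-byte ShellLinkHeader that starts every .lnk file (layout per MS-SHLLINK section 2.1) and converts its three FILETIME fields to UTC. The sample header at the bottom is constructed here with made-up dates so the block runs without Shortcuts.zip; the target path itself lives in the LinkInfo and StringData that follow the header and is not parsed here.

```python
"""Parse the fixed 76-byte ShellLinkHeader that starts every Windows .lnk file.

Layout per MS-SHLLINK 2.1: HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand,
HotKey, then 10 reserved bytes. The three FILETIMEs are the *target's*
timestamps as they were when the shortcut was written, not the .lnk file's
own filesystem times (which an unzip tool may rewrite).
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIiIH"   # 66 bytes; the 10 reserved bytes follow
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {  # low bits of LinkFlags (MS-SHLLINK 2.1.1)
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation",
}


def filetime_to_utc(ft: int):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_lnk(data: bytes) -> bool:
    """Cheap signature check: HeaderSize must be 0x4C and the CLSID must match."""
    if len(data) < 76:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == 0x4C and clsid == LNK_CLSID


def parse_lnk_header(data: bytes) -> dict:
    if not is_lnk(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    (_size, _clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, show, _hotkey) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "link_flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "target_is_directory": bool(attrs & 0x10),   # FILE_ATTRIBUTE_DIRECTORY
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_modified": filetime_to_utc(wtime),
        "target_size": fsize,
        "show_command": show,                       # 1 = SW_SHOWNORMAL
    }


# --- Constructed sample (not from the workbook): a header whose target was
# created 2019-06-14 13:05:42Z, modified 2019-06-18 09:30:00Z, access time unset.
def _filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


SAMPLE_LNK = struct.pack(
    HEADER_FMT, 0x4C, LNK_CLSID,
    0x1A,                       # HasLinkInfo | HasRelativePath | HasWorkingDir
    0x20,                       # FILE_ATTRIBUTE_ARCHIVE
    _filetime(datetime(2019, 6, 14, 13, 5, 42, tzinfo=timezone.utc)),
    0,                          # AccessTime not recorded
    _filetime(datetime(2019, 6, 18, 9, 30, tzinfo=timezone.utc)),
    12345, 0, 1, 0,
) + b"\0" * 10

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key:20} {value}")
```

To run it against one of the shortcuts from Shortcuts.zip, pass `open(path, "rb").read()` to `parse_lnk_header` and compare the three target times with what WFA reports; the .lnk file's own created/modified times (from the filesystem) are a separate set of evidence and should be recorded separately in your writeup.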
Chapter 15: Thumbnail Caches
Read chapter 15 and follow the instructions it contains.
Do activity 15-1
You can obtain Thumbnails.zip from the mirror.
Do the additional exercises in 15-1
Do activity 15-2
Do the additional exercises in 15-2
You can obtain OSForensics (osf.exe) from the mirror.
Do activity 15-3
Do the additional exercise in 15-3
Chapter 10: File Analysis
Read chapter 10 and follow the instructions it contains.
You can obtain File_Analysis.zip from the mirror.
Do activity 10-1
Step 12 is wrong: the date shown in the text is incorrect, and so is the little "3" indicator. The date in the screenshot is correct, but it is not the one marked with the "3" indicator.
Do the additional exercises in 10-1
Do activity 10-2
You can obtain the ExifRead program from the mirror.
Do the additional exercises in 10-2
These are the same three steps repeated for four files (photo{2-5}.jpg). You may find it handy to make a table in your lab writeup and explain how to read its entries.
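ExifRead reports the tags for you; to see what it is actually reading, here is an added example (not the workbook's code, not ExifRead's) that walks a JPEG's marker segments to the APP1 "Exif" segment and then the TIFF structure inside it: the byte-order header, IFD0, and the Exif sub-IFD reached through tag 0x8769. It returns the ASCII tags (Make, Model, DateTimeOriginal, ...). The sample JPEG is constructed inline with made-up values so the block runs without File_Analysis.zip; note that DateTimeOriginal has no time zone, which matters when you put it on a timeline later in this lab.

```python
"""Extract ASCII EXIF tags from a JPEG by hand (JPEG markers -> APP1 -> TIFF IFDs)."""
import struct

TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",            # file modification time per the TIFF spec
    0x9003: "DateTimeOriginal",    # shutter time, in camera-local time, no zone
    0x9004: "DateTimeDigitized",
}
EXIF_IFD_POINTER = 0x8769
# TIFF field types -> size of one element in bytes
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _read_ifd(tiff: bytes, bo: str, offset: int, out: dict) -> None:
    """Walk one IFD; 'bo' is the struct byte-order prefix ('<' or '>')."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, entry)
        size = TYPE_SIZES.get(typ, 1) * n
        # Values of 4 bytes or fewer sit inline in the entry; larger values are
        # at an offset measured from the start of the TIFF header.
        if size <= 4:
            raw = tiff[entry + 8: entry + 8 + size]
        else:
            (ptr,) = struct.unpack_from(bo + "I", tiff, entry + 8)
            raw = tiff[ptr: ptr + size]
        if tag == EXIF_IFD_POINTER:
            (sub,) = struct.unpack_from(bo + "I", raw, 0)
            _read_ifd(tiff, bo, sub, out)
        elif typ == 2:  # ASCII, NUL-terminated
            name = TAG_NAMES.get(tag, f"0x{tag:04X}")
            out[name] = raw.split(b"\0", 1)[0].decode("ascii", "replace")


def exif_tags(jpeg: bytes) -> dict:
    """Return ASCII EXIF tags from IFD0 and the Exif IFD, or {} if there is no Exif APP1."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: metadata segments are over
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # includes the 2 length bytes
        body = jpeg[pos + 4: pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            tiff = body[6:]
            bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
            magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
            if magic != 42:
                raise ValueError("bad TIFF magic in Exif segment")
            tags = {}
            _read_ifd(tiff, bo, ifd0, tags)
            return tags
        pos += 2 + length
    return {}


def _build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, one APP1/Exif segment, EOI. Values are made up.
    Offsets below are relative to the TIFF header (8) + IFD0 (30) + Exif IFD (18) = 56."""
    make = b"Canon\0"                       # 6 bytes at TIFF offset 56
    dto = b"2021:03:14 15:09:26\0"          # 20 bytes at TIFF offset 62
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHII", 0x010F, 2, len(make), 56)
    ifd0 += struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, 38)
    ifd0 += struct.pack("<I", 0)            # no IFD1
    exif_ifd = struct.pack("<H", 1)
    exif_ifd += struct.pack("<HHII", 0x9003, 2, len(dto), 62)
    exif_ifd += struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + exif_ifd + make + dto
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    print(exif_tags(SAMPLE_JPEG))
```

For the four workbook photos, `exif_tags(open("photo2.jpg", "rb").read())` gives you the same Make/Model/DateTimeOriginal values to put in your table; a photo with no APP1 segment (or one stripped by an editor) simply returns an empty dict, which is itself worth recording.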
Chapter 18: Timestamps and Timelines
Read chapter 18 and follow the instructions it contains.
You probably already have WinPrefetchView installed from a previous lab.
You can obtain MiTeC Windows File Analyzer (WFA.zip) and timeline.zip from the mirror.
Do activity 18-1
Step 7: To find more information about a prefetch item, right-click it and choose Properties.
Step 8: Your dates may differ from the book's. Some unzip tools rewrite the modified time when they extract files; you have three timestamps to compare, so interpret them as best you can.
Step 10: The "Windows Shortcut" is in the Windows-Recent folder you unzipped from timeline.zip.
Step 15: The Hidden.docx file is in the parent folder of your shortcut -- it is not the shortcut (.lnk).
Do activity 18-2
"Event Log Viewer" is a native Windows program. You can find it by searching for "Event Viewer".
NOTE: Events.zip does not exist. Instead, download EventLogs.zip from the mirror.
Do the additional exercises in 18-2
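Activities 18-1 and 18-2 hand you times from three different kinds of artifact, and each family writes time its own way: shortcut headers and prefetch files use FILETIME (UTC), EXIF uses a local-time string with no zone, and the event log XML uses ISO 8601 in UTC with seven fractional digits. The block below is an added example (not from the workbook) of the first job in building a timeline: converting every timestamp to UTC, sorting, and flagging anything that postdates the moment the evidence was acquired, which is exactly what an unzip tool rewriting a modified time looks like. The events, the acquisition time and the assumed camera zone (UTC-4) are all constructed here.

```python
"""Normalize timestamps from several artifact families to UTC and sort them into one timeline."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """LNK headers, prefetch and $MFT store FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def from_exif(s: str, camera_tz: timezone) -> datetime:
    """EXIF 'YYYY:MM:DD HH:MM:SS' carries no zone; the analyst supplies the camera's."""
    local = datetime.strptime(s, "%Y:%m:%d %H:%M:%S").replace(tzinfo=camera_tz)
    return local.astimezone(timezone.utc)


def from_evtx(s: str) -> datetime:
    """Event Viewer XML TimeCreated SystemTime, e.g. 2019-06-18T09:28:44.5120000Z:
    UTC with seven fractional digits, one more than strptime accepts."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6]))


def build_timeline(events, acquired_at: datetime):
    """events: (source, what, raw_value, parser). Returns rows sorted by UTC time,
    each (utc_time, source, what, note); times after acquisition are flagged."""
    rows = []
    for source, what, raw, parser in events:
        ts = parser(raw)
        note = "AFTER ACQUISITION: verify (tool-rewritten?)" if ts > acquired_at else ""
        rows.append((ts, source, what, note))
    rows.sort(key=lambda r: r[0])
    return rows


# --- Constructed sample data (made up for this example, not from timeline.zip) ---
def _filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


ACQUIRED_AT = datetime(2019, 6, 21, 12, 0, tzinfo=timezone.utc)
CAMERA_TZ = timezone(timedelta(hours=-4))   # assumption: camera set to UTC-4 (Eastern daylight time)

SAMPLE_EVENTS = [
    ("Hidden.docx.lnk header", "target modified",
     _filetime(datetime(2019, 6, 18, 9, 30, tzinfo=timezone.utc)), from_filetime),
    ("prefetch entry", "last run",
     _filetime(datetime(2019, 6, 18, 9, 31, 7, tzinfo=timezone.utc)), from_filetime),
    ("photo2.jpg EXIF", "DateTimeOriginal",
     "2019:06:17 18:45:10", lambda s: from_exif(s, CAMERA_TZ)),
    ("Security event log", "logon event",
     "2019-06-18T09:28:44.5120000Z", from_evtx),
    # the .lnk file's own filesystem mtime, rewritten by the unzip tool after acquisition
    ("Hidden.docx.lnk (filesystem)", "modified",
     _filetime(datetime(2019, 6, 24, 15, 0, tzinfo=timezone.utc)), from_filetime),
]

if __name__ == "__main__":
    for ts, source, what, note in build_timeline(SAMPLE_EVENTS, ACQUIRED_AT):
        print(f"{ts.isoformat():32} {source:30} {what:18} {note}")
```

Every row in your writeup's timeline should carry the source artifact and the conversion you applied (zone assumed for EXIF, FILETIME taken as UTC), since a reviewer has to be able to reproduce the order from the same evidence.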
Optional Exercises:
For real, this time. This is optional. It may not work on your system.
Do activity 18-3
You can get a 64-bit version of plaso (log2timeline) from the mirror. You can also find it on GitHub.
Do the additional exercises in 18-3
Finishing This Lab
When you're done with this lab, read over your lab writeup and ensure you've properly documented what you've done and with what you've worked.
Submit your lab write-up for grading (to Moodle, in PDF format) when you are done with the lab.