Lab 3: File System Artifacts

When you're done with this lab you will have done the following things:

  1. Searched through the Windows Registry for relevant evidence.
  2. Mined web browser caches and history.
  3. Used Windows prefetch files to identify usage habits.

Expectations

Throughout this entire lab (and this course), this web site assumes you are using the RHIT-supplied image of Windows and that you're working with a partner out of the Digital Forensics Workbook (Michael K. Robinson). If you are not using the RHIT-supplied image, the steps may be slightly different. Your instructor is available for help.

Details about expectations for your lab write-ups are available in the previous labs.

Keep in mind as you work on this lab that your efforts must be Repeatable and Reproducible.

Document your steps as you do them. At the end of each part (chapter), be sure to update your lab writeup with a short summary or conclusion, then sign (or write your name) and date it.

Chapter 7: Artifacts in the Registry

Read chapter 7 and follow the instructions it contains.

READ Activity 7-1

Download and extract a copy of RegistryFiles-1.zip mentioned in the book.

Don't perform the rest of the steps in 7-1, but read through the instructions and review the results with your lab partner. (You don't need to document this part in your lab notebook.)

Do Activity 7-2

Be sure to document where you obtained the hive files in your lab report.

A copy of Windows Registry Recovery is mirrored here: WRR.zip

ntuser.dat is a hidden system file. To show it in Windows File Explorer, change the folder and search options: uncheck "Hide protected operating system files".
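One way to record where the hive files came from (and to confirm ntuser.dat is really there, hidden attributes and all) before you start, as an added PowerShell example that is not part of the workbook; the extraction paths and the notebook folder are assumptions:

```powershell
# Added example (not from the workbook): inventory the lab artifacts before examining them.
# Assumed (hypothetical) paths: hives extracted to C:\RegistryFiles-1,
# caches to C:\Compressed_Caches, prefetch samples to C:\Prefetch_Examples.
# The CSV it writes can be pasted into your lab notebook.

$ArtifactRoots = @(
    'C:\RegistryFiles-1',      # ntuser.dat, SAM, SYSTEM, SOFTWARE ... (assumed extraction path)
    'C:\Compressed_Caches',    # Chrome Cache / History (assumed extraction path)
    'C:\Prefetch_Examples'     # *.pf files (assumed extraction path)
)
$Inventory = 'C:\LabNotes\artifact-inventory.csv'   # assumed notebook folder

function Get-ArtifactInventory {
    param([string[]] $Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Missing: $root (check your extraction path)"
            continue
        }
        # -Force lists files carrying the Hidden and System attributes, so a
        # live ntuser.dat appears even if Explorer is still hiding protected OS files.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force | ForEach-Object {
            [PSCustomObject]@{
                Path       = $_.FullName
                Bytes      = $_.Length
                # 'Hidden, System' on a live NTUSER.DAT; a copy pulled from a zip may have lost them
                Attributes = $_.Attributes
                Modified   = $_.LastWriteTimeUtc.ToString('o')
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $Inventory) -Force | Out-Null
$rows = Get-ArtifactInventory -Roots $ArtifactRoots
$rows | Export-Csv -LiteralPath $Inventory -NoTypeInformation

# Hash the inventory itself and write that hash, the date and your name in the notebook.
Get-FileHash -LiteralPath $Inventory -Algorithm SHA256 | Format-List Path, Hash

# Re-run after each activity: unchanged file hashes show that the tools you used
# (WRR, RegRipper, ChromeCacheView, WinPrefetchView) did not modify the originals.
```

Run it once before you open anything and once after; the two inventories are what make your write-up repeatable and reproducible.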

Do Activity 7-3

A copy of RegRipper is mirrored here: RegRipper2.8.zip, but it is recommended that you grab the latest version from GitHub using this download link or by cloning the keydet89/RegRipper2.8 repo.

Hint: when you do step 11, you should select the system profile.

Do the Additional Exercises at the end of chapter 7

You can get a mirrored copy of the RegistryFiles-2.zip file mentioned in the book.

Chapter 11: Internet History

Read chapter 11 and follow the instructions it contains.

Be sure to document your actions so your work is repeatable and reproducible.

Do Activity 11-1

You can get ChromeCacheView, ChromeHistoryView, and the Compressed_Caches.zip file from the mirror.

Information about using the programs is available at the URL given in the book.

SUGGESTION: extract the Compressed_Caches zip into a folder at the root of your C:\ drive; this keeps the paths short and reduces the chance of errors.

Step 6 is wrong: the path in the book contains a typo. Assuming you extracted Compressed_Caches to your C drive root, this is the path you should load:

C:\Compressed_Caches\Google\Chrome\User Data\Default\Cache

Step 14 is wrong: the path in the book contains a typo. Assuming you extracted Compressed_Caches to your C drive root, this is the path you should load:

C:\Compressed_Caches\Google\Chrome\User Data\Default\History

Chapter 13: Prefetch Files

Read chapter 13 and follow the instructions it contains.

Do Activity 13-1

You can get a 32-bit version of WinPrefetchView and the Prefetch_Examples.zip file from the mirror.

Do the Additional Exercises at the end of 13-1

HINTS:

Optional: Going deeper

If you have enough time, complete some of these additional exercises. A real lab tech would have much more time and might also have to use different tools, so these will help build your skills.

Do Activity 11-2

You can get MozillaCacheView and MozillaHistoryView from the mirror.

Finishing This Lab

When you're done with this lab, read over your lab notebook and ensure you've properly documented what you've done and which tools you worked with.

Submit your lab write-up for grading (to Moodle, in PDF format) when you are done with the lab.