Sarah Muss, March 6, 2017

Project 3

1. C:\Users\Win7\Documents\My Documents\2013-Sales.xlsx
2. Removable Storage Media (Floppy, USB)
3. 3/2/2014 18:48:13
4. Removable Storage Media
5. 3/2/2014 6:50:20 PM
6. B4A2B40D
7. Microsoft Excel 2007
8. C:\Users\Win7\Documents\Personal.docx
9. This would refute his claim, because the last accessed time of the file is 2014-03-02 18:45:20. If it was deleted 12 days earlier, on 2/20/2014, then how was he able to access this file? This would be the question you would have to ask the person in question, because he is lying. Also, using the LECmd tool, the last modified timestamp for the same file displays 2014-03-02 18:48:13, which means the suspect not only accessed the 2013-Sales.xlsx file but also modified its contents.
10. You would know the target has been lying because three removable storage files were accessed on 2014/03/02, which is the day after the date the subject says he hadn't connected any removable storage devices to the computer.
11. Jump lists can serve multiple purposes, the most notable of which is to contain a list of recently accessed documents/files. For example, if a user were to deny he had ever viewed a specific file in question, a jump list would come into play: you would review the jump list associated with the application and it would give the date and time the file was viewed. A link file can potentially signify that a specific file of interest was opened by a user. This is possible because, by default, Windows creates link files for files that have been recently opened. Even if files have been wiped or deleted, or were stored on a USB drive or network share and are no longer there, the LNK files associated with the original file will still exist and reveal valuable information as to what was executed on the system.
12. 3/2/14 18:51
13. 3/2/14 18:51
14. C:\Users\Win7\Documents\Clients.xlsx
15. 402107
16. Documents
17. Two user accounts have files in this system.
18. From a forensics point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. You could find files the user thought were gone forever that could uncover a vital piece of evidence. If the user only "deletes" a file with an ordinary Windows delete, the file is still there until the user "empties" the recycle bin. Oftentimes the suspect may try to quickly delete files, not realizing they still exist in the recycle bin, leaving examiners with just the evidence they would need to help put the suspect behind bars.
19. Windows 7 Professional, Service Pack 1.
20. Sat. 04 Aug 2012 12:21:00
21. VMWare Tools, VMWare User Process, MSC
22. 2 (0013729B678DEB20C51F0216&0 and 4859701DEF10326C&0).
23. Administrator, Guest, Win7, Josh
24. Administrator, Josh
25. Microsoft Visual Studio
26. 3/2/14 19:25:17 PM
28. ACME-WORKSTATIO
29. Yes, 3/2/14 19:26:43 PM
30. 11
31. Any activity the user might take on the system will be recorded in the Windows registry: installing software, connecting a USB device, opening a file, or even navigating a folder (without opening any files) will leave evidence in the Windows registry. Through registry analysis we can figure out the users of the system and whether an account was password protected or not. We could find out if they have an application such as CCleaner set to run at startup. If they do, it would raise flags for the forensic investigator.
32. Every day
33. It isn't scheduled to execute unless logged into.
34. 6/20/2013 11:28:50, and by Guest
35. Yes, CCleaner as a scheduled task means the user most likely has something to hide, which is why they have CCleaner set to run on a schedule. CCleaner is a disk cleaner tool. It frees up space on your hard drive by deleting useless files, old temporary files created by programs, temporary internet files for Internet Explorer, Windows error report logs, and more. This could be suspicious if the user was trying to hide what websites they have been to, or wanted other files deleted so no one knows what they have been up to.
36. Win7
37. mnmsrvc. I determined this by going to Registry Explorer and opening the computer name folder, which shows that this is the default computer name.
38. Serial Number: 4859701DEF10326C&0; Manufacturer: SanDisk; Model: Cruzer Micro. I determined this by going to Registry Explorer, loading the SYSTEM hive from the forensic images, and going to USBStor to figure out the serial number, manufacturer, and model.
39. I used VMware Fusion on my MacBook Air with Windows Server 2008. I used a Verbatim 8GB thumb drive. I used FTK Imager, Microsoft Excel 2010, LECmd, and JLECmd for part one. For part two I used $I Parse. For part three I used Registry Explorer. For part four I used XML Notepad. For part five I used Registry Explorer.
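The recycle bin answers in part two (deletion time, original path and size of Clients.xlsx) come from the $I metadata record that Windows writes next to each deleted file. The parser below is an added example, not part of the write-up or of the $I Parse tool; it decodes both the Windows Vista/7/8 record layout (version 1, fixed 520-byte path) and the Windows 10 layout (version 2, length-prefixed path). The sample record is constructed here, and its 18:51:00 UTC deletion timestamp is an assumption, since the write-up only gives the time to the minute.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME (100 ns intervals since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Parse one $I record: 8-byte version, 8-byte original size, 8-byte deletion
    FILETIME, then the original path in UTF-16LE (520 fixed bytes in version 1;
    a 4-byte character count followed by the path in version 2)."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(deleted), "original_path": path}


# Constructed sample records (not real artifacts): the Clients.xlsx deletion the
# write-up reports, with an assumed 18:51:00 UTC timestamp, in both layouts.
SAMPLE_PATH = r"C:\Users\Win7\Documents\Clients.xlsx"
SAMPLE_DELETED = datetime(2014, 3, 2, 18, 51, 0, tzinfo=timezone.utc)
SAMPLE_TICKS = datetime_to_filetime(SAMPLE_DELETED)
SAMPLE_V1 = (struct.pack("<QQQ", 1, 402107, SAMPLE_TICKS)
             + SAMPLE_PATH.encode("utf-16-le").ljust(520, b"\x00"))
SAMPLE_V2 = (struct.pack("<QQQI", 2, 402107, SAMPLE_TICKS, len(SAMPLE_PATH) + 1)
             + (SAMPLE_PATH + "\x00").encode("utf-16-le"))

if __name__ == "__main__":
    for record in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(record))
```

The deletion timestamp is stored in UTC, so compare it against the other artifacts only after applying the system's time zone from the SYSTEM hive.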