Advanced Computer Forensics
Windows FTK Forensics Lab
Read the ENTIRE document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.
Lab Setup for using RLES vCloud
This lab is designed to run on the RLES vCloud. The interface is available at https://rlesvcloud.rit.edu/cloud/org/NAT . You created a vApp in your previous labs. Now add the vApp template 841_Win_Forensics_Updated from the Public Catalogs to that same vApp, following the "Add Virtual Machines to a vApp" instructions in the RLES vCloud User Guide; no network is required.
FTK software, including FTK 1.8, Registry Viewer and FTK Imager, is installed in the 841_Win_Forensics_Updated VM. The EnCase evidence file, WinLabEnCase, is located on the local E:\ drive of the RLES VM. Read the FTK 1.80 User Manual, posted in RLES, for FTK details.
The 841_Win_Forensics_Updated VM login
Username: Administrator
Password: netsys
NOTE: If you are not able to open the VM, reset the VM's MAC address (right-click the VM, choose Properties, click the Hardware tab, then use the drop-down arrow next to the MAC address to reset it).
PART I: Getting Familiar with FTK Imager
Bonus Exercise 1 (5 points): Assume that you have a write-protected USB device. (Write protection matters: Windows mounts removable media read-write by default and may modify the volume as soon as it is attached, so image only through a hardware write blocker or a device whose write-protect switch is enabled.)
Image the USB device or a floppy disk to create a raw (dd) image. (Note: You cannot use the 841_Win_Forensics_Updated VM for this bonus exercise; use your own computer.)
Provide a screenshot from FTK Imager.
Requires: a USB device or a floppy disk
Launch FTK Imager
Click File > Create Disk Image
Select Physical Drive as the source type and click Next
Select the device and click Finish, then click Add... and choose Raw (dd) as the image type
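The point of the raw (dd) choice above is worth making concrete. A dd image is a bit-for-bit copy with no container around it, so, unlike an E01 image (used in Exercise 2), it carries no embedded hash; the only integrity evidence is the MD5/SHA1 that FTK Imager computes during acquisition and writes to its summary .txt file next to the image. The script below is an added example, not part of the lab or of FTK Imager: it acquires a constructed stand-in for a write-protected device into a .001 raw segment, hashes the source in chunks while copying (the way an imager hashes a multi-GB drive without loading it into memory), re-hashes the image against the acquisition record, and then shows that a single flipped byte is caught. The file names, the 1536-byte sample device and the record layout are assumptions made for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never need to fit in memory

# Constructed stand-in for a small device: three 512-byte "sectors" (1536 bytes).
# A real USB stick would be opened as \\.\PhysicalDriveN instead of a file.
SAMPLE_DEVICE = bytes(512) + (b"sector-1" * 64) + bytes(range(256)) * 2


def hash_stream(fileobj, chunk=CHUNK):
    """Hash an open binary stream in chunks; returns (md5_hex, sha1_hex, byte_count)."""
    md5, sha1, count = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: fileobj.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
        count += len(block)
    return md5.hexdigest(), sha1.hexdigest(), count


def acquire_raw(source_path, image_path):
    """dd-style acquisition: copy the source bit-for-bit, hashing the source as it is read.

    Returns the acquisition record (the values an imager writes to its summary file).
    The hashes come from the bytes read off the source, not from the output file,
    so a later mismatch points at the image, not at the acquisition."""
    md5, sha1, count = hashlib.md5(), hashlib.sha1(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            md5.update(block)
            sha1.update(block)
            count += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": count}


def verify_raw(image_path, record):
    """Re-hash the raw image and compare it with the acquisition record.

    A raw (dd) image has no embedded hash, so this external record is the only
    integrity evidence; an E01 container stores the hash inside the image as well."""
    with open(image_path, "rb") as img:
        md5, sha1, count = hash_stream(img)
    return {
        "md5_ok": md5 == record["md5"],
        "sha1_ok": sha1 == record["sha1"],
        "size_ok": count == record["bytes"],
    }


def run_demo():
    """Acquire the constructed sample, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "usb.001")  # raw segments are named .001, .002, ...
        with open(device, "wb") as f:
            f.write(SAMPLE_DEVICE)

        record = acquire_raw(device, image)
        clean = verify_raw(image, record)

        # Simulate post-acquisition tampering (or a bit flip on the evidence drive):
        # XOR one byte in the second sector and re-verify.
        with open(image, "r+b") as f:
            f.seek(600)
            original = f.read(1)
            f.seek(600)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_raw(image, record)
    return record, clean, tampered


if __name__ == "__main__":
    record, clean, tampered = run_demo()
    print("acquisition record:          ", record)
    print("untouched image verifies:    ", clean)
    print("after one-byte change:       ", tampered)
```

When you run the real acquisition, compare the MD5/SHA1 in FTK Imager's summary .txt against a hash you compute independently of FTK Imager before relying on the image; the size check catches truncated or short-read images that a hash mismatch alone does not explain.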
Exercise 2: View images
Click File > Add Evidence Item
Select Image File as the source type and click Next
Browse to the WinLabEnCase.E01 image on the E:\ drive and click Finish