Lab 1 Guide CMIT 424 Computer Forensics

Table of Contents

Get PDF VERSION: https://researchome.com/wp-content/uploads/2022/01/CMIT_424_LAB1_GUIDE-FINAL-1.pdf

Introduction
Section 1 – Windows ISO Download and Creating a New Virtual Machine
Section 2 – Installation and Configuration of Windows 10
Section 3 – Post Installation Tasks
Section 4 – Dumping and Examining the Registry

Introduction

Lab Description: To fully understand Computer Forensics, it is essential that you understand how the Operating Systems and File Systems work, and how to utilize computer forensics tools that will help you recover the artifacts relevant to the case.

Learning Outcomes: The goal is to implement various techniques to collect and analyze information from digital media that are used in computer forensic investigations. After completing this course, you should be able to:

Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response handling guidelines.

Section 1 – Windows ISO Download and Creating a New Virtual Machine

1. Install VMware Workstation.
2. Download the Microsoft Windows 10 ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424
   Note: Use the version of Windows 10 provided for the class, even if you have a different Windows 10 ISO. Different versions have different features and configurations that may interfere with our CMIT 424 labs. This file is only for use in this class. Do not redistribute the file or use it for any other purpose than this class.
3.
In VMware Workstation, select File and New Virtual Machine.
   [Figure: New Virtual Machine]
4. Select Custom and click Next.
   [Figure: New Virtual Machine]
5. Click Next at the Choose the Virtual Machine Hardware Compatibility screen. At the Operating System Installation screen, verify that the default choice of I will install the operating system later is selected and click Next.
   Note: Do not use the Easy install. We will do a manual install.
   [Figure: New Virtual Machine]
6. Select Microsoft Windows for the Guest Operating System and Windows 10 from the dropdown box. Click Next.
   [Figure: New Virtual Machine]
7. Name the Virtual Machine Windows 10 CMIT 424 and click Next.
   [Figure: New Virtual Machine]
8. Select BIOS (Basic Input Output System) for the Firmware and click Next.
   [Figure: New Virtual Machine]
9. Keep the settings as 1 CPU and 2 processors per core if you have a lower end PC or laptop. If you have a higher end machine, feel free to add additional processors (in factors of 2).
   [Figure: New Virtual Machine]
10. For the Memory, you can use 1 GB, but 2 GB is recommended, and 4 GB is even better (as long as you have at least 8 GB on your system). I was able to complete all of the labs using 2 GB of RAM.
   [Figure: New Virtual Machine]
11. For Network type, select host only. This prevents any Internet access.
   [Figure: New Virtual Machine]
12. Accept the recommended I/O Controller type (LSI Logic SAS) and click Next.
   [Figure: New Virtual Machine]
13. For the Disk type, pick IDE (Integrated Drive Electronics) and click Next.
   [Figure: New Virtual Machine]
14. For the Maximum disk size, enter 25 GB.
   Note: Do not use the recommended size of 60 GB.
   [Figure: New Virtual Machine]
15. Click Next at the Specify Disk File screen.
16. Click Finish.
17. Your setup of the Virtual Machine is done.

Section 2 – Installation and Configuration of Windows 10

1. If you did not already do so in Section 1, download the Microsoft Windows 10 ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424
2.
Within VMware Workstation, click Edit virtual machine settings.
   [Figure: Installing Windows 10]
3. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the Windows 10 ISO file.
   [Figure: Installing Windows 10]
4. Click Power on this Virtual Machine.
   [Figure: Windows 10 Install]
5. Click Next at the Windows Setup screen.
   [Figure: Windows 10 Install]
6. Click Install Now.
   [Figure: Windows 10 Install]
7. Click I do not have a product key.
   [Figure: Windows 10 Install]
   Note: UMGC has licenses for Windows 10 for students. You can get your own product code from the following link: https://azureforeducation.microsoft.com/devtools . You need to sign in with your student email. To make the lab match the screenshots, use the ISO we provided, as there are many variations in the interface of different versions of Windows 10. Do not use that ISO outside of this class.
8. From the list of Windows 10 versions, choose Windows 10 Pro. Click Next.
   [Figure: Windows 10 Install]
9. Agree to the software license and then click Next.
10. Click Custom.
   [Figure: Windows 10 Install]
11. Verify that the disk is 25 GB and click Next.
   [Figure: Windows 10 Install]
12. This next part will take a few minutes. If you have installed Windows before, please pay attention to the next few steps, as following them will be critical to ensure that you get full credit for this lab.
   [Figure: Windows 10 Install]
13. Click Yes to United States.
   [Figure: Windows 10 Install]
14. Click Yes to a US Keyboard Layout.
15. Click Skip to adding a second keyboard.
16. Click Skip for now. This comes up because the host only networking is in use (without Internet).
   [Figure: Windows 10 Install]
17. Enter your first name and then take a screenshot of this step. Add this to your worksheet.
   Add your screenshot to page 3 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
   [Figure: Windows 10 Install]
18.
For the password, type [email protected] (That is a zero, not the letter O).
   [Figure: Windows 10 Install]
19. Confirm the password of [email protected].
20. For the hint, type CMIT424-Yourname and then take a screenshot and add it to your worksheet.
   Add your screenshot to page 4 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
   [Figure: Windows 10 Install]
21. Click No to Cortana.
22. Click Accept to the privacy settings.
   [Figure: Windows 10 Install]
23. Windows will finish installing. Move on to the next section of the lab.

Section 3 – Post Installation Tasks

First, we will install VMware Tools, which allows seamless integration between the guest and host machine. VMware Tools allows you to drag files back and forth between the host computer and the guest machine.

1. From the VMware menu, click VM, Install VMware Tools.
   [Figure: VMware Tools]
2. Click Windows Explorer. Click This PC. Double click on the VMware Tools icon. Click Yes, Next, Next, Install. Click Yes, then Finish, and Yes to the restart to complete the VMware Tools installation.
   [Figure: VMware Tools Install]
3. Use this button to send a Control+Alt+Delete to the Windows VM.
   [Figure: Control+Alt+Delete]
4. Take a screenshot of your name on the logon screen.
   Add your screenshot to page 5 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
   [Figure: Windows Login]
5. Log in with the password of [email protected].
6. Within the VM, right click on the Start button and select Run. In the Run box, type sysdm.cpl .
   [Figure: Post installation tasks]
7. Click the Change button on the Computer Name tab.
   [Figure: Post installation tasks]
8. For the new computer name, use Win10-Yourfirstname. Take a screenshot of your name in the computer domain name change screen.
   Add your screenshot to page 6 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided.
Do not use the EXAMPLE screenshot.
9. Click OK, OK, Close. Restart now.

Next, we will use some forensics tools.

Section 4 – Dumping and Examining the Registry

1. Download the CMIT 424 Software Tools ISO file needed for this class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
2. Click Edit virtual machine settings.
   [Figure: Edit Settings]
3. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you downloaded the CMIT 424 tools ISO file. Verify that both Connected boxes are checked.
   [Figure: CMIT 424 Tools]
4. Right click on the Desktop and make a new folder with your first and last name.
   [Figure: New Folder]
5. Click This PC. Right click the DVD and select Open. Double click on the FTK Imager Lite folder.
   [Figure: DVD Tools]
6. Find the FTK Imager program, right click it, and run as Administrator. Click Yes to the User Account Control warning.
   [Figure: FTK Imager]
7. Click the gold box to Obtain the Protected Registry. Browse to the location of your folder on the desktop. Select the option for Password recovery for registry and all files. Click OK.
   [Figure: FTK Imager]
8. Close the other windows and open the yourname folder with the registry files. Make sure that the Date Modified time appears in your screenshot.
   [Figure: Windows Registry]
   Add your screenshot to page 7 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
9. Click the DVD under This PC. Double click on the WRR.exe file.
   [Figure: DVD Tools]
10. Select File, Open, click Desktop, and then click the yourname folder. Double click on system.
   [Figure: Windows Registry]
11. Click User Data. You will see the Machine Name pulled from the registry.
   [Figure: Windows Registry]
   Add your screenshot to page 8 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
12. Select File, Open, click Desktop, and then click the yourname folder. Double click on software.
   [Figure: Windows Registry]
13. Click Windows Installation. Note the Install date, which matches when you installed Windows.
   [Figure: Windows Registry]
   Add your screenshot to page 9 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
14. Select File, Open, click Desktop, and then click the yourname folder. Double click on SAM.
   [Figure: Windows Registry]
15. Click on SAM. Expand Users to see the Yourname user.
   [Figure: Windows Registry]
   Add your screenshot to page 10 of your CMIT_424_LAB1_WORKSHEET.
   Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.

Hint: Do not forget your Introduction and Conclusion in your lab worksheet or you will lose points on your assignment.
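
The registry files saved in Section 4, step 8 can be checked before they are opened in WRR. The following Python is an added example, not part of the original lab guide: it hashes a hive file and reads its "regf" base block (signature, sequence numbers, last-written time, checksum). The function names and the sample header are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def xor32(block):
    """Base-block checksum: XOR of the first 127 little-endian dwords."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def inspect_hive(data):
    """Hash a hive file and summarise its 'regf' base block."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    seq1, seq2, written, major, minor = struct.unpack_from("<IIQII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # record for chain of custody
        "name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_utc(written),
        "clean": seq1 == seq2,  # False: changes may still sit in .LOG files
        "checksum_ok": xor32(data) == struct.unpack_from("<I", data, 508)[0],
    }


def build_sample_header(seq1, seq2):
    """Constructed base block for the demo, not a real acquired hive."""
    block = bytearray(4096)
    struct.pack_into("<4sIIQII", block, 0, b"regf", seq1, seq2,
                     132854688000000000, 1, 5)  # 2022-01-01 00:00:00 UTC
    name = "SYSTEM".encode("utf-16-le")
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, xor32(block))
    return bytes(block)


if __name__ == "__main__":
    for label, hive in (("clean", build_sample_header(7, 7)),
                        ("dirty", build_sample_header(8, 7))):
        print(label, inspect_hive(hive))
```

To check a file from the yourname folder, pass its bytes to inspect_hive, for example inspect_hive(open(path, "rb").read()). Because the hives are copied from a running system, a "clean" value of False is expected at times and should be noted alongside the hash.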