
Lab 3 Guide CMIT 424 Computer Forensics

Table of Contents
Introduction ………………………………………………………………………………………………………………………………………. 2
Section 1 – Examining Windows Events Logs……………………………………………………………………………………………. 3
Section 2 – Parsing Event Logs…………………………………………………………………………………………………………….. 12
Section 3 – Clearing Windows Events Logs……………………………………………………………………………………………… 23
Introduction
Important Note: To complete Lab 3, you need to have completed Lab 1 and Lab 2.
During this lab, we will examine the Windows Event Viewer. The Event Viewer has many relevant
artifacts related to activity on the system.
Lab Description:
To fully understand Computer Forensics, it is essential that you understand how the Operating
Systems and File Systems work, and how to utilize computer forensics tools that will help you
recover the artifacts relevant to the case.
Learning Outcomes:
The goal is to implement various techniques to collect and analyze information from digital
media that are used in computer forensic investigations.
After completing this course, you should be able to:
Course Learning Outcomes
• establish a digital forensic workstation for the purpose of collecting and analyzing data.
• select and apply the most appropriate methodology to extract data based on circumstances and
reassemble artifacts from data fragments.
• apply rules and guidelines as they pertain to the acquisition, handling, and storage of digital
artifacts.
• analyze and interpret data collected and report outcomes in accordance with incident response
handling guidelines.
Section 1 – Examining Windows Events Logs

  1. (You completed the OS install in Lab 1). Click Power on this Virtual Machine:
    Power On
  2. Use this button to send a Control+Alt+Delete to the Windows VM.
    Control+Alt+Delete
  3. Log on to the Windows 10 Virtual Machine that you created in Lab 1 with the username of your first name
    and the password of [email protected]
  4. If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this
    class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  5. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  6. Type the following below, replacing my name with your First Name and Last Name.
    (No Spaces). This adds an account to your Windows 10 forensics Workstation.
    C:\Windows\system32>net user FirstNameLastName [email protected] /add
    Command Prompt
    Add your screenshot to page 3 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  7. Right click on the start button and select Event Viewer.
    Event Viewer
  8. After the Event Viewer opens, click Windows logs, and then click the Security log. We will be looking
    for events that fall under the category of User Account Management. Double Click on the Event 4720
    and then look for your first and last name. Click on the details tab. Make sure that the Date and Time
    stamp, provided with the Event Viewer views, is displayed in your screenshot.
    Event Viewer
    Add your screenshot to page 4 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  9. Switch back to the Command Prompt. Type the following command to enumerate all of the running
    services on the Windows Server.
    C:\Windows\system32>net start
    Net start
    Sometimes attackers stop services that would interfere with their activity, such as Windows Update, the
    Firewall, or antivirus. When a service is stopped, that action is logged and can be seen in the Windows Event
    Viewer. This is one reason a Computer Forensic examiner sifts through the Event Viewer logs.
  10. Type the following command to stop the Windows Firewall service on the Windows Server.
    C:\Windows\system32>net stop "Security Center"
    Net stop
  11. Click back on the Windows Server and go back into the Event Viewer. Click Windows logs, and then click
    the Application log. We will be looking for events that fall under the category of Security Center.
    Double Click on the Events and then look for the Security Center stopping. Make sure that the Date
    and Time stamp, provided with the Event Viewer views, is displayed in your screenshot.
    Event Viewer
    Add your screenshot to page 5 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
    The Security log records security-related events, such as account creation or file or folder access.
    The Application log records events from software, which is exactly what Windows Security Center is: software.
    The System log records events relating to the hardware on the system. We will examine that next.
  12. Type the following command to stop the Windows Audio service on the Windows Server.
    C:\Windows\system32>net stop "Windows Audio"
    Net stop
    Add your screenshot to page 6 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  13. Click back on the Windows Server and go back into the Event Viewer. Click Windows logs, and then click
    the System log. There are no events relevant to the Windows Audio service stopping. This is because
    auditing of System events is somewhat limited. You will not usually see this type of event on a
    standalone system with the default Windows settings for a Windows 10 machine. However, we will
    see relevant Computer Forensic information about when the system was asleep or turned off. We will
    examine those records next; they can be extremely relevant to Computer Forensics investigations.
    Event Viewer
  14. Type the following command at the Command Prompt to attempt to shut down the system.
    C:\Windows\system32>shutdown /r /t 6000
    Note: /r means reboot, /t sets the delay in seconds, and 6000 seconds = 100 minutes.
    Command Prompt
  15. Type the following command at the Command Prompt to abort the shutdown of the system.
    C:\Windows\system32>shutdown /a
    Note: The a is for abort.
    Command Prompt
  16. Click back on the Windows Server and go back into the Event Viewer. Click Windows logs, and then click
    the System log. Look for the records related to the shutdown you scheduled and then aborted in the
    previous two steps; as noted in step 13, the System log is where information about the system being
    shut down or asleep is recorded.
    Event Viewer
    Add your screenshot to page 7 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Section 2 – Parsing Event Logs
  17. If you did not already do so for Lab 1, download the CMIT 424 Software Tools ISO file needed for this
    class from the following Microsoft SharePoint link: https://tinyurl.com/CMIT424-tools
  18. Click Edit virtual machine settings.
    Edit Settings
  19. Click on the CD/DVD icon and then click Browse. Go to the location on your system where you
    downloaded the CMIT 424 tools ISO File. Verify that both Connected boxes are checked.
    CMIT 424 Tools
  20. Double Click on the npp.8.0.Installer.x64 file to install the Notepad++ program.
    Click Yes, OK, Next, I Agree, Next, Next, Install.
    Notepad++
  21. Right click on SysinternalsSuite and select Send to Documents. Click Replace Destination.
    SysinternalsSuite
  22. Right click on SysinternalsSuite and select Extract All… Click Extract. Click Replace the Files.
  23. Find psloglist in the list of extracted files. Right click on the file and select copy.
    psloglist
  24. Click on Local Disk C:, find the Windows Directory, and then click Paste. Click Continue.
    Windows
  25. Right click on the shortcut to the Command Prompt and select run as Administrator. Click Yes.
    Command Prompt
  26. Type the following below, replacing my name with your First Name followed by the number 1.
    This adds another account to your Windows 10 forensics Workstation.
    C:\Windows\system32>net user Jesse1 [email protected] /add
    Hit the up-arrow key, replace 1 with 2, and then press enter again.
    Hit the up-arrow key, replace 2 with 3, and then press enter again.
    Hit the up-arrow key, replace 3 with 4, and then press enter again.
    Hit the up-arrow key, replace 4 with 5, and then press enter again.
    Command Prompt
  27. Type the following below to run psloglist for the first time. Agree to the license agreement.
    C:\Windows\system32>psloglist
  28. Type the following command to parse the user creation from the Security Event Logs, replacing my
    name with your first name. (The /i switch makes find ignore case, so Jesse1 is matched by "jesse".)
    C:\Windows\system32>psloglist Security | find /i "jesse"
    Command Prompt
    Add your screenshot to page 8 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
  29. Type the following command to send the output of the Security Event Logs to a file.
    C:\Windows\system32> psloglist Security >> C:\users\%username%\desktop\security.txt
    Command Prompt
  30. Right click on the file (security.txt on your desktop) and open it with Notepad++.
    Notepad++
  31. Go to Edit > Select All, then Search > Find. Type your first name and click the Count button.
    Note: This tool will be excellent for the log analysis and other questions in Project 1 and Project 2.
    Add your screenshot to page 9 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
Section 3 – Clearing Windows Events Logs
  32. Type the following command at the Command Prompt to clear the Security Log.
    C:\Windows\system32> wevtutil.exe cl Security
    Command Prompt
  33. Click back on the Windows Server and go back into the Event Viewer, and then click the Security log.
    There should only be a single event listed. Double Click on the Event. It should say that the Audit Log
    was cleared. Make sure that the Date and Time stamp, provided with the Event Viewer views, is
    displayed in your screenshot.
    Event Viewer
    Add your screenshot to page 10 of your CMIT_424_LAB3_WORKSHEET.
    Note: Your screenshot will be different from the example provided. Do not use the EXAMPLE screenshot.
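As an added example that is not part of this lab guide and is not Sysinternals code, the script below does with a few lines of Python what Sections 1 to 3 do by hand: it parses psloglist-style text (the kind of dump step 29 writes to security.txt), counts records that mention a user name the way the find / Notepad++ Count steps do, lists the 4720 account-creation events, and reports the "audit log was cleared" event that Section 3 leaves behind. The two dumps, the host name FORENSICS-WS and the record numbers are constructed sample data; the regular expressions assume psloglist's record layout (a "[record] Source" line, Type/Computer/Time lines, then the message text). Event ID 4720 comes from the guide; 1102 (Security log cleared) and 1074 (a shutdown or restart was requested) are standard Windows event IDs the guide does not name.

```python
"""Parse psloglist-style text and flag the artifacts this lab examines.

Added example, not from the CMIT 424 guide or Sysinternals. The dumps below are
constructed to mimic psloglist's record layout; the regexes encode that assumption.
ID 4720 is the guide's account-creation event; 1102 (audit log cleared, Security)
and 1074 (shutdown/restart requested, System) are standard Windows event IDs.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed: the Security log after `wevtutil cl Security`, then one more `net user /add`.
SECURITY_DUMP = r"""Security log on \\FORENSICS-WS:
[2] Microsoft-Windows-Eventlog
   Type:      AUDIT SUCCESS
   Computer:  FORENSICS-WS
   Time:      3/4/2022 11:02:45 AM   ID: 1102
The audit log was cleared.
[3] Microsoft-Windows-Security-Auditing
   Type:      AUDIT SUCCESS
   Computer:  FORENSICS-WS
   Time:      3/4/2022 11:05:10 AM   ID: 4720
A user account was created.
   New Account: Account Name: Jesse3
"""
# Constructed: the System log entry left by `shutdown /r /t 6000`.
SYSTEM_DUMP = r"""System log on \\FORENSICS-WS:
[910] User32
   Type:      INFORMATION
   Computer:  FORENSICS-WS
   Time:      3/4/2022 10:40:10 AM   ID: 1074
The process C:\Windows\system32\shutdown.exe has initiated the restart of computer FORENSICS-WS on behalf of user FORENSICS-WS\jesse
"""

BANNER = re.compile(r"^(\S+) log on \\\\(\S+?):\s*$")          # "Security log on \\HOST:"
HEADER = re.compile(r"^\[(\d+)\]\s+(.+?)\s*$")                 # "[record] Source"
TIMELINE = re.compile(r"^\s*Time:\s+(.+?)\s+ID:\s+(\d+)\s*$")  # "Time: ...   ID: nnnn"
NEW_ACCOUNT = re.compile(r"New Account: Account Name:\s*(\S+)")


@dataclass
class Record:
    log: str
    number: int
    source: str
    time: datetime = datetime.min
    event_id: int = 0
    message: str = ""


def parse_psloglist(text: str) -> List[Record]:
    """Turn one psloglist dump into Record objects (assumed layout, see docstring)."""
    records: List[Record] = []
    log, cur = "", None
    for line in text.splitlines():
        if (m := BANNER.match(line)):
            log = m.group(1)                      # which log this dump came from
        elif (m := HEADER.match(line)):
            cur = Record(log, int(m.group(1)), m.group(2))
            records.append(cur)
        elif cur is None:
            continue                              # text before the first record
        elif (m := TIMELINE.match(line)):
            cur.time = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            cur.event_id = int(m.group(2))
        else:
            body = line.strip()
            key = body.partition(":")[0]
            if body and key not in ("Type", "Computer"):   # everything else is message text
                cur.message = f"{cur.message}\n{body}" if cur.message else body
    return records


def mentions(records: List[Record], name: str) -> List[Record]:
    """Records whose message contains name, ignoring case (cmd's find needs /i for that)."""
    return [r for r in records if name.lower() in r.message.lower()]


def account_creations(records: List[Record]):
    """(time, new account name) for every 4720 record, oldest first."""
    return sorted((r.time, m.group(1)) for r in records
                  if r.event_id == 4720 and (m := NEW_ACCOUNT.search(r.message)))


def audit_log_cleared(records: List[Record]) -> Optional[datetime]:
    """Earliest 1102 in the Security log, or None if it was never cleared."""
    clears = [r.time for r in records if r.log == "Security" and r.event_id == 1102]
    return min(clears) if clears else None


def shutdown_requests(records: List[Record]) -> List[datetime]:
    """Times of 1074 records in the System log (a shutdown or restart was requested)."""
    return sorted(r.time for r in records if r.log == "System" and r.event_id == 1074)


def triage(records: List[Record]) -> List[str]:
    """Findings in time order; a cleared Security log is itself a finding."""
    findings = []
    cleared = audit_log_cleared(records)
    if cleared is not None:
        before = [r for r in records if r.log == "Security" and r.time < cleared]
        findings.append((cleared, f"Security log cleared (ID 1102); {len(before)} "
                                  "Security records survive from before the clear"))
    findings += [(t, f"account {a} created (ID 4720)") for t, a in account_creations(records)]
    findings += [(t, "shutdown/restart requested (ID 1074)") for t in shutdown_requests(records)]
    return [f"{t:%Y-%m-%d %H:%M:%S}  {msg}" for t, msg in sorted(findings)]


if __name__ == "__main__":
    recs = parse_psloglist(SECURITY_DUMP) + parse_psloglist(SYSTEM_DUMP)
    print("\n".join(triage(recs)))
    print(f"{len(mentions(recs, 'jesse'))} records mention 'jesse'")
```

Run it as-is to see the three findings in time order; to use it on your own security.txt from step 29, read the file and pass its contents to parse_psloglist. The count reported by mentions is the same number the Notepad++ Count button gives for your first name, and the 1102 finding is the point of Section 3: once the log has been cleared, the clear event is the earliest record left, so nothing before it can be recovered from that log.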