Cyber Forensics Lab Report 2

Complete the following tasks related to this case and answer the questions:
1. Use FTK to create a new case called Lab1. Then add the ID THEFT1.E01 image with all processing options except a SHA1 hash.
2. Locate evidence that can assist in prosecuting the following offenses:
a. Counterfeiting U.S. currency b. Counterfeiting U.S. passports
c. Theft of credit card information
Tip:
To find evidence of credit card theft, you can create a regular expression to find
American Express Card numbers (e.g., 1234 123456 12345).
You can also create another regular expression to find JC Penney Card numbers
(e.g., 123 456 789 0 1).
3. If possible, ascertain if Elvis has any upcoming travel plans.
4. Bookmark and document findings including the registry file analysis in your case report.

Part 2
Provide answers to the following questions using the NTUSER.DAT file and the information you generated from the report:
1. Police suspect that Elvis was in possession of illegal MP3 files obtained from an RIAA sting operation. How can you determine if Elvis possessed any of the following audio files?
a. “La Femme Nikita” Maine Theme (club Version) b. Copy of “La Femme Nikita,” “Spies” by Coldplay c. “How You Remind Me” (Acoustic) by Nickelback
2. Several paper documents were recovered in Elvis’ locker. Document analysis has begun. What printer was Elvis using?
3. Elvis maintained a POP e-mail account with the IRS fake-ID site. Provide evidence of this account as well as the password Elvis was using to access that account. Add this key to the report.
CIS 4810
Page 2 of 2
4. What was Elvis’ Internet Explorer homepage?
5. What was the last location that Elvis downloaded something from using Internet
Explorer?
6. Add the following to your report:
a. Internet Explorer Typed URLS.
b. Recent Documents (all categories)
c. Run MRU list information
d. Last Visited MRU information
e. Open Saved MRU information (Open With or Save As dialog)
7. Generate a report based on the NTUSER.DAT file
8. Answer the following questions using the SYSTEM file.
a. Elvis is known to transport illicit files on portable storage devices. The Pomona PD has several portable storage devices in their possession from Elvis’ school locker. Can you give them any information that can help them determine if Elvis has connected to these portable storage devices?
b. Elvis’ computer has been attempting to hack several Salt Lake City credit card sites. The event logs continually show a reference to KAL as an incoming computer name. Look for information that supports this and list a location that could be used to corroborate it.
9. Generate a report based on the System file.
10. Even though Elvis had his SAM file on this thumb drive, document when Elvis last logged on to his machine using the SAM file. His machine account name is ID THEFT DUDE. Generate a report.
11. Generate a report based on the SAM file.
12. Use the File Filter Manager to create and apply the following filters to this case.
Document the number of times resulting from each filter.
a. Display all allocated graphics created on October 1, 2003. How many hits result?
b. Display only deleted graphics. How many hits result?
c. Display all allocated duplicate graphics with a logical size between 6-11
KB. How many hits result?