• Using a live acquisition tool to capture evidence.
• Analyzing Virtual Memory Using Forensic Toolkit.
• Analyzing Windows Registry

You have used AccessData’s Forensic Toolkit (FTK) Imager to image storage devices, analyze several files. In addition, FTK Imager is provided a portable version that will fit on a small USB storage device (https://accessdata.com/product-download#past-versions, download FTK Imager Version 4.3.1.1 into your USB driver). Then, a forensic investigator can acquire the contents of virtual memory and the Windows registry that may be related to any computer crimes committed on that machine. As we may know, the virtual memory holds data temporarily when the operating system processes instructions.

Procedures:

You should install FTK Imager Lite (not anymore work, so we use FTK Imager Version 4.3.1.1 as a portable tool) on a USB Flash drive and use it to capture the Windows registry files while extracting all the files of FTK Imager Lite (FTK Imager Version 4.3.1.1) into a USB flash drive.

To start the software, double-click the FTK Imager.exe file.

Because virtual memory is temporary (volatile), examination of this evidence may be possible only before the computer is turned off to move it to a forensic lab.

You should process a virtual memory capture performed on a live computer.

Procedures:

Copy the memdump.zip file wherever you want to save, and extract all (like a RAM folder).

To start FTK tool by right-clicking the FTK icon in your USB drive (e.g., Run as administration).

In the search tab (ctrl+F after highlighting the hexadecimal windows at the right bottom), type bank, and click the blue add button. In the search tab, type search, and click the blue add button. Where both bank and search are found together, click the blue view cumulative results button, select all hits, check apply to all and click OK.

• Screen shot of search results while indicating John Smith used Bing in Internet Explorer to search for bank locations.
• Screen shot of http://www.yellowpages.com to find the Suntrust Bank Plantation location
• What is the size of the memdump.mem file?
• How many evidence items were processed by FTK?
• How many hits are found searching using the word password ?
• How many files are found searching the file extension .doc ?
• How many Cumulative Result Hits are found using both password and .doc ?

The Windows registry is a central repository for all information such as users, passwords, connected devices, and physical hardware. Those data in the registry can be searched for evidence using Access Data’s Registry Viewer. Although it does not display user information in a readable format, every item listed in the registry represents a 128-bit name called a globally unique ID (GUID) that contains useful information such as the last login or last storage device accessed.

Procedures:

First, you should install AccessData Registry Viewer with rv-registry_viewer-1.5.4.exe file on BB.

Right-click the AcessData Registry Viewer icon to start.

Click File tab and click open, navigate where we you saved in 1) lab, and click Registry folder.

Click the SAM file, and click open, click the + symbol next to the SAM to expand it.

• Screen shot of the Administrator account including the Last Logon Time
• Screen shot of the Guest account indicating the SID number 501.
• What is the SID associated with John Smith user name?
• What was the last time John Smith logged into the computer?
• Besides Andrews, which other user has never logged into the computer?
• Screen shot of the attached storage devices implying that a forensic investigator should look for additional storage devices.
• How many USB storage devices have been connected to this computer?
• How many internal hard drives have been attached to this computer?

Close the Registry Viewer dialog box while clicking the file tab.

Click the file tab, select open, and double-click the System registry hive to load it into the registry viewer.