
19CS3259S- DIGITAL FORENSICS

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


COURSE CODE: 19CS3259
DIGITAL FORENSICS WORKBOOK

11. Timestamps, Timelines and Recovering Passwords

Date of the Session: ___/___/____    Time of the Session: _______ to _______

Learning Outcomes:
• To understand and analyse timestamps.
• To understand and analyse timelines.
• To understand and recover passwords.
Task 1: In this activity you will analyze a series of timestamps related to one event – the
creation of a Microsoft Word document.

Q1. When was Microsoft Word last run?

Q2. When was the Prefetch file created and when was it last modified?

Q3. When was the file named “Hidden.docx” created and last modified?

Q4. When was the file created and modified?

Q5. Based on the timestamps provided, identify a timeline of events.
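Added worked example for Task 1 (not part of the workbook): the timestamps you read for this activity are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC) held in the MFT $STANDARD_INFORMATION attribute and in the prefetch file header. The block below decodes them, reads the last-run time and run count from a Windows 7 prefetch header, and sorts everything into one timeline. All values, the account of what was done, and the prefetch hash suffix XXXXXXXX are constructed for illustration and are not taken from the workbook's evidence image.

```python
"""Added example for Task 1: decoding Windows timestamps and ordering them into a
timeline. Every value below is constructed for illustration and is not taken from
the workbook's evidence image; the prefetch hash suffix XXXXXXXX is a placeholder."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 as FILETIME; a handy sanity check


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC, as stored in the MFT
    and in prefetch headers) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used here to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_v23(buf: bytes):
    """Last-run time and run count from a Windows 7 (format version 23) .pf header:
    0x00 version, 0x04 signature 'SCCA', 0x80 last execution FILETIME, 0x98 run count.
    Windows 8 keeps eight run times and Windows 10 compresses the file, so this
    reader is deliberately Windows 7 only."""
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA" or version != 23:
        raise ValueError("not a Windows 7 prefetch file")
    (last_run,) = struct.unpack_from("<Q", buf, 0x80)
    (run_count,) = struct.unpack_from("<I", buf, 0x98)
    return filetime_to_datetime(last_run), run_count


def build_timeline(events):
    """events: iterable of (artifact, timestamp_name, FILETIME). Returns the same
    entries as (datetime, artifact, timestamp_name), oldest first."""
    return sorted(((filetime_to_datetime(ft), art, name) for art, name, ft in events),
                  key=lambda e: e[0])


def created_after_modified(events):
    """Artifacts whose 'created' time is later than their 'modified' time. On NTFS that
    usually means the file was copied or moved in (modification time carried over from
    the source), so it earns a line in the report rather than being dismissed as noise."""
    per_artifact = {}
    for art, name, ft in events:
        per_artifact.setdefault(art, {})[name] = ft
    return sorted(a for a, t in per_artifact.items()
                  if "created" in t and "modified" in t and t["created"] > t["modified"])


# --- constructed sample (hypothetical values) ---------------------------------
SAMPLE_PREFETCH = bytearray(0x9C)
struct.pack_into("<I4s", SAMPLE_PREFETCH, 0, 23, b"SCCA")
struct.pack_into("<Q", SAMPLE_PREFETCH, 0x80, datetime_to_filetime(utc(2015, 10, 2, 13, 42, 10)))
struct.pack_into("<I", SAMPLE_PREFETCH, 0x98, 3)

PF = "WINWORD.EXE-XXXXXXXX.pf"
SAMPLE_EVENTS = [  # (artifact, timestamp name, FILETIME) as read from $STANDARD_INFORMATION
    (PF, "created", datetime_to_filetime(utc(2015, 10, 2, 13, 30, 25))),   # ~10 s after first run
    (PF, "modified", datetime_to_filetime(utc(2015, 10, 2, 13, 42, 20))),  # rewritten on each run
    ("Hidden.docx", "created", datetime_to_filetime(utc(2015, 10, 2, 13, 35, 0))),
    ("Hidden.docx", "modified", datetime_to_filetime(utc(2015, 10, 2, 13, 41, 55))),
    ("Report.docx", "created", datetime_to_filetime(utc(2015, 10, 2, 13, 50, 0))),
    ("Report.docx", "modified", datetime_to_filetime(utc(2015, 9, 28, 9, 0, 0))),  # copied in
]


def task1_timeline():
    """Merge the prefetch header's own last-run time with the file-system timestamps."""
    last_run, _count = parse_prefetch_v23(SAMPLE_PREFETCH)
    events = SAMPLE_EVENTS + [(PF, "last run (header)", datetime_to_filetime(last_run))]
    return build_timeline(events)


if __name__ == "__main__":
    for when, artifact, name in task1_timeline():
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {artifact:<26} {name}")
    print("created-after-modified:", created_after_modified(SAMPLE_EVENTS))
```

Two things worth checking when you do this on the real image: keep every timestamp in UTC until the report (the MFT stores UTC, Explorer displays local time, and mixing the two is the commonest timeline error), and compare $STANDARD_INFORMATION against $FILE_NAME for the same entry, since the latter is harder for user-mode tools to alter.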


Task 2: In this activity you will analyze a series of timestamps for events in a Windows
Event log to show when a user logged on and off a Windows 7 system.

Q1. What user account logged into the system on October 2, 2015, through an interactive
session?

Q2. In what format was the logon time stored?

Q3. When did the user log off the system?

Examine the System event log, i.e., System.evtx.

Q4. When did the system event logs start and stop on October 2, 2015?

Q5. Based on a comparison of these times against the Security log for the same day,
which log runs longer?
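Added worked example for Task 2 (not the workbook's own material): the logon/logoff questions are answered by pairing Security event 4624 (logon, with LogonType 2 for an interactive session) with the 4634 or 4647 that carries the same TargetLogonId, and the start/stop questions by taking the first and last record time per channel. The records below are constructed (user jdoe, the logon IDs and the times on 2015-10-02 are invented) and their XML mirrors the shape Event Viewer shows in its XML view, where TimeCreated SystemTime is the record's 64-bit FILETIME rendered as ISO 8601 UTC.

```python
"""Added example for Task 2: pulling logon and logoff events out of exported Security
and System records and pairing them. The records are constructed (user jdoe, logon
IDs, times on 2015-10-02) and are not the workbook's evidence; their XML mirrors
Event Viewer's XML view of an EVTX record."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_ID = 4624
LOGOFF_IDS = {4634, 4647}          # session ended / user-initiated logoff
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}
SYSTEMTIME_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_systemtime(text: str) -> datetime:
    """TimeCreated SystemTime is the record's 64-bit FILETIME rendered as ISO 8601 UTC
    with up to seven fractional digits; Python keeps six, so the 100 ns digit is dropped."""
    m = SYSTEMTIME_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unexpected SystemTime: {text!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((m.group(2) or "").ljust(6, "0")[:6]))


def parse_event(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "channel": system.find("e:Channel", NS).text,
        "data": {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def _session(logon_ev, logoff_time):
    d = logon_ev["data"]
    logon_type = int(d["LogonType"])
    return {"user": d["TargetUserName"], "type": LOGON_TYPES.get(logon_type, str(logon_type)),
            "logon": logon_ev["time"], "logoff": logoff_time}


def sessions(events):
    """Pair each 4624 with the 4634/4647 that carries the same TargetLogonId. Matching on
    the logon ID rather than the user name keeps overlapping sessions of one account apart."""
    open_logons, done = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        d = ev["data"]
        if ev["id"] == LOGON_ID:
            open_logons[d["TargetLogonId"]] = ev
        elif ev["id"] in LOGOFF_IDS:
            logon = open_logons.pop(d.get("TargetLogonId"), None)
            if logon is not None:
                done.append(_session(logon, ev["time"]))
    done.extend(_session(ev, None) for ev in open_logons.values())  # no logoff recorded
    return sorted(done, key=lambda s: s["logon"])


def interactive_sessions(events):
    return [s for s in sessions(events) if s["type"] == "Interactive"]


def log_span(events, channel):
    """First and last record time for one channel: the 'when did the log start and stop' question."""
    times = [ev["time"] for ev in events if ev["channel"] == channel]
    return min(times), max(times)


def longer_log(events, a="Security", b="System"):
    sa, sb = log_span(events, a), log_span(events, b)
    return a if (sa[1] - sa[0]) > (sb[1] - sb[0]) else b


# --- constructed sample (hypothetical records) ----------------------------------
def _record(channel, event_id, system_time, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Channel>{channel}</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')

SAMPLE_EVENTS = [parse_event(x) for x in [
    _record("System", 6005, "2015-10-02T08:55:50.0000000Z"),              # Event Log service started
    _record("Security", 4624, "2015-10-02T08:57:03.1234567Z",
            TargetUserName="jdoe", LogonType="2", TargetLogonId="0x3e7a1"),
    _record("Security", 4624, "2015-10-02T09:00:10.0000000Z",
            TargetUserName="svc_backup", LogonType="3", TargetLogonId="0x45b20"),
    _record("Security", 4634, "2015-10-02T09:00:11.0000000Z",
            TargetUserName="svc_backup", LogonType="3", TargetLogonId="0x45b20"),
    _record("Security", 4647, "2015-10-02T17:12:45.0000000Z",
            TargetUserName="jdoe", TargetLogonId="0x3e7a1"),
    _record("System", 6006, "2015-10-02T17:14:02.0000000Z"),              # Event Log service stopped
]]

if __name__ == "__main__":
    for s in sessions(SAMPLE_EVENTS):
        print(s["user"], s["type"], s["logon"], "->", s["logoff"])
    print("Security:", log_span(SAMPLE_EVENTS, "Security"), "System:", log_span(SAMPLE_EVENTS, "System"))
    print("longer:", longer_log(SAMPLE_EVENTS))
```

On a real System.evtx the 6005/6006 pair from the EventLog provider brackets the service's uptime and is the cleanest answer to "when did the log start and stop" for a given day; a session with no matching logoff (the block reports it with logoff None) usually means the machine was powered off or the log rolled over, not that the user stayed logged on.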


Task 3: In this activity you will crack passwords taken from a Windows-based computer
using Ophcrack in Kali Linux.

Q1. What is the password for the account named “Sparky”?


Q2. What is the password for the account named Administrator?
Q3. What is the password for the account named Guest?
Q4. What is the password for the account named HelpAssistant?
Q5. What is the password for the account named Jim?
Q6. What is the password for the account named test_account?


Viva Voce:
1. What are the three rules for a forensic hash?

2. What does MFT stand for?

3. In Windows 7 and later, how much data from RAM is loaded into RAM slack on
a disk drive?

4. Clusters in Windows always begin numbering at what number?

5. What's the advantage of a write-blocking device that connects to a computer through a FireWire or USB controller?

(For Evaluator’s use only)

Comment of the Evaluator (if any)    Evaluator's Observation

Marks Secured: ____ out of ____

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:
