Assignment Unit 3
Part I Hands-On Steps
Part 1: Use WinAudit to inventory the vWorkstation
1. Figure 1 shows screen shot of system overview using WinAudit a. Figure 1
2. Figure 2 shows screen shot of Windows Firewall findings.
b. Figure 2
3. Figure 3 shows screen shot of user accounts findings.
c. Figure 3
4. Figure 4 shows screen shot of Drive C findings.
d. Figure 4
5. Figure 5 shows screen shot of Physical Disk.
e. Figure 5
Part 2: Use DenManView to identify system devices
1. Figure 1 show screen capture of CDROM and System CMOS/real time clock. . Figure 1
There are 89 devices identified by DenManView.
Part 3: Use Frhed to perform a byte-level file analysis
1. Figure 1 shows screen shot of Frhed view of target.abc
. Figure 1
2. Figure 2 shows screen shot of target.jpg file.
. Figure 2
3. Figure 3 shows screen shot of entire contents of the file properties dialog box. . Figure 3
Part II Lab Assessment Questions & Answers
1. What is the main purpose of a software tool like WinAudit in computer forensics? WinAudit is a GUI based tool that reports on a numerous aspects of running system, inclduign both volatile and non-volatile information, providing computer inventory and system configuration (Aquilina, J., & Casey, E., 2008). 2. Which item(s) generated by WinAudit would be of critical importance in a computer Forensic investigation? I will say that some of the most important items in a computer for a forensic investigation are: Drivers, running programs, installed programs, operating system, computer name, security setting and configurations, and firewall configurations. 3. Could you run WinAudit from a flash drive or any other external media? If so, why is this important during a computer forensic investigation? Yes, we can run WinAudit from a flash drive. Its important during a computer forensic investigation because it would prevent alter any important evidence. 4. Why would you use a tool like DevManView while performing a computer forensic investigation? I would use DevManView because it displays the properties of all devices running in a computer that is using my network. 5. Which item(s) available from DevManView would be of critical importance in a computer forensic investigation? The item available form DevManView that are important in a computer forensic investigation are mostly hardware, and most likely they are Hardrive and USB devices that its been use within the network. 6. What tool similar to DevManView is already present in Microsoft Windows systems? Another tool similar to DevManView that is used in Microsoft Windows systems is WinHEX 7. Why would someone use a Hex editor during a forensic investigation? A forensic investigator need Hex editor for analyzing file structures allowing him to go beyond the application or file, and it will allows for the viewing of all the data contained within a file including remnant of old file or even deleted files (Marcella, A., & Guillossou, F., 2012). 8. What “clue” in the Frhed examination of target.abc led you to the correct extension for that file? The “clue” that led me to correct the Frhed examination of target.abc was the Target.jpeg. 9. Describe the contents of the target.jpg file, and the application in which it opens. The content of the target.jpg file is a picture of a fingerprint, which let us to view the hexadecimal file as an image. The application in which it opens was Windows Photo Viewer. 10. Why do you need to keep evidence unaltered?
It’s important that we kept evidence unaltered for admissible purposes. If the evidence it’s altered it could become inadmissible in a court, changing the path and result of a digital forensic case.
Aquilina, J., & Casey, E. (2008). Malware Incident Response: Volatile Data Collection and Examination on a Live Windows System. In Malware forensics investigating and analyzing malicious code. Burlington, MA: Syngress Pub.
Marcella, A., & Guillossou, F. (2012). The Power of HEX. In Cyber forensics: From data to digital evidence. Hoboken, New Jersey: Wiley.