Process We use the RegRipper tool. The plugin used is samparse, which parses the Security Account
Manager (SAM) file in Windows. The samparse plugin parses the SAM file for user and group
membership information.
Reasoning Here we can clearly see that Dawn Bellwether has logged in 16 times.
Process We use the RegRipper plugins usbstor, usbstor2, and usbstor3 to extract the USBSTOR key
information from the ControlSet001 subkey.
Reasoning We can clearly see the names of the USB devices which were connected to the
system.
Screenshot is below
3) The files are:
images9.jpg
images5.jpg
images6.jpg
images7.jpg
images8.jpg
Process Go to the RECYCLER folder, and navigate to the folder for the primary user.
We use the cat command to read the INFO2 file.
Reasoning Here we can see the details of the files which were deleted from the user’s My
Documents directory, as shown below.
Process We have to navigate to the user’s recycler folder, the path is:
/mnt/windows_mount/RECYCLER/S-1-5-21-839522115-1202660629-1343024091-1003
The files in the recycle bin can be seen in the primary computer user’s recycle folder. These are the
files in the recycle bin.
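Because `cat` prints INFO2 as raw binary, the following Python parser, added here as an example and not part of the original report, decodes each record into the original path, deletion time, and the name the file carries inside the RECYCLER folder. It assumes the commonly documented Windows XP layout (20-byte header, 800-byte records); the sample record, user name, timestamp and size are constructed.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20         # assumed XP-era INFO2 header length
RECORD_SIZE_OFFSET = 12  # DWORD in the header giving the size of each record
XP_RECORD_SIZE = 800     # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size + 520 UTF-16 path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_info2(data):
    """Return one dict per record in a Windows XP INFO2 file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    (record_size,) = struct.unpack_from("<I", data, RECORD_SIZE_OFFSET)
    if record_size != XP_RECORD_SIZE:
        raise ValueError(f"unsupported record size: {record_size}")
    records = []
    # Trailing bytes shorter than one full record are ignored.
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        records.append({
            "original_path": path,
            # Name the file carries inside RECYCLER: D<drive letter><index><ext>
            "recycled_name": f"D{chr(ord('a') + drive)}{index}{ntpath.splitext(path)[1]}",
            # FILETIME counts 100 ns ticks since 1601-01-01 UTC
            "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=ftime // 10),
            "size_bytes": size,
            # A zeroed first byte of the ANSI path marks an entry no longer in the bin
            "still_in_bin": rec[0] != 0,
        })
    return records

def build_sample():
    """Constructed one-record INFO2 image (not data from the case)."""
    path = r"C:\Documents and Settings\user\My Documents\images9.jpg"
    deleted = datetime(2019, 8, 15, 10, 30, tzinfo=timezone.utc)
    ftime = int((deleted - FILETIME_EPOCH).total_seconds()) * 10_000_000
    header = struct.pack("<5I", 5, 0, 0, XP_RECORD_SIZE, 0)
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, ftime, 8192)  # index 1, drive 2 (C:)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + rec

if __name__ == "__main__":
    for r in parse_info2(build_sample()):
        print(r["deleted_utc"].isoformat(), r["recycled_name"], r["size_bytes"], r["original_path"])
```

Against the mounted image, the input would be the bytes of the INFO2 file in the user's RECYCLER SID folder, and `recycled_name` can be matched to the files listed there.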
5) The first three websites (not folders) accessed by the primary computer user are:
http://www.google.com.au/url?url=http://theconversation.com/rhinos-should-be-conserved-in-africa-not-moved-to-australia-72551&rct=j&frm=1&q=&esrc=s&sa=U&ved=0ahUKEwjrhb-JwILkAhVDJHIKHY9zA_gQwW4IFjAA&usg=AOvVaw2CNyZCRsyGeHSxSzVmWTob
https://unsplash.com/search/photos/rhino
https://www.amazon.com/s/ref=nb_sb_noss
Process The Internet Explorer history is stored in the index.dat file in the History folder. We use pasco
to read the contents of this file and redirect the output to a CSV file. The CSV file is shown below.
Reasoning Although we can see some local folders in the index.dat, these are not websites. The
URLs which start with https are treated as websites.