
Module 5 Working with FTK Part 1

Tyler Watson
Working with FTK Part I Skill Builder Exercise (Graded, 20pts)

This skill builder exercise uses the Mantooth.E01 and Washer17.E01 evidence items.

1. What is the total size of:


a. The Mantooth32.E01 evidence item? 119.8 MB
b. The Washer17.E01 evidence item? 117.6 MB
c. Where did you look for this information? In file list Total LSize
2. In the overview tab, answer the following:
a. How many Zip files are there? 163
i. How many are from Washer? 150
ii. How many are from Mantooth? 13
b. How many Microsoft Word 2003 documents are there? 21
i. How many of the Microsoft 2003 documents are encrypted from Mantooth? 1
ii. How many of the Microsoft 2003 documents are encrypted from Washer? 7
c. Which user created “How to Steal Credit Numbers.doc”? Rascoe Badguy
i. When was it created? ***Make sure you are using the right time zone.
d. Which user had an appointment to go “Check stealing”? Wes Mantooth
i. What date/time was he supposed to complete this action? 6/20/2007-6/21/2007
e. Expand Internet/Chat files. Go to Mozilla Files> Form History.
i. List all form data. Formhistory.dat

This study source was downloaded by 100000813497303 from CourseHero.com on 07-04-2022 11:52:12 GMT -05:00

https://www.coursehero.com/file/120948926/Module-5-Working-with-FTK-Part-1pdf/
f. Expand OS/File System Files
i. How many Windows EVTX Event Logs are listed? 7
ii. Which files would you want to take a look at? DFS Replication, Security
g. Under OS/File System Files, select the recycle bin.
i. What is the name of the TXT file sent to the bin? Evidence.txt
1. Was it removed from the bin? No
h. Go to Microsoft spreadsheets.
i. Which user is the owner of the ~ar1730.xar spreadsheet? Wes Mantooth
1. What does it have in it? Names of people, with the drugs they bought and what they are owed or what they owe
2. When was it created? 7/12/2007 5:02:28 pm
3. When was it last accessed? 7/12/2007 5:02:28 pm
4. When was it last modified? 7/12/2007 4:56:54 pm
i. How many deleted files are there? 273
i. Who owns the file My Confession.txt? Wes Mantooth
1. When was this file created? 2/12/2008
2. When was it last modified? 8/14/2007
Working with FTK Part I Review Questions (Graded, 5pts)

1. Name three things a case reviewer cannot do. Adding and creating users, using analysis tools, and creating cases
2. When archiving a case, which two things must occur separately? Archiving the case and the evidence files separately
3. What are the eight primary containers on the Overview tab?
1. File items
2. Evidence Groups
3. File Category
4. File Extension
5. File Status
6. Email Status
7. Bookmarks
8. Labels
4. In which file category is Unallocated Space located? It is located in the overview tab
5. How is Unallocated Space named in FTK and FTK Imager? It is named after the sector that it starts in
6. How can you get all the images in a case to appear in the File List on the Graphics tab? Evidence Tree to Quick Picks
7. Name two default KFF groups. AD_Alert, AD_Ignore
