Computer Forensics
Introduction to FTK
Purpose: To introduce some basic features of FTK.
Preparation: Review user guide and lab video/slides on Blackboard.
Application location: Virtual Computing Lab
Evidence file: Mantooth.E01 (located in \\144.175.196.12\Forensic Data\Mantooth.E01)
Questions to answer:
1) What sector does Partition 2 begin in?
2) What is the physical size of Partition 1?
3) What is the volume serial number for Partition 1?
4) What is Dracula’s SID unique identifier?
5) When was the last time Dracula logged on?
6) How many times has Wes Mantooth logged on?
7) Which control set is being used?
8) What is the current time zone setting? Besides your screenshot, explain in writing how you got your answer. Is the system set for Daylight Saving Time? How do you know?
9) What Windows operating system (OS) is installed on the system? What is the OS install date (UTC)?
10) What is Wes Mantooth’s Run MRU (Most Recently Used) list?
11) What is Jim Jobob’s screen name?
12) Who is the registered owner and what is the registered organization of this system?
13) Wes Mantooth mentions his dad and includes a picture of him in a letter to someone called “Sweetie.” Attach the picture of his dad that was included in the letter.
14) Wes Mantooth sent an email to his mom. What is his mom’s email address? What event was he discussing with his mother?
15) Wes Mantooth has an appointment titled “Pharmacy.” What is the location of this appointment?
16) Wes Mantooth has written a confession and deleted the file. What are the contents of this file?