Cyber forensics Lab
- 1. College of Technological Innovation MSIT 10, CIT 530 Cyber Forensics Lab 5: File Structure Analysis & Examine the Windows Registry Supervised by: Dr. Farkhund Iqbal Ms. Mona Bader Prepared by: Musaab Hasan Zayed Balbahaith Abdulrahman Sabbagh M80006988@zu.ac.ae M80007225@zu.ac.ae M80007043@zu.ac.ae September 28, 2016
- 2. List of Figures Figure 1: A file was created on the flash disk with the following paragraph......3 Figure 2: WinHex used to open the flash disk..................................................................3 Figure 3: A "Security" word searched on the flash disk...............................................4 Figure 4: the display result for the searched word........................................................4 Figure 5: the text file was deleted..........................................................................................5 Figure 6: A "Security" word searched on the flash disk after deleted....................5 Figure 7: the display result for the searched word after deleting the file...........6 Figure 8: a Quick format have been applied on the flash disk...................................6 Figure 9: A "Security" word searched on the flash disk after a quick format applied...............................................................................................................................................7 Figure 10: a full format have been applied on the flash disk.....................................7 Figure 11: A "Security" word searched on the flash disk after a full format applied...............................................................................................................................................8 Figure 12: A "security" word was not found.....................................................................8 Figure 13: finding the repeating pattern of F6.................................................................9 Figure 14: the second appearance of the pattern F6....................................................9 Figure 15: A search on the acquired image of windows 98 have been applied ............................................................................................................................................................ 10 Figure 16: Content search applied for the system.dat & user.dat......................... 10 ............................................................................................Figure 17: Registry files extracted ............................................................................................................................................................ 11 Figure 18: finding the key word "superior" and searching for whole occurrence .................................................................................................................................... 11 Figure 19: Copying the Key Name for the key word "superior" in text file....... 12 Figure 20: finding the key word "superior" & “denise” and searching for whole occurrence and copying the Key in text file Name........................................ 12 Figure 21: Deleting the redundant folder names and saving the final file........ 13
- 3. Executive Summary On the first part a located data on a disk was investigated using WinHex regardless of how the operating system render it. A few scenarios have been applied to test the existence of the file using different methods. On the second part a windows registry have been used to extract System.dat & User.dat on the image file and searching on those files for specific information then copy the registry path to a text file. Part 1 : File Structure Analysis Phase1 : setup Figure 1: A file was created on the flash disk with the following paragraph. Phase2 : Opening and searching the flash disk Figure 2: WinHex used to open the flash disk
- 4. Figure 3: A "Security" word searched on the flash disk Figure 4: the display result for the searched word Result 1: the word was found on the flash disk since the file already existed on the flash and wasn’t deleted.
- 5. Phase3 : Opening and searching the flash disk after a delete Figure 5: the text file was deleted Figure 6: A "Security" word searched on the flash disk after deleted
- 6. Figure 7: the display result for the searched word after deleting the file Result 2: the word was found on the flash disk after deleting the file since the file still on the original place except it is not readily viewable or accessible. Phase4 : Opening and searching the flash disk after a Quick format Figure 8: a Quick format have been applied on the flash disk
- 7. Figure 9: A "Security" word searched on the flash disk after a quick format applied Result 3: the word was found on the flash disk after applying a quick format since it’s not checking the bad sector and the volume of the drive can be re- built to gain access to the deleted files again. Phase5 : Opening and searching the flash disk after a full format Figure 10: a full format have been applied on the flash disk
- 8. Figure 11: A "Security" word searched on the flash disk after a full format applied Figure 12: A "security" word was not found Result 4: the word was not found on the flash disk after applying a full format since its checks the bad sectors also on the disk.
- 9. Figure 13: finding the repeating pattern of F6 Figure 14: the second appearance of the pattern F6
- 10. Part2 : Examine the Windows Registry Figure 15: A search on the acquired image of windows 98 have been applied Figure 16: Content search applied for the system.dat & user.dat
- 11. Figure 17: Registry files extracted Figure 18: finding the key word "superior" and searching for whole occurrence
- 12. Figure 19: Copying the Key Name for the key word "superior" in text file Figure 20: finding the key word "superior" & “denise” and searching for whole occurrence and copying the Key in text file Name
- 13. Figure 21: