Lab 6 answers

Part A – will depend.

Part B

10a. ControlSet001\Control\TimeZoneInformation
10b. GMT Standard Time
10c. LastWrite Time Mon Apr 3 16:27:19 2017 (UTC)
10d. -60 (-1 hours)
10e. Mon Apr 3 17:27:19 2017 (UTC+1). If all this is a bit weird, consider that the date is April 3rd. British Summer Time (BST) starts the last Sunday in March and is an hour ahead of GMT/UTC. That explains it all.
11: Administrator, Guest, DefaultAccount, Mick
12: Lewis Campbell, RID 1000
13: Thu Apr 20 16:46:08 2017
14: 33 times
15: S-1-5-21-2807889673-3034866018-1762335187
16: In each of the groups, look at the listed members and look to see if RID 1000 appears in the group. Mick is in Users and in Administrators.
17: yes – "Administrators have complete and unrestricted access to the computer/domain" is the Group comment for Admins
18: ProductName : Windows 10 Education
19: InstallDate : Thu Jan 26 23:30:31 2017 (UTC)
20:
    [Tue Jan 31 06:28:41 2017 (UTC)] StartMenuInternet
    VALUE: (default) -> IEXPLORE.EXE
    SUBKEY: [Tue Jan 31 06:24:32 2017 (UTC)] FIREFOX.EXE
    SUBKEY: [Tue Jan 31 06:28:41 2017 (UTC)] Google Chrome
    SUBKEY: [Thu Jan 26 23:22:25 2017 (UTC)] IEXPLORE.EXE
    SUBKEY: [Thu Jan 26 23:35:34 2017 (UTC)] VMWAREHOSTOPEN.EXE
21: Default Browser = iexplore.exe
22:
    [Tue Jan 31 06:46:55 2017 (UTC)] Mail
    SUBKEY: [Sat Jul 16 11:49:15 2016 (UTC)] Hotmail
    SUBKEY: [Tue Jan 31 06:46:55 2017 (UTC)] Mozilla Thunderbird
    SUBKEY: [Sat Jul 16 11:49:15 2016 (UTC)] Windows Mail
Q23:
    OpenSavePidlMRU\bmp
    LastWrite Time: Wed Mar 15 14:37:57 2017
    Note: All value names are listed in MRUListEx order.
    Explorer\Second\Vincenzo Iaquinta.bmp
    Explorer\Second\Ashley Tisdale.bmp
    Explorer\Second\Muhammad Ali.bmp
    Explorer\Second\Michael Cera.bmp
    Explorer\Second\MC Hammer.bmp
    Explorer\Second\Sheryl Crow.bmp
    Explorer\Second\Tupac Shakur.bmp
    Explorer\Second\Noel Gallagher.bmp
    Explorer\Second\Nina Nesbitt.bmp
    My Computer\E:\Second\Tupac Shakur.bmp
    My Computer\CLSID_Desktop\My new car.bmp
    Explorer\Dream Car.bmp
    My Computer\C:\Users\Mick\AppData\Roaming\Skype\My Skype Received Files\what I want.bmp
    My Computer\{d3162b92-9365-467a-956b-92703aca08af}\what I want.bmp

    OpenSavePidlMRU\jpg
    LastWrite Time: Tue Mar 14 23:18:50 2017
    Note: All value names are listed in MRUListEx order.
    My Computer\{d3162b92-9365-467a-956b-92703aca08af}\Tesla-Model-S-P90D.jpg
    My Computer\{088e3905-0323-4b02-9826-5d99428e115f}\meirl.jpg
    My Computer\{088e3905-0323-4b02-9826-5d99428e115f}\216750a618.jpg
    My Computer\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\Cars\Mercedes-Benz-wedding-cars-s.jpg
    My Computer\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\Cars\Rutland-Cars_736.jpg

    OpenSavePidlMRU\PNG
    LastWrite Time: Sat Mar 25 14:46:45 2017
    Note: All value names are listed in MRUListEx order.
    My Computer\CLSID_Desktop\17500327_1496868727024794_314266048_o.png
    My Computer\{d3162b92-9365-467a-956b-92703aca08af}\Fitness\Route to Cycle.PNG
24:
    LastVisitedPidlMRU
    LastWrite: Sat Mar 25 15:22:44 2017
    Note: All value names are listed in MRUListEx order.
    chrome.exe - My Computer\CLSID_Desktop
    thunderbird.exe - My Computer\CLSID_Desktop
    Skype.exe - My Computer\E:\Second
    SnippingTool.exe - My Computer\{d3162b92-9365-467a-956b-92703aca08af}\Fitness
    PickerHost.exe - My Computer\{d3162b92-9365-467a-956b-92703aca08af}
    quickstego.exe - My Computer\CLSID_Desktop
    mspaint.exe - Explorer
    firefox.exe - My Computer\{088e3905-0323-4b02-9826-5d99428e115f}
25: Quickstego.exe
26: It is a steganography tool that allows us to hide text messages in images.

Part C – Guzman

Q27: answers found in Operating System User Account.
    Username: Arnie
    User ID: S-1-5-21-4169716352-3471613880-3376182406-1000
    Path: C:\Users\Arnie
    Date Created: 2017-01-27 00:15:30
    Date Accessed: 2017-02-20 19:36:28
    Count: 28
    Display Name: Christopher Guzman
    Password Settings: Password not required
    Flag: Normal user account
    Date Created: 2017-01-27 00:15:30
    Date Accessed: 2017-03-31 18:50:00
    Count: 58
    Display Name: Christopher Guzman
    Password Settings: Password not required
    Flag: Normal user account
    Source File Path: /img_Guzman Drive.E01/vol_vol2/Windows/System32/config/RegBack/SOFTWARE
    Artifact ID: -9223372036854771841
Q28: answers in Operating System Info.
Q29: 2017-03-26 13:13:18, found in Devices Attached in results section.
Q30: 16 networks!
Q31: Quick Stego 1.2: Yes, it is installed (Installed Programs in Extracted Content)
Q32a: Filenames from Mick's OpenSaveMRU, and whether each was found in the Guzman image Recent Documents:
    Vincenzo Iaquinta.bmp – √
    Ashley Tisdale.bmp – yes
    Muhammad Ali.bmp – yes
    Michael Cera.bmp – yes
    MC Hammer.bmp – yes
    Sheryl Crow.bmp – yes
    Tupac Shakur.bmp – yes
    Noel Gallagher.bmp – yes
    Nina Nesbitt.bmp – yes
    My new car.bmp – yes
    Dream Car.bmp – *No*
    what I want.bmp – yes
    The table's remaining columns for the .bmp rows read, in the same order: Amateur photo / "real" / Stock photo; Deleted? x yes x yes x x x x x x x x x
    Tesla-Model-S-P90D.jpg – no
    meirl.jpg – no
    216750a618.jpg – no
    Mercedes-Benz-wedding-cars-s.jpg – no
    Rutland-Cars_736.jpg – no
    17500327_1496868727024794_314266048_o.png – no
    Route to Cycle.PNG – no
32b: Also a jpg: what i want.jpg (lower case I)
33: NO – we'd need the hashes or images themselves from Mick to make sure.
34: SID S-1-5-21-4169716352-3471613880-3376182406-1000 represents the user Arnie with display name Christopher Guzman.
35. The rest of the filename is the same for the matching $I and $R files. They also have the same extension as the original file.
36a. $IWROUXA.jpg and $RWROUXA.jpg. There is also a third file $RWROUXA.jpg:Zone.Identifier which represents the deleted alternate data stream.
36b. C:\Users\Arnie\Desktop\what i want.jpg
36c. A green car (BMW? It's too blurred to be sure)
36d.
2017-03-05 13:19:05 GMT
36e. The third file is $RWROUXA.jpg:Zone.Identifier. This represents the deleted alternate data stream. The contents ZoneID=3 suggests this was downloaded from the internet. It also says LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe AppZoneId=4. This may suggest that it was downloaded using Edge, but I would want to confirm this before saying it was definitely the case.
37. 41872 (the number after "All")
38. C:\Users\Arnie\Desktop\HIDEME\Buyer Requests.odt (see screenshot on next page)
39. 2017-03-05 13:07:30
40. To answer this, we need to look back in the recycle bin. The two files there with .lnk extension are $IR9SGPV.lnk and $RR9SGPV.lnk. The $I file confirms that the original filename and path was C:\Users\Arnie\Desktop\Quick Stego.lnk. We can also see this in the "Results" for the $R file, which also tells us that 2017-03-26 13:15:59 is the Time Deleted.
41. /img_Guzman Drive.E01/vol_vol2/Windows/Prefetch/QUICKSTEGO.EXE-80ABC93A.pf
42a) 8 times
42b) first run: 2017-02-19 12:13:39; Last run: 2017-03-14 22:26:06; Most often run on the 5/3/2017 – 4 times
42c) First run time matches the Modified / Changed / Access / Created time of the prefetch file. Last run time matches the Modified / Changed / Access / Created time of the prefetch file.
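Two of the things the lab has you read off by tool (the ActiveTimeBias arithmetic behind Q10c–10e, and the original path and Time Deleted that Autopsy recovers from a $I record in Q35–Q40) can be done by hand. The following is an added example, not part of the lab sheet or of RegRipper/Autopsy; it assumes the Windows 10 $I record layout (version 2), treats Q40's Time Deleted as UTC, and constructs the $I bytes and a 1024-byte original size itself for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Q10c: LastWrite time of the TimeZoneInformation key, as RegRipper reports it (UTC).
Q10_LASTWRITE_UTC = datetime(2017, 4, 3, 16, 27, 19, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def local_from_bias(utc_dt: datetime, active_time_bias_minutes: int) -> datetime:
    """ActiveTimeBias is stored as (UTC - local) in minutes, so local = UTC - bias.
    A bias of -60 (BST) therefore yields UTC+1, which is why Q10e is an hour ahead of Q10c."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-active_time_bias_minutes)))


def parse_dollar_i(data: bytes) -> dict:
    """Windows 10 $I record (assumed layout): u64 version (2), u64 original file size,
    u64 FILETIME of deletion, u32 name length in UTF-16 code units (NUL included), name."""
    version, size, ft, name_len = struct.unpack_from("<QQQI", data, 0)
    if version != 2:
        raise ValueError(f"unsupported $I version {version}")
    name = data[28:28 + 2 * name_len].decode("utf-16-le").rstrip("\x00")
    return {"original_size": size, "deleted_utc": filetime_to_datetime(ft), "original_path": name}


def build_dollar_i(path: str, size: int, deleted_utc: datetime) -> bytes:
    """Builds a constructed $I record so the example runs without the Guzman image."""
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_utc), len(path) + 1) + name


# Constructed record echoing Q40's path and Time Deleted; the 1024-byte size is made up.
SAMPLE_I = build_dollar_i(r"C:\Users\Arnie\Desktop\Quick Stego.lnk", 1024,
                          datetime(2017, 3, 26, 13, 15, 59, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(rec["original_path"], "deleted", rec["deleted_utc"])
    print("Q10e:", local_from_bias(Q10_LASTWRITE_UTC, -60))  # 2017-04-03 17:27:19+01:00
```

On a real image, read the $IR9SGPV.lnk bytes from $Recycle.Bin\<SID>\ into `parse_dollar_i` and compare the result with Autopsy's "Results" for the matching $R file.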