What Is the Main Purpose of a Software Tool Like Winaudit
Lab: Documenting a Workstation Configuration Using Common Forensic Tools
Learning Objectives - Upon completing this lab, you will be able to:
- Use a forensics tool to identify a computer system's configuration, hardware, and software.
- Use a forensics tool to identify device information and configuration details of a computer system.
- Use a hex editor to perform a byte-level examination of an unknown file type.
- Correctly identify and confirm the file type for a misnamed file.
- Create a forensics report of your findings from the computer audit.
In this lab, you performed a forensic analysis of a Windows machine using three commonly available tools: WinAudit, DevManView, and Frhed. You reviewed the forensic capabilities of each tool, using the sample files provided, to determine whether any hidden threats or vulnerabilities, such as viruses or other malicious software, were present. You also recovered a file whose extension had been changed to hide its native file format. You documented your findings in a forensics report.
Lab Assessment Questions & Answers
1. What is the main purpose of a software tool like WinAudit in computer forensics?
2. Which item(s) generated by WinAudit would be of critical importance in a computer forensic investigation?
3. Could you run WinAudit from a flash drive or any other external media? If so, why is this important during a computer forensic investigation?
4. Why would you use a tool like DevManView while performing a computer forensic investigation?
5. Which item(s) available from DevManView would be of critical importance in a computer forensic investigation?
6. What tool similar to DevManView is already present in Microsoft Windows systems?
7. Why would someone use a hex editor during a forensic investigation?
8. What "clue" in the Frhed examination of target.abc led you to the correct extension for that file?
9. Describe the contents of the target.jpg file and the application in which it opens.
10. Why do you need to keep evidence unaltered?