diff --git a/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001 b/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001 new file mode 100644 index 0000000..963a98e --- /dev/null +++ b/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:779702a3506ead434a1888c912c750328e82c12142e1d6feb798f2342c4b5d9a +size 262694912 diff --git a/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001.txt b/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001.txt new file mode 100644 index 0000000..b98e483 --- /dev/null +++ b/FSCS727_Forensics/Labs/Windows_FileSys_NTFS/NTFS.001.txt @@ -0,0 +1,45 @@ +Created By AccessData® FTK® Imager 3.2.0.0 + +Case Information: +Acquired using: ADI3.2.0.0 +Case Number: UB-FSCS727-003 +Evidence Number: NTFS +Unique description: This is NTFS +Examiner: Frank +Notes: This is NTFS + +-------------------------------------------------------------- + +Information for C:\Users\Fxu\Dropbox\Public\forTeaching\images\NTFS: + +Physical Evidentiary Item (Source) Information: +[Device Info] + Source Type: Physical +[Drive Geometry] + Cylinders: 31 + Tracks per Cylinder: 255 + Sectors per Track: 63 + Bytes per Sector: 512 + Sector Count: 513,076 +[Physical Drive Information] + Drive Model: PINGTEC Flash Disk USB Device + Drive Serial Number: 061826000D3A6900 + Drive Interface Type: USB + Removable drive: True + Source data size: 250 MB + Sector count: 513076 +[Computed Hashes] + MD5 checksum: fa7eecd50a691ab3245653ae91b762b2 + SHA1 checksum: 526ceeaed18245cf29dfafb8a7a3cd7a6bf561d0 + +Image Information: + Acquisition started: Mon Oct 08 14:16:46 2018 + Acquisition finished: Mon Oct 08 14:17:19 2018 + Segment list: + C:\Users\Fxu\Dropbox\Public\forTeaching\images\NTFS.001 + +Image Verification Results: + Verification started: Mon Oct 08 14:17:19 2018 + Verification finished: Mon Oct 08 14:17:20 2018 + MD5 checksum: fa7eecd50a691ab3245653ae91b762b2 : verified + SHA1 checksum: 526ceeaed18245cf29dfafb8a7a3cd7a6bf561d0 : verified diff --git a/FSCS727_Forensics/Labs/Windows_Registry/Devon_NTUSER.DAT b/FSCS727_Forensics/Labs/Windows_Registry/Devon_NTUSER.DAT new file mode 100644 index 0000000..3270f7b Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/Devon_NTUSER.DAT differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/Jean_NTUSER.DAT b/FSCS727_Forensics/Labs/Windows_Registry/Jean_NTUSER.DAT new file mode 100644 index 0000000..ecfaa33 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/Jean_NTUSER.DAT differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/SAM b/FSCS727_Forensics/Labs/Windows_Registry/SAM new file mode 100644 index 0000000..0dff87d Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/SAM differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/SECURITY b/FSCS727_Forensics/Labs/Windows_Registry/SECURITY new file mode 100644 index 0000000..b1012e4 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/SECURITY differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/administrator_NTUSER.DAT b/FSCS727_Forensics/Labs/Windows_Registry/administrator_NTUSER.DAT new file mode 100644 index 0000000..a3c4262 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/administrator_NTUSER.DAT differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/default b/FSCS727_Forensics/Labs/Windows_Registry/default new file mode 100644 index 0000000..1571fa5 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/default differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/default_NTUSER.DAT b/FSCS727_Forensics/Labs/Windows_Registry/default_NTUSER.DAT new file mode 100644 index 0000000..07384b5 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/default_NTUSER.DAT differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/software b/FSCS727_Forensics/Labs/Windows_Registry/software new file mode 100644 index 0000000..9b3e772 Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/software differ diff --git a/FSCS727_Forensics/Labs/Windows_Registry/system b/FSCS727_Forensics/Labs/Windows_Registry/system new file mode 100644 index 0000000..7f67b7a Binary files /dev/null and b/FSCS727_Forensics/Labs/Windows_Registry/system differ