CECS $7237$ Windows Registry Exercise

This exercise is based on the Andrew Blitz Lab Manual $5$th Edition Chapter $5$ specifically Sections $5\mathrm{.}2$ and $5\mathrm{.}4.$ To complete this lab you will need the image file for chapter $5$ InCh$05.$exe

$($InCh$05.$img$),$ FTK Imager and FTK registry viewer. Your instructor will provide a USB with all of

these files. It might also be possible to use regedit instead of FTK registry viewer. Follow the

instructions in the Andrew Blitz Lab Manual $5$th Edition Section $5\mathrm{.}2$ and answer the following

review questions:

Lab $5\mathrm{.}2$ Examining the SAM Hive

a$.$ The registry contains how many hives?

b$.$ How many user accounts are disabled:

c$.$ The SAM hive uses PIDs to store information on user accounts. True False $\_\_.$ d$.$ Name two SID values which indicate whether an account was created automatically.

e$.$ The keys property pane shows when user accounts changed their passwords. True$\_$false$\_.$

Lab $5\mathrm{.}4$ Examining the ntuser.dat registry file.

a$.$ The ntuser.dat file contains information on multuple account holders. True

False

b$.$ What is the email account for user Denise?

c$.$ The ntuser.dat file contains information on which of the following $($choose all that apply$)$:

drive letter designations

personalized desktop settings.

PID key$\_$

MRU devices

d$.$ Password decryption tools need

to retrieve user passwords.

e$.$ In which path is the ntuser dat file found?