Digital Forensics
Due Thursday, February 4th

Assignment: Looking Around in Windows, Copying Volatile Data

If you haven't installed to the hard disk, please go ahead and do so.

Once you have installed to the hard disk (and, optionally, updated your system), start the rdesktop program using the address to connect to a Windows 2008 server, and log in (you can try Krdc, but I don't believe that the current version supports Windows 2008).

Without installing any software on a system-wide basis, collect volatile information on the Windows 2008 machine that you have logged into. Retrieve that information in some manner back to your Linux machine.

I am looking here for text data retrieved from:
(1) use of standard Windows tools installed on the machine;
(2) use of any scripting that you can devise on this particular machine (hint: from looking around the machine, what kind of scripting is possible?);
(3) use of binaries that you have put in your own space, but not in system space;
(4) the means that you use to get your data collection from the remote server back to your machine.

Do not change any system settings, and do not enable any new services.

I expect two work products: a flat text file called "results.txt", and a printed write-up. Use the file "results.txt" to save all of your collected results. Make sure that the "results.txt" collection text file starts with your name, and the times when your collection began and ended.
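The following batch file is an added example of one way to do the collection; it is not part of the assignment text or the instructor's materials. It uses only command-line tools that ship with Windows Server 2008 (so nothing is installed system-wide), every command it runs is read-only (no settings are changed and no services are started), and it writes the required header (collector's name, start time) and trailer (end time) around each tool's output in "results.txt". The student's name is an assumed first argument; the section names and the output file name are my own choices.

```batch
@echo off
rem Added example, not part of the assignment: collect volatile data from a
rem Windows Server 2008 host with built-in tools only and append it to
rem results.txt. Run from a cmd.exe window inside your rdesktop session,
rem from a directory in your own profile:
rem     collect.bat "Your Name"
rem Assumed: %1 is the collector's name. Every command below only reads state.
rem Timestamps are the server's local clock; systeminfo records its time zone.

setlocal
set NAME=%~1
if "%NAME%"=="" set NAME=STUDENT_NAME_PLACEHOLDER
set OUT=results.txt

rem Header required by the assignment: name and collection start time.
rem Redirection is placed first so a name ending in a digit cannot be
rem misread by cmd.exe as a file-handle number (e.g. "1>").
> "%OUT%"  echo Collector: %NAME%
>> "%OUT%" echo Collection started: %DATE% %TIME%
>> "%OUT%" echo Host: %COMPUTERNAME%   User: %USERNAME%   Domain: %USERDOMAIN%

rem Most volatile first: logged-on users, processes, network state.
call :section "Logged-on sessions"            query user
call :section "Current user and privileges"   whoami /all
call :section "Running processes (verbose)"   tasklist /v
call :section "Processes hosting services"    tasklist /svc
call :section "Network connections and owning PIDs" netstat -ano
call :section "Routing table"                 netstat -rn
call :section "ARP cache"                     arp -a
call :section "Interface configuration"       ipconfig /all
call :section "DNS resolver cache"            ipconfig /displaydns
call :section "Inbound SMB sessions"          net session
call :section "Outbound mapped drives"        net use
call :section "Shares exported by this host"  net share

rem Less volatile: accounts, services, scheduled tasks, autoruns.
call :section "Local users"                   net user
call :section "Local Administrators group"    net localgroup administrators
call :section "Started services"              net start
call :section "Service control state"         sc query
call :section "Scheduled tasks"               schtasks /query /fo LIST
call :section "Run key (HKLM)"                reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
call :section "Environment of this shell"     set
call :section "System information"            systeminfo

rem Trailer required by the assignment: collection end time.
>> "%OUT%" echo.
>> "%OUT%" echo Collection ended: %DATE% %TIME%
endlocal
goto :eof

rem :section "Title" command [args...]
rem Writes a banner, the exact command line that was run, then the command's
rem stdout and stderr, so a failed or access-denied tool is still recorded.
:section
>> "%OUT%" echo.
>> "%OUT%" echo ===== %~1 =====
>> "%OUT%" echo Command: %2 %3 %4 %5 %6 %7 %8 %9
%2 %3 %4 %5 %6 %7 %8 %9 >> "%OUT%" 2>&1
goto :eof
```

Two points worth noting for the write-up. First, errors are deliberately captured rather than hidden: "net session", for example, needs administrative rights, so an "Access is denied" line in the output is itself evidence of what the account could and could not see, and belongs in the anomalies section if it surprises you. Second, for getting the file back without enabling anything on the server, rdesktop's own drive redirection works: start the session with `rdesktop -r disk:evidence=/home/you/evidence <address>` and the Linux directory appears inside the session as `\\tsclient\evidence`, so `copy results.txt \\tsclient\evidence\` lands the file on your machine over the existing RDP channel.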

For the write-up, create a short narrative of your experiences, and make sure to describe each program that you called. If you see anything anomalous, be sure to highlight the anomalies in a separate section of your write-up.

(1) Email the "results.txt" file to me at "langley AT".

(2) Print out the write-up of your experiences, and give that to me at the beginning of class on February 4th.