
Week 7 Final Lab Practical Exam

Questions

1. Using Windows Disk Manager, format Disk 1 with NTFS. Label the volume “Evidence” and assign the drive letter “S”. Take a screenshot and paste it into a Word document labeled “Created Evidence volume on Disk 1” showing that you completed the process. Save this Word document to your new Evidence (S) volume.
2. Using FTK Imager, acquire an image of Drive 1 of the Target VM. Use the E01 format for your image and place the file in a folder named "E01 Image" on the Evidence (S) volume of the Target VM.
3. Using FTK Imager, acquire a logical image of the "Pictures Hash" folder located on the desktop of the Target VM. Use the AD1 format and place the file in a folder named "Logical Image" on the Evidence (S) volume of the Target VM.
4. Capture the memory of the Target VM as an .AD1 file using FTK Imager, in a folder named "Memory" on the Data (E) partition. Include the pagefile. Save a copy of the memcapture.ad1.txt file to the Evidence (S) volume of the Target VM.
5. Acquire the registry hive files of the Target VM using FTK Imager and place the output file in a folder named "Registry" on the Evidence (S) volume of the Target VM. Include all registry files needed for password recovery.
6. Open Registry Explorer and load the SAM, SYSTEM, SECURITY and SOFTWARE hives, and the NTUSER.DAT hive for the student. Create a Word document named Registry Explorer and save it on the Evidence (S) volume of the Target VM. Select five (5) Common Bookmarks of interest (ones that have an interpreted tab, like User Accounts in the SAM hive) and paste them into your Word document. Provide the Bookmark label for each and a description of what you see.
7. Open PowerShell on your Target VM. Change to your S drive. Show the contents of the S drive by using the following command:

PS S:\> Get-ChildItem -Recurse > S:\Timestamps.txt

Rubric: Final Practical Exam

Each criterion is linked to a Learning Outcome and is rated either Full Marks (all points for the criterion) or No Marks (0 pts).

Criterion 1 (15 pts): Using Windows Disk Manager, format Disk 1 with NTFS. Label the volume Evidence with drive letter S. Take a screenshot and paste it into a Word document labeled “Created Evidence volume on Disk 1,” showing that you completed the process. Save this Word document to your new Evidence (S) volume.
Criterion 2 (15 pts): Using FTK Imager, acquire an image of Drive 1 of the Target VM. Use the E01 format for your image and place the file in a folder named "E01 Image" on the Evidence (S) volume of the Target VM.
Criterion 3 (15 pts): Using FTK Imager, acquire a logical image of the "Pictures Hash" folder located on the desktop of the Target VM. Use the AD1 format and place the file in a folder named "Logical Image" on the Evidence (S) volume of the Target VM.
Criterion 4 (15 pts): Capture the memory of the Target VM as an .AD1 file using FTK Imager, in a folder named "Memory" on the Data (E) partition. Include the pagefile. Save a copy of the memcapture.ad1.txt file to the Evidence (S) volume of the Target VM.
Criterion 5 (15 pts): Acquire the registry hive files of the Target VM using FTK Imager and place the output file in a folder named "Registry" on the Evidence (S) volume of the Target VM. Include all registry files needed for password recovery.
Criterion 6 (15 pts): Open Registry Explorer and load the SAM, SYSTEM, SECURITY and SOFTWARE hives, and the NTUSER.DAT hive for the student. Create a Word document named Registry Explorer and save it on the Evidence (S) volume of the Target VM. Select five (5) Common Bookmarks of interest (ones that have an interpreted tab, like User Accounts in the SAM hive) and paste them into your Word document. Provide the Bookmark label for each and a description of what you see.
Criterion 7 (10 pts): Open PowerShell on your Target VM. Show the contents of the S drive by using the following command: PS S:\> Get-Item -Recurse > S:\Timestamps

Total Points: 100
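As an added example (not part of the exam or of any student's solution), the following PowerShell script extends step 7: besides the recursive listing redirected to S:\Timestamps.txt, it records full UTC timestamps and a SHA-256 hash of every file on the Evidence (S) volume so that later modification of the acquired artifacts can be detected. It assumes S:\ is the volume created in step 1 and that the folders from steps 2, 3 and 5 exist; the Hashes.csv file name is my own choice.

```powershell
# Added example: inventory the Evidence (S) volume with full timestamps and
# SHA-256 hashes. Run from PowerShell on the Target VM after step 6.
# Assumed paths: S:\ is the Evidence volume from step 1; Hashes.csv is a
# name chosen for this example, not required by the exam.
$EvidenceRoot = 'S:\'
$Report       = Join-Path $EvidenceRoot 'Timestamps.txt'
$HashReport   = Join-Path $EvidenceRoot 'Hashes.csv'

# Folders the exam asks for in steps 2, 3 and 5; warn if any is missing
$Expected = @('E01 Image', 'Logical Image', 'Registry')
foreach ($name in $Expected) {
    if (-not (Test-Path (Join-Path $EvidenceRoot $name))) {
        Write-Warning "Expected folder '$name' not found on $EvidenceRoot"
    }
}

# Recursive listing as in step 7, but with all three timestamps in UTC.
# The default table view truncates wide columns, so widen the output first.
Get-ChildItem -Path $EvidenceRoot -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc |
    Format-Table -AutoSize |
    Out-String -Width 4096 |
    Out-File -FilePath $Report -Encoding utf8

# SHA-256 of every file except the two reports themselves.
# Caveat: the hash FTK Imager writes into its own .txt log covers the imaged
# data, not the .E01/.AD1 container file, so these values are not expected to
# match that log; they exist to show the files on S: were not altered later.
Get-ChildItem -Path $EvidenceRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $Report -and $_.FullName -ne $HashReport } |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            SHA256   = $h.Hash
            HashedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    } |
    Export-Csv -Path $HashReport -NoTypeInformation -Encoding utf8
```

Re-running the hashing part at a later date and comparing the SHA256 column against the saved Hashes.csv shows whether any acquired file on the S volume has changed since collection.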
