Expand the "FTK Imager" section and scroll down to "FTK IMAGER LITE VERSION 3.1.1". Click the "DOWNLOAD PAGE" button, as shown below.
Fill in a form with your name and contact information, and a working email address, as shown below. If you need a temporary email address, make one at "mail.com".
Open your email to download the file. Save the FTK Imager file in your Downloads folder.
With Bing open, search for "fake credit card numbers". Open one of the pages it finds. It should show several credit card numbers, as shown below.
Copy the numbers from the Web page into a Notepad file. Leave the Notepad file open.
Open a second Notepad window and type in your own email address. Don't close Notepad or save the file.
net user waldo Apple123 /add
net user YOUR-NAME SuperSecret! /add
These commands create two new user accounts with the passwords "Apple123" and "SuperSecret!".
Right-click the "Imager_Lite_3.1.1.zip" file and click "Extract All...". In the "Extract Compressed (Zipped) Folders" box, click Extract.
In the "Imager_Lite_3.1.1" window, double-click FTK_Imager.exe.
In the "Open File - Security Warning" box, click Run.
An "AccessData FTK Imager 3.1.1.8" window opens. From the menu bar, click File, "Capture Memory...", as shown below:
In the "Memory Capture" box, click the Browse button. Click Desktop and click OK.
In the "Memory Capture" box, click the "Capture Memory" button.
You should see a box saying "Memory capture finished successfully", as shown below:
In a Web browser, go to https://mh-nexus.de/en/hxd/
Scroll down and find the download link for modern Windows versions, as shown below.
Click the download link, download the English version, unzip it, and install it with the default options.
In HxD, press Ctrl+F. Search for
net use
HxD finds the string and highlights it, as shown below. You can see one of the command-line commands you created when making evidence.
In HxD, press Ctrl+F. Search for
samsclass.info
HxD finds the string and highlights it, as shown below.
On the right side of the HxD window, a pane shows various interpretations of this byte sequence. The Int32 value is a long number beginning with 19, as shown below. Make a note of this number.
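The same search can be scripted for images too large to browse by hand. The Python below is an added example, not part of the original lab: it scans a raw memory image for a term in both ASCII and UTF-16LE (Windows stores strings in either form) and reports each offset with the Int32 a hex editor would show for the first four bytes. The function name, the Hit tuple and the sample bytes are constructed for illustration.

```python
import io
from collections import namedtuple

Hit = namedtuple("Hit", "offset encoding int32")

def search_image(stream, text, chunk=1 << 20):
    """Find `text` in a raw memory image, reading `chunk` bytes at a time.

    Both the ASCII and the UTF-16LE encodings of `text` are searched.
    int32 is the signed little-endian value of the first four bytes of
    the hit, which is how a hex editor's data inspector interprets them.
    """
    if len(text) < 4:
        raise ValueError("need at least 4 characters to show an Int32")
    needles = {"ascii": text.encode("ascii"),
               "utf-16le": text.encode("utf-16-le")}
    # Carry the end of each buffer forward so a hit that straddles two
    # reads is still found.
    overlap = max(map(len, needles.values())) - 1
    hits, base, tail = [], 0, b""   # base = image offset of buf[0]
    while block := stream.read(chunk):
        buf = tail + block
        for enc, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                # A hit lying wholly inside `tail` was reported last round.
                if pos + len(needle) > len(tail):
                    int32 = int.from_bytes(buf[pos:pos + 4], "little",
                                           signed=True)
                    hits.append(Hit(base + pos, enc, int32))
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits)

# Constructed sample standing in for a memory image (not captured data).
SAMPLE = (b"\x00" * 100
          + "net user example Passw0rd /add".encode("utf-16-le")
          + b"\xff" * 50 + b"example.test" + b"\x00" * 20)

if __name__ == "__main__":
    for term in ("net use", "example"):
        for hit in search_image(io.BytesIO(SAMPLE), term, chunk=16):
            print(f"{term!r}: offset 0x{hit.offset:X} "
                  f"({hit.encoding}), Int32 {hit.int32}")
```

To run it against a real capture, pass the image file opened in binary mode in place of the BytesIO sample.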