We are doing the forensic analysis of the Hacking Case from the CFReDS (Computer Forensic Reference Data Sets). We will be using the tool named Autopsy.
On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along with a wireless PCMCIA card and an external homemade 802.11b antenna. It is suspected that this computer was used for hacking purposes, although it cannot be tied to a hacking suspect, G=r=e=g S=c=h=a=r=d=t. (The equal signs are just to prevent web crawlers from indexing this name; there are no equal signs in the image files.)
Schardt also goes by the online nickname of “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numbers, usernames & passwords.
Find any hacking software, evidence of their use, and any data that might have been generated. Attempt to tie the computer to the suspect, G=r=e=g S=c=h=a=r=d=t.
Ans. MD5 Hash : aee4fcd9301c03b3b054623ca261959a
The acquisition hash is not given in the scenario above, so we cannot say whether the acquisition hash and the verification hash match.
Ans. Microsoft Windows XP Professional
Ans. Friday, August 20, 2004 4:18:27 AM GMT+05:30
This information can be found at the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
The actual path of the registry key storage is: C:\Windows\system32\config\Software\Microsoft\Windows NT\CurrentVersion\InstallDate
The time value stored in this registry value is in UNIX time format (seconds since 1970-01-01 00:00:00 UTC), so we have to convert it.
Ans. Central Standard Time
This information can be found at the registry key: HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\TimeZoneInformation
The actual path of the registry key storage is: C:\windows\system32\config\system\CurrentControlSet\Control\TimeZoneInformation
Ans. Registered Owner is Greg Schardt.
The path of the registry key for this information is: C:\Windows\system32\config\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
Ans. DefaultUserName = Mr. Evil
The path of the registry key for this information is: C:\Windows\system32\config\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Ans. DefaultDomainName = N-1A9ODN6ZXK4LQ
The path of the registry key for this information is: C:\Windows\system32\config\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Ans. 2004-08-27 21:16:33.1092164 GMT+05:30
The path of the registry key for this information is: C:\windows\system32\config\system\CurrentControlSet\Control\Windows\ShutdownTime
Here the time is stored as a raw hex value, so I converted it using a tool named DCode which I found online.
Note:- We also found this by following the path “C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\Prefetcher\ExitTime”
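The InstallDate and ShutdownTime values above are the two timestamp encodings an examiner meets most often in the Windows registry: InstallDate is a REG_DWORD holding UNIX seconds, while ShutdownTime is an 8-byte REG_BINARY holding a Windows FILETIME (100 ns ticks since 1601-01-01 UTC). The following script is an added example, not part of the original write-up and not Autopsy or DCode code; the raw bytes it decodes were constructed from the dates quoted in the answers above rather than dumped from the case image, and the GMT+05:30 zone matches the one the write-up reports in.

```python
import struct
from datetime import datetime, timedelta, timezone

# Time zone the write-up reports its answers in (GMT+05:30).
IST = timezone(timedelta(hours=5, minutes=30))

# Constructed sample registry data, NOT dumped from the case image: the bytes
# were built from the decoded dates quoted in the write-up so the conversions
# below can be checked offline.
# InstallDate: REG_DWORD of UNIX seconds, little-endian on disk (0x41252E3B).
INSTALL_DATE_RAW = bytes.fromhex("3b2e2541")
# ShutdownTime: 8-byte REG_BINARY FILETIME, little-endian on disk.
SHUTDOWN_TIME_RAW = (127380951931092164).to_bytes(8, "little")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def fmt(dt: datetime, frac: str = "") -> str:
    """Render an aware datetime as 'YYYY-MM-DD HH:MM:SS[.frac] GMT+HH:MM'."""
    off = dt.utcoffset()
    sign = "+" if off >= timedelta(0) else "-"
    hh, mm = divmod(int(abs(off).total_seconds()) // 60, 60)
    return f"{dt:%Y-%m-%d %H:%M:%S}{frac} GMT{sign}{hh:02d}:{mm:02d}"


def unix_dword_to_datetime(raw: bytes, tz: timezone) -> datetime:
    """Decode a 4-byte little-endian REG_DWORD UNIX timestamp (e.g. InstallDate)."""
    (secs,) = struct.unpack("<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc).astimezone(tz)


def filetime_to_datetime(raw: bytes, tz: timezone) -> tuple[datetime, int]:
    """Decode an 8-byte little-endian FILETIME (e.g. ShutdownTime).

    Returns the datetime to the second plus the leftover 100 ns ticks, because
    datetime only resolves microseconds and the registry value carries seven
    fractional digits.
    """
    (ticks,) = struct.unpack("<Q", raw)
    secs, frac_ticks = divmod(ticks, 10_000_000)
    dt = (FILETIME_EPOCH + timedelta(seconds=secs)).astimezone(tz)
    return dt, frac_ticks


def decode_install_date(raw: bytes = INSTALL_DATE_RAW, tz: timezone = IST) -> str:
    return fmt(unix_dword_to_datetime(raw, tz))


def decode_shutdown_time(raw: bytes = SHUTDOWN_TIME_RAW, tz: timezone = IST) -> str:
    dt, frac = filetime_to_datetime(raw, tz)
    return fmt(dt, f".{frac:07d}")


if __name__ == "__main__":
    print("InstallDate  :", INSTALL_DATE_RAW.hex(), "->", decode_install_date())
    print("ShutdownTime :", SHUTDOWN_TIME_RAW.hex(), "->", decode_shutdown_time())
```

Both decoders convert in UTC first and only then shift into the reporting zone, which is the order that avoids the off-by-one-day mistakes that creep in when a local time is read straight off the raw value.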
Ans. 5 (Administrator, Guest, HelpAssistant, Mr. Evil, Support_388945a0)
The path of the registry key for this information is: C:\windows\system32\config\SAM\Domains\Account\Users\Names
Note:- We can also find this info by going to “OS Accounts” in the left tree structure.
Ans. Mr. Evil (count 15 times)
This information can be found by going to “OS Accounts” in the left tree structure.
Ans. Mr. Evil
I found online that the name of the last user who logged in successfully appears in the “DefaultUserName” value of the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
NOTE:- Can be found from the path "C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\Winlogon"
12. A search for the name of “G=r=e=g S=c=h=a=r=d=t” reveals multiple hits. One of these proves that G=r=e=g S=c=h=a=r=d=t is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?
Ans. The particular file that gives this information is "C:\Program Files\Look@LAN\irunin.ini", and the program is Look@LAN.
We found values in that file which indicate that G=r=e=g S=c=h=a=r=d=t is Mr. Evil and is also the administrator of this computer.
The Values are: %LANUSER%=Mr. Evil, %REGOWNER%=Greg Schardt
Ans. There are 2 Network Cards:
First is Compaq WL110 Wireless LAN PC Card
Second is Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)
NOTE:- To find the network card the path is "C:\windows\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards"
Ans. File is "C:\Program Files\Look@LAN\irunin.ini".
IP Address : 192.168.1.111
MAC Address : 00:10:a4:93:3e:09
15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN?
Ans. Looking the address up in a MAC lookup service, the company name found was: XIRCOM.
So, the NIC card used to set up Look@LAN is: Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)
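The irunin.ini values in questions 12 to 15 are plain KEY=VALUE lines, and the vendor lookup rests on the OUI, which is the first three octets (six hex digits) of the MAC address. The script below is an added example, not part of the original write-up and not Look@LAN's own code: it parses a constructed irunin.ini sample in that style, normalizes the MAC whatever separator it was written with, and maps the OUI to a vendor. The %LANUSER% and %REGOWNER% lines reproduce the values quoted above; the %LANIP% and %LANNIC% key names are an assumption used only to carry the IP and MAC the write-up reports, and the one-entry OUI table is constructed, not the IEEE registry.

```python
import re

# Constructed sample in the style of Look@LAN's irunin.ini (not the file from
# the case image). %LANUSER% and %REGOWNER% reproduce the write-up's values;
# the %LANIP% and %LANNIC% key names are an assumption.
SAMPLE_IRUNIN_INI = """\
%LANUSER%=Mr. Evil
%REGOWNER%=Greg Schardt
%LANIP%=192.168.1.111
%LANNIC%=0010a4933e09
"""

# Constructed OUI table (first three octets -> vendor). A real investigation
# consults the IEEE OUI registry; only the entry the write-up relies on is here.
OUI_TABLE = {"00:10:A4": "XIRCOM"}


def parse_irunin(text: str) -> dict[str, str]:
    """Parse 'KEY=VALUE' lines into a dict, skipping blanks and ';' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def normalize_mac(mac: str) -> str:
    """Accept 0010a4933e09, 00-10-a4-93-3e-09 or 00:10:a4:93:3e:09; return 00:10:A4:93:3E:09."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac: str) -> str:
    """The OUI is the first three octets (six hex digits) of the MAC address."""
    return normalize_mac(mac)[:8]


def vendor_of(mac: str, table: dict[str, str] = OUI_TABLE) -> str:
    return table.get(oui_of(mac), "unknown vendor")


def summarize(ini_text: str = SAMPLE_IRUNIN_INI) -> dict[str, str]:
    """Pull the identity and network facts an examiner wants from irunin.ini."""
    kv = parse_irunin(ini_text)
    mac = normalize_mac(kv["%LANNIC%"])
    return {
        "lan_user": kv["%LANUSER%"],
        "reg_owner": kv["%REGOWNER%"],
        "ip": kv["%LANIP%"],
        "mac": mac,
        "oui": oui_of(mac),
        "vendor": vendor_of(mac),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:10}: {value}")
```

Normalizing the MAC before the lookup matters because registry and INI files store it without separators while lookup services expect colon- or dash-separated octets; the OUI table is the one piece to replace with the real IEEE data on a live case.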
Ans.

| Program Found | Usage |
|---|---|
| Cain & Abel v2.5 beta45 | Password cracking tool |
| Ethereal 0.10.6 v.0.10.6 | Advanced network analysis software |
| Network Stumbler 0.4.0 (remove only) | Wireless LAN detection and attack |
| Look@LAN 2.50 Build 29 | An advanced network monitor |
| 123 Write All Stored Password | Displays all passwords of the currently logged-on user that are stored in the Microsoft PWL file |
| Anonymizer Bar 2.0 (remove only) | A tool that attempts to make activity on the Internet untraceable |

This information can be found by selecting “Installed Programs” in the left pane.
Ans. E-mail Address of Mr. Evil is : [email protected]
To find this, do a keyword search for SMTP.
Then locate the file NTUSER.DAT, click on it, and in the lower pane click the Text tab. You will find it there.
Ans. NNTP (news server) is : news.dallas.sbcglobal.net
NNTP user name : [email protected]
Some other details about this account are stored alongside it.
To find this, do a keyword search for NNTP.
Then locate the file NTUSER.DAT, click on it, and in the lower pane click the Text tab. You will find it there.
Ans. There are 4 e-mail services found:
Forte Agent, Hotmail, MSN Explorer, Outlook Express
The program showing this information is MS Outlook Express.
This can be verified by checking the key at the given path.
Path: "C:\Documents and Settings\Mr. Evil\NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\UnreadMail\[email protected]"
It shows the application msimn, which is the executable of Outlook Express.
Looking in C:\Program Files, the program directory for Forte Agent is named Agent.
After some browsing around, I found a file named AGENT.ini where the same e-mail address is used.
Ans. The answer is in the given image.
Note:- The newsgroups can be found at the path: C:\Documents and Settings\Mr. Evil\Local Settings\Application Data\Identities\{EF086998-1115-4ECD-9B13-9ADC067B4929}\Microsoft\Outlook Express
21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user settings that was shown when the user was online and in a chat channel?
Ans. User = Mini Me
Email = [email protected]
nick = Mr
anick = mrevilrulez
host = Undernet: US, CA, LosAngelesSERVER:losangeles.ca.us.undernet.org:6660GROUP:Undernet
Note:- Can be found at Path: C:\Program Files\mIRC\mirc.ini
22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of this computer accessed.
Ans. To view the logs, we have to go inside the logs directory of mIRC. The channels that the user accessed are shown in the picture below.
Note:- Path is: C:\Program Files\mIRC\logs
23. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?
Ans. To find the file, we can look in Ethereal's application data. The file name is "recent".
Looking inside it, we can see that the most recent capture file is "interception":
recent.capture_file: C:\Documents and Settings\Mr. Evil\interception
Note:- The path to find the file is : C:\Documents and Settings\Mr. Evil\Application Data\Ethereal\recent
24. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (person who had his internet surfing recorded) using?
Ans. To get this data we have to look into the file that contains the intercepted data, which is at
"C:\Documents and Settings\Mr. Evil\interception".
The wireless computer used by the victim is: Windows CE (Pocket PC) - Version 4.20
Ans. Checking the file "interception", the websites accessed by the user are:
mobile.msn.com, MSN Hotmail Email
Ans. For this, I searched the Web History under Extracted Content.
After searching through all the files, I found one showing that
the user had logged in to some FTP service using his e-mail id.
Yahoo! Mail - [email protected]
Ans. To find the file name, I did a keyword search.
The file found is : ShowLetter[1].htm
Ans. To find the files, we have to look into the Recycle Bin folder.
Note:- The path is: "C:\RECYCLER\S-1-5-21-2000478354-688789844-1708537768-1003\"
Ans. By looking at Deleted Files in the left pane, the total count of deleted files is: 1371
Ans. By looking at Deleted Files in the left pane, the number of files actually reported as deleted by the file system is: 365
Ans. Autopsy itself performs an antivirus check and shows its result under Interesting Items (left-side tree structure).
Looking there, we find that there is a zip bomb.
Location of zip bomb: C:\My Documents\FOOTPRINTING\UNIX\unix_hack.tgz
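A zip bomb is flagged by its declared expansion ratio, which a triage tool can read from archive metadata without ever decompressing the payload: the gzip trailer of a .tgz stores the uncompressed length (ISIZE, modulo 2^32), and a zip central directory stores each member's compressed and uncompressed sizes. The script below is an added example of that check, not part of the original write-up and not Autopsy's own detection code; the archives it inspects are constructed in memory (a highly compressible payload standing in for a bomb, and ordinary log text as a control) rather than taken from the case image, and the 100x threshold is an assumed triage value.

```python
import gzip
import io
import struct
import zipfile

# Assumed triage threshold: legitimate archives rarely expand more than ~100x;
# ratios in the thousands are the classic zip-bomb signature.
SUSPICIOUS_RATIO = 100.0


def gzip_declared_ratio(blob: bytes) -> float:
    """Expansion ratio implied by a gzip member's trailer, without decompressing.

    The last 4 bytes (ISIZE) hold the uncompressed length modulo 2**32, so a
    .tgz can be sized from its trailer alone. Because of the modulo, a payload
    over 4 GiB can look small: a low ratio means 'not proven dangerous', not
    'safe'.
    """
    if len(blob) < 18 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    (isize,) = struct.unpack("<I", blob[-4:])
    return isize / len(blob)


def zip_member_ratios(blob: bytes) -> dict[str, float]:
    """Per-member uncompressed/compressed ratio read from the central directory."""
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.compress_size == 0:
                continue  # empty member, nothing to expand
            ratios[info.filename] = info.file_size / info.compress_size
    return ratios


def looks_like_zip_bomb(blob: bytes, threshold: float = SUSPICIOUS_RATIO) -> bool:
    """Flag gzip or zip data whose declared expansion ratio is implausibly high."""
    if blob[:2] == b"\x1f\x8b":
        return gzip_declared_ratio(blob) > threshold
    if blob[:2] == b"PK":
        return any(r > threshold for r in zip_member_ratios(blob).values())
    return False


# Constructed samples (not files from the case image): a highly compressible
# payload standing in for a bomb, and realistic log text as a control.
BOMB_PAYLOAD = b"\x00" * (4 * 1024 * 1024)
TEXT_PAYLOAD = b"".join(
    f"line {i}: uid={i * 7 % 1000} status=ok\n".encode() for i in range(2000)
)


def make_gzip(payload: bytes) -> bytes:
    return gzip.compress(payload)


def make_zip(payload: bytes, name: str = "payload.bin") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("bomb .tgz-like", make_gzip(BOMB_PAYLOAD)),
        ("bomb .zip", make_zip(BOMB_PAYLOAD)),
        ("logs .tgz-like", make_gzip(TEXT_PAYLOAD)),
    )
    for label, blob in samples:
        print(f"{label:15} {len(blob):>8} bytes  suspicious={looks_like_zip_bomb(blob)}")
```

Reading sizes from metadata is the point: the check costs a few bytes of I/O and never allocates the expanded data, which is exactly the property an examiner wants before handing an unknown archive to an extraction module.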