
DA – 3

CYBER FORENSICS AND INVESTIGATION - BCI4001


E1+TE1+E2+TE2

Team members:
19BCI0074 - Nandipati Hemanth Kumar Reddy
19BCE2081 - Y.V.N.S.R.K.Teja
19BCE0952 - Rahul Sanjeev
Case:
A complaint was made to the authorities describing alleged Wi-Fi hacking
activity. When the authorities reached the spot, they found an abandoned Dell
computer that is suspected of having been used for hacking. The suspect,
Schardt, uses the nickname "Mr.Evil" when he goes online.
During the course of the investigation, analysis of the evidence requires
performing the following computer forensics tasks:
1. The operating system which was used in the computer
2. The registered owner of the computer
3. The computer account name
4. The last recorded computer shutdown date/time
5. Total accounts recorded
6. The account name of the user who mostly uses the computer
7. The last user to login into the computer
8. A search for the name of “Greg Schardt” to prove that he is Mr. Evil and is
also the administrator of this computer and the file used to prove it.
9. The same file in above reports the IP address and MAC address of the
computer.
10. Some installed programs that may be used for hacking.
11. E-mail address of Mr. Evil
12. The NNTP (news server) settings of Mr. Evil
13. Two installed programs show information about mail
14. A popular IRC (Internet Relay Chat) program called MIRC was installed
and how it’s used.
Dataset Used

Opening the dataset in autopsy


1. The operating system used in the computer can be found in Data Artifacts-->
Operating System Information
Here it's Windows XP

2. The registered owner of the computer can be found in
Data Artifacts-->Operating System Information, where we can see the
Owner name
Here it's Greg Schardt
3. The computer account name can be found in
Data Artifacts-->Operating System Information-->System and name. Here
it's N-1A9ODN6ZXK4LQ. It's also the primary domain.

4. The last recorded computer shutdown session can be found in OS accounts
Here it's used by Mr.Evil on 20-8-2004
5. The total accounts recorded can be found in OS accounts
Here a total of 5 accounts are used. We must exclude LocalService,
NetworkService and systemprofile, as these are system profiles.

6. The account name of the user who mostly uses the computer can be seen
in OS accounts under Mr.Evil info
Here he has a login count of 15

7. The last user to login is Mr.Evil; we can conclude this from the OS accounts data above.


8. Searching for the keyword "Greg Schardt" in keyword search, we can find
whether he is Mr.Evil or not
Searching keyword "Greg Schardt"

Searching in the irunin.ini configuration file, we can find a link between Greg
Schardt and Mr.Evil. The irunin.ini file belongs to the program Look@LAN, which
is commonly used for hacking purposes; it's basically used to monitor
networks.
Also, we can match the domain name in this file to the account's primary domain, i.e.
N-1A9ODN6ZXK4LQ.
So we can confirm that Greg Schardt is Mr.Evil

9. The irunin.ini file above also reports the IP address of the computer, which
can be found in the entry
%LANIP%=192.168.1.111
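As an added illustration of the cross-check in steps 8 and 9 (this is not part of the team's report or of Autopsy), the Python below parses a constructed irunin.ini sample and tests its fields against the computer name and alias recovered earlier. Only the %LANIP% value and the domain match come from the report; the other key names, the user value and the MAC value are assumed placeholders.

```python
import re

# Constructed sample of a Look@LAN irunin.ini, NOT the file from the evidence
# image: only %LANIP% and the domain name come from the report; the remaining
# keys and the NIC (MAC) value are placeholders for illustration.
SAMPLE_IRUNIN_INI = """\
[Users]
%LANUSER%=Mr. Evil
%LANDOMAIN%=N-1A9ODN6ZXK4LQ
%LANIP%=192.168.1.111
%LANNIC%=00:11:22:33:44:55
"""

# Facts established earlier in the investigation (steps 3 and 8 of the report).
COMPUTER_NAME = "N-1A9ODN6ZXK4LQ"
ONLINE_ALIAS = "Mr.Evil"

KEY_RE = re.compile(r"^\s*%?([A-Za-z0-9_]+)%?\s*=\s*(.*?)\s*$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def parse_irunin(text):
    """Return {KEY: value} for every %KEY%=value line; section headers and
    comment lines are skipped. Keys are upper-cased so lookups are stable."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("[", ";", "#")):
            continue
        m = KEY_RE.match(line)
        if m:
            fields[m.group(1).upper()] = m.group(2)
    return fields


def corroborate(fields, computer_name=COMPUTER_NAME, alias=ONLINE_ALIAS):
    """Cross-check the INI against facts recovered from the registry.
    Returns findings a report can cite; a missing field yields None so the
    analyst sees the gap instead of a silent default."""
    nic = fields.get("LANNIC")
    squash = lambda s: s.replace(" ", "").lower()  # "Mr. Evil" == "Mr.Evil"
    return {
        "domain_matches_computer_name":
            fields.get("LANDOMAIN", "").upper() == computer_name.upper(),
        "user_matches_alias": squash(fields.get("LANUSER", "")) == squash(alias),
        "lan_ip": fields.get("LANIP"),
        "lan_mac": nic if nic and MAC_RE.match(nic) else None,
    }
```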
10. Some installed programs that may be used for hacking are found in
Installed Programs
They are
Ethereal – Packet Sniffing
123 Write all stored passwords – Password dumping
CuteFTP – Transfer Files
Cain & Abel – Password Hacking/Cracking
WinPcap – Packet Capturing
Look@Lan – Monitor Networks
11. The SMTP E-Mail address of Mr.Evil can be found in an installed program
named Forte Agent, which is a mail service provider
We go to vol2-->program files-->agent-->data and, while searching the files
there, we find the email id in the file 00000158.IDX. Here the mail is
whoknowsme@sbcglobal.net
It can be confirmed by doing a keyword search as the SMTP E-Mail Id of
Mr.Evil

12. The NNTP (News Server) details of Mr.Evil can be found by keyword-searching
his SMTP email address and then looking in AGENT.INI
13. The two installed programs that show information about mail are Forte Agent and
Thunderbird, as they contain the email

14. A popular IRC (Internet Relay Chat) program called MIRC is used, and
its details are shown below
User id is mini me
The Autopsy Report
Conclusion:
The forensic investigation carried out on the disk image is displayed above. It
is possible to identify the type of crime committed and the criminal behind
the crime. The computer hard disk is the main source of evidence against such
crimes, as it retains the digital information. Hence we found the hacker
using the Autopsy tool.
