
CDF-ASSIGNMENT-2

1. Sandipan Dey - MIT2021095 Ques:(1-8)


2. Vinay Kumar - MIT2021091 Ques:(9-15)
3. Akshay Srivastava - MIT2021047 Ques:(16-23)
4. Prashant Mathan - MIT2021027 Ques:(24-31)

Greg Schardt - Hacking Case

Scenario
On September 20, 2004, a Dell CPi laptop with the serial number VLQLW, a wireless
PCMCIA card, and an extra set of DIY 802.11b antennas were discovered abandoned.
Although the machine could not be directly tied to the hacking suspect Greg Schardt, it is
believed that it was used for malicious purposes. (There are no equal signs in the picture
files; the equal signs are only included to stop web spiders from indexing this name.)
Some of Schardt's associates claim that he would park his car close to wireless access
points (such as Starbucks and other T-Mobile hotspots) and intercept internet traffic in an
effort to obtain credit card numbers, usernames, and passwords. Schardt also goes by the
online handle "Mr. Evil."

1. What is the image hash? Does the acquisition and verification hash match?
2. What operating system was used on the computer?
3. When was the install date?

4. What are the timezone settings?


5. Who is the registered owner?

6. What is the computer account name?


7. What is the primary domain name?
8. When was the last recorded computer shutdown date/time?
9. How many accounts are recorded (total number)?

The total number of recorded accounts was found in the OS_ACCOUNT tab.
This evidence falls under the category of indirect evidence.
10. What is the account name of the user who mostly uses the computer?

In Autopsy we go to “Operating System User Account”. There is a column named
“Count” which stores the number of times each user logged into the system.
11. Who was the last user to logon to the computer?

After searching and discussion, I found that the name of the last user who logged in
successfully appears in the registry value “DefaultUserName” under the key

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”.

So, the path of the registry key on the image is
“C:\windows\system32\config\software\Microsoft\Windows NT\CurrentVersion\Winlogon”.

Also, since Mr. Evil has the highest number of logins to the system, it can be safely
assumed that he was the last user to log on to the computer (indirect evidence).

12. A search for the name of “Greg Schardt” reveals multiple hits. One of these
proves that Greg Schardt is Mr. Evil and is also the administrator of this
computer. What file is it? What software program does this file relate to?

To search for “Greg Schardt” I entered the name in the keyword search and got 10
results.

After searching every file I found one interesting file whose location is
“C:\Program Files\Look@LAN\irunin.ini”.

From the link, I found that Look@LAN is an application that allows users to monitor the
clients connected to a LAN. In the irunin.ini file, the regowner is given as Greg Schardt
while the LAN user is Mr. Evil, which proves that both are the same person.
13. List the network cards used by this computer.

Full Path = “C:\windows\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards”.

From the two images above we find that the two network cards are
“Compaq WL110 Wireless LAN PC Card” and “Xircom CardBus Ethernet 100 + Modem 56
(Ethernet Interface)”.

14. This same file reports the IP address and MAC address of the computer. What
are they?
To find the IP and MAC address we look again into the file found in Q.12, because from
that question we know that the Look@LAN application monitors the clients connected to
the LAN. So we open the file at “C:\Program Files\Look@LAN\irunin.ini”. After opening
the file we easily find the IP and MAC address in it.

15) An internet search for vendor name/model of NIC cards by MAC address can
be used to find out which network interface was used. In the above answer, the
first 3 hex characters of the MAC address report the vendor of the card. Which
NIC card was used during the installation and set-up for LOOK@LAN?

Ans) From the previous question we know that the MAC address of this computer is
0010a4933e09, and the first 3 hex characters of the MAC address report the vendor of
the card.

The Path to find the LAN IP and LAN NIC is:


If we search for “Greg Schardt” in the keyword search we find the file irunin.ini, which
contains the LANIP and LANNIC values as shown below.

Xircom is the vendor name obtained by searching for the first 3 hex characters.
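Added example, not part of the assignment or of Look@LAN: a small parser for the key/value lines of an irunin.ini-style file (answers 12, 14 and 15 above) and a lookup of the NIC vendor from the MAC address. The vendor prefix (OUI) is the first three octets, i.e. the first six hex digits, 00:10:A4 for 0010a4933e09. The INI text, the IP address (from the RFC 5737 documentation range) and the one-entry OUI table below are constructed for the example; only the MAC address and the names come from the write-up.

```python
"""Parse a Look@LAN-style irunin.ini and resolve the NIC vendor from the MAC.

Added example. The sample INI content, the IP address and the tiny OUI table
are constructed; a real investigation would use the IEEE OUI registry."""
import re

# Constructed sample modelled on key=value lines; values other than the MAC
# and the two names are placeholders.
SAMPLE_IRUNIN_INI = """\
[IRUNIN]
%LANUSER%=Mr. Evil
%REGOWNER%=Greg Schardt
%LANIP%=192.0.2.10
%LANNIC%=0010a4933e09
"""

# Constructed, deliberately tiny OUI table keyed by the first three octets.
OUI_TABLE = {
    "00:10:A4": "Xircom",
}


def parse_ini_values(text: str) -> dict:
    """Return key -> value for every 'key=value' line, ignoring [sections]
    and comments. Keys are normalised by stripping '%' and upper-casing."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip().strip("%").upper()] = value.strip()
    return values


def normalise_mac(mac: str) -> str:
    """Accept '0010a4933e09', '00-10-a4-93-3e-09' or '00:10:a4:93:3e:09'
    and return the canonical AA:BB:CC:DD:EE:FF form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac: str) -> str:
    """The OUI is the first three octets (six hex digits) of the MAC."""
    return normalise_mac(mac)[:8]


def vendor_of(mac: str, table: dict = OUI_TABLE) -> str:
    return table.get(oui_of(mac), "unknown vendor")


def summarise(ini_text: str) -> dict:
    """Pull the owner, LAN user, IP, MAC, OUI and vendor out of the INI text."""
    v = parse_ini_values(ini_text)
    mac = v.get("LANNIC", "")
    return {
        "regowner": v.get("REGOWNER"),
        "lanuser": v.get("LANUSER"),
        "lanip": v.get("LANIP"),
        "mac": normalise_mac(mac) if mac else None,
        "oui": oui_of(mac) if mac else None,
        "vendor": vendor_of(mac) if mac else None,
    }


if __name__ == "__main__":
    for key, val in summarise(SAMPLE_IRUNIN_INI).items():
        print(f"{key:>9}: {val}")
```

The parser is deliberately line-based rather than `configparser`, because Look@LAN wraps its keys in `%...%`, and a forensic copy of the file may be truncated or have no section header at all.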
16) Find 6 installed programs that may be used for hacking.

Ans)

Among the installed programs are several hacking tools, which are strong evidence
against the suspect Greg Schardt. The hacking tools that were installed are:

1. Ethereal 0.10.6 v.0.10.6 :- a packet sniffing tool.
https://www.itprotoday.com/security/ethereal-packet-sniffer
2. Network Stumbler :- a Windows-based tool generally used to discover WLAN
networks running the 802.11 a/b/g standards, and used by attackers for war driving.
https://www.csie.ntu.edu.tw/~b90047/ebook/winXPhack/0596005113_winxphks-chp-5-sect-2.html#:~:text=For%20each%20WiFi%20network%20it,to%20connect%20to%20the%20network.
3. Look@LAN :- a network monitoring tool.
https://www.majorgeeks.com/files/details/looklan.html#:~:text=Look%40Lan%20is%20an%20advanced,discovering%20your%20network's%20active%20nodes.

4. 123 Write All Stored Passwords :- displays all passwords that are stored in
the Microsoft PWL file.
https://www.techspot.com/downloads/107-123-write-all-stored-passwords.html
5. Anonymizer :- a tool used to make activity on the internet untraceable.
https://en.wikipedia.org/wiki/Anonymous_proxy
6. Cain and Abel :- a password cracking tool.
https://en.wikipedia.org/wiki/Cain_and_Abel_(software)

17) What is the SMTP email address for Mr. Evil?

Ans) whoknowsme@sbcglobal.net

Searching for the keyword ‘SMTP’ in the volume 2 data source finds a file
called ‘NTUSER.DAT’ whose text contains the SMTP email address of Mr. Evil.
18. What are the NNTP (news server) settings for Mr. Evil?

Ans)

Searching for the keyword ‘NNTP’ in the same directory as in the previous question finds
the file ‘NTUSER.DAT’, whose text contains the NNTP details.
It contains the following NNTP server details: news.dallas.sbcglobal.net
NNTP username :- whoknowsme@sbcglobal.net
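Added example, not part of the assignment: the keyword searches in answers 17 and 18 work because a forensic keyword search matches the term in more than one encoding. Windows registry hives such as NTUSER.DAT store most string values as UTF-16LE, so an ASCII-only grep for ‘NNTP’ finds nothing in them. The code below extracts printable runs in both encodings (like `strings -a` and `strings -el`) and filters them by keyword. The byte blob is constructed for the example; only the server name and e-mail address quoted above are taken from the write-up.

```python
"""Keyword search over raw bytes in ASCII and UTF-16LE, as a forensic
keyword search does. Added example; SAMPLE_BLOB is constructed."""
import re

# Constructed blob: registry-style strings, mostly UTF-16LE, with one ASCII
# copy for contrast, separated by filler NUL bytes.
SAMPLE_BLOB = (
    bytes(8)
    + "NNTP Server".encode("utf-16-le") + bytes(2)
    + "news.dallas.sbcglobal.net".encode("utf-16-le") + bytes(6)
    + b"SMTP Email Address\x00"
    + b"whoknowsme@sbcglobal.net\x00"
    + bytes(4)
    + "NNTP User Name".encode("utf-16-le") + bytes(2)
    + "whoknowsme@sbcglobal.net".encode("utf-16-le")
    + bytes(8)
)


def extract_strings(data: bytes, min_len: int = 4, encodings=("ascii", "utf-16le")):
    """Yield (offset, encoding, text) for every printable run of at least
    min_len characters, in each requested encoding."""
    if "ascii" in encodings:
        ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
        for m in ascii_run.finditer(data):
            yield m.start(), "ascii", m.group().decode("ascii")
    if "utf-16le" in encodings:
        # A printable UTF-16LE character is an ASCII byte followed by 0x00.
        utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
        for m in utf16_run.finditer(data):
            yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def keyword_hits(data: bytes, keyword: str, encodings=("ascii", "utf-16le")):
    """Return [(offset, encoding, text)] for every extracted string that
    contains the keyword, case-insensitively, sorted by offset."""
    kw = keyword.lower()
    hits = [
        (off, enc, text)
        for off, enc, text in extract_strings(data, encodings=encodings)
        if kw in text.lower()
    ]
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, text in keyword_hits(SAMPLE_BLOB, "sbcglobal"):
        print(f"0x{off:06x} {enc:8s} {text}")
    print("ASCII-only hits for 'nntp':", len(keyword_hits(SAMPLE_BLOB, "nntp", ("ascii",))))
```

The contrast case is the point: searching the same blob for ‘nntp’ with `encodings=("ascii",)` returns nothing, while the default search finds both UTF-16LE values. A real hive is larger and the value name and its data are stored in separate cells, so this is a triage step; a registry parser is still needed to attribute a value to its key.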

19) What two installed programs show this information?

Ans)

Thunderbird and Forte are the two programs that use the email address
whoknowsme@sbcglobal.net.
i) By searching for the keyword ‘whoknowsme@sbcglobal.net’ in the installed programs we
find RegRipper. Clicking on RegRipper shows Thunderbird.
ii) Forte is also used as an email application. The mail inside the Forte folder is
found at the path below.

Inside the data folder we find a file called ‘00000157.IDX’, which contains the following
information regarding Mr. Evil.
20) List 5 newsgroups that Mr. Evil has subscribed to?
Ans) The following newsgroups were found in Outlook Express. They are:

21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What
are the user settings that was shown when the user was online and in a chat
channel?

Ans) The path to the mIRC program is:

Inside the mIRC folder we find ‘mirc.ini’, which contains the following information:

22). This IRC program has the capability to log chat sessions. List 3 IRC channels
that the user of this computer accessed.

Ans) In the same folder as in the question above we find the logs of the IRC
channels. They are:
23. Ethereal, a popular “sniffing” program that can be used to intercept wired and
wireless internet packets, was also found to be installed. When TCP packets are
collected and re-assembled, the default save directory is that user's \My
Documents directory. What is the name of the file that contains the intercepted
data?

Ans)
The path to the ‘recent’ file is:

Inside the Ethereal folder we find a file called ‘recent’, which records the intercepted
file. The name of the file is Interception.
24. Viewing the file in a text format reveals much information about who and what
was intercepted. What type of wireless computer was the victim (person who had
his internet surfing recorded) using?

When we view the file, we see that MSIE 4.01 with Windows CE is the user agent. As a
result, the victim's wireless device was a "Microsoft Internet Explorer (MSIE) 4.01 with
Windows CE (Pocket PC)".

25. What websites was the victim accessing?

“C:\Documents and Settings\Mr. Evil\interception”
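Added example, not part of the assignment: answers 24 and 25 read the text form of the intercepted file by eye to find the victim's browser and the sites visited. The code below does the same mechanically over a text dump of reassembled HTTP traffic, splitting it into requests and collecting the `User-Agent` and `Host` headers. The capture text is constructed; the user agent string repeats the MSIE 4.01 / Windows CE value quoted in answer 24, and the host names are placeholders from the example.com/.net reserved names.

```python
"""Extract the client user agent and the websites visited from a text dump
of intercepted HTTP traffic. Added example; SAMPLE_CAPTURE is constructed."""
import re
from collections import Counter

# Constructed capture: three requests and one response, as plain text.
SAMPLE_CAPTURE = """\
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)
Accept: */*

HTTP/1.1 200 OK
Content-Type: text/html

GET /mail/login HTTP/1.1
Host: mail.example.net
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)

GET /images/logo.gif HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_requests(text: str) -> list:
    """Return one dict per HTTP request: method, path and lower-cased header
    names. Response blocks (lines starting 'HTTP/') and blank lines end the
    current request so their headers are not mixed into it."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2), "headers": {}}
            requests.append(current)
            continue
        if line.startswith("HTTP/") or not line.strip():
            current = None
            continue
        h = HEADER.match(line)
        if current is not None and h:
            current["headers"][h.group(1).lower()] = h.group(2)
    return requests


def user_agents(text: str) -> Counter:
    """Count each distinct User-Agent string seen in requests."""
    return Counter(
        r["headers"]["user-agent"]
        for r in parse_requests(text)
        if "user-agent" in r["headers"]
    )


def hosts_visited(text: str) -> list:
    """Sorted, de-duplicated Host header values."""
    return sorted({r["headers"]["host"] for r in parse_requests(text) if "host" in r["headers"]})


def urls_visited(text: str) -> list:
    """Full URLs in order of first appearance (scheme assumed http for plaintext traffic)."""
    urls = [
        "http://" + r["headers"]["host"] + r["path"]
        for r in parse_requests(text)
        if "host" in r["headers"]
    ]
    return list(dict.fromkeys(urls))


if __name__ == "__main__":
    for ua, n in user_agents(SAMPLE_CAPTURE).items():
        print(f"{n} requests from: {ua}")
    print("hosts:", hosts_visited(SAMPLE_CAPTURE))
    print("urls:", urls_visited(SAMPLE_CAPTURE))
```

Counting user agents rather than taking the first one matters on a real capture, where traffic from more than one client can be interleaved; the dominant string identifies the victim's device, here a Windows CE handheld.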


26. Search for the main users web based email address. What is it?

I looked for this in the Web History under Extracted Content. After much digging, I
came across a file in which I discovered that the user had used his email address to log
into an FTP service.

27. Yahoo mail, a popular web based email service, saves copies of the email
under what file name?

I do a keyword search on the email address which we found in the above question.
28. How many executable files are in the recycle bin?

From the image of the Recycler folder above, we found that there are “4”
executable files in the Recycle Bin.
29. Are these files really deleted?

They are not actually deleted. They can also be restored because they are in the
Recycle Bin. They are not eliminated; they were merely moved into and retained in the
Recycle Bin.

30. How many files are actually reported to be deleted by the file system?

31. Perform an Anti-Virus check. Are there any viruses on the computer?

Although zip bombs are not as dangerous as viruses, they are still malicious and can
crash the whole system.
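Added example, not part of the assignment: an archive can be flagged as a likely zip bomb from its central directory alone, before any member is decompressed, by comparing the declared uncompressed size with the stored size. The code also shows the companion control for the case where the declared sizes are lies: reading a member with a byte budget and aborting when it is exceeded. Both archives are built in memory from constructed data; the thresholds are assumptions chosen for the example.

```python
"""Flag a suspected zip bomb from archive metadata and read members under a
byte budget. Added example; both archives are constructed in memory."""
import io
import zipfile


def build_sample_bomb(uncompressed_bytes: int = 1_000_000) -> bytes:
    """Constructed archive: one member of NUL bytes, which DEFLATE shrinks
    by roughly a thousand to one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", bytes(uncompressed_bytes))
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with an ordinary small text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "A short, ordinary text file.\n")
    return buf.getvalue()


def inspect_zip(data: bytes, max_ratio: float = 100.0, max_total: int = 50_000_000):
    """Return (suspicious, stats). Only the central directory is read; no
    member is decompressed. The ratio and total thresholds are assumptions."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_compressed = sum(i.compress_size for i in infos)
    total_uncompressed = sum(i.file_size for i in infos)
    ratio = total_uncompressed / max(total_compressed, 1)
    stats = {
        "members": len(infos),
        "compressed": total_compressed,
        "uncompressed": total_uncompressed,
        "ratio": ratio,
    }
    suspicious = ratio > max_ratio or total_uncompressed > max_total
    return suspicious, stats


def read_member_bounded(data: bytes, name: str, budget: int) -> bytes:
    """Decompress one member in chunks and abort once more than `budget`
    bytes have been produced. This guards against declared sizes that lie,
    which inspect_zip() cannot detect."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                break
            out += chunk
            if len(out) > budget:
                raise ValueError(f"{name}: exceeded {budget} bytes while extracting")
    return bytes(out)


if __name__ == "__main__":
    for label, archive in (("bomb", build_sample_bomb()), ("benign", build_benign_zip())):
        flagged, st = inspect_zip(archive)
        print(f"{label:6s} suspicious={flagged} ratio={st['ratio']:.0f}:1 "
              f"uncompressed={st['uncompressed']}")
```

The metadata check is cheap and should run first, but it only sees one layer: a zip that contains zips reports the inner archives at their stored size, so nested archives need the same check applied recursively, and every extraction should run under the byte budget regardless of what the directory claims.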
