Lab 3 - Autopsy Lab Qs

The document describes a case study involving an abandoned Dell laptop suspected of being used for hacking. Key details include the laptop serial number and suspect Greg Schardt, who goes by the online name "Mr. Evil". Users are asked to analyze image files of the laptop to answer 25 questions, with the goal of finding evidence that ties the laptop to hacking activity and its owner Greg Schardt.

Uploaded by ramdev

Lab 3

Read the attached case study document, analyse the image file for artifacts, and answer the questions that follow.

“On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along with a wireless PCMCIA card and an external homemade 802.11b antenna. It is suspected that this computer was used for hacking purposes, although it cannot be tied to a hacking suspect, Greg Schardt. Schardt also goes by the online nickname of “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numbers, usernames & passwords. Find any hacking software, evidence of their use, and any data that might have been generated. Attempt to tie the computer to the suspect, Greg Schardt. A DD image and an EnCase image of the abandoned computer have already been made.”

1. What is the image hash?
2. What operating system was used on the computer?
3. Who is the registered owner?
4. How many accounts are recorded?
5. What is the account name of the user who mostly uses the computer?
6. Who was the last user to log on to the computer?
7. Find 6 installed programs that may be used for hacking.
8. Are there any viruses on the computer?

9. When was the last recorded computer shutdown date/time?

Hint: search the registry at “C:\WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTime”.
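The ExitTime value named in the hint is a REG_BINARY holding an 8-byte Windows FILETIME, which a registry viewer shows as raw hex rather than a date. This added Python helper (not part of the lab, and not Autopsy code) decodes such a hex rendering to a timestamp; the sample bytes are a constructed value (the Unix epoch), not the lab's answer, and the REG_BINARY-FILETIME layout is an assumption stated in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_hex_blob(text: str) -> bytes:
    """Turn a registry viewer's hex rendering ("00 80 3e d5 de b1 9d 01",
    "00:80:3e:..." or "00803e...") into raw bytes."""
    return bytes.fromhex("".join(ch for ch in text if ch not in " :-\r\n\t"))


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME held in a REG_BINARY value to UTC."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime, so a decoded value can be cross-checked."""
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime so the conversion is unambiguous")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def exit_time_from_hex(text: str, tz: timezone = timezone.utc) -> str:
    """Hex as shown in a registry viewer -> ISO 8601 timestamp in the chosen zone.
    Assumption: the Prefetcher ExitTime value is a REG_BINARY FILETIME."""
    return filetime_to_datetime(parse_hex_blob(text)).astimezone(tz).isoformat()


if __name__ == "__main__":
    # Constructed sample: the FILETIME of the Unix epoch, 116444736000000000 ticks
    # (0x019DB1DED53E8000), shown little-endian the way a viewer would display it.
    print(exit_time_from_hex("00 80 3E D5 DE B1 9D 01"))  # 1970-01-01T00:00:00+00:00
    # The same instant in an examiner's local zone, if that is what the report uses.
    print(exit_time_from_hex("00 80 3E D5 DE B1 9D 01", timezone(timedelta(hours=-4))))
```

State in the report which time zone the decoded value is expressed in, since the stored ticks are UTC and Autopsy's display zone is configurable.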

10. List the network cards used by this computer.

Hint: look inside the folder at “C:\WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\”

11. Search for the name “Greg Schardt”. One of the hits proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?

12. This same file reports the IP address and MAC address of the computer. What are they?

13. An internet search for the vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up of LOOK@LAN?
- Hint: look up the MAC address at https://macvendors.com

14. What is the SMTP email address for Mr. Evil?

Hint: search in C:\Program Files\Agent\Data\AGENT.INI

15. What are the NNTP (news server) settings for Mr. Evil? What installed programs show this information? List 5 newsgroups that Mr. Evil has subscribed to.

Hint: search inside Documents and Settings, under Application Data and then Identities; look through the Microsoft Outlook folders there for evidence of subscribed newsgroups.

16. A popular IRC (Internet Relay Chat) program called mIRC was installed. What are the user settings (user, email and nickname) that were shown when the user was online in a chat channel?

Hint: find the install location of mIRC; the required info is in the .ini file of the installed program.

17. This IRC program has the capability to log chat sessions. List the IRC channels that the user of this computer accessed.

18. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets, was also found to be installed. What is the name of the file that contains the intercepted data?

Hint: look inside Documents and Settings, in the folder named after the user's nickname, for files with a likely notable result analysis score.

19. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (the person whose internet surfing was recorded) using?

20. What websites was the victim accessing?
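Questions 18 to 20 turn on what the intercepted-traffic file reveals about the victim's device and the sites visited. This added Python example (not part of the lab, and no substitute for opening the file in Ethereal or Autopsy) parses a classic libpcap capture and pulls the Host and User-Agent headers out of each HTTP request; the capture is constructed inline with example.com hostnames and is not the evidence file.

```python
import re
import struct
PCAP_MAGIC_LE = 0xA1B2C3D4  # magic of a native-order capture when read little-endian

def pcap_packets(data: bytes):
    """Yield (timestamp, frame_bytes) from a classic libpcap file of either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    end = "<" if magic == PCAP_MAGIC_LE else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a libpcap capture (magic %#x)" % magic)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

REQUEST = re.compile(rb"(GET|POST|HEAD) [^\r\n]+ HTTP/1\.[01]\r\n")
HEADER = re.compile(rb"^([A-Za-z-]+):[ \t]*(.*?)\r?$", re.M)

def http_requests(data: bytes):
    """(host, user_agent, request_line) per request: Host -> sites visited, User-Agent -> device."""
    found = []
    for _ts, frame in pcap_packets(data):
        m = REQUEST.search(frame)
        if not m:
            continue  # responses, non-HTTP traffic, continuation segments
        hdrs = {k.lower(): v for k, v in HEADER.findall(frame[m.end():])}
        found.append(tuple(x.decode(errors="replace") for x in
                           (hdrs.get(b"host", b""), hdrs.get(b"user-agent", b""), m.group(0).strip())))
    return found

def _frame(payload: bytes) -> bytes:  # constructed: Ethernet + IPv4 + TCP (zero checksums) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1095676800 + i, 0, len(f), len(f)) + f
    return out

UA = b"Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC)"  # constructed handheld UA
SAMPLE_PCAP = _pcap([  # constructed capture, not the lab's evidence file
    _frame(b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: " + UA + b"\r\n\r\n"),
    _frame(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    _frame(b"GET /ym/login HTTP/1.1\r\nHost: mail.example.net\r\nUser-Agent: " + UA + b"\r\n\r\n"),
])
```

Run `http_requests(open("capture.pcap", "rb").read())` on a real capture to list the hosts and user agents; requests split across TCP segments would need stream reassembly, which this single-frame scan does not do.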

21. Yahoo Mail, a popular web-based email service, saves copies of the email under what file name?

22. Search for the main user's Yahoo web-based email address. What is it?

23. How many executable files are in the recycle bin?

24. How many files are actually reported to be deleted by the file system?

25. Prepare a thorough report with ample tags and comments on the artifacts that prove that this laptop was used for hacking (programs installed, information stored, participation in hacking communities and newsgroups) and that this laptop belonged to Greg Schardt, who also has the online persona “Mr. Evil”.
