
CCFE Detailed Forensics Report

6/14/2010

Completed by Brent Dockter

Introduction

On April 23rd, 2010, I was given a DVD containing a DD image of the suspect's laptop. The user is suspected of using the laptop to hack into various wireless networks and capture credit card information.

Examination

I copied the zip file from the DVD to my local machine, where I extracted the .zip file into a folder called CCFE Practical. When extracted, the image consisted of 8 parts.

My next step was to mount this image so that I could perform my examination. I mounted the DD image using Mount Image Pro and mapped it to my local F drive. This allowed me to run any forensic investigative tools as well as to explore the image as if it were a local drive.

My first task was to determine the Operating System, the install date of the Operating System, and the time zone used.

In order to do this, I started with Windows Registry Viewer. This tool enabled me to mount and examine each of the registry files so that I could easily locate valuable information. To speed up the process, I used Access Data's Registry Quick Find Chart as a reference. It can be downloaded/viewed at the following location:

http://www.accessdata.com/media/en_us/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf

The registry files are located in the F:\WINDOWS\system32\config path, where F is the drive letter given to the mounted image on my local machine. The Operating System is located in the SOFTWARE registry file under Microsoft -> Windows NT -> Current Version. The laptop was running Microsoft Windows XP.

The install date of the Operating System is also located in the SOFTWARE registry file under Microsoft -> Windows NT -> Current Version. The value is stored as a hexadecimal value, so I double-clicked on the value to present the Data View. I then switched the view from hexadecimal to Timestamp. Per this entry, the Operating System was installed on August 19, 2004 at 10:48:27 PM.

The Time Zone Information is located in the SYSTEM registry file under Control Set 001 -> Control -> Time Zone Information. The laptop was being operated in Central Standard Time.
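As an added example (not part of the report or of the tools it names), the following Python decodes the two raw REG_DWORD values discussed above, InstallDate and the TimeZoneInformation Bias, from constructed sample bytes rather than from the image; the InstallDate bytes are chosen so that they decode to the report's date when read as UTC, and the Bias bytes hold the value Windows uses for Central Standard Time.

```python
import struct
from datetime import datetime, timezone, timedelta

# Constructed sample of the raw REG_DWORD bytes behind
# SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.
# Windows stores the value little-endian; these bytes read as 0x41252E3B,
# the Unix epoch second for 2004-08-19 22:48:27 UTC.
INSTALL_DATE_RAW = bytes.fromhex("3B2E2541")

# Constructed sample of SYSTEM\ControlSet001\Control\TimeZoneInformation\Bias:
# a signed 32-bit count of minutes added to local time to reach UTC,
# so Central Standard Time (UTC-6) is stored as +360 = 0x00000168.
TZ_BIAS_RAW = bytes.fromhex("68010000")


def reg_dword(raw, signed=False):
    """Decode a 4-byte little-endian REG_DWORD into a Python int."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<i" if signed else "<I", raw)[0]


def install_date_utc(raw):
    """InstallDate counts seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(reg_dword(raw), tz=timezone.utc)


def bias_to_utc_offset(raw):
    """Windows Bias = UTC - local, so the UTC offset is its negation."""
    return timedelta(minutes=-reg_dword(raw, signed=True))


def install_date_local(date_raw, bias_raw):
    """Restate the UTC install time in the machine's standard time (no DST)."""
    return install_date_utc(date_raw).astimezone(timezone(bias_to_utc_offset(bias_raw)))


def format_offset(delta):
    minutes = int(delta.total_seconds()) // 60
    sign = "-" if minutes < 0 else "+"
    return f"UTC{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


if __name__ == "__main__":
    print("InstallDate (UTC):", install_date_utc(INSTALL_DATE_RAW).isoformat())
    print("Bias:", format_offset(bias_to_utc_offset(TZ_BIAS_RAW)))
    print("InstallDate (local):", install_date_local(INSTALL_DATE_RAW, TZ_BIAS_RAW).isoformat())
```

A registry viewer's Timestamp view may render the value in UTC or in the examiner's own local zone, so the code also restates the time in the suspect machine's offset for comparison with other artifacts.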

My next step was to identify the registered owner of the system. In order to do this, I opened up the SOFTWARE registry file and looked under Microsoft -> Windows NT -> Current Version. The registered owner for this device is Greg Schardt.

Next, I looked further into the system to see if I could determine if the user in question used any aliases. To determine this, I loaded the SAM file into Windows Registry Viewer to identify all user accounts located on the machine. According to the SAM file, there are currently 5 user accounts that could possibly access the system. These accounts are: Administrator, Guest, HelpAssistant, Mr. Evil, and SUPPORT_388945a0.

The next step was to identify who was the last user to log into the computer. In order to determine this, I looked in the SOFTWARE registry file under Microsoft -> Windows NT -> Current Version -> WinLogon. This entry shows that Mr. Evil is listed as the DefaultUserName as well as the AltDefaultUserName.

After looking into the system and user information, I started examining the hardware used on the laptop. I looked into the network cards that were installed and used on the laptop, the IP address(es) assigned to the laptop, and the MAC addresses of the network cards.

First I looked for the network cards in the SOFTWARE registry file under Microsoft -> Windows NT -> Current Version -> Network Cards. The first entry is for a Compaq WL110 Wireless LAN PC card. The second entry is for a Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface) card.

The next step was to find the IP addresses used on this machine. My first thought was to inspect the SYSTEM registry file for the TCP/IP settings for the network adapter. I was unable to find any evidence of IP addresses in the registry file. Next, I decided to look for evidence of the user Greg Schardt elsewhere on the machine. By doing a search in Windows Registry Viewer, I was able to determine that the user SCHARDT had a tool called Look@LAN installed on his machine. After some research online, I was able to determine that this tool is used for network discovery. I examined the installation directory for Look@LAN. Opening up the irunin.ini revealed the IP address and MAC address.

The LAN IP address is 192.168.1.111 and the MAC address of the laptop is 00010a4933e09.

Next, I set about finding out if this machine was used for hacking of any wireless networks. I figured that, after finding that Look@LAN was installed on this machine, looking in the Program Files directory on the laptop image might reveal additional hacking programs installed. From a directory look, it appears as if there are 4 program files that can be directly used for hacking wireless networks as well as some additional programs which also can be used for hacking activities.

The four wireless hacking programs are Cain, Ethereal, Look@LAN, and Network Stumbler.

In addition to the four wireless hacking programs, there is also 123WASP, a password cracking utility, and Anonymizer, which is used to conceal a user's IP address while surfing the web.

Next, I examined the laptop to see if there was any evidence that the suspect was communicating with others using NNTP or IRC. By doing a quick search of the SOFTWARE registry file under Clients, I was able to determine that the user had two possible NNTP programs installed on the computer: Forte Agent and Outlook Express. I then cross-referenced with google.com to make sure that both of these programs could be used to read NNTP. In fact, both can be used as NNTP clients.

I ran a Windows search on the mounted laptop image and found the Forte Agent install in F:\Program Files\Agent. To be sure I was able to see all folders, I enabled search of system folders, hidden files and folders, and subfolders. I then looked through the files to see if there were any of importance, and F:\Program Files\Agent\Data\AGENT.INI contains some useful information. For instance, the user, Mr. Evil, is subscribed to one NNTP news server, "news.dallas.sbcglobal.net".

Next, I did a search of the mounted drive to see if I could gather more information about NNTP subscriptions through Outlook Express. To be sure I was able to see all folders, I enabled search of system folders, hidden files and folders, and subfolders. A search of the drive exposed this directory: F:\Documents and Settings\Mr. Evil\Local Settings\Application Data\Identities\{EF086998-1115-4ECD-9B13-9ADC067B4929}\Microsoft\Outlook Express. I selected this folder and was presented with a number of newsgroups, many of which deal with hacking.

I also took an additional step of looking at the Program Files directory on the laptop, and that revealed that mIRC is installed on the machine. I looked at the mirc.ini file and found evidence of the Mr. Evil user.

Further, I examined the log file directory and found entries for a number of hacking-related IRC channels. I found this under the F:\Program Files\mIRC\logs directory.

Examining a log file from the mIRC logs directory shows that the user in question was using mIRC to communicate with other users on the internet.
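As an added example (not code from the report), the following Python parses a log in mIRC's default layout to recover the session bounds, the channel, who spoke how often, and the status events; the log text is constructed for the example, not taken from the image, and the channel and nicks in it are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in mIRC's default log layout; not a line from the image.
# mIRC writes a ctime-style "Session Start" line, a "Session Ident" line naming
# the channel, then "[HH:MM]" stamps with "* " status lines and "<nick>" chat lines.
SAMPLE_LOG = """\
Session Start: Fri Aug 20 14:04:40 2004
Session Ident: #example-chan
[14:04] * Now talking in #example-chan
[14:05] <mrevil> anyone around?
[14:06] <user_a> yes
[14:06] * user_b has joined #example-chan
[14:07] <mrevil> ok
Session Close: Fri Aug 20 14:30:12 2004
"""

SESSION_RE = re.compile(r"^Session (Start|Close|Ident): (.+)$")
CHAT_RE = re.compile(r"^\[(\d{2}:\d{2})\] <([^>]+)> (.*)$")
STATUS_RE = re.compile(r"^\[(\d{2}:\d{2})\] \* (.*)$")


def parse_mirc_log(text):
    """Summarise one log: session bounds, channel, messages per nick, status events."""
    summary = {"start": None, "close": None, "channel": None,
               "messages": Counter(), "status": []}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            kind, value = m.groups()
            key = {"Start": "start", "Close": "close", "Ident": "channel"}[kind]
            summary[key] = value
            continue
        m = CHAT_RE.match(line)
        if m:
            summary["messages"][m.group(2)] += 1
            continue
        m = STATUS_RE.match(line)
        if m:
            summary["status"].append((m.group(1), m.group(2)))
    return summary


def absolute_time(session_start, hhmm):
    """Chat lines carry only HH:MM; the date comes from the Session Start line.
    The result is the machine's local time, so the time-zone finding applies."""
    day = datetime.strptime(session_start, "%a %b %d %H:%M:%S %Y")
    hour, minute = map(int, hhmm.split(":"))
    return day.replace(hour=hour, minute=minute, second=0)
```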

Next, my task was to find any email addresses used by the user or websites that the user accessed. I navigated to the directory where cookies for Internet Explorer are stored for the user Mr. Evil, F:\Documents and Settings\Mr. Evil\Cookies. Here are the websites reflected in this directory:

I also examined the Temporary Internet Files folder to see if any further evidence of websites or emails was left behind. While examining, I noticed that there were files related to Yahoo. In particular, Yahoo leaves copies of an email session in a file called Showletter[1].htm. By opening this file, I was able to see that the user in question had a Yahoo email account under the user name mrevilrulez.

My next task was to determine if any viruses are on the system. To do this, I ran Avast and ran a targeted scan of the mounted disc image, mapped as my F: drive. Avast found several Trojan, Adware, and Exploitation viruses on the laptop image.

Conclusion

Based upon the evidence discovered on the laptop, including hacking programs, network sniffing programs, and evidence of participation in hacking discussions, it is my opinion that the suspect, Greg Schardt, was using the machine to hack into other people's computers to obtain information without their knowledge.