
Experiment-1

Name : Abid Hussain

Sap ID : 500075822

Roll No. : 09

-------------------------------------------------------------------
1. What is the image hash? Does the acquisition and verification hash match?

Hash is : aee4fcd9301c03b3b054623ca261959a
The acquisition hash is not given, so it is not possible to compare the two.
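Question 1 is about verifying that the image examined is the image that was acquired, which means recomputing the digest and comparing it with the one recorded at acquisition. The following Python is an added example (not part of the original report or the case materials) of how that check is done in practice: the image is hashed in chunks so it does not have to fit in memory, the comparison ignores case and whitespace, and a missing acquisition hash is reported as "no reference value" rather than as a match or a mismatch. The `sample_image` bytes and the hash values in the `__main__` block are constructed for illustration.

```python
import hashlib
from io import BytesIO

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a multi-gigabyte image never has to fit in RAM


def hash_stream(stream, algorithm="md5"):
    """Return the lowercase hex digest of a readable binary stream, hashed in chunks."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_file(path, algorithm="md5"):
    """Hash an image file on disk (for example a raw dd image)."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithm)


def verify_image(acquisition_hash, verification_hash):
    """Compare the hash recorded at acquisition with the one recomputed now.

    Returns True for a match, False for a mismatch, and None when no acquisition
    hash was recorded: a missing reference value is a documentation gap, not a
    match. Case and surrounding whitespace are ignored because tools print
    digests in either case.
    """
    if not acquisition_hash or not acquisition_hash.strip():
        return None
    return acquisition_hash.strip().lower() == verification_hash.strip().lower()


def verification_report(acquisition_hash, image_bytes, algorithm="md5"):
    """Bundle the recomputed digest and the comparison result for the write-up."""
    recomputed = hash_stream(BytesIO(image_bytes), algorithm)
    return {
        "algorithm": algorithm,
        "acquisition_hash": acquisition_hash,
        "verification_hash": recomputed,
        "match": verify_image(acquisition_hash, recomputed),
    }


if __name__ == "__main__":
    # Constructed stand-in for an image; a real image is a file, hashed with hash_file().
    sample_image = b"abc"
    print(verification_report("900150983cd24fb0d6963f7d28e17f72", sample_image))
    # The lab sheet records only a verification hash, which the report flags as "match": None.
    print(verification_report("", sample_image))
```

In a real case the `acquisition_hash` comes from the acquisition log or the imaging tool's output, and the algorithm should be the one the acquiring tool used (MD5 here, since the lab sheet records an MD5-length digest).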

2. What operating system was used on the computer?


Operating system is : Windows

3. When was the install date?

Install date is : 2004-08-19

4. What is the time zone settings?


Time Zone is : Indian Standard Time (IST)
5. Who is the registered owner?
Owner Name is : Greg Schardt

6. What is the computer account name?


Account Name is : Mr. Evil

7. What is the primary domain name?


Primary Domain Name is : N-1A9ODN6ZXK4LQ

8. When was the last recorded computer shutdown date/time?


Shutdown Date/Time is : 27-8-2004 and time is 10:46:27

9. How many accounts are recorded (total number)?


5 usernames are : Guest, Admin, Mr. Evil, SUPPORT_388945a0, HelpAssistant

10. What is the account name of the user who mostly uses the computer?
Mr. Evil is the most used account name

11. Who was the last user to logon to the computer?


Mr. Evil is the last user to logon to the computer
12. A search for the name of "Greg Schardt" reveals multiple hits. One of these
proves that Greg Schardt is Mr. Evil and is also the administrator of this
computer. What file is it? What software program does this file relate to?
Greg Schardt is the registered owner, while Mr. Evil is the only user of the system.
This is the exact person we were looking for.

13. List the network cards used by this computer


1. Compaq WL110 Wireless LAN PC card
2. Xircom Cardbus Ethernet 100 + Modem 56

14. This same file reports the IP address and MAC address of the computer. What are they?
File contains both IP and MAC Address :
%LANIP% : 192.168.1.111
%LANNIC% : 0010a4933e09

15. An internet search for vendor name/model of NIC cards by MAC address can be used to
find out which network interface was used. In the above answer, the first 3 hex characters
of the MAC address report the vendor of the card. Which NIC card was used during the
installation and set-up for LOOK@LAN?

The network interface card (NIC) used during installation, with the MAC 0010a4933e09, is the
Xircom Cardbus Ethernet 100 + Modem 56
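Question 15 relies on the vendor prefix of a MAC address (the OUI, which is the first three octets, i.e. the first six hex digits, not three hex characters). The following Python is an added example (not part of the original report or the case materials) showing how an examiner normalizes the MAC spellings found in different artifacts, extracts the OUI, and looks it up. The only registry entry is the Xircom prefix implied by this page's own data (0010a4933e09 maps to the Xircom Cardbus card); a real lookup would load the IEEE OUI registry file instead of this constructed table.

```python
import re

# Constructed sample registry: the Xircom entry follows from the case data on this page
# (MAC 0010a4933e09 -> Xircom Cardbus card). A real lookup loads the IEEE MA-L/OUI registry.
OUI_REGISTRY = {
    "0010A4": "Xircom",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Reduce any common MAC spelling to 12 uppercase hex digits, or raise ValueError.

    Accepts 0010a4933e09, 00:10:a4:93:3e:09, 00-10-A4-93-3E-09 and 0010.a493.3e09,
    the forms seen in tool output, INI files and command-line dumps.
    """
    digits = re.sub(r"[\s:.\-]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui_of(mac):
    """The vendor prefix is the first three octets, i.e. the first six hex digits."""
    return normalize_mac(mac)[:6]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was assigned by software,
    not burned in by the vendor, so an OUI lookup says nothing about the hardware."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def lookup_vendor(mac, registry=OUI_REGISTRY):
    """Vendor name for the MAC's OUI, with the two cases where no vendor can be named."""
    if is_locally_administered(mac):
        return "locally administered (no vendor OUI)"
    return registry.get(oui_of(mac), "unknown OUI")


if __name__ == "__main__":
    # Constructed inputs: the case MAC in the spellings different artifacts use,
    # plus one software-assigned address to show the locally-administered check.
    for sample in ("0010a4933e09", "00:10:A4:93:3E:09", "0010.a493.3e09", "02:00:00:00:00:01"):
        print(sample, "->", oui_of(sample), lookup_vendor(sample))
```

The locally-administered check matters in forensics: a spoofed or virtual adapter carries an address that no vendor registry will resolve, and reporting "Xircom" for such an address would be wrong.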
16. Find 6 installed programs that may be used for hacking.
1. Anonymizer
2. Ethereal
3. Cain and Abel
4. 123WASP
5. NetStumbler
6. Look@LAN

17. What is the SMTP email address for Mr. Evil?


The AGENT.INI file should be examined for this info; in it we can find the mail address of Mr. Evil,
which is : whoknowsme@sbcglobal.net

18. What are the NNTP settings for Mr. Evil?


The NNTP settings for Mr. Evil can be found by looking at the file named AGENT.INI
News Server : “news.dallas.sbc.global.net”
MailServer : “smtp.sbcglobal.net”

19. What two installed programs show this info?


We have to look at the file NTUSER.DAT for this info, and we found that MS OUTLOOK
EXPRESS is the only installed program in there

20. List 5 newsgroups that Mr. Evil has subscribed to?


There are many newsgroups which Mr. Evil has subscribed to, which we can see in the screenshot
21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user
settings that was shown when the user was online and in a chat channel?

Going through the mirc.ini file, we found :


User : Mini Me
Email : none@of.ya
Nick = Mr
Anick = mrevilrulez
22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of
this computer accessed.
In the mirc folder, go through the logs; the chat sessions appear there.

23. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless
internet packets was also found to be installed. When TCP packets are collected and re-
assembled, the default save directory is that user’s \My Documents directory. What is the
name of the file that contains the intercepted data?
In the Ethereal directory, there was a 'recent' file; this file contains "interception"

24. Viewing the file in a text format reveals much information about who and what was
intercepted. What type of wireless computer was the victim (person who had his internet
surfing recorded) using?
The file with the interception in it was found by typing in the search bar at the top right

25. What website was the victim accessing?


Website accessed by the victim is : mobile.msn.com
26. Search for the main user’s web based email address. What is it?
As we can see in the screenshot, Mr. Evil's email is mrevilrulez@yahoo.com

27. Yahoo mail, a popular web based email service, saves copies of the email under what file
name?
Yahoo Emails are stored under : ShowLetter[1]
From here we can confirm the email address used by Mr. Evil

28. How many executable files are in the recycle bin?


4 executable files, which can be seen under RECYCLER
29. Are these files really deleted ?
Not really; they were just moved to the recycle bin
30. How many files are actually reported to be deleted by the file system?
In total, 1381 files were deleted
31. Perform an Anti-Virus check. Are there any viruses on the computer?
Found under interesting files : a zip bomb

A zip bomb is a malicious zip archive designed to crash the program or system that unpacks it.
It is used to disable antivirus programs.
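The defensive counterpart to question 31 is recognizing a zip bomb before anything is extracted. The following Python is an added example (not part of the original report or the case materials) that inspects only the archive's central directory: it compares each member's declared uncompressed size with its compressed size, flags nested archives, and refuses a total that would exceed a size budget, all without inflating a single byte. The archive it inspects is constructed inside `build_sample_archive()` for illustration and is not the file from the case; the `MAX_RATIO` and `MAX_TOTAL_BYTES` thresholds are assumed values that a scanner would tune.

```python
import io
import zipfile

MAX_RATIO = 100            # deflate tops out near 1032:1; ordinary data rarely exceeds ~100:1
MAX_TOTAL_BYTES = 1 << 30  # refuse to unpack more than 1 GiB in total, whatever the ratio


def inspect_zip(zip_bytes, max_ratio=MAX_RATIO, max_total=MAX_TOTAL_BYTES):
    """Return (member_name, reason) findings read from the central directory only.

    Declared sizes come from the headers, so the archive is judged before any
    member data is inflated. Nested archives are reported rather than opened,
    because a bomb can hide its ratio one layer down.
    """
    findings = []
    total_declared = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            total_declared += info.file_size
            if info.compress_size == 0:
                ratio = 0.0 if info.file_size == 0 else float("inf")
            else:
                ratio = info.file_size / info.compress_size
            if ratio > max_ratio:
                findings.append((info.filename, f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1"))
            if info.filename.lower().endswith(".zip"):
                findings.append((info.filename, "nested archive; inspect recursively before unpacking"))
    if total_declared > max_total:
        findings.append(("<archive>", f"declared total {total_declared} bytes exceeds {max_total}"))
    return findings


def is_suspicious(zip_bytes, **limits):
    """True when any finding would justify quarantining the archive instead of unpacking it."""
    return bool(inspect_zip(zip_bytes, **limits))


def build_sample_archive():
    """Constructed test archive: one highly compressible member, one ordinary text
    file and one nested zip. It is a test fixture, not a real bomb."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.txt", b"nested")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (1 << 20))  # 1 MiB of zeros deflates to about 1 KiB
        zf.writestr("notes.txt", b"ordinary text that does not compress much")
        zf.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_archive()):
        print(f"{name}: {reason}")
```

Antivirus engines apply the same idea with more layers (recursion depth limits, per-member and per-archive budgets); the point for an examiner is that the declared sizes in the headers are enough to recognize the pattern without running the risk of unpacking it.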
