Solving Computer Forensics Case Using Autopsy



 

Computer Forensics is the well-planned series of procedures and techniques used for obtaining evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law.

This article focused on a particular case and a forensic tool to give you a ‘feel’ of what computer forensics investigations are like. However, it is in no way comprehensive enough to cover the variety of problems and complications faced by the investigator.
 

Scenario 

A complaint was made to the authorities describing alleged Wi-Fi hacking activity. When the authorities reached the spot, they found an abandoned Dell computer which is suspected that this computer was used for hacking purposes. Schardt uses "Mr.Evil" nickname when he goes online.
He is also accused of parking his car in wireless range (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numbers, usernames & passwords. We're going to solve 20 important questions that will be related to this case by examining the images of his computer.

Tasks performed: During the course of investigation, analysis of the evidence would require performing the 12 basic tasks of computer forensics:


  1. Generating an image hash and confirming the integrity of the image
  2. Determining the Operating System used on the disk
  3. Determining the date of OS installation
  4. Determining the registered owner, account name in use and the last recorded shut down date and time
  5. Determining the account name of the user who mostly used the computer and the user who last logged into it
  6. Determining the hacker handle of the user and tying the actual name of the user to his hacker handle
  7. Determining the MAC and last allocated IP address of this computer
  8. Locating the programs installed in this computer that could have been used for hacking purposes
  9. Collecting information regarding the IRC service that was used by the owner
  10. Searching the Recycle Bin for relevant information
  11. Listing the Newsgroups that the owner of the computer has registered to
  12. Determining the SMTP email address in use


We will use Autopsy software for this forensic investigation and windows7.

Seized Laptop's Disk Image
Part 1: http://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E01
Part 2: http://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E02

Autopsy download link: https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.14.0/autopsy-4.14.0-64bit.msi

Step 1: After downloading the evidence disk and installing Autopsy, run Autopsy it and select New Case



Step 2: Set a name for this case as i have set Mr.Evil and also set the location where you want to save your forensic investigation data. click next and provide information but it's optional. click finish.





Step 3: Select the first options Disk Image



Select the evidence disk image which you have downloaded before. i have created a separate folder by the name of Forensic Case and pasted the disk images into it.


Note: Although both parts of downloaded image are there in this folder, you will only see the first part to select. Autopsy will automatically take the second part of the downloaded image.


Click next and let all options as default.



Wait until all steps of analysis and integrity check loads completely.
make sure you have sufficient storage minimum 1GB otherwise the modules will not completely load and the investigation will be incomplete.


So now let's start our investigation
We will find the solution for these given tasks from the disk image of the suspect.


Q1. What is the image hash?
Q2: What operating system was used on the computer?
Q3: When was the install date?
Q4. Who is the registered owner?
Q5. What is the computer account name?
Q6. When was the last recorded computer shutdown date/time?
Q7. How many accounts are recorded (total number)?
Q8.Who was the last user to logon to the computer?
Q9. List the network cards used by this computer?
Q10. What is the IP address and MAC address of the computer?
Q11. Search for programs/tools that aided in the crime (Wireless Hacking)
Q12. Which Email client is used by Mr. Evil?
Q13. What is the SMTP email address for Mr. Evil?
Q14. How many executable files are in the recycle bin?
Q15. Are there any malware on the computer?
Q16. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the userid,
Q17. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?
Q18. Which internet browser was used?
Q19. What websites victim was accessing?
Q20. What is the web-based email address for the main user?


Q1. What is the image hash?
Ans1: The HASH of image is AEE4FCD9301C03B3B054623CA261959A.

How?
Click on Data source --> Select the image Dell Latitude CPi, E01 --> Click on Metadata
MD5: AEE4FCD9301C03B3B054623CA261959A

We check hash to see if the image is not altered or something is not added or not deleted from the activities. It's very important because a single tamper to data would make an accused, guilty or innocent.



Q2: What operating system was used on the computer?
Ans2: Microsoft Windows XP was used.

How?
Click on results --> Extracted Content --> Operating System Information
then on the right side click on software you can see the under Program Information tab which is written Microsoft Windows XP.
Q3: When was the install date?
Ans3: 2004-08-19 22:48:27
How?
Click on results --> Extracted Content --> Operating System Information
then on the right side click on software you can see under the Date Time tab which is written Microsoft Windows XP.


Q4. 
Who is the registered owner?
Ans4: The owner is Greg Schardt

How?
Click on results --> Extracted Content --> Operating System Information
then on the right side click on software you can see the under Owner tab which shows Greg Schardt.



Q5. What is the computer account name?
Ans5: The account name is N-1A9ODN6ZXK4LQ


How?
Click on results --> Extracted Content --> Operating System Information
then on the right side click on System you can see the under Name which it shows N-1A9ODN6ZXK4LQ

Q6. When was the last recorded computer shutdown date/time?
Ans6: The last recorded shutdown time of the computer is 2004/08/27-10:46:27


How?
Click on Data Sources select 4Dell Latitude --> vol2 --> WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTime



Q7. How many accounts are recorded (total number)?
Ans7: There are 5 accounts
Mr, Administrator, Guest, Support388945a0, HelpAssistant


How?
Click on Results --> Operating System User Accounts


Q8.Who was the last user to logon to the computer?
Ans8: Mr. Evil
The system will obtain the last user who logged on from the key ‘DefaultUserName’. This information can be uncovered from the following path


How?
Click on Data Sources select 4Dell Latitude --> vol2 -->
WINDOWS/SYSTEM32/CONFIG/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENT VERSION/WINLOGON/DEFAULT USER NAME

Q9. List the network cards used by this computer?
Ans9: Compaq WL110 Wireless LAN PC Card, Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface).
How?
Click on Data Sources select 4Dell Latitude --> vol2 -->
WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
click on descriptions




Q10. What is the IP address and MAC address of the computer?
Ans10: IP=192.168.1.111, MAC=00:10:a4:93:3e:09


How?
Click on Data Sources select 4Dell Latitude --> vol2 --> Program Files/Look@LAN/irunin.ini

Q11. Search for programs/tools that aided in the crime (Wireless Hacking)
Ans11: The programs which will be used for hacking purpose
1. Look@LAN
Look@Lan is an advanced network monitor that allows you to monitor your net in few clicks.
2. Cain
Cain and Abel is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
3. Network Stumbler
NetStumbler is a tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft Windows operating systems from Windows 2000 to Windows XP.
4. mIRC
mIRC is an Internet Relay Chat client for Windows, created in 1995.
5. Ethereal/Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

6. 123WASP
WASP will display all passwords of the currently logged in user that are stored in the Microsoft PWL file.


Click on Results --> Extracted Content --> Installed Programs

Q12. Which Email client is used by Mr. Evil?

Ans12: Outlook Express, Forte Agent, MSN Explorer, MSN (Hotmail) Email
How?

Click on Data Sources select 4Dell Latitude --> vol2 -->
WINDOWS\system32\config\software\clients\Mail

Q13. What is the SMTP email address for Mr. Evil?
Ans13: The SMTP email address iswhoknowsme@sbcglobal.net How?
Click on Data Sources select 4Dell Latitude --> vol2 -->
Program Files\Agent\Data\Agent.ini


Q14. How many executable files are in the recycle bin?
Ans14: There are 4 files in recycle bin
How?
Click on Data Sources select 4Dell Latitude --> vol2 -->
Recycler

Q15. Are there any malware on the computer?
Ans15: Yes there is a zip bomb malware by the name of unix_hack.giz in this system.
How?
Click on Results --> Extracted Content --> Interesting Items --> Possible Zip Bomb -->Interesting Files

Q16. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the userid,
Ans16: user=Mini Me, email=none@of.ya, nick=Mr, anick=mrevilrulez
How?

Click on Data Sources select 4Dell Latitude --> vol2 -->
Program Files\mIRC\mirc.ini



Q17. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?

Ans17: File name is Interception
How?

Click on Data Sources select 4Dell Latitude --> vol2 -->
Document and Settings\Mr.Evil\intercerption
Q18. Which internet browser was used?

Ans18: Internet explorer
How?
Click on Data Sources select 4Dell Latitude --> vol2 -->
Document and Settings\Mr.Evil\intercerption


scroll down and see User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)

Q19. What websites victim was accessing? Ans19: login.passport.com, mobile.msn.com, www.passportimages.com
How?
you can also copy all texts from intercept file and search for the .com it will show you the websites which were visited.

Q20. What is the web-based email address for main user?
Ans20: mrevilrulez@yahoo.com was found in web history.
How?
Click on Results --> Extracted Content --> Web History
I have used Windows 7 Magnifier to zoom in



Conclusion
Computers Forensics is a vast field of study and includes topics like Processing Crime Scenes, Operating Systems and File Structures, Recovering Graphic Files and Defeating Steganography, Email Investigations, Mobile Device Investigations, Report Writing.




Comments

  1. In the same data source, have few other tasks to be performed. email activity on a certain date and website browsed

    ReplyDelete
  2. how to check rdp connection in autopsy

    ReplyDelete

Post a Comment

Popular posts from this blog

Pentesting - Exploitation Guide Metasploitable 1

How does a proxy server work