Scenario
On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along with a wireless PCMCIA card and an external homemade 802.11b antenna. It is suspected that this computer was used for hacking purposes, although it cannot be tied to a hacking suspect, G=r=e=g S=c=h=a=r=d=t. (The equal signs are just to prevent web crawlers from indexing this name; there are no equal signs in the image files.) Schardt also goes by the online nickname of “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numbers, usernames & passwords.
Resources (Images)
Download the images and ensure they are not corrupted. Use a stable internet connection for best results.
Initially, I attempted to automate the download using PowerShell, but the files were getting corrupted. Therefore, I used wget on my Linux machine to download the files and then transferred them to my Windows machine, where I have Autopsy installed.
wget https://cfreds-archive.nist.gov/images/4Dell%20Latitude%20CPi.E01
wget https://cfreds-archive.nist.gov/images/4Dell%20Latitude%20CPi.E02
Creating the Case in Autopsy
Before we begin answering the questions, we need to create a case in Autopsy. Since the images are already provided, there is no need for acquisition.
✨ Make sure you have Autopsy installed on your system.
Start Autopsy. Once it opens, navigate to the Case tab and create a new case. Follow the steps below:
Step 1
Click on New Case
Step 2
Give your case a name. In my case, I named it NistHackingCase.
Step 3
Provide some additional information.
ℹ️ These details are optional but important, especially in real-world investigations where documentation and case tracking are essential.
Step 4
Click Next, then select the data source type — in this case, choose Disk Image or VM File.
Step 5
Browse to the location of the disk image you downloaded.
Step 6
For practice purposes, select all the ingest modules (i.e., check all the boxes). This will ensure that Autopsy returns data from all relevant sources.
Step 7
Wait for Autopsy to finish processing the data. This may take a few seconds to a minute, depending on your system.
Dashboard View
Once the data is loaded, you will see the Autopsy dashboard like this:
Analysis and Answers
Now that we have our environment set up, let’s begin answering the questions.
🔎 It’s worth noting that knowledge of the Windows Registry is crucial for completing this case successfully, as many of the answers rely on parsing registry hives such as SOFTWARE, SYSTEM, and SAM.
❌ Q1. What is the image hash? Does the acquisition and verification hash match?
We will skip this question, as we were not involved in the acquisition process. The image was provided to us.
✅ Q2. What operating system was used on the computer?
Navigate to Data Artifacts > Operating System Information.
From there, we can confirm that the system is running Windows XP.
✅ Q3. When was the install date?
The install date can be found in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Autopsy parses this key to extract the installation date.
After converting the timestamp to UTC, the installation date is:
Thursday, August 19, 2004 – 12:48:27 PM (UTC)
✅ Q4. What is the timezone setting?
We check the registry path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\TimeZoneInformation
This key contains information about the configured timezone.
There are two control sets (ControlSet001 and ControlSet002), but we use ControlSet002 as it’s marked as the LastKnownGood configuration.
✅ Q5. Who is the registered owner?
Navigate back to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
The RegisteredOwner field shows the user who registered the OS:
G=r=e=g S=c=h=a=r=d=t
The use of = is a redaction technique to avoid search engine indexing.
✅ Q6. What is the computer account name?
To retrieve the computer name, go to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ComputerName\ComputerName
This is the standard location where Windows stores the assigned computer name.
✅ Q8. When was the last recorded computer shutdown date/time?
Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Windows
Look for the binary value ShutdownTime. Converting the hex value C4 92 8E 51 86 8B C4 01 reveals:
August 27, 2004 – 10:46:33
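The two registry timestamps in Q3 and Q8 are stored in different encodings: InstallDate is a REG_DWORD holding seconds since the Unix epoch, while ShutdownTime is a REG_BINARY FILETIME (100 ns ticks since 1601-01-01, written as 8 little-endian bytes). The decoder below is an added example, not part of the original write-up or of Autopsy; the sample values in it are constructed for illustration (the hex encodes 2004-08-27 15:46:33 UTC) and are not the bytes taken from the image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC,
# written to the registry as 8 little-endian bytes (REG_BINARY).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed samples (not the values from the image): the hex below is the
# FILETIME for 2004-08-27 15:46:33 UTC, the DWORD is 2004-08-19 12:48:27 UTC.
SAMPLE_SHUTDOWN_HEX = "80 52 F0 06 4D 8C C4 01"
SAMPLE_INSTALL_DATE = 1092919707


def filetime_from_hex(hex_bytes: str) -> datetime:
    """Decode a ShutdownTime value as a hive viewer shows it (hex bytes).

    The bytes are little-endian, so the last byte (01) is the most
    significant. Reading them in display order as one big number is a
    common mistake and yields a date thousands of years off.
    """
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # timedelta has microsecond resolution; drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime_hex(when: datetime) -> str:
    """Inverse of filetime_from_hex; useful to cross-check a manual conversion."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks).hex(" ").upper()


def install_date_from_dword(value: int) -> datetime:
    """Decode the REG_DWORD InstallDate (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


if __name__ == "__main__":
    # Both registry values are already in UTC; convert to local time only
    # after applying the TimeZoneInformation bias found in Q4.
    print("ShutdownTime:", filetime_from_hex(SAMPLE_SHUTDOWN_HEX).isoformat())
    print("InstallDate: ", install_date_from_dword(SAMPLE_INSTALL_DATE).isoformat())
```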
✅ Q9. How many accounts are recorded (total number)?
The SAM hive stores local user account information.
Path to check:
SAM\Domains\Account\Users\Names
Each subkey under Names corresponds to a user account. In this case, we see 5 accounts listed.
✅ Q10. What is the account name of the user who mostly uses the computer?
To determine the most active user, I examined the logon count values under the user keys. Mr.Evil had 15 logons, making him the primary user of the machine.
✅ Q11. Who was the last user to log on to the computer?
Registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The value DefaultUserName holds the name of the last user who logged in.
✅ Q12. What file proves that “G=r=e=g S=c=h=a=r=d=t” is Mr. Evil and also the administrator?
A keyword search revealed a file named irunin.ini.
It contains configuration information linking Greg Schardt to the Mr.Evil username and confirms administrative privileges.
✅ Q13. List the network cards used by this computer.
We inspect the following registry path in both ControlSets:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
This key lists all network adapters (physical or virtual) ever installed.
Under the subkeys:
- 0010 → Compaq WL110 Wireless LAN PC Card
- 0001 → Xircom Ethernet Adapter
✅ Q14. What is the IP address and MAC address of the computer?
Revisiting the irunin.ini file, we find both the IP and MAC addresses listed.
This file was saved during the setup of a network tool and contains relevant interface details.
✅ Q15. Which NIC card was used during the installation of LOOK@LAN?
To identify the NIC vendor, take the first three octets (six hex characters, the OUI) of the MAC address found earlier:
OUI: 00:10:A4
An online lookup or OUI database shows this prefix is assigned to:
Vendor: XIRCOM
This confirms that the Xircom NIC was active during LOOK@LAN installation and setup.
Q16. Find 6 installed programs that may be used for hacking.
Honestly, I did something that should not be done in a real-world scenario — the software list is very old, and instead of manually evaluating them, I copied the installed programs and asked ChatGPT. 😅
⚠️ Note: In real investigations, do not copy or paste forensic data online. Follow proper analysis and policy procedures.
✅ Potential Hacking / Penetration Testing Tools:
- Ethereal 0.10.6 (Wireshark predecessor)
  - Network sniffer and analyzer.
  - Can capture/analyze network packets including sensitive data.
- Look@LAN
  - Network monitoring tool, potentially used for footprinting.
- CuteFTP
  - File transfer tool. Can be used to upload/download malicious files.
- Network Stumbler 0.4.0
  - WiFi scanning tool.
  - Can be used for wardriving or locating weak wireless networks.
- 123 Write All Stored Passwords
  - Password dumping utility — definitely malicious intent.
- Cain & Abel v2.5 beta45
  - Password cracking, ARP spoofing, MITM attacks.
  - Widely used in hacking and pentesting.
- Anonymizer Bar 2.0
  - Hides IP addresses.
  - Helps maintain anonymity — not inherently malicious, but can aid hackers.
Q17. What is the SMTP email address for Mr. Evil?
I used the search function with the keyword EmailAddress to locate any related entries in config files, since the Data Artifacts section didn’t have a direct answer.
Q18. What are the NNTP (news server) settings for Mr. Evil?
Used the keyword NewsServer in the search bar. The information appeared in the AGENT.INI file.
Q19. What two installed programs show this information?
I copied the installed programs and prompted ChatGPT with: “Among the installed softwares, which one uses NNTP (News Server)? Just list the names of the tools. No explanation.”
📝 Again, avoid copying forensic data to AI tools in real investigations.
Q20. List 5 newsgroups that Mr. Evil has subscribed to.
This was tricky until I decided to explore the Outlook directory. That revealed the list of subscribed groups.
Q21. What are the user settings shown in mIRC while online?
I searched for mIRC and found the mirc.ini file, which holds user and configuration settings. .ini files typically store application settings.
Q22. This IRC program logs chat sessions. List 3 IRC channels visited.
Easiest question. Navigated to the mIRC program folder and opened the /logs directory. It showed all accessed channels.
📂 Location: /img_4Dell Latitude CPi.E01/vol_vol2/Program Files/mIRC/logs
Q23. Ethereal intercepted data: what is the file name?
I followed the path mentioned:
📁 /img_4Dell Latitude CPi.E01/vol_vol2/Documents and Settings/Mr. Evil/
The file was named interception.
Q24. What wireless device was used by the victim?
Opened the intercepted file in a text editor. The headers revealed the device info:
📱 Windows CE (Pocket PC) - Version 4.20
Q25. What websites was the victim accessing?
From the same intercepted traffic, the site accessed was:
🌐 Host: mobile.msn.com
Q26. What is the main user’s web-based email address?
Checked the temporary internet files under Mr. Evil’s profile:
📂 /img_4Dell Latitude CPi.E01/vol_vol2/Documents and Settings/Mr. Evil/Local Settings/Temporary Internet Files
Specifically:
/Content.IE5/HYU1BON0/ShowLetter[1]/ShowLetter[1]/0
It revealed a Yahoo alert containing the user’s email.
Q27. Yahoo mail saves email copies under what file name?
🗂 The folder was named ShowLetter[1], and it contained .html files which preserved email content.
Q28. How many executable files are in the Recycle Bin?
Accessed the old recycle bin folder (called RECYCLER in Windows 2000/XP):
📂 /img_4Dell Latitude CPi.E01/vol_vol2/RECYCLER/S-1-5-21-2000478354-688789844-1708537768-1003
Found 4 executable files (.exe).
Conclusion
This forensic investigation revealed several hacking tools, suspicious configurations, and evidence of malicious activity. Through methodical analysis of installed programs, configuration files, and internet artifacts, key insights were uncovered about the user’s intent and actions. Such findings highlight the importance of proper digital forensic practices and maintaining chain of custody in real-world scenarios.