NIST Hacking Case
Uploaded by lnookarapu

Scenario
• On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned.
• It has a wireless PCMCIA card and an external homemade 802.11b antenna.
• It is suspected that this computer was used for hacking purposes.
• It may be tied to a hacking suspect, Greg Schardt.
• Schardt also goes by the online nickname of "Mr. Evil".
• Some of his associates have said that he would park his vehicle within range of wireless access points (like Starbucks and other T-Mobile hotspots), where he would then intercept internet traffic, attempting to get credit card numbers, usernames and passwords.
Goal: is Greg Schardt a hacker?
• Find
• any hacking software, if there is any
• evidence that the software was actually used
• any data it may have generated: intercepted internet traffic, credit card numbers, usernames and passwords
• Attempt to tie the computer to the suspect.
Get DD images
Download the DD image parts (repeat wget for each of the 8 parts)

1. What is the image hash? Does the acquisition and verification hash match?
Merge the .00? parts into one dd image (cat them in numeric order)
Check the MD5 of the merged image against the published acquisition hash
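Added example (not part of the original slides): the merge-and-verify step written in Python so it can be checked offline. It assumes the parts are named image.001, image.002, ... (the slides' .00? naming) and that the expected MD5 comes from the acquisition record; the three one-byte parts built in demo() are constructed here so that the merged image is the string "abc", whose MD5 is the RFC 1321 test value.

```python
"""Merge split dd image parts in numeric order and verify the result's hash."""
import hashlib
import os
import re
import tempfile


def list_parts(directory, prefix):
    """Return the parts named <prefix>.NNN under directory, sorted numerically.

    The shell glob image.00? sorts lexically and only covers nine parts;
    sorting on int(suffix) keeps .010 after .009, and a gap in the numbering
    is reported instead of producing a silently truncated image.
    """
    pattern = re.compile(re.escape(prefix) + r"\.(\d{3,})$")
    parts = []
    for name in os.listdir(directory):
        match = pattern.match(name)
        if match:
            parts.append((int(match.group(1)), os.path.join(directory, name)))
    parts.sort()
    for expected, (index, _) in enumerate(parts, start=1):
        if index != expected:
            raise ValueError("missing image part number %03d" % expected)
    return [path for _, path in parts]


def merge_parts(paths, out_path, chunk_size=1 << 20):
    """Concatenate the parts into out_path; hash the bytes as they are written
    so the digests describe exactly the file that was produced."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(out_path, "wb") as out:
        for path in paths:
            with open(path, "rb") as part:
                for chunk in iter(lambda: part.read(chunk_size), b""):
                    out.write(chunk)
                    md5.update(chunk)
                    sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hashes_match(expected, actual):
    """Case-insensitive compare; a mismatch means the copy is not the acquired evidence."""
    return expected.strip().lower() == actual.strip().lower()


def demo():
    """Constructed sample: parts 'a', 'b', 'c' whose merge is b'abc', for which
    the MD5 is the RFC 1321 test value 900150983cd24fb0d6963f7d28e17f72."""
    with tempfile.TemporaryDirectory() as tmp:
        for number, data in enumerate((b"a", b"b", b"c"), start=1):
            with open(os.path.join(tmp, "image.%03d" % number), "wb") as fh:
                fh.write(data)
        merged = os.path.join(tmp, "image.dd")
        md5, sha256 = merge_parts(list_parts(tmp, "image"), merged)
        return md5, hashes_match("900150983cd24fb0d6963f7d28e17f72", md5)


if __name__ == "__main__":
    print(demo())
```

Record both digests: the case was published with an MD5, but MD5 collisions are practical today, so a SHA-256 taken at the same time is what you would want to cite in a report.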
2. What operating system was used on the computer?
Show the NTFS partitions and unallocated space using mmls
Extract the SOFTWARE hive (Windows\System32\config\software), which holds the OS information in the registry
Find the RegRipper plugin for it
Run the winver plugin
3. When was the OS install date?
• See previous slide
• InstallDate 2004-08-19 22:48:27Z
4. What are the time zone settings?
Search the file listing for "system" (the $ anchors the pattern to the end of the line, so system$ matches only names that end in "system")
Extract the SYSTEM hive
Find the time zone (RegRipper timezone plugin)
5. Who is the registered owner?
6. What is the computer account name?
7. What is the primary domain (workgroup) name?
• A Windows domain or workgroup is associated with the PC name and IP address
• The workgroup can be found in the system event log
• We need to
• search for the workgroup in the system event log
• extract the event log
• find a tool to parse the event log
• find the domain information
Dump the system event log
Download evtparse
Test evtparse
Parse the system event log
Find the domain information, PC name, etc.
8. When was the last recorded computer shutdown date/time?
9. How many accounts are recorded (total number)?
• All Windows user account names, SIDs (Security Identifiers), login
counts, creation dates, last password change dates, groups, and much
more can be found in the Windows Registry SAM (Security Account
Manager) file.
10. What is the account name of the user who mostly uses the computer?
• Same as question 9
Method 1

11. Who was the last user to log on to the computer?
Method 1: shutdown
Method 2: convert the epoch timestamp to a date
12. Prove that Greg Schardt is Mr. Evil
• A search (on the local PC) for the name "Greg Schardt" reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?
• Approach
• Search for "Greg" and check whether the name is associated with "Evil"
• In order to search, we need to mount the DD image
Create a mounting point
Set up a loop device
Mount the dd image read-only at the mounting point (use the partition start reported by mmls as the loop offset, in bytes: start sector × sector size)
Search globally for the string "Greg Schardt"

Observation:
• look@lan is an installed program, since it was found under the "Program Files" folder
• look@lan has a configuration file named "irunin.ini"
• The initial config file has owner and user name information
• The config file has a setup log
Search for the string "evil"
Other evidence may help:
Search for both keywords "Evil" and "Greg". The search results show that "Evil" is associated with Yahoo web visits.
13. List the network cards used by this computer
14. This same file reports the IP address and MAC address of the computer. What are they?
• list all files that contain an IP address
• list all files that contain a MAC address
• find the intersection of the two lists
egrep or grep -E: run grep with extended regular expressions
-r: search recursively
-I: ignore binary files
-l: only list the file name
\b: match a word boundary (the beginning or end of a word)
[^...]: match anything except the characters within the brackets, by beginning the list of characters inside the brackets with a ^ character
Verify that irunin.ini has both an IP and a MAC address
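Added example (not part of the original slides): the grep -rlE intersection done in Python, so the regexes can be tested against known input. SAMPLE_FILES is a constructed stand-in for files on the mounted image (its addresses are invented); scan_tree() runs the same logic over a real directory. It goes slightly beyond the slides' regex by checking that every octet is at most 255, which drops version strings that the bare pattern would accept.

```python
"""Find files that contain both an IPv4 address and a MAC address."""
import os
import re

# \b keeps "10.0.0.1" from matching inside "210.0.0.12"; the octet check in
# ipv4_addresses() rejects matches such as 5.1.300.1 that are not addresses.
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Six hex pairs joined by ':' or '-' (irunin.ini uses the dashed form), any case.
MAC_RE = re.compile(rb"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def ipv4_addresses(data):
    """Dotted quads in data whose octets are all within 0..255."""
    return [m.decode() for m in IPV4_RE.findall(data)
            if all(int(octet) <= 255 for octet in m.split(b"."))]


def mac_addresses(data):
    """MAC addresses in data, normalised to lower-case colon-separated form."""
    return [m.decode().lower().replace("-", ":") for m in MAC_RE.findall(data)]


def files_with_ip_and_mac(files):
    """files maps path -> bytes. Return the sorted paths that contain both an
    IPv4 address and a MAC address, i.e. the intersection of two grep -l runs."""
    with_ip = {path for path, data in files.items() if ipv4_addresses(data)}
    with_mac = {path for path, data in files.items() if mac_addresses(data)}
    return sorted(with_ip & with_mac)


def scan_tree(root):
    """The -r option: read every file under root (binary-safe) and intersect.
    Unreadable files are skipped rather than aborting the whole scan."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return files_with_ip_and_mac(files)


# Constructed sample data standing in for files on the mounted image.
SAMPLE_FILES = {
    "Program Files/look@lan/irunin.ini": (
        b"[Setup]\nOwner=Greg Schardt\nUser=Mr. Evil\n"
        b"IP=10.10.10.12\nMAC=00-11-22-AA-BB-CC\n"
    ),
    # A version string the bare regex accepts; the octet check rejects it.
    "WINDOWS/setuplog.txt": b"Build 5.1.300.1 installed\nNo adapter found\n",
    "Program Files/app/readme.txt": b"host 10.0.0.5 only, no hardware address\n",
    "drivers/nic.inf": b"PermanentAddress=00:11:22:aa:bb:cc\n",
}

if __name__ == "__main__":
    for path in files_with_ip_and_mac(SAMPLE_FILES):
        print(path)
```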
15. Which NIC card was used during the installation and set-up for LOOK@LAN?
• MAC addresses are primarily assigned by device manufacturers
• Often referred to as the burned-in address
• The IEEE assigns manufacturers the numbers, called organizationally unique identifiers (OUIs): the first 24 bits, i.e. the first six hex digits, of the address
• The remaining bits of each MAC address act as a serial number, assigned to a NIC when it is made
https://www.adminsub.net/mac-address-finder/XIRCOM
The OUI lookup shows that the MAC address recorded in irunin.ini belongs to Xircom, so the Xircom card was used during the installation and set-up of LOOK@LAN. (An OUI identifies the manufacturer, not the card itself, and a MAC can be overridden in software, so corroborate it with the adapter list from question 13.)
16. Find 6 installed programs that may be used for hacking.
Hacking programs explained
• Ethereal: "Ethereal is a sniffer, an application that can capture all packets sent through a network to then interpret them and see what tasks are being carried out on the network."
• Network Stumbler: "Network Stumbler is a wifi scanner and monitor tool for Windows; it allows you to detect WLANs using 802.11a, 802.11b and 802.11g wireless cards."
• WinPcap: "Enables applications to send and receive raw network packets to/from network cards. Receiving raw network packets is also known as packet capturing, therefore the name 'Windows Packet capture library'."
• 123 Write All Stored Passwords: password cracker. "A Password Cracker program is used to decrypt a password or password file. Some Password Crackers programmatically try different passwords while others use brute force logging in with password word lists."
• Anonymizer Bar 2.0: "The Anonymizer toolbar plug-in hosts seven tools that basically switch your originating Web address to the Anonymizer proxy server, thus concealing your identity."
• Cain and Abel: "The Cain & Abel program is designed to crack passwords in the most difficult situations. Capable of detecting passwords hidden by 'asterisks'. [Gives user] access to a sniffer - a network traffic analyzer, the purpose of which is to intercept valuable information transmitted over the network."
• CuteFTP: "Allows you to transfer files from your PC to another PC or a server in an easy way, just drag&drop and see how they are transferred." (CuteFTP is an ordinary FTP client; by itself it is not a hacking tool, but it could move captured data off the machine.)
17. What is the SMTP email address for Mr. Evil?
• NTUSER.DAT contains your user profile settings
• Every time you make a change to the look and behavior of Windows and installed programs, Windows needs to remember your preferences the next time it loads,
• whether that's your desktop background, monitor resolution, or even which printer is the default.
• Windows accomplishes this by first storing that information in the HKEY_CURRENT_USER hive.
• When you sign out or shut down, that information is written back to the NTUSER.DAT file.
• The next time you sign in, Windows loads NTUSER.DAT into memory, and all your preferences load into the Registry again.
Search for ntuser.dat
Extract Mr. Evil's ntuser.dat
Search for the email pattern
The strings command returns each string of printable characters in a file. Its main uses are to determine the contents of, and to extract text from, binary files. Registry hives store most string values as UTF-16LE, so run strings with -el (16-bit little-endian) as well as the default ASCII scan, otherwise those values are not shown.
18. What are the NNTP (news server) settings for Mr. Evil?
• Understand news servers
• Find the newly installed applications
• Find the application installation directory
• Search for configuration files or keywords
Understand news servers
• The Network News Transfer Protocol (NNTP) is an application protocol
• for transporting Usenet news articles (netnews) between news servers and
• for reading and posting articles by end-user client applications.
• Examples
• Commercial: NewsLeecher, Forte Agent, Lotus Notes, BinTube
• Free: Pan, Spotnet, Claws Mail, Gnus, Outlook Express
Find the newly installed applications
Search for an installed Forte Agent using the keyword "forte" or "agent"

nothing
Look for Forte Agent configuration files or data
Find the news server configuration
List all files associated with Outlook Express by searching for the keyword "outlook"
Find the news server, news.dallas.sbcglobal.net, in the .dbx files (Outlook Express format)
19. What two installed programs show this information?
20. List 5 newsgroups that Mr. Evil has subscribed to.
21. Investigate an Internet Relay Chat program
A popular IRC (Internet Relay Chat) program called mIRC was installed. What are the user settings that were shown when the user was online and in a chat channel?
• Find new applications installed
• Find the application installation directory
• Search for configuration files or key words
Find the mIRC installation directory
Find the important configuration (mirc.ini holds the user settings)

This IRC program has the capability to log chat sessions.
22. List 3 IRC channels that the user of this computer accessed.
23. Investigate Ethereal
• Ethereal, a popular "sniffing" program that can be used to intercept wired and wireless internet packets, was also found to be installed.
• When TCP packets are collected and re-assembled, the default save directory is that user's default documents directory.
• What is the name of the file that contains the intercepted data?
• Find the location \Documents and Settings\Mr. Evil
• Search for saved TCP packets (.pcap)
Confirm the file type with the file command (a capture is recognised by its magic bytes, not by its extension)
24. What type of device was the victim (the person whose internet surfing was recorded) using?
Search for the User-Agent header in the HTTP requests
25. What websites was the victim accessing?
Sort the requests and keep the unique entries (the Host headers)
26. Search for the main user's web-based email address. What is it?
Understand Extended Regular Expressions (ERE)
1. Basic vs extended regular expressions
• In basic regular expressions the meta-characters ?, +, {, |, (, and ) lose their special meaning; instead use the backslashed versions \?, \+, \{, \|, \(, and \).
2. Pre-defined classes
• [:alnum:], [:alpha:], [:blank:], [:cntrl:], [:digit:], [:graph:], [:lower:], [:print:], [:punct:], [:space:], [:upper:], [:xdigit:]
-E: extended regular expressions
-i: ignore case
-o: show only the match, not the whole line
-r: recursive
-h: don't show the file name
-I: ignore binary files
Sort all emails, count them, and sort again based on the counts (sort | uniq -c | sort -nr)
uniq options:
-c, --count: prefix lines by the number of occurrences
sort options:
-n, --numeric-sort: compare according to string numerical value
-r, --reverse: reverse the result of comparisons
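Added example (not part of the original slides): the strings | grep -Eo | sort | uniq -c | sort -nr pipeline in Python, covering the NTUSER.DAT e-mail search (question 17), the User-Agent and Host lookups in the capture (questions 24 and 25) and the web-mail frequency count (question 26). SAMPLE_BLOB is a constructed stand-in for the artefact; every address, host and header value in it is invented. It goes beyond the slides in one respect: it also scans for UTF-16LE strings, which is how registry values are actually stored and which the default strings run does not show.

```python
"""Pull printable strings out of a binary artefact and count regex hits."""
import re
from collections import Counter

# strings(1) default: runs of at least min_len printable ASCII bytes.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
# strings -el: the same runs with a NUL after each byte (UTF-16LE).
UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"
# Python's re has no [[:alnum:]]; explicit classes are the ERE equivalent.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def extract_strings(data, min_len=4):
    """Printable runs of the artefact: ASCII first, then UTF-16LE."""
    ascii_runs = [m.decode("ascii") for m in re.findall(ASCII_RUN % min_len, data)]
    wide_runs = [m.decode("utf-16-le") for m in re.findall(UTF16LE_RUN % min_len, data)]
    return ascii_runs + wide_runs


def count_matches(lines, pattern, group=0):
    """The sort | uniq -c | sort -nr step: (value, count) pairs, most frequent first."""
    counts = Counter(m.group(group) for line in lines for m in pattern.finditer(line))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def email_frequency(data):
    """Every e-mail address in the artefact with how often it occurs."""
    return count_matches(extract_strings(data), EMAIL_RE)


def http_header_values(data, header):
    """Values of one request header (Host, User-Agent, ...) across all requests
    found in a capture; CRLF splits the headers into separate strings."""
    pattern = re.compile(r"^%s:\s*(.+?)\s*$" % re.escape(header), re.IGNORECASE)
    return count_matches(extract_strings(data), pattern, group=1)


# Constructed sample: a registry fragment with a UTF-16LE account value, two
# HTTP requests as they would appear in a capture, and some ASCII addresses.
SAMPLE_BLOB = (
    b"regf\x00\x00\x00\x00Software\\Microsoft\\Internet Account Manager\x00"
    b"SMTP Email Address\x00\x00"
    + "whoknowsme@example.net".encode("utf-16-le")
    + b"\x00\x00GET /ym/login HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
    b"\x00\x00GET /news HTTP/1.1\r\nHost: news.example.org\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
    b"\x01\x02mrevil@example.net\x00mrevil@example.net\x00friend@example.org\x00"
)

if __name__ == "__main__":
    for address, count in email_frequency(SAMPLE_BLOB):
        print("%6d %s" % (count, address))
    print(http_header_values(SAMPLE_BLOB, "User-Agent"))
    print(http_header_values(SAMPLE_BLOB, "Host"))
```

With a real capture, feed the raw .pcap bytes to http_header_values(); with NTUSER.DAT, feed the hive to email_frequency() and note that the account value only appears because of the UTF-16LE scan.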
27. Yahoo mail saves copies (web cache) of the email under what file name?
Search email under Mr. Evil’s account
View cached webpages
28. How many executable files are in the recycle bin?
29. Are these files really deleted?
• No. They can be restored: the contents are still on disk under the Recycler folder until the bin is emptied.
• We will try to recover the deleted files' information
Recover the deleted files' information
• Extract the deleted files' metadata from the Windows Recycle Bin
• using Rifiuti2
• Rifiuti2 is a tool for analyzing the Windows Recycle Bin INFO2 file.
• The complete path and file or folder name is stored in a hidden file called INFO2 inside the Recycled or Recycler folder.
• Rifiuti2 can extract
• the file deletion time,
• the original path,
• the size of the deleted files, and
• whether the trashed files have been permanently removed.
rifiuti2 features
• Handles oldest (Win95) to newest (Win 10 and Server 2019) recycle
bin format
• Windows 95 – 2003 uses a single index file named INFO or INFO2
• Vista or above uses one index file for each deleted item
• 64-bit file size support
• Supports all localized versions of Windows — both Unicode-based
ones and legacy ones (using ANSI code page)
• Supports output in XML format as well as original tab-delimited text
• Obscure features such as recycle bin on network share (\\server\share)
Install rifiuti2
Install using apt
Check the version
Show the Recycler folder
Show INFO2 in the Recycler folder
Show the full paths of the deleted files
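Added example (not part of the original slides): a small parser that does in plain Python what the slides do with rifiuti2, and that also provides the FILETIME-to-epoch conversion behind the "epoch to a date" step of question 11 and the ShutdownTime of question 8. The record layout is the documented Windows 2000/XP one (20-byte header with the record size at offset 12; 800-byte records: 260-byte ANSI path, index, drive number, 64-bit FILETIME, size, then a 520-byte UTF-16LE copy of the path) plus the 280-byte Windows 9x records without the Unicode copy. The INFO2 sample is constructed by build_info2() and its paths and times are invented.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index and decode its FILETIMEs."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_UNIX_EPOCH = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100-ns ticks
HEADER_LEN = 20          # version, kept entries, total entries, record size, size sum
ANSI_PATH_LEN = 260      # MAX_PATH
LEGACY_RECORD_LEN = 280  # Win9x/ME record: ANSI path + index, drive, FILETIME, size
UNICODE_PATH_LEN = 520   # Win2000/XP append a UTF-16LE copy of the path (800 bytes total)


def filetime_to_epoch(filetime):
    """64-bit FILETIME (100-ns ticks since 1601) -> Unix seconds, e.g. for ShutdownTime."""
    return (filetime - FILETIME_UNIX_EPOCH) // 10_000_000


def filetime_to_datetime(filetime):
    """FILETIME -> timezone-aware UTC datetime (apply the image's time zone separately)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_info2(data):
    """One dict per record: original path, the D<drive><index>.<ext> name the file
    got in the Recycler folder, deletion time, size and whether it was emptied/restored."""
    version, record_size = struct.unpack_from("<I8xI", data, 0)
    if version not in (4, 5):
        raise ValueError("unexpected INFO2 version %d" % version)
    has_unicode = record_size >= LEGACY_RECORD_LEN + UNICODE_PATH_LEN
    records = []
    for offset in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        rec = data[offset:offset + record_size]
        ansi = rec[:ANSI_PATH_LEN]
        index, drive, filetime, size = struct.unpack_from("<IIQI", rec, ANSI_PATH_LEN)
        # Emptying the bin or restoring the file zeroes the first byte of the ANSI
        # path; the UTF-16LE copy (when present) still carries the complete name.
        emptied = ansi[0] == 0
        if has_unicode:
            wide = rec[LEGACY_RECORD_LEN:LEGACY_RECORD_LEN + UNICODE_PATH_LEN]
            path = wide.decode("utf-16-le").split("\x00", 1)[0]
        else:
            raw = (ansi[1:] if emptied else ansi).split(b"\x00", 1)[0]
            path = ("?" if emptied else "") + raw.decode("latin-1")
        name = path.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        records.append({
            "path": path,
            "recycled_name": "D%s%d%s" % (chr(ord("A") + drive).lower(), index, ext),
            "deleted": filetime_to_datetime(filetime),
            "size": size,
            "emptied": emptied,
        })
    return records


def build_record(path, index, drive, filetime, size, emptied=False, record_size=800):
    """Serialise one record; used here only to construct the sample INFO2."""
    ansi = path.encode("latin-1").ljust(ANSI_PATH_LEN, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    rec = ansi + struct.pack("<IIQI", index, drive, filetime, size)
    if record_size > LEGACY_RECORD_LEN:
        rec += path.encode("utf-16-le").ljust(UNICODE_PATH_LEN, b"\x00")
    return rec


def build_info2(entries, record_size=800):
    """Constructed INFO2: a version-5 header followed by the records."""
    body = b"".join(build_record(*entry, record_size=record_size) for entry in entries)
    header = struct.pack("<IIIII", 5, len(entries), len(entries), record_size,
                         sum(entry[4] for entry in entries))
    return header + body


# Constructed sample entries (invented paths and times); the second file was
# deleted and the bin was then emptied, so only the index entry survives.
SAMPLE_ENTRIES = [
    ("C:\\Documents and Settings\\Mr. Evil\\Desktop\\tool.exe", 1, 2, 127379520000000000, 40960, False),
    ("C:\\Documents and Settings\\Mr. Evil\\Desktop\\notes.txt", 2, 2, 127379556000000000, 1024, True),
]
SAMPLE_INFO2 = build_info2(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for record in parse_info2(SAMPLE_INFO2):
        print(record["deleted"].isoformat(), record["recycled_name"], record["size"],
              "EMPTIED" if record["emptied"] else "", record["path"])
```

Read the record size from the header rather than assuming 800 bytes: a 280-byte record means a Windows 9x bin and no Unicode copy, and an emptied entry then loses the first character of its name, which is why the parser marks it with "?" instead of guessing.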
30. How many files are actually reported to be deleted by the file system?
Show the deleted files reported by the file system (365)
31. Perform an anti-virus check. Are there any viruses on the computer?
• The suspect may have produced a virus, or the machine may be infected.
• Use Clam AntiVirus to scan the Windows partition (scan the read-only mounted image, never a live copy)
• ClamAV is a free, cross-platform, open-source antivirus toolkit able to detect many types of malicious software, including viruses.
• One of its main uses is on mail servers as a server-side email virus scanner.
• Password crackers and sniffers such as those found in question 16 are often reported as potentially unwanted applications rather than as infections, so read the signature names before concluding that the machine is infected.
Installation and verification
Scan results
What is your conclusion?
• Is Greg Schardt a hacker?
