
Autopsy Activity

The document provides a detailed forensic analysis of a computer, including information such as the image hash, operating system, registered owner, install date, and last shutdown time. It also lists the number of user accounts, the last person to log on, executable files in the recycle bin, and tools related to wireless hacking. Additionally, it mentions the presence of a zip bomb and details about the network cards and IP/MAC addresses used by the computer.

Uploaded by

johnhista1
Copyright
© All Rights Reserved

John Argie T. Hista, Kent Pielago

BSIT – 4, Free Elec 2

1. What is the image hash?

💡Hint: To check the image hash, click on the image and go to the File Metadata tab.
We check the image hash to verify that it is the same as the hash created during the
time when the image was created.

Answer:

aee4fcd9301c03b3b054623ca261959a

Can be found in File Metadata:
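
An added example, not part of the original activity: one way to carry out the check the hint describes outside Autopsy, by streaming the image through MD5 and comparing the result with the hash recorded at acquisition. It assumes a raw (dd-style) image, optionally split into ordered segments whose concatenation is the original image; the file names and sample bytes are constructed, and SHA-256 is computed alongside MD5 as a second digest for the case record.

```python
import hashlib
import hmac
import os
import tempfile


def hash_image(segment_paths, chunk_size=1024 * 1024):
    """Stream the segments of a raw image, in order, through MD5 and SHA-256.

    Reading in chunks keeps memory flat for multi-gigabyte images.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for path in segment_paths:
        with open(path, "rb") as fh:  # read-only: never write to evidence
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(segment_paths, recorded_md5):
    """Return (matches, computed_md5, computed_sha256)."""
    computed_md5, computed_sha256 = hash_image(segment_paths)
    expected = recorded_md5.strip().lower()  # acquisition logs often use upper case
    return hmac.compare_digest(computed_md5, expected), computed_md5, computed_sha256


def demo():
    """Constructed sample: a two-segment 'image' built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        parts = []
        for name, data in (("img.001", b"constructed "), ("img.002", b"sample")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            parts.append(path)
        # Stands in for the hash written down when the image was acquired.
        recorded = hashlib.md5(b"constructed sample").hexdigest()
        ok = verify_image(parts, recorded)[0]
        # One changed byte in the second segment must break the match.
        with open(parts[1], "wb") as fh:
            fh.write(b"sampl3")
        tampered = verify_image(parts, recorded)[0]
        return ok, tampered


if __name__ == "__main__":
    print(demo())
```
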

2. What operating system was used on the computer?


💡Hint: Look in the C:\[Link] file

Answer: Microsoft Windows XP Professional

Can be found in [Link] text section:


3. Who is the registered owner?

💡Hint: The owner is found in the same OS info section

Answer: Greg Schardt

Can be found in WINDOWS/system32/config/software in the application section and in Microsoft/Windows NT/CurrentVersion/RegisteredOwner.

4. When was the install date?

💡Hint: Still look into the OS info section

Answer: Tue Aug 20, 2004 [Link] UTC (Tue Aug 20, 2004 [Link] UTC+8)

Can be found in the same path as the previous answer, alongside RegisteredOwner, in InstallDate.

5. What is the computer account name?

💡Hint: Click on Operating System Information

Answer: Mr. Evil

Can be found in the same path as the previous answer, alongside RegisteredOwner and InstallDate, but in the directory and file Winlogon/SpecialAccounts/DefaultUserName.

6. When was the last recorded computer shutdown time?

Answer: 2004/08/27 – [Link]


Can be found in the same path as the previous answer, alongside RegisteredOwner and InstallDate, but in the directory and file Prefetcher/ExitTime.

7. What are the timezone settings?

Answer: Central Standard Time

Can be found in WINDOWS/system32/config/system in the application section and in ControlSet002/Control/TimeZoneInformation/StandardName.

8. How many accounts are recorded (total number)?


Answer: 5 (Administrator, Guest, HelpAssistant, Mr. Evil, Support_388945a0)

Can be found in WINDOWS/system32/config/SAM in the application section and in SAM/Domains/Account/Users/Names.

9. Who was the last person to log on to the computer?

Answer: Mr. Evil

Found by looking for the latest Modification Time among the accounts.

10. How many executable files are in the recycle bin?


Answer: 4

Can be found in the RECYCLER.

11. Search for programs/tools that aided in the crime (Wireless hacking)

Answer: Cain & Abel v2.5 beta45 – Password cracking tool, Network Stumbler 0.4.0 (remove only) -
Wireless LAN detection and attack, Anonymizer Bar 2.0 (remove only) - A program that aims to render
online activity untraceable.

Can be found in Data Artifacts/Installed Programs.


12. Perform an anti-virus check. Are there any viruses on the computer?

Answer: Zip bomb with location of /My Documents/FOOTPRINTING/UNIX/unix_hack.tgz.

Can be found in Interesting Items/Possible Zip Bomb

13. List the network cards used by this computer?

Answer: Compaq WL110 Wireless LAN PC Card, and Xircom CardBus Ethernet 100 + Modem 56 (Ethernet
Interface)

Can be found in WINDOWS/system32/config/software in the application section and in Microsoft\Windows NT\CurrentVersion\NetworkCards.

14. What is the IP Address and MAC Address of the computer?

Answer: IP Address is [Link], and MAC Address is [Link].

Can be found in Program Files/Look@LAN/[Link] text section.

15. Which internet browser was used when performing attacks?


Answer:
