This is the second part of the forensic analysis project.
Question 11
Who was the last user to log on to the computer?
To find the last user who logged on to the computer, we looked at the “DefaultUserName” value in the registry. In an operating system, the default user is a special user account that holds the default user profile information for new users. The value is found under the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”. Based on the diagram below, the last user to log on to the computer was Mr. Evil.
Question 12
A search for the name “Greg Schardt” reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?
To search for “Greg Schardt” we entered the name in the keyword search and obtained 11 results. After going through every file we found one interesting file located at “C:\Program Files\Look@LAN\irunin.ini”. Looking into the file, we found that Look@LAN is an application that allows users to monitor the clients connected to the LAN. The diagram below shows that the irunin.ini file records the registered owner (regowner) as Greg Schardt while the LAN user is Mr. Evil, which proves that both are the same person. Also, ISUSERNTADMIN is set to true, which means the user is an administrator.
Question 13
List the network cards used by this computer.
The network cards used by this computer can be found at the Windows registry location “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards”, which stores the information for every network card. The diagram below shows the type of network card used by this computer, viewed in Autopsy at “C:\windows\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards”:
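The two registry locations used in Questions 11 and 13 (Winlogon\DefaultUserName and the NetworkCards subkeys) can be checked programmatically once the SOFTWARE hive has been exported to text. The following is an added example written for this write-up, not code from the original report or from Autopsy: it parses a .reg text export and pulls out the last logged-on user and the adapter descriptions. The export, the adapter description and the GUID are constructed placeholders; only the key paths come from the report.

```python
"""Added example, not part of the original report: locate the Winlogon
DefaultUserName and the NetworkCards entries in a text export (.reg) of the
SOFTWARE hive. The export below is CONSTRUCTED; the key paths mirror the
report, the adapter description and the GUID are placeholders."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Mr. Evil"
"DefaultDomainName"="EXAMPLE-HOST"
"AutoAdminLogon"="0"
"LogonType"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2]
"ServiceName"="{11111111-2222-3333-4444-555555555555}"
"Description"="EXAMPLE-NIC (placeholder adapter name)"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NETCARDS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards"

_SECTION = re.compile(r"^\[(.+)\]$")                  # [key path]
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')    # "name"=data  (default value '@=' is skipped)


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside REG_SZ strings
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(data: str) -> str:
    if data.startswith('"') and data.endswith('"'):   # REG_SZ
        return _unescape(data[1:-1])
    if data.startswith("dword:"):                       # REG_DWORD, hex digits
        return str(int(data[len("dword:"):], 16))
    return data                                         # hex:, hex(7): ... kept raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in the export to its {value name: decoded data}."""
    hive: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            hive.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            hive[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return hive


def last_logged_on_user(hive: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Question 11: Winlogon pre-fills this value with the last interactive logon name."""
    return hive.get(WINLOGON, {}).get("DefaultUserName")


def network_cards(hive: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Question 13: (index, Description, ServiceName) for every NetworkCards\\N subkey."""
    cards = []
    for key, values in hive.items():
        parent, _, idx = key.rpartition("\\")
        if parent == NETCARDS and "Description" in values:
            cards.append((idx, values["Description"], values.get("ServiceName", "")))
    return sorted(cards)


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    print("last logged-on user:", last_logged_on_user(hive))
    for idx, desc, svc in network_cards(hive):
        print(f"NetworkCards\\{idx}: {desc}  service={svc}")
```

On a real hive the same two lookups work against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" out.reg` taken on the examination machine after loading the evidence hive, or against a hive parser; the point is that the answer is the value data, not the key name, and that NetworkCards has one numbered subkey per adapter.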
Question 14
This same file reports the IP address and MAC address of the computer. What are they?
Because we learned from Question 12 that the Look@LAN programme monitors the clients connected to the LAN, we can look into the file we discovered there once again to determine the IP and MAC addresses. We therefore opened the file “C:\Program Files\Look@LAN\irunin.ini” in Autopsy; after opening it, we could quickly identify the IP and MAC addresses.
The IP address and MAC address of the computer are 192.168.1.111 and 0010a4933e09, respectively, as can be seen in the figure above.
Question 15
An Internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first three hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and setup for LOOK@LAN?
To find out which NIC card was used during the installation and setup of Look@LAN, we can take the MAC address obtained from the Look@LAN file and look it up on the website macaddress.io, which provides current details on MAC addresses and OUI vendors.
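The steps in Questions 14 and 15 (read the IP and MAC address out of irunin.ini, then identify the vendor from the OUI) can be scripted. The following is an added example written for this write-up, not code from the original report or from Look@LAN: it parses an INI file, normalises the MAC address, takes the OUI (the first three octets, i.e. the first six hex characters, which is what the IEEE assigns to a vendor) and looks it up in a small table. The INI text, its section and key names, and the one-entry OUI table are constructed for the example; the real irunin.ini may use different key names, and a real lookup should use the IEEE registry or macaddress.io rather than this table. The vendor recorded for 00:10:A4 is given as it appears in the public IEEE registry; verify it against the live registry before relying on it.

```python
"""Added example, not part of the original report: parse a Look@LAN
irunin.ini, normalise the MAC address, derive the OUI (first three octets)
and look the OUI up. The INI text, its section/key names and the OUI table
are CONSTRUCTED for this example."""
import configparser
import ipaddress
import re
from typing import Dict, Optional

SAMPLE_IRUNIN_INI = """
[irunin]
regowner=Greg Schardt
lanuser=Mr. Evil
isuserntadmin=True
lanip=192.168.1.111
lannic=0010a4933e09
"""

# Tiny stand-in for the IEEE OUI registry (constructed; a real run would load the
# IEEE oui.csv or query macaddress.io). Verify the entry against the live registry.
OUI_TABLE: Dict[str, str] = {"00:10:A4": "Xircom"}


def normalize_mac(raw: str) -> str:
    """Accept 0010a4933e09, 00-10-a4-93-3e-09 or 00:10:a4:93:3e:09; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac: str) -> str:
    """The OUI is the first 24 bits: three octets, six hex characters."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned by software,
    so the OUI does not identify the hardware vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def vendor_for(mac: str) -> Optional[str]:
    """Vendor name from the OUI table, or None when the OUI cannot name a vendor."""
    if is_locally_administered(mac):
        return None
    return OUI_TABLE.get(oui_of(mac))


def parse_irunin(text: str) -> Dict[str, object]:
    """Pull owner, user, admin flag, IP and MAC (with OUI and vendor) out of the INI."""
    cp = configparser.ConfigParser(interpolation=None)   # keep '%' literal
    cp.read_string(text)
    sec = cp[cp.sections()[0]]                           # section name is constructed
    mac = normalize_mac(sec["lannic"])
    ip = ipaddress.ip_address(sec["lanip"])              # raises on a malformed address
    return {
        "regowner": sec["regowner"],
        "lanuser": sec["lanuser"],
        "is_admin": sec.getboolean("isuserntadmin"),
        "ip": str(ip),
        "ip_is_private": ip.is_private,
        "mac": mac,
        "oui": oui_of(mac),
        "locally_administered": is_locally_administered(mac),
        "vendor": vendor_for(mac) or "unknown: look up in the IEEE registry",
    }


if __name__ == "__main__":
    for k, v in parse_irunin(SAMPLE_IRUNIN_INI).items():
        print(f"{k:>22}: {v}")
```

The locally-administered check matters in practice: a MAC set by a driver or a virtual adapter has that bit set, and an OUI lookup on it names nobody, so the script refuses to attribute a vendor rather than returning a misleading one.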
Question 16
Find six installed programs that may be used for hacking.
All installed applications can be found by looking in “C:\Program Files”, as the diagram below shows:
a) 123WASP — Freeware used to get all stored passwords.
b) Anonymizer — Tool used to create a proxy.
c) Cain — Password cracking tool
d) Ethereal — Packet sniffing tool
e) Look@LAN — Network monitoring tool
f) NetStumbler — wireless networking tool used to hack Wi-Fi passwords
Question 17
What is the SMTP email address for Mr. Evil?
We used a keyword search to find the SMTP email address. Searching for “SMTP” returned multiple hits. After a thorough review of every file, we found that the file “NTUSER.DAT” included Mr. Evil’s SMTP email address. Finding SMTP email addresses in the NTUSER.DAT file is uncommon. NTUSER.DAT is a registry hive file that stores user-specific configuration and settings for things like the desktop background, user preferences and application settings. Depending on the email service in use, SMTP email addresses are normally saved in the email client’s configuration settings or in the mail server’s database. Nevertheless, it is conceivable that malware or other harmful software saves this data in the registry as part of its operation. It is also conceivable that a programme such as an email client, written expressly to save email addresses in the registry, stores the address in the NTUSER.DAT file, although this is uncommon.
The highlighted text in the above diagram reveals that Mr. Evil’s SMTP email address is whoknowsme@sbcglobal.net.
Question 18
What are the NNTP (news server) settings for Mr. Evil?
For the NNTP settings we used the same method as in Question 17: a keyword search for “NNTP”, which returned multiple hits. After a thorough review of every file, we found the NNTP information in the file “NTUSER.DAT”. The highlighted text in the diagram below shows that the NNTP server name is “News.dallas.sbcglobal.net”.
Question 19
What two installed programs show this information?
Firstly, we discovered that MS Outlook Express exposes Mr. Evil’s email address. The Outlook Express information is stored in NTUSER.DAT at “Documents and Settings\Mr. Evil\NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\UnreadMail\whoknowsme@sbcglobal.net”, as shown in the diagram below:
Next, we ran a further keyword search for “whoknowsme@sbcglobal.net”, the address obtained from NTUSER.DAT. This led to the file “AGENT.INI”, which contains the server name “news.dallas.sbcglobal.net” and the email username whoknowsme@sbcglobal.net, as shown in the diagram below:
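Questions 17 to 19 all rest on the same technique: a keyword search across the evidence for an email address or a news-server name, then noting which file (and so which program) each hit came from. The following is an added example written for this write-up, not code from the original report or from Autopsy. It runs regular expressions over a set of evidence files in both ASCII and UTF-16LE, because REG_SZ data inside a registry hive such as NTUSER.DAT is stored as UTF-16LE and an ASCII-only search walks straight past it. The evidence bytes, the file layouts and the pattern names are constructed stand-ins; only the address and server name come from the report.

```python
"""Added example, not part of the original report: keyword search over a set
of evidence files for SMTP email addresses and NNTP server names, in both
ASCII and UTF-16LE. The evidence bytes below are CONSTRUCTED stand-ins."""
import re
from typing import Dict, List

EVIDENCE: Dict[str, bytes] = {
    # registry-hive stand-in: UTF-16LE strings surrounded by NUL padding
    "NTUSER.DAT": (b"\x00" * 16
                   + "UnreadMail\\whoknowsme@sbcglobal.net".encode("utf-16-le")
                   + b"\x00" * 8
                   + "NNTP Server=News.dallas.sbcglobal.net".encode("utf-16-le")
                   + b"\x00" * 16),
    # newsreader configuration stand-in: plain ASCII text
    "AGENT.INI": (b"[Servers]\nNewsServer=news.dallas.sbcglobal.net\n"
                  b"[User]\nEmailAddress=whoknowsme@sbcglobal.net\n"),
    # decoy with no hits at all
    "boot.ini": b"[boot loader]\ntimeout=30\n",
}

EMAIL_PATTERN = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
NEWS_HOST_PATTERN = r"\bnews\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def search_all(evidence: Dict[str, bytes], pattern: str) -> List[dict]:
    """Run one regex over every file as raw ASCII and as UTF-16LE; return hits with file and offset."""
    rx_bytes = re.compile(pattern.encode("ascii"), re.IGNORECASE)
    rx_text = re.compile(pattern, re.IGNORECASE)
    hits: List[dict] = []
    for name, data in evidence.items():
        for m in rx_bytes.finditer(data):
            hits.append({"file": name, "encoding": "ascii",
                         "offset": m.start(), "match": m.group().decode("ascii")})
        # A UTF-16LE string may begin at an odd byte offset, so decode from both alignments.
        for shift in (0, 1):
            text = data[shift:].decode("utf-16-le", errors="ignore")
            for m in rx_text.finditer(text):
                hits.append({"file": name, "encoding": "utf-16-le",
                             # exact unless 'ignore' dropped an unpaired surrogate earlier in the file
                             "offset": shift + 2 * m.start(), "match": m.group()})
    return hits


def mail_settings(evidence: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Summarise which addresses and news servers appear, and in which files."""
    emails = search_all(evidence, EMAIL_PATTERN)
    news = search_all(evidence, NEWS_HOST_PATTERN)
    return {
        "smtp_addresses": sorted({h["match"].lower() for h in emails}),
        "nntp_servers": sorted({h["match"].lower() for h in news}),
        "files_with_email": sorted({h["file"] for h in emails}),
        "files_with_nntp": sorted({h["file"] for h in news}),
    }


if __name__ == "__main__":
    for h in search_all(EVIDENCE, EMAIL_PATTERN) + search_all(EVIDENCE, NEWS_HOST_PATTERN):
        print(f"{h['file']:<11} {h['encoding']:<9} @{h['offset']:>4}: {h['match']}")
    print(mail_settings(EVIDENCE))
```

Run as is, the search finds the address and the server in both the hive stand-in and the AGENT.INI stand-in, which is the "two installed programs" observation of Question 19; the ASCII pass alone reports only AGENT.INI, which is why a forensic keyword search must include UTF-16 (Autopsy's keyword search does this for you, a hand-rolled grep does not).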
Question 20
List five newsgroups that Mr. Evil has subscribed to.
We went to the Outlook Express folder to locate the newsgroups that Mr. Evil has subscribed to. The path is “Document and setting/Mr.Evil/LocalSetting/App/Identity/{EF08/Microsoft/Outlook”.
Five newsgroups that Mr. Evil has subscribed to:
a) Alt.binaries.hacking.utilities
b) Alt.stupidity.hackers.malicious
c) Free.binaries.hackers.malicious
d) Free.binaries.hacking.talentless.troll_haven
e) alt.dss.hack