Cyber Forensics Case Study
CYBER FORENSICS
MS (Cyber Law and Information Security)
(2013-2015)
Submitted By:
BHANU VRAT (IMS2013054)
NIKHIL AGARWAL (IMS2013055)
TABLE OF CONTENTS
S.No | Topic
1.   | SMMP Matrix
2.   | Mapping of Greg Schardt's hacking case with the Forensics Chart
3.   | Solving Greg Schardt's hacking case
ASSIGNMENT NO: 1
Objective: Analyse a cyber crime case study and create a SMMP Matrix table for it.
Case Study:
The complainant filed a case of fraud and cheating alleging theft and sale of proprietary data.
The complainant had a subsidiary company in the United States which did business with its
US partner. The US partner provided mortgage loans to US residents for residential premises.
The business of the complainant was providing leads to their US partner. The data included
the details of the loan seekers along with their telephone numbers. The complainant generated
leads through arrangements with call centres in India who called from their database and
shortlisted home owners who were interested in availing refinance facility on their existing
mortgage loans.
Investigation
Preliminary investigations revealed that the accused held the post of senior programme
manager and was the team leader for data management. During his employment the accused,
along with his father, had opened a partnership firm. It was found that raw data was being
sent as attachments from an e-mail ID on this (accused) firm's website domain. The website
was traced, and the e-mail address and registration details were recovered by the
investigating officer using specialised software. It was revealed that the accused had passed
data bought by and belonging to the complainant firm to various call centres (as if it
belonged to his firm), to make calls on their behalf for generating leads.
The entire business process of the complainant firm was studied and a systems analysis was
conducted to establish the possible source of the data theft. The accused had opened a foreign
currency account in the name of his firm. An analysis of the account printout revealed that
payments had been made to two call centres. The call centres were contacted and the raw data
sent to them as attachments was collected. The data comprised six separate files, and it was
compared with the data purchased by the complainant company in the US. This was done by
writing and executing SQL queries.
Analysis of the e-mail headers of the mails sent by the accused through his ID was carried
out. The originating IP address was found and information about it was obtained from VSNL.
Accordingly it was found that the IP range was allotted to the complainant company. It was
thus established that the accused had sent the stolen data from the office of the complainant
company using the e-mail ID of his (accused) firm.
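The header analysis described above (take the hop nearest the sender from the Received chain, then check it against the range the ISP reports as allotted to the complainant) can be scripted. The Python below is an added example and not part of the case record: the message, hostnames and addresses are constructed from documentation ranges, and the CIDR block passed in stands in for whatever range VSNL actually reported.

```python
"""Added example (not from the case file): extract the originating IP from the
Received headers of an e-mail and test it against an allotted address range."""
import ipaddress
import re
from email import message_from_string

# Constructed sample message. Hostnames and addresses are placeholders drawn
# from documentation ranges (198.51.100.0/24, 203.0.113.0/24), not real hosts.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby mx.callcentre.example (Postfix) with ESMTP id ABC123;\n"
    "\tMon, 1 Mar 2004 10:15:22 +0530\n"
    "Received: from [203.0.113.45] (helo=workstation-12)\n"
    "\tby mail.example.net with ESMTPA id XYZ789;\n"
    "\tMon, 1 Mar 2004 10:14:58 +0530\n"
    "From: sales@partnerfirm.example\n"
    "To: ops@callcentre.example\n"
    "Subject: Raw leads batch 3\n"
    "\n"
    "Please find attached.\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> list:
    """IPs from every Received header, in header order.

    Mail servers prepend Received lines, so index 0 is the hop nearest the
    recipient and the last entry is the hop nearest the sender.
    """
    msg = message_from_string(raw_message)
    chain = []
    for value in msg.get_all("Received", []):
        match = IPV4_IN_BRACKETS.search(value)
        if match:
            chain.append(match.group(1))
    return chain


def originating_ip(raw_message: str):
    """The bottom-most Received header is the sender's connection point.

    Only headers written by servers you control are trustworthy; anything
    below them could have been inserted by the sender, so a finding based on
    this value is corroborated with server logs or ISP records, as the
    investigators did with VSNL.
    """
    chain = received_chain(raw_message)
    return chain[-1] if chain else None


def in_allotted_range(ip: str, cidr_blocks) -> bool:
    """True if ip falls inside any of the CIDR blocks the ISP allotted."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block, strict=False) for block in cidr_blocks)


def attribute_sender(raw_message: str, cidr_blocks) -> dict:
    """Summarise the check: originating IP and whether it is in the allotted range."""
    ip = originating_ip(raw_message)
    return {
        "originating_ip": ip,
        "in_allotted_range": ip is not None and in_allotted_range(ip, cidr_blocks),
    }


if __name__ == "__main__":
    # Assumed: the ISP reported 203.0.113.0/24 as allotted to the complainant.
    print(attribute_sender(SAMPLE_MESSAGE, ["203.0.113.0/24"]))
```

The regex only picks bracketed IPv4 literals, which is where MTAs record the connecting peer; a hostname in the `from` clause is whatever the client claimed in HELO and is not relied upon.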
An analysis of the bank account of the accused showed that payments were being made to
two people. It was found that they were also ex-employees of the complainant company who
had resigned after the accused left the company. On interrogation he revealed that he had
roped in two of his colleagues, who actively assisted him in his clandestine activities. One of
them, while still an employee of the complainant company, coordinated with various call
centres on behalf of the accused. The other facilitated the installation of proprietary
sequencing software on the personal computer of the accused. In order to have a client base
in the US, the accused had sought the assistance of one more person. The two accused were
arrested.
SMMP Matrix:
SCENARIO | MOTIVATION | MAPPING WITH IT ACT | POTENTIAL SOURCE OF EVIDENCE
Theft and sale of the complainant's proprietary lead data by an ex-employee (case study above) | Financial Gain | IT Act Sec 43(j), Sec 72, Sec 72A | E-mail header information
ASSIGNMENT NO: 2
Objective: Map the Greg Schardt hacking case with the forensic chart given below.
Mapping:
S.No | Question | Mapping
1.  | What is the image hash? Does the acquisition and verification hash match? | PREPARATION / EXTRACTION (Extract data requested)
2.  | (question text not recovered) | PREPARATION / EXTRACTION (Extract data requested)
3.  | (question text not recovered) | PREPARATION / EXTRACTION (Extract data requested)
4.  | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
5.  | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
6.  | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
7.  | (question text not recovered) | PREPARATION / EXTRACTION (Duplicate and verify integrity of Forensic Data?)
8.  | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
9.  | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
10. | What is the account name of the user who mostly uses the computer? | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
11. | Who was the last user to logon to the computer? | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
12. | A search for the name of Greg Schardt reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to? | ANALYSIS (Associated Artifacts and Metadata)
13. | (question text not recovered) | PREPARATION / EXTRACTION (Add Extracted data to Prepared/Extracted Data List)
14. | This same file reports the IP address and MAC address of the computer. What are they? | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
15. | An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. Which NIC card was used during the installation and set-up for LOOK@LAN? | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
16. | (question text not recovered) | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
17. | (question text not recovered) | ANALYSIS (Who/What)
18. | What are the NNTP (news server) settings for Mr. Evil? | ANALYSIS (Who/What)
19. | (question text not recovered) | ANALYSIS (Who/What)
20. | (question text not recovered) | ANALYSIS (Associated Artifacts and Metadata)
21. | (question text not recovered) | ANALYSIS (Other Connections)
22. | (question text not recovered) | ANALYSIS (Associated Artifacts and Metadata)
23. | (question text not recovered) | ANALYSIS (Who/What)
24. | (question text not recovered) | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
25. | (question text not recovered) | ANALYSIS (Who/What)
26. | Search for the main user's web based email address. What is it? | ANALYSIS (Who/What)
27. | (question text not recovered) | IDENTIFICATION (Data relevant to the forensic request -> Relevant Data List)
28. | (question text not recovered) | ANALYSIS (Where)
29. | (question text not recovered) | ANALYSIS (Who/What)
30. | (question text not recovered) | ANALYSIS (How)
31. | (question text not recovered) | ANALYSIS (Associated Artifacts and Metadata)
ASSIGNMENT NO: 3
Objective: Solve the Greg Schardt hacking case using Encase V4
Scenario:
On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along
with a wireless PCMCIA card and an external homemade 802.11b antenna. It is suspected
that this computer was used for hacking purposes, although it cannot be tied to a hacking
suspect, Greg Schardt. Schardt also goes by the online nickname of Mr. Evil, and some of
his associates have said that he would park his vehicle within range of wireless access points
(like Starbucks and other T-Mobile hotspots), where he would then intercept internet traffic,
attempting to get credit card numbers, usernames and passwords.
Find any hacking software, evidence of its use, and any data that might have been
generated. Attempt to tie the computer to the suspect, Greg Schardt.
Questions:
Q1. What is the image hash? Does the acquisition and verification hash match?
Soln. AEE4FCD9301C03B3B054623CA261959A. Yes, they match.
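The check behind Q1 is an acquisition hash recorded while the image is made, followed by a verification hash computed by re-reading the stored image; the two must agree before anything found in the image is relied on. The Python below is an added example, not the case's own procedure or EnCase output. The 32-hex-digit value reported above is an MD5 digest, which is what EnCase V4 displayed; current practice records a second digest (SHA-256) alongside it. The sample "disk" in the code is constructed in memory and is not the notebook image, so its hash is unrelated to the one reported.

```python
"""Added example (not from the case or EnCase): acquisition hash versus
verification hash over an evidence image, streamed so large images fit."""
import hashlib
import io

CHUNK_SIZE = 1 << 20  # 1 MiB per read; the image never has to fit in memory


def hash_stream(fp, algorithm: str = "md5") -> str:
    """Hash a readable binary stream chunk by chunk; upper-case hex as EnCase shows it."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: fp.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest().upper()


def acquire(source: bytes, algorithm: str = "md5"):
    """Simulated acquisition: copy the source to an image while hashing the
    same bytes. Returns (image_bytes, acquisition_hash)."""
    digest = hashlib.new(algorithm)
    image = io.BytesIO()
    src = io.BytesIO(source)
    for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest().upper()


def verify(image: bytes, acquisition_hash: str, algorithm: str = "md5") -> bool:
    """Verification hash: re-read the stored image and compare with the
    acquisition hash. Any mismatch means the image is not what was acquired."""
    return hash_stream(io.BytesIO(image), algorithm) == acquisition_hash.upper()


def hash_file(path: str, algorithm: str = "md5") -> str:
    """Same check against an image file on disk (e.g. a raw dd image)."""
    with open(path, "rb") as fp:
        return hash_stream(fp, algorithm)


# Constructed 3 MiB 'disk' of patterned bytes; stands in for the notebook image.
SAMPLE_DISK = bytes(range(256)) * (3 * 4096)


def demo():
    """Returns (intact_verifies, tampered_verifies) for the constructed disk."""
    image, acq_hash = acquire(SAMPLE_DISK)
    tampered = bytearray(image)
    tampered[1024] ^= 0x01  # flip one bit in the copy
    return verify(image, acq_hash), verify(bytes(tampered), acq_hash)


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

Hashing while copying (rather than hashing the source in a separate pass) is what makes the acquisition hash a statement about the bytes that actually landed in the image; a single flipped bit anywhere in the copy fails verification.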
PATH:
C:\WINDOWS\system32\config\SAM\NTRegistry\SAM\Domains\Account\Users\Names\
Q10. What is the account name of the user who mostly uses the computer?
Soln.
Q11.Who was the last user to logon to the computer?
Soln. Mr. Evil
PATH:
C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
Q12. A search for the name of Greg Schardt reveals multiple hits. One of these proves that
Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What
software program does this file relate to?
Soln. PATH: C:\Program Files\Look@LAN\irunin.ini
Look@LAN
Q14. This same file reports the IP address and MAC address of the computer. What are they?
Soln. 192.168.1.111
0010a4933e09
Q15. An internet search for vendor name/model of NIC cards by MAC address can be used
to find out which network interface was used. In the above answer, the first 3 hex characters
of the MAC address report the vendor of the card. Which NIC card was used during the
installation and set-up for LOOK@LAN?
Soln. Xircom
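The vendor lookup in Q15 works on the OUI, the first three octets of the MAC (six hex characters, so 0010A4 in the answer above), which the IEEE assigns to manufacturers. The Python below is an added example and not part of the assignment; its OUI table is a small constructed subset of the IEEE registry that includes 00:10:A4 (Xircom), and it also checks the locally-administered bit, since a randomised or locally assigned address carries no vendor information at all.

```python
"""Added example (not from the case): normalise a MAC address, take its OUI
(first three octets = six hex characters) and look up the vendor."""
import re

# Constructed subset of the IEEE OUI (MA-L) registry. Only these prefixes are
# known to this script; the real registry has tens of thousands of entries.
OUI_TABLE = {
    "0010A4": "Xircom",                               # the prefix in the case answer
    "00000C": "Cisco Systems",
    "000C29": "VMware, Inc.",
    "080027": "PCS Systemtechnik GmbH (VirtualBox)",
}

HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalise_mac(mac: str) -> str:
    """Accept 0010a4933e09, 00:10:A4:93:3E:09, 00-10-a4-93-3e-09 or 0010.a493.3e09;
    return 12 upper-case hex digits, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if not HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui(mac: str) -> str:
    """The first three octets of the address."""
    return normalise_mac(mac)[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally
    (e.g. a randomised or spoofed MAC); the OUI then identifies no vendor."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def vendor(mac: str):
    """Vendor name for the OUI, or None if unknown or locally administered."""
    if is_locally_administered(mac):
        return None
    return OUI_TABLE.get(oui(mac))


if __name__ == "__main__":
    print(oui("0010a4933e09"), vendor("0010a4933e09"))  # 0010A4 Xircom
```

A vendor hit identifies the interface hardware, not the person using it; the answer above is tied to the suspect only because the same Look@LAN file also records his name.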