I’m going to follow step by step a network forensics case, the Nitroba State University Harrassment Case. All the material is available here, published under the CC0 licence : https://digitalcorpora.org/corpora/scenarios/nitroba-university-harassment-scenario

This scenario includes two important documents

The first one is the presentation of the Case : http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/slides.ppt

The second one is the PCAP capture : http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/nitroba.pcap. Read below about PCAP

Let’s have a first look at the PCAP file

Just click on the PCAP file, and it should open in Wireshark. You get a first overview of the very long list of packets captured

In the first section, you get the list of packets/frames ordered by number, time, source IP, destination IP, protocol, length, and informations about content

In the second section, you see the details of a packet (here packet/frame number 1), shown according to the main layers of the OSI model. For packet number 1, we have informations about the first four layers (respectively n°1 “wire”, n°2 “Ethernet”, n°3 “IP”, n°4 “TCP”)

In the third section, we have the details of the packet number 1 in HEX format. It is usefull to check the source data in a “compact” format (instead of binary which would be very long)

As a very first step, you can easily gather statistics about this capture, just using the statistics module of Wireshark : Statistics => Capture File Properties

We can see that the SHA1 and SHA256 hash signatures match with the ones given in the scenario (as expected). We also see that the elapsed time of the capture was about 4 hours and 22 minutes. This is quite long, and explains the quantity of packets received in this network capture : 94 410 lines. No chance to read through each packet line by line…this is why a key concept in Wireshark is to make use of filters to narrow down any search made in the capture. As you can guess, we are going to use filters for our analysis…!

Map the Nitroba dorm room network

Now, read through the Powerpoint presentation to get an overview of the Case. There is one key information to start analyzing the PCAP capture

The IP was found in the email header

So, let’s filter the PCAP file using the IP adress used to send the first email : 140.247.62.34, both in the source and destination IP : ip.src==140.247.62.34 or ip.dst==140.247.62.34 (to learn the filtering by IP, check this : https://networkproguide.com/wireshark-filter-by-ip/)

We find that this IP has a low presence in the Wireshark statistics : 0.06% of the total sent packets (equal 52 packets)

Now, look closer at the IP adresses source and destination (here below a screenshot of the first packets)…you see that the IP 192.168.15.4 plays a central role as it is the only IP bridging with our IP 140.247.62.34

This type of IP is well known : it’s a private IP adress. See below some explanations

Let’s have a look in the OSI layer n°2 of a packet capture between these two IP adresses 192.168.15.4 (source) and IP 140.247.62.34 (destination). We find interesting informations about the hardware and MAC adress of the two physical devices pointed by these IP

So, the information reads as follows

A Google check with the MAC 00:17:f2:e2:c0:ce confirms this is an Apple device

What is HonHaiPr ? A carefull Google search reveals it’s Hon Hai Precision Industry Co Ltd, also known as the electronics giant Foxconn

Find who sent email to lilytuckrige@yahoo.com and identify the TCP connections that include the hostile message

Let’s use again the filter capabilities of Wireshark : frame contains “tuckrige”

We find three packets . The first two of them are using the OSI model layer n°7, that is the application layer, represented by the HTTP protocol. The last one is using the OSI model layer n°4, in this case the TCP protocol

The packet n°80614 shows an harassing message was sent using sendanonymousemail.net

The source IP is 192.168.15.4, and the destination IP is 69.80.225.91

The packet n°83601 shows an harassing message was sent using Willselfdestruct.com, with the exact email header as described in the Powerpoint “you can’t find us”

The source IP is 192.168.15.4, and the destination IP is 69.25.94.22

At this point of the article, we can confirm that the IP 192.168.15.4 plays a central role in the email “attacks” and the harassment faced by the professor Lily Tuckrige

Let’s keep in mind this key information for the next paragraphs

Find information in one of those TCP connections that identifies the attacker

So now that we have an interesting IP / MAC pair, that may lead to the identification of the attacker, what could we do next ?

I’ve decided to have a look further in the packets. Could we find maybe, the email adress of the attacker ? And, how to check that ?

I’ve just filtered in Wireshark typing “frame contains mail”. This is a little bit “quick and dirty” but could help to narrow down the research as I had no better idea at this point…then I went scrolling into the selected frames and found some frames titled “GET /mail/ HTTP/1.1 with some interesting content…look at the cookie ! They reveal some email adress and the link to the email platform used !

In the example below, we see the frame n°16744, showing a GET /mail/ HTTP/1.1, the MAC adress in layer 2 of the OSI model, and some cookie informations in clear text :

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.16)

Cookie pair: gmailchat=elishevet@gmail.com/945167

[Full request URI: http://mail.google.com/mail/]

Of course, the http adress points to the Gmail sign in page. When the person is signing in, Gmail downloads the cookie for authentification needs

It’s quite amazing to find this level of information in clear text, furthermore in Wireshark, isn’t it ? Well, not quite. Just read this blog and the summary below -> enforce SSL so the cookie isn’t sent in cleartext !

https://blog.teamtreehouse.com/how-to-create-totally-secure-cookies

Now that we have found a way to identify the email adress of the attacker, let’s go through the different frames including the GET /mail/ HTTP/1.1 info and let’s check the email, IP, MAC data. Probably, we will find a match with the already suspicious IP/MAC pair from the previous paragraph ? Here below the result of my analysis in a table, the match is easily found and highlighted in red

So who dit it ?

Now, we can come to a conclusion, since we have a potential name “jcoach”. Let’s compare with the list of alumni in Lily Tuckrige classroom

We have a match with Johnny Coach ! We found the solution to this harassment case

NetworkMiner versus Wireshark

As we solved the case with Wireshark, let’s have a quick look what NetworkMiner could bring. Here a good summary available in Google

I will provide here below a few screenshots of what you can do to solve the case

Conclusion

Doing this exercise, we have discovered some good network packet sniffers, and now could be able to solve more difficult cases

We have seen that with a good packet sniffer, a lot of critical informations could be collected…in such case your personal informations are no longer safe

It was pretty straigthforward to come down to the attacker, thanks to the available email header, then basic filtering in Wireshark and/or NetworkMiner, applying the necessary keywords

Is such a scenario realistic ? Yes, it could be. A network Admin can install such networking sniffers and gather data, or an attacker could slip in a network and also gather informations

To protect yourself, avoid the non encrypted protocols such as HTTP, FTP, TELNET

You can get additional informations about sniffing attacks here : https://www.greycampus.com/blog/information-security/what-is-a-sniffing-attack-and-how-can-you-defend-it

Update 2021/04/30 : please read the chat below, with the user “kinimod” as it shows a deeper complexity to the case !

I found an excellent website for this : https://www.forensicfocus.com/challenges-and-images/, were you can practically train yourself to Computer Forensics. On the home page, please follow the link to the NIST website where you can access several test images : https://www.cfreds.nist.gov/

In this first article, I have taken a test image called “Hacking Case“. There has been several reviews of this case already with published solutions, so I hope that my article brings some value to you guys

The scenario is the following

This is quite vintage…so, an old Dell CPi notebook computer has been found and it is suspected that a so called hacking suspect “Greg Schardt“, is the owner of this device. A hard drive disc image has been generated and made available to us for analysis

Where to start from ? We have a disc drive image (split in 8 parts) and also an EnCase image…what is the difference ? Should we consider both in our analysis, or choosing one of the two images is ok ?

EnCase is one of the most popular computer forensic solution available : https://www.guidancesoftware.com/encase-forensic. It has far reaching capabilities for forensic analysis. An EnCase image was obtained using the EnCase Imager software : https://www.guidancesoftware.com/document/product-brief/encase-forensic-imager

The final format of the image will be the same, either using the disc drive image or the EnCase image. It will be a file full of exotic symbols, that you can see by yourself just clicking on one of the image link : https://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E01

What are these symbols ? These are just Unicode representation of the raw datas encoded into the Hard Disc Drive. It’s not quite human readable, it’s not meant to be in fact…a computer program will do it for you, interpreting the raw data into a human readable format. An Hex Editor will be a first step to represent this data into HEX format, in a more structured way (that’s just an example, no need to do this step to continue reading the article)

So, as the raw images and the EnCase images are in the same format, I chose the EnCase one

I am using the Free Download Manager for this : https://www.freedownloadmanager.org/fr/ Just copy the link of the image file into this tool and it will download the data into one file for you, pretty neat

For the analysis of the image, I’m using the open source Autopsy software for Windows (no need to register to download) : https://www.autopsy.com/download/

The installation is pretty straightforward. Once it’s done, just start a new “Case” in Autopsy by loading the forensic image. You then land on the main screen of this nice software. On this home screen, you will find the image at the top left side. Just right click on it and select “View Summary Information”, and you will find some basic informations allowing to answer the first questions

1. What is the image hash? Does the acquisition and verification hash match ?

The hash is an MD5, it’s value is AEE4FCD9301C03B3B054623CA261959A. Just to remind, this is a unique identifier coming from an MD5 algorithm calculation applied to the file content. It allows a unique identification of the source file

However, the acquisition hash is not given, so I’m not able to compare acquisition and verification hash

2. What operating system was used on the computer ?

You can see immediately that it’s a Windows XP operating system. I told you, it’s vintage !

Looking into the C:\boot.ini file, we find it’s a Professional version

3. When was the install date ?

It seems that there was initially a Windows 98 version installed, followed by an installation of Windows XP (update process) on the 19/08/2004 at 17:35:37 time

4. What is the timezone settings ?

Using Autopsy, we can navigate through the registry. It can be found in Windows\System32\Config folder. In this directory, we can navigate through the files in the top right hand window of Autopsy, which lets the registry informations unfold in the bottom right hand window. Here we go !

First, we have a system registry key set to “Central Standard Time” zone, in system\ControlSet001\Control\TimeZoneInformation :

Second, we have another important registry key in software\Microsoft\Windows NT\CurrentVersion\Time Zones, which contains the exact time zone : GMT – 06:00

5. Who is the registered owner ?

In software\Microsoft\Windows NT\CurrentVersion, we find that the registered owner is Greg Schardt

6. What is the computer account name ?

It can be found in Documents and Settings : Mr. Evil

or, it can be found also in the registry, in the SAM file

7. What is the primary domain name ?

It is N-1A9ODN6ZXK4LQ, which can be found in software\Microsoft\Windows NT\CurrentVersion\Winlogon

8. When was the last recorded computer shutdown date/time ?

To find this, we go to the below registry key : software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTime

We find a shutdown date/time of 27/08/2004–10:46:27

9. How many accounts are recorded (total number) ?

In question 6, we had found already the 5 user names : Administrator, Guest, HelpAssistant, Mr. Evil, SUPPORT_388945a0

10. What is the account name of the user who mostly uses the computer ?

Mr. Evil is the only real user of this computer, as can be seen in Operating System User Account (1)

11. Who was the last user to logon to the computer ?

The name of the last user who logged on successfully appears in the key DefaultUserName in software\Microsoft\Windows NT\CurrentVersion\Winlogon : it’s Mr. Evil !

12. A search for the name of “Greg Schardt” reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to ?

We have seen that Greg Schardt is the registered owner of the device, while Mr. Evil is the only user of the system. We therefore can believe this is the same person

The search for the name Greg Schardt brings us to this result :

We can see, in Program Files, a program called Look@LAN. It’s a portable application that allows a user to monitor which clients are connected to a local network (LAN = Local Area Network) : https://www.majorgeeks.com/files/details/looklan.html

The Program Files Look@LANirunin.ini ties us to Mr. Evil as a LAN user, which proves us the link with Greg Schardt !

13.  List the network cards used by this computer

There are 2 network cards in use in software\Microsoft\Windows NT\CurrentVersion\NetworkCards :

Compaq WL110 Wireless LAN PC Card

Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)

14. This same file reports the IP address and MAC address of the computer. What are they ?

The question is not immediately clear, but you get the idea when considering the software Look@LAN monitors the clients connected to the local network. To search again for the file we already opened in question 12, just type in the top right search bar, the file name irinin.ini

Inside this file, you will easily find the following :

%LANIP%=192.168.1.111 -> usually this IP identifies a PC on a local network (so it makes sense to find this IP !)

%LANNIC%=0010a4933e09 -> a simple MAC adress lookup tool such as https://rst.im/oui/, will confirm this is a Xircom adress. It makes sense with question 13 !

15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN ?

The configuration file of LOOK@LAN is irunin.ini. Let’s open again this file. We find the below informations inside this file :

So, it’s clear that the NIC – Network Interface Card used during the installation and setup, is the card with the MAC adresss 0010a4933e09, that is the Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)

16. Find 6 installed programs that may be used for hacking

Looking into the Program Files, it’s pretty easy to find the following programs :

123WASP : https://www.techspot.com/downloads/107-123-write-all-stored-passwords.html

Anonymizer : https://news.hitb.org/content/anonymizer-launches-free-anonymizer-privacy-tool-ms-ie-browser

Cain : https://myhackingworld.com/cain-and-abel/

Ethereal : https://hackersonlineclub.com/what-is-ethereal-hacking/

(NB : since that time, it has been renamed into Wireshark, the famous network packet sniffing tool https://www.wireshark.org/download.html)

Look@LAN : https://www.techspot.com/community/topics/look-lan.64758/

NetStumbler : https://dudehackingtricks.wordpress.com/2014/08/14/netstumbler-hack-wifi-password/

17. What is the SMTP email address for Mr. Evil ?

To find this information, you could look into the AGENT.INI file. See more about this file in previous versions of Windows :

https://groups.google.com/forum/#!topic/alt.usenet.offline-reader.forte-agent/23uh0mRbq88

The file is located in Program Files\Agent\Data\AGENT.INI

We find the email adress of Mr. Evil : whoknowsme@sbcglobal.net

18. What are the NNTP (news server) settings for Mr. Evil ?

NNTP stands for Network News Transfer Protocol (Newsgroup / Usenet) : https://ccnatutorials.in/application-layer-of-tcp-ip/nntp-network-news-transfer-protocol/

Again, a search in the AGENT.INI file will let you find the information

19. What two installed programs show this information ?

We need to look for mail client and/or Usenet client. One source to look into this is NTUSER.DAT, which is a well known Forensic source

We find that MS Outlook Express reveals the email adress of Mr. Evil. To find this, you need to look into NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\UnreadMail

Just type in NTUSER.DAT in the search bar, and navigate in the file structure

At this moment, I’m not able to find the second program revealing the same information…if you find it, please put it in the comment section !

20. List 5 newsgroups that Mr. Evil has subscribed to ?

There is a good article to understand Outlook Express forensics : https://www.mailxaminer.com/blog/outlook-express-email-forensics/

All the Outlook Express email folders and messages, local IMAP folders and settings are stored in one folder. The location of this directory is :

Documents and Settings\user_name\Local Settings\Application Data\Identities\Microsoft\Outlook Express

We find many newsgroup to which Mr. Evil has suscribed !

21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are
the user settings that was shown when the user was online and in a chat channel ?

The mIRC program (https://www.mirc.com/) can be found in the Program Files

Just open and check through the mirc.ini and you will get the requested information

user=Mini Me
email=none@of.ya
nick=Mr
anick=mrevilrulez

22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the
user of this computer accessed

The log section if mIRC in the Program Files section, reveals their is a “logs” directory. The chat sessions immediately appear here

23. Ethereal, a popular “sniffing” program that can be used to intercept wired and
wireless internet packets was also found to be installed. When TCP packets are collected
and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data ?

Searching into the Ethereal directory, we find a “recent” file. Open this file reveals the requested information “interception“

24. Viewing the file in a text format reveals much information about who and what was
intercepted. What type of wireless computer was the victim (person who had his internet
surfing recorded) using ?

The interception file can be found typing “interception” in the search bar on the top right of the home screen

The user agent is a Microsoft Internet Explorer 4.01 using a Pocket PC with Windows CE, screen resolution 240×320. I told you, it’s vintage !

25. What websites was the victim accessing ?

The victim was accessing mobile.msn.com, as can be seen in the interception file. We can see down below that the victim was also using MSN hotmail (email)

26. Search for the main users web based email address. What is it ?

In the Extracted content web history, you can find many historical browsing files. Searching through these files, you can see some instances were the user had to login. It reveals the email adress mrevilrulez@yahoo.com (we already found this name in question 21)

27. Yahoo mail, a popular web based email service, saves copies of the email under what
file name ?

The Yahoo emails are stored under “ShowLetter[1]“

We can confirm the email adress used by Mr. Evil

28. How many executable files are in the recycle bin ?

There are 4 executables in the recycle bin

29. Are these files really deleted ?

No, they are just moved to the recycle bin and not deleted…!

30. How many files are actually reported to be deleted by the file system ?

It is pretty easy. Just browse to “View” and you will find the counter “All” -> 1 371 files were deleted. Thanks to “bobo” for the tip !

31. Perform an Anti-Virus check. Are there any viruses on the computer ?

Yes, there is a zip bomb present, unix_hack.tgz

It’s found in the “Interesting Items” section

This is what Wikipedia says about zip bombs

Here is an example of a famous zip bomb (try with caution !) : https://www.unforgettable.dk/

Conclusion :

After this writeup, it is clear now that Greg Schardt and Mr. Evil are just one single person. The seized laptop is including hacking software that was used to sniff data from victims, chat on hackers newsgroup and IRC, contain a zip bomb. So, all suspicions about Greg Schardt were true !

One can only be amazed by the power of forensic tools such as Autopsy. It’s quite amazing all the data stored in your PC, that can be recovered by someone knowing were to look at. Be carefull with your data ! Don’t think you can hide on Internet !

Additional note :

I would like to share an excellent ressource I found from the DFIR – Digital Forensics and Incident Response (SANS training and certification institute). It helped me a lot to walk through this challenge. You can download an excellent PDF on this page : https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

See below an example of the sections you find in this PDF. It’s a very helpfull checklist !