The Greg Schardt Case 4cc061 Digital Forensic Investigation

qwertyuiopasdfghjklzxc

vbnmqwertyuiopasdfghj

klzxcvbnmqwertyuiopas

dfghjklzxcvbnmqwertyui

opasdfghjklzxcvbnmqwe

CASE INVESTIGATION

The Greg Schardt case

4CC061 Digital Forensic Investigation

Bartosz Inglot

29/04/2009

Digital Forensics | 4CC061 Marking Tutor: HS Lallie Bartosz Inglot | 100090743

2

Case Study

A Dell CPi notebook was seized on 20th September 2004 with the serial number: VLQLW. An external

‘home made’ antenna (802.11b) was also seized. It is suspected that the notebook was used for

hacking purposes, however it cannot be directly linked to the suspect ‐ Greg Schardt. Schardt also

goes by the online nickname of “Mr. Evil”, it is believed that he has been parking his vehicle within

range of Wireless Access Points (such as Starbucks and T‐Mobile Hotspots) where he would then

intercept internet traffic in an attempt to get credit card numbers, usernames & passwords.

The task is to produce a report using FTK which answers the questions in the next section.

Specific Questions

1. Is there any software that could be used for hacking on the notebook?

2. Is there any evidence of the use of that software?

3. Is there evidence of any data that may have been generated as a result of the use of the software?

4. What is the image hash? Does the acquisition and verification hash match?

5. What was the operating system used on the notebook?

6. When was the installation date of the operating system and any other programs (hacking

software)?

7. What is the time‐zone setting?

8. Who was the registered owner?

9. What is the computer account name?

10. What is the primary domain name?

11. When was the last recorded computer shutdown date/time?

12. How many accounts are recorded (total number)?