Solving Computer Forensic Case Using Autopsy 

Computer Forensics is the well-planned series of procedures and techniques used 

for obtaining evidence from computer systems and storage media. This evidence 
can then be analyzed for relevant information that is to be presented in a court of 
law.  

This article focused on a particular case and a forensic tool to give you a ‘feel’ of 
what computer forensics investigations are like. However, it is in no way 
comprehensive enough to cover the variety of problems and complications faced 
by the investigator. 

Scenario

A complaint was made to the authorities describing alleged Wi-Fi hacking activity. 
When the authorities reached the spot, they found an abandoned Dell computer 
which is suspected that this computer was used for hacking purposes. Schardt 
uses "Mr.Evil" nickname when he goes online. 

He is also accused of parking his car in wireless range (like Starbucks and other 
T-Mobile Hotspots) where he would then intercept internet traffic, attempting to 
get credit card numbers, usernames & passwords. We're going to solve 20 
important questions that will be related to this case by examining the images of his 
computer. 

 
 

Tasks performed:

During the course of investigation, analysis of the evidence would require 

performing the 12 basic tasks of computer forensics: 

1. Generating an image hash and confirming the integrity of the image 

2. Determining the Operating System used on the disk 
3. Determining the date of OS installation 
4. Determining the registered owner, account name in use and the last recorded 
shut down date and time 
5. Determining the account name of the user who mostly used the computer 
and the user who last logged into it 
6. Determining the hacker handle of the user and tying the actual name of the 
user to his hacker handle 
7. Determining the MAC and last allocated IP address of this computer 
8. Locating the programs installed in this computer that could have been used 
for hacking purposes 
9. Collecting information regarding the IRC service that was used by the owner 
10. Searching the Recycle Bin for relevant information 
11. Listing the Newsgroups that the owner of the computer has registered to 
12. Determining the SMTP email address in use 

 
My Blog:

https://qaishussainy.blogspot.com/ 

Video tutorial for this investigation

https://youtu.be/0TUHpYIscBA 
 

Seized Laptop's Disk Image:

Part 1: h
​ ttp://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E01 

Part 2: h
​ ttp://www.cfreds.nist.gov/images/4Dell%20Latitude%20CPi.E02 

Autopsy download link:

https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.14.0/autopsy-4.14.0-64bit.msi

 
 

 
 

Step 1​:  

After downloading the evidence disk and installing Autopsy, run Autopsy it and select New Case 

Step 2: 

Set a name for this case as i have set Mr.Evil and also set the location where you want to save 
your forensic investigation data. click next and provide information but it's optional. click finish. 

 
 

Step 3: 
Select the first options Disk Image  

Select the evidence disk image which you have downloaded before. i have created a separate 
folder by the name of Forensic Case and pasted the disk images into it. 
 

Note: ​ Although both parts of the downloaded image are there in this folder, you will only see 
the first part to select. Autopsy will automatically take the second part of the downloaded image.  

Click next and let all options as default. 

 
  

Wait until all steps of analysis and integrity check loads completely. 
make sure you have sufficient storage minimum 1GB otherwise the modules will not completely 
load and the investigation will be incomplete.  

 
So now let's start our investigation

We will find the solution for these given tasks from the disk image of the suspect. 

Q1. What is the image hash? 

Q2: What operating system was used on the computer? 

Q3: When was the install date? 

Q4. Who is the registered owner? 

Q5. What is the computer account name? 

Q6. When was the last recorded computer shutdown date/time? 

Q7. How many accounts are recorded (total number)? 

Q8.Who was the last user to logon to the computer? 

Q9. List the network cards used by this computer? 

Q10. What is the IP address and MAC address of the computer? 

Q11. Search for programs/tools that aided in the crime (Wireless Hacking) 

Q12. Which Email client is used by Mr. Evil? 

Q13. What is the SMTP email address for Mr. Evil? 

Q14. How many executable files are in the recycle bin? 

Q15. Are there any malware on the computer? 

Q16. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the 
userid, 

Q17. ​Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless 
internet packets was also found to be installed. When TCP packets are collected and 
re-assembled, the default save directory is that users \My Documents directory. What is the 
name of the file that contains the intercepted data? 

Q18. Which internet browser was used? 

Q19. What websites victim was accessing? 

Q20. What is the web-based email address for the main user? 
 

Q1​. What is the image hash?  

Ans1: The HASH of image is A

​ EE4FCD9301C03B3B054623CA261959A. 

How? 

Click on Data source --> Select the image Dell Latitude CPi, E01 --> Click on Metadata 

MD5: AEE4FCD9301C03B3B054623CA261959A 

We check hash to see if the image is not altered or something is not added or not deleted from 
the activities. It's very important because a single tamper to data would make an accused, guilty 
or innocent. 

 
 

Q2​: What operating system was used on the computer? 

Ans2: Microsoft Windows XP was used​. 

How​? 

Click on results --> Extracted Content --> Operating System Information 

then on the right side click on software you can see the under Program Information tab which is 
written Microsoft Windows XP. 

 
 

Q3​: When was the install date? 

Ans3: 2​ 004-08-19 22:48:27 

How? 

Click on results --> Extracted Content --> Operating System Information 

then on the right side click on software you can see under the Date Time tab which is written 
Microsoft Windows XP. 

 
 

 
 

Q4​. Who is the registered owner? 

Ans4: The owner is Greg Schardt 

How? 

Click on results --> Extracted Content --> Operating System Information 

then on the right side click on software you can see the under Owner tab which shows Greg 
Schardt. 

  

 
 

 
 

Q5​. What is the computer account name? 

Ans5: The account name is ​N-1A9ODN6ZXK4LQ 

How? 

Click on results --> Extracted Content --> Operating System Information 

then on the right side click on System you can see the under Name which it shows 
N-1A9ODN6ZXK4LQ 

 
 

Q6​. When was the last recorded computer shutdown date/time? 

Ans6: The last recorded shutdown time of the computer is 2004/08/27-10:46:27 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 --> 

WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTim
e 

 
 

Q7​. How many accounts are recorded (total number)? 

Ans7: There are 5 accounts  

Mr, Administrator, Guest, Support388945a0, HelpAssistant 

How? 

Click on Results --> Operating System User Accounts 

 
 

Q8​.Who was the last user to logon to the computer? 

Ans8: Mr. Evil 

The system will obtain the last user who logged on from the key ‘DefaultUserName’. This 
information can be uncovered from the following path 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

WINDOWS/SYSTEM32/CONFIG/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENT 
VERSION/WINLOGON/DEFAULT USER NAME 

 
 

Q9​. List the network cards used by this computer? 

Ans9: Compaq WL110 Wireless LAN PC Card, Xircom CardBus Ethernet 100 + Modem 56 
(Ethernet Interface). 

How​? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards\ 

click on descriptions

 
  

Q10​. What is the IP address and MAC address of the computer? 

Ans10: IP=192.168.1.111, MAC=00:10:a4:93:3e:09 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 --> Program Files/Look@LAN/irunin.ini 

 
 

Q11​. Search for programs/tools that aided in the crime (Wireless Hacking) 

Ans11: The programs which will be used for hacking purpose 

1. Look@LAN  

Look​@​Lan​ is an advanced network monitor that allows you to monitor your net in few clicks. 

2. Cain  

Cain and Abel is a password recovery tool for Microsoft Windows. It can recover many kinds of 
passwords using methods such as network packet sniffing, cracking various password hashes 
by using methods such as dictionary attacks, brute force and cryptanalysis attacks. 

3. Network Stumbler  

NetStumbler is a tool for Windows that facilitates detection of Wireless LANs using the 
802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft Windows operating 
systems from Windows 2000 to Windows XP. 

4. mIRC  

mIRC is an Internet Relay Chat client for Windows, created in 1995. 

5. Ethereal/Wireshark  

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, 
analysis, software and communications protocol development, and education. 

6. 123WASP 

WASP will display all passwords of the currently logged in user that are stored in the Microsoft 
PWL file. 

 
 

How? 

Click on Results --> Extracted Content --> Installed Programs 

 
 

Q12​. Which Email client is used by Mr. Evil? 

Ans12: Outlook Express, Forte Agent, MSN Explorer, MSN (Hotmail) Email 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

WINDOWS\system32\config\software\clients\Mail 

 
 

Q13​. What is the SMTP email address for Mr. Evil? 

Ans13: The SMTP email address [email protected] 

How​? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

Program Files\Agent\Data\Agent.ini 

 
 

Q14​. How many executable files are in the recycle bin? 

Ans14: There are 4 files in recycle bin 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

Recycler 

Q15​. Are there any malware on the computer? 

Ans15: Yes there is a zip bomb malware by the name of unix_hack.giz in this system. 
How​? 

Click on Results --> Extracted Content --> Interesting Items --> Possible Zip Bomb 
-->Interesting Files 

 
 

Q16​. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the 
userid, 

Ans16: user=Mini Me, [email protected], nick=Mr, anick=mrevilrulez 

How​? 

Click on Data Sources select 4Dell Latitude --> vol2 -->  

Program Files\mIRC\mirc.ini 

 
Q17​. E
​ thereal, a popular “sniffing” program that can be used to intercept wired and wireless 
internet packets was also found to be installed. When TCP packets are collected and 
re-assembled, the default save directory is that users \My Documents directory. What is the 
name of the file that contains the intercepted data? 

Ans17: File name is Interception 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 --> Document and 
Settings\Mr.Evil\intercerption

 
 

Q18​. Which internet browser was used? 

Ans18: Internet explorer 

How? 

Click on Data Sources select 4Dell Latitude --> vol2 --> Document and 
Settings\Mr.Evil\intercerption 
scroll down and see User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 
240x320) 

Q19​. What websites victim was accessing? 

Ans19: l​ ogin.passport.com, mobile.msn.com, ​www.passportimages.com 

How? 

you can also copy all texts from ​intercept​ file and search for the .com it will show you the 
websites which were visited. 
 

Q20​. What is the web-based email address for the main user? 

Ans20: m
​ [email protected] was found in web history. 

How​? 

Click on Results --> Extracted Content --> Web History 

I have used Windows 7 Magnifier to zoom in 

Conclusion 

Computers Forensics is a vast field of study and includes topics like Processing Crime Scenes, 
Operating Systems and File Structures, Recovering Graphic Files and Defeating Steganography, 
Email Investigations, Mobile Device Investigations, Report Writing​.