1. What is the image hash? Does the acquisition
verification hash match?
2. What operating system was used on the computer?
3. When was the install date?
4. What is the timezone settings?
5. Who is the registered owner?
6. What is the computer account name?
7. What is the primary domain name?
8. When was the last recorded computer shutdown date/time?
9. How many accounts are recorded (total number)?
10. What is the account name of the user who mostly uses the computer?
11. Who was the last user to logon to the computer?
12. A search for the name of “Greg Schardt” reveals multiple hits. One of these proves that Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?
13. List the network cards used by this computer
14. This same file reports the IP address and MAC address of the computer. What are they?
15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN?
16. Find 6 installed programs that may be used for hacking.
17. What is the SMTP email address for Mr. Evil?
18. What are the NNTP (news server) settings for Mr. Evil?
19. What two installed programs show this information?
20. List 5 newsgroups that Mr. Evil has subscribed to?
21. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user settings that was shown when the user was online and in a chat channel?
22. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of this computer accessed.
23. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users \My Documents directory. What is the name of the file that contains the intercepted data?
24. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (person who had his internet surfing recorded) using?
25. What websites was the victim accessing?
26. Search for the main users web based email address. What is it?
27. Yahoo mail, a popular web based email service, saves copies of the email under what file name?
28. How many executable files are in the recycle bin?
29. Are these files really deleted?
30. How many files are actually reported to be deleted by the file system?
31. Perform a Anti-Virus check. Are there any viruses on the computer?
Looking at the answers requires a password.
NIST is an agency of the U.S. Commerce Department
Privacy Poilcy/Security Notice -- Disclaimer | FOIA |USAGov
Last updated: November 27, 2007
Technical comments: email@example.com
Website comments: firstname.lastname@example.org