2 \newpage\section{Can you find hints or evidence on the personality of the applicant of Charles Prince? (2 points)}
5 \newpage\section{In particular, search for name, address or contact information (e.g., online nicknames). (2 points)}
6 Online nicks: n.o.b.o.d.y (ebay)
9 \newpage\section{Can you find hard evidence that Charles Prince has stolen the car? (2 points)}
10 Documents and Settings/EdgarAllanPoe/Local Settings/Temp/Temporary Internet Files/Content.IE5/0P2NGHQ3/eBayISAPI[8].htm is an ebay bid page for "4 Sommerreifen für Aston Martin V12 Vanquish"
13 pagefile.sys contains a sms.at-send-sms-page to 42420815 content: I have stolen the Aston. You can get it at the arranged place. greetz, charles prince.
16 \newpage\section{Search for pictures of the stolen car. (2 points)}
20 \newpage\section{Can you find any information on where the car is parked for delivery? (2 points)}
23 \newpage\section{Find all traces of online activity that is connected with the theft. (2 points)}
34 \newpage\section{Details}
36 \subsubsection{NTFS\_Image.dd}
37 NTFS image at the beginning.
39 \textbf{size}: 271401984 byte\\
40 \textbf{''file''-output}: DOS/MBR boot sector, Microsoft Windows XP Bootloader NTFS (german)\\
41 \textbf{sha512}\\\ttfamily{
42 4caa0188dce8219246af0a5e2c52841140fec8d33513e91d880971b19b87c8c0\\
43 16f946227a941e31fdfeb5f35f901c6156e500f8d5fce9bb2035d36cfec34cfa}
47 \subsection{Used tools on GuestVM}
48 Tools that were used for analysis (-{}-version):
53 \subsection{Used tools on VM-Host}
54 Tools that were used for analysis (-{}-version):
56 \item sha512sum (GNU coreutils) 8.22
57 \item ls (GNU coreutils) 8.22
64 \item \textbf{Virtual machine}\\
65 Windows XP Version5.1 (Build2600.xpsp\_sp3\_qfe.130704-0421 : Service Pack3)
66 \item \textbf{Oracle VirtualBox} 4.3.10
67 \item \textbf{Host machine}\\
68 Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 \@ 2.50GHz GenuineIntel GNU/Linux