Scan of the Month 24 Report


Author

Jeff Craig

Overview

This report covers the techniques and programs used to analyze the floppy disk captured from Joe Jacobs, which police believed contained files in relation to Mr. Jacobs's marijuana dealing.

The work involved analyzing a floppy disk image, deducing clues left by Mr. Jacobs, and analyzing the files located on the disk image.

Tools Used:

Procedure

Once I had hold of the image, I immediately generated an md5 sum of the image itself, so I could verify that the image was not changing as I was working. I then created a work directory, and initialized Autopsy to use my work directory as my morgue.

Before going in-depth with autopsy, I mounted the floppy image read-only and tried to copy two files off of the disk: "cover page.jpgc" and "schedu~1.exe". Running the file command on the two files reported the following:

cover page.jpgc: PC formatted floppy with no filesystem
schedu~1.exe:    Zip archive data, at least v2.0 to extract
I made the assumption that schedu~1.exe was a Zip file with a built-in unzipper, which I'm sure was correct, but I didn't have a Windows machine handy on which to test the untrusted binary. However, when attempted, the unzip command returned an error: "End-of-central-directory signature not found." This led me to believe that the file was not complete for some reason. I made note of this and continued on.

I was much more confused by the result for "cover page.jpgc". I assumed that there was meant to be a jpg somewhere on the disk, but that the filesystem had been modified, possibly intentionally, to mask the file.

I then began my analysis of the disk using Autopsy. After clicking on the File Browsing link, I first noticed the deleted file "Jimmy Jungle.doc" (Figure 1). I checked the Inode information on that deleted Inode (Figure 2), and was surprised when I saw the major difference between the reported Size of the file and the number of sectors it occupied on the disk. I clicked on the "33" link, and spent a few minutes stepping through the clusters on the disk until I found the end of the file at sector 72. While stepping through the clusters, I knew I was collecting an important piece of evidence when I hit Cluster 38 (Figure 3). I was uncovering a letter to what appeared to be Joe's supplier. Not only did I now have the Supplier's name and address, I was given another important clue: there is a password on the schedule zip file, and it's the same as what was included in the file Jimmy'd sent him. Presumably this was the "Cover Page.jpg" mentioned in the letter and that appeared to be on the disk.

Knowing that the next important piece of evidence to recover appeared to be the "Cover Page.jpg", I turned my attention toward recovering that. Checking the Inode information, I was interested to see that the device claimed that the file began on Sector 451, as that is pretty far into the disk, especially given the small number of small files located on the disk. Checking the hex dump for Sector 451 (Figure 4), I quickly noted that this was NOT the header for any JPEG file I'd ever seen. Not to be deterred, I popped open Autopsy's Keyword Search, and searched for the string "JFIF" as I knew that that string appears in the Header of every JPEG in existence. Luckily, only a single Sector was returned for where this header was located, Sector 73. Noting that this was only a single sector ahead of where "Jimmy Jungle.doc" ended on the disk, I checked the Inode information for "Scheduled Visits.exe" and saw that it was supposed to begin on Sector 104. Checking that sector information, I saw that, sure enough, Sector 104 had the telltale "PK" header to denote a PKZip file. I assumed that this meant that the "Cover Page.jpg" was on the floppy from Sector 73-103.

Since I'd already tried unzipping "Scheduled Visits.exe", and come to the assumption that the file I'd copied was incomplete, I didn't believe the Inode information's claim that the file ended on Sector 105. I began the familiar practice of stepping through the image Cluster by Cluster, until I found the final "PK" footer on the file. I found it quickly in the listing for Sector 108.

I now believed I knew the locations of the three files on the image. However, I still needed to extract the files from the image. Autopsy would allow me to extract the sectors I needed, one sector at a time. Being a reasonably lazy person, I wasn't going to do this, so I whipped up a quick perl script that used the dcat program from the TASK toolkit to extract all the sectors in a given range and put them into a file. The script is somewhat crude, but it worked nicely, and provided me with what appeared to be three good files.
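The signature search, sector carving and truncated-zip check described in this section, as an added Python example; it is not the author's perl script, the dcat program or any Autopsy code. It builds a constructed floppy-sized image in memory with a JPEG stub at sector 73 and a real, unencrypted zip at sector 104, the positions the report found; the placeholder contents, the `pw=goodtimes` string placed inside the stub, and the claimed end sector of 105 are constructed assumptions. It scans for the JFIF and PK signatures, carves sector ranges the way the perl-plus-dcat loop did, and shows why a copy cut at the directory entry's claimed end fails with the end-of-central-directory error while a copy carried through to the EOCD sector opens cleanly; a small strings-style pass over the carved JPEG previews the later password recovery.

```python
import io
import re
import zipfile

SECTOR = 512

# Signatures to look for (constructed table; the report searched for "JFIF" and "PK" by hand in Autopsy).
SIGNATURES = {
    "JPEG/JFIF": b"\xff\xd8\xff\xe0",               # SOI + APP0 marker; "JFIF" follows at offset 6
    "ZIP local header": b"PK\x03\x04",
    "ZIP end-of-central-directory": b"PK\x05\x06",  # the record unzip could not find in the short copy
}


def build_image(total_sectors=2880):
    """Constructed floppy-sized image: a JPEG stub at sector 73 and a real zip at sector 104.
    The positions are the ones the report found; the contents are placeholders."""
    img = bytearray(total_sectors * SECTOR)
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 200
            + b"pw=goodtimes\x00" + b"\x00" * 50 + b"\xff\xd9")
    img[73 * SECTOR:73 * SECTOR + len(jpeg)] = jpeg
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Scheduled Visits.xls", b"constructed placeholder row\n" * 60)  # ~1.8 KB: sectors 104-107
    zdata = buf.getvalue()
    img[104 * SECTOR:104 * SECTOR + len(zdata)] = zdata
    return bytes(img)


def find_all(img, magic):
    """Every byte offset of magic; searching the whole image catches records that straddle a sector boundary."""
    offs, pos = [], img.find(magic)
    while pos != -1:
        offs.append(pos)
        pos = img.find(magic, pos + 1)
    return offs


def scan_signatures(img):
    """(sector, offset within sector, label) for every hit, in disk order."""
    hits = []
    for label, magic in SIGNATURES.items():
        hits.extend((off // SECTOR, off % SECTOR, label) for off in find_all(img, magic))
    return sorted(hits)


def carve_sectors(img, first, last):
    """Bytes of sectors first..last inclusive: what a loop of dcat calls over that range yields."""
    return img[first * SECTOR:(last + 1) * SECTOR]


def zip_members(data):
    """Member names if data is a complete archive, else None (the end-of-central-directory-not-found case)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def printable_strings(data, min_len=4):
    """What strings(1) prints: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def analyze(img, claimed_zip_end_sector):
    """Locate the files by signature and compare a copy cut at the claimed end with one carried to the EOCD."""
    hits = scan_signatures(img)
    jpeg_start = next(s for s, _, l in hits if l == "JPEG/JFIF")
    zip_start = next(s for s, _, l in hits if l == "ZIP local header")
    eocd_sector = max(s for s, _, l in hits if l == "ZIP end-of-central-directory")
    jpeg = carve_sectors(img, jpeg_start, zip_start - 1)
    return {
        "jpeg_sector": jpeg_start,
        "zip_sector": zip_start,
        "eocd_sector": eocd_sector,
        "short_copy_members": zip_members(carve_sectors(img, zip_start, claimed_zip_end_sector)),
        "full_copy_members": zip_members(carve_sectors(img, zip_start, eocd_sector)),
        "password_hint": [s for s in printable_strings(jpeg) if s.startswith("pw=")],
    }


if __name__ == "__main__":
    for key, value in analyze(build_image(), claimed_zip_end_sector=105).items():
        print(f"{key}: {value}")
```

On a real image, replace `build_image()` with the bytes read from the image file and keep the md5 of that file alongside, as the report does. Searching the whole image rather than one sector at a time means a PK record that straddles a sector boundary is still found; the important result is that the directory entry's claimed end sector is not trusted, and the carve is extended until the EOCD record is actually inside the copy.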

The Unveiling

Now that I had the three files, it was time to try to open them. Knowing that there was some helpful evidence in the "Jimmy Jungle.doc" file, I began by sending that into the antiword program, so that I got the text of the document sent back to me, rather than importing it into a word processor. The text of that letter is linked to below. It was clear that this Jimmy Jungle was Joe's supplier, and that Joe was sending Jimmy his schedule of schools to visit, but that there may be a password on the zip file.

I attempted to unzip "Scheduled Visits.exe" and was greeted by a password prompt. Rather than trying to brute force the password, I remembered that Joe said the password would be the same as in that file Jimmy'd sent him. The only file I had matching that description was "Cover Page.jpg". Opening the image in an image viewer didn't yield any useful information: simply a rather simple mock-up of a magazine cover page. Reaching out on a limb, I ran the standard Unix strings program on the JPEG, and was given the following output:

JFIF
$.' ",#
(7),01444
***output snipped***
zz7q
K;dMj
)
pw=goodtimes
Scheduled Visits.xls
5kUM
gvmq[A
***output snipped***
7*ou
g#6U
H@@ +U
Scheduled Visits.xlsPK
Well, that line "pw=goodtimes" certainly looked interesting, so I attempted unzipping the Scheduled Visits file once again, this time with the password of "goodtimes". Sure enough, I now had the "Scheduled Visits.xls" file. After converting it to HTML, I could see all the schools that Joe frequented in his dealing attempts.

I still wasn't sure what exactly had been done to hide the files, so I found a good reference on-line about the FAT filesystem, and wrote the small program linked to above that would first print out the Boot Sector information on the filesystem. Then it would traverse to the Directory Entry for the root directory, and print out information for all the files. The code is admittedly clunky and inelegant; however, I was having trouble avoiding the VFAT information algorithmically, and I felt it was better that I had the information than that the code was perfect. The output from that program was as follows:

OEM String: MSDOS5.0
Number of Bytes/Sector: 512
Number of Sectors/Cluster: 1
Number of Reserved sectors: 1
Number of FAT Copies: 2
Number of Root Directory Entries: 224
Total number of sectors in the filesystem: 2880
Number of Sectors per FAT: 9
Number of Sectors per Track: 18
Number of heads: 2
Number of Hidden Sectors: 0
File Number: 1
File Name:
Start Sector: 0
File Size: 0
File Number: 2
File Name: åIMMYJ~1DOC
Start Sector: 2
File Size: 20480
File Number: 3
File Name: COVERP~1JPG
Start Sector: 420
File Size: 15585
File Number: 4
File Name: SCHEDU~1EXE
Start Sector: 73
File Size: 1000
Armed with this data, it was fairly obvious what had been done. "Jimmy Jungle.doc" had been deleted from the filesystem, as signified by the 'å' character (0xE5). "Cover Page.jpg" had had its Directory Entry modified so that it supposedly started on Sector 420, instead of 42. And "Scheduled Visits.exe"'s entry had been edited so that the file appeared much smaller than it really was.
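The boot-sector and root-directory walk described above, as an added Python example; it is not the author's linked program. It constructs a 1.44 MB FAT12 image in memory whose BPB and root directory reproduce the report's three entries (the volume-label name, the FAT chains and every field the dump above does not list are constructed assumptions), parses the BPB, follows each entry's FAT12 chain, and flags the three inconsistencies the report found: a 0xE5 first byte, a start cluster that the FAT marks free, and a chain longer than the size field needs. It skips VFAT long-name pieces by their 0x0F attribute, the step the author's program could not do, and finally lists allocated clusters that no entry references, which is where the real JPEG chain sits.

```python
import math
import struct

SECTOR = 512
BPB_FMT = "<3s8sHBHBHHBHHHI"    # jump, OEM, bytes/sector, sectors/cluster, reserved, FATs, root entries,
                                # total sectors, media, sectors/FAT, sectors/track, heads, hidden sectors
DIRENT_FMT = "<11sBBBHHHHHHHI"  # name, attr, ntres, ctime_tenth, ctime, cdate, adate, cluster_hi,
                                # wtime, wdate, cluster_lo, size
FAT12_EOC = 0xFF8               # entries >= this value end a chain


def fat12_get(fat, n):
    """12-bit FAT entry n; entries are packed 1.5 bytes apart."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF


def fat12_set(fat, n, v):
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    val = (val & 0x000F) | (v << 4) if n & 1 else (val & 0xF000) | (v & 0x0FFF)
    fat[off], fat[off + 1] = val & 0xFF, val >> 8


def build_image():
    """Constructed 1.44 MB FAT12 image mirroring the report's root directory: a deleted .doc whose
    chain was released, a .jpg whose start cluster was edited to 420 (its real chain 42-72 is left
    orphaned in the FAT), and an .exe whose size was edited down to 1000 bytes (chain 73-77)."""
    img = bytearray(2880 * SECTOR)
    struct.pack_into(BPB_FMT, img, 0, b"\xeb\x3c\x90", b"MSDOS5.0", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0)
    fat = bytearray(9 * SECTOR)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, 0xFFF)
    for first, last in ((42, 72), (73, 77)):
        for c in range(first, last):
            fat12_set(fat, c, c + 1)
        fat12_set(fat, last, 0xFFF)
    img[1 * SECTOR:10 * SECTOR] = fat     # FAT copy 1
    img[10 * SECTOR:19 * SECTOR] = fat    # FAT copy 2
    entries = (                            # (8.3 name, attribute, first cluster, size)
        (b"SOTM24     ", 0x08, 0, 0),      # volume label (name is a constructed placeholder)
        (b"\xe5IMMYJ~1DOC", 0x20, 2, 20480),
        (b"COVERP~1JPG", 0x20, 420, 15585),
        (b"SCHEDU~1EXE", 0x20, 73, 1000),
    )
    for i, (name, attr, clus, size) in enumerate(entries):
        struct.pack_into(DIRENT_FMT, img, 19 * SECTOR + 32 * i, name, attr, 0, 0, 0, 0, 0, 0, 0, 0, clus, size)
    return bytes(img)


def parse_bpb(img):
    f = struct.unpack_from(BPB_FMT, img, 0)
    bpb = {"oem": f[1].decode(), "bytes_per_sector": f[2], "sectors_per_cluster": f[3], "reserved": f[4],
           "fats": f[5], "root_entries": f[6], "total_sectors": f[7], "sectors_per_fat": f[9]}
    bpb["root_dir_sector"] = bpb["reserved"] + bpb["fats"] * bpb["sectors_per_fat"]
    bpb["data_sector"] = bpb["root_dir_sector"] + bpb["root_entries"] * 32 // bpb["bytes_per_sector"]
    return bpb


def cluster_chain(fat, start, limit=4096):
    out, c = [], start
    while 2 <= c < FAT12_EOC and len(out) < limit:   # limit guards against a looped FAT
        out.append(c)
        c = fat12_get(fat, c)
    return out


def analyze_root_dir(img):
    """Root-directory entries plus the inconsistencies an investigator would flag."""
    bpb = parse_bpb(img)
    bps, spc = bpb["bytes_per_sector"], bpb["sectors_per_cluster"]
    fat = img[bpb["reserved"] * bps:(bpb["reserved"] + bpb["sectors_per_fat"]) * bps]

    def to_sector(clus):
        return bpb["data_sector"] + (clus - 2) * spc

    files, referenced = [], set()
    for i in range(bpb["root_entries"]):
        raw = struct.unpack_from(DIRENT_FMT, img, bpb["root_dir_sector"] * bps + 32 * i)
        name, attr, clus, size = raw[0], raw[1], raw[10], raw[11]
        if name[0] == 0x00:
            break                                     # no entries used beyond this point
        if attr == 0x0F or attr & 0x08:
            continue                                  # VFAT long-name piece or volume label
        chain = cluster_chain(fat, clus)
        referenced.update(chain)
        needed = math.ceil(size / (bps * spc))
        notes = []
        if name[0] == 0xE5:
            notes.append(f"deleted; FAT chain released, carve {needed} clusters from sector {to_sector(clus)}")
        elif fat12_get(fat, clus) == 0:
            notes.append(f"start cluster {clus} is free in the FAT: entry points at unused space")
        elif len(chain) > needed:
            notes.append(f"FAT chain is {len(chain)} clusters but size {size} needs {needed}: size understated")
        files.append({"name": name[:8].decode("latin-1").rstrip() + "." + name[8:].decode("latin-1"),
                      "deleted": name[0] == 0xE5, "start_cluster": clus, "start_sector": to_sector(clus),
                      "size": size, "chain_len": len(chain), "notes": notes})
    n_clusters = (bpb["total_sectors"] - bpb["data_sector"]) // spc + 2
    orphans = [c for c in range(2, n_clusters) if fat12_get(fat, c) and c not in referenced]
    return {"bpb": bpb, "files": files, "orphaned_clusters": orphans}
```

The "Start Sector" values in the dump above are the directory entry's first-cluster field; the sector Autopsy shows is data_sector + (cluster - 2) * sectors_per_cluster, with data_sector = reserved + FATs * sectors_per_FAT + root_entries * 32 / bytes_per_sector = 33 for this geometry. That is why cluster 420 appeared as Sector 451 and cluster 73 as Sector 104. On a real image, pass the bytes of the image file to `analyze_root_dir` in place of `build_image()`.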

A quick scan of the floppy revealed no information past Sector 108 on the disk, so I believe that I've found all the interesting information that existed there. I then prepared md5 sums of all the evidence files I'd collected, and prepared my write-up of the investigation.

Summary of Findings

I was able to find the following files on the floppy:
Filename               Start Sector  End Sector  md5sum                            Link?  HTML Version?
Jimmy Jungle.doc       2             41          b775eb6a4ccc319759d9aaae1e340acc  Yes    Yes
Cover Page.jpg         42            72          045dc7ef554c0099efa6f3792cd88bb5  Yes    No
Scheduled Visits.exe   73            77          4e0be275e3040701145e3235dd43ea4a  Yes    No
Scheduled Visits.xls   N/A           N/A         0988df42266ff538fb6101e7bc9d8e05  Yes    Yes

Answers to Challenge Questions:

  1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

    Jimmy Jungle
    626 Jungle Ave Apt 2
    Jungle, NY 11111
  2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

    Embedded within the coverpage.jpg file, at offset 3d20, is a field named pw with the value "goodtimes". "goodtimes" is the password to the zip file included on the disk, and it was clear that that would be the password because Joe writes to Jimmy in the letter that the password "is the same password that you sent me before with that file."

  3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

    Taken from the "Scheduled Visits.xls" file included in the "Scheduled Visits.exe" zip file, here is the list of all the high schools Joe Jacobs frequented.

    • Smith Hill High School
    • Key High School
    • Leetch High School
    • Birard High School
    • Richter High School
    • Hull High School
  4. For each file, what processes were taken by the suspect to mask them from others?

    "Jimmy Jungle.doc" was deleted from the filesystem, however, using the T@SK toolkit, it was easy to find and recover this file on the filesystem.

    "coverpage.jpg" had its directory entry on the filesystem changed, so that it no longer pointed to Cluster 73, where coverpage.jpg resides, but to Cluster 420.

    "Scheduled Visits.exe" had its directory entry on the filesystem edited so that the file appeared much smaller than it actually was, preventing it from being easily copied from the disk.

  5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

    This was answered in my section on procedures.

  6. BONUS: What Microsoft program was used to create the Cover Page file. What is your proof (Proof is the key to getting this question right, not just making a guess).