Forensic Examination of a Floppy Disk
Analysis of The Honeynet Project's Scan 24

Marc Bayerkohler
Vince Elliott

October 25, 2002

Introduction

The Honeynet Project releases monthly challenges in which raw data from a security incident is provided for analysis.  Scan 24, the challenge for October 2002, is a fictional situation based on the arrest of a suspected drug dealer.  A single floppy disk contains evidence that the police need, but the suspect has tried to hide.  

To complete the challenge, a forensic examination of the disk must be performed, and the challenge questions answered.

File Recovery

Initial data gathering

The image of the floppy disk was downloaded onto a Red Hat 7.2 Linux box, and its md5sum compared with the one published on the challenge web site before anything else was done with it.
$ wget http://www.honeynet.org/scans/scan24/image.zip
--17:01:02--  http://www.honeynet.org/scans/scan24/image.zip
           => `image.zip'
Connecting to www.honeynet.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 18,146 [application/zip]

    0K .......... .......                                    100% @   5.26 KB/s

17:01:05 (5.26 KB/s) - `image.zip' saved [18146/18146]

$ md5sum < image.zip
b676147f63923e1f428131d59b1d6a72  -
The Honeynet Project's web site confirms the MD5sum:
image.zip MD5 = b676147f63923e1f428131d59b1d6a72 ( image.zip )

The first command run was the Unix 'strings' command, which prints the runs of printable characters it finds in a file, whatever the file's format.
$ strings image | more
MSDOS5.0
)ÏͱÄNO NAME    FAT12   3É
Ѽð{
|8N$}$
<snip>
This revealed a wealth of information.  The boot sector's OEM name field reads "MSDOS5.0" and its file system type field reads "FAT12"; the (snipped) boot code also names "NTLDR", the Windows NT loader, which suggests the disk was formatted on a Windows NT family system.

File names were found in the directory table (Table 1), including one deleted file.  The text of a letter (Listing 1), what appears to be a password, and a reference to a spreadsheet (both in Table 2) were also recovered.

åIMMYJ~1DOC    A deleted file, possibly a Microsoft Word document (the leading "å" is byte 0xE5, which FAT writes over the first character of a deleted entry)
COVERP~1JPG    A possible JPEG image file
SCHEDU~1EXE    A possible executable file
Table 1: File names in the directory table.

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Jimmy:
Dude, your pot must be the best it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.

These kids, they tell me marijuana isnt addictive, but they dont stop buying from me. Man, Im sure glad you told me about targeting the high school students. You must have some experience. Its like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. Im an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!

I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.  Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.
Thanks,
Joe
Listing 1, Text of a letter.

pw=goodtimes              A possible password
Scheduled Visits.xls      Name of a Microsoft Excel spreadsheet
Scheduled Visits.xlsPK    The same name followed by "PK", the two-byte signature that begins every record in a ZIP archive
Table 2, Text fragments in the image file.

To access the files in the floppy image, it was attached to a loop device and mounted on the Linux file system.  The loop device was mounted read-only with the options in Table 3, so that the image could not be modified and nothing on it could be executed on the analysis host.

# /sbin/losetup /dev/loop0 image
# mount -o ro,nodev,nosuid,noexec /dev/loop0 mount/
# mount
...
/dev/loop0 on /tmp/sotm/24/mount type vfat (ro,noexec,nosuid,nodev)

The floppy's contents could then be listed from the Linux file system.
$ cd mount
$ ls -l

total 17
-rw-r--r--    1 root     root        15585 Sep 11 08:30 cover page.jpgc
-rw-r--r--    1 root     root         1000 May 24 08:20 schedu~1.exe

ro        Read only
nodev     Do not interpret character or block special devices on the file system
nosuid    Do not allow set-user-identifier or set-group-identifier bits to take effect
noexec    Do not allow execution of any binaries on the mounted file system
Table 3, Mount options for the loop device.

The Unix 'file' command classifies a file by looking at its contents rather than its name.  For instance, a JPEG file could be renamed to 'command.com', but it would still begin with the JPEG signature bytes that identify it.

$ file *
cover page.jpgc           : PC formatted floppy with no filesystem
schedu~1.exe:               Zip archive data, at least v2.0 to extract
'file' does not recognise "cover page.jpgc" as a JPEG, yet the letter indicates it should be a valid image, so perhaps it has been altered (encrypted, encoded or wiped) to conceal the picture.  The file cannot be displayed with image viewing programs.  'file' reports "schedu~1.exe" as plain Zip archive data: the file begins with the "PK" local file header signature rather than the "MZ" stub a self-extracting archive would carry, so it is an ordinary ZIP archive that has been renamed to .exe.  Since the longer file name "Scheduled Visits.xls" was also found by 'strings', that is probably the name of the archived file.  Run as an executable it errors out, and zip archive utilities (WinZip 8.0, Unix unzip) cannot make sense of it either, so this file may also have been changed to conceal its data.  "åIMMYJ~1DOC" has been deleted.  All three files must be recovered to a readable form for further investigation.

Ashes to ashes, disk to disk

To continue the examination, it was useful to restore the image to a physical floppy disk.  This was done from the command line on a Windows box using 'fdimage.exe', a DOS utility distributed with OpenBSD.
C:\scan24>fdimage image a:
The disk was write-protected with its physical tab and scanned for viruses (nothing found).  The tab was then opened so the disk could be edited, and the disk was re-imaged from image.zip whenever a clean copy was needed during the investigation.

Recovering Jimmy Jungle.doc

On a FAT file system, deleting a file changes very little.  The first byte of the file's directory entry is overwritten with 0xE5 (the "å" that 'strings' showed), which marks the entry as reusable and hides the file from listings, and the file's clusters are released in the FAT.  The data itself is left in place until those clusters are reused in the normal course of writing to the disk, so a deleted file can usually be recovered as long as it was stored contiguously and nothing has been written over it.  Many utilities recover files this way.  "åIMMYJ~1DOC" appears to be a deleted Word document.

Windows 95 includes the 'undelete' command; after booting to MS-DOS mode, it was used to recover the file.
C:\>undelete a:*.*

MS-DOS directory contains 1 deleted files.
Of those, 1 files may be recovered.

Using the MS-DOS directory method.

?IMMYJ~1 DOC 20480  4-15-02  2:42p  ..A  Undelete (Y/n)?y
Please type the first character for ?IMMYJ~1.DOC: j

File successfully undeleted.
This fully recovered the Jimmy Jungle.doc file.  undelete could do so because the entry's size (20480 bytes, exactly 40 clusters) and starting cluster (2) were intact and the data had been written contiguously; it only needed the missing first character of the name.

Recovering Scheduled Visits.xls

As previously mentioned, although 'file' indicates "SCHEDU~1.EXE" is a zip file, zip utilities cannot read the archive.
$ unzip schedu~1.exe
Archive:  schedu~1.exe
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
note:  schedu~1.exe may be a plain executable, not an archive
unzip:  cannot find zipfile directory in one of schedu~1.exe or
        schedu~1.exe.zip, and cannot find schedu~1.exe.ZIP, period.
In the strings output "Scheduled Visits.xlsPK", the "PK" is another indication that this is a ZIP file.  According to the ZIP file format description found at My File Formats, every record in a ZIP archive begins with the two bytes "PK" (50 4B in hex): the local file header (PK 03 04), the central directory entry (PK 01 02) and the end-of-central-directory record (PK 05 06).  WinHex is a full-featured Windows hex editor by X-Ways Software Technology AG, which provides a free evaluation download.  On a Windows 2000 computer, "SCHEDU~1.EXE" was opened in WinHex.  For an archive holding one file, PK should appear three times, but it occurs only once in this file, which ends abruptly without the end-of-central-directory record.  The disk image itself was then opened in WinHex, and a search for PK found all three expected hits, including a proper end-of-central-directory record.

Following the ZIP archive format, the archive starts at the local file header at offset 0x0000D000:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

0000D000   50 4B 03 04 14 00 01 00  08 00 98 5A B7 2C C7 55   PK........˜Z·,ÇU
0000D010   60 8D EA 08 00 00 00 42  00 00 14 00 00 00 53 63   `�ê....B......Sc
0000D020   68 65 64 75 6C 65 64 20  56 69 73 69 74 73 2E 78   heduled Visits.x
0000D030   6C 73 94 C8 31 2A E3 49  0B DB A8 10 C2 70 9D FC   ls”È1*ãI.Û¨.Âp�ü
and end at offset 0x0000D973:
0000D940   00 00 20 00 B6 81 00 00  00 00 53 63 68 65 64 75   .. .¶�....Schedu
0000D950   6C 65 64 20 56 69 73 69  74 73 2E 78 6C 73 50 4B   led Visits.xlsPK
0000D960   05 06 00 00 00 00 01 00  01 00 42 00 00 00 1C 09   ..........B.....
0000D970   00 00 00 00                                        ....
These bounds follow from the end-of-central-directory record at 0xD95E: its fields say the central directory is 0x42 bytes long and begins 0x91C bytes into the archive, so the archive starts at 0xD95E - 0x42 - 0x91C = 0xD000, and the 22-byte record (with no trailing comment) ends at 0xD973, giving 0x974 = 2420 bytes in all.  The local file header at 0xD000 also shows flag bit 0 set (the entry is encrypted), a 20-byte file name "Scheduled Visits.xls", and an uncompressed size of 0x4200 = 16896 bytes.  Using WinHex, this was tested: we defined a block with these offsets and saved it to a new file.
Edit -> Define Block...
<image>
Edit -> Copy Block -> Into New File
The new file was a valid zip archive, and could be opened.  The password needed to open the file is the one found earlier (Table 2) with 'strings', and mentioned in the letter (Listing 1).

This shows that the entire archive is on the disk, but that reading the file through the file system does not return all of it.  A directory listing shows why: the file size is suspicious.
05/24/2002  08:20a               1,000 SCHEDU~1.EXE
The file size is exactly 1,000, an unlikely figure, while the recovered archive is 2420 bytes long.  So the length recorded in the file's directory entry is wrong.  (The directory entry, not the FAT proper, holds a file's size and starting cluster; the FAT holds the cluster chains.)  A suspiciously round number like 1,000 suggests the size field was edited by hand with a hex or sector editor, which makes the file unreadable until the length is changed back.

DOS Drive Tool (DDT) by Dan Heimsoth is a directory/sector editor available for free download.  To test how the suspect would have restored access to the file, we changed the file size in the directory entry from 1000 bytes (0x3E8) to what we now know is the correct length, 2420 bytes (0x974).  After writing the change to disk (F9), the entire file was readable from the floppy, giving complete access to "Scheduled Visits.xls".

  PATH = A:\
  ENTRY # = 0008
┌───────────────┬────────────────────────────────────────────┬─────────────────┐
│  "|"= unused  │            Vol     Rd.only  [ Attributes ] │ Start Cluster   │
│  "+"= erased  │         Sub │    Hid │ ┌─────────┬─────────┤     ┌───────────┤
│  Filename.ext │      Arc │  │ Sys │  │ │   Date  │   Time  │     │ File Size │
├───────────────┴────────────────────────┴─────────┴─────────┴─────┴───────────┤
│  +d|o|c||.|?? │ 0  0  0  0  1  1  1  1 │ 15-31-07│ 31:63:62│ 0000│ FFFFFFFF  │
│  +J|i|m|m.|y| │ 0  0  0  0  1  1  1  1 │  3-12-80│  0:03:14│ 0000│ 002E0065  │
│  +IMMYJ?1.DOC │ 0  0  1  0  0  0  0  0 │  4-15-02│ 14:42:30│ 0002│ 00005000  │
│  Bg|c| | .| | │ 0  0  0  0  1  1  1  1 │  1-00-80│  0:01:00│ 0000│ 00200020  │
│  ?c|o|v|e.|r| │ 0  0  0  0  1  1  1  1 │  1-14-80│  0:03:10│ 0000│ 0070006A  │
│  COVERP?1.JPG │ 0  0  1  0  0  0  0  0 │  9-11-02│  8:30:52│ 01A4│ 00003CE1  │
│  Bi|t|s|..|e| │ 0  0  0  0  1  1  1  1 │  1-00-80│  0:01:00│ 0000│ 00200020  │
│  ?S|c|h|e.|d| │ 0  0  0  0  1  1  1  1 │  2-22-80│  0:01:00│ 0000│ 00730069  │
│> SCHEDU?1.EXE │ 0  0  1  0  0  0  0  0 │  5-24-02│  8:20:32│ 0049│ 000003E8 <│
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
└──────────────────────────────────────────────────────────────────────────────┘
[  F1  ][  F2  ][  F3  ][  F4  ][  F5  ][  F6  ][  F7  ][  F8  ][  F9  ][ F10  ]
  HELP   SEARCH   EXIT     FAT   CLUSTR  SUBDIR                   WRITE   CLEAR
F1 = Display Help information

Table 4, Using DOS Drive Tool to edit the directory entry.

A directory listing now shows the correct file length.
05/24/2002  08:20a               2,420 SCHEDU~1.EXE

Recovering cover page.jpg

A directory listing of the floppy shows a "cover page.jpgc".
09/11/2002  08:30a              15,585 cover page.jpgc
But the file is difficult to access.  Most Windows programs cannot open it, and the command line tools do no better.
C:\dloads\sotm24\temp>copy a:c*.* .
a:cover page.jpgc
The system cannot find the file specified.
        0 file(s) copied.
On the Linux system, a directory listing shows that the file name has been padded with trailing spaces, which is why the Windows tools cannot resolve it.
$ ls --escape
cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \
The 'hexdump' command was used to view the contents of the file.  Inside is nothing but 0xF6 (the fill pattern DOS FORMAT writes to unused sectors) for the first 512 bytes and 0x00 after that.
$ hexdump cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \
0000000 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6
*
0000200 0000 0000 0000 0000 0000 0000 0000 0000
*
0003ce0
This is certainly not a file that follows the JPEG file format.  According to the format, a JPEG file starts with the SOI marker 0xFFD8 and ends with the EOI marker 0xFFD9.  Within the compressed image data 0xFF is always followed by 0x00 or a restart marker, so the first 0xFFD9 after the SOI is the real end of the picture; the one case to watch for is a file carrying an embedded thumbnail (as EXIF files from cameras do), whose own SOI/EOI pair would stop a naive search early, but this JFIF file has no such segment.  Searching the image with WinHex reveals both markers, and they define a block that looks like a valid JPEG file.  Using the same procedure as above, WinHex was used to save the block to a new file, which was indeed a JPEG image.
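The two block copies above (the ZIP archive from its end-of-central-directory record, the JPEG from its SOI and EOI markers) can be automated. The following is an added example, not code from the original write-up or from any tool it names. It runs against a constructed 16 KiB "disk image" filled with the 0xF6 format pattern, with a JPEG that carries an EXIF-style thumbnail (to show why a plain search for FF D9 is not enough) and an unencrypted ZIP (the floppy's archive was encrypted; zipfile reads those with pwd=b'...'). The offsets 0x1000 and 0x3000 and the file contents are assumptions of the example.

```python
"""Carve a ZIP archive and a JPEG out of a raw disk image by their signatures, as the WinHex
block copies above did by hand: ZIP bounds from the end-of-central-directory record, JPEG
bounds by walking the marker segments from SOI to the real EOI."""
import io
import struct
import zipfile

LOCAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x05\x06"


def carve_zip(image, hint=0):
    """Return [start, end) of the first ZIP whose EOCD record lies at or after `hint`.
    EOCD: sig(4) disk(2) cd_disk(2) entries(2) entries_total(2) cd_size(4) cd_offset(4)
    comment_len(2); cd_offset is relative to the archive start, so the archive begins at
    eocd - cd_size - cd_offset and ends 22 + comment_len bytes after the EOCD signature."""
    eocd = image.find(EOCD_SIG, hint)
    while eocd >= 0 and eocd + 22 <= len(image):
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", image, eocd + 12)
        start, end = eocd - cd_size - cd_offset, eocd + 22 + comment_len
        if start >= 0 and image[start:start + 4] == LOCAL_SIG:
            return start, end
        eocd = image.find(EOCD_SIG, eocd + 1)          # "PK\5\6" inside other data: keep looking
    return None


def carve_jpeg(image, hint=0):
    """Return [start, end) of the first JPEG at or after `hint`. Segments before the scan are
    skipped by their length field, so an embedded thumbnail's own SOI/EOI pair (common in EXIF
    APP1 segments) cannot end the carve early. Inside the scan FF 00 is a stuffed byte and
    FF D0..D7 are restart markers; only a real FF D9 ends the image."""
    start = image.find(b"\xff\xd8\xff", hint)
    if start < 0:
        return None
    pos = start + 2
    while pos + 1 < len(image) and image[pos] == 0xFF:
        marker = image[pos + 1]
        if marker == 0xFF:                             # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:
            return start, pos + 2
        if pos + 4 > len(image):
            return None
        pos += 2 + struct.unpack_from(">H", image, pos + 2)[0]
        if marker == 0xDA:                             # SOS: skip entropy-coded data
            while pos + 1 < len(image) and not (image[pos] == 0xFF and image[pos + 1] != 0x00
                                                 and not 0xD0 <= image[pos + 1] <= 0xD7):
                pos += 1
    return None


def naive_jpeg_end(image, start):
    """What a plain search for FF D9 returns; wrong whenever a thumbnail precedes the scan."""
    return image.find(b"\xff\xd9", start) + 2


def build_sample_image():
    """Constructed 16 KiB 'disk image': 0xF6 fill (the DOS FORMAT pattern), a JPEG carrying an
    EXIF-style thumbnail at 0x1000, and an unencrypted ZIP at 0x3000 (placeholder payload)."""
    thumb = b"\xff\xd8\xff\xdb\x00\x04\x00\x00\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(thumb)) + b"Exif\x00\x00" + thumb
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"        # contains a stuffed FF 00 and an RST0
    jpeg = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scheduled Visits.xls", b"constructed spreadsheet payload " * 40)
    zipped = buf.getvalue()
    image = bytearray(b"\xf6" * 0x4000)
    image[0x1000:0x1000 + len(jpeg)] = jpeg
    image[0x3000:0x3000 + len(zipped)] = zipped
    return bytes(image), jpeg, zipped


def carve_all(image):
    """Carve both artefacts and open the ZIP to prove the bounds are right."""
    zs, ze = carve_zip(image)
    js, je = carve_jpeg(image)
    names = zipfile.ZipFile(io.BytesIO(image[zs:ze])).namelist()
    return {"zip": (zs, ze), "jpeg": (js, je), "zip_names": names}
```

Applied to the real image, carve_zip would report (0xD000, 0xD974), the same bounds derived by hand above; the validation of the local header signature at the computed start is what keeps a stray "PK\5\6" inside unrelated data from being mistaken for an archive.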

The JPEG file was on the floppy, but its directory entry pointed at another part of the disk.  The suspect must want the file, because pains were taken to conceal it rather than delete it.  It must therefore be possible to reverse the process and access the file normally.

Using WinHex to open the floppy disk itself (not the image) shows that the actual JPEG data starts at cluster 42, which the allocation map shows as free space.

Screenshot of WinHex

DDT shows that "COVERP?1.JPG" starts at cluster 0x01A4 (see Table 4), or 420 decimal.  Likewise, WinHex shows that cluster 420 belongs to "cover page.jpgc           ".

Screenshot of WinHex

420 is an easy edit of 42 (one appended digit); it appears the suspect edited the directory entry again, this time changing the file's starting cluster.  DDT was used to set the starting cluster of "cover page.jpgc" back to 42 (0x2A).

  PATH = A:\
  ENTRY # = 0005
┌───────────────┬────────────────────────────────────────────┬─────────────────┐
│  "|"= unused  │            Vol     Rd.only  [ Attributes ] │ Start Cluster   │
│  "+"= erased  │         Sub │    Hid │ ┌─────────┬─────────┤     ┌───────────┤
│  Filename.ext │      Arc │  │ Sys │  │ │   Date  │   Time  │     │ File Size │
├───────────────┴────────────────────────┴─────────┴─────────┴─────┴───────────┤
│  +d|o|c||.|?? │ 0  0  0  0  1  1  1  1 │ 15-31-07│ 31:63:62│ 0000│ FFFFFFFF  │
│  +J|i|m|m.|y| │ 0  0  0  0  1  1  1  1 │  3-12-80│  0:03:14│ 0000│ 002E0065  │
│  +IMMYJ?1.DOC │ 0  0  1  0  0  0  0  0 │  4-15-02│ 14:42:30│ 0002│ 00005000  │
│  Bg|c| | .| | │ 0  0  0  0  1  1  1  1 │  1-00-80│  0:01:00│ 0000│ 00200020  │
│  ?c|o|v|e.|r| │ 0  0  0  0  1  1  1  1 │  1-14-80│  0:03:10│ 0000│ 0070006A  │
│> COVERP?1.JPG │ 0  0  1  0  0  0  0  0 │  9-11-02│  8:30:52│ 002A│ 00003CE1 <│
│  Bi|t|s|..|e| │ 0  0  0  0  1  1  1  1 │  1-00-80│  0:01:00│ 0000│ 00200020  │
│  ?S|c|h|e.|d| │ 0  0  0  0  1  1  1  1 │  2-22-80│  0:01:00│ 0000│ 00730069  │
│  SCHEDU?1.EXE │ 0  0  1  0  0  0  0  0 │  5-24-02│  8:20:32│ 0049│ 00000974  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
│  ||||||||.||| │ 0  0  0  0  0  0  0  0 │  0-00-80│  0:00:00│ 0000│ 00000000  │
└──────────────────────────────────────────────────────────────────────────────┘
[  F1  ][  F2  ][  F3  ][  F4  ][  F5  ][  F6  ][  F7  ][  F8  ][  F9  ][ F10  ]
  HELP   SEARCH   EXIT     FAT   CLUSTR  SUBDIR                   WRITE   CLEAR
F9 = Write the new DIRECTORY data to the disk.

Table 5, DDT showing the root directory after both corrections.

Mounting the floppy under Linux makes it easy to work around the padded file name; the shell only needs the spaces escaped.
$ cp cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \  /tmp/coverpage.jpg
And now we have recovered the "cover page.jpg".  It should be noted that Symantec's Norton Disk Doctor was also able to recover this file, even though the directory entry was completely wrong, and the actual file was in space listed as free.
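The three recoveries above (undeleting Jimmy Jungle.doc, repairing the size of SCHEDU~1.EXE, repairing the starting cluster of cover page.jpg) all come down to reading the FAT12 root directory and FAT and noticing where the two disagree. The following is an added example, not code from the original write-up or from DDT, Norton Disk Doctor or any other tool named here. It builds a 1.44 MB FAT12 image (standard geometry: 512-byte sectors, one sector per cluster, two 9-sector FATs, 224 root entries, so data begins at sector 33) that mirrors the floppy's cluster layout with placeholder bytes rather than the real files, then audits the directory and reads each file back the way the recoveries did. The entry contents and cluster numbers are taken from the tables above; the file bytes are assumptions.

```python
"""Parse a FAT12 boot sector, FAT and root directory, flag the three kinds of tampering
found on the Scan 24 floppy, and read each file back the way the recoveries above did."""
import struct

FAT12_FREE = 0x000


def fat12_get(fat, n):
    """Read 12-bit FAT entry n; entries are packed 1.5 bytes apiece."""
    w = struct.unpack_from("<H", fat, n * 3 // 2)[0]
    return w >> 4 if n & 1 else w & 0x0FFF


def fat12_set(fat, n, val):
    """Write 12-bit FAT entry n without disturbing the neighbour sharing its middle byte."""
    off = n * 3 // 2
    w = struct.unpack_from("<H", fat, off)[0]
    w = (w & 0x000F) | (val << 4) if n & 1 else (w & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, off, w)


def fat12_chain(fat, n):
    """Follow a cluster chain until an end-of-chain (>= 0xFF8), free (0) or looping entry."""
    chain = []
    while 2 <= n < 0xFF0 and n not in chain:
        chain.append(n)
        n = fat12_get(fat, n)
    return chain


class Fat12Image:
    def __init__(self, image):
        self.image = bytes(image)
        bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", self.image, 11)
        spf = struct.unpack_from("<H", self.image, 22)[0]
        self.bps, self.cluster_size = bps, bps * spc
        self.fat = self.image[reserved * bps:(reserved + spf) * bps]
        self.root_off = (reserved + nfats * spf) * bps
        self.data_off = self.root_off + root_entries * 32

    def sector_of(self, cluster):
        """First sector of a cluster, as istat prints it (cluster 2 is sector 33 on this geometry)."""
        return (self.data_off + (cluster - 2) * self.cluster_size) // self.bps

    def cluster(self, n):
        off = self.data_off + (n - 2) * self.cluster_size
        return self.image[off:off + self.cluster_size]

    def entries(self):
        """Yield (name, deleted, start_cluster, size) for each 8.3 entry in the root directory."""
        for off in range(self.root_off, self.data_off, 32):
            e = self.image[off:off + 32]
            if e[0] == 0x00:
                break                          # no entries beyond this point
            if e[11] == 0x0F:
                continue                       # VFAT long-name piece (the "S.c.h.e.d" strings showed)
            deleted = e[0] == 0xE5             # what strings rendered as a leading "å"
            base = (b"?" if deleted else e[:1]) + e[1:8]
            name = base.decode("latin-1").rstrip() + "." + e[8:11].decode("latin-1").rstrip()
            start, size = struct.unpack_from("<HI", e, 26)
            yield name, deleted, start, size

    def audit(self):
        """{name: findings}: deleted entry, start cluster free in the FAT, or a size field that
        does not match the length of the cluster chain."""
        report = {}
        for name, deleted, start, size in self.entries():
            needed, issues = -(-size // self.cluster_size), []
            if deleted:
                issues.append("deleted entry (first byte 0xE5); clusters released in the FAT")
            elif fat12_get(self.fat, start) == FAT12_FREE:
                issues.append("start cluster %d is marked free in the FAT" % start)
            elif len(fat12_chain(self.fat, start)) != needed:
                issues.append("size %d needs %d clusters but the chain has %d"
                              % (size, needed, len(fat12_chain(self.fat, start))))
            report[name] = issues
        return report

    def read(self, start, size, follow_fat=True):
        """Read `size` bytes from `start` along the FAT chain, or (as undelete does when the
        chain of a deleted file is gone) assuming the clusters are contiguous."""
        needed = -(-size // self.cluster_size)
        clusters = fat12_chain(self.fat, start) if follow_fat else range(start, start + needed)
        return b"".join(self.cluster(c) for c in clusters)[:size]


def build_sample_floppy():
    """Constructed 1.44 MB image mirroring the floppy's layout: the deleted .DOC at clusters
    2-41, the JPEG at 42-72, the ZIP at 73-77 (placeholder bytes, not the real files). The
    JPEG entry is pointed at free cluster 420 and the ZIP entry's size is cut to 1000."""
    bps, spf, root_entries = 512, 9, 224
    img = bytearray(2880 * bps)
    img[0:11] = b"\xEB\x3C\x90MSDOS5.0"
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, 1, 2, root_entries, 2880, 0xF0, spf)
    fat = bytearray(spf * bps)
    fat[0:3] = b"\xF0\xFF\xFF"
    doc = b"D" * 20480
    jpg = b"\xff\xd8" + b"J" * 15581 + b"\xff\xd9"
    zip_ = b"PK\x03\x04" + b"Z" * 2416
    data = 33 * bps                                         # first data sector on this geometry
    for first, blob in ((2, doc), (42, jpg), (73, zip_)):
        img[data + (first - 2) * bps:data + (first - 2) * bps + len(blob)] = blob
    for first, count in ((42, 31), (73, 5)):                # the .DOC chain was released on delete
        for c in range(first, first + count):
            fat12_set(fat, c, c + 1 if c < first + count - 1 else 0xFFF)
    img[bps:bps + len(fat)] = fat
    img[(1 + spf) * bps:(1 + spf) * bps + len(fat)] = fat   # second FAT copy
    root = (1 + 2 * spf) * bps
    for i, (name, start, size, first_byte) in enumerate(
            (("JIMMYJ~1DOC", 2, 20480, 0xE5), ("COVERP~1JPG", 420, 15585, None),
             ("SCHEDU~1EXE", 73, 1000, None))):
        e = bytearray(32)
        e[0:11], e[11] = name.encode(), 0x20                 # 8.3 name, archive attribute
        struct.pack_into("<HI", e, 26, start, size)
        if first_byte is not None:
            e[0] = first_byte
        img[root + i * 32:root + (i + 1) * 32] = e
    return bytes(img), doc, jpg, zip_
```

sector_of() reproduces the "Sectors:" numbers istat prints further down (cluster 420 is sector 451, cluster 73 is sector 104). The audit flags exactly the three conditions the investigation hit; the recovery for the deleted file assumes contiguity, which is the same assumption undelete makes and the reason it only works when the file was not fragmented or overwritten. Repairing the size of the ZIP entry still requires knowing the true length, which on the floppy came from the archive's own end-of-central-directory record.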

Below is a simplified graphic showing the differences between the actual file locations and those described by the edited directory entries.  In cluster terms (from the start clusters and sizes recovered above, with 512-byte clusters): Jimmy Jungle.doc occupies clusters 2-41 with its entry deleted; cover page.jpg occupies clusters 42-72 while its entry pointed at cluster 420; and the ZIP archive occupies clusters 73-77 while its entry claimed only 1,000 bytes, two clusters.

[Graphic of file placement on disk]
Figure 1, Placement of files on the disk.

Recovered files

The recovered files were made available with this submission.  An MD5 sum of each is listed so that the integrity of the evidence can be verified if it is used in court.

Filename               MD5                               Size   Description
JIMMYJ~1.DOC           b775eb6a4ccc319759d9aaae1e340acc  20480  Letter from Mr. Jacobs to Mr. Jungle.  MS Word document.
SCHEDU~1.EXE           ab6a87ff7acf36eb2803dfd12ec2036f  2420   Zip archive of Scheduled Visits.xls.
Scheduled Visits.xls   63201eae843132476343a862966f7643  16896  Rotating schedule of visits to high schools.  MS Excel.
cover page.jpg         e30e8ecec4500678f7270e96b1d5663b  15585  Magazine cover ("POT SMOKERS MONTHLY", see Misdirection below) declaring Mr. Jungle a featured pot grower.  JPEG image.
Table 6, Files recovered from the floppy disk.

File Analysis

Time stamps

Using ils with FAT support (the TASK/Sleuth Kit version of the Coroner's Toolkit tools; the original TCT tools do not understand FAT), directory entry information was retrieved from the image.  FAT has no inodes; the "inode" numbers below are the tool's numbering of directory entries:
# ils -e -f fat12 /tmp/sotm/24/image.dd
class|host|device|start_time
ils|wghou899061a7|/tmp/sotm/24/image.dd|1035497126
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_mode|st_nlink|st_size|st_block0|st_block1
2|a|0|0|0|0|0|40000|1|7168|1|0
5|f|0|0|1018899750|1031720400|1031752188|100777|0|20480|2|0
8|a|0|0|1031751052|1031720400|1031752226|100777|1|15585|420|0
11|a|0|0|1022246432|1031720400|1031752238|100777|1|1000|73|0
Using the retrieved entry numbers with istat from the same toolkit, basic information on each entry was returned:
# istat -f fat12 /tmp/sotm/24/image.dd 2
Directory Entry: 2
Allocated
DOS Mode: Directory, Read Only, Hidden
size: 7168
num of links: 1
Directory Entry Times:
Written:        Wed Dec 31 18:00:00 1969
Accessed:       Wed Dec 31 18:00:00 1969
Created:        Wed Dec 31 18:00:00 1969
Sectors:19 20 21 22 23 24 25 26 27 28 29 30 31 32
This is the root directory of the floppy: sectors 19-32 are 14 sectors of 512 bytes, 7168 bytes, room for the 224 entries of a 1.44 MB disk.  (The FAT itself occupies sectors 1-18, two copies of 9 sectors, and is not a directory entry.)
# istat -f fat12 /tmp/sotm/24/image.dd 5
Directory Entry: 5
Not Allocated
DOS Mode: File
size: 20480
num of links: 0
Name: _IMMYJ~1.DOC
Directory Entry Times:
Written:        Mon Apr 15 14:42:30 2002
Accessed:       Wed Sep 11 00:00:00 2002
Created:        Wed Sep 11 08:49:48 2002
Sectors:33
This is the deleted file; see 'File Recovery' and 'Recovering Jimmy Jungle.doc' above for the recovery.  Only the first sector is listed because the clusters of a deleted file have been released in the FAT, so there is no chain left to follow.  The 'Written' time, 2:42 pm, corresponds to the time frame in the recovered schedule spreadsheet.  Further, given the police report that "Jacobs has been seen on numerous occasions hanging out at various local high school parking lots around 2:30pm", it is possible that the computer on which Jacobs wrote this file is close to Richter High School, the school the recovered schedule lists for that day.
# istat -f fat12 /tmp/sotm/24/image.dd 8
Directory Entry: 8
Allocated
DOS Mode: File
size: 15585
num of links: 1
Name: COVERP~1.JPG
Directory Entry Times:
Written:        Wed Sep 11 08:30:52 2002
Accessed:       Wed Sep 11 00:00:00 2002
Created:        Wed Sep 11 08:50:26 2002
Sectors:451
From its file name this appears to be an image file.  A hex editor confirms that a JFIF header exists on the disk, although not at the cluster this entry points to (see 'Recovering cover page.jpg' above).
# istat -f fat12 /tmp/sotm/24/image.dd 11
Directory Entry: 11
Allocated
DOS Mode: File
size: 1000
num of links: 1
Name: SCHEDU~1.EXE
Directory Entry Times:
Written:        Fri May 24 08:20:32 2002
Accessed:       Wed Sep 11 00:00:00 2002
Created:        Wed Sep 11 08:50:38 2002
Sectors:104 105
From its file name this appears to be a Windows executable, but a hex editor shows it begins with the "PK" ZIP signature rather than an "MZ" executable stub: it is a ZIP archive renamed to .exe, not a self-extracting one.

Hiding text within image files

The password, 'goodtimes', was recovered using the Unix 'strings' command.  However, because the suspect manipulated the directory entries, it is hard to tell whether the text is left over from an earlier, deleted file or was deliberately part of another file.  On the disk it sits immediately after the JPEG data.  Image viewers stop reading at the JPEG end-of-image marker (0xFFD9) or the GIF trailer byte (0x3B, ';'), so text appended after either remains invisible while the image still displays normally.

For example, the images below have text added to them.
$ cat anne.jpg hidden.txt > anne_text.jpg

$ strings anne.jpg | tail -3
Z#_a
zx{w
ln6=

$ strings anne_text.jpg | tail -3
zx{w
ln6=
Look GIR, a secret message!

$ strings anne_text.gif | tail -3
,|dG
 ]p|U@
;Look GIR, a secret message!
(anne_text.gif was made the same way; the ';' in front of the message is the GIF trailer byte, after which a GIF decoder stops reading.)


Misdirection

It also appears that Mr. Jacobs was using misdirection in his letter to Mr. Jungle.  In the letter, he refers to Mr. Jungle's appearance on the cover of "High Times Magazine".  However, the recovered image is the cover of "POT SMOKERS MONTHLY".  This may have been an attempt to divert attention to the grower on the cover of High Times Magazine if the letter were intercepted.


[Recovered image file: cover of POT SMOKERS MONTHLY, date unknown.]
[Archived image file: cover of High Times Magazine for September, 2002.]

Answers to Questions

Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

What crucial data is available within the coverpage.jpg file and why is this data crucial?

The image itself declares Jimmy Jungle to be "This month's featured pot grower, smoker and seller".  This corroborates both Mr. Jacobs' initial statement to police, which he had refused to validate, "Look at this stuff, Colombians couldn't grow it better! My supplier not only sells it direct to me, he grows it himself.", and his statements to the same effect in his letter to Mr. Jungle.  This could be crucial in preparing a case against Mr. Jungle even if Mr. Jacobs refuses to testify.

Because the suspect edited the directory entries by hand, it cannot be settled from the directory alone whether the text 'goodtimes' found right after the JPEG data belongs to that file's last cluster or is left over from something else; it is possible the password was deliberately stored as text on the end of the image.  Either way, it was crucial in unzipping the spreadsheet, although tools exist for cracking encrypted ZIP archives without it.

What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

As listed in his Scheduled Visits spreadsheet: Birard High School, Hull High School, Key High School, Leetch High School, and Richter High School.

For each file, what processes were taken by the suspect to mask them from others?

Jimmy Jungle.doc
Deleted in a normal fashion.

SCHEDU~1.EXE
Edited the file's directory entry to shrink the recorded length from 2,420 to 1,000 bytes.

cover page.jpg
Padded the file name with a trailing 'c' and trailing spaces, and edited the directory entry so that it pointed to the wrong starting cluster (420 instead of 42).

What processes did you (the investigator) use to successfully examine the entire contents of each file?

Jimmy Jungle.doc
Used the DOS undelete command to recover the file.

SCHEDU~1.EXE
Identified the file's boundaries by following the ZIP archive format, then used WinHex to copy the block out as a new file.  Alternatively, repaired the file's length in its directory entry so the file is readable from the floppy.  The archive was unzipped using WinZip with the password 'goodtimes' that was found on the disk.

cover page.jpg
Identified the file's boundaries by following the JPEG image format, then used WinHex to copy the block out as a new file.  Alternatively, repaired the file's starting cluster in its directory entry so the file is readable from the floppy.  Alternatively, used Norton Disk Doctor to recover the file.

*BONUS* What Microsoft program was used to create the Cover Page file? What is your proof (Proof is the key to getting this question right, not just making a guess)?

We believe that Paint 5.1 was used to create the cover page image.  To determine the application that created the JPEG, the header of the file was dissected using WinHex.  The deconstruction follows:
FFD8: SOI (Identify a JPEG/JFIF File)
FFE0: JFIF APP0 segment marker
0010: Length (high byte 00, low byte 10: 16 bytes, counting the length field itself)
4A46494600: Identifies JFIF
01: Major Revision
01: Minor Revision
01: Units for x/y densities (here, x/y is in dots/inch)
0060: X density (high byte, low byte: 96 dots/inch)
0060: Y density (high byte, low byte: 96 dots/inch)
00: thumbnail width
00: thumbnail height
FFDB: Define Quantization Table
0043: Length (high byte, low byte: 67 = 2 + 1 + 64)
00: high nibble = precision (0 = 8-bit entries, so the table is 64 bytes; 1 would mean 16-bit entries and a length of 131), low nibble = table number 0

Quantization Table
08060607060508
0707070909080A0C140D0C0B0B0C1912
130F141D1A1F1E1D1A1C1C20242E2720
222C231C1C2837292C30313434341F27
393D38323C2E333432

FFDB: Define another Quantization Table
0043: Length (high byte, low byte: again 67, so this table is also 8-bit)
01: high nibble = precision 0 (8-bit), low nibble = table number 1

Quantization table
0909090C0B0C180D0D1832211C2132323232
32323232323232323232323232323232
32323232323232323232323232323232
3232323232323232323232323232

FFC0: Start of Frame 0
0011: Length
08: Precision (8 bits/sample)
00C7: Height
00D0: Width
03: Number of components
Component #1
01: Y component
22: sampling factor
00: quantization table #
Component #2
02: Cb Component
11: sampling factor
01: quantization table #
Component #3
03: Cr component
11: sampling factor
01: quantization table #

APP0: JFIF segment marker:
~~~~~~~~~~~~~~~~~~~~~~~~~~
  - $ff, $e0 (APP0)
  - length (high byte, low byte), must be >= 16
  - 'JFIF'#0 ($4a, $46, $49, $46, $00), identifies JFIF
  - major revision number, should be 1 (otherwise error)
  - minor revision number, should be 0..2 (otherwise try to decode anyway)
  - units for x/y densities:
     0 = no units, x/y-density specify the aspect ratio instead
     1 = x/y-density are dots/inch
     2 = x/y-density are dots/cm
  - x-density (high byte, low byte), should be <> 0
  - y-density (high byte, low byte), should be <> 0
  - thumbnail width (1 byte)
  - thumbnail height (1 byte)
  - n bytes for thumbnail (RGB 24 bit), n = width*height*3

Table 7, APP0 segment layout (from the JPEG format reference).

SOF0: Start Of Frame 0:
~~~~~~~~~~~~~~~~~~~~~~~
  - $ff, $c0 (SOF0)
  - length (high byte, low byte), 8+components*3
  - data precision (1 byte) in bits/sample, usually 8 (12 and 16 not
    supported by most software)
  - image height (2 bytes, Hi-Lo), must be >0 if DNL not supported
  - image width (2 bytes, Hi-Lo), must be >0 if DNL not supported
  - number of components (1 byte), usually 1 = grey scaled, 3 = color YCbCr
    or YIQ, 4 = color CMYK)
  - for each component: 3 bytes
     - component id (1 = Y, 2 = Cb, 3 = Cr, 4 = I, 5 = Q)
     - sampling factors (bit 0-3 vert., 4-7 hor.)
     - quantization table number

Table 8, SOF0 segment layout (from the JPEG format reference).
After testing several Microsoft image editing programs (Image Composer, PhotoDraw 2000, Paint 5.0 and Paint 5.1), it was found that, of these, only Microsoft Paint 5.1 (under Windows XP) wrote a JFIF header with x and y densities identical to those of the recovered file (0x0060, see above).  We therefore believe that Paint 5.1 was used to create the cover page image.
Image Composer:    0001,0001
PhotoDraw:         0096,0096
Paint 5.0:         012C,012C
Paint 5.1:         0060,0060
recovered.jpg:     0060,0060

Two caveats on the strength of this proof.  0x0060 is 96 dots per inch, the default Windows display resolution, so any encoder that writes the screen resolution into the JFIF header would produce the same field.  And the two quantization tables listed above are exactly the IJG (libjpeg) standard luminance and chrominance tables scaled to quality 75, that library's default, which many encoders share.  The evidence is consistent with Paint 5.1 but does not by itself exclude every other program; comparing the whole header (APP0, both tables, the SOF0 sampling factors 2x2, 1x1, 1x1, and the absence of any other segments) against a sample saved by each candidate program gives a stronger fingerprint.
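The header walk above, and the check in 'Hiding text within image files' for data appended after the end-of-image marker, can both be done programmatically. The following is an added example, not code from the original write-up or from any tool it names. It parses the JFIF APP0, DQT and SOF0 segments, identifies the IJG quality factor that reproduces each quantization table, and reports any bytes trailing the EOI marker. The sample it runs on is constructed: the header bytes are exactly those listed above, followed by a placeholder SOS segment and scan (it is not a decodable picture) and the appended message from the GIF/JPEG experiment.

```python
"""Parse the JFIF APP0, DQT and SOF0 segments of a JPEG, fingerprint the quantization tables
against the IJG (libjpeg) standard tables, and report any bytes trailing the EOI marker."""
import struct

# IJG standard tables in natural (row-major) order, ITU T.81 Annex K.
IJG_LUMA = [16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
            14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
            18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
            49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99]
IJG_CHROMA = [17, 18, 24, 47, 99, 99, 99, 99, 18, 21, 26, 66, 99, 99, 99, 99,
              24, 26, 56, 99, 99, 99, 99, 99, 47, 66, 99, 99, 99, 99, 99, 99] + [99] * 32
# ZIGZAG[k] = natural-order index of the k-th coefficient as stored in a DQT segment.
ZIGZAG = [0, 1, 8, 16, 9, 2, 3, 10, 17, 24, 32, 25, 18, 11, 4, 5, 12, 19, 26, 33, 40, 48,
          41, 34, 27, 20, 13, 6, 7, 14, 21, 28, 35, 42, 49, 56, 57, 50, 43, 36, 29, 22, 15, 23,
          30, 37, 44, 51, 58, 59, 52, 45, 38, 31, 39, 46, 53, 60, 61, 54, 47, 55, 62, 63]


def ijg_scaled_table(base, quality):
    """libjpeg's jpeg_quality_scaling + jpeg_add_quant_table with baseline (8-bit) clamping."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return bytes(min(255, max(1, (base[ZIGZAG[k]] * scale + 50) // 100)) for k in range(64))


def ijg_quality(table, base):
    """Return the IJG quality (1-100) whose scaled table equals `table`, else None."""
    return next((q for q in range(1, 101) if ijg_scaled_table(base, q) == table), None)


def parse_jpeg(data):
    """Walk marker segments up to the first SOS, then find EOI and anything after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    info, pos = {"dqt": {}, "trailing": None}, 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack_from(">H", data, pos + 2)[0]
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE0 and body[:5] == b"JFIF\x00":
            major, minor, units, xd, yd = struct.unpack_from(">BBBHH", body, 5)
            info["jfif"] = {"version": (major, minor), "units": units, "density": (xd, yd)}
        elif marker == 0xDB:                        # one or more tables per DQT segment
            i = 0
            while i < len(body):
                pq, tq = body[i] >> 4, body[i] & 0x0F   # precision (0 = 8-bit), table id
                n = 64 * (pq + 1)
                info["dqt"][tq] = {"bits": 8 << pq, "table": bytes(body[i + 1:i + 1 + n])}
                i += 1 + n
        elif marker == 0xC0:                        # SOF0, baseline
            bits, height, width, ncomp = struct.unpack_from(">BHHB", body, 0)
            comps = [struct.unpack_from(">BBB", body, 6 + 3 * c) for c in range(ncomp)]
            info["sof0"] = {"bits": bits, "height": height, "width": width,
                            "components": [(cid, s >> 4, s & 0x0F, tq) for cid, s, tq in comps]}
        pos += 2 + length
        if marker == 0xDA:                          # SOS: entropy-coded data follows
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                                and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
            if data[pos:pos + 2] == b"\xff\xd9":
                info["eoi_offset"], info["trailing"] = pos, data[pos + 2:]
            break
    return info


# Constructed sample: the header bytes listed above (APP0, two DQTs, SOF0) followed by a
# placeholder SOS/scan (not a decodable picture) and a message appended after EOI.
HEADER = bytes.fromhex(
    "FFD8 FFE0 0010 4A46494600 01 01 01 0060 0060 00 00"
    "FFDB 0043 00 08060607060508 0707070909080A0C140D0C0B0B0C1912"
    "130F141D1A1F1E1D1A1C1C20242E2720 222C231C1C2837292C30313434341F27 393D38323C2E333432"
    "FFDB 0043 01 0909090C0B0C180D0D1832211C2132323232 32323232323232323232323232323232"
    "32323232323232323232323232323232 3232323232323232323232323232"
    "FFC0 0011 08 00C7 00D0 03 01 22 00 02 11 01 03 11 01")
SAMPLE = HEADER + bytes.fromhex("FFDA 000C 03 0100 0211 0311 00 3F 00 1234 FF00 56 FFD0 78 FFD9") \
    + b"Look GIR, a secret message!"


def fingerprint(data=SAMPLE):
    """Summarise the fields the bonus question turned on, plus any trailing data."""
    info = parse_jpeg(data)
    return {"density": info["jfif"]["density"],
            "size": (info["sof0"]["width"], info["sof0"]["height"]),
            "sampling": [(h, v) for _, h, v, _ in info["sof0"]["components"]],
            "luma_q": ijg_quality(info["dqt"][0]["table"], IJG_LUMA),
            "chroma_q": ijg_quality(info["dqt"][1]["table"], IJG_CHROMA),
            "trailing": info["trailing"]}
```

On the header bytes above, fingerprint() reports a density of 96 by 96, a 208 by 199 pixel frame with 2x2, 1x1, 1x1 sampling, and quality 75 for both tables; the quality match is the part that tells you the tables are the stock libjpeg ones rather than something peculiar to one program. Running it on a candidate program's own output, and comparing every field, is how to turn the density observation into a stronger attribution.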


Marc Bayerkohler
Senior Technical Consultant, Schlumberger
marc_hnet@slb.com  

Vince Elliott
Systems Developer, Schlumberger
vince_hnet24@slb.com

Schlumberger