Introduction

Resources and Tools

Method

Answers to specific questions

Unanswered questions

Bibliography/Webography

Included Files

Dear Law Enforcement Officials -

I would like to personally thank you for considering me to work with you on this assignment. I have done my best to discover as much information as possible about Jimmy Jungle and his contacts as possible, using the information supplied.

This report is the culmination of all of my findings. I tried to make this as easy to read as possible, so that you may recreate my steps in your own environment to verify their accuracy.

Thank you again, and best of luck with the case,

- Alex M. Kalisiak

Supplied : the image of the floppy disk

Tools :

Cygwin : allows Unix/Linux tools to be run in a Windows environment. Specifically, it allows us to install TASK, which has the MD5 command

XVI32 : a freeware hex editor

WinZip : a multipurpose archiver/extractor

Symantec AntiVirus Corporate Edition : the ever-famous antivirus software

1. Everything In It’s Right Place

The first step was to obtain and verify the evidence, and then change it to a READ_ONLY status, thus preserving the authenticity.

I downloaded the zipped image, SCAN26.ZIP, and immediately ran the MD5 command. This command is used to verify the supplied image has not been modified in transit.

The MD5 string matched exactly with the string supplied to me from your webpage.

Next, I ran a virus scan on the file, since Zip files are subject to virus infections. With no viruses detected, the next step was to make the image READ_ONLY to prevent any accidental modifications.

Next, I extracted the floppy image from the zip file using WinZip

The above command calls WinZip, and has everything extracted ("-e") from the file ("scan26.zip") and placed in the current directory (".")

Once I had the image of the floppy extracted, I proceeded to check the MD5 string of the new file.

Again, the string of the file matched the string supplied to me. Once more, I checked for viruses, and discovered none. Finally, I made the image READ_ONLY so that nothing I did would alter the original.

All the menial tasks completed, the adventure begins.

2) Blank Stares and Blank Disks

Having used the program several times at work, I proceeded to open the image using the TASK/Autopsy combination (Installing TASK and Autopsy on a Windows 2000 machine is a trial in itself, and I won’t bore you with the details. A quick summary is : Install Cygwin with Perl and Make support. Install TASK. Install Autopsy. Looks easier than it really is), and this is what I was greated with :

According to Autopsy, the floppy had absolutely no contents on it! The only other option was to open the floppy image with a hex editor, and comb through the data byte by byte

3) Hexed!

Note: For this section, any number followed by an "h" (ie. 4200h) means that this is a "Hex" value, a series of numbers ranging from 0 – F instead of 0 - 9

A hex editor is a tool that can view files in almost their most basic form. Most often, this appears as absolute nonsense. But, with a little digging and proper views, you can sometimes find just what you’re looking for.

The following command opens the floppy image in XVI32, a freeware hex editor.

Scanning through the image, it appears that the FAT (File Allocation Table) and Root Directory have been completed over written with the string "00".

Now, it would be easy to simply page down through the data and discover, by brute force, that the data began at Address 4200h, but there is a more scientific method that could be used in situations where this method with be too time consuming.

This next section is using formulas and information found in John Lufkin’s paper on the File Allocation Table, listed in the Bibliography section. A thorough read of this paper might help any questions you have with this next section.

Also, to make this all a little more confusing, when reading pairs of bytes, you have to read them in reverse. So "00 02" is really "02 00", or 200.

The beginning of the data on a floppy (the Open Space) begins after the Root Directory. This is a two-step process: Find where the Root Directory starts, and find out how large the Root Directory is. Using information in the Boot Sector, we can find where the data should start.

Find where the Root Directory starts (bytes highlighted in red):

Take the number of File Allocation Tables (red A = 02), and multiply this with the number of sectors per File Allocation Table (red B = 0009), which gives us 18. Add the number of Boot Sectors to this number (always 1 on floppies), which gives us 19 (the total number of sectors). Multiply the total number of sectors (19) with the number of bytes per sector (red C = 0200h or 512) which gives us 9728, or 2600h. Address 2600h is normally where the Root Directory would start

Next, find the size of the Root Directory (bytes highlighted in yellow):

Take the number of directory entries (yellow A = 00E0h or 224) and multiply this by the number of bytes per directory entry (32 on floppies). This gives us 224 * 32 = 7168, or 1C00h.

Lastly, add the starting point of the Root Directory (9728) with the length of the Root Directory (7168) to get 16896, or 4200h. The Open Data area should begin at Address 4200h.

5) A Couple Pictures Is Worth A Thousand Questions

From this point, things get a little easier. Scrolling down to Address 4200h, I noticed the text string "JFIF" (red square). From experience, I knew this to be an image. Doing a quick search on the internet, I found the document on JFIF header info, and learned that the beginning of a JFIF image was the string "FF D8" (green square), and the end was always the string "FF D9" (blue square).

From here, I simply selected everything from "FF D8" to "FF D9" and saved that area as exported_jfif.jfif

Upon opening it, I discovered this map :

Finally, the first substantial clue!

A little ways after the JFIF file ended (blue square), a saw the beginning of a new file. This one started with the string "42 4D" (yellow square). So, a quick search on the internet again revealed that this was a BitMap file. According to the document on the BitMap header info, the next four bytes revealed the file’s size (red square).

Remembering to reverse the pairs, the size was "00 11 CC 76" (or 1166454 bytes). Adding this to the starting position (C200), the file should end at 128E76h.

Again, selecting this whole range, I exported this and saved it to exported_bm.bmp. Opening this, it revealed even more clues:

This file reveals more than the previous JFIF map did, as this one includes the Hideout.

6) String It All Together

Now, we had the answers to several of the most pressing questions, but we still didn’t know the supplier’s name or address. A final program was needed, the Unix command "strings".

This command searches a file and prints every string it can discover. Run against the floppy image, resulted in this interesting results:

Of course, most of it was nonsense, but the last two items discovered, was a name and address, and, interestingly enough, what appears to be a password.

With the two maps, the name, and the address, I think we can start making our case.

1) Who is the probable supplier of drugs to Jimmy Jungle?

The probable supplier of Jimmy Jungle's drugs is one John Smith, whose name is found when the 'strings' command was executed against the image

2) What is the mailing address of Jimmy Jungle's probable drug supplier

The mailing address of the probable supplier, John Smith, is 1212 Main Street, Jones, Florida 00001, which is found when the 'strings' command was executed against the image

3) What is the exact location in which Jimmy Jungle received the drugs?

The probable exact location Jimmy received the drugs was Danny's Pier 12 Boat Lunch on Shore Line Drive, as shown on the recovered bitmap image, exported_bm.bmp

4) Where is Jimmy Jungle currently hiding?

The most probably location would be at 22 Jones Avenue, since this area is marked "Hideout" on the exported_bm.bmp bitmap image recovered from the floppy image.

5) What kind of car is Jimmy Jungle driving?

My speculation is this: At Address 1400h is the string "F0 FF FF". This string is right in the middle of the FAT and the Root Directory, and by all rights it’s should have been changed to 00’s as well. This has led me to believe that this is a significant clue in this way: "F0 FF FF" in RGB is the colour "Azure". The Azure is a style of car produced by Bentley Automotive. It is my assertion then, that Jimmy Jungle drives a Bentley Azure, and left this string in the image as a tribute to the car of his choice.

Bonus Question: Explain the process that was performed so that there were no entries in the root directory and File Allocation Table (FAT), yet the contents of each file remained in the data area.

It appears as though the JPG image was saved to the disk first, then the BitMap, since the JPG appeared first in the data area. It can be assumed that the person copying the files to the disk tried to keep the transactions to a minimum to insure that the files would be contiguous, since once they have completed the task of overwriting the directory and FAT, it would be very difficult to recover the files if they became fragmented.

Once the files where successfully saved to the disk, it was most likely the user created an image of the disk, and then, using a hex editor, wrote a continual string of zeros (0’s) over both the root directory and the FAT. Once this was complete, the perpetrator wrote the image back to a floppy. This gave the impression that there was nothing on the disk, while still retaining a wealth of clues.

The string "pw=help" was returned when the "strings" command was executed. Although this didn’t seem to have a place on the floppy, I did try to open all of the profiles on the webpage mentioned on the floppy itself, dfwrs.org. This unfortunately, met with no success, so we can only wonder at what the use of the password may be.

Tools :

Cygwin : allows Unix/Linux based tools to be run on a Windows environment

http://www.cygwin.com

TASK : The @stake Sleuth Kit, an open source forensic kit. Not really needed in this case, but an invaluable tool nonetheless

http://www.atstake.com/research/tools/forensic/

Autopsy Forensic Browser : HTML face for TASK. Makes using TASK bearable

http://www.atstake.com/research/tools/forensic/

XVI32 : The very easy to use and very efficient freeware hex editor

http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

WinZip : The ever useful archiving/extracting utility for Windows

http://www.winzip.com

Symantec AntiVirus : Pretty much everyone has heard of Symantec/Norton Antivirus. The industry standard.

http://www.symantec.com

Literature :

An excellent resource by John Lufkin on the layout of the FAT12 structure:

http://www.manningjames.com/college/sem2/fat12.htm

A good explanation of the BitMap file structure and header information:

http://users.ece.gatech.edu/~slabaugh/personal/c/bmpwrite.html

Not the most official source of JFIF/JPEG info, but it served its purpose

http://www.obrador.com/essentialjpeg/HeaderInfo.htm

Index.html : This file.

exported_jfif.jfif : The JFIF file exported from the floppy image

exported_bm.bmp : The BitMap file exported from the floppy image