Scan of the Month #24, October 2002
Honeynet Project & DFS
Solution
by Josh Berghouse
The Challenge:
Discern the criminal behavior of a drug dealer from a floppy disk found in his possession.
Background Information: According to police reports, suspicious behavior was noted concerning Joe Jacobs near and around area high schools. Suspecting he was a drug-dealer, police conducted a sting and arrested Jacobs on a minor charge. Evidence seized from Jacobs’ residence included a floppy disk that might contain more incriminating details of his activities.
Evidence Detail:
One floppy disk image, created with dd and supplied via download.
Question Detail:
DFS asked that the following questions be answered:
1. Who is Joe Jacobs' supplier of marijuana and what is the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
6. Bonus: What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess).
1. Jimmy Jungle, 626 Jungle Ave Apt 2, Jungle, NY 11111.
2. The password to the zipped file archive containing "scheduled visits.xls." Without it we would be unable to view the encrypted file.
3. Too many to list here (Key, Leetch, and Birard High School to name three).
4. The letter to Jimmy was deleted, the Excel spreadsheet was zipped and password protected, and the password was steganographically concealed within "coverpage.jpg."
5. Binary file viewer, various file recovery tools. (See Long Answers section).
6. Microsoft Paint. (Proof in Long Answers section).
Hex Editor: XVI32 v2.3 by Christian Maas (http://www.chmaas.handshake.de)
Hex Editor: WinHex by X-Ways Software (http://www.davory.com/)
Floppy Image Tool: Floppy Image v2.1 by Rundegren Software (http://www.rundegren.com/)
Data Recovery Software: Davory 1.01 by X-Ways Software (http://www.davory.com/)
All tools used in this exercise were either freeware or shareware.
Step One: Examining the file "image" with a hex editor
Since I am unfamiliar with Linux, I decided to attempt the solution using the technology I know best: Windows and DOS. I started out by downloading and verifying the floppy image file, then examining it with a hex editor in text mode. This yielded some interesting clues about the information contained within the image, which I've shown in the attached file segments. Segment 1 told me that the boot area of the drive was created on an NT machine (NTLDR). Segment 2 looked like a file table of some sort, with the text of what appeared to be partial file names (IMMYJ~1.DOC, COVER~1.JPG, SCHEDU~1.EXE). This gave me an idea of what I should look for once I began to try and retrieve whole files. Segment 3 looked like the contents of a document file, and Segment 4 confirmed it was created in Microsoft Word 10 (aka Word XP). Segment 3 also solved question #1, since it appeared that the file content was a letter to Joe's supplier, Jimmy Jungle. Segment 5 contained the text "JFIF", which is header content for a jpg image file. Segment 6 looked like a steganographic message in plaintext embedded within the image (pw=goodtimes). Segment 7 contained the text "PK", which is header content for a zip file archive, as well as the content of that archive, another file named "Scheduled Visits.xls". Zip file footer information was contained in Segment 8.
[Figure: Segment 1]
[Figure: Segment 2]
[Figure: Segment 3]
[Figure: Segment 4]
[Figure: Segment 5]
[Figure: Segment 6]
[Figure: Segment 7]
[Figure: Segment 8]
Step Two: Mount the image and attempt file recovery
After mounting the image, only two files were visible to Windows:
[Figure: Files visible to Windows after image mount]
All attempts to read these files in a normal way resulted in failure, so a more detailed analysis of the mounted image was done using the data recovery software. The first attempt resulted in the recovery of three files:
[Figure: Three files were found]
These were the two previously unreadable files, "cover page.jpgc" and "SCHEDU~1.exe", as well as a more respectable representation of Joe's letter to Mr. Jungle, his supplier. It appears that at some point the Word document had been deleted, but the cluster space was never overwritten. Since I knew that there was more information in the image, a more thorough examination was needed. Using another method, which looks for telltale file header information, the data recovery software was able to extract and assemble two more files:
[Figure: Recovered jpg file: "cover page.jpg"]
[Figure: Scheduled Visits.xls makes its appearance (Don't forget the password :)]
[Figure: PW: goodtimes]
The spreadsheet file contained Joe's selling schedule. He was a very busy dealer:
[Figure: Portion of "Scheduled Visits.xls"]
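The two things the hex editor and the recovery tool did in Step One and Step Two, reading the FAT12 root directory and scanning the raw image for file-header signatures, as an added Python example. This is not code from the original write-up or from any of the tools it names, and it builds its own 1.44 MB FAT12 image instead of using the challenge floppy, so every file name, cluster number and file body in it is a constructed sample. Two details it makes concrete: FAT marks a deleted entry by overwriting the first byte of the name with 0xE5, which is why the file table shows "IMMYJ~1.DOC" with its first letter gone; and because deletion also frees the FAT chain, the first recovery guess is to read `size` bytes from the first cluster on the assumption that the file was contiguous and nothing has overwritten it.

```python
"""FAT12 floppy triage (added example on a constructed image): list the root
directory the way the hex editor showed it, recover a deleted entry's data and
scan the raw image for file-header signatures."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # Word/Excel compound document
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # SOI + APP0 "JFIF"
ZIP_LOCAL = b"PK\x03\x04"                          # zip local file header
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image (SOI marker)"),
    (ZIP_LOCAL, "ZIP local file header"),
    (OLE_MAGIC, "OLE2 compound document (Word/Excel)"),
    (b"MZ\x90\x00", "DOS/Windows executable"),     # 4 bytes to cut false positives
]

def parse_bpb(img):
    """Read the BIOS Parameter Block from the boot sector and derive the layout."""
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    root_off = (reserved + nfats * spf) * bps
    return {"bps": bps, "spc": spc, "root_off": root_off,
            "root_entries": root_entries, "data_off": root_off + root_entries * 32}

def cluster_offset(geo, cluster):
    """Byte offset of a data cluster; FAT numbers data clusters from 2."""
    return geo["data_off"] + (cluster - 2) * geo["spc"] * geo["bps"]

def list_root_entries(img):
    """Decode the 32-byte root directory entries, keeping deleted ones."""
    geo = parse_bpb(img)
    entries = []
    for i in range(geo["root_entries"]):
        off = geo["root_off"] + 32 * i
        raw = img[off:off + 32]
        if raw[0] == 0x00:
            break                    # a never-used slot ends the directory
        if raw[11] == 0x0F:
            continue                 # long-file-name fragment, not a file
        deleted = raw[0] == 0xE5     # deletion overwrites the first name byte
        base = (b"?" + raw[1:8]) if deleted else raw[0:8]
        name = base.rstrip(b" ").decode("ascii", "replace")
        ext = raw[8:11].rstrip(b" ").decode("ascii", "replace")
        entries.append({
            "name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0]})
    return entries

def recover_contiguous(img, entry):
    """Read size bytes from the first cluster. Deleting a file frees its FAT chain,
    so this assumes the clusters were contiguous and have not been reused."""
    start = cluster_offset(parse_bpb(img), entry["first_cluster"])
    return bytes(img[start:start + entry["size"]])

def carve_signatures(img, signatures=SIGNATURES):
    """Return sorted (offset, label) pairs for every header found in the image."""
    hits = []
    for magic, label in signatures:
        pos = img.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = img.find(magic, pos + 1)
    return sorted(hits)

def _dir_entry(name, ext, first_cluster, size, deleted):
    raw = bytearray(32)
    raw[0:8], raw[8:11], raw[11] = name.ljust(8), ext.ljust(3), 0x20
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)

def build_sample_image():
    """Constructed 1.44 MB FAT12 image: three root entries, the Word file deleted."""
    img = bytearray(1474560)
    img[0:3], img[510:512] = b"\xeb\x3c\x90", b"\x55\xaa"
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    geo = parse_bpb(img)
    files = [  # name, ext, first cluster, made-up content, deleted?
        (b"JIMMYJ~1", b"DOC", 2, OLE_MAGIC + b"\x00" * 504 + b"Sample letter body.", True),
        (b"COVER~1", b"JPG", 5, JFIF_HEADER + b"\x00" * 100 + b"pw=example", False),
        (b"SCHEDU~1", b"EXE", 20, b"MZ\x90\x00" + b"\x00" * 60 + ZIP_LOCAL + b"x.xls", False),
    ]
    for i, (name, ext, cluster, data, deleted) in enumerate(files):
        off = geo["root_off"] + 32 * i
        img[off:off + 32] = _dir_entry(name, ext, cluster, len(data), deleted)
        start = cluster_offset(geo, cluster)
        img[start:start + len(data)] = data
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for e in list_root_entries(image):
        flag = "DELETED" if e["deleted"] else "       "
        print(f"{flag} {e['name']:14} cluster={e['first_cluster']:<3} size={e['size']}")
    for off, label in carve_signatures(image):
        print(f"0x{off:06x}  {label}")
```

The signature pass is the second recovery method the write-up describes: it reports every offset where a known header begins, regardless of whether a directory entry still points there, which is how the JPEG and the spreadsheet turned up after the directory-based pass. On a real image the short signatures need a false-positive filter (a three-byte JPEG SOI or a bare "MZ" occurs by chance in random data); the example sidesteps that by using a four-byte executable stub and a zero-filled image.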
Answer to the Bonus Question:
A look at several headers from jpg files created by many different programs can help illustrate:
[Figure: Different jpg file header types]
The first header is from a jpg I created in Paint, and the second is from "coverpage.jpg." They are consistent with each other. The third header came from an Adobe Illustrator jpg export file, the fourth came from a jpg file created by GIMP, and the fifth came from a Macromedia Flash XP jpg export file.
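The header comparison behind the bonus answer, done programmatically, as an added Python example that is not part of the original write-up. What the hex editor shows as different "header types" is the sequence of marker segments between the SOI marker and the image data: a JFIF encoder writes an APP0 segment starting "JFIF", Adobe encoders write an APP14 segment starting "Adobe", and some editors add a COM segment naming themselves. The sample headers below are constructed to have those shapes; they are not captured from Paint, Illustrator, GIMP or Flash, and the comment text in them is made up.

```python
"""JPEG header fingerprinting (added example, constructed samples): walk the
marker segments before the image data and report the APPn/COM identifiers
that differ between encoders."""
import struct

def jpeg_segments(data, limit=32):
    """Return [(marker, payload)] up to Start of Scan; raises on malformed input."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data) and len(segments) < limit:
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                 # standalone markers carry no length field
            continue
        length = struct.unpack_from(">H", data, pos + 2)[0]   # counts its own 2 bytes
        segments.append((marker, bytes(data[pos + 4:pos + 2 + length])))
        if marker == 0xDA:
            break                    # SOS: entropy-coded image data follows
        pos += 2 + length
    return segments

def describe_header(data):
    """Summarise the identifying strings in application and comment segments."""
    notes = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xE0 and payload.startswith(b"JFIF\x00"):
            major, minor, units, xd, yd = struct.unpack_from(">BBBHH", payload, 5)
            notes.append(f"APP0 JFIF {major}.{minor} density {xd}x{yd} units={units}")
        elif marker == 0xE1 and payload.startswith(b"Exif\x00"):
            notes.append("APP1 Exif")
        elif marker == 0xEE and payload.startswith(b"Adobe"):
            notes.append("APP14 Adobe")
        elif marker == 0xFE:
            notes.append("COM " + payload.decode("latin-1"))
        elif 0xE0 <= marker <= 0xEF:
            ident = payload.split(b"\x00", 1)[0].decode("latin-1", "replace")
            notes.append(f"APP{marker - 0xE0} {ident!r}")
    return notes

def same_header_fingerprint(a, b):
    """True when two files carry the same sequence of identifying segments."""
    return describe_header(a) == describe_header(b)

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed header fragments: SOI, application markers, one quantisation table.
# Shaped like encoder output, but not captured from any named program.
_JFIF_APP0 = b"JFIF\x00" + bytes([1, 1, 1]) + struct.pack(">HH", 96, 96) + b"\x00\x00"
_DQT = _seg(0xDB, b"\x00" * 65)
SAMPLES = {
    "jfif_only": b"\xff\xd8" + _seg(0xE0, _JFIF_APP0) + _DQT,
    "jfif_plus_comment": b"\xff\xd8" + _seg(0xE0, _JFIF_APP0)
                         + _seg(0xFE, b"Created with a sample editor") + _DQT,
    "adobe_app14": b"\xff\xd8" + _seg(0xEE, b"Adobe\x00\x64\x00\x00\x00\x00\x00") + _DQT,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {describe_header(blob)}")
```

Running `describe_header` over a reference file made in the suspected program and over the evidence file, then comparing the two lists, is the reproducible form of the side-by-side hex view above. A matching fingerprint shows that both files were written by encoders that emit the same segments; it is consistent with the same program having produced them, but several applications that share an encoding library can emit identical APP0 segments, so the fingerprint supports the claim rather than settling it on its own.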
The evidence recovered from Joe Jacobs' floppy should be enough to continue the investigation. Data analysis and file recovery took approximately two hours, and this write-up about three hours.
The only question I don't think I answered fully was #4. From my limited experience, I'm unsure as to whether the suspect embedded "SCHEDU~1.EXE" (a self-extracting zip) into the image file, or if there was some kind of overlapping of data after one or the other had been deleted. I guess I'll have to wait for the expert write-up!