Scan Of the Month Challenge – By azzazzin@hush.com
Q1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
Jimmy Jungle
Q2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
The cover page file as it sat on the disk image contained nothing useful, but the cover page recovered from the image contained the front page of Pot Smokers Monthly, which links to some of the information in the letter to Jimmy.
"Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in
It helps confirm that Jimmy is indeed a drug dealer and is in contact with Joe.
One of the most useful pieces of data is located toward the end of the JPG. It seems that Jimmy has tried to incorporate some poor form of steganography into his communications with Joe.
At offset 0x3D20, length 0x000C, is the string 'pw=goodtimes'. One could only assume that pw stands for password and that 'goodtimes' is the password. It turns out that this is the password for the zip file containing Joe's drug dealing schedule.
Q3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
Joe also frequents these schools.
Leetch High School (C)
Q4. For each file, what processes were taken by the suspect to mask them from others?
The following files were recovered from the disk.
- Jimmy Jungle.doc
- SCHEDU~1.zip
- Scheduled Visits.xls
- cover page.jpg
The following are the processes taken to mask the files.
- jimmy jungle.doc
- cover page.jpg
I don't suspect that Joe purposely cross-linked the clusters on the disk; more than likely it was just a soft error due to data corruption. The data can be read and written correctly with no errors, but the data is not what it should be. For example, in the FAT file system an entry in the FAT table may be corrupted: it may point to a cluster which does not exist (sector not found error), or it may point to a cluster which is already owned by another file (cross-linked clusters). Clearly any given cluster can only belong to a single file, so if two (or more) files think that they own the same cluster there is an error.
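To make the cross-linked-cluster case concrete, here is an added example that is not code from this writeup and does not use the challenge image's real FAT: it packs a small FAT12 table from constructed entries (file names, cluster numbers and sizes are all made up for illustration), walks each file's cluster chain, and reports clusters claimed by more than one file as well as chains that end before the directory entry's size is satisfied. The second check is the same kind of inconsistency the R-Studio log further down reports, a chain of 1 cluster for a file whose size needs 39 more.

```python
"""Walk FAT12 cluster chains and flag cross-linked clusters.

Added example, not code from the original writeup. The FAT and the
directory entries are constructed in-line (file names are illustrative)
so that it exercises the two inconsistencies a FAT can show: two files
claiming the same cluster, and a chain that ends before the file size is
satisfied.
"""
from typing import Dict, List, Tuple

CLUSTER_SIZE = 512     # one 512-byte sector per cluster on a 1.44 MB floppy
EOC = 0xFF8            # FAT12 end-of-chain values are 0xFF8..0xFFF


def pack_fat12(entries: List[int]) -> bytes:
    """Pack 12-bit entries into the on-disk FAT12 layout (two entries per 3 bytes)."""
    if len(entries) % 2:
        entries = entries + [0]
    out = bytearray()
    for i in range(0, len(entries), 2):
        a, b = entries[i] & 0xFFF, entries[i + 1] & 0xFFF
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)


def fat12_entry(fat: bytes, n: int) -> int:
    """Read entry n: 1.5 bytes per entry, little-endian; odd entries use the high 12 bits."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def walk_chain(fat: bytes, first: int, limit: int = 4096) -> List[int]:
    """Follow a chain from its first cluster until an end-of-chain marker (or the loop guard)."""
    chain: List[int] = []
    cur = first
    while 2 <= cur < EOC and len(chain) < limit:
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain


def check_directory(fat: bytes, entries: Dict[str, Tuple[int, int]]):
    """entries maps a file name to (first_cluster, size_in_bytes).

    Returns (owners, problems): owners maps each cluster to the files whose
    chain reaches it; problems lists chains that are too short for the
    recorded size and clusters claimed by more than one file.
    """
    owners: Dict[int, List[str]] = {}
    problems: List[str] = []
    for name, (first, size) in entries.items():
        chain = walk_chain(fat, first)
        needed = -(-size // CLUSTER_SIZE)          # ceiling division
        if len(chain) < needed:
            problems.append(f"{name}: chain has {len(chain)} cluster(s) but size needs {needed}")
        for c in chain:
            owners.setdefault(c, []).append(name)
    for c, names in sorted(owners.items()):
        if len(names) > 1:
            problems.append(f"cluster {c} cross-linked: {', '.join(names)}")
    return owners, problems


# Constructed FAT: entries 0 and 1 are reserved (media byte 0xF0 and EOC).
# FILE_A: 2 -> 3 -> 4 -> EOC.  FILE_B: 5 -> 4 (jumps into FILE_A's chain).
# FILE_C: 6 -> EOC after one cluster although its size needs 40.
SAMPLE_FAT = pack_fat12([0xFF0, 0xFFF, 3, 4, 0xFFF, 4, 0xFFF, 0])
SAMPLE_DIR = {
    "FILE_A.DOC": (2, 1300),
    "FILE_B.JPG": (5, 900),
    "FILE_C.XLS": (6, 20000),
}

if __name__ == "__main__":
    owners, problems = check_directory(SAMPLE_FAT, SAMPLE_DIR)
    for c in sorted(owners):
        print(f"cluster {c}: {owners[c]}")
    for p in problems:
        print("PROBLEM:", p)
```

On a real image the FAT would be read from the sectors the BPB points to and the directory entries from the root directory; the chain walk and the ownership map are unchanged.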
- SCHEDU~1.zip
The suspect had changed the extension of this file to .exe, knowing that only he would know of this, therefore hiding the data within the archive. The archive itself was password protected using a password cleverly hidden within the cover page image.
- Scheduled Visits.xls
This file was the most protected file on the disk, and it contained information pertaining to Joe's drug dealing habits.
Q5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
$ md5 image.zip
MD5 (image.zip) = b676147f63923e1f428131d59b1d6a72
I checked the checksum of the image, which matched, then proceeded to write the image to a disk; I used rawwrite for this operation.
Enter source file name: image
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 79 Head: 1 Sector: 16
Done.
The following files are what came from the disk image.
Directory of A:\
2 File(s) 16,585 bytes
0 Dir(s) 1,439,232 bytes free
Both files have commonly known extensions: .exe
.EXE    Executable File
And if you remove the c from the other file's extension you get another commonly known extension, .jpg
.JPG    JPEG/JFIF Image
When I attempted to open it as a JPEG file I couldn't see anything, so I opened the file in UltraEdit, to find that it is one continuous stream of 'öööööööööö'.
I tried to run Scheduled Visits.exe and got an MS-DOS subsystem error. I threw Scheduled Visits.exe into UltraEdit to have a closer look at the file. Nothing really stood out in this file except for 'Scheduled Visits.xls', which was in plain text near the top of the file. I had the suspicion that the file could be either corrupt or fake.
From this point I decided to check whether the disk was corrupt, starting by analyzing the partition boot sector (PBS).
Analysis of the PBS
Offset   Length   Value          Meaning
-------------------------------------------------------------------
0x0000   0x0003   EB 3C 90       Jump Instruction
0x0003   0x0008   MSDOS5.0       OEM Name in text
0x000B   0x0002   0x0002         Bytes per sector
0x000D   0x0001   0x01           Sectors per Cluster
0x000E   0x0002   0x0100         Reserved Sectors
0x0010   0x0001   0x02           Number of FATs
0x0011   0x0002   0xE000         Root entries
0x0013   0x0002   0x400B         Number of Sectors
0x0015   0x0001   0xF0           Media Type (F0 = 3 1/2 floppy, 1.44MB)
0x0016   0x0002   0x0900         Sectors per FAT
0x0018   0x0002   0x1200         Sectors per Track
0x001A   0x0002   0x0200         Number of Heads
0x001C   0x0004   00 00 00 00    Hidden Sectors
0x0020   0x0004   00 00 00 00    Large Sectors
0x0024   0x0002   00 00          Physical Disk
0x0026   0x0001   29             Sig. (Needed by NT)
0x0027   0x0004   CF CD B1 C4    Vol. Serial Number
0x002B   0x000B   NO NAME        Volume Label
0x0036   0x0008   FAT12          System ID
0x003E   0x01AA   33 C9 8E ...   Bootstrap code
0x01FE   0x0002   55 AA          End of sector marker
As seen from the analysis above, the hidden sectors value isn't the same as the number of sectors, which means that the boot sector was corrupted and the partition should not be used.
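The same boot-sector analysis can be done programmatically. The following is an added example, not code from this writeup: it constructs a standard 1.44 MB FAT12 boot sector, decodes the BPB with struct, derives the on-disk layout, and runs a few consistency checks. Every multi-byte BPB field is little-endian, so the raw bytes 00 02 at offset 0x0B decode to 512 bytes per sector. The volume serial number and the first bootstrap bytes follow the table above; the field names, the check functions and the 80-track geometry assumption are this example's own. The derived cluster count, 2,847, agrees with the chkdsk output quoted further down.

```python
"""Parse a FAT12 boot sector / BIOS Parameter Block and sanity-check it.

Added example, not code from the original writeup. A boot sector is built
in-line with the layout of a standard 1.44 MB floppy (the volume serial
number and bootstrap prefix follow the values in the analysis table);
pass the first 512 bytes of a real image to parse_boot_sector() instead.
"""
import struct
from typing import Any, Dict, List

# Little-endian fields from offset 0x00 to 0x24, then the extended BPB up to 0x3E.
BPB_FMT = "<3s8sHBHBHHBHHHII"
EBPB_FMT = "<BBBI11s8s"


def build_floppy_boot_sector() -> bytes:
    """Construct a 512-byte boot sector for a 1.44 MB FAT12 floppy (constructed sample)."""
    bpb = struct.pack(BPB_FMT,
                      b"\xEB\x3C\x90",  # jump instruction
                      b"MSDOS5.0",      # OEM name
                      512,    # bytes per sector
                      1,      # sectors per cluster
                      1,      # reserved sectors
                      2,      # number of FATs
                      224,    # root directory entries
                      2880,   # total sectors (80 tracks x 2 heads x 18 sectors)
                      0xF0,   # media descriptor: 3.5" 1.44 MB
                      9,      # sectors per FAT
                      18,     # sectors per track
                      2,      # heads
                      0,      # hidden sectors
                      0)      # large sector count (unused when the 16-bit count fits)
    ebpb = struct.pack(EBPB_FMT, 0x00, 0x00, 0x29, 0xC4B1CDCF, b"NO NAME    ", b"FAT12   ")
    body = bpb + ebpb + b"\x33\xC9\x8E"          # first bootstrap bytes
    body += b"\x00" * (0x1FE - len(body))          # remainder of bootstrap area
    return body + b"\x55\xAA"                      # end-of-sector marker


def parse_boot_sector(sector: bytes) -> Dict[str, Any]:
    """Decode the BPB fields; every multi-byte value is little-endian."""
    f = struct.unpack_from(BPB_FMT, sector, 0)
    e = struct.unpack_from(EBPB_FMT, sector, 0x24)
    return {
        "oem": f[1].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": f[2],
        "sectors_per_cluster": f[3],
        "reserved_sectors": f[4],
        "num_fats": f[5],
        "root_entries": f[6],
        "total_sectors": f[7],
        "media": f[8],
        "sectors_per_fat": f[9],
        "sectors_per_track": f[10],
        "heads": f[11],
        "hidden_sectors": f[12],
        "large_sectors": f[13],
        "ext_sig": e[2],
        "serial": f"{e[3] >> 16:04X}-{e[3] & 0xFFFF:04X}",   # chkdsk-style XXXX-XXXX
        "label": e[4].decode("ascii", "replace").rstrip(),
        "sysid": e[5].decode("ascii", "replace").rstrip(),
        "end_marker": sector[0x1FE:0x200],
    }


def layout(b: Dict[str, Any]) -> Dict[str, int]:
    """Derive where the root directory and data area start and how many clusters exist."""
    bps = b["bytes_per_sector"]
    root_dir_sectors = (b["root_entries"] * 32 + bps - 1) // bps
    root_start = b["reserved_sectors"] + b["num_fats"] * b["sectors_per_fat"]
    data_start = root_start + root_dir_sectors
    total = b["total_sectors"] or b["large_sectors"]
    clusters = (total - data_start) // b["sectors_per_cluster"]
    return {"root_dir_sector": root_start, "first_data_sector": data_start,
            "total_clusters": clusters}


def sanity_check(b: Dict[str, Any], tracks: int = 80) -> List[str]:
    """Consistency checks that separate a damaged BPB from a healthy one."""
    problems: List[str] = []
    if b["end_marker"] != b"\x55\xAA":
        problems.append("end-of-sector marker is not 55 AA")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"implausible bytes per sector {b['bytes_per_sector']}")
    if b["num_fats"] == 0 or b["sectors_per_fat"] == 0:
        problems.append("no FAT described")
    geometry = b["sectors_per_track"] * b["heads"] * tracks   # assumes 80 tracks
    if b["total_sectors"] != geometry:
        problems.append(f"total sectors {b['total_sectors']} != geometry {geometry}")
    if b["media"] == 0xF0 and b["hidden_sectors"] != 0:
        problems.append("floppy media byte with non-zero hidden sectors")
    if b["ext_sig"] == 0x29 and not b["sysid"].startswith("FAT"):
        problems.append(f"unexpected system id {b['sysid']!r}")
    return problems


if __name__ == "__main__":
    sector = build_floppy_boot_sector()
    info = parse_boot_sector(sector)
    print(info)
    print(layout(info))
    print("problems:", sanity_check(info) or "none")
```

To use it on a real image, read the first 512 bytes of the raw image and pass them to parse_boot_sector(); a floppy image is not partitioned, so the boot sector sits at offset 0.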
Knowing the problems with the PBS, I decided to see if there were any other files I could recover from the disk. I started up the R-Studio demo (r-tt.com) and tried to recover all possible files off the disk. It was able to recover 3 files, one of which was something I hadn't seen before, 'Jimmy Jungle.doc', which was a Word document of a letter from Joe to his dealer Jimmy Jungle.
3 File(s) 37,065 bytes
This document contained several pieces of information pertaining to gaining access to the other files on the disk.
'Thanks for sending me the Cover Page'
- Jimmy sent Joe a cover page image.
'I emailed you the schedule that I am using.'
- Joe sent Jimmy his schedule for dealing drugs to school children.
'To open it, use the same password that you sent me before with that file.'
- To open it, use the password from the file that was sent before (the cover page image), which leads me to believe that there is some password in the cover page image.
Although I had recovered a new file, I still knew that the disk was corrupt in some form, so I ran scandisk on it to see if it did anything to help my cause.
A:\>chkdsk /F a:
The type of the file system is FAT.
Volume Serial Number is C4B1-CDCF
Windows is verifying files and folders...
\cover page.jpgc first allocation unit is not valid. The entry will be truncated.
Removing nonvalid long folder entry from \...
File and folder verification is complete.
Convert lost chains to files (Y/N)? y
15872 bytes in 1 recovered files.
Windows has made corrections to the file system.
1,457,664 bytes total disk space.
512 bytes in 1 folders.
18,432 bytes in 2 files.
1,438,720 bytes available on disk.
512 bytes in each allocation unit.
2,847 total allocation units on disk.
2,810 allocation units available on disk.
Resulting in
A:\>dir
Volume in drive A has no label.
Volume Serial Number is C4B1-CDCF
Directory of A:\
1 File(s) 2,560 bytes
0 Dir(s) 1,438,720 bytes free
The check had resulted in a larger file. I once again tried to run it, to no avail. I opened it up in UltraEdit to have one last look over the file. I noticed that the file started with PK, which I thought might be the header for PKZIP (WinZip). I checked it against a real zip file and was right. I copied the file to another location and saved it as .zip. I opened it up in WinZip and found that it contained Scheduled Visits.xls, which was password protected.
BUT I HAD NO PASSWORD.
Which brought me back to my theory that the password was somehow in the cover page image, which I had yet to find.
I opened R-Studio back up with the freshly chkdsk'd disk and tried to see if anything new showed up. This is the log of what occurred:
Information  Enumeration of files started for A:
Warning      FAT  Short file name discards 2 lfn slot(s) while parsing directory id: 4
Information  Enumeration of files finished for A:
Information  Recover  Recovering of selected files to C:\SOTM\ started
Warning      FAT  FAT chain closed by end of file entry and 1 clusters were parsed. But file size indicates, that file occupies 39 clusters more. This may indicates, that file was overwritten lately by another file.
Error        Recover  Restoring file C:\SOTM\ Root\Jimmy Jungle. failed. Can't read file to be recovered completely (801).
Information  Recover  3 files of 4 were successfully recovered
Information  Recover  2 folders of 2 were successfully recovered
and in FOUND.000
It had pretty much got me all the files I had, except that the Jimmy Jungle document got cross-linked and was removed. I also got a scandisk-recovered file (FILE0000.CHK). I didn't know what sort of file it was, but it was similar in size to the cover page file that wouldn't open.
I opened the file up in UltraEdit to check it out. The first 16 bytes of the file contained 'ÿØÿà JFIF' (the bytes FF D8 FF E0 followed by the JFIF marker), which reminded me of the file format I had earlier described (.JPG JPEG/JFIF Image).
I opened a JPEG file and inspected it. Its first 16 bytes were the same as the ones I had just outlined. I then proceeded to do exactly what I had done for the zip file, copying it to another location and saving it as a JPEG. The resulting JPEG was a picture of the cover page of High Times magazine.
There was still the outstanding issue of the password for the zip file. I probably could have brute-forced the password, but I knew the password was in the image somewhere.
At position 0x3D20, length 0x000C, was an interesting snippet: 'pw=goodtimes'
I opened up the zip and used the password with success; I gained access to Scheduled Visits.xls, which contained all the information on Joe's drug dealing habits at schools.
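The three hex-editor observations above (a file starting with PK that is really a zip, a file starting with FF D8 FF E0 / JFIF that is really a JPEG, a "cover page" that is one repeated byte, and a pw= string sitting in the image) can be turned into a repeatable content-based triage. The following is an added example, not code from this writeup: the magic-byte table, the extension map and the sample buffers are all constructed here, and the sample buffers are not the challenge image's actual bytes.

```python
"""Triage recovered files by content rather than by name.

Added example (not from the original writeup). It applies three checks the
writeup performs by hand in a hex editor: identify the real type from the
leading magic bytes (PK for ZIP, FF D8 FF for JPEG), flag a file whose body
is one repeated byte, and pull printable strings, including 'key=value'
style passwords, out of an otherwise binary file. The sample buffers are
constructed; MAGICS and EXPECTED_BY_EXT are this example's own tables.
"""
import re
from typing import Dict, List, Tuple

MAGICS: List[Tuple[bytes, str]] = [
    (b"\xFF\xD8\xFF", "JPEG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 document (.doc/.xls)"),
    (b"MZ", "DOS/Windows executable"),
]
# What each extension is expected to contain, matched against the detected type name.
EXPECTED_BY_EXT: Dict[str, str] = {
    "jpg": "JPEG", "jpeg": "JPEG", "zip": "ZIP",
    "doc": "OLE2", "xls": "OLE2", "exe": "executable",
}
CRED_RE = re.compile(rb"(?i)\b(?:pw|pwd|pass|password)=[\x21-\x7E]+")
STR_RE = re.compile(rb"[\x20-\x7E]{4,}")


def identify(data: bytes) -> str:
    """Return the type implied by the file's leading bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def is_filler(data: bytes, threshold: float = 0.95) -> bool:
    """True when a single byte value makes up most of the file (e.g. a run of 0xF6)."""
    if not data:
        return False
    most_common = max(data.count(b) for b in set(data))
    return most_common / len(data) >= threshold


def find_strings(data: bytes) -> List[Tuple[int, str]]:
    """Offsets and values of printable ASCII runs of 4 or more characters."""
    return [(m.start(), m.group().decode("ascii")) for m in STR_RE.finditer(data)]


def find_credentials(data: bytes) -> List[Tuple[int, str]]:
    """Offsets and values of 'pw=...'-style tokens embedded in the file."""
    return [(m.start(), m.group().decode("ascii")) for m in CRED_RE.finditer(data)]


def triage(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the content shows."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "name": name,
        "ext": ext,
        "detected": detected,
        "ext_matches": expected is not None and expected in detected,
        "filler": is_filler(data),
        "credentials": find_credentials(data),
    }


# Constructed samples (not the challenge image's bytes).
JPEG_SAMPLE = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01" + b"\x00" * 50
               + b"pw=goodtimes" + b"\xFF\xD9")
ZIP_SAMPLE = b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24 + b"Scheduled Visits.xls"
FILLER_SAMPLE = b"\xF6" * 64

if __name__ == "__main__":
    for fname, blob in [("Scheduled Visits.exe", ZIP_SAMPLE),
                        ("cover page.jpgc", FILLER_SAMPLE),
                        ("FILE0000.CHK", JPEG_SAMPLE)]:
        print(triage(fname, blob))
        print("  strings:", find_strings(blob))
```

Run over a directory of recovered files, triage() flags the renamed zip (extension .exe, content ZIP), the filler "cover page" and the unnamed .CHK that is really a JPEG, and find_credentials() surfaces the embedded password string with its offset, without anyone having to scroll through a hex dump.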