Analysis by Charley Pfaff (chuckk7 at yahoo)
October 8, 2002
The challenge
Questions
Tools used
Methods
Answers
Appendix
The folks from Digital Forensic Research WorkShop have created a unique
challenge for you. Your mission is to analyze a recovered floppy and answer the questions
below. What makes this challenge unique, you will need to read the police report before
continuing your challenge. Just like an investigation in the real world, you will have
some background information and some evidence, but it's up to you and your technical skills
to dig up the answers. Below is the dd image of the recovered floppy. This is the image
that will provide you the answers, providing you can 'extract' the data.
1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the
supplier?
2. What crucial data is available within the coverpage.jpg file and why is this data
crucial?
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire
contents of each file?
6. What Microsoft program was used to create the Cover Page file? What is your proof?
(Proof is the key to getting this question right, not just making a guess.)
@stake TASK
Windows XP
Red Hat Linux 7.2
The very first step was to verify the downloaded image file with md5sum, comparing the
result with the MD5 hash published on the challenge site.
#md5sum image.zip
Once this checked out, the strings command was run on the image file to see whether any
readable data could be extracted before proceeding with further analysis. The results
yielded a great deal of information, including the text of the deleted .doc file and, most
importantly, the password appended to the .jpg file.
#strings -a image > strings.txt
blah
blah
blah
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Jimmy:
Dude, your pot must be the best
it made the cover of High Times Magazine! Thanks for sending me the Cover Page.
What do you put in your soil when you plant the marijuana seeds? At least I kno
w your growing it and not some guy in Columbia.
These kids, they tell me marijuana isn
t addictive, but they don
t stop buying from me. Man, I
m sure glad you told me about targeting the high school students. You must have
some experience. It
s like a guaranteed paycheck. Their parents give them money for lunch and they s
pend it on my stuff. I
m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of
the year!
I emailed you the schedule that I am using. I think it helps me cover myself and
not be predictive. Tell me what you think. To open it, use the same password t
hat you sent me before with that file. Talk to you later.
Thanks,
Joe
blah
blah
Microsoft Word 10.0
blah
blah
pw=goodtimes
Scheduled Visits.xlsPK
This was enough information to get started on the right track. The output showed that there was a Word document created with Word 2002, that a password was used for something, and that there was a zipped .xls file. The next step was to mount the image and take a look at the files, so the image was mounted read-only using the mount command:
#mount -o ro,loop,nodev,noexec image /t
I started looking at the data to get some information on the files. The file and less commands were used to determine whether the files were intact. The results led to skepticism about the integrity of the files.
#file cover_page.jpgc
cover page.jpgc : PC formatted floppy with no filesystem
The output made no sense until the contents of the file were viewed:
#less cov*
This gave nothing but junk, so I figured the inode information was referencing a blank part of the floppy. Moving on to schedu~1.exe, the file command reported it to be a self-extracting zip, so I copied the file to a Windows XP computer and tried to open it. This only produced NTVDM errors and died. My guess was that either the person was using a special zip program or, since the cover_page file was wrong, this file might also have parts missing.
After not being able to do anything with the mounted data, I started analyzing the image file itself to extract the information, so that it could be ascertained who this person is and how to get at him. The first thing was to break out my trusty tool TASK from @stake to read the FAT file system.
Looking at the mounted file system, there were only two visible files on the floppy, a jpg and an exe containing an Excel file, but my strings output showed there was a Word document somewhere in there. So I first wanted to find any files that had been deleted from the system. The first step was to find out what is on the floppy using the fls tool.
# ./fls -f fat12 ./image
r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
r/r 8: cover page.jpgc (COVERP~1.JPG)
r/r 11: Scheduled Visits.exe (SCHEDU~1.EXE)
The asterisk shows that the doc file has been deleted. I wanted to yank that file off the floppy so that I could see what someone didn't want seen. Using the dls tool, the lost file was reconstructed.
#./dls -l -f fat12 ./image > deleted
The listing showed deleted (unallocated) sectors from 33-72 and 109 up. Knowing that the file was around 20k and that this section is 20k (40 sectors of 512 bytes), I figured this was it and proceeded to extract the data using the dls command again.
#./dls -f fat12 ./image 33-72 > jimmy.doc
This yielded the doc file, which was checked using the file command and verified to be a Microsoft document. The document was then transferred to a Windows machine for further analysis. Upon examining the document, it was noted that there was an Excel document, protected by a password, listing the places he frequented, and also a picture. The next step was to recover the full files, since icat could not be used to get them from the listed inodes. The first step was the fsstat tool, so that I could find out where the actual data was on the disk and reconstruct it.
#./fsstat -f fat ./image
File System Type: FAT
OEM: MSDOS5.0
Volume ID: 3299986895
Volume Label: NO NAME
File System Type (super block): FAT12
META-DATA INFORMATION
--------------------------------------------
Inode Range: 2 - 45762
Root Inode: 2
CONTENT-DATA INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Sector of First Cluster: 33
Total Sector Range: 0 - 2878
FAT 0 Range: 1 - 9
FAT 1 Range: 10 - 18
Data Area Sector Range: 19 - 2878
FAT CONTENTS (in sectors)
--------------------------------------------
73-103 (31) -> EOF
104-108 (5) -> EOF
The information this gave was good, but what was needed is at the bottom: sectors 73-103 and 104-108. Using this information, extraction of the data was started so that it could be analyzed. The tool needed for this was dcat (the exact commands are listed in the command reference in the appendix).
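As an added illustration (my code, not part of the original write-up or of TASK), the following Python carves the same sector ranges from a dd image using the numbers fsstat reported and confirms each carved block by its file signature. The floppy image is constructed in memory with stand-in headers, and the cluster-to-sector arithmetic assumes the fsstat values above (512-byte sectors, one sector per cluster, first cluster at sector 33).

```python
import io

SECTOR = 512                 # "Sector Size: 512" from fsstat
FIRST_CLUSTER_SECTOR = 33    # "Sector of First Cluster: 33"; FAT numbers data clusters from 2
TOTAL_SECTORS = 2879         # "Total Sector Range: 0 - 2878"

# File signatures used to confirm what a carved sector range holds.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (Word/Excel)",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive",
    b"MZ": "DOS/Windows executable",
}

def cluster_to_sector(cluster):
    """Map a FAT cluster number to its first sector (cluster size == sector size here)."""
    return FIRST_CLUSTER_SECTOR + (cluster - 2)

def carve(image, first, last):
    """Return the bytes of sectors first..last inclusive, the range form dls/dcat take."""
    image.seek(first * SECTOR)
    return image.read((last - first + 1) * SECTOR)

def identify(blob):
    """Name the carved block by its leading signature, or 'unknown'."""
    for sig, name in MAGIC.items():
        if blob.startswith(sig):
            return name
    return "unknown"

def recover_all(image):
    """Carve the three ranges from the write-up; returns {name: (byte count, type)}."""
    ranges = {"jimmy.doc": (33, 72), "cover_page.jpg": (73, 103), "schedu~1.exe": (104, 108)}
    result = {}
    for name, (first, last) in ranges.items():
        blob = carve(image, first, last)
        result[name] = (len(blob), identify(blob))
    return result

def make_test_image():
    """Constructed floppy image with stand-in file headers at the sectors fsstat reported."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    def put(sector, data): img[sector * SECTOR:sector * SECTOR + len(data)] = data
    put(33, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")          # deleted Word doc, sectors 33-72
    put(73, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")           # cover page JPEG, sectors 73-103
    put(104, b"MZ\x90\x00")                                # self-extracting zip, sectors 104-108
    return io.BytesIO(bytes(img))
```

On a real image, open the dd file with `open(path, "rb")` in place of `make_test_image()`; the 31-sector JPEG range comes out to the same 15872 bytes the dcat command in the appendix writes.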
The output gave me the files needed for the rest of the analysis. The files were then moved over to the Windows XP box and the analysis continued there. The jpeg file was first viewed in a graphical viewer to see if there was anything of importance; it showed nothing except the dealer's name. Viewing the file in a text editor showed that text had been appended to the end of the file: pw=goodtimes. From what the doc file said, it was surmised that this was the password needed to decompress the zip file. Moving to the self-extracting zip file, it prompted for a password when run; with the goodtimes password the file was decompressed and all the data on the dealer's schedule and the locations he had frequented was obtained. This ended the analysis of the diskette, and the data was turned over to the proper hands.
1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
There are two crucial pieces of information. The first is that it confirms the name of the supplier. The second is the password appended to the end of the file, which is not visible unless you look at the image with a text viewer. The password was then used to open the self-extracting zip file.
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
Joe Jacobs frequents several schools all over and his schedule is included in the xls file that was extracted from the zip file. This is a listing of the schools that he frequents. For a complete listing of his schedule please see Appendix A.
Birard High School
Hull High School
Key High School
Leetch High School
Richter High School
Smith Hill High School
4. For each file, what processes were taken by the suspect to mask them from others?
The first file examined was the deleted doc file. The suspect did not take any special
precautions to protect the file beyond deleting it. The suspect could have used a scrubber
to make it harder to recover, or permanently erased the data, but didn't.
The second file, the jpg, was used to carry the password needed to open the zip file.
Opening the file with a normal jpeg viewer shows a picture of a cover page with no
information. Examining it further with a text viewer shows text appended. This is a simple
way to hide information that some people forget to look for. The basic command to do such
a thing in Windows would be:
echo pw=goodtimes >> cover_page.jpg
The last file is the self-extracting zip file. The only form of concealment used was that the file was password protected. The password was gathered from the jpg file, and the file was extracted and read.
On a final note, I was unsure how the directory information on the diskette came to be messed up. This could have come about by mishandling during the process, or it could be another guise to keep others from reading it. I am not sure whether it was done intentionally or not.
5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
The processes used to examine the contents of the files were explained in the Methods
section of this write-up, but I will present a quick recap. The beginning stage was set by
using basic commands such as strings and less to examine the contents of the image file and
determine whether there was any valuable information. Then the image was mounted and
checked to see if the data was extractable and readable. Once this was determined to be
impossible, I moved on to recover the first file. The first file was a deleted file that
was recovered using the dls tool from the TASK tool kit. The file was then examined using
Microsoft Word 10 on a Windows XP box. The next file was the jpg file, which was recovered
from the disk using the dcat tool from the TASK tool kit. Once extracted it was examined
with mspaint, notepad, and vi. The last file was the self-extracting exe zip file, also
recovered using the dcat tool from TASK. The file was extracted using WinZip 8 and the
password supplied in the jpg file, and examined using Microsoft Excel 2002 to obtain the
information. For a more detailed process please see the Methods section.
Microsoft products were used in order to work in the same environment the suspects used.
The MS program used to create the file was MSPAINT. I came to this conclusion by
recreating jpg files with several programs and matching the beginning of each file against
the original; the best match was mspaint. As you can see, the file I created with mspaint
and the original match up best.
Created with MS Paint:
ÿØÿà^@^PJFIF^@^A^A^A^@`^@`^@^@ÿÛ^@C^^F^F^G^F^E^G^G^G^I ^L^T^M^L^K^K^L^Y^R^S^O^T^]^Z^_^^^]^Z^\^\ $.' ",#^\^\(7),01444^_'9=82<.342ÿÛ^@C^A ^L^K^L^X^M^M^X2!^\!2222222222222222222222222222222222222 2222222222222ÿÀ^@^^A<80>^B^@^C^A"^@^B^Q^A^C^Q^AÿÄ^@^_^@^@^A^E^A^A^A^A^A^A^@^@^@ ^@^@^@^@^@^A^B^C^D^E^F^^I ^KÿÄ^@µ^P^@^B^A^C^C^B^D^C^E^E^D^D^@^@^A}^A^B^C^@^D^Q^E^R!1A^F^SQa^G"q^T2<81><91> #B±Á^URÑð$3br<82> ^V^W^X^Y^Z%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<83><84><85><86><87><88> <89><8A><92><93><94><95><96><97><98><99><9A>¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚ áâãäåæçèéêñòóôõö÷øùúÿÄ^@^_^A^@^C^A^A^A^A^A^A^A^A^A^@^@^@^@^@^@^A^B^C^D^E^F^^I ^KÿÄ^@µ^Q^@^B^A^B^D^D^C^D^G^E^D^D^@^A^Bw^@^A^B^C^Q^D^E!1^F^RAQ^Gaq^S"2<81^TB<91> ¡±Á #3Rð^UbrÑ ^V$4á%ñ^W^X^Y^Z&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<82><83><84><85><86> <87><88><89><8A><92><93><94><95><96><97><98><99><9A>¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒ ÓÔÕÖרÙÚâãäåæçèéêòóôõö÷øùúÿÚ^@^L^C^A^@^B^Q^C^Q^@?^@÷ú(¢<80>
Original cover page image:
ÿØÿà^@^PJFIF^@^A^A^A^@`^@`^@^@ÿÛ^@C^^F^F^G^F^E^G^G^G^I ^L^T^M^L^K^K^L^Y^R^S^O^T^]^Z^_^^^]^Z^\^\ $.' ",#^\^\(7),01444^_'9=82<.342ÿÛ^@C^A ^L^K^L^X^M^M^X2!^\!2222222222222222222222222222222222222 2222222222222ÿÀ^@^^@Ç^@Ð^C^A"^@^B^Q^A^C^Q^AÿÄ^@^_^@^@^A^E^A^A^A^A^A^A^@^@^@^@^@ ^@^@^@^A^B^C^D^E^F^^I ^KÿÄ^@µ^P^@^B^A^C^C^B^D^C^E^E^D^D^@^@^A}^A^B^C^@^D^Q^E^R!1A^F^SQa^G"q^T2<81><91> #B±Á^URÑð$3br<82> ^V^W^X^Y^Z%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<83><84><85><86><87><88> <89><8A><92><93><94><95><96><97><98><99><9A>¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚ áâãäåæçèéêñòóôõö÷øùúÿÄ^@^_^A^@^C^A^A^A^A^A^A^A^A^A^@^@^@^@^@^@^A^B^C^D^E^F^^I ^KÿÄ^@µ^Q^@^B^A^B^D^D^C^D^G^E^D^D^@^A^Bw^@^A^B^C^Q^D^E!1^F^RAQ^Gaq^S"2<81^TB<91> ¡±Á #3Rð^UbrÑ ^V$4á%ñ^W^X^Y^Z&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<82><83><84><85><86> <87><88><89><8A><92><93><94><95><96><97><98><99><9A>¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒ ÓÔÕÖרÙÚâãäåæçèéêòóôõö÷øùúÿÚ^@^L^C^A^@^B^Q^C^Q^@?^@÷ú(¢<80>
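As an added example (my code, not the author's or TASK's), the following Python makes the two checks behind answers 4 and 6 explicit: it walks a JPEG's marker segments, compares the JFIF version and quantization tables of two files as an encoder fingerprint (the structured version of matching the file beginnings by eye), and reports any bytes that follow the EOI marker, which is where echo-appended text lands. The sample JPEGs are constructed in memory using the baseline quantization table from the JPEG spec; they are not the files from the floppy.

```python
import struct

APP0, DQT, SOF0, SOS = 0xE0, 0xDB, 0xC0, 0xDA
# Constructed sample: the baseline luminance quantization table from the JPEG spec (Annex K).
STD_LUMA = [16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
            14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
            18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
            49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99]

def parse_jpeg(data):
    """Walk marker segments up to SOS; collect JFIF version, DQT tables, size, and bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    info = {"jfif": None, "dqt": {}, "size": None, "trailer": b""}
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + length]            # body; length counts its own 2 bytes
        if marker == APP0 and seg[:5] == b"JFIF\x00":
            info["jfif"] = (seg[5], seg[6])              # major, minor version
        elif marker == DQT:                              # a segment may hold several tables
            i = 0
            while i < len(seg):
                n = 128 if seg[i] >> 4 else 64           # 16-bit or 8-bit entries
                info["dqt"][seg[i] & 0x0F] = bytes(seg[i + 1:i + 1 + n])
                i += 1 + n
        elif marker == SOF0:
            info["size"] = struct.unpack(">HH", seg[1:5])[::-1]   # (width, height)
        elif marker == SOS:
            # Entropy-coded data never contains FF D9, so the first one after SOS is the EOI.
            eoi = data.find(b"\xff\xd9", pos)
            info["trailer"] = data[eoi + 2:] if eoi != -1 else b""
            break
        pos += 2 + length
    return info

def same_encoder(a, b):
    """The write-up's header comparison made explicit: same JFIF version and identical DQT tables."""
    pa, pb = parse_jpeg(a), parse_jpeg(b)
    return pa["jfif"] == pb["jfif"] and pa["dqt"] == pb["dqt"]

def build_jpeg(luma, width, height, trailer=b""):
    """Construct a minimal JPEG (JFIF APP0, one DQT, SOF0, empty scan, EOI) for the demo."""
    def seg(m, body): return b"\xff" + bytes([m]) + struct.pack(">H", len(body) + 2) + body
    return (b"\xff\xd8" + seg(APP0, b"JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00")
            + seg(DQT, b"\x00" + bytes(luma))
            + seg(SOF0, b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00")
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\xff\xd9" + trailer)
```

A non-empty trailer on a file that renders normally is the signal to open it in a text viewer, as was done here; matching quantization tables are only a heuristic, since two different programs using the same JPEG library and quality setting produce the same tables.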
Appendix A: Scheduled Visits (2002)
Month Day High School
April Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
May
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
June
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Command reference
./dls -f fat12 ./image 33-72 > test.doc
./fsstat -f fat ./image
./dcat -f fat image 73-103 15872 > i
./dcat -f fat image 104-109 3072 > o