October 2002 Scan of the Month Analysis
Analysis by Jason Scheuerman mt@null.net
October 4th, 2002
The police have imaged a suspected drug dealer's floppy disk and have provided a copy. They would like the floppy disk examined and answers provided to the questions listed below.
I changed the order of the questions, since they had to be answered in this order. Starting with almost no working knowledge of disk image files, FAT, JPEG and ZIP formats, the majority of my analysis time was spent learning about these things.
Tools:
The tools used to analyze the challenge consisted mostly of freeware and shareware tools found on the internet:
UltraEdit
WinHex
Floppy Image
MD5
Checksum
Calc.exe
Questions:
What processes were used to successfully examine the entire contents of each file?
Analyzing the disk
It was extremely helpful to understand how a 1.44 MB floppy disk's data is laid out (512-byte sectors; the offsets below follow from the standard geometry):
DOS boot sector | 1 sector | Starts at offset 0h |
File Allocation Table #1 | 9 sectors | Starts at offset 200h |
File Allocation Table #2 | 9 sectors | Starts at offset 1400h |
Root directory | 14 sectors (224 entries of 32 bytes) | Starts at offset 2600h |
Data section | Remainder of the disk | Starts at offset 4200h |
I copied the image onto a floppy using Floppy Image and opened the disk in WinHex. I then used the Directory browser to jump to the directory entries on the floppy to find out what files were there.
00002600h: E5 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF ; .d.o.c..........
00002610h: FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF ; ................
00002620h: E5 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 ; .J.i.m.m.y.... .
00002630h: 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 ; J.u.n.g.l...e...
00002640h: E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 ; .IMMYJ~1DOC .h8F
00002650h: 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 ; +-+-..Ou.,...P..
00002660h: 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 ; Bg.c. . . .... .
00002670h: 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 ;  . . . . ... . .
00002680h: 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 ; .c.o.v.e.r.... .
00002690h: 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 ; p.a.g.e.....j.p.
00002700h: 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 ; COVERP~1JPG .mMF
00002710h: 2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00 ; +-+-...C+-...<..
00002720h: 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 ; Bi.t.s...e....x.
00002730h: 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 ; e. . . . ... . .
00002740h: 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 ; .S.c.h.e.d....u.
00002750h: 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 ; l.e.d. .V...i.s.
00002760h: 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 ; SCHEDU~1EXE .SSF
00002770h: 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 ; +-+-...B.,I.....
00002780h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00002790h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
There are three files contained on the disk: Jimmy Jungle.doc (deleted), Cover Page.jpg and Scheduled Visits.exe.
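To make the directory layout concrete, here is a small parser added for this write-up (it is not code from the original analysis). It decodes five entries transcribed from the dump above (the two deleted long-name fragments and the three 8.3 entries), derives the region offsets from the standard 1.44 MB geometry, maps each entry's starting cluster to a byte offset in the image, decodes the packed DOS date and time, and uses the checksum stored in the long-name entries to list which legal first characters could have stood where E5h now sits. The geometry constants are assumed (the standard floppy values), not read from the boot sector.

```python
"""FAT12 root-directory parser for a 1.44 MB floppy image.

Added example for this write-up; it is not code from the original
analysis. SAMPLE is transcribed from the directory dump above: the two
deleted long-name (LFN) fragments for "Jimmy Jungle.doc" followed by the
three short (8.3) entries. The geometry constants are the standard
values for a 1.44 MB floppy (assumed, not read from the boot sector).
"""
import struct

BYTES_PER_SECTOR = 512
RESERVED_SECTORS = 1
FAT_COUNT = 2
SECTORS_PER_FAT = 9
ROOT_ENTRIES = 224
SECTORS_PER_CLUSTER = 1
DELETED = 0xE5           # first byte of a deleted entry
ATTR_LFN = 0x0F          # attribute value marking a long-name fragment

# Constructed sample: five 32-byte entries copied from the dump above.
SAMPLE = bytes.fromhex(
    "E5 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF "
    "FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF "
    "E5 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 "
    "4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 "
    "E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 "
    "2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 "
    "43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 "
    "2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00 "
    "53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 "
    "2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 "
)


def layout():
    """Byte offsets of the on-disk regions, derived from the geometry."""
    fat1 = RESERVED_SECTORS * BYTES_PER_SECTOR
    fat2 = fat1 + SECTORS_PER_FAT * BYTES_PER_SECTOR
    root = fat1 + FAT_COUNT * SECTORS_PER_FAT * BYTES_PER_SECTOR
    data = root + ROOT_ENTRIES * 32
    return {"fat1": fat1, "fat2": fat2, "root_dir": root, "data": data}


def cluster_to_offset(cluster):
    """Data clusters are numbered from 2; cluster 2 starts the data area."""
    return layout()["data"] + (cluster - 2) * SECTORS_PER_CLUSTER * BYTES_PER_SECTOR


def dos_datetime(time_word, date_word):
    """Unpack the packed 16-bit DOS time and date words."""
    return (1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
            time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def lfn_checksum(short_name):
    """Checksum of the 11-byte 8.3 name, stored at offset 13 of each LFN entry."""
    s = 0
    for c in short_name:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s


def lfn_fragment(entry):
    """UTF-16LE characters held at offsets 1-10, 14-25 and 28-31 of an LFN entry."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    return raw.decode("utf-16-le").split("\x00", 1)[0]   # 0000h ends, FFFFh pads


def recover_first_char(entry, checksum):
    """Legal 8.3 first bytes that reproduce the LFN checksum for a deleted entry."""
    legal = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()-@^_`{}~"
    return [chr(c) for c in legal if lfn_checksum(bytes([c]) + entry[1:11]) == checksum]


def parse_root_dir(blob):
    """Return one record per 8.3 entry; LFN fragments precede it, last fragment first."""
    files, long_name, lfn_sum = [], "", None
    for i in range(0, len(blob) - 31, 32):
        e = blob[i:i + 32]
        if e[0] == 0x00:                      # 00h: no further entries
            break
        if e[11] == ATTR_LFN:
            long_name, lfn_sum = lfn_fragment(e) + long_name, e[13]
            continue
        deleted = e[0] == DELETED
        base = ("?" if deleted else chr(e[0])) + e[1:8].decode("latin-1")
        ext = e[8:11].decode("latin-1").rstrip()
        mtime, mdate, cluster, size = struct.unpack_from("<HHHI", e, 0x16)
        start = cluster_to_offset(cluster)
        files.append({
            "short_name": base.rstrip() + ("." + ext if ext else ""),
            "long_name": long_name,
            "deleted": deleted,
            "attributes": e[11],
            "modified": dos_datetime(mtime, mdate),
            "cluster": cluster,
            "size": size,
            "data_start": start,
            "data_end": start + size - 1,
            # only meaningful for a deleted entry that still has LFN fragments
            "first_char_candidates": (recover_first_char(e, lfn_sum)
                                      if deleted and lfn_sum is not None else []),
        })
        long_name, lfn_sum = "", None
    return files


if __name__ == "__main__":
    print({k: hex(v) for k, v in layout().items()})
    for f in parse_root_dir(SAMPLE):
        print(f"{f['short_name']:14} {f['long_name']!r:20} deleted={f['deleted']} "
              f"cluster={f['cluster']} size={f['size']} "
              f"data={f['data_start']:#x}-{f['data_end']:#x} modified={f['modified']}")
```

Run as a script, it prints the region offsets (200h, 1400h, 2600h, 4200h) and, for each entry, the extent the directory claims for the file: 4200h-91FFh for the deleted document, a start of 38600h for the picture and D000h for the archive. Those are exactly the places examined in the sections that follow, and the checksum BCh in the two long-name entries is consistent with "J" as the overwritten first character of JIMMYJ~1.DOC.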
Recovering Jimmy Jungle.doc
Jimmy Jungle.doc appears to have been simply deleted. This does not mean, however, that the file is gone. The first character of the file's name in the directory entry has been changed to E5h, which is how DOS denotes a deleted file. The data space that the file took up is simply marked as available, but the data is probably still there.
WinHex allowed me to jump to the place on the disk where the file's data is located, offset 4200h (the start of the data section); the data ran to offset 91FFh.
Using UltraEdit, I copied that range of data (4200h - 91FFh) into a new file, named it Jimmy Jungle.doc and saved it to my local hard drive. I then opened it with Microsoft Word and voilà!
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Jimmy: Dude, your pot must be the best it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia. These kids, they tell me marijuana isn't addictive, but they don't stop buying from me. Man, I'm sure glad you told me about targeting the high school students. You must have some experience. It's like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I'm an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year! I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive. Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later. Thanks, Joe
We find out the grower's address. We also find proof that the suspect has been selling marijuana to high school kids (which we already knew).
Recovering Cover Page.jpg
I attempted to use the same jump-and-copy method for Cover Page.jpg; however, when using WinHex to jump to the area where Cover Page.jpg was supposed to be, I ended up at 38600h-3C2C0h, which was ~15.2k of nothing.
Assuming that the data must be somewhere on the disk, I did some research on the JPEG file format.
JFIF-format JPEG files start with the following header (the SOI marker FF D8, then an APP0 segment of length 10h carrying the "JFIF" identifier):
FF D8 FF E0 00 10 4A 46 49 46 00
I performed a search of the image for that particular string of bytes and found it at offset 9200h (just after Jimmy Jungle.doc). Apparently the suspect had used some program to put the file in a different place than the FAT said it should be.
JPEG files end with an End of Image (EOI) marker of "FF D9", which I found at offset CEDFh.
So I copied all the data between the header and the EOI marker (9200h - CEDFh) to a file and got the picture out.
However, the picture was of no value in itself. Directory entries are 32 bytes each and are laid out as follows (multi-byte values are little-endian):
Offset | Value |
0000h - 000Ah | Filename (8 bytes) and extension (3 bytes) |
000Bh | Attributes of the file |
000Ch - 0015h | Reserved |
0016h - 0017h | Time |
0018h - 0019h | Date |
001Ah - 001Bh | Starting cluster |
001Ch - 001Fh | File size |
The file size that was written in the directory entry for this file was "E1 3C".
Since multi-byte values in the directory entry are stored little-endian (least significant byte first), I reversed this to 3CE1 and used calc.exe to convert it to 15585. However, I found that the data between the markers was 15552 bytes long. What was the rest of the data? I found the following in the rest of the block after the EOI marker:
0000ced0h: A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 FF ; ...(...(...(....
0000cee0h: D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cef0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf00h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf10h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf20h: 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 ; pw=goodtimes....
0000cf30h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf40h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf50h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
"pw=goodtimes"? Very interesting! It looked like a password to me, so I wrote it down.
<Red Herring> I speculated that the suspect had used a steganography program to embed some data in the picture and that this was a password for the encrypted data embedded therein. Without knowing which program was used, the password would be useless. </Red Herring>
Recovering Scheduled Visits.exe:
This file was where the FAT said it would be: when I jumped to the entry in WinHex, there was data there at offset D000h - D3E7h.
0000d000h: 50 4B 03 04 14 00 01 00 08 00 98 5A B7 2C 27 55 ; PK........Z.,'U
0000d010h: 60 8D EA 08 00 00 00 42 00 00 14 00 00 00 53 63 ; `......B......Sc
0000d020h: 68 65 64 75 6C 65 64 20 56 69 73 69 74 73 2E 78 ; heduled Visits.x
0000d030h: 6C 73 94 C8 31 2A E3 49 0B DB A8 10 C2 70 9D FC ; ls..1*.I.....p..
...
It didn't look like an executable, per se, but more like a PKZIP file with a file named "Scheduled Visits.xls" inside: a Microsoft Excel spreadsheet! I also knew that you can password-protect a ZIP file, so I was betting that this is what the password was for.
I tried the copy-and-write-to-file method I had used with the others (copying the bytes exactly to a new file on my hard drive); however, when I tried to open it with WinZip, an error came up saying that the file was corrupted.
I opened up WinHex again and looked at the directory entry. The directory entry for Scheduled Visits.exe had a file size of "E8 03". I reversed this to 03E8 and used calc.exe to convert this to 1000. I jumped to the data area and saw that there was still more data after the 1000 bytes specified by the directory entry.
It appeared that it went all the way down to offset D96Fh. But how do I know whether the 00 data at the end is part of the ZIP file or not?
I guessed that .ZIP files probably had an "end of ZIP" marker just like JPEGs, so I just copied everything to the end of the sector, D000h - D9FFh, where there was still data, and hoped that WinZip would just read it.
WRONG! Corrupt file error.
Question: How do we know where to cut off the data?
Solution: I created a spreadsheet in Microsoft Excel with some dummy information in it and named it Scheduled Visits.xls. I then created a ZIP file with a password of "goodtimes" and put my new spreadsheet in it.
Then I looked at my newly created file with my hex editor (UltraEdit) and saw that the file ended with four bytes of 00h.
Looking at the D800h - D9FFh block I saw that the file appeared to end in this block. From D970h to D9FFh all the characters were 00h and after that it was all the nothingness (probably the blank data area).
I then copied all the data from D000h - D973h to a new file (it had to end with four bytes of 00h), wrote it to my hard drive as Scheduled Visits.exe and opened it with WinZip.
Ta da!!
I had a working winzip file with one file inside.... Scheduled Visits.xls.
When I tried to extract it, I was prompted for a password. I put in 'goodtimes' and was able to open the file.
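A ZIP archive has no trailing end-of-file marker to search for, but its length is fixed by its own records: each local file header stores the compressed size of the data that follows it, the central directory repeats each name, and the 22-byte end-of-central-directory (EOCD) record, plus any comment, is the last thing in the file. The script below, added for this write-up and not code from the original analysis, walks those records to find the exact cut-off instead of guessing from trailing zeros. It also decodes the 50 bytes shown in the dump above, where the general-purpose flag word "01 00" has bit 0 set, which is the ZIP format's "encrypted" flag, and where the compressed size EA 08 00 00 (2282 bytes) already tells you the archive cannot fit in the 1000 bytes the directory entry claimed. The archive it walks is constructed in memory with Python's zipfile module and padded with zeros to mimic the slack after the recovered file; the standard library cannot write password-protected entries, so that constructed archive is unencrypted.

```python
"""Locate the true end of a ZIP archive by walking its records.

Added example for this write-up; not code from the original analysis.
PAGE_LOCAL_HEADER is the first 50 bytes shown in the dump above (30-byte
local file header plus the 20-byte name). The archive walked by
true_zip_length() is constructed in memory with the standard library,
which cannot write password-protected entries, so it is unencrypted.
"""
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data instead

PAGE_LOCAL_HEADER = bytes.fromhex(
    "50 4B 03 04 14 00 01 00 08 00 98 5A B7 2C 27 55 "
    "60 8D EA 08 00 00 00 42 00 00 14 00 00 00 "
) + b"Scheduled Visits.xls"


def dos_datetime(time_word, date_word):
    """Unpack the packed 16-bit DOS time and date words."""
    return (1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
            time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_local_header(blob, off=0):
    """Decode the 30-byte local file header at `off` (all fields little-endian)."""
    (sig, _ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", blob, off)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at {off:#x}")
    return {
        "name": blob[off + 30:off + 30 + nlen].decode("cp437"),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "streamed": bool(flags & FLAG_DATA_DESCRIPTOR),
        "method": method,                      # 8 = deflate
        "modified": dos_datetime(mtime, mdate),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": off + 30 + nlen + xlen,
    }


def true_zip_length(blob, start=0):
    """Bytes the archive occupies from `start`: local records, then the
    central directory, then the EOCD record and its optional comment."""
    off = start
    while struct.unpack_from("<I", blob, off)[0] == LOCAL_SIG:
        h = parse_local_header(blob, off)
        if h["streamed"]:
            raise ValueError("sizes live in a data descriptor; walk the central directory instead")
        off = h["data_offset"] + h["compressed_size"]
    while struct.unpack_from("<I", blob, off)[0] == CENTRAL_SIG:
        nlen, xlen, clen = struct.unpack_from("<HHH", blob, off + 28)
        off += 46 + nlen + xlen + clen
    if struct.unpack_from("<I", blob, off)[0] != EOCD_SIG:
        raise ValueError(f"expected end-of-central-directory record at {off:#x}")
    comment_len = struct.unpack_from("<H", blob, off + 20)[0]
    return off + 22 + comment_len - start


def expected_single_entry_length(local_header):
    """Length a one-entry archive must have, assuming no extra fields and no
    comments (an assumption, but it reproduces the D000h-D973h extent above)."""
    h = parse_local_header(local_header)
    n = len(h["name"].encode("cp437"))
    return (30 + n + h["compressed_size"]) + (46 + n) + 22


def build_sample():
    """Constructed: a deflated one-entry archive followed by slack-space zeros,
    the way the recovered file sat inside its last cluster."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scheduled Visits.xls", b"dummy spreadsheet row\n" * 40)
    archive = buf.getvalue()
    return archive, archive + bytes(140)


if __name__ == "__main__":
    archive, carved = build_sample()
    n = true_zip_length(carved)
    print(f"carved blob {len(carved)} bytes, archive really ends at {n:#x} ({n == len(archive)})")
    print(parse_local_header(PAGE_LOCAL_HEADER))
    print(f"expected length of the recovered file: {expected_single_entry_length(PAGE_LOCAL_HEADER):#x}")
```

For the header in the dump, the arithmetic comes out to 30 + 20 + 2282 bytes of local record, 46 + 20 of central directory and 22 of EOCD, 2420 bytes or 974h in all, so an archive starting at D000h ends at D973h, which is the cut-off found above by trial and error. The four trailing 00 bytes are simply the high half of the EOCD's central-directory offset and its zero comment length. The local-header date field also decodes to 23 May 2002 11:20:48, the spreadsheet's own timestamp inside the archive.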
Who is the dealer's supplier of marijuana and what is the address listed for the supplier?
The answer is contained in Jimmy Jungle.doc:
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
For each file, what processes were taken by the suspect to mask them from others?
File #1: Jimmy Jungle.doc was masked by simply deleting it. The first character of the file's name in the directory entry was changed to E5h, which is how DOS denotes a deleted file. The data space that the file took up was simply marked as available, but the data was still there.
File #2: Cover Page.jpg was masked through misdirection. The starting cluster in the directory entry led to a blank area on the disk; the file's data was actually stored elsewhere.
File #3: Scheduled Visits.exe was masked through truncation. The file size in the directory entry was purposely shorter than the real archive, so that a normal ZIP reader, or anyone copying the file off the disk, would get only part of it and fail.
What crucial data is available within the coverpage.jpg file and why is this data crucial?
Coverpage.jpg had additional data after the End of Image marker, "pw=goodtimes", which was the password used to protect the contents of Scheduled Visits.exe.
What (if any) other high schools besides Smith Hill does the dealer frequent?
Besides Smith Hill High School (A), the schedule lists Key High School (B), Leetch High School (C), Birard High School (D), Richter High School (E) and Hull High School (F), visited in a fixed six-school rotation, one school per weekday. Below is the day and high school for each visit, recovered from Scheduled Visits.xls, found in Scheduled Visits.exe (which was a password-protected ZIP file):
Month (2002) | Day | High School |
April | Monday (1) | Smith Hill High School (A) |
April | Tuesday (2) | Key High School (B) |
April | Wednesday (3) | Leetch High School (C) |
April | Thursday (4) | Birard High School (D) |
April | Friday (5) | Richter High School (E) |
April | Monday (1) | Hull High School (F) |
April | Tuesday (2) | Smith Hill High School (A) |
April | Wednesday (3) | Key High School (B) |
April | Thursday (4) | Leetch High School (C) |
April | Friday (5) | Birard High School (D) |
April | Monday (1) | Richter High School (E) |
April | Tuesday (2) | Hull High School (F) |
April | Wednesday (3) | Smith Hill High School (A) |
April | Thursday (4) | Key High School (B) |
April | Friday (5) | Leetch High School (C) |
April | Monday (1) | Birard High School (D) |
April | Tuesday (2) | Richter High School (E) |
April | Wednesday (3) | Hull High School (F) |
April | Thursday (4) | Smith Hill High School (A) |
April | Friday (5) | Key High School (B) |
April | Monday (1) | Leetch High School (C) |
April | Tuesday (2) | Birard High School (D) |
May | Wednesday (3) | Richter High School (E) |
May | Thursday (4) | Hull High School (F) |
May | Friday (5) | Smith Hill High School (A) |
May | Monday (1) | Key High School (B) |
May | Tuesday (2) | Leetch High School (C) |
May | Wednesday (3) | Birard High School (D) |
May | Thursday (4) | Richter High School (E) |
May | Friday (5) | Hull High School (F) |
May | Monday (1) | Smith Hill High School (A) |
May | Tuesday (2) | Key High School (B) |
May | Wednesday (3) | Leetch High School (C) |
May | Thursday (4) | Birard High School (D) |
May | Friday (5) | Richter High School (E) |
May | Monday (1) | Hull High School (F) |
May | Tuesday (2) | Smith Hill High School (A) |
May | Wednesday (3) | Key High School (B) |
May | Thursday (4) | Leetch High School (C) |
May | Friday (5) | Birard High School (D) |
May | Monday (1) | Richter High School (E) |
May | Tuesday (2) | Hull High School (F) |
May | Wednesday (3) | Smith Hill High School (A) |
May | Thursday (4) | Key High School (B) |
May | Friday (5) | Leetch High School (C) |
June | Monday (1) | Birard High School (D) |
June | Tuesday (2) | Richter High School (E) |
June | Wednesday (3) | Hull High School (F) |
June | Thursday (4) | Smith Hill High School (A) |
June | Friday (5) | Key High School (B) |
June | Monday (1) | Leetch High School (C) |
June | Tuesday (2) | Birard High School (D) |
June | Wednesday (3) | Richter High School (E) |
June | Thursday (4) | Hull High School (F) |
June | Friday (5) | Smith Hill High School (A) |
June | Monday (1) | Key High School (B) |
June | Tuesday (2) | Leetch High School (C) |
June | Wednesday (3) | Birard High School (D) |
June | Thursday (4) | Richter High School (E) |
June | Friday (5) | Hull High School (F) |
June | Monday (1) | Smith Hill High School (A) |
June | Tuesday (2) | Key High School (B) |
June | Wednesday (3) | Leetch High School (C) |
June | Thursday (4) | Birard High School (D) |
June | Friday (5) | Richter High School (E) |
What Microsoft program was used to create the Cover Page file and what is your proof ?
Answer: The Coverpage.jpg file was created using Microsoft Paint version 5.0
Theory: Each image creation/editing program implements the JPEG/JFIF standard slightly differently.
Every JFIF-format JPEG starts with the following byte signature (the SOI marker FF D8, followed by an APP0 segment of length 10h carrying the "JFIF" identifier):
FF D8 FF E0 00 10 4A 46 49 46 00
The actual compressed image data begins after the Start of Scan (SOS) marker: FF DA
Between the beginning of the file and the SOS marker is information on how to decode the picture -- construction information. It includes Huffman tables, quantization tables and other information on how the image was constructed. (All stuff I don't pretend to understand.) It also allows for application-specific data markers (APPn) and comment markers (COM).
There are various ways to construct a JPEG image and various ways of implementing the JFIF specification. Consequently each software package that constructs JPEG images does so in its own way. A lot of image software will use the application-specific data markers and comment markers to denote that a particular image was created with their software.
For example, in a JPEG file created with Adobe Photoshop 5.0, the software puts a comment marker (FF FE) with the data:
File written by Adobe Photoshop 5.0
so we know that it was created by Adobe Photoshop 5.0.
Sample:
000001c0h: 00 00 FF FE 00 26 46 69 6C 65 20 77 72 69 74 74 ; ...&File writt
000001d0h: 65 6E 20 62 79 20 41 64 6F 62 65 20 50 68 6F 74 ; en by Adobe Phot
000001e0h: 6F 73 68 6F 70 A8 20 35 2E 30 FF EE 00 0E 41 64 ; oshop. 5.0..Ad
Some software packages are not identified this way. They have no such comments to identify themselves (as is the case with our unknown sample, coverpage.jpg). However, since each software package implements these construction information headers in different ways, it should be possible to develop a fingerprint of how a particular program creates these headers for any JPEG file and then compare it to the header from coverpage.jpg (just like the police compare human fingerprints).
Proof (by induction): Note: I would have to spend more time to determine with greater certainty that all other image editing applications could be ruled out. I would also have to compare headers across versions of the same application with different builds and patches, but it could be done.
Applications tested: I downloaded several freeware and shareware image applications and downloaded several images known to have been created by other commercial software packages. I then used UltraEdit to compare the construction header of coverpage.jpg as saved by each application, looking for characteristics of each program. The three criteria I chose were:
Package | Includes identifying comments? | Construction header length | Quantization table | Possibility of match |
Unknown (coverpage.jpg) | None | 609 bytes | 67 bytes, repeats 32h after 17 bytes | (reference) |
ACDSee 5.0 | Yes | 528 bytes | 96 bytes | < 50% |
LView Pro 2002 | No | 331 bytes | Match | < 50% |
Paint Shop Pro 7.04 | No | 609 bytes | 67 bytes, repeats 1Eh after 17 bytes | 97.21% |
Photoshop 5.0 | Yes | 986 bytes | 132 bytes | < 50% |
VicMan's Photo Editor 6.999 (beta) | No | 609 bytes | 67 bytes, repeats 28h after 17 bytes | 97.21% |
Microsoft Paint 5.0 | No | 609 bytes | Match | 99.34% |
Microsoft PictureIt! 2000 | No | 609 bytes | 67 bytes, repeats 14h after 17 bytes | 97.21% |
Microsoft PowerPoint | Yes | 416 bytes | Match | < 50% |
Conclusion:
Since the question asked which Microsoft program was used to create the file, I concluded that Microsoft Paint 5.0 was the program. Microsoft has only a few products that create and edit images. Of these, only Microsoft Paint came within 1% of the unknown.
The only difference between Microsoft Paint 5.0 and the unknown file was the four bytes at 00Eh - 011h (X and Y pixel density in the JFIF APP0 segment). The build that I was using consistently had this value at 012Ch (decimal 300) for all images. The unknown file had this value at 0060h (decimal 96), and I have not been able to account for this. There may be settings that control this value within the Windows registry, or it may differ in previous builds of MS Paint 5.0.
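Both the carving step earlier (searching for the JFIF signature and then for the FF D9 EOI) and the fingerprint comparison above reduce to walking a JPEG's marker segments. The script below, added for this write-up and not code from the original analysis, does that walk: every segment after SOI carries a big-endian length, and the entropy-coded data after SOS is byte-stuffed (FF 00) and may contain RSTn markers, so the next unstuffed FF xx is the real marker. Reaching EOI this way, rather than taking the first FF D9 in the file, matters because an Exif thumbnail is a complete JPEG with its own EOI inside an APP1 segment, and a naive search would truncate the picture there. The script returns everything stored after EOI (where "pw=goodtimes" sat) and extracts the three traits compared in the table: bytes before SOS, COM text, and each DQT segment's length together with the index from which the table's values repeat (my reading of "repeats 32h after 17 bytes"), plus the APP0 density bytes discussed in the conclusion. The sample is a constructed JPEG-shaped byte string, not coverpage.jpg and not a decodable picture.

```python
"""Walk a JPEG by its marker segments: find the real End of Image (EOI),
return what follows it, and extract the header traits compared above.

Added example for this write-up; not code from the original analysis.
The sample built by build_sample() is a constructed JPEG-shaped byte
string, not coverpage.jpg and not a decodable picture.
"""
import struct

SOI, EOI, SOS, COM, DQT, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xFE, 0xDB, 0xE0, 0xE1
RST = range(0xD0, 0xD8)          # restart markers: allowed inside scan data


def skip_scan(blob, off):
    """Advance over entropy-coded data to the next real marker. The data is
    byte-stuffed (FF 00) and may hold RSTn, so those are not markers."""
    while off + 1 < len(blob):
        if blob[off] == 0xFF and blob[off + 1] != 0x00 and blob[off + 1] not in RST:
            return off
        off += 1
    raise ValueError("scan data runs off the end of the buffer")


def walk(blob):
    """Yield (marker, offset, payload) for each segment, ending at EOI.
    Segment lengths are big-endian and include the two length bytes."""
    if blob[:2] != b"\xFF\xD8":
        raise ValueError("no SOI marker")
    yield SOI, 0, b""
    off = 2
    while off + 1 < len(blob):
        if blob[off] != 0xFF:
            raise ValueError(f"expected a marker at {off:#x}")
        marker = blob[off + 1]
        if marker == EOI:
            yield EOI, off, b""
            return
        length = struct.unpack_from(">H", blob, off + 2)[0]
        yield marker, off, blob[off + 4:off + 2 + length]
        off += 2 + length
        if marker == SOS:
            off = skip_scan(blob, off)
    raise ValueError("EOI not found")


def carve(blob):
    """Split at the structural EOI: (image bytes, trailing bytes)."""
    for marker, off, _ in walk(blob):
        if marker == EOI:
            return blob[:off + 2], blob[off + 2:]


def naive_eoi(blob):
    """The first FF D9 in the file, which is not always the real EOI."""
    return blob.find(b"\xFF\xD9")


def dqt_tail(payload):
    """(index, value): the 8-bit table is constant at `value` from `index` on."""
    table = payload[1:65]               # byte 0 is precision/table id
    i = len(table) - 1
    while i > 0 and table[i - 1] == table[-1]:
        i -= 1
    return i, table[-1]


def fingerprint(blob):
    """Header traits: bytes before SOS, COM texts, DQT (length, tail), JFIF density."""
    traits = {"comments": [], "dqt": [], "density": None, "header_length": None}
    for marker, off, payload in walk(blob):
        if marker == SOS:
            traits["header_length"] = off
            break
        if marker == COM:
            traits["comments"].append(payload.decode("latin-1"))
        elif marker == DQT:
            traits["dqt"].append((len(payload) + 2, dqt_tail(payload)))
        elif marker == APP0 and payload[:5] == b"JFIF\x00":
            traits["density"] = struct.unpack_from(">HH", payload, 8)  # X, Y density
    return traits


def build_sample():
    """Constructed sample: JFIF APP0 at density 96, an Exif-style APP1 whose
    embedded thumbnail ends in its own FF D9, a COM, one DQT whose tail is
    constant, a SOS with stuffed FF 00 and an RST0, EOI, then slack bytes."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00" + bytes([1, 1, 1]) + struct.pack(">HH", 96, 96) + b"\x00\x00"
    app1 = b"Exif\x00\x00" + b"\xFF\xD8\x00\x11\x22\xFF\xD9"
    dqt = bytes([0]) + bytes(range(16, 33)) + bytes([0x32]) * 47
    sos = bytes([1, 1, 0, 0, 63, 0])
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78\x9A"
    image = (b"\xFF\xD8" + seg(APP0, app0) + seg(APP1, app1) + seg(COM, b"made by sample")
             + seg(DQT, dqt) + seg(SOS, sos) + scan + b"\xFF\xD9")
    return image, image + bytes(64) + b"pw=goodtimes" + bytes(20)


if __name__ == "__main__":
    image, carved = build_sample()
    img, slack = carve(carved)
    print(f"naive FF D9 at {naive_eoi(carved):#x}, real EOI ends at {len(img):#x}")
    print("after EOI:", slack.strip(b"\x00"))
    print(fingerprint(img))
```

Run as a script, it shows the naive FF D9 search stopping inside the APP1 thumbnail while the structural walk reaches the real EOI, recovers the string planted after it, and reports a 67-byte DQT whose values repeat 32h from entry 17 onward, the same trait the table above records for the unknown file. For the real coverpage.jpg the same fingerprint() call would give the 609-byte header length and the absence of COM text that the comparison relied on.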
Acknowledgements:
This being my first submission to the Honeynet project I just wanted to thank the Honeynet team. This was fun!