Honeynet Project
Scan of the Month – October 2002
Yoann Le Corvic
yoann.lecorvic@linkvest.com
The challenge this month is to recover files from a floppy, and provide information that could be used to prove the guilt of a suspected drug dealer.
Before doing anything else, let’s check the MD5 checksum of the file.
I did the whole analysis on a Windows box this time. For a change…
The questions are answered in the same order they have been asked. The main description of the process I used is in §5.
The name and address of the supplier are:
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
At first, I couldn’t locate the info anywhere in the 2 files I recovered (cf. §5). So I used Hview to open the image directly and see what text I could recover from it.
Then I used a freeware data recovery program to check the floppy disk. I explain this in detail in §5; with it I managed to recover the deleted Word document.
After recovering this file (the different methods I used are described in §5), I tried to open it with Notepad to see what could be hiding in it, and I noticed something interesting that didn’t really look like JPEG data: “pw=goodtimes”.
He is visiting other schools, and in a rather organised way. See the Excel file for all details.
The methods used to obfuscate the files from unwanted readers are as follows:
o In general, there was a corruption of the FAT (file allocation table) that I needed to fix to get the files back. The FAT correction revealed the cover page image and the “schedu~1.exe” file.
o The Word document was erased from the disc. We could see it in Hview, as the first letter of the file name was deleted. The recovery program had no trouble getting the file back.
o The Excel file was protected in 2 ways. First, it was added to a ZIP file that was renamed as an executable so that it wouldn’t be recognised as an archive. Then the ZIP file was password protected. The password was hidden in the cover page JPEG file (pw=goodtimes).
- First I used rawwrite to create a floppy and see its content from the computer’s point of view.
- Then I tried to look inside the 2 files found by the computer:
1. I found that the first, “cover page.jpgc ”, was inaccessible. And the fact that there were some spaces at the end of the file name that I couldn’t trim gave me a hint that the FAT table may be corrupted.
2. For the second, “Schedu~1.exe”, when I opened it with Notepad, I saw PK as the starting letters of the file, which led me to think that this file could be a ZIP file. To confirm that, I renamed the file to “.ZIP” instead of “.EXE”, to see if I could extract the content of the file. There was an error again, but apparently WinZip recognised a ZIP file. It just complained that it may be corrupt.
- From then on I used two different techniques to get the data back, but I started by opening the image file directly in Hview, from where I discovered the name and address of the supplier. I also noticed that there should be at least 3 files, because of the names appearing in the FAT table:
o Jimmy Jungle.doc – probably deleted, because the first letter of the short name (JIMMYJ~1.DOC) is deleted
o Cover page.jpgc – short name COVERP~1.JPG
o Scheduled visits.exe – short name SCHEDU~1.EXE
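The two clues above (a directory entry whose first name byte was overwritten on deletion, and a “.exe” whose first bytes read PK) can be checked against the image itself rather than by eye in a hex viewer. The following Python is an added example, not the author’s tooling: it reads the BPB and root directory of a FAT12 floppy image, lists live and deleted 8.3 entries, and compares each extension with the file’s magic bytes. The image it runs on is constructed in build_sample_image() to mirror the three entries above; it is not the challenge floppy.

```python
"""FAT12 root-directory walk: list live and deleted 8.3 entries and compare each file's
extension with its leading bytes. Added example for this write-up, not the author's tooling."""
import struct

MAGIC = {b"PK\x03\x04": "ZIP", b"\xff\xd8\xff": "JPEG", b"\xd0\xcf\x11\xe0": "OLE2"}
EXT_KIND = {"ZIP": "ZIP", "JPG": "JPEG", "DOC": "OLE2", "XLS": "OLE2"}

def sniff(data):
    """Name the container from its first bytes, or 'unknown'."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def list_root(image):
    """Yield one dict per 8.3 root-directory entry, deleted entries included."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", image, 11)
    root_off = (reserved + nfats * spf) * bps      # root dir follows the FAT copies
    data_off = root_off + root_entries * 32        # cluster 2 begins right after the root dir
    for i in range(root_entries):
        ent = image[root_off + 32 * i: root_off + 32 * (i + 1)]
        if ent[0] == 0x00:                         # 0x00: no entries follow
            break
        if ent[11] == 0x0F:                        # long-file-name fragment: no cluster/size
            continue
        deleted = ent[0] == 0xE5                   # delete = overwrite first name byte; data stays
        base = ("?" if deleted else chr(ent[0])) + ent[1:8].decode("ascii").rstrip()
        ext = ent[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", ent, 26)
        start = data_off + (cluster - 2) * spc * bps
        kind = sniff(bytes(image[start:start + 8]))
        yield {"name": f"{base}.{ext}", "deleted": deleted, "size": size, "kind": kind,
               "mismatch": EXT_KIND.get(ext) != kind}   # e.g. ".EXE" whose bytes say ZIP

def suspicious(image):
    """Names worth a second look: deleted, or extension disagrees with content."""
    return [e["name"] for e in list_root(image) if e["deleted"] or e["mismatch"]]

def build_sample_image():
    """Constructed 1.44 MB FAT12 image mirroring the three entries the write-up saw in Hview."""
    img = bytearray(2880 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    root_off = (1 + 2 * 9) * 512
    files = [(b"\xe5IMMYJ~1DOC", 2, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # deleted Word doc
             (b"COVERP~1JPG", 3, b"\xff\xd8\xff\xe0\x00\x10JFIF"),        # cover page
             (b"SCHEDU~1EXE", 4, b"PK\x03\x04\x14\x00\x00\x00")]          # ZIP named .exe
    for i, (name, cluster, head) in enumerate(files):
        off = root_off + 32 * i
        img[off:off + 11], img[off + 11] = name, 0x20                     # short name + ATTR_ARCHIVE
        struct.pack_into("<HI", img, off + 26, cluster, 512)              # start cluster, size
        start = root_off + 224 * 32 + (cluster - 2) * 512
        img[start:start + len(head)] = head
    return bytes(img)
```

Running `suspicious(build_sample_image())` flags the deleted document and the “.EXE” that is really a ZIP; the same walk over a real floppy image (open with `open(path, "rb").read()`) depends only on the BPB being intact.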
My first attempt was to run a simple CheckDisk from Windows to try and fix the suspected FAT problems. At the end of the scan, I noticed 3 things:
o The “cover page.jpgc ” disappeared.
o A folder “found.000” appeared. In that folder, there was a “.CHK” file, and, as I suspected, this was the fixed JPEG file. When I renamed it to “.JPG”, I got this:
o And third, the size of the file “Schedu~1.exe” changed. When I then changed the extension to “.ZIP”, I could extract the file “Scheduled Visits.xls”, containing the list of all the schools and the associated distribution planning.
The second attempt. I knew there was a file missing, a Word document, that I could identify in Hview, and I suspected it was deleted because the first letter of the filename was missing. As I had nothing at hand to recover DOS files, I downloaded an eval copy of GetDataBack (http://www.runtime.com) to see what this could recover.
I ran it once, but it just gave me the 2 files I already had, which made me wonder if the program wasn’t blindly trusting the FAT table (which I still thought was corrupted). I fiddled around in the options of the program till I found one that said “IGNORE FAT TABLE ENTRIES”. I ticked that, tried again, and I got this:
Here is the missing Word document. Note, though, that you could see the content of this document in Hview anyway (but it’s much nicer to have it straight in Word to present to the court :-)).
This program also found the lost files in the same way Windows ScanDisk did (though for some reason the size of the JPG file is 1MB).
Difficult one this is…
The truth is I don’t know. I guess it is Microsoft Office, so I tried to generate a JPEG file with PowerPoint and checked the content in Hview, but it didn’t help much.
The picture below shows the differences between the header in the floppy image file (on the top) and the one I generated with PowerPoint (the bottom one). We can see that PowerPoint adds the data “Software:Microsoft Office” in the JPEG headers.
So I am very curious to see the result of this question.
Those are the files that were recovered using the different techniques described along this document:
The deleted Word document: J_IMMYJ~1.DOC
The cover page recovered after ScanDisk: CoverPage.jpeg
The cover page recovered by “GetDataBack”: CoverPage.jpeg
The original ZIP archive: Scheduled Visits.exe (corrupt file)
The ZIP file after ScanDisk: Scheduled Visits.exe (password: goodtimes)
The Excel file inside the ZIP: Scheduled Visits.xls