This submission was created by the Network Security Team of the National Digital Certification Agency: Haikel Mejri, Slim Rekhis, Yacine Djemaiel and Walid Hadjali.
The challenge MD5 hash was copied from the Honeynet web site into a new text file named sotm23.tar.gz.md5 and rearranged into valid md5sum output: b676147f63923e1f428131d59b1d6a72 image.zip
Then the challenge file image.zip was copied into the same directory and verified against the downloaded MD5 hash: $ md5sum -c image.zip.md5
Next the challenge file was unzipped: $ unzip image.zip
The first step of the technical investigation was the identification of the file type using the following command: $ file image.zip . The following result was obtained: image: x86 boot sector, system MSDOS5.0, FAT (12 bit). According to the file command result, the file seems to be the image of an MS-DOS floppy disk formatted with the FAT12 file system.
Next, we proceeded to retrieve trivial information using the strings command line tool: $ strings image > strings_output. From all the printable strings in this file, we picked out the following few pieces of information:
In the second step, we tried to mount the floppy image on the hard disk with the following command: $ mount -o ro,loop,nodev,noexec image mount/
Note the use of the noexec option to avoid the execution of any malicious code and the ro option to avoid modifying the content of the floppy. A first look at the content of the mount directory with the ls command confirms the existence of two files: cover page.jpgc and schedu1.exe. The third file, IMMYJ1DOC, seems to be deleted; consequently its correct name should be ?IMMYJ1DOC, where the ? represents the first character of the file name, which was removed by the operating system when the file was deleted. In fact, when an MS-DOS system deletes a file, the first character of its name in the FAT directory entry is overwritten.
In the next step, we tried to retrieve more information from the two files using the file and strings commands:
It is now clear that the floppy has been subjected to some manipulation of its files or its file system; we tried the fsck.msdos command to check the file system of this floppy. We obtained many error messages confirming that the content of the floppy has been manipulated.
In the next step we tried to use the forensic tools TASK and Autopsy Forensic Browser.
To configure Autopsy Forensic Browser, we put the floppy disk image file in the morgue directory and configured the fsmorgue file by adding the following line:
image fat12 /mount EST5EDT
To launch the Autopsy Forensic Browser we ran the following command: ./autopsy 8888 localhost, which starts the Autopsy web server on the localhost machine on TCP port 8888. The program starts and prints on the console the valid URL to connect to, which changes from one execution to another. In this case this is the URL we used: http://localhost:8888/42601366343949744940/autopsy
This tool showed us the three files we have mentioned before. It also confirmed that the Jimmy Jungle.doc file was deleted. This file, shown in red by the Autopsy Forensic Browser to indicate that it is deleted, cannot be seen with a simple ls command but is still physically present on the disk, at inode (directory entry) number 5. The MAC times of the three files confirm the malicious manipulation made to them: in fact the written times of Jimmy Jungle.doc and Scheduled Visits.exe are earlier than their accessed and created times. Also, the accessed time of all three files is earlier than their created time.
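To make the two observations above concrete (the lost first character of a deleted entry, and write or access stamps that predate creation), here is an added Python example, not from the original submission, that parses a FAT12 directory entry and flags impossible timestamp orderings. The sample entries, their names, times, cluster numbers and sizes are constructed, not taken from the challenge image.

```python
import struct
from datetime import datetime

DELETED = 0xE5  # FAT overwrites the first name byte with this on delete
ENTRY = '<11sBBBHHHHHHHI'  # 32-byte FAT12/16 directory entry layout

def fat_datetime(date_w, time_w=0):
    """Decode packed FAT date (and optional time) words into a datetime."""
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0xF, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)

def fat_pack(dt):
    """Inverse of fat_datetime, used only to build the constructed samples."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def parse_dir_entry(raw):
    """Parse one directory entry; a deleted entry gets '?' for the lost char."""
    name, attr, _, _, ctime, cdate, adate, _, wtime, wdate, lo, size = \
        struct.unpack(ENTRY, raw)
    deleted = name[0] == DELETED
    base = name[:8].decode('ascii', 'replace').rstrip()
    ext = name[8:].decode('ascii', 'replace').rstrip()
    base = '?' + base[1:] if deleted else base
    return {'name': base + ('.' + ext if ext else ''), 'deleted': deleted,
            'attr': attr, 'first_cluster': lo, 'size': size,
            'created': fat_datetime(cdate, ctime),
            'written': fat_datetime(wdate, wtime),
            'accessed': fat_datetime(adate)}  # access is date-only in FAT

def mac_anomalies(entry):
    """Timestamp orderings that cannot arise from normal file system use."""
    checks = {'written < created': entry['written'] < entry['created'],
              'accessed < created': entry['accessed'].date() < entry['created'].date()}
    return [label for label, bad in checks.items() if bad]

def make_entry(name, created, written, accessed, cluster, size):
    """Build a constructed 32-byte entry (sample input, not from the image)."""
    (cd, ct), (wd, wt) = fat_pack(created), fat_pack(written)
    return struct.pack(ENTRY, name, 0x20, 0, 0, ct, cd, fat_pack(accessed)[0],
                       0, wt, wd, cluster, size)

# Constructed samples: a deleted .DOC whose write and access stamps predate its
# creation stamp (the pattern reported for all three files), and a clean entry.
SAMPLE = make_entry(b'\xe5IMMYJ~1DOC', datetime(2003, 4, 15, 14, 42, 30),
                    datetime(2003, 4, 15, 14, 42, 20), datetime(2003, 4, 14),
                    5, 20480)
CLEAN = make_entry(b'COVERP~1JPG', datetime(2003, 4, 15, 14, 40, 0),
                   datetime(2003, 4, 15, 14, 41, 0), datetime(2003, 4, 16), 2, 15585)
```

Running parse_dir_entry over each 32-byte slice of the root directory region of an image gives the same deleted-name and MAC-time picture the browser showed.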
We exported the content of the deleted file using the web interface (clicking on the inode number, then on Export), but we were not able to open this document with any document reader.
Now, in addition to the information reported by fsck.msdos, we can confirm that some modification of the FAT table has occurred, altering either the block addresses or the short file names.
So we tried to reach the correct content of these files by searching the floppy disk sectors. By clicking on the File System option of the Autopsy Forensic Browser, we got more helpful information.
By clicking on the 73-103 (31) link we got this information: JPEG image data, JFIF standard 1.01, resolution (DPI), 96 x 96. By exporting the content of this file to cover_recovered.jpg and opening it with the xview command, we obtained the cover page picture.
To look for some crucial information in this image, we began with the strings command: $ strings cover_recovered.jpg
At the end of the output we noted the presence of some crucial data: pw=goodtimes. This string, or password, has been added to the image content in a hidden manner.
Now by clicking on the 104-108 (5) link we got this information: Zip archive data, at least v2.0 to extract. By exporting the content of this file to schedule.zip and opening it with the unzip command, we got this message: Archive: schdule.zip [schdule.zip] Scheduled Visits.xls password: So now when we tried the password goodtimes that we picked from the cover page file content, this password was the right one, and we got the Scheduled Visits.xls file. By opening this file with the kspread program we got a document describing all the scheduled visits to the schools, per month and per day.
We had now recovered the cover page image and the scheduled visits document but were still unable to recover the Jimmy Jungle document. So we tried to use a Windows program called RECOVERITALL (demo version) and tried to recover the floppy disk (which we created using this command: $ dd if=image of=/dev/fd0 ).
With this utility we were able to recover the Jimmy Jungle.doc file, which contains the following mail:
Jimmy Jungle
Jimmy:
Dude, your pot must be the best - it made the cover of High Times Magazine!
Thanks for sending me the Cover Page. What do you put in your soil when you
plant the marijuana seeds? At least I know your growing it and not some guy in
These kids, they tell me marijuana isn't addictive, but they don't stop buying
from me. Man, I'm sure glad you told me about targeting the high school
students. You must have some experience. It's like a guaranteed paycheck. Their
parents give them money for lunch and they spend it on my stuff. I'm an
entrepreneur. Am I the only one you sell to? Maybe I can become distributor of the
year!
I emailed you the schedule that I am using. I think it helps me cover myself
and not be predictive. Tell me what you think. To open it, use the same
password that you sent me before with that file. Talk to you later.
Thanks,
Joe
According to the recovered Jimmy Jungle.doc document, Jacob's marijuana supplier is ``Jimmy Jungle''; his address is ``
When displaying the strings output of the JPEG file extracted with the Autopsy Forensic Browser from sectors 73-103 (31) of the floppy disk image, we find this content: pw=goodtimes. This is the password of the zip file extracted with the Autopsy Forensic Browser from sectors 104-108 (5) of the floppy disk image.
With this password, it is possible to open the zip file, which was encrypted with it.
By opening the ``Scheduled Visits.xls'' file, we discovered the scheduled visits of Jimmy Jungle to these schools:
The first file, Jimmy Jungle.doc, was deleted, and has a written time which is earlier than its created time, and an accessed time earlier than its created time.
The cover page.jpgc file has a long name stored in the directory table which differs from its short name COVERP~1.JPG. This points to the malicious manipulation of the FAT table content. This file also has a written time earlier than its created time, and an accessed time earlier than its created time.
The third file also has a written time earlier than its created time, and an accessed time earlier than its created time. This file may have a cluster chain length higher than 1024, according to the fsck.msdos output.
The investigation was described in detail in the methods section; here we recap the different steps mentioned above.
In this response we will try to prove that this file was issued by a micro
The cover page was created by the ``MS Paint'' program; in fact we discovered that any file created by MS Paint, when passed to the following command: $ strings file_name, may begin with the following strings:
JFIF
$.' ",#
(7),01444
'9=82<.342
!22222222222222222222222222222222222222222222222222
This gives us proof that the cover page file was created with the MS Paint program; the string "pw=goodtimes" was probably added afterwards by editing the file in hex form.