Honeynet Project – October 2002
Analysis by Peter Mc Laughlin
October 24th 2002
Summary
Tools
Methodology
Questions
References
“Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law” – source Dibs USA
The recovery, analysis and presentation of “digital evidence” is an area that is becoming more and more important to law enforcement agencies globally. The benefits of working in a digital world have cascaded not only to the man / woman in the street but also to the criminal elements within our society.
This exercise demonstrates that a would-be drug pusher would do better to invest in appropriate disk scrubbing technology than rely on outdated MS methods of deleting files and data from storage media.
@stake Research Tools: Autopsy Forensic Browser
Downloaded the image file for Scan of the Month 24 from http://project.honeynet.org/ to /forensics on the local machine.
Copied the MD5 hash for this challenge from the Honeynet web site into a new text file named sotm24 and rearranged it into a valid md5sum output. Verified this MD5 sum against the MD5 listed on the web site. This proves the file has not been tampered with and we are ready to progress the forensic analysis of the floppy disk and its contents.
Extracted the image onto a formatted 1.44mb floppy in order to carry out an initial investigation of the disk. This was achieved by executing
    dd if=/forensics/image of=/dev/fd0
I also mounted the image read-only onto my Redhat machine by running
    mount -o ro,loop,nodev,noexec /forensics/image /home/forensics
Initially the contents of the disk revealed 2 files, apparent from both the NT and Linux platforms:
    cover page.jpgc
    schedu~1.exe
The @stake tool kit and the Autopsy forensic browser were the primary tools I used to perform the forensic analysis on this image. The tool requires that the image file be copied into the /morgue directory and an entry placed in /morgue/fsmorgue as detailed below.
    image fat A: EST5EDT
This entry points the tool towards the image file stored in /morgue; the file system type is fat, the mount point is A: and the time zone is EST5EDT.
The tool was initiated by executing
    /autopsy-1.62/autopsy 8888 localhost
Autopsy revealed a different picture than what was first seen on the disk:
    Cover page.jpgc        (COVERP~1.JPG)
    Jimmy Jungle.doc       (_IMMY~1.doc)
    Scheduled Visits.exe   (SCHEDU~1.EXE)
We are now working with 3 files as opposed to two. The easiest of these to recover was Jimmy Jungle.doc. This file was a straightforward delete from Windows and would be easily recoverable, as MS does not fully delete the file but merely replaces the first character of its directory entry (hence _IMMY~1.doc). The necessary info required from this file was viewable from an ASCII output of the relevant sectors on the disk (sectors 38 & 39). A case-insensitive keyword search in Autopsy recovered the 2 segments of the doc file. (Only a small section is shown for the purposes of layout; see Appendix for the full Doc.)
ASCII Contents of Sector 38 (512 bytes) in image
    Jimmy Jungle
    626 Jungle Ave Apt 2
    Jungle, NY 11111
    Jimmy:
    Dude, your pot must be the best . it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.
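As an added example (not part of the original write-up), the following Python decodes 32-byte FAT directory entries the way a tool such as Autopsy must to list _IMMY~1.doc: a deleted entry keeps its extension, start cluster and size, and only the first byte of its name is overwritten with 0xE5, which is why the file's two sectors can still be located. The sample root directory and the 1.44 MB floppy geometry are constructed here to mirror the sector numbers quoted in this write-up (38-39, 73-103, 104-108).

```python
import struct

SECTOR = 512
# Assumed geometry of a standard 1.44 MB FAT12 floppy (not read from the image here):
# 1 reserved sector, 2 FATs x 9 sectors, 14 root-directory sectors, 1 sector per cluster.
FIRST_DATA_SECTOR = 1 + 2 * 9 + 14      # sector 33 holds cluster 2
DELETED_MARK = 0xE5                      # what Windows writes over the name's first byte

def parse_dir_entries(raw):
    """Decode 32-byte FAT directory entries, keeping the ones Windows only marked deleted.
    The sector range assumes contiguous allocation; the FAT chain would confirm it."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                 # first byte 0x00: no further entries
            break
        if e[11] == 0x0F:                # long-file-name pseudo-entry, skip for the 8.3 view
            continue
        deleted = e[0] == DELETED_MARK
        base = (b"_" if deleted else e[0:1]) + e[1:8]    # Autopsy shows the lost byte as _
        name = base.decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)  # FAT12: 16-bit start cluster
        first = FIRST_DATA_SECTOR + cluster - 2
        last = first + (size + SECTOR - 1) // SECTOR - 1
        entries.append({"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
                        "size": size, "sectors": (first, last)})
    return entries

def make_entry(short_name, cluster, size, deleted=False):
    """Constructed archive-flag directory entry with zeroed timestamps (sample data only)."""
    name, _, ext = short_name.partition(".")
    raw = bytearray(name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(14))
    raw += struct.pack("<HI", cluster, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)

# Constructed root directory mirroring the write-up's layout: the two visible files at
# sectors 73-103 and 104-108, and the deleted letter at cluster 7 (sectors 38-39).
SAMPLE_ROOT_DIR = (make_entry("COVERP~1.JPG", 42, 31 * SECTOR)
                   + make_entry("SCHEDU~1.EXE", 73, 5 * SECTOR)
                   + make_entry("JIMMY~1.DOC", 7, 2 * SECTOR, deleted=True)
                   + bytes(32))                    # end-of-directory marker
```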
The remaining files were more complicated, as there had been some attempt to camouflage their contents and file type. Schedu~1.exe, or Scheduled Visits.exe (to give it its full long file name), is in no shape or form an executable file. An examination of the file's contents within Autopsy reveals a reference to Scheduled Visits.xls. Was this file embedded within the so-called .EXE? Changing Schedu~1.exe to Schedu~1.txt and running it through the NTI filter strips out all non-alphanumeric characters and shows the following:
PK
Z , U`
B
Scheduled Visits.xls 1*
I p 1 H <K u Q *6 $ ~uF NVO `6T .# R #-4 HT b ^ ? Rr f J x 5kUM a_ SA# ; Qk
I ;
2
There was not enough alphanumeric data within the dump to indicate an XLS renamed as an EXE. This could have been a WINZIP file that was changed to .EXE. This idea was copper-fastened by taking an XLS, zipping it, renaming it to .EXE and then .txt, and running it through the filter.
PK
n}X-N( H
<
xls.xls _l E 3; {- s \ K
$b
G Qc yC
C4
H > h4 8g~ ; c S .
} m # N;O5 R # T!M \6 j:]
The similarities were obvious, so it was reasonable to assume that we were looking for a ZIP file at this point that had been renamed to .EXE. A keyword search for Scheduled Visits.xls within Autopsy revealed file fragments spanning 5 sectors on the disk (104-108). As we needed to recover this file to further the investigation, it was necessary to export the data from each of these sectors in RAW format and string them together to form a valid ZIP file. There were 5 files in total (sectors 104-108). This was achieved as follows:
    cat image-Sector105.raw >> image-Sector104.raw
    cat image-Sector106.raw >> image-Sector104.raw
    cat image-Sector107.raw >> image-Sector104.raw
    cat image-Sector108.raw >> image-Sector104.raw
image-Sector104.raw was the master file that was believed to be the ZIP file. This file was exported to a WIN2K server, renamed as image-Sector104.zip and successfully opened to reveal Scheduled Visits.XLS... but there was a password required to extract the XLS!
As there was no apparent reference to a password, I moved on to cover page.jpgc to perform the same function as above and hopefully extract a usable file.
An analysis of the file system on the disk showed that in addition to sectors 104-108 containing data, there was also a large amount of data (in relative terms) residing in sectors 73-103. The file header at sector 73 contained the following data (after exporting it and filtering through the NTI filter):
JFIF ` ` C $.'
",# (7),01444 '9=82<.342
The JFIF entry is common to the JPG file format; this was cross-checked by analysing the headers of 20 standard JPG files, which all contained the JFIF ref. Sectors 73-103 were dumped out and pieced together as per the previous file, renamed as a JPG and successfully opened (see attachments for the actual jpg).
An added bonus related to extracting all the data within sectors 73-103 was discovering a password hidden in sector 103 (see string report below).
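The reconstruction of the ZIP from sectors 104-108 and the JFIF check on sector 73 can be done by offset rather than by hand. This added Python example (mine, not code from the write-up or from the Autopsy project) scans a constructed 110-sector image for ZIP and JFIF headers, reads the ZIP local file header to learn the member name and whether the password-protection flag is set, and carves the archive through to its end-of-central-directory record. The sample image and its contents are constructed; only the sector numbers are borrowed from the text.

```python
import io
import struct
import zipfile

SECTOR = 512
ZIP_LOCAL_HDR = b"PK\x03\x04"        # the "PK" the NTI filter left visible
ZIP_EOCD = b"PK\x05\x06"             # end-of-central-directory record closes the archive
JPEG_SOI_JFIF = b"\xff\xd8\xff\xe0"  # SOI marker plus the APP0 segment that carries "JFIF"

def find_signatures(image):
    """Return [(sector, kind)] for every sector that begins with a known file header."""
    hits = []
    for s in range(len(image) // SECTOR):
        chunk = image[s * SECTOR:(s + 1) * SECTOR]
        if chunk.startswith(ZIP_LOCAL_HDR):
            hits.append((s, "zip"))
        elif chunk.startswith(JPEG_SOI_JFIF) and chunk[6:10] == b"JFIF":
            hits.append((s, "jpeg"))
    return hits

def parse_local_header(image, sector):
    """Decode the ZIP local file header at `sector`: (member name, encrypted?, compressed size)."""
    off = sector * SECTOR
    hdr = struct.unpack_from("<4sHHHHHIIIHH", image, off)   # sig..crc, csize, usize, nlen, xlen
    if hdr[0] != ZIP_LOCAL_HDR:
        raise ValueError("no ZIP local header at sector %d" % sector)
    name = image[off + 30:off + 30 + hdr[9]].decode("cp437")
    return name, bool(hdr[2] & 0x0001), hdr[7]   # flags bit 0 set = member needs a password

def carve_zip(image, start_sector):
    """Copy from start_sector to the end of the EOCD record: the cat >> step, by offset."""
    start = start_sector * SECTOR
    eocd = image.find(ZIP_EOCD, start)
    if eocd < 0:                                # truncated archive: nothing usable to carve
        return None
    comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
    return image[start:eocd + 22 + comment_len]

def list_members(zip_bytes):
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()

def build_sample_image():
    """Constructed 110-sector image mirroring the write-up: JFIF header at 73, ZIP at 104."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scheduled Visits.xls", b"Month,Day,High School\n" * 60)
    zdata = buf.getvalue()
    image = bytearray(110 * SECTOR)
    image[73 * SECTOR:73 * SECTOR + 11] = JPEG_SOI_JFIF + b"\x00\x10JFIF\x00"
    image[104 * SECTOR:104 * SECTOR + len(zdata)] = zdata
    return bytes(image)
```

On the real image the flag check would have reported the password requirement before the archive was ever shipped to the WIN2K box.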
Autopsy string Sector Report (ver 1.62)
------------------------------------------------------
Sector: 103
Length: 512 bytes
Not allocated to any inodes
MD5 of raw Sector: f1430559d3bc8df3c04b384b47936e35
MD5 of string output: f3adc79ce7002790260171fa48af93db
Image: /morgue/image
Image Type: fat12
Date Generated: Fri Oct 25 12:33:37 2002
Investigator: peter mc laughlin
------------------------------------------------------
pw=goodtimes
It was not a giant leap of faith to suggest that this was the password to extract the XLS from the Zip file; it worked! (See Appendix for the XLS.)
Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
What crucial data is available within the coverpage.jpg file and why is this data crucial?
Cover Page.jpg contains a hidden password (pw=goodtimes) that allowed the investigator to successfully extract the XLS from the ZIP file. Without this password it would not have been possible to extract the XLS and identify the other High Schools that Joe was selling to. In addition, valuable investigation time was not spent attempting a brute force attack against the ZIP file to gain access.
What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
Key High School
Leetch High School
Birard High School
Richter High School
Hull High School
For each file, what processes were taken by the suspect to mask them from others?
cover page.jpgc: The file was rendered unreadable by the addition of extra characters to the file name. The method used was probably similar to the alt+255 exploit; the Alt+255 character sequence is unreadable by Windows. In addition the file name was extended to .jpgc. Also the file was more than likely split across different segments with a file splitter to make it harder to find.
schedu~1.exe: This file was initially a ZIP file; it was renamed as an EXE and split into multiple segments and fragmented across the disk. The ZIP file was password protected and the password manually entered into the source code of cover page.jpg to hide it from others.
What processes did you (the investigator) use to successfully examine the entire contents of each file?
Please see methodology above.
What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)
My investigation leads me to believe that Jacobs used Microsoft Word for Windows 8.0. See the filtered raw dump below. Sector 72 on the disk is the sector prior to sector 73, where the first section of cover page.jpg resides.
Hex Contents of Sector 72 (512 bytes) in image
     0  0100feff 030a0000 ffffffff 06090200   .... .... .... ....
    16  00000000 c0000000 00000046 18000000   .... .... ...F ....
    32  4d696372 6f736f66 7420576f 72642044   Micr osof t Wo rd D
    48  6f63756d 656e7400 0a000000 4d53576f   ocum ent. .... MSWo
    64  7264446f 63001000 0000576f 72642e44   rdDo c... ..Wo rd.D
    80  6f63756d 656e742e 3800f439 b2710000   ocum ent. 8..9 .q..
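To show what the dump above actually encodes, here is an added example (not part of the original write-up) that parses the first 96 bytes of sector 72 as the start of an OLE2 CompObj stream: the header carries the creating application's CLSID, followed by three length-prefixed ANSI strings (user type, clipboard format, ProgID). The bytes are transcribed from the dump; the CLSID-to-product mapping is a known constant, not something read from the disk.

```python
import struct
import uuid

# First 96 bytes of sector 72, transcribed from the hex dump above (the start of an OLE2
# CompObj stream); this is page data, not constructed sample input.
SECTOR72_PREFIX = bytes.fromhex(
    "0100feff 030a0000 ffffffff 06090200"
    "00000000 c0000000 00000046 18000000"
    "4d696372 6f736f66 7420576f 72642044"
    "6f63756d 656e7400 0a000000 4d53576f"
    "7264446f 63001000 0000576f 72642e44"
    "6f63756d 656e742e 3800f439 b2710000")

COMPOBJ_MAGIC = 0xFFFE0001     # fixed first dword of every CompObj stream
UNICODE_MARKER = 0x71B239F4    # separates the ANSI strings from their Unicode copies
WORD_97_CLSID = "00020906-0000-0000-c000-000000000046"  # Word.Document.8 (Word 97-2003)

def read_ansi_string(data, pos):
    """Length-prefixed ANSI string; returns (text, position after it)."""
    length = struct.unpack_from("<I", data, pos)[0]
    if length in (0xFFFFFFFF, 0xFFFFFFFE):       # a standard clipboard-format id instead
        fmt = struct.unpack_from("<I", data, pos + 4)[0]
        return "clipboard format #%d" % fmt, pos + 8
    text = data[pos + 4:pos + 4 + length].rstrip(b"\x00").decode("latin-1")
    return text, pos + 4 + length

def parse_compobj(data):
    """Decode the header CLSID and the three ANSI strings of a CompObj stream."""
    magic, version = struct.unpack_from("<II", data, 0)
    if magic != COMPOBJ_MAGIC:
        raise ValueError("not a CompObj stream")
    clsid = str(uuid.UUID(bytes_le=data[12:28]))  # bytes 8-11 are a reserved 0xFFFFFFFF
    user_type, pos = read_ansi_string(data, 28)
    clip_fmt, pos = read_ansi_string(data, pos)
    prog_id, pos = read_ansi_string(data, pos)    # documented as reserved; Word stores the ProgID
    marker_ok = struct.unpack_from("<I", data, pos)[0] == UNICODE_MARKER
    return {"version": version, "clsid": clsid, "user_type": user_type,
            "clipboard_format": clip_fmt, "prog_id": prog_id,
            "created_by_word97": clsid == WORD_97_CLSID, "unicode_marker_ok": marker_ok}
```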
Appendices
1.1 – Copy of Actual Letter from Jacobs to Jungle
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Jimmy:
Dude, your pot must be the best – it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.
These kids, they tell me marijuana isn’t addictive, but they don’t stop buying from me. Man, I’m sure glad you told me about targeting the high school students. You must have some experience. It’s like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I’m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!
I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive. Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.
Thanks,
Joe
1.2 – Copied data from spreadsheet detailing Jacobs' dealing activity
Month | DAY           | HIGH SCHOOLS
2002  |               |
April | Monday (1)    | Smith Hill High School (A)
      | Tuesday (2)   | Key High School (B)
      | Wednesday (3) | Leetch High School (C)
      | Thursday (4)  | Birard High School (D)
      | Friday (5)    | Richter High School (E)
      | Monday (1)    | Hull High School (F)
      | Tuesday (2)   | Smith Hill High School (A)
      | Wednesday (3) | Key High School (B)
      | Thursday (4)  | Leetch High School (C)
      | Friday (5)    | Birard High School (D)
      | Monday (1)    | Richter High School (E)
      | Tuesday (2)   | Hull High School (F)
      | Wednesday (3) | Smith Hill High School (A)
      | Thursday (4)  | Key High School (B)
      | Friday (5)    | Leetch High School (C)
      | Monday (1)    | Birard High School (D)
      | Tuesday (2)   | Richter High School (E)
      | Wednesday (3) | Hull High School (F)
      | Thursday (4)  | Smith Hill High School (A)
      | Friday (5)    | Key High School (B)
      | Monday (1)    | Leetch High School (C)
      | Tuesday (2)   | Birard High School (D)
May   | Wednesday (3) | Richter High School (E)
      | Thursday (4)  | Hull High School (F)
      | Friday (5)    | Smith Hill High School (A)
      | Monday (1)    | Key High School (B)
      | Tuesday (2)   | Leetch High School (C)
      | Wednesday (3) | Birard High School (D)
      | Thursday (4)  | Richter High School (E)
      | Friday (5)    | Hull High School (F)
      | Monday (1)    | Smith Hill High School (A)
      | Tuesday (2)   | Key High School (B)
      | Wednesday (3) | Leetch High School (C)
      | Thursday (4)  | Birard High School (D)
      | Friday (5)    | Richter High School (E)
      | Monday (1)    | Hull High School (F)
      | Tuesday (2)   | Smith Hill High School (A)
      | Wednesday (3) | Key High School (B)
      | Thursday (4)  | Leetch High School (C)
      | Friday (5)    | Birard High School (D)
      | Monday (1)    | Richter High School (E)
      | Tuesday (2)   | Hull High School (F)
      | Wednesday (3) | Smith Hill High School (A)
      | Thursday (4)  | Key High School (B)
      | Friday (5)    | Leetch High School (C)
June  | Monday (1)    | Birard High School (D)
      | Tuesday (2)   | Richter High School (E)
      | Wednesday (3) | Hull High School (F)
      | Thursday (4)  | Smith Hill High School (A)
      | Friday (5)    | Key High School (B)
      | Monday (1)    | Leetch High School (C)
      | Tuesday (2)   | Birard High School (D)
      | Wednesday (3) | Richter High School (E)
      | Thursday (4)  | Hull High School (F)
      | Friday (5)    | Smith Hill High School (A)
      | Monday (1)    | Key High School (B)
      | Tuesday (2)   | Leetch High School (C)
      | Wednesday (3) | Birard High School (D)
      | Thursday (4)  | Richter High School (E)
      | Friday (5)    | Hull High School (F)
      | Monday (1)    | Smith Hill High School (A)
      | Tuesday (2)   | Key High School (B)
      | Wednesday (3) | Leetch High School (C)
      | Thursday (4)  | Birard High School (D)
      | Friday (5)    | Richter High School (E)