Answer to Scan 24 Honeypot challenge
Prepared by Chan Chun Fai, Ricci Ieong and Vincent Ip
This honeypot challenge is a simulation of a standalone forensics investigation case. In this case, a computer was used as an instrument to assist the criminals in committing the crime. A floppy disk discovered at the crime scene was believed to contain information related to the crime.
The floppy disk was seized and submitted for investigation. It is the only medium seized from the suspect Joe Jacobs' house. The police would like to search thoroughly for evidence related to the illegal drug business.
In this case, the seized medium was found to hold relevant information. By recovering and investigating the content of the floppy disk, we found that Joe Jacobs appears to have sold drugs to high schools (such as Key High School, Leetch High School, etc.). In addition, we believe that Joe Jacobs' supplier/producer of marijuana is Jimmy Jungle. All this evidence was recovered and identified from the given floppy disk image.
In conclusion, we believe that the floppy disk could be submitted to the police and that the evidence identified could help the police prosecute the suspect.
§ BinText (Foundstone, www.foundstone.com)
§ Chkdsk (MS Windows)
§ dd (Linux Red Hat 7.1) or rawrite (MS Windows)
§ Encase (Guidance Software, www.guidancesoftware.com)
§ MS Paint (MS Windows)
§ MS Word (MS Office)
§ MS Excel (MS Office)
§ Sig
§ md5sum
§ UltraEdit (UltraEdit, www.ultraedit.com)
§ WinHex (X-Ways software technology AG, www.sf-soft.de)
§ Zip (WinZip)
After downloading image.zip from the honeypot challenge web page, we immediately verified the MD5 checksum of image.zip against the value on the Honeynet web page.
C:\>md5sum image.zip
b676147f63923e1f428131d59b1d6a72 *image.zip
In the preliminary information-gathering step, we assumed that meaningful information could be found in plaintext. Therefore, we performed a string search on the image file directly using BinText, as shown in Figure 1.
Figure 1: The content of a letter found in the image by using the BinText program
Among the collected strings, we identified meaningful text and strings such as pw=goodtimes (as shown in Figure 2). In a later step, goodtimes was confirmed to be the password of another file.
Figure 2: pw=goodtimes was found in the image using BinText.
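To show the two checks of this step in script form, here is an added Python example (not part of the original report or of the tools it lists) that verifies an image's MD5 against the published value and runs a BinText-style string search for printable ASCII and UTF-16LE runs, then filters for password-like assignments such as pw=goodtimes. The bytes it scans are a constructed stand-in for the disk image, labelled as such in the code; the published MD5 is the value quoted above, so on the stand-in the verification correctly fails.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a disk image: format filler bytes (0xF6) around an ASCII
# letter fragment, a UTF-16LE string (the way Word/Excel store text) and the pw= hint.
# This is NOT the challenge image; it only lets the code run offline.
SAMPLE_IMAGE = (
    b"\xf6" * 32
    + b"Jimmy Jungle\r\n626 Jungle Ave Apt 2\r\n"
    + b"\x00" * 7
    + "Schedule Visit".encode("utf-16-le")
    + b"\x00" * 5
    + b"pw=goodtimes"
    + b"\xf6" * 16
)

# MD5 published on the page for image.zip; the sample above is of course not that file.
EXPECTED_MD5 = "b676147f63923e1f428131d59b1d6a72"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_md5(data: bytes, expected: str) -> bool:
    """True only if the data hashes to the published value (case-insensitive)."""
    return hmac.compare_digest(md5_hex(data), expected.lower())


def find_strings(data: bytes, min_len: int = 4):
    """BinText-style search: printable ASCII runs and UTF-16LE runs, with byte offsets."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # order by offset so the listing follows the image layout
    return found


def find_password_hints(data: bytes):
    """Strings that look like a password assignment, e.g. 'pw=goodtimes'."""
    hint = re.compile(r"\b(?:pw|pass(?:word)?)\s*[=:]", re.IGNORECASE)
    return [(off, text) for off, _enc, text in find_strings(data) if hint.search(text)]


if __name__ == "__main__":
    print("MD5 matches published value:", verify_md5(SAMPLE_IMAGE, EXPECTED_MD5))
    for off, enc, text in find_strings(SAMPLE_IMAGE):
        print(f"0x{off:06X} {enc:8} {text}")
    print("password hints:", find_password_hints(SAMPLE_IMAGE))
```

Searching UTF-16LE as well as ASCII matters on a disk holding Office documents: a name that Word stored as wide characters never shows up in an ASCII-only search.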
We formatted a floppy disk and checked it with chkdsk to ensure the disk was clean, without bad sectors and free from residual data.
C:\>format A:
C:\>chkdsk /f /r A:
Then we copied the image to the prepared floppy disk using rawrite, and used dd to verify the reproduced disk image.
C:\>rawrite -f image -d a: -n
# dd if=image of=/dev/fd0
Then we set the floppy disk to write-protected mode to prevent any modification to the data on the floppy disk.
We examined the floppy disk by listing the content of the disk using dir.
C:\>dir /t:W /-w a:\
Volume in drive A has no label.
Volume Serial Number is C4B1-CDCF
Directory of a:\
11/09/2002 08:30 15,585 cover page.jpgc
24/05/2002 08:20 1,000 SCHEDU~1.EXE
2 File(s) 16,585 bytes
0 Dir(s) 1,439,232 bytes free
C:\>dir /t:A /-w a:\
Volume in drive A has no label.
Volume Serial Number is C4B1-CDCF
Directory of a:\
11/09/2002 00:00 15,585 cover page.jpgc
11/09/2002 00:00 1,000 SCHEDU~1.EXE
2 File(s) 16,585 bytes
0 Dir(s) 1,439,232 bytes free
C:\>dir /t:C /-w a:\
Volume in drive A has no label.
Volume Serial Number is C4B1-CDCF
Directory of a:\
11/09/2002 08:50 15,585 cover page.jpgc
11/09/2002 08:50 1,000 SCHEDU~1.EXE
2 File(s) 16,585 bytes
0 Dir(s) 1,439,232 bytes free
By further examining the content of the floppy disk, we found that cover page.jpgc cannot be viewed with a JPEG viewer. The file name cover page.jpgc contains characters that do not comply with the Microsoft FAT naming rules, so the file cannot be accessed directly through the FAT file system.
The directory listing did not show the document containing the text identified in the previous step. We suspected that the file had been deleted or misplaced, with its residual data still on the disk.
We examined the content of floppy disk with Encase and WinHex separately.
With these two investigation tools, we had the following findings:
1. Only the first 3% of the disk content contained relevant data: only offsets 0x0000 to 0xD9FF were occupied; offsets 0xDA00 to 0x167DFF were entirely filled with 0xF6 (the fill pattern that the DOS format command writes to fresh sectors); and offsets 0x167E00 to 0x167FFF were filled with 0x00.
2. Following the boot sector, primary FAT, secondary FAT and root directory, the unallocated disk space was found to contain the content of the deleted letter. Encase identified the name of the deleted file as Jimmy Jungle.doc.
3. After that, an unlinked cluster chain was found; this is cover page.jpg.
4. Finally, Schedule Visit.exe was found.
5. No other meaningful data was found beyond the disk location of Schedule Visit.exe.
Figure 3: WinHex view of the unlinked clusters that contain cover page.jpg
Figure 4: Encase view of the entire disk content, showing each file and its physical location on the disk.
With this information, we started to recover the file content from the floppy disk. The following steps were performed:
1. The unlinked clusters of the cover page JPEG file were linked again using chkdsk.
2. Encase was used to undelete the Jimmy Jungle.doc file from the floppy disk.
3. The file types were verified by matching each file header against known header signatures with the Sig program. Through this verification, the schedu~1.exe file was identified as a Zip file.
4. schedu~1.exe was renamed to Schedule Visit.zip.
5. We opened the Excel file Schedule Visit.xls extracted from the archive. The Excel file was protected with a password, and we recalled that we had obtained the string pw=goodtimes during the string search. We reckoned that pw stands for password, tried to unlock the Excel file with the password goodtimes, and it worked.
We examined the content of the files to find evidence of illegal drug selling for the police:
1. In Coverpage.jpg, we found that Jimmy Jungle is the pot grower, smoker and seller of the drug for September.
2. From Jimmy Jungle.doc, we identified the address of Jimmy Jungle.
3. From Schedule Visit.xls, we collected the names and high school names listed in the worksheet. The names might be related to the drug sellers and smokers.
4. Therefore, we believe that Schedule Visit.xls, Jimmy Jungle.doc and coverpage.jpg are the crucial evidence on the collected floppy disk.
The recovered files (Jimmy Jungle.doc, Schedule Visit.xls and coverpage.jpg) are presented in the attached zip file.
During the investigation, we identified eight components on the floppy disk: Boot Sector, Primary FAT, Secondary FAT, Disk Directory, Jimmy Jungle.doc, coverpage.jpg, Schedule Visit.exe and unallocated clusters. They were arranged on the floppy disk in the following order:
Boot Sectors
Primary FAT
Secondary FAT
Disk Directory
Jimmy Jungle.doc (deleted)
Coverpage.jpg (unconnected clusters)
Schedule Visit.exe
Unallocated clusters
By further investigating the MAC (Modified, Accessed and Created) times of the files, we built the timeline of the three files, listed below:
File Name          | Last Accessed | Last Written        | File Created
Coverpage.jpg      | 09/11/02      | 09/11/02 08:30:52am | 09/11/02 08:50:26am
Jimmy Jungle.doc   | 09/11/02      | 04/15/02 02:42:30pm | 09/11/02 08:49:48am
Schedule Visit.exe | 09/11/02      | 05/24/02 08:20:32am | 09/11/02 08:50:38am
Combining this information, we concluded the following scenario:
1. The suspect created Jimmy Jungle.doc, Schedule Visit.zip and Coverpage.jpg. These files were not created directly on the floppy disk, because their creation time is later than their last written time. The explanation is that these files were copied from another source to the floppy disk.
2. Before the files were copied to the floppy disk, Schedule Visit.zip was renamed to Schedule Visit.exe.
3. After these files were created, the suspect copied Jimmy Jungle.doc to the disk at 09/11/02 08:49:48am.
4. Coverpage.jpg was then copied to the disk at 09/11/02 08:50:26am.
5. Schedule Visit.exe was then copied to the disk at 09/11/02 08:50:38am.
6. Afterwards, Jimmy Jungle.doc was deleted.
7. The starting address of coverpage.jpg in the disk directory was modified.
8. None of the files was accessed after it was created; therefore, the last access time was 00:00:00 (a FAT directory entry stores only a date, not a time, for last access).
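The timeline and the "copied, not created here" argument rest on the three timestamps that a FAT directory entry carries. The added Python example below (not part of the original report) parses 32-byte FAT12 short-name directory entries, decodes the packed DOS date and time fields, recognises deleted entries by the 0xE5 marker (which is why the first character of a deleted name is lost), and applies the same created-later-than-written test. The directory region it parses is constructed from the timestamps in the table above; the 8.3 names, start clusters and the size of the .doc file are assumptions, as marked in the code.

```python
import struct
from datetime import date, datetime

ENTRY_SIZE = 32
ATTR_ARCHIVE = 0x20
ATTR_LFN = 0x0F          # long-file-name entries carry this attribute value
DELETED_MARK = 0xE5      # first name byte of a deleted entry
# name(11) attr ntres ctime_tenth ctime cdate adate clus_hi wtime wdate clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"


def encode_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)   # 2-second resolution


def decode_date(v):
    if v == 0:
        return None
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)


def decode_datetime(dv, tv):
    d = decode_date(dv)
    if d is None:
        return None
    return datetime(d.year, d.month, d.day, tv >> 11, (tv >> 5) & 0x3F, (tv & 0x1F) * 2)


def make_entry(name83, created, accessed, written, start_cluster, size, deleted=False):
    """Build one 32-byte short-name entry (fixture helper; name83 is 'NAME    EXT')."""
    name = name83.encode("ascii").ljust(11)
    if deleted:
        name = bytes([DELETED_MARK]) + name[1:]
    return struct.pack(ENTRY_FMT, name, ATTR_ARCHIVE, 0, 0,
                       encode_time(created), encode_date(created), encode_date(accessed), 0,
                       encode_time(written), encode_date(written), start_cluster, size)


def parse_dir_entries(region):
    """Walk a directory region and return one dict per short-name entry."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:          # no entries beyond this point
            break
        (name, attr, _nt, _tenth, ctime, cdate, adate, hi,
         wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr & ATTR_LFN == ATTR_LFN:   # skip long-name fragments
            continue
        deleted = raw[0] == DELETED_MARK
        base, ext = name[:8], name[8:]
        if deleted:
            base = b"_" + base[1:]   # the real first character is gone
        display = base.decode("ascii", "replace").rstrip()
        if ext.strip():
            display += "." + ext.decode("ascii", "replace").rstrip()
        entries.append({
            "name": display, "deleted": deleted,
            "created": decode_datetime(cdate, ctime),
            "accessed": decode_date(adate),          # date only: FAT keeps no access time
            "written": decode_datetime(wdate, wtime),
            "start_cluster": (hi << 16) | lo, "size": size,
        })
    return entries


def classify_origin(entry):
    """Created after last written means the content existed before it reached this disk."""
    c, w = entry["created"], entry["written"]
    if c and w and c > w:
        return "copied from another source"
    return "created or modified on this disk"


def timeline(entries):
    return [e["name"] for e in sorted(entries, key=lambda e: e["created"])]


# Constructed root-directory region. Timestamps are those reported in the timeline
# above; the 8.3 names, cluster numbers and the .doc size are assumptions.
SAMPLE_DIRECTORY = (
    make_entry("JIMMYJ~1DOC", datetime(2002, 9, 11, 8, 49, 48), date(2002, 9, 11),
               datetime(2002, 4, 15, 14, 42, 30), 2, 20480, deleted=True)
    + make_entry("COVERP~1JPG", datetime(2002, 9, 11, 8, 50, 26), date(2002, 9, 11),
                 datetime(2002, 9, 11, 8, 30, 52), 42, 15585)
    + make_entry("SCHEDU~1EXE", datetime(2002, 9, 11, 8, 50, 38), date(2002, 9, 11),
                 datetime(2002, 5, 24, 8, 20, 32), 73, 1000)
    + b"\x00" * ENTRY_SIZE
)

if __name__ == "__main__":
    for e in parse_dir_entries(SAMPLE_DIRECTORY):
        print(e["name"], "deleted" if e["deleted"] else "", e["created"], e["written"],
              e["accessed"], classify_origin(e))
```

The deleted entry keeps its timestamps, start cluster and size, which is why a tool such as Encase can still name and recover Jimmy Jungle.doc; only the first name byte and the FAT chain are lost when a file is deleted.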
From the content of the Jimmy Jungle.doc MS Word document and the coverpage.jpg picture, we found that Jimmy Jungle should be Joe Jacobs' supplier of marijuana. The address listed for the supplier is:
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Within coverpage.jpg, we found meaningful plaintext (pw=goodtimes) in the slack space of the file. This plaintext (goodtimes) is the password of Schedule Visit.xls inside Schedule Visit.zip.
From Schedule Visit.xls, we found that Joe Jacobs might have frequently visited the following high schools:
Name of the high school    | Frequency
Birard High School (D)     | 11
Hull High School (F)       | 10
Key High School (B)        | 11
Leetch High School (C)     | 11
Richter High School (E)    | 11
Smith Hill High School (A) | 11
The following files were found on the floppy disk:
Jimmy Jungle.doc   | Deleted from the floppy disk
Schedule Visit.zip | Renamed to Schedule Visit.exe
Coverpage.jpg      | Starting address of coverpage.jpg was changed in the disk directory
In this investigation, we used WinHex to examine the entire image and the individual files. We also used BinText and UltraEdit to search for information in the files.
By examining the file headers and content of JPEG files, we observed that JPEG header and content patterns differ, and that the differences depend on the program used to create the JPEG file.
As we were told that coverpage.jpg was created with a Microsoft program, we created various JPEG files using MS Paint, MS Imaging, MS Image Composer, MS GIF Animator and MS Photo Editor. By comparing the JPEG file content (shown in Figure 5), we found that MS Paint should be the program used to create coverpage.jpg.
Extracted file content of the Coverpage.jpg:
0000  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60
0010  00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08
0020  07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12
0030  13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20
0040  22 2C 23 1C 1C 28 37 29 2C 30 31 34 34 34 1F 27
0050  39 3D 38 32 3C 2E 33 34 32 FF DB 00 43 01 09 09
0060  09 0C 0B 0C 18 0D 0D 18 32 21 1C 21 32 32 32 32
0070  32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32
0080  32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32
0090  32 32 32 32 32 32 32 32 32 32 32 32 32 32 FF C0
00A0  00 11 08 00 C7 00 D0 03 01 22 00 02 11 01 03 11
00B0  01 FF C4 00 1F 00 00 01 05 01 01 01 01 01 01 00
00C0  00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09
00D0  0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05
00E0  05 04 04 00 00 01 7D 01 02 03 00 04 11 05 12 21
00F0  31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23
0100  42 B1 C1 15 52 D1 F0 24 33 62 72 82 09 0A 16 17
0110  18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 39 3A
0120  43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A
0130  63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A
0140  83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99
0150  9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7
0160  B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5
0170  D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1
0180  F2 F3 F4 F5 F6 F7 F8 F9 FA FF C4 00 1F 01 00 03
0190  01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01
01A0  02 03 04 05 06 07 08 09 0A 0B FF C4 00 B5 11 00
01B0  02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00
01C0  01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13
01D0  22 32 81 08 14 42 91 A1 B1 C1 09 23 33 52 F0 15
01E0  62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27
01F0  28 29 2A 35 36 37 38 39 3A 43 44 45 46 47 48 49
0200  4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69
0210  6A 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88
0220  89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 A5 A6
0230  A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4
0240  C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7 D8 D9 DA E2
0250  E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9
0260  FA FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 F7
Extracted file content of the new JPEG file created using MS Paint:
0000  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C
0010  01 2C 00 00 FF DB 00 43 00 08 06 06 07 06 05 08
0020  07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12
0030  13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20
0040  22 2C 23 1C 1C 28 37 29 2C 30 31 34 34 34 1F 27
0050  39 3D 38 32 3C 2E 33 34 32 FF DB 00 43 01 09 09
0060  09 0C 0B 0C 18 0D 0D 18 32 21 1C 21 32 32 32 32
0070  32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32
0080  32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32
0090  32 32 32 32 32 32 32 32 32 32 32 32 32 32 FF C0
00A0  00 11 08 01 B0 02 40 03 01 22 00 02 11 01 03 11
00B0  01 FF C4 00 1F 00 00 01 05 01 01 01 01 01 01 00
00C0  00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09
00D0  0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05
00E0  05 04 04 00 00 01 7D 01 02 03 00 04 11 05 12 21
00F0  31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23
0100  42 B1 C1 15 52 D1 F0 24 33 62 72 82 09 0A 16 17
0110  18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 39 3A
0120  43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A
0130  63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A
0140  83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99
0150  9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7
0160  B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5
0170  D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1
0180  F2 F3 F4 F5 F6 F7 F8 F9 FA FF C4 00 1F 01 00 03
0190  01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01
01A0  02 03 04 05 06 07 08 09 0A 0B FF C4 00 B5 11 00
01B0  02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00
01C0  01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13
01D0  22 32 81 08 14 42 91 A1 B1 C1 09 23 33 52 F0 15
01E0  62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27
01F0  28 29 2A 35 36 37 38 39 3A 43 44 45 46 47 48 49
0200  4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69
0210  6A 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88
0220  89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 A5 A6
0230  A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4
0240  C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7 D8 D9 DA E2
0250  E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9
0260  FA FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 F7
Figure 5: Comparison of the first portion of coverpage.jpg with a file generated using MS Paint.
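The signature check in step 3 of the recovery and the JPEG header comparison of Figure 5 are both byte-level inspections that are easy to script. The following added Python example (not the authors' code, nor the Sig tool) identifies a file by its magic bytes regardless of its extension, walks the JPEG marker segments, decodes the JFIF APP0 density fields and the SOF0 frame size, and reports which segments differ between two headers. The two headers it compares are constructed from the values visible in Figure 5 (the APP0 fields, the first quantisation table and the SOF0 frame header), with the Huffman tables omitted; the renamed-zip sample is likewise constructed.

```python
import struct

# Magic numbers relevant to this case: the JPEG, the Zip that was renamed to .exe,
# the OLE2 container used by Word/Excel 97-2003 files, and a real DOS/Windows executable.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2 (MS Office 97-2003)"),
    (b"MZ", "dos/windows executable"),
]
MARKER_NAMES = {0xE0: "APP0", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

# First quantisation table exactly as it appears in both dumps of Figure 5
# (the 64 bytes after "FF DB 00 43 00").
LUMA_DQT = bytes.fromhex(
    "08060607060508" "0707070909080A0C140D0C0B0B0C1912"
    "130F141D1A1F1E1D1A1C1C20242E2720" "222C231C1C2837292C30313434341F27"
    "393D38323C2E333432"
)


def identify_by_signature(data):
    """Classify by leading bytes only; the file extension is deliberately ignored."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def segment(marker, payload):
    # A JPEG segment: FF <marker> <2-byte length incl. itself> <payload>
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jfif_header(x_density, y_density, width, height):
    """Constructed SOI+APP0+DQT+SOF0+SOS prefix laid out like Figure 5 (DHT omitted)."""
    app0 = b"JFIF\x00" + struct.pack(">BBBHHBB", 1, 1, 1, x_density, y_density, 0, 0)
    dqt = b"\x00" + LUMA_DQT
    sof0 = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sos = b"\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00"
    return (b"\xFF\xD8" + segment(0xE0, app0) + segment(0xDB, dqt)
            + segment(0xC0, sof0) + segment(0xDA, sos) + b"\xF7")


def walk_segments(data):
    """Return [(marker, payload), ...] up to and including the SOS header."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("no SOI marker: not a JPEG")
    pos, segs = 2, []
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        if marker == 0xDA:          # entropy-coded image data follows; stop here
            break
        pos += 2 + length
    return segs


def parse_jfif_app0(payload):
    if payload[:5] != b"JFIF\x00":
        raise ValueError("APP0 is not a JFIF segment")
    major, minor, units, xd, yd, _tw, _th = struct.unpack(">BBBHHBB", payload[5:14])
    unit_name = {0: "aspect ratio", 1: "dpi", 2: "dpcm"}.get(units, "unknown")
    return {"version": f"{major}.{minor:02d}", "units": unit_name,
            "x_density": xd, "y_density": yd}


def describe(data):
    """Summarise the fields an examiner compares first: type, density, pixel size."""
    info = {"type": identify_by_signature(data)}
    for marker, payload in walk_segments(data):
        if marker == 0xE0:
            info.update(parse_jfif_app0(payload))
        elif marker == 0xC0:
            _precision, h, w, _ncomp = struct.unpack(">BHHB", payload[:6])
            info["width"], info["height"] = w, h
    return info


def differing_segments(a, b):
    """Names of segments whose payloads differ, compared position by position."""
    diffs = []
    for (ma, pa), (mb, pb) in zip(walk_segments(a), walk_segments(b)):
        if ma != mb or pa != pb:
            diffs.append(MARKER_NAMES.get(ma, f"0x{ma:02X}"))
    return diffs


# Constructed stand-ins built from the values visible in Figure 5.
COVERPAGE_HEADER = build_jfif_header(96, 96, width=0xD0, height=0xC7)
MSPAINT_HEADER = build_jfif_header(300, 300, width=0x240, height=0x1B0)
# Constructed: a zip local-file header, as would sit at the start of "SCHEDU~1.EXE".
RENAMED_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24

if __name__ == "__main__":
    print("SCHEDU~1.EXE really is:", identify_by_signature(RENAMED_ZIP))
    print("coverpage:", describe(COVERPAGE_HEADER))
    print("MS Paint :", describe(MSPAINT_HEADER))
    print("segments that differ:", differing_segments(COVERPAGE_HEADER, MSPAINT_HEADER))
```

On the Figure 5 values the comparison reports APP0 and SOF0 as the differing segments (96 dpi against 300 dpi, 208x199 against 576x432 pixels) while the quantisation table is byte-for-byte identical. The quantisation table is the part of the header that reflects the encoder and its quality setting rather than the individual picture, so it is the field to weight most when asking which program wrote a JPEG.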
-- End --