Answer to Scan 24 Honeypot challenge

 

Prepared by Chan Chun Fai, Ricci Ieong and Vincent Ip

1         Summary

This honeypot challenge is a simulation of a standalone forensics investigation case. In this case, a computer was used as an instrument to assist the criminals in committing the crime. A floppy disk discovered at the crime scene was believed to contain information related to the crime.

The floppy disk was seized and submitted for investigation. It is the only media seized from the suspect Joe Jacobs’ house. The police would like to search it thoroughly for evidence related to an illegal drug business.

In this case, the seized media was found to hold relevant information. By recovering and investigating the content of the floppy disk, we discovered that Joe Jacobs had probably been selling drugs to high schools (such as Key High School, Leetch High School, etc.). In addition, we believe that Joe Jacobs’ supplier/producer of marijuana is likely to be Jimmy Jungle. All this evidence was recovered and identified from the given floppy disk image.

In conclusion, we believe that the floppy disk could be submitted to the police and that the evidence identified could help the police prosecute the suspect.

2         Tools

§         BinText (Foundstone, www.foundstone.com)

§         Chkdsk (MS Windows)

§         dd (Linux Red Hat 7.1) or rawrite (MS Windows)

§         Encase (Guidance Software, www.guidancesoftware.com)

§         MS Paint (MS Windows)

§         MS Word (MS Office)

§         MS Excel (MS Office)

§         Sig

§         md5sum

§         UltraEdit (UltraEdit, www.ultraedit.com)

§         WinHex (X-Ways software technology AG, www.sf-soft.de)

§         Zip (WinZip)

 

3         Analysis Methodology

3.1      Verification of the source

After downloading “image.zip” from the honeypot challenge web page, we immediately verified the MD5 checksum of “image.zip” against the value published on the Honeynet web page.

C:\>md5sum image.zip

b676147f63923e1f428131d59b1d6a72 *image.zip

3.2      Preliminary information searching

3.2.1      Keyword Search Phase 1

In the preliminary information searching process, we assumed that meaningful information could be found in plaintext. Therefore, we performed a string search with BinText on the image file directly, as shown in Figure 1.

Figure 1: The content of a letter found in the image by using the BinText program

Among the collected strings, we identified meaningful text and strings such as “pw=goodtimes” (as shown in Figure 2). Later in the process, “goodtimes” was confirmed to be the password of another file.

Figure 2: pw=goodtimes was found in the image using BinText.

3.2.2      Restoring of image

We formatted a floppy disk and checked it with “chkdsk” to ensure that the disk was clean, had no bad sectors and was free from residual data.

C:\>format A:

C:\>chkdsk /f /r A:

 

Then we copied the image to the prepared floppy disk using rawrite and dd, where dd was used to verify the reproduced disk image.

C:\>rawrite -f:image.zip -d a: -n

 

#dd if=image of=/dev/fd0

 

Then we set the floppy disk to write-protected mode to prevent any modification to the data on the floppy disk.

3.2.3      Analyzing the disk

We examined the floppy disk by listing the content of the disk using dir.

C:\>dir /t:W /-w a:\

 Volume in drive A has no label.

 Volume Serial Number is C4B1-CDCF

 

 Directory of a:\

 

11/09/2002  08:30               15,585 cover page.jpgc

24/05/2002  08:20                1,000 SCHEDU~1.EXE

               2 File(s)         16,585 bytes

               0 Dir(s)       1,439,232 bytes free

 

C:\>dir /t:A /-w a:\

 Volume in drive A has no label.

 Volume Serial Number is C4B1-CDCF

 

 Directory of a:\

 

11/09/2002  00:00               15,585 cover page.jpgc

11/09/2002  00:00                1,000 SCHEDU~1.EXE

               2 File(s)         16,585 bytes

               0 Dir(s)       1,439,232 bytes free

 

C:\>dir /t:C /-w a:\

 Volume in drive A has no label.

 Volume Serial Number is C4B1-CDCF

 

 Directory of a:\

 

11/09/2002  08:50               15,585 cover page.jpgc

11/09/2002  08:50                1,000 SCHEDU~1.EXE

               2 File(s)         16,585 bytes

               0 Dir(s)       1,439,232 bytes free

 

By further examining the content of the floppy disk, we found that “cover page.jpgc” could not be viewed with a JPEG viewer. The file name “cover page.jpgc” contains special characters and does not comply with the Microsoft FAT naming format, so the file cannot be accessed directly through the FAT file system.

The directory listing did not show the document containing the text identified in the previous step. We suspected that the file had been deleted or misplaced, with its residual data still on the disk.

3.3      Further investigation

We examined the content of floppy disk with Encase and WinHex separately.

With these two investigation tools, we had the following findings:

1.      Only the first 3% of the disk content contained relevant data: only the area from offset 0x0000 to 0xD9FF was occupied; the area from 0xDA00 to 0x167DFF was entirely filled with 0xF6, and the area from 0x167E00 to 0x167FFF was filled with 0x00.

2.      Following the boot sector, primary FAT, secondary FAT and directory entries, the unallocated disk space was found to contain the content of the deleted letter. Encase identified the name of the deleted file as “Jimmy Jungle.doc”.

3.      An unlinked region was found next; this is “cover page.jpg”.

4.      Finally, “Schedule Visit.exe” was found.

5.      No other meaningful data was found beyond the disk location of “Schedule Visit.exe”.

Figure 3: WinHex view of the unlinked clusters which contains the cover page.jpg

Figure 4: Encase view of the entire disk content which shows the file and the disk content physical location.

3.3.1      Recovering the data content

With the information obtained, we started to recover the file content from the floppy disk. The following steps were performed:

1.      The unlinked clusters of the “cover page.jpg” file were linked again using chkdsk.

2.      Encase was used to undelete the “Jimmy Jungle.doc” file from the floppy disk.

3.      The file types were verified by matching the file headers against known header signatures with the Sig program. Through this verification, the schedu~1.exe file was identified as a Zip file.

4.      “schedu~1.exe” was renamed to “Schedule Visit.zip”.

5.      The Excel file “Schedule Visit.xls” from the archive was opened. We found that the Excel file was password-protected and recalled the string “pw=goodtimes” obtained during the string search. We reckoned that “pw” stands for “password”, tried to unlock the Excel file with the password “goodtimes”, and it worked.

3.3.2      File content examination

We examined the content of the files to discover evidence of illegal drug selling for the police:

1.      In “Coverpage.jpg”, we found that Jimmy Jungle is the pot grower, smoker and seller of the drug for September.

2.      From “Jimmy Jungle.doc”, we identified the address of Jimmy Jungle.

3.      From “Schedule Visit.xls”, we collected the names and high school names listed in the worksheet. The names might be related to the drug sellers and smokers.

4.      Therefore, we believe that “Schedule Visit.xls”, “Jimmy Jungle.doc” and “coverpage.jpg” are the crucial evidence on the seized floppy disk.

 

Recovered files (Jimmy Jungle.doc, Schedule Visit.xls and coverpage.jpg) are presented in the attached zip file.

3.4      Timeline investigation

During the investigation process, we identified eight components on the floppy disk: Boot Sector, Primary FAT, Secondary FAT, Disk Directory, Jimmy Jungle.doc, coverpage.jpg, Schedule Visit.exe and Unallocated clusters. They were arranged on the floppy disk in the following order:

 

Boot Sectors

Primary FAT

Secondary FAT

Disk Directory

Jimmy Jungle.doc (deleted)

Coverpage.jpg (unconnected clusters)

Schedule Visit.exe

Unallocated clusters

 

By further investigating the MAC (Modified, Accessed and Created time) information of the files, we obtained the timeline of the three files. The timeline is listed below:

 

File Name            Last Accessed          Last Written           File Created

Coverpage.jpg        09/11/02 00:00:00am    09/11/02 08:30:52am    09/11/02 08:50:26am

Jimmy Jungle.doc     09/11/02 00:00:00am    04/15/02 02:42:30pm    09/11/02 08:49:48am

Schedule Visit.exe   09/11/02 00:00:00am    05/24/02 08:20:32am    09/11/02 08:50:38am

 

Compiling this information, we concluded the following scenario:

1.      The suspect created “Jimmy Jungle.doc”, “Schedule Visit.zip” and “Coverpage.jpg”. These files were not created directly on the floppy disk, because their creation time was later than their last written time. The explanation is that the files were copied to the floppy disk from another source.

2.      Before the files were copied to the floppy disk, “Schedule Visit.zip” was renamed to “Schedule Visit.exe”.

3.      After these files were created, the suspect copied “Jimmy Jungle.doc” to the disk at 09/11/02, 08:49:48am.

4.      “Coverpage.jpg” was then copied to the disk at 09/11/02, 08:50:26am.

5.      “Schedule Visit.exe” was then copied to the disk at 09/11/02, 08:50:38am.

6.      Afterwards, “Jimmy Jungle.doc” was deleted.

7.      The starting address of “coverpage.jpg” in the disk directory was modified.

8.      None of the files was accessed after it was created; therefore, the last access time was 00:00:00.
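As an added illustration that is not part of the original report, the following Python decodes a FAT12/FAT16 directory entry (the structure that holds the MAC stamps and the starting cluster discussed above) and applies the created-later-than-written rule from this section. The two sample entries are constructed from the timeline table and the dir listing; the cover page's short name and the cluster numbers are assumptions.

```python
import struct
from datetime import date, datetime, time

def fat_date(raw: int) -> date:
    """FAT packs a date as 7 bits of year since 1980, 4 of month, 5 of day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw: int) -> time:
    """FAT packs a time as 5 bits of hour, 6 of minute, 5 of 2-second units."""
    return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)

def decode_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT12/FAT16 short-name directory entry."""
    (name, _attr, _nt, _ctenth, ctime, cdate, adate, _hi, wtime, wdate,
     cluster, size) = struct.unpack("<11sBBBHHHHHHHI", entry)
    base, ext = name[:8].decode("latin-1").rstrip(), name[8:].decode("latin-1").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": entry[0] == 0xE5,    # first name byte is overwritten on delete
        "created": datetime.combine(fat_date(cdate), fat_time(ctime)),
        # the entry stores only a DATE for last access, which is why listings show 00:00:00
        "accessed": fat_date(adate),
        "written": datetime.combine(fat_date(wdate), fat_time(wtime)),
        "first_cluster": cluster,       # the field that was changed for cover page.jpg
        "size": size,
    }

def copied_onto_disk(e: dict) -> bool:
    """Section 3.4's rule: a creation stamp later than the last-write stamp
    means the file was copied onto this disk rather than authored on it."""
    return e["created"] > e["written"]

def make_entry(name: str, ext: str, created: datetime, accessed: date,
               written: datetime, cluster: int, size: int) -> bytes:
    """Inverse of decode_dir_entry; used only to build the constructed samples."""
    d = lambda x: ((x.year - 1980) << 9) | (x.month << 5) | x.day
    t = lambda x: (x.hour << 11) | (x.minute << 5) | (x.second // 2)
    return struct.pack("<11sBBBHHHHHHHI", f"{name:<8}{ext:<3}".encode(), 0x20, 0, 0,
                       t(created), d(created), d(accessed), 0,
                       t(written), d(written), cluster, size)

# Constructed from the timeline table and dir listing; cluster numbers are assumed.
SCHEDULE_ENTRY = make_entry("SCHEDU~1", "EXE", datetime(2002, 9, 11, 8, 50, 38),
                            date(2002, 9, 11), datetime(2002, 5, 24, 8, 20, 32), 40, 1000)
COVERPAGE_ENTRY = make_entry("COVERP~1", "JPG", datetime(2002, 9, 11, 8, 50, 26),
                             date(2002, 9, 11), datetime(2002, 9, 11, 8, 30, 52), 9, 15585)
```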

 

4         Answers to the Questions

 

4.1      Question 1:

From the content of the Jimmy Jungle.doc MS Word document and the coverpage.jpg picture, we found that Jimmy Jungle is likely to be Joe Jacobs’ supplier of marijuana. The supplier’s address is identified as

 

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

4.2      Question 2:

Within the content of coverpage.jpg, we found meaningful plaintext (pw=goodtimes) in the slack space of coverpage.jpg. This plaintext (goodtimes) is the password of “Schedule Visit.xls” inside “Schedule Visit.zip”.

4.3      Question 3:

From “Schedule Visit.xls”, we found that Joe Jacobs might have frequently visited the following high schools:

 

Name of the high school       Frequency

Birard High School (D)        11

Hull High School (F)          10

Key High School (B)           11

Leetch High School (C)        11

Richter High School (E)       11

Smith Hill High School (A)    11

 

4.4      Question 4:

The following files were found on the floppy disk:

Jimmy Jungle.doc       Deleted from the floppy disk

Schedule Visit.zip     Renamed to Schedule Visit.exe

Coverpage.jpg          Starting address of coverpage.jpg was changed in the disk directory

 

4.5      Question 5:

In this investigation process, we used WinHex to examine the entire image and the individual files. We also used BinText and UltraEdit to search for information in the files.

 

4.6      Bonus Question:

By examining the file header and content of JPEG files, we observed that JPEG header and content patterns differ, and that the differences depend on the program used to create the JPEG file.

As we were told that coverpage.jpg was created with a Microsoft program, we created JPEG files using MS Paint, MS Imaging, MS Image Composer, MS GIF Animator and MS Photo Editor. By comparing the JPEG file content (shown in Figure 5), we concluded that MS Paint was probably the program used to create coverpage.jpg.


 

Extracted file content of the Coverpage.jpg (first dump) and of the new JPEG file created using MS Paint (second dump):

FF D8 FF E0 00 10 4A 46  49 46 00 01 01 01 00 60   ’Ų’ą..JFIF.....`

00 60 00 00 FF DB 00 43  00 08 06 06 07 06 05 08   .`..’Ū.C........

07 07 07 09 09 08 0A 0C  14 0D 0C 0B 0B 0C 19 12   ................

13 0F 14 1D 1A 1F 1E 1D  1A 1C 1C 20 24 2E 27 20   ........... $.'

22 2C 23 1C 1C 28 37 29  2C 30 31 34 34 34 1F 27   ",#..(7),01444.'

39 3D 38 32 3C 2E 33 34  32 FF DB 00 43 01 09 09   9=82<.342’Ū.C...

09 0C 0B 0C 18 0D 0D 18  32 21 1C 21 32 32 32 32   ........2!.!2222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32   2222222222222222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32   2222222222222222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 FF C0   22222222222222’Ą

00 11 08 00 C7 00 D0 03  01 22 00 02 11 01 03 11   ....Ē.Š.."......

01 FF C4 00 1F 00 00 01  05 01 01 01 01 01 01 00   .’Ä.............

00 00 00 00 00 00 00 01  02 03 04 05 06 07 08 09   ................

0A 0B FF C4 00 B5 10 00  02 01 03 03 02 04 03 05   ..’Ä.µ..........

05 04 04 00 00 01 7D 01  02 03 00 04 11 05 12 21   ......}........!

31 41 06 13 51 61 07 22  71 14 32 81 91 A1 08 23   1A..Qa."q.2‘”.#

42 B1 C1 15 52 D1 F0 24  33 62 72 82 09 0A 16 17   B±Į.RŃš$3br‚....

18 19 1A 25 26 27 28 29  2A 34 35 36 37 38 39 3A   ...%&'()*456789:

43 44 45 46 47 48 49 4A  53 54 55 56 57 58 59 5A   CDEFGHIJSTUVWXYZ

63 64 65 66 67 68 69 6A  73 74 75 76 77 78 79 7A   cdefghijstuvwxyz

83 84 85 86 87 88 89 8A  92 93 94 95 96 97 98 99   ƒ„…†‡ˆ‰Š’“”•–—˜™

9A A2 A3 A4 A5 A6 A7 A8  A9 AA B2 B3 B4 B5 B6 B7   𢣤„¦§Ø©Ŗ²³“µ¶·

B8 B9 BA C2 C3 C4 C5 C6  C7 C8 C9 CA D2 D3 D4 D5   ø¹ŗĀĆÄÅĘĒČÉŹŅÓŌÕ

D6 D7 D8 D9 DA E1 E2 E3  E4 E5 E6 E7 E8 E9 EA F1   Ö×ŲŁŚįāćäåęēčéźń

F2 F3 F4 F5 F6 F7 F8 F9  FA FF C4 00 1F 01 00 03   ņóōõö÷ųłś’Ä.....

01 01 01 01 01 01 01 01  01 00 00 00 00 00 00 01   ................

02 03 04 05 06 07 08 09  0A 0B FF C4 00 B5 11 00   ..........’Ä.µ..

02 01 02 04 04 03 04 07  05 04 04 00 01 02 77 00   ..............w.

01 02 03 11 04 05 21 31  06 12 41 51 07 61 71 13   ......!1..AQ.aq.

22 32 81 08 14 42 91 A1  B1 C1 09 23 33 52 F0 15   "2..B‘”±Į.#3Rš.

62 72 D1 0A 16 24 34 E1  25 F1 17 18 19 1A 26 27   brŃ..$4į%ń....&'

28 29 2A 35 36 37 38 39  3A 43 44 45 46 47 48 49   ()*56789:CDEFGHI

4A 53 54 55 56 57 58 59  5A 63 64 65 66 67 68 69   JSTUVWXYZcdefghi

6A 73 74 75 76 77 78 79  7A 82 83 84 85 86 87 88   jstuvwxyz‚ƒ„…†‡ˆ

89 8A 92 93 94 95 96 97  98 99 9A A2 A3 A4 A5 A6   ‰Š’“”•–—˜™š¢£¤„¦

A7 A8 A9 AA B2 B3 B4 B5  B6 B7 B8 B9 BA C2 C3 C4   §Ø©Ŗ²³“µ¶·ø¹ŗĀĆÄ

C5 C6 C7 C8 C9 CA D2 D3  D4 D5 D6 D7 D8 D9 DA E2   ÅĘĒČÉŹŅÓŌÕÖ×ŲŁŚā

E3 E4 E5 E6 E7 E8 E9 EA  F2 F3 F4 F5 F6 F7 F8 F9   ćäåęēčéźņóōõö÷ųł

FA FF DA 00 0C 03 01 00  02 11 03 11 00 3F 00 F7   ś’Ś..........?.÷

Extracted file content of the new JPEG file created using MS Paint:

FF D8 FF E0 00 10 4A 46  49 46 00 01 01 01 01 2C   ’Ų’ą..JFIF.....,

01 2C 00 00 FF DB 00 43  00 08 06 06 07 06 05 08   .,..’Ū.C........

07 07 07 09 09 08 0A 0C  14 0D 0C 0B 0B 0C 19 12   ................

13 0F 14 1D 1A 1F 1E 1D  1A 1C 1C 20 24 2E 27 20   ........... $.'

22 2C 23 1C 1C 28 37 29  2C 30 31 34 34 34 1F 27   ",#..(7),01444.'

39 3D 38 32 3C 2E 33 34  32 FF DB 00 43 01 09 09   9=82<.342’Ū.C...

09 0C 0B 0C 18 0D 0D 18  32 21 1C 21 32 32 32 32   ........2!.!2222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32   2222222222222222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 32 32   2222222222222222

32 32 32 32 32 32 32 32  32 32 32 32 32 32 FF C0   22222222222222’Ą

00 11 08 01 B0 02 40 03  01 22 00 02 11 01 03 11   ....°.@.."......

01 FF C4 00 1F 00 00 01  05 01 01 01 01 01 01 00   .’Ä.............

00 00 00 00 00 00 00 01  02 03 04 05 06 07 08 09   ................

0A 0B FF C4 00 B5 10 00  02 01 03 03 02 04 03 05   ..’Ä.µ..........

05 04 04 00 00 01 7D 01  02 03 00 04 11 05 12 21   ......}........!

31 41 06 13 51 61 07 22  71 14 32 81 91 A1 08 23   1A..Qa."q.2‘”.#

42 B1 C1 15 52 D1 F0 24  33 62 72 82 09 0A 16 17   B±Į.RŃš$3br‚....

18 19 1A 25 26 27 28 29  2A 34 35 36 37 38 39 3A   ...%&'()*456789:

43 44 45 46 47 48 49 4A  53 54 55 56 57 58 59 5A   CDEFGHIJSTUVWXYZ

63 64 65 66 67 68 69 6A  73 74 75 76 77 78 79 7A   cdefghijstuvwxyz

83 84 85 86 87 88 89 8A  92 93 94 95 96 97 98 99   ƒ„…†‡ˆ‰Š’“”•–—˜™

9A A2 A3 A4 A5 A6 A7 A8  A9 AA B2 B3 B4 B5 B6 B7   𢣤„¦§Ø©Ŗ²³“µ¶·

B8 B9 BA C2 C3 C4 C5 C6  C7 C8 C9 CA D2 D3 D4 D5   ø¹ŗĀĆÄÅĘĒČÉŹŅÓŌÕ

D6 D7 D8 D9 DA E1 E2 E3  E4 E5 E6 E7 E8 E9 EA F1   Ö×ŲŁŚįāćäåęēčéźń

F2 F3 F4 F5 F6 F7 F8 F9  FA FF C4 00 1F 01 00 03   ņóōõö÷ųłś’Ä.....

01 01 01 01 01 01 01 01  01 00 00 00 00 00 00 01   ................

02 03 04 05 06 07 08 09  0A 0B FF C4 00 B5 11 00   ..........’Ä.µ..

02 01 02 04 04 03 04 07  05 04 04 00 01 02 77 00   ..............w.

01 02 03 11 04 05 21 31  06 12 41 51 07 61 71 13   ......!1..AQ.aq.

22 32 81 08 14 42 91 A1  B1 C1 09 23 33 52 F0 15   "2..B‘”±Į.#3Rš.

62 72 D1 0A 16 24 34 E1  25 F1 17 18 19 1A 26 27   brŃ..$4į%ń....&'

28 29 2A 35 36 37 38 39  3A 43 44 45 46 47 48 49   ()*56789:CDEFGHI

4A 53 54 55 56 57 58 59  5A 63 64 65 66 67 68 69   JSTUVWXYZcdefghi

6A 73 74 75 76 77 78 79  7A 82 83 84 85 86 87 88   jstuvwxyz‚ƒ„…†‡ˆ

89 8A 92 93 94 95 96 97  98 99 9A A2 A3 A4 A5 A6   ‰Š’“”•–—˜™š¢£¤„¦

A7 A8 A9 AA B2 B3 B4 B5  B6 B7 B8 B9 BA C2 C3 C4   §Ø©Ŗ²³“µ¶·ø¹ŗĀĆÄ

C5 C6 C7 C8 C9 CA D2 D3  D4 D5 D6 D7 D8 D9 DA E2   ÅĘĒČÉŹŅÓŌÕÖ×ŲŁŚā

E3 E4 E5 E6 E7 E8 E9 EA  F2 F3 F4 F5 F6 F7 F8 F9   ćäåęēčéźņóōõö÷ųł

FA FF DA 00 0C 03 01 00  02 11 03 11 00 3F 00 F7   ś’Ś..........?.÷

Figure 5: File content comparison of the first portion of coverpage.jpg and the file generated using MS Paint.
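As an added illustration (not part of the original report), the following Python parser walks the JPEG marker segments and extracts the JFIF APP0 density block and the SOF0 frame header, which are the fields in which the two dumps of Figure 5 differ. The sample headers are constructed from the SOI, APP0 and SOF0 bytes shown in Figure 5, with the DQT and DHT segments between them left out.

```python
import struct

# Constructed sample headers: the SOI, APP0 and SOF0 bytes are copied from the
# two dumps in Figure 5; the DQT/DHT segments between them are omitted.
COVERPAGE_HDR = bytes.fromhex(
    "FFD8 FFE0 0010 4A464946 00 0101 01 0060 0060 0000"   # JFIF 1.01, 96x96 dpi
    "FFC0 0011 08 00C7 00D0 03 012200 021101 031101"      # SOF0, 208x199 px
)
MSPAINT_HDR = bytes.fromhex(
    "FFD8 FFE0 0010 4A464946 00 0101 01 012C 012C 0000"   # JFIF 1.01, 300x300 dpi
    "FFC0 0011 08 01B0 0240 03 012200 021101 031101"      # SOF0, 576x432 px
)

UNITS = {0: "aspect-ratio", 1: "dpi", 2: "dots/cm"}

def parse_jpeg_header(data: bytes) -> dict:
    """Walk the marker segments up to SOS and return the JFIF APP0 density
    fields and the SOF0 frame header, the parts that vary between encoders."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    info, pos = {}, 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI / SOS: header section is over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + length]    # length counts its own two bytes
        if marker == 0xE0 and seg[:5] == b"JFIF\x00":
            units, xd, yd = struct.unpack(">BHH", seg[7:12])
            info["jfif_version"] = f"{seg[5]}.{seg[6]:02d}"
            info["density_units"] = UNITS.get(units, units)
            info["x_density"], info["y_density"] = xd, yd
        elif marker == 0xC0:                    # baseline DCT frame header
            prec, height, width, ncomp = struct.unpack(">BHHB", seg[:6])
            info.update(precision=prec, height=height, width=width, components=ncomp)
            # per component: (id, horizontal sampling, vertical sampling, quant table)
            info["sampling"] = [(seg[6 + 3 * i], seg[7 + 3 * i] >> 4,
                                 seg[7 + 3 * i] & 0xF, seg[8 + 3 * i]) for i in range(ncomp)]
        pos += 2 + length
    return info

def header_diff(a: dict, b: dict) -> dict:
    """Fields present in both parsed headers whose values differ."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}
```

Running header_diff on the two constructed headers reports only the density and frame-size fields; the quantisation and sampling layout is the same in both dumps.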

-- End --