To complete this challenge, TASK 1.52 and Autopsy 1.62 were used. Both are free and available at:
http://www.sleuthkit.org/sleuthkit
http://www.sleuthkit.org/autopsy
Analysis can be done on any of the major UNIX platforms (Linux, OS X, FreeBSD, or Solaris). Installation directions for each tool can be found in its tar file.
The image.zip file was downloaded from the Honeynet website and validated using md5sum. It was then unzipped and the image file was placed in the morgue directory. All images and configuration files must be placed in the morgue directory for Autopsy. The fsmorgue file for Autopsy was as follows:
image | fat12 | A:\ | EST5EDT |
The MD5 value of image was then placed in md5.txt so that we could verify its integrity through Autopsy. The md5.txt file had the following contents:
ac3f7b85816165957cd4867e62cf452b | image |
Next, the image contents were examined by selecting 'File Browsing'. There were three files in the root directory (screen shot):
cover page.jpgc
Jimmy Jungle.doc (deleted)
Scheduled Visits.exe
Each was examined in alphabetical order.
Since the file is 15585 bytes and each sector is only 512 bytes, there should be ((15585 + 511) / 512) = 31 sectors. (NOTE: TASK does not use clusters when analyzing FAT, refer to the documentation in TASK for more information). Something has been done to this file to make it difficult to read. To get a better understanding of the image and what could have been done to this file, the remaining files were examined next.
When FAT deletes files, the starting sector is still known, but the remaining ones are not because their entries in the File Allocation Table are set to 0. If the file was not fragmented (i.e. it had consecutive sectors), recovery will be easy if the sectors have not been allocated since the deletion (i.e. they are still set to 0). We tried that theory first.
The first step was to find out how many sectors were needed for the file. The file size was 20480 bytes and the sector size was 512 bytes, so the file would require ((20480 + 511) / 512) = 40 sectors. We knew the file started at sector 33, and if the file was not fragmented it would have occupied sectors 33 to 72.
The next step was to look at the File Allocation Table (FAT) to identify whether these sectors were currently allocated. The FAT can be found using the 'File System' link (screen shot). The FAT has the following contents:
73-103 (31) -> EOF
104-108 (5) -> EOF
This shows that sectors 73 to 103 are allocated to one file and sectors 104 to 108 to another. We can also see that the sector of the first cluster was 33, which means that 33 is the first sector that can be allocated to a file. Nothing in the FAT claims sectors 33 to 72, which supports our theory that the deleted file occupied sectors 33 to 72. The next step was to extract those sectors so that we could analyze the data.
To extract the data, the 'Data Browsing' link was selected and '33' was entered as the sector number and '40' as the number of consecutive sectors. This extracted 40 sectors, starting at number 33. The result was both binary and ASCII values, but text from a letter to 'Jimmy Jungle' about the quality of pot could be seen. To remove the binary values from the output, the 'strings' link was selected (screen shot).
'Export' was used to save the data to disk so it could be viewed in a word processor (result). The MD5 of the sector chain was calculated on the command line:
% md5sum image-Sector33.raw
MD5 (image-Sector33.raw) = b775eb6a4ccc319759d9aaae1e340acc
Viewing the resulting document in Microsoft Word showed the address of Joe's supplier. The document in HTML can be found here.
082a5cc64deea22a3a580ffbb5a6fa66
The unzip command was used to unzip the file, but an error was given that the "End was not found". Either it was corrupt or there was a second file in the archive that we did not have. Examining the directory entry details (#5) (screen shot) showed that the size of the file was 1000 bytes and it had sectors 104-105.
We recall from the FAT contents that sectors 104-108 formed a "sector" chain. TASK will only show as many sectors as are needed for the given file size. So, even though 104-108 formed a chain in the FAT, only the first two will be shown if the file size is 1000 bytes (((1000 + 511) / 512) = 2). Therefore, it could be that the suspect modified the file size so that the final three sectors would not be examined. To test this theory, the entire chain was extracted.
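The two pieces of reasoning above, the contiguous-recovery theory for the deleted letter and the "file size smaller than the FAT chain" check for the archive, can both be done by hand against the raw FAT. The following is an added example, not code from the original write-up or from TASK/Autopsy: a minimal FAT12 reader run on a constructed 1.44 MB floppy image whose layout is set up to mirror what is described above (data area starting at sector 33, chains 73-103 and 104-108, a 1000-byte file that only accounts for two of its five sectors). The letter text, the hidden payload, and the filler contents are constructed sample data.

```python
import struct

SECTOR = 512
LETTER = b"Jimmy Jungle, the next shipment is on its way. (constructed sample text)"
HIDDEN = b"Scheduled Visits.xls data past the declared file size (constructed sample)"


def parse_boot_sector(image):
    """Read the BIOS Parameter Block and compute where the data area starts."""
    bps, spc = struct.unpack_from("<HB", image, 11)
    reserved, nfats, root_entries = struct.unpack_from("<HBH", image, 14)
    total = struct.unpack_from("<H", image, 19)[0]
    spf = struct.unpack_from("<H", image, 22)[0]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    # 1.44 MB floppy: 1 reserved + 2 FATs x 9 sectors + 14 root-directory sectors = 33
    return {"bps": bps, "spc": spc, "reserved": reserved, "spf": spf,
            "total_sectors": total, "first_data_sector": reserved + nfats * spf + root_sectors}


def read_fat(image, geo):
    start = geo["reserved"] * geo["bps"]
    return bytearray(image[start:start + geo["spf"] * geo["bps"]])


def fat12_get(fat, n):
    """FAT12 packs 1.5 bytes per entry; odd entries occupy the high 12 bits of the pair."""
    off = n * 3 // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF


def fat12_set(fat, n, value):
    off = n * 3 // 2
    val = fat[off] | (fat[off + 1] << 8)
    val = (val & 0x000F) | (value << 4) if n & 1 else (val & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = val & 0xFF, val >> 8


def cluster_to_sector(geo, c):
    return geo["first_data_sector"] + (c - 2) * geo["spc"]


def sector_to_cluster(geo, s):
    return (s - geo["first_data_sector"]) // geo["spc"] + 2


def list_chains(fat, geo):
    """Walk every allocated chain from its head, like Autopsy's 'File System' FAT view."""
    n_clusters = (geo["total_sectors"] - geo["first_data_sector"]) // geo["spc"] + 2
    entry = {c: fat12_get(fat, c) for c in range(2, n_clusters)}
    referenced = {v for v in entry.values() if v in entry}   # clusters pointed to by another
    chains = []
    for head in range(2, n_clusters):
        if entry[head] == 0 or head in referenced:
            continue                                      # free, or not the start of a chain
        sectors, cur = [], head
        while cur in entry and len(sectors) < n_clusters:  # stops at EOF (>= 0xFF8) or a loop
            sectors.append(cluster_to_sector(geo, cur))
            cur = entry[cur]
        chains.append(sectors)
    return chains


def describe_chain(sectors):
    """Autopsy-style summary; assumes the chain is contiguous, as in the sample."""
    return f"{sectors[0]}-{sectors[-1]} ({len(sectors)}) -> EOF"


def recover_contiguous(image, fat, geo, start_sector, size):
    """Deleted-file theory: if the file was not fragmented and nothing was written
    since, its sectors are still free (FAT entry 0) and follow the start sector."""
    needed = (size + geo["bps"] - 1) // geo["bps"]
    first = sector_to_cluster(geo, start_sector)
    busy = [cluster_to_sector(geo, c) for c in range(first, first + needed) if fat12_get(fat, c) != 0]
    if busy:
        raise ValueError(f"sectors reallocated since deletion: {busy}")
    off = start_sector * geo["bps"]
    return list(range(start_sector, start_sector + needed)), bytes(image[off:off + needed * geo["bps"]])


def chain_slack(sectors, file_size, bps=SECTOR):
    """Sectors present in the FAT chain but beyond the declared file size."""
    shown = (file_size + bps - 1) // bps
    return {"sectors_shown": shown, "hidden_sectors": sectors[shown:],
            "slack_bytes": len(sectors) * bps - file_size}


def build_sample_image():
    """Constructed 1.44 MB FAT12 image mirroring the layout described in the write-up."""
    img = bytearray(2880 * SECTOR)
    struct.pack_into("<HB", img, 11, SECTOR, 1)          # bytes/sector, sectors/cluster
    struct.pack_into("<HBH", img, 14, 1, 2, 224)         # reserved, FAT copies, root entries
    struct.pack_into("<HBH", img, 19, 2880, 0xF0, 9)     # total sectors, media byte, sectors/FAT
    fat = bytearray(9 * SECTOR)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, 0xFFF)
    # 73-103 (31) -> EOF is clusters 42-72; 104-108 (5) -> EOF is clusters 73-77
    for lo, hi in ((42, 72), (73, 77)):
        for c in range(lo, hi):
            fat12_set(fat, c, c + 1)
        fat12_set(fat, hi, 0xFFF)
    for copy in range(2):                                # write both FAT copies
        start = (1 + copy * 9) * SECTOR
        img[start:start + len(fat)] = fat
    img[33 * SECTOR:33 * SECTOR + len(LETTER)] = LETTER  # deleted letter, clusters now free
    img[104 * SECTOR:104 * SECTOR + 1000] = b"P" * 1000  # archive with a declared size of 1000
    img[106 * SECTOR:106 * SECTOR + len(HIDDEN)] = HIDDEN  # data in the three unaccounted sectors
    return img
```

`recover_contiguous(img, fat, geo, 33, 20480)` returns sectors 33-72 with the letter at the front, and refuses to "recover" from sector 73 because those entries are still allocated; `chain_slack(chain, 1000)` on the 104-108 chain reports sectors 106-108 as hidden with 1560 bytes of slack, which is exactly why the whole chain, not just the two sectors implied by the file size, had to be exported.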
The 'File System' mode was used and the 104-108 (5) link was selected (this is the equivalent of using 'Data Browsing' mode and extracting 5 sectors starting at 104). 'strings' was used to identify embedded information and the string Scheduled Visits.xls was seen twice (screen shot). That could be the name of the file in the archive. 'Export' was used to save the file to disk. It can be found here and has the following MD5:
4e0be275e3040701145e3235dd43ea4a
When unzipping this file, no error was generated, but we were prompted for a password (which the previous Word document mentioned).
It was noticed that the size of the jpg file was reported to be 15585 bytes, which would require ((15585 + 511) / 512) = 31 sectors. That matched the length of the 73-103 sector chain. The sector chain was viewed in Autopsy (from the 'File System' link), which reported a file type of JPEG image data. 'strings' was run on it next to identify embedded information. At the bottom of the file, the 'pw=goodtimes' string was noticed (screen shot). This could be the password we were looking for. The sectors were exported and the following MD5 was calculated:
28cfe7fe68f5b13071a2ce0b87ff1e9b
Opening the image with an image viewer showed us that Jimmy Jungle was featured on the cover of 'POT SMOKERS MONTHLY'. The file can be found here.
md5: 0988df42266ff538fb6101e7bc9d8e05
size: 16896 bytes
The xls file was opened with Microsoft Excel to find a list of high schools and visit dates. Its contents are shown here.
dd if=image bs=512 skip=109 | hexdump
0000000 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6 f6f6
*
015a400 0000 0000 0000 0000 0000 0000 0000 0000
*
015a600
This showed that the rest of the image was 0xf6 and 0x00, as 'hexdump' (by default) does not repeat values that are the same as the previous line.
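Relying on hexdump's collapsed output only tells you that each line repeats the previous one; a sector that differs in a single byte still shows up as one extra line that is easy to miss in a long dump. The following is an added example, not part of the original write-up: it summarises the unallocated tail of an image as runs of sectors, reporting each run as either a single repeated filler byte or "mixed content", so a stray sector of data stands out. The image is constructed to match the layout reported above (0xf6 filler from sector 109 to 2878, one zeroed sector at the end), and the optional stray string is constructed sample data.

```python
SECTOR = 512


def sector_runs(image, start_sector, bps=SECTOR):
    """Collapse consecutive sectors with the same character into (first, last, description).

    A sector counts as '0xNN fill' only if every one of its bytes equals the first byte;
    anything else is reported as 'mixed content' so it cannot hide inside a filler run.
    """
    runs = []
    for s in range(start_sector, len(image) // bps):
        sec = image[s * bps:(s + 1) * bps]
        desc = f"0x{sec[0]:02x} fill" if sec == sec[:1] * bps else "mixed content"
        if runs and runs[-1][2] == desc:
            runs[-1][1] = s                      # extend the current run
        else:
            runs.append([s, s, desc])           # start a new run
    return [tuple(r) for r in runs]


def build_tail_image(stray=b""):
    """Constructed 2880-sector image: format filler 0xf6 in sectors 109-2878, zeros in 2879.

    If `stray` is given it is written into sector 500 to simulate data left in the
    unallocated area.
    """
    img = bytearray(2880 * SECTOR)
    img[109 * SECTOR:2879 * SECTOR] = b"\xf6" * ((2879 - 109) * SECTOR)
    if stray:
        img[500 * SECTOR:500 * SECTOR + len(stray)] = stray
    return img


if __name__ == "__main__":
    for first, last, desc in sector_runs(build_tail_image(b"constructed stray text"), 109):
        print(f"sectors {first}-{last}: {desc}")
```

On the clean constructed image the result is two runs, 109-2878 of 0xf6 and 2879 of 0x00, matching the two non-repeated hexdump lines above; with the stray string present the 0xf6 run is split around a single "mixed content" sector, which is the case hexdump's `*` makes easy to overlook.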
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
2. The password for the zip file was found in the slack space of coverpage.jpg (at byte offset 288 of sector 103).
3. The list of other high schools can be seen here.
4. Hiding techniques:
5. The process used to recover the data is shown above using TASK and Autopsy.