Solutions for Scan 24

by Daniel B. Sedory


The Questions, and the Answers submitted by this investigator:

  1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

    Jimmy Jungle
    626 Jungle Ave
    Apt 2
    Jungle, NY 11111


    Obtained from the MS-Word document file "Jimmy Jungle.doc", which had been deleted, but all of its data was left intact on the floppy diskette. Looking at the Directory's raw data for the Long File Name shows that this is indeed the name of the file (which means JIMMYJ~1.DOC is the correct Short, or DOS 8.3, name).

    The document, signed "Joe" (very likely Joe Jacobs, since the diskette was found in his house per the police report), says that one "Jimmy Jungle" was growing his own marijuana and selling it to Joe, who in this letter also implicates himself in the sale of marijuana to high school students.


  2. What crucial data is available within the cover page.jpg file and why is this data crucial?

    The phrase "pw=goodtimes" can clearly be seen near the end of this file. This turns out to be the password* for extracting "Scheduled Visits.xls" from the disguised PKZIP file on the diskette. (The fact that this JFIF pic states that Jimmy Jungle is a "featured pot grower, smoker and seller" certainly corroborates the evidence found in the .doc file.)
    _____________________________
    * As referenced in "Jimmy Jungle.doc" by the statement: "To open it, use the same password that you sent me before with that file." ("That file" being "cover page.jpg").


    [ I'm assuming that this question means "crucial" in so far as being able to turn the data over to the police as soon as possible, because PKZIP password cracking programs are available, even as public downloads from the Internet. Although PKZIP passwords do not use the strongest encryption available, cracking them can still take a long time. ]


  3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

    From the file "Scheduled Visits.xls" you will also find these schools listed:

    Key High School, Leetch High School, Birard High School, Richter High School and Hull High School.



  4. For each file, what processes were taken by the suspect to mask them from others?

    "Jimmy Jungle.doc" --- was only "deleted" (or "erased"), but not destroyed; luckily none of the data was overwritten before we acquired the diskette.

    "cover page.jpg" --- was somehow changed to "cover page.jpgc           " (that is, .jpgc followed by 11 spaces). This is an illegal file name: although a Long File Name (LFN) may contain many spaces, it cannot end with even a single space. Trying to do so under MS-Windows 9x Explorer, for example, silently results in a filename with no trailing spaces; they are simply dropped. Besides that, the value for the Beginning Cluster of the file on the diskette was changed from 42 to 420 (see the linked page for a color illustration of this file's faulty Directory entry). Lastly, the file size may also have been changed, in an attempt to keep others from copying the password to other media.

    "Scheduled Visits.zip" --- which contains the PKZIP password-protected file "Scheduled Visits.xls", was renamed to "Scheduled Visits.exe      " (the .exe is followed by 6 trailing spaces, quite similar to how the .JPG file was changed), presumably in an attempt to hide the fact that this file is really a ".ZIP" file (it is not a self-extracting ZIP file). Its creator went one step further and changed the file size to only 1000 bytes, instead of the correct size of at least 2,420 bytes.

    Under normal circumstances (especially with so many free entries left in this diskette's Root Directory), any renaming of a file (using MS-Windows/DOS) would cause a new and separate entry to be created and the original entry to be deleted (with E5 bytes placed in the appropriate locations). Furthermore, the checksum bytes for such a change of the DOS filename to "SCHEDU~1.EXE" would be 55 hex, but they are still set to 9E hex (the correct checksum for "SCHEDU~1.ZIP"). This proves that something other than the normal MS-DOS commands or Windows OS interface was used to make otherwise illegal data entries at the byte level. Therefore, it's my conclusion that the Directory entries for these last two files must have been changed with a disk editor or similar utility program.
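    As an added illustration (not part of this write-up, and not the investigator's tooling), the following Python reproduces the two Directory-entry checks described above on constructed 32-byte entries: the LFN checksum that still reads 9E for SCHEDU~1.ZIP although the 8.3 name now says SCHEDU~1.EXE, and the trailing spaces that a normal rename would never leave behind. The directory bytes are built from the page's description rather than taken from the image; the 8.3 name COVERP~1.JPG and the .exe's start cluster are assumptions.

```python
import struct

def lfn_checksum(short11: bytes) -> int:
    # Checksum kept in every LFN entry, computed over the 11-byte 8.3 name as stored (no dot)
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s
def short_entry(name, ext, cluster, size, attr=0x20):
    # 32-byte 8.3 entry: name(8) ext(3) attr(1), 14 timestamp/reserved bytes, cluster low word, size
    return f"{name:<8}{ext:<3}".encode() + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)
def lfn_entries(long_name: str, checksum: int) -> bytes:
    # LFN entries that precede an 8.3 entry: 13 UTF-16LE chars each, written last piece first
    chars = list(long_name) + (["\x00"] if len(long_name) % 13 else [])
    chars += ["\uffff"] * (-len(chars) % 13)         # pad the final piece with 0xFFFF
    n, out = len(chars) // 13, b""
    for i in reversed(range(n)):
        u = "".join(chars[i * 13:(i + 1) * 13]).encode("utf-16-le")
        seq = (i + 1) | (0x40 if i == n - 1 else 0)   # 0x40 marks the last piece of the name
        out += bytes([seq]) + u[:10] + bytes([0x0F, 0, checksum]) + u[10:22] + b"\0\0" + u[22:]
    return out

def audit_directory(raw: bytes):
    # Walk the 32-byte entries, pair each 8.3 entry with the LFN pieces before it, yield findings
    pieces = {}
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break                                   # nothing was ever written past this entry
        if e[11] == 0x0F:                           # LFN piece; a deleted piece has lost its sequence number
            if e[0] != 0xE5:
                pieces[e[0] & 0x3F] = ((e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le"), e[13])
            continue
        long_name = "".join(pieces[k][0] for k in sorted(pieces)).split("\x00")[0].rstrip("\uffff")
        stored, pieces = sorted({"0x%02X" % ck for _, ck in pieces.values()}), {}
        cluster, size = struct.unpack("<HI", e[26:32])
        r = {"short": e[0:11].decode("latin-1"), "long": long_name, "cluster": cluster,
             "size": size, "deleted": e[0] == 0xE5, "findings": []}
        calc = "0x%02X" % lfn_checksum(e[0:11])
        if stored and stored != [calc]:             # the LFN pieces belong to a different 8.3 name
            r["findings"].append(f"LFN checksum {'/'.join(stored)} != {calc} computed for this 8.3 name")
        if long_name.endswith(" "):
            r["findings"].append("long name ends with trailing space(s)")
        yield r

# Constructed sample root directory modelled on the page's description (not the real image bytes)
SAMPLE = (lfn_entries("Scheduled Visits.exe      ", lfn_checksum(b"SCHEDU~1ZIP"))  # 9E left in place
          + short_entry("SCHEDU~1", "EXE", 56, 1000)            # start cluster 56 is a made-up value
          + lfn_entries("cover page.jpgc           ", lfn_checksum(b"COVERP~1JPG"))  # 8.3 name assumed
          + short_entry("COVERP~1", "JPG", 420, 15585))
```

    Run `list(audit_directory(SAMPLE))` to see both findings on the .exe entry and only the trailing-space finding on the .jpgc entry.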


  5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

    Rapidly scanned (with my eyes) the image file in a hex editor (easy to do, since most of the diskette was not in use: all F6-byte sectors at the end, except for the very last sector, which was all zero bytes). I quickly noted that there was a deleted file entry in the Directory (sector 19), but the important data (who Joe's supplier was, etc.) was clearly visible even in a text editor. (In order to ensure that none of the deleted file had been damaged, I needed to use a DOS UNERASE program on a diskette made from the image file; those who use special forensic programs may have been able to do so with just the image file.)

    After noticing the bytes "PK" at the beginning of a sector in the image file, and seeing that the last used sector (just before all the F6-byte sectors) had a PK filename listing in it, I simply copied all the bytes from the "PK" signature to the end of the last used sector (only five sectors in total; 2,560 bytes) from my hex editor to a new file with a .ZIP extension. I was immediately able to see that there was one file inside it, and since I had already guessed during my scan that the phrase I saw at the end of the previous file ("pw=goodtimes") was a password, I tried it out and got a copy of "Scheduled Visits.xls", which, even in a text editor, clearly shows all the high schools that "Joe" was visiting. (Note: If the .ZIP had not opened correctly the first time, I could have used a program called PKZIPFIX to see if that fixed it. I later ran the program against the copy I had made, and found that the original file size was most likely 2,420 bytes.)

    When eyeballing the image file, I had also noticed the signature "JFIF" near the beginning of a sector. The contents of the .DOC file mentioned a pic as well, so I copied all of the bytes from this sector to the end of the sector just before the one that started the .ZIP file, set the extension to .JPG and quickly viewed the picture! Later on I was able to prove that the picture could be viewed with as little as 15,585 bytes (which is the file length shown in its Directory entry), but I suspect that this may have been changed as well, since doing so would keep anyone from ever seeing the PKZIP password embedded at the end of the file if they didn't copy at least 15,660 bytes of it.

    After noting all of the changes which were made to these file entries, I concluded that a disk editor or some other low-level utility must have been used to change specific bytes in these entries.
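    Added example, not the investigator's own tooling: a small Python carver that does what the hex-editor copying described above did, sector by sector, on a constructed stand-in image, and then shows why a copy truncated at the Directory's file size can miss a "pw=" string sitting past the JPEG's End-Of-Image marker. The JPEG and ZIP bytes below are placeholders, not the real files from the diskette.

```python
import re

SECTOR = 512
FILL = b"\xf6" * SECTOR                  # an unused, freshly formatted floppy sector
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip"}   # JPEG SOI / ZIP local header

def carve_by_sector(image: bytes) -> list:
    # Sector-aligned carving: a file runs from its signature sector up to the next signature
    # sector or the first all-F6 / all-zero sector, whichever comes first
    starts = [(off, ext) for off in range(0, len(image), SECTOR)
              for sig, ext in SIGNATURES.items() if image[off:off + len(sig)] == sig]
    found = []
    for i, (off, ext) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(image)
        for s in range(off, end, SECTOR):
            if image[s:s + SECTOR] in (FILL, bytes(SECTOR)):
                end = s
                break
        found.append({"ext": ext, "offset": off, "length": end - off, "data": image[off:end]})
    return found

def after_eoi(jpg: bytes) -> bytes:
    # Everything past the JPEG End-Of-Image marker (FF D9), minus sector padding; a viewer never
    # shows these bytes, so a copy cut at the Directory's file size can silently drop them
    eoi = jpg.rfind(b"\xff\xd9")
    return jpg[eoi + 2:].rstrip(b"\x00") if eoi >= 0 else b""

def password_hint(data: bytes):
    # Look for a "pw=..." string like the one found at the tail of the picture
    m = re.search(rb"pw=[^\s]+", data)
    return m.group(0) if m else None

def pad(data: bytes) -> bytes:
    # Round a constructed file up to whole sectors, as it would sit on the diskette
    return data.ljust(-(-len(data) // SECTOR) * SECTOR, b"\x00")

# Constructed stand-in image: system sectors, a JPEG with a trailer, a ZIP, F6 fill, zero tail
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 1200 + b"\xff\xd9" + b"\r\npw=goodtimes\r\n"
ZIP = b"PK\x03\x04" + b"\x22" * 700 + b"PK\x05\x06" + bytes(18)
IMAGE = bytes(3 * SECTOR) + pad(JPG) + pad(ZIP) + FILL * 4 + bytes(SECTOR)
```

    The carved JPEG keeps its trailer because the copy stops at the next signature sector rather than at a size taken from the Directory.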

 

Tools used by this investigator (in order of importance):

1. Hex Editor: FRee Hex EDitor (FRHED).
2. An old DOS version of the Norton Utilities' UNERASE program; the UNERASE program from an old MS-DOS version could have been used instead.
3. Disk Editor: Old DOS version of Norton Utilities' DiskEdit to check and obtain some more info about the FAT and Directory entries on the diskette.
4. Text Editor: a free text editor called The GUN (Grown Up Notepad) to open the image file and quickly read TEXT strings in it; you do not need this if you're running Win2000 / NT, since NOTEPAD in those versions can open very large files!
5. PKZIP package 2.04g for PKZIPFIX: Not really necessary in this case, but could have been useful if the ZIP file had been damaged. I used it to find what I consider to be the original file length of the .ZIP file.

 

Submitted by: Daniel B. Sedory
Computer Consultant / Technician
This form page can be used to send me email:

< http://www.geocities.com/thestarman3/Feedback.html >