After downloading the file scan26.zip, we performed an integrity check before and after unzipping it. The output of the commands below was compared with the digests of scan26 and scan26.zip published on the challenge page.
$ md5sum scan26
$ md5sum scan26.zip
Then we tried to identify the type of the file scan26 using the Linux command below:
$ file scan26
The file seems to be a disk image, possibly of a bootable disk. To identify the exact type of disk we used the Linux command strings to extract readable strings from the disk content:
$ strings scan26
"RVRbIHC
According to the FAT12 string in the output, the disk contains a FAT12-formatted file system, so it is the image of a floppy disk.
Two other pieces of information were identified in the output of strings. The first is pw=help, which seems to be a hidden password. The second is John Smith's Address: 1212 Main Street, Jones, FL 00001, which seems to be John Smith's address (probable answers to questions 1 and 2).
$ strings scan26
[remaining data]
h%ad
Now let's look inside the floppy disk to identify the files it contains. Using the Linux command hexdump (or khexedit if you prefer a graphical tool), we start the analysis of the FAT12 file system.
The FAT12 layout, as shown in the dump below, contains a boot sector (sector 0), a file allocation table (9 sectors starting from sector 1), a second copy of the file allocation table (9 sectors starting from sector 10), a root directory (14 sectors from sector 20) and the area where data is stored (starting at sector 33).
Looking at the hexdump result, the two copies of the FAT as well as the root directory contain no entries, so the floppy disk appears to contain no files. However, the data area does contain information, which we will first try to identify and then extract.
Boot Sector (sector 0)
00000000  eb 3e 90 22 52 56 52 62  49 48 43 00 02 01 01 00  |ë>."RVRbIHC.....|
00000010  02 e0 00 40 0b f0 09 00  12 00 02 00 00 00 00 00  |.à.@.ð..........|
00000020  00 00 00 00 00 00 29 44  06 da 16 4e 4f 20 4e 41  |......)D.Ú.NO NA|
00000030  4d 45 20 20 20 20 46 41  54 31 32 20 20 20 f1 7d  |ME    FAT12   ñ}|
00000040  fa 33 c9 8e d1 bc fc 7b  16 07 bd 78 00 c5 76 00  |ú3É.Ѽü{..½x.Åv.|
00000050  1e 56 16 55 bf 22 05 89  7e 00 89 4e 02 b1 0b fc  |.V.U¿"..~..N.±.ü|
00000060  f3 a4 06 1f bd 00 7c c6  45 fe 0f 8b 46 18 88 45  |ó¤..½.|ÆEþ..F..E|
00000070  f9 fb 38 66 24 7c 04 cd  13 72 3c 8a 46 10 98 f7  |ùû8f$|.Í.r<.F..÷|
00000080  66 16 03 46 1c 13 56 1e  03 46 0e 13 d1 50 52 89  |f..F..V..F..ÑPR.|
00000090  46 fc 89 56 fe b8 20 00  8b 76 11 f7 e6 8b 5e 0b  |Fü.Vþ¸ ..v.÷æ.^.|
000000a0  03 c3 48 f7 f3 01 46 fc  11 4e fe 5a 58 bb 00 07  |.ÃH÷ó.Fü.NþZX»..|
000000b0  8b fb b1 01 e8 94 00 72  47 38 2d 74 19 b1 0b 56  |.û±.è..rG8-t.±.V|
000000c0  8b 76 3e f3 a6 5e 74 4a  4e 74 0b 03 f9 83 c7 15  |.v>ó¦^tJNt..ù.Ç.|
000000d0  3b fb 72 e5 eb d7 2b c9  b8 d8 7d 87 46 3e 3c d8  |;ûråë×+ɸØ}.F><Ø|
000000e0  75 99 be 80 7d ac 98 03  f0 ac 84 c0 74 17 3c ff  |u.¾.}¬..ð¬.Àt.<ÿ|
000000f0  74 09 b4 0e bb 07 00 cd  10 eb ee be 83 7d eb e5  |t.´.»..Í.ëî¾.}ëå|
00000100  be 81 7d eb e0 33 c0 cd  16 5e 1f 8f 04 8f 44 02  |¾.}ëà3ÀÍ.^....D.|
00000110  cd 19 be 82 7d 8b 7d 0f  83 ff 02 72 c8 8b c7 48  |Í.¾.}.}..ÿ.rÈ.ÇH|
00000120  48 8a 4e 0d f7 e1 03 46  fc 13 56 fe bb 00 07 53  |H.N.÷á.Fü.Vþ»..S|
00000130  b1 04 e8 16 00 5b 72 c8  81 3f 4d 5a 75 a7 81 bf  |±.è..[rÈ.?MZu§.¿|
00000140  00 02 42 4a 75 9f ea 00  02 70 00 50 52 51 91 92  |..BJu.ê..p.PRQ..|
00000150  33 d2 f7 76 18 91 f7 76  18 42 87 ca f7 76 1a 8a  |3Ò÷v..÷v.B.Ê÷v..|
00000160  f2 8a 56 24 8a e8 d0 cc  d0 cc 0a cc b8 01 02 cd  |ò.V$.èÐÌÐÌ.̸..Í|
00000170  13 59 5a 58 72 09 40 75  01 42 03 5e 0b e2 cc c3  |.YZXr.@u.B.^.âÌÃ|
00000180  03 18 01 27 0d 0a 49 6e  76 61 6c 69 64 20 73 79  |...'..Invalid sy|
00000190  73 74 65 6d 20 64 69 73  6b ff 0d 0a 44 69 73 6b  |stem diskÿ..Disk|
000001a0  20 49 2f 4f 20 65 72 72  6f 72 ff 0d 0a 52 65 70  | I/O errorÿ..Rep|
000001b0  6c 61 63 65 20 74 68 65  20 64 69 73 6b 2c 20 61  |lace the disk, a|
000001c0  6e 64 20 74 68 65 6e 20  70 72 65 73 73 20 61 6e  |nd then press an|
000001d0  79 20 6b 65 79 0d 0a 00  49 4f 20 20 20 20 20 20  |y key...IO      |
000001e0  53 59 53 4d 53 44 4f 53  20 20 20 53 59 53 80 01  |SYSMSDOS   SYS..|
000001f0  00 57 49 4e 42 4f 4f 54  20 53 59 53 00 00 55 aa  |.WINBOOT SYS..Uª|
FAT (Copy 1)
00000200  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |ðÿÿ.............|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
FAT (Copy 2)
00001400  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |ðÿÿ.............|
00001410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
Root Directory
00002600  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
Data Area
00004200  ff d8 ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |ÿØÿà..JFIF.....H|
00004210  00 48 00 00 ff fe 00 4c  11 53 6e 55 47 b3 2d 44  |.H..ÿþ.L.SnUG³-D|
00004220  35 d2 23 66 6b 1d bd 76  3c 89 68 69 d4 17 60 e8  |5Ò#fk.½v<.hiÔ.`è|
00004230  a8 a4 2d 09 59 19 ab 28  1a de 5e 98 60 c2 a5 c3  |¨¤-.Y.«(.Þ^.`Â¥Ã|
00004240  a7 ae 24 d0 3d 16 03 47  6a 60 90 da e1 44 f9 cc  |§®$Ð=..Gj`.ÚáDùÌ|
[Remaining sectors ...]
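As an added example (not part of the original write-up), the following Python decodes the BIOS Parameter Block from the boot sector bytes dumped above and derives the sector layout of the volume from it. The FAT1 constant is the first 16 bytes of FAT copy 1 from the dump; the 12-bit entry decoder shows that entries 0 and 1 are the media descriptor and end-of-chain marker and that every later entry is free.

```python
import struct

# Bytes 0..63 of the boot sector, copied from the first four rows of the dump above.
BOOT = bytes.fromhex(
    "eb3e9022525652624948430002010100"
    "02e000400bf009001200020000000000"
    "000000000000294406da164e4f204e41"
    "4d45202020204641543132202020f17d"
)
# First 16 bytes of FAT copy 1 (offset 0x200), also copied from the dump.
FAT1 = bytes.fromhex("f0ffff00000000000000000000000000")


def parse_bpb(boot):
    """Decode the BIOS Parameter Block (little-endian fields starting at byte 0x0B)
    and derive where each region of the FAT12 volume starts, in sectors."""
    (bps, spc, reserved, nfats, root_entries,
     total, media, spf, spt, heads) = struct.unpack_from("<HBHBHHBHHH", boot, 0x0B)
    root_sectors = -(-root_entries * 32 // bps)   # ceil(224 entries * 32 bytes / 512)
    return {
        "oem": boot[3:11].decode("latin-1"),      # the '"RVRbIHC' string seen by strings
        "label": boot[0x2B:0x36].decode("ascii").strip(),
        "fs_type": boot[0x36:0x3E].decode("ascii").strip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "total_sectors": total, "media": media, "heads": heads, "sectors_per_track": spt,
        "fat1_start": reserved,                   # offset 0x200  in the dump
        "fat2_start": reserved + spf,             # offset 0x1400 in the dump
        "root_start": reserved + nfats * spf,     # offset 0x2600 in the dump
        "root_sectors": root_sectors,
        "data_start": reserved + nfats * spf + root_sectors,   # offset 0x4200 in the dump
    }


def fat12_entry(fat, n):
    """Return 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n * 3 // 2
    val = fat[off] | (fat[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0xFFF)


if __name__ == "__main__":
    for key, value in parse_bpb(BOOT).items():
        print(f"{key:20} {value}")
    # Entry 0 holds the media descriptor (0xFF0) and entry 1 the end-of-chain marker
    # (0xFFF); these are the 3 bytes left in each FAT. Every later entry is 0 (free),
    # so no cluster is allocated and the files in the data area must be carved.
    print("FAT[0..2] =", [hex(fat12_entry(FAT1, i)) for i in range(3)])
```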
The presence of the strings JFIF and BMv in the output of the strings command reveals one JPEG file and one BMP file.
$ strings scan26
[Remaining data]
Let's try to extract the two files now.
According to the JPEG file structure, a JPEG file begins with the two-byte marker 0xFFD8 followed by the JFIF marker 0xFFE0. The end of a JPEG file is announced by the two-byte marker 0xFFD9.
If we find the 0xFFD8 and 0xFFD9 markers in the floppy disk dump, we can compute the first and last cluster of the JPEG file.
Using khexedit we find that the 0xFFD8 marker is located at offset 0x4200 and the 0xFFD9 marker at offset 0xC158. In terms of sectors the JPEG file starts in sector 33 and ends in sector 96 (we only need to divide the offset by 0x200, which is 512 in decimal, the size of a sector in bytes). The number of sectors used by the JPEG file is 96 - 33 + 1 = 64.
To extract the JPEG file the following Linux command was executed:
$ dd if=scan26 skip=33 count=64 bs=512 of=image.jpg
Next we checked whether some information is hidden inside the recovered JPEG image. Steganography is a technique that hides a secret message within an ordinary message (in most cases an image) so that nobody suspects it exists without knowing the algorithm and secret key used.
Stegdetect is a powerful tool that detects the presence of steganography in images. We ran it as follows:
$ ./stegdetect image.jpg
image-jpg : invisible[7771](***) appended(166)<[nonrandom][data][................]>
The output shows that a steganography technique has probably been used to hide some useful information.
Let's now do the same thing with the BMP file. According to the BMP file format specification, a BMP file starts with the two-byte signature 0x424D (read as a little-endian 16-bit value it is 0x4D42, which corresponds to the decimal value 19778). This value was found at offset 0xC200. The next 4 bytes, starting at offset 0xC202, specify the size of the BMP file in bytes. We need to read these bytes from right to left (little-endian) to get the correct file size, which is 0x0011CC76 bytes, or 1166454 bytes in decimal. The last offset of the file can be computed using the formula 0xC200 + 0x0011CC76 - 0x1 = 0x128E75.
In terms of sectors, the BMP file starts in sector 0xC200/0x200 = 0x61 = 97 in decimal and ends in sector 0x128E75/0x200 = 0x947 = 2375 in decimal. The BMP file starts in the first sector after the JPEG file. The number of sectors used by the BMP file is 2375 - 97 + 1 = 2279.
To extract the BMP file the following Linux command was executed:
$ dd if=scan26 skip=97 count=2279 bs=512 of=image.BMP
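The carving done by hand above, as an added Python example that is not part of the original write-up: it finds the JPEG by its 0xFFD8/0xFFD9 markers, the BMP by its BM signature and little-endian size field, converts byte offsets into the skip/count sector arguments of dd, and runs against a small constructed image (built inline, not scan26) so it can be executed offline. Given the page's own offsets, sector_span reproduces the 33/64 and 97/2279 figures.

```python
import struct

SECTOR = 512
DATA_START = 33                      # first data sector of a 1.44 MB FAT12 floppy


def sector_span(first_byte, last_byte):
    """Inclusive byte range -> (skip, count) in 512-byte sectors, as passed to dd."""
    first, last = first_byte // SECTOR, last_byte // SECTOR
    return first, last - first + 1


def carve_jpeg(img, start=DATA_START * SECTOR):
    """Offsets of SOI (FF D8) and the first EOI (FF D9) after it, the method used above.
    Caveat: a JPEG with an embedded EXIF thumbnail holds a second SOI/EOI pair, so the
    first EOI would truncate it; the floppy image has no such thumbnail."""
    soi = img.find(b"\xff\xd8\xff", start)
    eoi = img.find(b"\xff\xd9", soi + 2) if soi >= 0 else -1
    return None if eoi < 0 else (soi, eoi + 1)


def carve_bmp(img, start):
    """Offsets of a BMP: 'BM' signature, then little-endian 32-bit file size at +2."""
    pos = img.find(b"BM", start)
    while pos >= 0:
        size = struct.unpack_from("<I", img, pos + 2)[0]
        if 26 <= size <= len(img) - pos:         # 14-byte header plus at least a DIB header
            return pos, pos + size - 1
        pos = img.find(b"BM", pos + 1)           # 'BM' inside other data: keep looking
    return None


def dd_extract(img, skip, count):
    """The bytes `dd if=<img> skip=<skip> count=<count> bs=512` would write."""
    return img[skip * SECTOR:(skip + count) * SECTOR]


def build_sample_image():
    """Constructed test image: 33 empty system sectors, a 722-byte JPEG (sector-padded),
    then a 2000-byte BMP, padded to the 2880 sectors of a floppy."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00" + b"\x11" * 700 + b"\xff\xd9"
    jpeg = jpeg.ljust(-(-len(jpeg) // SECTOR) * SECTOR, b"\x00")
    bmp = b"BM" + struct.pack("<IHHI", 2000, 0, 0, 54) + b"\x00" * (2000 - 14)
    return (b"\x00" * (DATA_START * SECTOR) + jpeg + bmp).ljust(2880 * SECTOR, b"\x00")


if __name__ == "__main__":
    img = build_sample_image()
    j = carve_jpeg(img)
    b = carve_bmp(img, start=j[1] + 1)           # the BMP follows directly after the JPEG
    for name, span in (("image.jpg", j), ("image.BMP", b)):
        skip, count = sector_span(*span)
        print(f"dd if=scan26 skip={skip} count={count} bs=512 of={name}")
```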
The BMP image shows that Jimmy Jungle is currently hiding at the following address: 22 Jones (answer to question 4).
The exact location where Jimmy Jungle received the drugs is dunny's 12 pier Boat Lunch. This information appears in both the JPEG and the BMP file (answer to question 3).
The hexadecimal dump of the floppy disk content shows that only the root directory sectors have been zeroed, together with the two FAT tables except for the first 3 bytes of each of them. The boot sector and the data area still contain data. The process used here seems to be a quick format. To confirm this idea we quick-formatted a second floppy disk and obtained the same result.
khexedit
file
strings
dd
hexdump