Honeynet Project Scan of the Month, Scan 26 (February 2003). Submission by Dophine V. Britanico, Philippines.
Challenge Summary
Analyze the modified floppy image recovered by police officers from Jimmy Jungle's supposed hideout during an earlier sweep, and obtain as much incriminating information as possible. Document the process and techniques used to alter the disk and mislead the digital forensic analyst, and recover the crucial data from the floppy.
Tools and O.S. Used:
OS:
  C2-compliant Windows XP Professional Edition
  Armoured Red Hat Linux 6.2 (stable)
Tools:
  Standard Linux binaries
  UltraEdit (eval) www.ultraedit.com
  WinZip (eval) www.winzip.com
  Your gray matter
Overview
In my first submission on Honeynet Scan24 (
Downloaded: Oct 21/02, 12:36 AM
GumShoe:
First I downloaded the image file. Guessing that this would be like Scan24, I never dd'd the image nor performed an md5sum, since I quite trusted my download from Honeynet. Next I fired up UltraEdit and directly hex-edited the unzipped image file (that saves me a precious 3-4 minutes, instead of manually unzipping the image file from the Linux console). At first glance I already sensed something was wrong with the File Allocation Table (FAT), from offset 203h up to offset 4200h, immediately following the 512-byte boot sector code (unbootable): it was missing the proper identifying marks that stamp a file system onto the FAT. It was filled with hex 0x00, which in DOS and other file systems technically means unused bytes. Given this, scrolling further down the image file I found a trivial but telltale sign of a graphics file: continuous streams of identical hexadecimal values, common in RLE-encoded pixels and uncommon in executable files. That took me less than 5 minutes. To prove that my assessment was correct, I started searching for unique header information. A quick reference of common header signatures found on Windows boxen, for aspiring digital forensic analysts:
MZ (4D 5A) = Executable file header signature found in old DOS .EXE files, PE, DLL, OCX, VXD, DRV etc.
EB / E8 / E9 (first byte) = Typical start of a .COM file (a jump or call). Be careful here: a .COM file has no real header, and a tricky Microsoft file manipulation like renaming an EXE to COM (DOS still loads it by its MZ header) may confuse an amateur analyst into using the wrong information. Experience really counts here.
FF D8 FF E0, then 00 10 and 4A 46 49 46 ("JFIF") = Joint Photographic Experts Group (JPEG/JFIF) header: SOI marker, APP0 marker, 16-byte APP0 segment length, "JFIF" identifier.
47 49 46 38 37 61 ("GIF87a") and 47 49 46 38 39 61 ("GIF89a") = CompuServe GIF header.
42 4D ("BM") = Windows bitmap, followed by the 4-byte little-endian file size and, after the headers, obvious streams of similar and sometimes identical hexadecimal data (raw pixel rows).
D0 CF 11 E0 A1 B1 1A E1 = OLE compound document header used by Microsoft Word / Excel / PowerPoint (and other Office) files.
Next I searched the whole image file for any occurrence of those common header signatures. Luckily my assessment was correct: I found a JPEG file signature (figure 1) and a Windows bitmap (figure 2). Searches for other signatures related to an executable or anything similar proved negative. My next move, extracting the data from the image, gave me the following options: write a program in C++ or ANSI C on Windows and/or Linux, or extract it directly using cut and paste. The first option seems the better approach, and the more elitist one, so to speak, for presenting here technically, but it would take me another 30 minutes. In the end I took the simple, fast and effective method: cut and paste the data from the image file and rename the result with the appropriate file extension (Turing equivalence :-)). That took me another 5 minutes. And bingo! Here's what I've got: (figure 1.a) from the JPEG file and (figure 2.a) from the bitmap file (I converted it to JPEG for faster upload).
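The header search and cut-and-paste extraction above can be automated. The following is an added example written for this edit, not the author's code or any tool from the original submission. It scans a raw image for the signatures in the table, derives each object's length from its own format (a BMP from its bfSize field, a JPEG by walking the marker segments to the first EOI after SOS) and returns the carved bytes. The floppy image, the offsets 0x4200 and 0x4200 + 3 * 512, and the two tiny files it carves are all constructed for the demonstration.

```python
"""Signature carving of graphics files out of a raw floppy image.

Added example for this write-up, not the author's code. It automates the
header search and cut-and-paste extraction described above. The image it
runs on is constructed inline: a zero-filled 1.44 MB buffer with one tiny
BMP and one tiny JPEG placed in the data area at made-up offsets.
"""
import struct

# Signatures from the write-up's table. MZ and the one-byte COM prefixes
# are left out: without deeper header validation they match far too often.
SIGNATURES = {
    b"\xff\xd8\xff\xe0": "jpeg",  # SOI + APP0 (JFIF)
    b"\xff\xd8\xff\xe1": "jpeg",  # SOI + APP1 (Exif)
    b"BM": "bmp",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # Word/Excel compound file
}
DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}


def bmp_length(data, off):
    """Length of the BMP at `off` from its bfSize field, None if implausible."""
    if off + 30 > len(data):
        return None
    size, res1, res2, pix_off = struct.unpack_from("<IHHI", data, off + 2)
    dib_size = struct.unpack_from("<I", data, off + 14)[0]
    ok = (res1 == res2 == 0 and dib_size in DIB_HEADER_SIZES
          and 14 + dib_size <= pix_off < size <= len(data) - off)
    return size if ok else None


def jpeg_length(data, off):
    """Walk marker segments to SOS, then take the first EOI (FF D9).

    In entropy-coded data every FF is followed by 00 or D0-D7, so the first
    FF D9 after SOS is the real end; thumbnails inside APP segments are
    stepped over by the segment walk and cannot end the carve early.
    """
    pos = off + 2                              # skip SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                           # standalone marker, no length
            continue
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                     # SOS: scan data follows
            end = data.find(b"\xff\xd9", pos)
            return None if end == -1 else end + 2 - off
    return None


LENGTH_OF = {"bmp": bmp_length, "jpeg": jpeg_length}


def carve(data):
    """Sorted (offset, kind, bytes) triples; gif/ole get None for bytes."""
    found = []
    for sig, kind in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            length = LENGTH_OF[kind](data, pos) if kind in LENGTH_OF else None
            if kind not in LENGTH_OF or length is not None:
                found.append((pos, kind, data[pos:pos + length] if length else None))
            pos = data.find(sig, pos + 1)
    return sorted(found, key=lambda t: t[0])


def make_sample_bmp():
    """Constructed 2x1 24-bit BMP, 62 bytes."""
    pixels = bytes([0, 0, 255, 0, 255, 0]) + b"\x00\x00"   # one padded row
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return hdr + dib + pixels


def make_sample_jpeg():
    """Constructed JFIF skeleton, 38 bytes: SOI, APP0, SOS, scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"        # stuffed FF 00 must not end it
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


BMP_OFFSET = 0x4200              # first data cluster of a 1.44 MB FAT12 floppy
JPEG_OFFSET = 0x4200 + 3 * 512   # constructed: three sectors further on


def build_sample_image():
    """Zero-filled floppy image with the two constructed files dropped in."""
    img = bytearray(1474560)
    img[BMP_OFFSET:BMP_OFFSET + 62] = make_sample_bmp()
    img[JPEG_OFFSET:JPEG_OFFSET + 38] = make_sample_jpeg()
    return bytes(img)
```

To run it on a real image, replace build_sample_image() with open("scan26", "rb").read(). GIF and OLE hits are reported with None for the bytes because their length needs a full structure walk, so those are still cut by hand after confirming the header. The BMP plausibility check matters: bfSize is just data in the image, and a corrupted or crafted header would otherwise produce an empty or enormous carve.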
So far so good. I've got the answers to questions 1 to 3 of the challenge, which leaves questions 4 and 5 unanswered. The challenge where I'm stuck is finding the kind of car Jimmy Jungle is driving. My theory is that it is probably encoded in one of those picture files (steganography), just like John Smith's address that I found hidden in the Windows BMP image in figure 2.a, a clever (lossless) approach, and pw=help: most likely the JPEG image file XORed with the password "help". To analyze the image file further, I decided to write it to a disk and see for myself how it looks, in case I was missing something.
Start > Run > cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985 - 2001 Microsoft Corp.

C:\Documents and Settings\rebel.REBEL-LANDO> cd \
C:\> cd \scan26
C:\SCAN26> path g:\os\oberon\beta
C:\SCAN26> rawrite
Native Oberon RAwrite 11.12.2000 <http://www.oberon.ethz.ch/native/>
Write a diskette image to a 1.44MB diskette. May be distributed freely.
Diskette image file [0beon0.dsk]: scan26
Drive to write to <A or B>: A
100% written
100% verified
Next I rebooted the system with the floppy drive as the default boot device to see what would happen. Hopefully our first assessment was indeed correct: the diskette is unbootable and contains no visible file entries. Next I performed a disk check to see if I had missed something, e.g. bad sectors or cross-linked files or directories that might harbor our elusive questions 4 and 5 (common techniques of VX writers).
C:\SCAN26> c:\windows\system32\chkdsk a:
The type of the file system is FAT.
Volume Serial Number is 16DA-0644
Windows is verifying files and folders...
File and folder verification is complete.
Windows has checked the file system and found no problems.
.... blah
2,847 allocation units available on disk.
So far the disk is clean. Next I tried to find hidden files, even looking for the old hacker-style Alt-255 [dec] filename hiding technique. Finding nothing, I rebooted the system and continued hex-editing the image file for another 3 hours, slowly taking note of any pattern I could use, but still no exact answers for questions 4 and 5. Next I decided to use Linux this time to find anything that might be useful in our tinkering adventure. "Spock, aren't you dead? I rebooted..."
[root@marikit /root]# mount -t vfat /dev/fd0 /mnt
[root@marikit /tmp]# cp /mnt/scan26.zip ./; unzip scan26.zip
Archive:  scan26.zip
  inflating: scan26
[root@marikit /tmp]# md5sum scan26
e9c7d0c87ab0ecce09bf90362b830a74  scan26
[root@marikit /tmp]# strings scan26   (result of strings)
I got identical results on Linux to what I had found so far on my Windows boxen, but no answer for 4 and 5 :-( That leaves me one option: to code the XORing algorithm, if it works.
Answers:
1. Who is the probable supplier of drugs to Jimmy Jungle?
John Smith.
2. What is the mailing address of Jimmy Jungle's probable drug supplier?
1212 Main Street, Jones, FL 00001.
3. What is the exact location in which Jimmy Jungle received the drugs?
From the extracted file (map 1), Jimmy Jungle probably received the drugs at Jones Avenue and Smith Street, and maybe at Danny's.
4. Where is Jimmy Jungle currently hiding?
This one is hypothetical: from the extracted file (map 2), Jimmy Jungle's probable hideout is at number 22 Jones Avenue.
5. What kind of car is Jimmy Jungle driving?
I might as well see how the other guys do this...
Bonus Question
Explain the process that was performed so that there were no entries in the root directory and File Allocation Table (FAT), yet the contents of each file remained in the data area?

There are two possible answers here.

One: during his desperate attempt (fictitious, based on the police report) Jungle probably just quick-formatted the floppy diskette. By the nature of DOS quick formatting and deletion, data is not permanently removed from the data area of the disk; the clusters are only freed up in the File Allocation Table, not wiped as users commonly believe. Technically the data stays there waiting to be overwritten by the next write to those sectors. The same applies to deletion, which can be recovered from, especially with disk editing utilities, by looking in the root directory for an entry whose first byte is hex E5 followed by the rest of the 8.3 name and extension (the 8.3 filename less its first character). The entry also holds the file size in bytes in reverse (little-endian) order a few bytes after the 8.3 filename: for example a file size of 2,738 bytes (decimal, 0AB2h) will appear as B2 0A 00 00.

Two: intentionally altering the root directory entries and the File Allocation Table by overwriting them with hex 00. We can also easily modify the boot sector code to make the diskette non-bootable, so that it appears to be blank.

Here's how I can easily duplicate what Jimmy Jungle has done if, for example, I follow option two. Format a blank floppy disk and put all the data files on it. Next acquire a disk editing utility, look for the filenames in the root directory entries, and overwrite them all with hex 00. A good example is DOS/Windows "debug". To load the boot sector of floppy drive A, just type "L 0 0 0 1" at the debug prompt (load into offset 0 from drive 0, starting at sector 0, 1 sector). After the minus sign, if you wish to display it, type "d 0" or "d 0 l 200" for the complete boot sector code. I can easily modify it with "a 0" and then typing instructions after the memory offset, something like "jmp 0002", "int 18", "int 20" (hex bytes EB 00 CD 18 CD 20), and write it back to the disk by typing "w 0 0 0 1". The FAT entries follow after that (sector 1 onward, two copies of 9 sectors each), and the root directory follows the second FAT (sectors 19 to 32), with the data area starting at sector 33 (offset 4200h).
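The bonus answer turns on where each piece of metadata lives: the 8.3 name, the E5 deletion marker and the little-endian size are in the root directory entry, the cluster chain is in the FAT, and the file body is in the data area, which neither a DEL nor a zeroed FAT touches. The following added example (written for this edit, not the author's code) builds a standard 1.44 MB FAT12 floppy image in memory from constructed data, with one made-up file SECRET.TXT of 2,738 bytes, then shows the deleted-entry decoding and option two, zeroing both FATs and the root directory. A real DEL also frees the file's cluster chain in the FAT; mark_deleted reproduces only the directory-entry change the answer describes.

```python
"""What DEL or a hand-zeroed FAT and root directory leave in the data area.

Added example for the bonus question, not the author's code. It builds a
minimal 1.44 MB FAT12 image (constructed data, one file) and then shows a
deleted root entry with its E5 marker and little-endian size field, and
option two: both FATs and the root directory overwritten with 00.
"""
import struct

# BPB of a standard 1.44 MB floppy: 512-byte sectors, 1 reserved sector,
# two FATs of 9 sectors, 224 root entries, 2880 sectors in total.
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, SPF = 512, 1, 1, 2, 224, 2880, 9
FAT_START = RESERVED * BPS                       # 0x0200
ROOT_START = (RESERVED + NFATS * SPF) * BPS      # 0x2600
DATA_START = ROOT_START + ROOT_ENTRIES * 32      # 0x4200


def boot_sector():
    bs = bytearray(BPS)
    bs[0:3], bs[3:11] = b"\xeb\x3c\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", bs, 11, BPS, SPC, RESERVED, NFATS,
                     ROOT_ENTRIES, TOTAL, 0xF0, SPF, 18, 2, 0, 0)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def fat12_get(fat, n):
    i = n + n // 2                               # 12-bit entries, 1.5 bytes each
    v = fat[i] | (fat[i + 1] << 8)
    return v >> 4 if n & 1 else v & 0x0FFF


def fat12_set(fat, n, value):
    i = n + n // 2
    if n & 1:
        fat[i] = (fat[i] & 0x0F) | ((value << 4) & 0xF0)
        fat[i + 1] = (value >> 4) & 0xFF
    else:
        fat[i] = value & 0xFF
        fat[i + 1] = (fat[i + 1] & 0xF0) | ((value >> 8) & 0x0F)


def dir_entry(name83, first_cluster, size):
    """32-byte root entry: 8.3 name, attr, NT/time/date fields, cluster, size."""
    return struct.pack("<11sBBBHHHHHHHI", name83.encode("ascii"), 0x20,
                       0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)


def build_image(name83, content):
    img = bytearray(TOTAL * BPS)
    img[0:BPS] = boot_sector()
    fat = bytearray(SPF * BPS)
    fat[0:3] = b"\xf0\xff\xff"                   # media byte + reserved entry
    clusters = -(-len(content) // (BPS * SPC))
    for k in range(clusters):                    # chain 2 -> 3 -> ... -> EOC
        fat12_set(fat, 2 + k, 0xFFF if k == clusters - 1 else 3 + k)
    for f in range(NFATS):
        img[FAT_START + f * len(fat):FAT_START + (f + 1) * len(fat)] = fat
    img[ROOT_START:ROOT_START + 32] = dir_entry(name83, 2, len(content))
    img[DATA_START:DATA_START + len(content)] = content
    return bytes(img)


def parse_root(img):
    """Decode root entries up to the first never-used (00) slot."""
    out = []
    for off in range(ROOT_START, DATA_START, 32):
        e = img[off:off + 32]
        if e[0] == 0x00:
            break
        deleted = e[0] == 0xE5                   # DEL overwrites byte 0 only
        base = (b"?" if deleted else e[:1]) + e[1:8]
        first_cluster, size = struct.unpack_from("<HI", e, 26)
        out.append({"name": (base.rstrip() + b"." + e[8:11].rstrip()).decode(),
                    "deleted": deleted, "first_cluster": first_cluster,
                    "size": size,
                    "size_bytes": " ".join(f"{b:02X}" for b in e[28:32])})
    return out


def fat_chain(img, n):
    """Follow the FAT from cluster n; empty if that cluster is marked free."""
    fat = img[FAT_START:FAT_START + SPF * BPS]
    chain = []
    while 2 <= n < 0xFF0 and fat12_get(fat, n) != 0:
        chain.append(n)
        n = fat12_get(fat, n)
    return chain


def mark_deleted(img, index=0):
    """Directory-entry half of a DEL: first byte becomes E5, nothing else moves."""
    out = bytearray(img)
    out[ROOT_START + index * 32] = 0xE5
    return bytes(out)


def zero_fat_and_root(img):
    """Option two from the answer: both FATs and the root directory become 00."""
    out = bytearray(img)
    out[FAT_START:DATA_START] = bytes(DATA_START - FAT_START)
    return bytes(out)


CONTENT = (b"constructed sample file content\n" * 100)[:2738]   # 2738 = 0AB2h
```

Against the challenge floppy the same functions would run on open("scan26", "rb").read(): with the FAT and root directory zeroed, parse_root returns nothing and fat_chain returns [] for every cluster, while the carved headers are still found in the data area from offset 0x4200 on. Note that parse_root stops at the first 00 entry, which is exactly why a zeroed root directory looks empty to DIR even if later slots were never cleared.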
Credits
Thanks to the SO for the strength, to my daughter who inspires me, and to all the nameless and faceless people who silently work for the good...
Reference: It's all in the brain...