Scan of the Month 26 Report

Date: 2003 Feb 21
Author: Johnny Lee (typo_pl@hotmail.com)

Summary
 
Background:

This month's challenge is a continuation of Scan of the Month 24. In that first challenge, you had to decode and analyze a floppy disk recovered from the drug dealer Joe Jacobs. Your mission is to now analyze the floppy recovered from his supplier, Jimmy Jungle. All submissions have to be in by Friday, 21 February. Results will be released Friday, 28 February.
 
Question 1: Who is the probable supplier of drugs to Jimmy Jungle?
Answer: The probable name of the drug supplier is John Smith. See Legible Strings below.
Question 2: What is the mailing address of Jimmy Jungle's probable drug supplier?
Answer: The mailing address is 1212 Main Street, Jones, FL 00001. See Legible Strings below.
Question 3: What is the exact location in which Jimmy Jungle received the drugs?
Answer: Danny's, Pier 12 Boat Lunch (Launch?)
Question 4: Where is Jimmy Jungle currently hiding?
Answer: Jimmy Jungle is hiding at 22 Jones Ave near Smith Street.
Question 5: What kind of car is Jimmy Jungle driving?
Answer: ???
Bonus Question: Explain the process that was performed so that there were no entries in the root directory and File Allocation Table (FAT), yet the contents of each file remained in the data area?
Answer: While the floppy disk is in drive A:, enter 'FORMAT /Q A:' at a command/DOS prompt. This performs a quick format of the floppy disk: the command rewrites the boot sector, root directory and FATs but leaves the data area untouched, so the file contents remain on the disk even though no directory entry or cluster chain points to them. The /Q switch is valid on DOS 5.x+, OS/2 Warp, Windows 9x, Windows ME, Windows NT 4, Windows 2000 and Windows XP. Jimmy Jungle probably used Windows 9x or Windows ME to format the floppy, based on the loader file names left in the boot sector (see Floppy Image Contents).

Details of Investigation

Investigation was performed on a computer running Windows 2000 Service Pack 3.

Startup

I downloaded the floppy image, scan26.zip, to my local hard drive. I changed the file attributes of the downloaded file to read-only.

I checked the MD5 checksum of 'scan26.zip' to see if it matched the reported MD5 checksum.

I checked the ZIP file's contents via 'unzip -v' to see what was in the ZIP file.

I checked the integrity of the zip file by running 'unzip -t' on the ZIP file.

I unzipped the ZIP file.

I changed the file attributes of the scan26 file to read-only.

I checked the MD5 checksum of 'scan26' to see if it matched the reported MD5 checksum.

I downloaded the data from scan24 challenge to familiarize myself with the scenario.

Legible Strings

I ran the scan26 file through strings.exe to discover any legible strings in the file. Two strings were noteworthy:

The second string could be the answers to questions #1 and #2.

Floppy Image Contents

I ran the scan26 file through hd.exe to get a hex dump of the file's contents.

I downloaded a description of the FAT volume format.

I wrote a perl script to dump the major pieces of information about a FAT volume.

I discovered that the floppy image contained no directory entries and the FAT contained no links to files. See Floppy Disk Image Dump.

I switched to the hex dump of the scan26 file.

In the boot sector of the floppy image (first 512 bytes), there's the following data:

000001d0   79 20 6b 65 79 0d 0a 00 49 4f 20 20 20 20 20 20  y key...IO      
000001e0   53 59 53 4d 53 44 4f 53 20 20 20 53 59 53 80 01  SYSMSDOS   SYS..
000001f0   00 57 49 4e 42 4f 4f 54 20 53 59 53 00 00 55 aa  .WINBOOT SYS..U.

Note the ASCII representation in the right-hand column.

This indicates that the floppy disk was likely formatted on Windows 9x or Windows ME, since the boot sectors written by those operating systems name the files IO.SYS, MSDOS.SYS and WINBOOT.SYS. MS-DOS boot sectors name only the first two; WINBOOT.SYS is indicative of Windows 9x/ME. Floppies formatted with Windows NT and Windows 2000 reference the file NTLDR instead.
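The layout that the perl script above derives can be reproduced from the BIOS Parameter Block alone. The following Python is an added example written for this report, not the author's fddump.pl: it builds a constructed 1.44 MB FAT12 image (the only bytes taken from scan26 are the loader names, placed at the same boot-sector offsets as in the dump above), computes the FAT, root-directory and data-area offsets, and tests for the quick-format state of an empty root directory and FATs with nothing allocated. On this geometry the data area starts at 0x4200, exactly where the JFIF header appears in the hex dump further down.

```python
import struct

SECTOR = 512


def build_boot_sector():
    """Constructed boot sector carrying the BIOS Parameter Block (BPB) of a
    standard 1.44 MB FAT12 floppy. Example data, not bytes from scan26; only
    the loader file names in the tail reproduce what the scan26 dump shows."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"                 # JMP SHORT to boot code, NOP
    bs[3:11] = b"MSWIN4.1"                    # OEM name used by Windows 9x
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512,    # BPB_BytsPerSec
                     1,      # BPB_SecPerClus: one 512-byte sector per cluster
                     1,      # BPB_RsvdSecCnt: only the boot sector
                     2,      # BPB_NumFATs
                     224,    # BPB_RootEntCnt: 224 * 32 bytes = 14 sectors
                     2880,   # BPB_TotSec16: 1.44 MB
                     0xF0,   # BPB_Media: 3.5" 1.44 MB floppy
                     9,      # BPB_FATSz16: 9 sectors per FAT
                     18, 2,  # BPB_SecPerTrk, BPB_NumHeads
                     0, 0)   # BPB_HiddSec, BPB_TotSec32
    # Loader file names at the same offsets as in the dump above
    bs[0x1D8:0x1E3] = b"IO      SYS"
    bs[0x1E3:0x1EE] = b"MSDOS   SYS"
    bs[0x1F1:0x1FC] = b"WINBOOT SYS"
    bs[0x1FE:0x200] = b"\x55\xaa"             # boot signature
    return bytes(bs)


def build_image():
    """Constructed quick-formatted image: boot sector, two FATs holding only
    the media-descriptor entries (F0 FF FF for FAT12), zeroed root directory
    and zeroed data area."""
    img = bytearray(2880 * SECTOR)
    img[:SECTOR] = build_boot_sector()
    for fat_off in (1 * SECTOR, 10 * SECTOR):  # FAT1 at sector 1, FAT2 at 10
        img[fat_off:fat_off + 3] = b"\xf0\xff\xff"
    return bytes(img)


def parse_bpb(image):
    """Read the BPB and derive where the FATs, root directory and data area lie."""
    if image[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, num_fats, root_entries,
     total_sec, media, fat_sectors) = struct.unpack_from("<HBHBHHBH", image, 11)
    fat_start = reserved * bps
    root_start = fat_start + num_fats * fat_sectors * bps
    data_start = root_start + root_entries * 32
    return {
        "oem": image[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sec": bps, "sec_per_clus": spc, "num_fats": num_fats,
        "fat_bytes": fat_sectors * bps, "media": media, "total_sec": total_sec,
        "fat_start": fat_start, "root_start": root_start, "data_start": data_start,
    }


def is_quick_formatted(image, layout):
    """True when no cluster is allocated in any FAT and the root directory is
    empty, whatever the data area holds: the state the bonus question
    describes. For FAT12 the first two FAT entries (3 bytes) are the media
    descriptor and an end-of-chain mark, so only the bytes after them count."""
    for n in range(layout["num_fats"]):
        start = layout["fat_start"] + n * layout["fat_bytes"]
        if any(image[start + 3:start + layout["fat_bytes"]]):
            return False
    return not any(image[layout["root_start"]:layout["data_start"]])


def data_area_has_content(image, layout):
    """True if anything non-zero survives past the root directory."""
    return any(image[layout["data_start"]:])


def likely_formatting_os(image):
    """The report's heuristic applied to the boot sector tail."""
    boot = image[:SECTOR]
    if b"WINBOOT SYS" in boot:
        return "Windows 9x/ME"
    if b"NTLDR" in boot:
        return "Windows NT/2000/XP"
    return "unknown"


if __name__ == "__main__":
    img = build_image()
    layout = parse_bpb(img)
    for key in ("fat_start", "root_start", "data_start"):
        print("%-11s 0x%05x" % (key, layout[key]))
    print("quick-formatted:", is_quick_formatted(img, layout))
    print("formatted on:", likely_formatting_os(img))
```

Run against a real image, read the file with `open(path, "rb").read()` in place of `build_image()`; a disk that is quick-formatted but whose data area still holds file contents reports `is_quick_formatted` True and `data_area_has_content` True, which is the combination the bonus question asks about.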

Looking at the hexdump, I found the following data:

000041f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00004200   ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48  ......JFIF.....H
00004210   00 48 00 00 ff fe 00 4c 11 53 6e 55 47 b3 2d 44  .H.....L.SnUG.-D
00004220   35 d2 23 66 6b 1d bd 76 3c 89 68 69 d4 17 60 e8  5.#fk..v<.hi..`.

I searched the web via www.google.com for 'JFIF' and discovered that it was a marker for the JPEG file format.

I extracted the contents for the JPEG file and saved it to a file.

I viewed the file and saw the text "Danny's Pier 12 Boat Lunch" in the JPEG file.

I also found the following data after the JPEG file in the floppy image:

0000c1f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000c200   42 4d 76 cc 11 00 00 00 00 00 36 00 00 00 28 00  BMv.......6...(.
0000c210   00 00 d0 02 00 00 1c 02 00 00 01 00 18 00 00 00  ................
0000c220   00 00 40 cc 11 00 00 00 00 00 00 00 00 00 00 00  ..@.............

I searched the web via www.google.com for 'BM file format'. Google suggested 'BMP file format'.

I extracted the data as a BMP file and tried to open the file with MS Paint. MS Paint opened the file successfully. The file showed the likely hideout location for Jimmy Jungle.

I downloaded a document describing the JPEG file format. See Reference #2. There was a section about JPEG comments. Perhaps the JPEG file contained data. I recall reading about steganography - hiding data within pictures.

I wrote a perl script to dump out the markers and any comments in a JPEG file.

Running the perl script on the JPEG file revealed two JPEG comment sections.

I searched the web for information on steganography and programs that could hide data in JPEG files.

I found this web page http://members.tripod.com/steganography/stego/software.html.

I found one interesting resource: Stegdetect from http://www.outguess.org/detection.php.

I downloaded the application and ran it against the JPEG file.

Stegdetect.exe reported:

file1.jpg : invisible[7771](***)

'invisible' referred to the steganography program Invisible Secrets according to the Stegdetect source code.

I looked up Invisible Secrets on the web and found an Invisible Secrets 2002 program that would hide data in JPEG files.

I downloaded the trial version of the program and tried the program with the JPEG file using the 'help' password found with strings.exe.

Invisible Secrets said there wasn't any data that it hid in the file.

I looked at the JPEG comments and saw that the last four bytes of the first comment are similar to the size of the second comment.

The second comment also seemed to begin with a Length value.
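Both the carving of the JPEG and BMP from the hex dump and the JPEG marker/comment dump can be done with one small parser. The Python below is an added example, not the author's jpgdump.pl; the image and the two files in it are constructed here (the JPEG is a structurally valid marker stream, not a decodable picture), and the assumed constants are the 512-byte cluster size and the 0x4200 data-area start of a standard 1.44 MB floppy. It walks JPEG segments while skipping the entropy-coded scan correctly (FF 00 stuffing and FF D0..D7 restart markers do not end the scan), extracts the COM payloads, and checks the observation above that the last four bytes of the first comment encode the second comment's length. For the BMP it uses the bfSize field after confirming it against width, height and bits per pixel; the header in the dump above is self-consistent on that test: 720 x 540 pixels at 24 bits per pixel is 2160 bytes per row, 1,166,400 bytes of pixels, plus the 54-byte header gives 1,166,454 = 0x0011CC76, the bfSize shown.

```python
import struct

SOI, APP0, SOS, COM, EOI = 0xD8, 0xE0, 0xDA, 0xFE, 0xD9
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # TEM, RST0-7, SOI, EOI: no length
DATA_START = 0x4200   # first data cluster of a standard 1.44 MB floppy (assumed);
                      # the JFIF header in the dump above sits exactly there
CLUSTER = 512


def walk_jpeg(data, start=0):
    """Yield (offset, marker, payload) for every segment of the JPEG at `start`,
    stopping after EOI. Within the scan that follows SOS, FF 00 is a stuffed
    data byte and FF D0..D7 are restart markers; neither ends the scan.
    Raises ValueError on a truncated or malformed stream."""
    if data[start:start + 2] != b"\xff\xd8":
        raise ValueError("no SOI at 0x%x" % start)
    pos = start
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at 0x%x" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte ahead of a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, marker, b""
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated length field at 0x%x" % pos)
        (length,) = struct.unpack_from(">H", data, pos + 2)
        payload = data[pos + 4:pos + 2 + length]
        if length < 2 or len(payload) != length - 2:
            raise ValueError("truncated segment at 0x%x" % pos)
        yield pos, marker, payload
        pos += 2 + length
        if marker == SOS:                    # skip the entropy-coded data
            while True:
                pos = data.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(data):
                    raise ValueError("scan data runs off the end")
                nxt = data[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2
                else:
                    break
    raise ValueError("no EOI found")


def jpeg_end(data, start=0):
    """Offset just past the EOI marker of the JPEG at `start`."""
    return next(off for off, m, _ in walk_jpeg(data, start) if m == EOI) + 2


def jpeg_comments(data, start=0):
    """Payloads of all COM (FF FE) segments, in file order."""
    return [p for _, m, p in walk_jpeg(data, start) if m == COM]


def trailer_encodes_next_length(comments):
    """Test of the observation above: does the last 4-byte word of the first
    comment equal the second comment's length (either byte order)?"""
    if len(comments) < 2 or len(comments[0]) < 4:
        return False
    tail = comments[0][-4:]
    return len(comments[1]) in (struct.unpack("<I", tail)[0], struct.unpack(">I", tail)[0])


def bmp_size(image, off):
    """Declared bfSize of the BMP at `off`, or None if it disagrees with the
    DIB header (4-byte padded row stride times height, plus the pixel offset)."""
    size, _, _, pix_off = struct.unpack_from("<IHHI", image, off + 2)
    width, height, _, bpp = struct.unpack_from("<iiHH", image, off + 18)
    stride = ((width * bpp + 31) // 32) * 4
    return size if size == pix_off + stride * abs(height) else None


def carve(image, data_start=DATA_START, cluster=CLUSTER):
    """Find JPEG and BMP headers on cluster boundaries of the data area and
    return (offset, kind, bytes). Assumes each file is stored contiguously,
    which is what the dump above shows (JPEG at 0x4200, BMP at 0xC200)."""
    found = []
    for off in range(data_start, len(image) - 30, cluster):
        if image[off:off + 4] == b"\xff\xd8\xff\xe0" and image[off + 6:off + 10] == b"JFIF":
            found.append((off, "jpeg", image[off:jpeg_end(image, off)]))
        elif image[off:off + 2] == b"BM" and bmp_size(image, off):
            found.append((off, "bmp", image[off:off + bmp_size(image, off)]))
    return found


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(comments):
    """Constructed marker stream: SOI, the JFIF APP0 from the dump above, the
    given COM segments, a one-component SOS, and a scan holding a stuffed
    byte, a restart marker and a fill byte before EOI."""
    out = b"\xff\xd8" + _seg(APP0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    out += b"".join(_seg(COM, c) for c in comments)
    out += _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return out + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xff\xd9"


def build_sample_bmp(width=4, height=2):
    """Constructed 24-bit BMP with all-black pixels."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = bytes(stride * height)
    hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return hdr + dib + pixels


def build_sample_image():
    """Constructed floppy-like image: empty system area, a JPEG on the first
    data cluster, a BMP on the next cluster boundary. The first comment's last
    four bytes carry the second comment's length, mirroring the pattern above."""
    second = b"\x00" * 40
    jpg = build_sample_jpeg([b"cmt1" * 5 + struct.pack("<I", len(second)), second])
    bmp = build_sample_bmp()
    img = bytearray(DATA_START + 8 * CLUSTER)
    img[DATA_START:DATA_START + len(jpg)] = jpg
    bmp_off = DATA_START + -(-len(jpg) // CLUSTER) * CLUSTER   # next cluster up
    img[bmp_off:bmp_off + len(bmp)] = bmp
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off, kind, blob in carve(image):
        print("0x%05x %-4s %d bytes" % (off, kind, len(blob)))
        if kind == "jpeg":
            for soff, m, p in walk_jpeg(blob):
                print("  +0x%04x FF%02X %d payload bytes" % (soff, m, len(p)))
            print("  first comment ends with second comment's length:",
                  trailer_encodes_next_length(jpeg_comments(blob)))
```

On a real image, replace `build_sample_image()` with the bytes of the floppy dump and write each carved `blob` to its own file; the marker walk stops at the EOI marker, so trailing slack in the last cluster is not copied into the extracted JPEG.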

I tried several other steganography programs without success.

I tried various invocations of the format command and finally discovered one way to erase the root directory and FAT area while leaving the data area untouched as found in the scan26 floppy image.

I wrote a program to create a file containing the entire contents of a floppy disk. I used this program to check the results of the format command above.

References and Tools

  1. FAT32 File System Specification from http://www.microsoft.com/hwdev/download/hardware/FATGEN103.doc
  2. JPEG file layout and format from http://www.funducode.com/freec/Fileformats/format3/format3b.htm
  3. Unzip application from http://www.info-zip.org/UnZip.html
  4. Win32 ActivePerl application from http://www.activestate.com
  5. Google search engine at http://www.google.com
  6. fddump.pl - perl script to dump information about a floppy disk image. Available upon request.
  7. jpgdump.pl - perl script to dump information about a JPEG file. Available upon request.
  8. read_floppy.exe - Win32 app to dump floppy disk contents to a file. Available upon request.