In SotM 24, a floppy disk recovered from the drug dealer Joe Jacobs was analyzed for evidence. In SotM 26, we are given a police report and an image of a floppy disk recovered from Jimmy Jungle, Joe Jacobs' drug supplier. Again, we need to analyze the floppy disk image and recover evidence for police investigators.
Police investigators need the answers to the questions: who is the probable supplier of drugs to Jimmy Jungle, what is the mailing address of his probable drug supplier, what is the location in which he received the drugs, where is he currently hiding, and what kind of car is he driving?
SYSTEM USED:
IBM Compatible PC with
AMD 900Mhz Athlon Processor and
128MB DDR RAM running Windows 2000 Professional SP3
TOOLS USED:
New Technologies Inc. "ASCII Filter Program" Version 3.0
Convar's "PC Inspector File Recovery" Version 3.0
Gilles Vollant's "WinImage" Version 6.10.6100
WinZip Computing, Inc.'s "WinZip" Version 8.0 (3105)
Microsoft's "WordPad" Version 5.0
Microsoft's "Paint" Version 5.0
Step 1: After downloading the "scan26.zip" floppy disk image file from Honeynet.org, WinZip was used to extract the image file "scan26" to the Desktop folder \sotm.
Step 2: The "ASCII Filter Program" was copied into the \sotm folder and run from a DOS prompt. ("ASCII Filter Program" is used to remove non-ASCII and control-character data from binary files. This allows an easy text-based view of the file to determine patterns of text.)
Step 3: Using the "ASCII Filter Program" the "scan26" file was selected with options: replace with spaces, carriage return and line feeds left in. The file "scan26.x01" was created.
Step 4: Microsoft "WordPad" (a text viewer/word processor) was then used to open and view the "scan26.x01" file. The very end of the file contained important reference information:
BMv W
pw=help
John Smith's Address: 1212 Main Street, Jones, FL 00001
This information provides a car (pulling BMW from BMv W), a password (pw=help) for a possible password protected file the data was in, and an address (probable drug supplier to Jimmy Jungle). No other usable text patterns were found.
Step 5: Next, the original image file "scan26" was renamed "scan26.dsk" in order to use "WinImage" to extract the image file to a new and blank floppy disk.
Step 6: Once the floppy disk had been imaged with "scan26.dsk", the "PC Inspector File Recovery" program was used to scan the floppy disk for any and all lost files or data. "PC Inspector File Recovery" found two recoverable files in clusters 2 and 66 of the floppy disk. These files were recovered from the floppy disk and saved as:
cluster 2.jpg
cluster 66.bmp
Both files were graphics files in two separate formats. No other files or data were found by "PC Inspector File Recovery".
Step 7: Both of the graphics files, "cluster 2.jpg" and "cluster 66.bmp", were opened using Microsoft's "Paint" program to view the files.
Both files were compared visually and found to be slightly different. Both graphics showed a mapped area with distinct road names and special locations marked with X's in green shaded squares. These special locations were:
Danny's Pier 12 Boat Lunch (on Shore Line Drive)
Hideout 22 Jones (on Jones Ave.)
However, "cluster 2.jpg" only showed the "Danny's Pier 12 Boat Lunch" location, whereas "cluster 66.bmp" showed both locations.
Since "Hideout" was used to describe the "22 Jones Ave." location, it is probable that this location is where Jimmy Jungle is currently hiding. The only other location listed, "Danny's Pier 12 Boat Lunch", would be the probable location where Jimmy Jungle received the drugs from John Smith.
Step 8: From the above analysis this report was created, and all data, files, images, disks and this report were saved and backed up.
Q: Who is the probable supplier of drugs to Jimmy Jungle?
A: John Smith
Q: What is the mailing address of Jimmy Jungle's probable drug supplier?
A: 1212 Main Street, Jones, FL 00001
Q: What is the exact location in which Jimmy Jungle received the drugs?
A: Danny's on Shore Line Drive, Pier 12 (Boat Lunch)
Q: Where is Jimmy Jungle currently hiding?
A: 22 Jones Ave.
Q: What kind of car is Jimmy Jungle driving?
A: BMW
Q: Bonus Question: Explain the process that was performed so that there were no entries in the root directory and File Allocation Table (FAT), yet the contents of each file remained in the data area?
A: A common misunderstanding is that data is actually removed from a disk when you delete the file. Any time that a file is deleted, it is not truly deleted. Instead, the information that points to the location of the file on the disk is deleted. This pointer, along with the pointers for every folder and file on the disk, is saved in the File Allocation Table at the beginning of the disk and is used by the operating system to compile the directory tree structure. By deleting the pointer file, the actual file becomes undetectable to the operating system yet remains in the data area of the disk.
Jimmy Jungle obviously attempted to delete the files from the disk without knowing he was only deleting the pointers to the file and not the actual data.
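The cluster-level recovery in Step 6 and the bonus answer above, as an added example that is not part of the original submission or of any tool it lists: it parses the FAT12 boot sector of a 1.44 MB floppy image, lists what the root directory still holds (a conventional delete only flips the first byte of an entry to 0xE5 and keeps the start cluster and size), and signature-carves JPEG/BMP files straight from the data area, keyed by the same cluster numbers PC Inspector reported. The image, its file contents and the "IDEOUT BMP" entry are constructed here; standard floppy geometry (512-byte sectors, 1 sector per cluster, 2 FATs of 9 sectors, 224 root entries) is assumed.

```python
import struct
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def fat12_layout(img):
    """Parse the BIOS Parameter Block: (root_dir_offset, root_entry_count, data_start, cluster_size)."""
    bps, spc, reserved, nfats, root_count = struct.unpack_from("<HBHBH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    root_off = (reserved + nfats * spf) * bps
    return root_off, root_count, root_off + root_count * 32, bps * spc

def root_entries(img):
    """Classify each 32-byte root slot: 'deleted' (0xE5, start cluster and size kept) or 'live'."""
    root_off, n, _, _ = fat12_layout(img)
    out = []
    for i in range(n):
        e = img[root_off + 32 * i: root_off + 32 * i + 32]
        if e[0] == 0:
            break  # 0x00 marks the end of used slots; nothing after it was ever written
        status = "deleted" if e[0] == 0xE5 else "live"
        start, size = struct.unpack_from("<HI", e, 26)
        out.append((status, e[:11].decode("ascii", "replace"), start, size))
    return out

def carve(img):
    """Signature-carve JPEG/BMP files from the data area, keyed by FAT cluster (first data cluster is 2)."""
    _, _, data_start, csize = fat12_layout(img)
    found = {}
    for off in range(data_start, len(img), csize):
        cluster = 2 + (off - data_start) // csize
        if img[off:off + 3] == JPEG_SOI:
            end = img.find(JPEG_EOI, off + 3)
            found[cluster] = ("jpg", img[off:end + 2] if end != -1 else img[off:])
        elif img[off:off + 2] == b"BM":
            size = struct.unpack_from("<I", img, off + 2)[0]  # BMP header carries the file size
            found[cluster] = ("bmp", img[off:off + size])
    return found

def build_sample_image():
    """Constructed 1.44 MB FAT12 image: orphaned JPEG at cluster 2, BMP at cluster 66, one 0xE5-deleted entry."""
    img = bytearray(1474560)
    struct.pack_into("<HBHBH", img, 11, 512, 1, 1, 2, 224)  # standard floppy BPB values
    struct.pack_into("<H", img, 22, 9)
    root_off, _, data_start, csize = fat12_layout(img)
    jpeg = JPEG_SOI + b"\xe0fake-jpeg-body" + JPEG_EOI
    img[data_start:data_start + len(jpeg)] = jpeg
    bmp = b"BM" + struct.pack("<I", 29) + b"\0" * 8 + b"fake-bmp-pixels"
    img[data_start + 64 * csize:data_start + 64 * csize + len(bmp)] = bmp
    img[root_off:root_off + 32] = b"\xe5IDEOUT BMP" + b"\0" * 15 + struct.pack("<HI", 66, 29)
    return bytes(img)
```

On a disk like scan26, where the directory and FAT were both cleared, root_entries() returns nothing at all, which is why only a signature scan of the data area locates the two images.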