Scan Of the Month Challenge – By [email protected]
Q1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
Q2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
The copy of the cover page recovered directly from the disk image contained nothing useful. But the copy recovered later contained the front page of Pot Smokers Monthly, which links to some of the information in the letter to Jimmy.
"Thanks for sending me the Cover Page. What do you put
in your soil when you plant the marijuana seeds? At least I know your growing
it and not some guy in
It helps confirm that Jimmy is indeed a drug dealer and is in contact with Joe.
One of the most useful pieces of data is located toward the end of the JPEG. It seems that Jimmy has tried to incorporate some poor form of steganography into his communications with Joe.
At offset 0x3D20, length 0x000C, is the string 'pw=goodtimes'. One can only assume that pw stands for password and 'goodtimes' is the password.
It turns out that this is the password for the zip file containing Joe’s drug dealing schedule.
Q3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
Joe also frequents these schools.
Leetch High School (C)
Q4. For each file, what processes were taken by the suspect to mask them from others?
The following files were recovered from the disk.
- Jimmy Jungle.doc
- Scheduled Visits.xls
- cover page.jpg
The following are the processes taken to mask the files.
- jimmy jungle.doc
- cover page.jpg
I don't suspect that Joe purposely cross-linked the clusters on the disk; more than likely it was just a soft error due to data corruption. The data can be read and written correctly with no errors, but the data is not what it should be. For example, in the FAT file system an entry in the FAT table may be corrupted: it may point to a cluster which does not exist (sector not found error), or it may point to a cluster which is already owned by another file (cross-linked clusters). Clearly any given cluster can only belong to a single file, so if two (or more) files think that they own the same cluster there is an error.
The suspect had changed the extension of this file to .exe, knowing that only he would know of this, thereby hiding the data within the archive. The archive itself was password protected using a password cleverly hidden within the cover page image.
- Scheduled Visits.xls
This file was the most protected file on the disk, and it contained information pertaining to Joe's drug dealing habits.
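The cross-linked cluster and "sector not found" conditions described under Q4 can be checked mechanically by walking each file's FAT12 chain and recording which file claims each cluster. The following is an added example written for this write-up, not code from the original analysis or from any recovery tool; the FAT table, the cluster count and the three directory entries are constructed in memory so the script runs offline.

```python
"""Walk FAT12 cluster chains and flag cross-linked or dangling clusters.

Added example, not part of the original write-up. The FAT below is
constructed in memory so that one chain runs into a cluster already
owned by another file (cross-link) and a third points past the end
of the disk (the 'sector not found' case).
"""
from typing import Dict, List, Tuple

FAT12_EOC_MIN = 0xFF8   # 0xFF8..0xFFF: last cluster of a chain
FAT12_BAD = 0xFF7       # cluster marked bad


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read the 12-bit entry for `cluster`; entries are packed 1.5 bytes each."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    return (word >> 4) if cluster & 1 else (word & 0x0FFF)


def pack_fat12(entries: List[int]) -> bytes:
    """Inverse of fat12_entry, used only to build the constructed sample FAT."""
    fat = bytearray((len(entries) * 3 + 1) // 2 + 1)
    for n, e in enumerate(entries):
        off = n + n // 2
        word = fat[off] | (fat[off + 1] << 8)
        word = (word & 0x000F) | (e << 4) if n & 1 else (word & 0xF000) | e
        fat[off], fat[off + 1] = word & 0xFF, word >> 8
    return bytes(fat)


def walk_chain(fat: bytes, start: int, total_clusters: int) -> Tuple[List[int], str]:
    """Follow a chain from `start`. Status is 'ok', 'out-of-range' (points at a
    cluster that does not exist), 'bad-cluster' or 'loop'."""
    chain: List[int] = []
    cur = start
    while True:
        if cur < 2 or cur >= total_clusters + 2:   # data clusters are numbered 2..N+1
            return chain, "out-of-range"
        if cur in chain:
            return chain, "loop"
        chain.append(cur)
        nxt = fat12_entry(fat, cur)
        if nxt >= FAT12_EOC_MIN:
            return chain, "ok"
        if nxt == FAT12_BAD:
            return chain, "bad-cluster"
        cur = nxt


def find_cross_links(fat: bytes, files: Dict[str, int], total_clusters: int) -> Dict[str, object]:
    """Map every cluster to the files claiming it; more than one owner is a cross-link."""
    owners: Dict[int, List[str]] = {}
    status: Dict[str, str] = {}
    for name, start in files.items():
        chain, status[name] = walk_chain(fat, start, total_clusters)
        for c in chain:
            owners.setdefault(c, []).append(name)
    return {"status": status,
            "cross_linked": {c: names for c, names in owners.items() if len(names) > 1}}


# Constructed sample: 14 data clusters (2..15). JIMMY.DOC owns 2->3->4;
# COVER.JPG runs 5->6 and then into JIMMY.DOC's cluster 4 (cross-link);
# SCHED.EXE points from 7 at cluster 0x200, which does not exist.
SAMPLE_TOTAL_CLUSTERS = 14
SAMPLE_FAT = pack_fat12([0xFF0, 0xFFF, 3, 4, 0xFFF, 6, 4, 0x200] + [0] * 8)
SAMPLE_FILES = {"JIMMY.DOC": 2, "COVER.JPG": 5, "SCHED.EXE": 7}

if __name__ == "__main__":
    result = find_cross_links(SAMPLE_FAT, SAMPLE_FILES, SAMPLE_TOTAL_CLUSTERS)
    for name, st in result["status"].items():
        print(f"{name}: {st}")
    for cluster, names in result["cross_linked"].items():
        print(f"cluster {cluster} is claimed by {', '.join(names)}")
```

On a real image the FAT bytes come from the sectors right after the reserved area and the start clusters from the directory entries; the walker itself does not change. A file whose chain ends early while its directory size says it should be longer is the situation the R-Studio warning later in this write-up describes.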
Q5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
$ md5 image.zip
MD5 (image.zip) = b676147f63923e1f428131d59b1d6a72
I checked the checksum of the image, which matched, then proceeded to write the image to a floppy disk. I used rawwrite for this operation.
Enter source file name: image
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 79 Head: 1 Sector: 16
The following files are what came from the disk image.
Directory of A:\
2 File(s) 16,585 bytes
0 Dir(s) 1,439,232 bytes free
Both files have extensions that resemble commonly known ones. The first is .exe:
.EXE Executable File
And if you remove the c from the other file's extension (.jpgc) you get another commonly known extension, .jpg:
.JPG JPEG/JFIF Image
When I attempted to open it as a JPEG file I couldn't see anything, so I opened the file in UltraEdit, to find that it was one continuous stream of 'öööööööööö'.
When I tried to run Scheduled Visits.exe, I got an MS-DOS subsystem error. I loaded Scheduled Visits.exe into UltraEdit to have a closer look at the file. Nothing really stood out in this file except for 'Scheduled Visits.xls', which was in plain text near the top of the file. I suspected that the file could be either corrupt or fake.
From this point I decided to check whether the disk was corrupt, starting by analysing the partition boot sector (PBS).
Analysis of the PBS
Offset Length Value Meaning
0x0000 0x0003 EB 3C 90 Jump Instruction
0x0003 0x0008 MSDOS5.0 OEM Name in text
0x000B 0x0002 0x0002 Bytes per sector
0x000D 0x0001 0x01 Sectors per Cluster
0x000E 0x0002 0x0100 Reserved Sectors
0x0010 0x0001 0x02 Number of FATs
0x0011 0x0002 0xE000 Root entries
0x0013 0x0002 0x400B Number Of Sectors
0x0015 0x0001 0xF0 Media Type (F0 = 3 1/2 floppy, 1.44MB)
0x0016 0x0002 0x0900 Sectors per FAT
0x0018 0x0002 0x1200 Sectors per Track
0x001A 0x0002 0x0200 Number of Heads
0x001C 0x0004 00 00 00 00 Hidden Sectors
0x0020 0x0004 00 00 00 00 Large Sectors
0x0024 0x0002 00 00 Physical Disk
0x0026 0x0001 29 Sig. (Needed by NT)
0x0027 0x0004 CF CD B1 C4 Vol. Serial Number
0x002B 0x000B NO NAME Volume Label
0x0036 0x0008 FAT12 System ID
0x003E 0x01aa 33 C9 8E ... Bootstrap code
0x01FE 0x0002 55 AA End of sector marker
As seen from the analysis above, the hidden sectors value isn't the same as the number of sectors, meaning that the boot sector was corrupted and the partition should not be used.
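The PBS table above is the kind of decoding that is easy to get wrong by hand, so here is an added example (written for this write-up, not part of the original analysis) that parses the BIOS Parameter Block with struct and runs the consistency checks an examiner would want before trusting a volume. The sample sector is constructed from the values the table lists; all multi-byte BPB fields are little-endian, so the raw bytes 00 02 at offset 0x0B decode to 512 bytes per sector, and CF CD B1 C4 at offset 0x27 decode to the serial C4B1-CDCF that chkdsk prints further down.

```python
"""Parse a FAT12 boot sector (BIOS Parameter Block) and sanity-check it.

Added example, not part of the original write-up. The sample sector is
constructed below from the values listed in the PBS table; every
multi-byte BPB field is little-endian.
"""
import struct
from typing import Dict, List

# Layout of the FAT12/16 boot sector from offset 0 to 0x3E (little-endian).
BPB_FORMAT = "<3s8sHBHBHHBHHHIIBBBI11s8s"
FIELDS = (
    "jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
    "num_fats", "root_entries", "total_sectors16", "media", "sectors_per_fat",
    "sectors_per_track", "heads", "hidden_sectors", "total_sectors32",
    "drive_number", "reserved1", "ext_boot_sig", "serial", "label", "system_id",
)


def parse_bpb(sector: bytes) -> Dict[str, object]:
    """Decode the BPB fields plus the 55 AA end-of-sector marker at 0x1FE."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    bpb = dict(zip(FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    bpb["signature"] = struct.unpack_from("<H", sector, 0x1FE)[0]
    return bpb


def total_sectors(bpb: Dict[str, object]) -> int:
    return bpb["total_sectors16"] or bpb["total_sectors32"]


def cluster_count(bpb: Dict[str, object]) -> int:
    """Number of data clusters; this count, not the 'FAT12' string, decides the FAT type."""
    bps = bpb["bytes_per_sector"]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_start = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"] + root_sectors
    return (total_sectors(bpb) - data_start) // bpb["sectors_per_cluster"]


def fat_type(bpb: Dict[str, object]) -> str:
    n = cluster_count(bpb)
    return "FAT12" if n < 4085 else "FAT16" if n < 65525 else "FAT32"


def check_bpb(bpb: Dict[str, object]) -> List[str]:
    """Return human-readable problems; an empty list means the BPB looks sane."""
    problems = []
    if bpb["jump"][0] not in (0xEB, 0xE9):
        problems.append("jump instruction is not EB xx 90 / E9 xx xx")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {bpb['bytes_per_sector']} is invalid")
    if bpb["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append(f"sectors per cluster {bpb['sectors_per_cluster']} is invalid")
    if bpb["reserved_sectors"] == 0:
        problems.append("reserved sectors is zero (the boot sector itself is reserved)")
    if bpb["num_fats"] not in (1, 2):
        problems.append(f"unusual number of FATs: {bpb['num_fats']}")
    if bool(bpb["total_sectors16"]) == bool(bpb["total_sectors32"]):
        problems.append("exactly one of the 16-bit and 32-bit sector counts must be set")
    elif total_sectors(bpb) % (bpb["sectors_per_track"] * bpb["heads"] or 1):
        problems.append("total sectors is not a whole number of tracks")
    if bpb["media"] == 0xF0 and bpb["hidden_sectors"] != 0:
        problems.append("removable media (F0) but hidden sectors is non-zero")
    if (bpb["ext_boot_sig"] == 0x29 and bpb["bytes_per_sector"] and bpb["sectors_per_cluster"]
            and bpb["system_id"].rstrip() != fat_type(bpb).encode()):
        problems.append(f"system id {bpb['system_id']!r} disagrees with the cluster count")
    if bpb["signature"] != 0xAA55:
        problems.append(f"end-of-sector signature is {bpb['signature']:04X}, expected AA55")
    return problems


def build_sample_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector matching the PBS table values."""
    sector = bytearray(512)
    struct.pack_into(BPB_FORMAT, sector, 0,
                     b"\xEB\x3C\x90", b"MSDOS5.0", 512, 1, 1, 2, 224, 2880, 0xF0,
                     9, 18, 2, 0, 0, 0, 0, 0x29, 0xC4B1CDCF, b"NO NAME    ", b"FAT12   ")
    struct.pack_into("<H", sector, 0x1FE, 0xAA55)   # stored on disk as 55 AA
    return bytes(sector)


if __name__ == "__main__":
    bpb = parse_bpb(build_sample_sector())
    for name in FIELDS + ("signature",):
        print(f"{name:20} {bpb[name]!r}")
    print("clusters:", cluster_count(bpb), fat_type(bpb))
    print("problems:", check_bpb(bpb) or "none")
```

For the sample sector the cluster count comes out at 2,847, which is the "total allocation units on disk" figure chkdsk reports later in this write-up, a useful cross-check that the BPB and the tool agree. To examine a real image, pass its first 512 bytes to parse_bpb.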
Knowing the problems with the PBS, I decided to see if there were any other files I could recover from the disk.
I started up the R-Studio demo (r-tt.com) and tried to recover all possible files from the disk. It was able to recover 3 files, one of which, 'Jimmy Jungle.doc', I hadn't seen before. It was a Word document containing a letter from Joe to his dealer Jimmy Jungle.
3 File(s) 37,065 bytes
This document contained several pieces of information pertaining to gaining access to the other files on the disk.
'Thanks for sending me the Cover Page'
- Jimmy sent Joe a cover page image.
'I emailed you the schedule that I am using.'
- Joe sent Jimmy his schedule for dealing drugs to school children.
'To open it, use the same password that you sent me before with that file.'
- To open it, use the password from the file that was sent before (the cover page image), which leads me to believe that there is a password somewhere in the cover page image.
Although I had recovered a new file, I still knew that the disk was corrupt in some form, so I ran scandisk on it to see if it did anything to help my cause.
A:\>chkdsk /F a:
The type of the file system is FAT.
Volume Serial Number is C4B1-CDCF
Windows is verifying files and folders...
\cover page.jpgc first allocation unit is not valid. The entry will
Removing nonvalid long folder entry from \...
File and folder verification is complete.
Convert lost chains to files (Y/N)? y
15872 bytes in 1 recovered files.
Windows has made corrections to the file system.
1,457,664 bytes total disk space.
512 bytes in 1 folders.
18,432 bytes in 2 files.
1,438,720 bytes available on disk.
512 bytes in each allocation unit.
2,847 total allocation units on disk.
2,810 allocation units available on disk.
Volume in drive A has no label.
Volume Serial Number is C4B1-CDCF
Directory of A:\
1 File(s) 2,560 bytes
0 Dir(s) 1,438,720 bytes free
The check had resulted in a larger file. I once again tried to run it, to no avail. I opened it up in UltraEdit to have one last look over the file. I noticed that the file started with 'PK', which I thought might be the header for PKZIP (WinZip). I checked it against a real zip file and was right. I copied the file to another location and saved it as .zip. I opened it up in WinZip and found that it contained Scheduled Visits.xls, which was password protected.
BUT I HAD NO PASSWORD.
This brings me back to my theory that the password was somehow in the cover page image, which I had yet to find.
I opened R-Studio back up with the freshly chkdsk'd disk and tried to see if anything new showed up. This is the log of what occurred:
Information Enumeration of files started for A:
Warning FAT Short file name discards 2 lfn slot(s) while parsing directory id: 4
Information Enumeration of files finished for A:
Information Recover Recovering of selected files to C:\SOTM\ started
Warning FAT FAT chain closed by end of file entry and 1 clusters were parsed. But file size indicates, that file occupies 39 clusters more. This may indicates, that file was overwritten lately by another file.
Error Recover Restoring file C:\SOTM\ Root\Jimmy Jungle. failed. Can't read file to be recovered completely (801).
Information Recover 3 files of 4 were successfully recovered
Information Recover 2 folders of 2 were successfully recovered
and in FOUND.000
It got me pretty much all the files I already had, except that the Jimmy Jungle document was cross-linked and was removed. I also got a scandisk-recovered file (FILE0000.CHK).
I didn’t know what sort of file it was, but it was similar in size to the coverpage file that wouldn’t open.
I opened the file up in ultraedit to check it out.
The first 16 bytes of the file contained
'ÿØÿà JFIF `' (hex FF D8 FF E0 .. .. 4A 46 49 46 ...)
This reminded me of the file format I had described earlier (.JPG JPEG/JFIF Image).
I opened a JPEG file and inspected it. Its first 16 bytes were the same as the ones I had just outlined. I then proceeded to do exactly what I had done for the zip file, copying it to another location and saving it as a JPEG. The resulting JPEG was a picture of the cover page of High Times magazine.
There was still the outstanding issue of the password for the zip file. I probably could have brute forced the password, but I knew the password was in the image somewhere.
At position 0x3D20, length 0x000C, was an interesting snippet.
I opened up the zip and used the password with success, gaining access to Scheduled Visits.xls, which contained all the information on Joe's drug dealing habits at the schools.
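Two steps of the examination above, recognising a file by its leading bytes regardless of its extension and noticing text tucked in after the end of a JPEG, can be automated. The following is an added example written for this write-up, not code from the original analysis or from any of the tools it names. The sample JPEG and ZIP header are constructed in memory, the trailing 'pw=goodtimes' string is placed there to mirror the finding described above, and the JPEG walk follows the marker segments rather than trusting a plain search for FF D9, so a stuffed FF 00 inside the scan data does not fool it.

```python
"""Identify a recovered file by its magic bytes and report anything appended
after a JPEG's end-of-image marker.

Added example, not part of the original write-up. Sample inputs are
constructed below.
"""
import re
from typing import List, Optional, Tuple

MAGIC = {
    b"\xFF\xD8\xFF": "JPEG",                      # SOI, shown as 'ÿØÿ' in a text editor
    b"PK\x03\x04": "ZIP",                          # local file header, the 'PK' seen above
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2",   # legacy .doc / .xls container
}


def identify(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever extension the file carries."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def jpeg_end_of_image(data: bytes) -> Optional[int]:
    """Walk marker segments to the real EOI; return the offset just past FF D9."""
    if not data.startswith(b"\xFF\xD8\xFF"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                   # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                                # fill byte
            pos += 1
        elif marker == 0xD9:                              # EOI
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
        else:
            if pos + 4 > len(data):
                return None
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                            # SOS: skip entropy-coded data
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] != 0x00
                        and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    return None


def printable_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like the Unix strings tool: (offset, text) for runs of printable ASCII."""
    pattern = rb"[\x20-\x7E]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def trailing_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Printable strings found after the JPEG's EOI, with absolute file offsets."""
    end = jpeg_end_of_image(data)
    if end is None or end >= len(data):
        return []
    return [(end + off, s) for off, s in printable_strings(data[end:], min_len)]


# Constructed minimal JPEG: SOI, APP0/JFIF, SOS with a stuffed FF 00 inside the
# scan data, EOI, then two padding bytes and an appended text string.
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"
    + b"\x12\x34\xFF\x00\x56"
    + b"\xFF\xD9"
    + b"\x00\x00pw=goodtimes"
)
SAMPLE_ZIP = b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24   # constructed local header only

if __name__ == "__main__":
    for name, blob in (("cover page.jpgc", SAMPLE_JPEG), ("Scheduled Visits.exe", SAMPLE_ZIP)):
        print(f"{name}: {identify(blob)}")
    for off, text in trailing_strings(SAMPLE_JPEG):
        print(f"after EOI at offset 0x{off:04X}: {text!r}")
```

Run against a real recovered file, identify() answers the ".exe that is really a zip" question from the first four bytes, and trailing_strings() lists anything a viewer would silently ignore after the image ends, with the offset and length (12 bytes for the sample string, the same 0x000C the write-up records) ready to be noted in the report.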