Scan Of the Month Challenge – By [email protected]

Q1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Q2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

The cover page that was directly recovered from the image contained nothing useful. But the cover page recovered from the image contained the front page of Pot Smokers Monthly, which links to some of the information in the letter to Jimmy.

"Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia."

It helps confirm that Jimmy is indeed a drug dealer and is in contact with Joe.

One of the most useful pieces of data is located toward the end of the JPEG. It seems that Jimmy has tried to incorporate some poor form of steganography into his communications with Joe.

At offset 0x3D20 (length 0x000C) is the string 'pw=goodtimes'. One can only assume that pw stands for password and that 'goodtimes' is the password.

It turns out that this is the password for the zip file containing Joe's drug dealing schedule.

Q3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

Joe also frequents these schools:

- Key High School (B)
- Leetch High School (C)
- Birard High School (D)
- Richter High School (E)
- Hull High School (F)

Q4. For each file, what processes were taken by the suspect to mask them from others?

The following files were recovered from the disk.

- Jimmy Jungle.doc
- SCHEDU~1.zip
- Scheduled Visits.xls
- cover page.jpg

The following are the processes taken to mask the files.

- Jimmy Jungle.doc
- cover page.jpg

I don't suspect that Joe purposely cross-linked the clusters on the disk; more than likely it was just a soft error that could be due to data corruption. The data can be read and written correctly with no errors, but the data is not what it should be. For example, in the FAT file system, an entry in the FAT table may be corrupted: it may point to a cluster which does not exist (sector not found error) or it may point to a cluster which is already owned by another file (cross-linked clusters). Clearly any given cluster can only belong to a single file, so if two (or more) files think that they own the same cluster there is an error.

- SCHEDU~1.zip

The suspect had changed the extension of this file to .exe, knowing that only he would know of this, thereby hiding the data within the archive. The archive itself was password protected using a password cleverly hidden within the cover page image.

- Scheduled Visits.xls

This file was the most protected file on the disk, and it contained information pertaining to Joe's drug dealing habits.

Q5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

$ md5 image.zip
MD5 (image.zip) = b676147f63923e1f428131d59b1d6a72

I checked the checksum of the image, which checked out, then proceeded to write the image to a disk; I used rawwrite for this operation.

Enter source file name: image
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:.  Press ^C to abort.
Track: 79  Head:  1 Sector: 16
Done.

The following files are what came from the disk image.

 Directory of A:\

11/09/2002  08:30 AM            15,585 cover page.jpgc
24/05/2002  08:20 AM             1,000 SCHEDU~1.EXE
               2 File(s)         16,585 bytes
               0 Dir(s)       1,439,232 bytes free

Both files have commonly known extensions. The first is .exe:

.EXE  Executable File

And if you remove the c from the other file's extension, you get another commonly known extension, .jpg:

.JPG  JPEG/JIFF Image

When I attempted to open it as a JPEG file I couldn't see anything. So I opened the file in UltraEdit, to find that it is one continuous stream of 'öööööööööö'.

I tried to run Scheduled Visits.exe and got an MS-DOS subsystem error. I threw Scheduled Visits.exe into UltraEdit to have a closer look at the file. Nothing really stood out in this file except for 'Scheduled Visits.xls', which was in plain text near the top of the file. I had the suspicion that the file could be either corrupt or fake.

From this point I decided to check whether the disk was corrupt, starting by analyzing the partition boot sector (PBS).

Analysis of the PBS

Offset        Length         Value             Meaning
-------------------------------------------------------------------
0x0000        0x0003         EB 3C 90          Jump Instruction
0x0003        0x0008         MSDOS5.0          OEM Name in text
0x000B        0x0002         0x0002            Bytes per sector
0x000D        0x0001         0x01              Sectors per Cluster
0x000E        0x0002         0x0100            Reserved Sectors
0x0010        0x0001         0x02              Number of FATs
0x0011        0x0002         0xE000            Root entries
0x0013        0x0002         0x400B            Number Of Sectors
0x0015        0x0001         0xF0              Media Type (F0 = 3 1/2 floppy, 1.44MB)
0x0016        0x0002         0x0900            Sectors per FAT
0x0018        0x0002         0x1200            Sectors per Track
0x001A        0x0002         0x0200            Number of Heads
0x001C        0x0004         00 00 00 00       Hidden Sectors
0x0020        0x0004         00 00 00 00       Large Sectors
0x0024        0x0002         00 00             Physical Disk
0x0026        0x0001         29                Sig.  (Needed by NT)
0x0027        0x0004         CF CD B1 C4       Vol. Serial Number
0x002B        0x000B         NO NAME           Volume Label
0x0036        0x0008         FAT12             System ID
0x003E        0x01aa         33 C9 8E ...      Bootstrap code
0x01FE        0x0002         55 AA             End of sector marker

As seen from the analysis above, the hidden sectors value isn't the same as the number of sectors, therefore meaning that the boot sector was corrupted and the partition should not be used.
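As an added example (not part of the original write-up), here is a Python decoder for the boot sector fields listed in the table, run over a constructed 512-byte sector that carries the table's values rather than bytes from the real image. It unpacks the little-endian BPB fields, checks the 55 AA marker and whether the media byte agrees with the stated geometry, and derives the cluster count; for these values that comes out at 2,847 clusters of 512 bytes (1,457,664 bytes), the same figures chkdsk reports later in the write-up.

```python
import struct

BPB_FORMAT = '<HBHBHHBHHHII'   # little-endian fields at offsets 0x0B..0x23
BPB_FIELDS = ('bytes_per_sector', 'sectors_per_cluster', 'reserved_sectors', 'num_fats',
              'root_entries', 'total_sectors', 'media', 'sectors_per_fat',
              'sectors_per_track', 'heads', 'hidden_sectors', 'large_sectors')

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block of a FAT12/FAT16 boot sector."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b'\x55\xAA':
        raise ValueError('not a 512-byte sector ending in the 55 AA marker')
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))
    bpb['oem_name'] = sector[0x03:0x0B].decode('ascii', 'replace').rstrip()
    bpb['volume_serial'] = struct.unpack_from('<I', sector, 0x27)[0]
    bpb['fs_type'] = sector[0x36:0x3E].decode('ascii', 'replace').rstrip()
    return bpb

def layout(bpb: dict) -> dict:
    """Where the data area starts and how many clusters the volume has."""
    bps = bpb['bytes_per_sector']
    root_dir_sectors = (bpb['root_entries'] * 32 + bps - 1) // bps
    first_data = (bpb['reserved_sectors'] + bpb['num_fats'] * bpb['sectors_per_fat']
                  + root_dir_sectors)
    total = bpb['total_sectors'] or bpb['large_sectors']
    clusters = (total - first_data) // bpb['sectors_per_cluster']
    return {'first_data_sector': first_data, 'clusters': clusters,
            'bytes_total': clusters * bpb['sectors_per_cluster'] * bps}

def sanity_problems(bpb: dict) -> list:
    """Consistency checks to apply before trusting a boot sector's geometry."""
    problems = []
    if bpb['bytes_per_sector'] not in (512, 1024, 2048, 4096):
        problems.append('implausible bytes per sector: %d' % bpb['bytes_per_sector'])
    # media 0xF0 with 18 sectors/track, 2 heads and 80 tracks is the 1.44MB layout
    if bpb['media'] == 0xF0 and \
            bpb['total_sectors'] != bpb['sectors_per_track'] * bpb['heads'] * 80:
        problems.append('media byte 0xF0 disagrees with the stated geometry')
    return problems

def sample_boot_sector() -> bytes:
    """Constructed sector carrying the values from the PBS table above; not the real image."""
    s = bytearray(512)
    s[0:3], s[3:11] = b'\xEB\x3C\x90', b'MSDOS5.0'
    struct.pack_into(BPB_FORMAT, s, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    s[0x26] = 0x29                                # extended boot signature
    struct.pack_into('<I', s, 0x27, 0xC4B1CDCF)   # bytes CF CD B1 C4 -> C4B1-CDCF in chkdsk
    s[0x2B:0x36], s[0x36:0x3E] = b'NO NAME    ', b'FAT12   '
    s[0x1FE:0x200] = b'\x55\xAA'
    return bytes(s)
```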

 

Knowing the problems with the PBS, I decided to see if there were any other files I could recover from the disk.

I started up the R-Studio demo (r-tt.com) and tried to recover all possible files off the disk. It was able to recover 3 files, one of which was something I hadn't seen before: 'Jimmy Jungle.doc', a Word document of a letter from Joe to his dealer Jimmy Jungle.

11/09/2002  08:30 AM            15,585 cover page.jpgc
15/04/2002  02:42 PM            20,480 Jimmy Jungle.doc
24/05/2002  08:20 AM             1,000 SCHEDU~1.EXE
               3 File(s)         37,065 bytes

This document contained several pieces of information pertaining to gaining access to the other files on the disk.

'Thanks for sending me the Cover Page'

- Jimmy sent Joe a cover page image.

'I emailed you the schedule that I am using.'

- Joe sent Jimmy his schedule for dealing drugs to school children.

'To open it, use the same password that you sent me before with that file.'

- To open it, use the password from the file that was sent before (the cover page image), which leads me to believe that there is some password in the cover page image.

Although I had recovered a new file, I still knew that the disk was corrupt in some form, so I ran scandisk on it to see if it did anything to help my cause.

A:\>chkdsk /F a:
The type of the file system is FAT.
Volume Serial Number is C4B1-CDCF
Windows is verifying files and folders...
\cover page.jpgc             first allocation unit is not valid. The entry will
be truncated.
Removing nonvalid long folder entry from \...
File and folder verification is complete.
Convert lost chains to files (Y/N)? y
15872 bytes in 1 recovered files.
Windows has made corrections to the file system.

    1,457,664 bytes total disk space.
          512 bytes in 1 folders.
       18,432 bytes in 2 files.
    1,438,720 bytes available on disk.

          512 bytes in each allocation unit.
        2,847 total allocation units on disk.
        2,810 allocation units available on disk.

Resulting in:

A:\>dir
 Volume in drive A has no label.
 Volume Serial Number is C4B1-CDCF

 Directory of A:\

24/05/2002  08:20 AM             2,560 SCHEDU~1.EXE
               1 File(s)          2,560 bytes
               0 Dir(s)       1,438,720 bytes free

The check had resulted in a larger file. I once again tried to run it, to no avail. I opened it up in UltraEdit to have one last look over the file. I noticed that the file started with PK, which I thought might be a header for PKZIP (WinZip). I checked it against a real zip file and was right. I copied the file to another location and saved it as .zip. I opened it up in WinZip and found that it contained Scheduled Visits.xls, which was password protected.

BUT I HAD NO PASSWORD.

Which brings me back to my theory that the password was somehow in the cover page image, which I was yet to find.

I opened R-Studio back up with the freshly chkdsk'd disk and tried to see if anything new showed up. This is the log of what occurred:

Information       Enumeration of files started for A:
Warning           FAT     Short file name discards 2 lfn slot(s) while parsing directory id: 4
Information       Enumeration of files finished for A:
Information       Recover           Recovering of selected files to C:\SOTM\ started
Warning           FAT     FAT chain closed by end of file entry and 1 clusters were parsed. But file size indicates, that file occupies 39 clusters more.  This may indicates, that file was overwritten lately by another file.
Error            Recover   Restoring file C:\SOTM\ Root\Jimmy Jungle. failed. Can't read file to be recovered completely (801).
Information       Recover           3 files of 4 were successfully recovered
Information       Recover           2 folders of 2 were successfully recovered

25/10/2002  03:05 PM            15,585 cover page.jpgc
25/10/2002  03:05 PM    <DIR>          FOUND.000
25/10/2002  03:05 PM               512 Jimmy Jungle
25/10/2002  03:05 PM             2,560 SCHEDU~1.EXE

and in FOUND.000

25/10/2002  03:05 PM            15,872 FILE0000.CHK

It had pretty much got me all the files I had, except that the Jimmy Jungle document got cross-linked and was removed. I also got a scandisk-recovered file (FILE0000.CHK). I didn't know what sort of file it was, but it was similar in size to the cover page file that wouldn't open.

I opened the file up in UltraEdit to check it out.

The first 16 bytes of the file contained

'ÿØÿà JFIF  `'

(the bytes FF D8 FF E0 of a JFIF header, displayed as text), which reminded me of the file format I had earlier described (.JPG  JPEG/JIFF Image). I opened a JPEG file and inspected it. Its first 16 bytes were the same as the ones I had just outlined. I then proceeded to do exactly what I had done for the zip file, copying it to another location and saving it as a JPEG. The resulting JPEG was a picture of the cover page of High Times magazine.

There was still the outstanding issue of the password for the zip file. I probably could have brute forced the password, but I knew the password was in the image somewhere.

At position 0x3D20 (length 0x000C) was an interesting snippet:

'pw=goodtimes'

I opened up the zip and used the password with success; I gained access to Scheduled Visits.xls, which contained all the information on Joe's drug dealing habits at the schools.
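As an added example (not the author's code), the following Python reproduces the two checks that unlocked this disk: identifying a file by its leading bytes (PK for a zip, FF D8 FF for a JPEG, MZ for a real executable) regardless of the extension it carries, and pulling out whatever has been appended after a JPEG's FF D9 end-of-image marker, one place a text note can sit without changing how the image renders. The samples are constructed byte strings, so the trailer offset here (0x30) differs from the 0x3D20 found in the real cover page.

```python
import re

# Magic numbers for the three formats this write-up deals with.
SIGNATURES = {'jpg': b'\xFF\xD8\xFF', 'zip': b'PK\x03\x04', 'exe': b'MZ'}
JPEG_EOI = b'\xFF\xD9'   # end-of-image marker; a viewer ignores everything after it

def identify(data: bytes) -> str:
    """Name the format whose signature matches the first bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return 'unknown'

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension on disk disagrees with what the content says it is."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    ext = 'jpg' if ext == 'jpeg' else ext
    kind = identify(data)
    return kind != 'unknown' and kind != ext

def jpeg_trailer(data: bytes):
    """Return (offset, bytes) of anything appended after the last FF D9 marker, else None."""
    if identify(data) != 'jpg':
        raise ValueError('not a JPEG stream')
    end = data.rfind(JPEG_EOI)     # last EOI, so an embedded thumbnail's own EOI is skipped
    if end == -1:
        return None
    start = end + len(JPEG_EOI)
    return (start, data[start:]) if start < len(data) else None

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Crude strings(1): runs of at least min_len printable ASCII characters."""
    return [m.group().decode('ascii')
            for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, blob)]

# Constructed samples (not bytes from the challenge image): a minimal JFIF header,
# a dummy scan segment, the EOI marker, then an appended note; and a zip local header.
SAMPLE_JPG = (b'\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
              + b'\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00' + b'\x00' * 16
              + JPEG_EOI + b'pw=goodtimes')
SAMPLE_ZIP = b'PK\x03\x04\x14\x00' + b'\x00' * 24 + b'Scheduled Visits.xls'

if __name__ == '__main__':
    print(identify(SAMPLE_ZIP), extension_mismatch('SCHEDU~1.EXE', SAMPLE_ZIP))
    offset, trailer = jpeg_trailer(SAMPLE_JPG)
    print(hex(offset), printable_strings(trailer))
```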