Scan of the Month 24
Analysis by Charley Pfaff (chuckk7 at yahoo)
October 8, 2002

Table of Contents:
The challenge
Questions
Tools used
Methods
Answers
Appendix

The challenge:
    The folks from Digital Forensic Research WorkShop have created a unique challenge for you. Your mission is to analyze a recovered floppy and answer the questions below. What makes this challenge unique is that you will need to read the police report before continuing. Just like an investigation in the real world, you will have some background information and some evidence, but it's up to you and your technical skills to dig up the answers. Below is the dd image of the recovered floppy. This is the image that will provide you the answers, providing you can 'extract' the data.

Questions:
1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
Bonus:
6. What Microsoft program was used to create the Cover Page file. What is your proof (Proof is the key to getting this question right, not just making a guess).

Tools used:
@stake TASK (fls, dls, fsstat, dcat)
Windows XP (Microsoft Word 2002, Excel 2002, WinZip 8, mspaint, notepad)
Red Hat Linux 7.2 (md5sum, strings, file, less, mount, vi)

Methods
The very first step was to verify the downloaded image: md5sum was run on the archive and the result compared with the MD5 published on the challenge site.

#md5sum image.zip


Once that checked out, the strings command was run over the image to pull out any readable data before going further. The results yielded a great deal of information, including the text of the deleted .doc file and, most important, the password at the end of the .jpg file.

   

  #strings -a image > strings.txt
  blah
   blah
   blah
   Jimmy Jungle
   626 Jungle Ave Apt 2
   Jungle, NY 11111
   Jimmy:
   Dude, your pot must be the best
   it made the cover of High Times Magazine! Thanks for sending me the Cover Page.
   What do you put in your soil when you plant the marijuana seeds? At least    I kno
   w your growing it and not some guy in Columbia.
   These kids, they tell me marijuana isn
   t addictive, but they don
   t stop buying from me. Man, I
   m sure glad you told me about targeting the high school students. You must have
   some experience. It
   s like a guaranteed paycheck. Their parents give them money for lunch and they s
   pend it on my stuff. I
   m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of
   the year!
   I emailed you the schedule that I am using. I think it helps me cover myself and
   not be predictive. Tell me what you think. To open it, use the same password t
   hat you sent me before with that file. Talk to you later.
   Thanks,
   Joe
   blah
   blah
   Microsoft Word 10.0
   blah
   blah
   pw=goodtimes
   Scheduled Visits.xlsPK

This was enough information to get started on the right track. The output showed a Word document created with Word 2002 (the "Microsoft Word 10.0" string), a password used for something, and a zipped xls file (the file name followed by the PK signature of a zip record). The next step was to mount the image and take a look at the files, so the image was mounted read-only with the mount command:


#mount -o ro,loop,nodev,noexec image /t


I started by gathering information on the files. The file and less commands were used to determine whether the files were intact, and the results raised doubts about their integrity.


#file cover_page.jpgc
cover page.jpgc : PC formatted floppy with no filesystem


The output made no sense until the contents of the file were viewed:

#less cov*

This gave nothing but junk, so it was assumed that the directory entry was pointing at a blank part of the floppy. Moving on to schedu~1.exe, the file command identified it as a self-extracting zip, so I copied the file to a Windows XP computer and tried to run it. It only produced NTVDM errors and died. Either the suspect was using an unusual zip program or, given that the cover page file was wrong, this file also had parts missing.

  After getting nowhere with the mounted data, analysis of the image file itself began, in order to extract the information needed to identify this person and get at him. The first step was to bring out my trusty TASK toolkit from @stake to read the FAT file system.

  The mounted file system showed only two visible files on the floppy, a jpg and an exe containing the Excel file, but the strings output showed that a Word document was in there somewhere. So I first wanted to find any files that had been deleted. The fls tool lists what is in the directory, deleted entries included:

# ./fls -f fat12 ./image
r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
r/r 8: cover page.jpgc (COVERP~1.JPG)
r/r 11: Scheduled Visits.exe (SCHEDU~1.EXE)

 The asterisk marks the doc entry as deleted. I wanted to pull that file off the floppy to get at what someone did not want seen. The dls tool was used first to list the unallocated sectors:

#./dls -l -f fat12 ./image > deleted

  The listing showed unallocated sectors at 33-72 and from 109 upward. The file was known to be about 20 KB, and 40 sectors of 512 bytes is 20,480 bytes, so the 33-72 range was taken to be the document and was extracted with dls again:

#./dls -f fat12 ./image 33-72 > jimmy.doc

  This yielded the doc file, which the file command verified as a Microsoft document. It was transferred to a Windows machine for further analysis. The document mentioned a password-protected Excel file listing the places he frequented, and a picture. The next step was to recover the complete files; icat could not do this from the listed inodes, so the fsstat tool was used to find where the data actually sat on the disk:

#./fsstat -f fat ./image
File System Type: FAT
OEM: MSDOS5.0
Volume ID: 3299986895
Volume Label: NO NAME
File System Type (super block): FAT12

META-DATA INFORMATION
--------------------------------------------
Inode Range: 2 - 45762
Root Inode: 2

CONTENT-DATA INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Sector of First Cluster: 33
Total Sector Range: 0 - 2878
FAT 0 Range: 1 - 9
FAT 1 Range: 10 - 18
Data Area Sector Range: 19 - 2878

FAT CONTENTS (in sectors)
--------------------------------------------
73-103 (31) -> EOF
104-108 (5) -> EOF

  The useful part is at the bottom: the FAT shows two allocated runs, sectors 73-103 (31 sectors) and 104-108 (5 sectors). Those ranges were extracted with dcat so the data could be analyzed:

#./dcat -f fat image 73-103 15872 > cover.jpg

#./dcat -f fat image 104-109 3072 > schedule.exe

  The output gave the files needed for the rest of the analysis, which continued on the Windows XP box. The JPEG was viewed first in an image viewer; it showed nothing of importance beyond the dealer's name. Viewed in a text editor, however, it had text appended to the end: pw=goodtimes. Given the note in the recovered document about reusing the password, this was taken to be the password for the zip file. The self-extracting zip prompted for a password when run; with goodtimes it decompressed and yielded the dealer's schedule and the locations he had frequented. This ended the analysis of the diskette and the data was turned over to the proper hands.
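To make the fls/dls/fsstat/dcat steps above concrete, here is the same triage done by hand in Python: reading the BPB to get the geometry fsstat printed (FATs at sectors 1-18, root directory at 19-32, first data sector 33), listing the root directory with deleted entries flagged, following the FAT12 chain of a live file, and carving a contiguous sector range for the deleted one. This is an added example, not the author's code and not part of TASK; the 1.44 MB image it works on is constructed in memory with the same layout the write-up reports (a deleted 20 KB document at sectors 33-72 and a JPEG at 73-103), and the file contents, short names and sizes are made up.

```python
# FAT12 floppy triage in pure Python: read the BPB, list root-directory
# entries (deleted ones flagged like fls's '*'), follow FAT chains and carve
# a sector range as dls/dcat were used above.  Added example, not the author's
# code and not part of TASK; the image is constructed in memory.
import struct

SECTOR = 512
DOC_DATA = (b"JIMMY-DOC " * 2048)[:20480]                 # 40 sectors, constructed
JPG_DATA = (b"\xff\xd8" + b"cover-page " * 1500)[:15600]  # 31 sectors, constructed

def parse_bpb(img):
    """The geometry fsstat printed, derived from the boot sector's BPB fields."""
    bps, spc, rsvd, nfats, nroot, _tot, _med, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_start = rsvd + nfats * spf                      # root directory follows the FAT copies
    root_sectors = (nroot * 32 + bps - 1) // bps
    return {"bps": bps, "spc": spc, "nfats": nfats, "spf": spf, "fat_start": rsvd,
            "root_start": root_start, "root_entries": nroot,
            "first_data": root_start + root_sectors}     # 1 + 2*9 + 14 = 33 on a 1.44 MB floppy

def cluster_sector(geo, c):
    return geo["first_data"] + (c - 2) * geo["spc"]      # clusters count from 2

def fat12_entry(img, geo, c):
    """12-bit FAT entry for cluster c; neighbouring entries share a byte."""
    val = struct.unpack_from("<H", img, geo["fat_start"] * geo["bps"] + c + c // 2)[0]
    return val >> 4 if c & 1 else val & 0x0FFF

def follow_chain(img, geo, start):
    """Clusters in FAT order; stops at EOF (>= 0xFF8), a free entry (0) or a loop."""
    chain, c = [], start
    while 2 <= c < 0xFF0 and c not in chain:
        chain.append(c)
        c = fat12_entry(img, geo, c)
    return chain

def list_root(img, geo):
    """Root entries as (name, deleted, start_cluster, size); LFN pieces skipped."""
    base, out = geo["root_start"] * geo["bps"], []
    for i in range(geo["root_entries"]):
        e = bytes(img[base + 32 * i:base + 32 * (i + 1)])
        if e[0] == 0x00:                   # no entries used past this point
            break
        if e[11] == 0x0F:                  # VFAT long-name piece (fls shows it as the long name)
            continue
        deleted = e[0] == 0xE5             # a delete overwrites only the first name byte
        stem = (b"_" + e[1:8]) if deleted else e[:8]
        name, ext = stem.decode("ascii", "replace").rstrip(), e[8:11].decode("ascii", "replace").rstrip()
        start, size = struct.unpack_from("<H", e, 26)[0], struct.unpack_from("<I", e, 28)[0]
        out.append((name + ("." + ext if ext else ""), deleted, start, size))
    return out

def read_sectors(img, geo, first, last):
    """dls/dcat analogue: the raw bytes of sectors first..last inclusive."""
    return bytes(img[first * geo["bps"]:(last + 1) * geo["bps"]])

def recover_by_chain(img, geo, entry):
    """icat analogue: concatenate whatever clusters the FAT still links."""
    _, _, start, size = entry
    sectors = [cluster_sector(geo, c) for c in follow_chain(img, geo, start)]
    return b"".join(read_sectors(img, geo, s, s + geo["spc"] - 1) for s in sectors)[:size]

def recover_deleted_contiguous(img, geo, entry):
    """Deleted entries keep start cluster and size; if unfragmented, the bytes are still in a row."""
    _, _, start, size = entry
    first = cluster_sector(geo, start)
    last = first + (size + geo["bps"] - 1) // geo["bps"] - 1
    return read_sectors(img, geo, first, last)[:size]

def _set_fat12(img, geo, c, val):
    for n in range(geo["nfats"]):                        # keep both FAT copies in step
        off = (geo["fat_start"] + n * geo["spf"]) * geo["bps"] + c + c // 2
        cur = struct.unpack_from("<H", img, off)[0]
        cur = (cur & 0x000F) | (val << 4) if c & 1 else (cur & 0xF000) | (val & 0x0FFF)
        struct.pack_into("<H", img, off, cur)

def build_sample_image():
    """1.44 MB FAT12 image laid out like the one fsstat described: a deleted
    20 KB document at sectors 33-72 and a JPEG at 73-103 (constructed)."""
    img = bytearray(2880 * SECTOR)
    img[0:11], img[510:512] = b"\xeb\x3c\x90MSDOS5.0", b"\x55\xaa"
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    geo = parse_bpb(img)
    for n in range(geo["nfats"]):                        # media byte and EOF in entries 0 and 1
        off = (geo["fat_start"] + n * geo["spf"]) * SECTOR
        img[off:off + 3] = b"\xf0\xff\xff"
    files = [(b"\xe5IMMYJ~1DOC", DOC_DATA, True), (b"COVERP~1JPG", JPG_DATA, False)]
    root, next_free = geo["root_start"] * SECTOR, 2
    for i, (short, data, deleted) in enumerate(files):   # first entry is JIMMYJ~1.DOC after deletion
        clusters = list(range(next_free, next_free + (len(data) + SECTOR - 1) // SECTOR))
        next_free = clusters[-1] + 1
        for c, off in zip(clusters, range(0, len(data), SECTOR)):
            s = cluster_sector(geo, c) * SECTOR
            img[s:s + len(data[off:off + SECTOR])] = data[off:off + SECTOR]
        if not deleted:                                  # a delete frees (zeroes) the chain
            for a, b in zip(clusters, clusters[1:] + [0xFFF]):
                _set_fat12(img, geo, a, b)
        img[root + 32 * i:root + 32 * (i + 1)] = struct.pack("<11sB14xHI", short, 0x20,
                                                             clusters[0], len(data))
    return img, geo
```

The point the deleted entry makes: on FAT a delete overwrites only the first byte of the name with 0xE5 and frees the cluster chain, so following the chain returns just the first cluster, while the start cluster and the size are still in the directory entry. If the file was written without fragmentation, reading size bytes from the start cluster recovers it, which is what the dls 33-72 extraction did above; a fragmented deleted file would have to be carved by content instead.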

Answers:

1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

   The supplier's name and mailing address are in the letterhead of the Jimmy Jungle.doc file, which the seller had deleted from the disk and which was recovered as described above. The name and address of the supplier are:

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

    Two pieces of information are crucial. First, the image itself confirms the name of the supplier. Second, the password pw=goodtimes was appended to the end of the file; because it sits after the JPEG's end-of-image marker, an image viewer ignores it and it only shows up in a text or hex viewer. That password was then used to open the self-extracting zip file.

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

   Joe Jacobs rotates through six high schools; his schedule is in the xls file extracted from the zip. The schools listed are given below. For the complete schedule see Appendix A.

Birard High School
Hull High School
Key High School
Leetch High School
Richter High School
Smith Hill High School

4. For each file, what processes were taken by the suspect to mask them from others?

    The first file examined was the deleted doc file. The suspect took no precaution beyond deleting it. On a FAT floppy a delete only marks the directory entry (its first name byte becomes 0xE5) and frees the file's clusters in the FAT; the data itself stays on the disk until something overwrites it, which is why it could be recovered. A wiping tool would have made recovery much harder, or erased the data for good, but none was used.

The second file, the jpg, was used to carry the password needed to open the zip file. Opened in a normal JPEG viewer it shows a cover page and nothing else; examined with a text viewer it shows text appended after the image data. This is a simple hiding place that some people forget to check. The basic command to do it on Windows would be:

echo pw=goodtimes >> cover_page.jpg

The last file is the self-extracting zip file. The only form of concealment was the password on the archive. The password was taken from the jpg file, and the archive was extracted and read.
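The self-extracting archive's only protection is traditional PKWARE encryption (the "ZipCrypto" that WinZip-era tools use for password-protected archives). The added example below, which is neither the author's code nor WinZip's, shows what a password check actually does: walk the local file headers inside the SFX blob (ignoring the executable stub in front), decrypt only the 12-byte encryption header with the candidate password and compare its last byte with the high byte of the stored CRC, then decrypt the entry and confirm the full CRC. The archive it runs on is constructed in memory with a fake stub, a made-up spreadsheet body and the password from the cover page; a cross-check against Python's own zipfile decrypter is included.

```python
# Password check and extraction for the traditional PKWARE ("ZipCrypto")
# encryption that WinZip-era password-protected archives use.  Added example,
# not the author's or WinZip's code; the SFX blob is constructed in memory.
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4sHHHHHIIIHH"   # PK\3\4 ver flags method time date crc csize usize nlen elen
PLAINTEXT = b"Month,Day,High School\r\nApril,Monday (1),Smith Hill High School (A)\r\n"

def _crc_step(key, byte):
    """One CRC-32 table step (poly 0xEDB88320); zlib pre/post-inverts, so undo that."""
    return zlib.crc32(bytes([byte]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """APPNOTE 6.1 key schedule; keys advance on plaintext bytes, so one class does both ways."""
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, b):
        k = self.k
        k[0] = _crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    def _keystream_byte(self):
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)
    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)

def local_headers(blob):
    """Walk the local file headers inside an SFX; stub and central directory do not matter here."""
    entries, pos = [], blob.find(b"PK\x03\x04")
    while pos != -1:
        (_, _, flags, method, mtime, _, crc, csize, usize,
         nlen, elen) = struct.unpack_from(LOCAL_HDR, blob, pos)
        start = pos + 30 + nlen + elen
        entries.append({"name": blob[pos + 30:pos + 30 + nlen].decode("cp437"),
                        "encrypted": bool(flags & 1), "method": method, "crc": crc,
                        "data": start, "csize": csize, "usize": usize,
                        # last byte of the decrypted 12-byte header must equal this
                        "check": (mtime >> 8) & 0xFF if flags & 8 else (crc >> 24) & 0xFF})
        pos = blob.find(b"PK\x03\x04", start + csize)
    return entries

def check_password(blob, entry, password):
    """Decrypt only the 12-byte encryption header and compare its last byte.
    One byte means wrong passwords pass 1 time in 256: confirm with the CRC."""
    if not entry["encrypted"]:
        return True
    hdr = ZipCrypto(password).decrypt(blob[entry["data"]:entry["data"] + 12])
    return hdr[11] == entry["check"]

def decrypt_entry(blob, entry, password):
    """Plaintext of a stored (0) or deflated (8) entry; no password check."""
    raw = blob[entry["data"]:entry["data"] + entry["csize"]]
    if entry["encrypted"]:
        raw = ZipCrypto(password).decrypt(raw)[12:]      # drop the encryption header
    return zlib.decompress(raw, -15) if entry["method"] == 8 else bytes(raw)

def crc_matches(entry, data):
    return (zlib.crc32(data) & 0xFFFFFFFF) == entry["crc"]

def stdlib_read(blob, name, password):
    """Cross-check: CPython's zipfile ships the same decrypter."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)

def build_sample_sfx(password, stub=b"MZ" + b"\x00" * 30 + b"stub\x00"):
    """One stored, encrypted entry behind a fake stub; everything constructed."""
    name, crc = b"Scheduled Visits.xls", zlib.crc32(PLAINTEXT) & 0xFFFFFFFF
    header = bytes(range(11)) + bytes([crc >> 24])       # real tools use 11 random bytes
    body = ZipCrypto(password).encrypt(header + PLAINTEXT)
    t, d = 0, (22 << 9) | (10 << 5) | 8                   # DOS date 2002-10-08
    local = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 1, 0, t, d, crc,
                        len(body), len(PLAINTEXT), len(name), 0) + name + body
    cdir = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, t, d, crc,
                       len(body), len(PLAINTEXT), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(cdir), len(local), 0)
    return stub + local + cdir + eocd
```

Two caveats worth knowing. The one-byte header check lets a wrong password through once in 256 tries, so a hit is only real once the CRC of the decrypted data matches. And ZipCrypto is weak enough that a known-plaintext attack recovers the internal keys without the password at all, so a password found on a floppy is a convenience for the investigator, not the only way in.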

On a final note, I was unsure how the directory information on the diskette came to be messed up. It could have come about through mishandling during the process, or it could be another guise to keep others from reading the files. I am not sure whether it was done intentionally or not.

5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

   The processes used to examine the contents of the files were explained in the Methods section of this write-up; a quick recap follows. The first stage used basic commands, strings and less, on the image file to see whether it held any valuable information. The image was then mounted and checked to see whether the data was extractable and readable. Once that proved impossible, I moved on to recovering the first file. The first file was a deleted file, recovered using the dls tool from the TASK toolkit and then examined with Microsoft Word 10 on a Windows XP box. The next file was the jpg, recovered from the disk with the dcat tool from TASK and examined with mspaint, notepad and vi. The last file was the exe zip file, also recovered with dcat; it was extracted with WinZip 8 and the password supplied by the jpg file, and its contents were examined with Microsoft Excel 2002. For a more detailed process see Methods.

   Microsoft products were used in order to reproduce the environment the suspects used.

6. What Microsoft program was used to create the Cover Page file. What is your proof (Proof is the key to getting this question right, not just making a guess).

    The MS program used to create the file was MSPAINT. I came to this conclusion by recreating jpg files with several programs and matching the beginning of each against the original; the file created with mspaint matched up best, as the two dumps below show.

Created with MS Paint:

^@^PJFIF^@^A^A^A^@`^@`^@^@^@C^^F^F^G^F^E^G^G^G^I ^L^T^M^L^K^K^L^Y^R^S^O^T^]^Z^_^^^]^Z^\^\ $.' ",#^\^\(7),01444^_'9=82<.342^@C^A ^L^K^L^X^M^M^X2!^\!2222222222222222222222222222222222222 2222222222222^@^^A<80>^B^@^C^A"^@^B^Q^A^C^Q^A^@^_^@^@^A^E^A^A^A^A^A^A^@^@^@ ^@^@^@^@^@^A^B^C^D^E^F^^I ^K^@^P^@^B^A^C^C^B^D^C^E^E^D^D^@^@^A}^A^B^C^@^D^Q^E^R!1A^F^SQa^G"q^T2<81><91> #B^UR$3br<82> ^V^W^X^Y^Z%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<83><84><85><86><87><88> <89><8A><92><93><94><95><96><97><98><99><9A> ^@^_^A^@^C^A^A^A^A^A^A^A^A^A^@^@^@^@^@^@^A^B^C^D^E^F^^I ^K^@^Q^@^B^A^B^D^D^C^D^G^E^D^D^@^A^Bw^@^A^B^C^Q^D^E!1^F^RAQ^Gaq^S"2<81^TB<91> #3R^Ubr ^V$4%^W^X^Y^Z&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<82><83><84><85><86> <87><88><89><8A><92><93><94><95><96><97><98><99><9A> ^@^L^C^A^@^B^Q^C^Q^@?^@(<80>

Original cover page image:

^@^PJFIF^@^A^A^A^@`^@`^@^@^@C^^F^F^G^F^E^G^G^G^I ^L^T^M^L^K^K^L^Y^R^S^O^T^]^Z^_^^^]^Z^\^\ $.' ",#^\^\(7),01444^_'9=82<.342^@C^A ^L^K^L^X^M^M^X2!^\!2222222222222222222222222222222222222 2222222222222^@^^@^@^C^A"^@^B^Q^A^C^Q^A^@^_^@^@^A^E^A^A^A^A^A^A^@^@^@^@^@ ^@^@^@^A^B^C^D^E^F^^I ^K^@^P^@^B^A^C^C^B^D^C^E^E^D^D^@^@^A}^A^B^C^@^D^Q^E^R!1A^F^SQa^G"q^T2<81><91> #B^UR$3br<82> ^V^W^X^Y^Z%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<83><84><85><86><87><88> <89><8A><92><93><94><95><96><97><98><99><9A> ^@^_^A^@^C^A^A^A^A^A^A^A^A^A^@^@^@^@^@^@^A^B^C^D^E^F^^I ^K^@^Q^@^B^A^B^D^D^C^D^G^E^D^D^@^A^Bw^@^A^B^C^Q^D^E!1^F^RAQ^Gaq^S"2<81^TB<91> #3R^Ubr ^V$4%^W^X^Y^Z&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz<82><83><84><85><86> <87><88><89><8A><92><93><94><95><96><97><98><99><9A> ^@^L^C^A^@^B^Q^C^Q^@?^@(<80>
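Two places above depend on reading the JPEG's structure rather than eyeballing bytes: the password that sits after the image data (question 4) and the header comparison used to attribute the file to a program (question 6). The added example below, not the author's code, walks the JPEG marker segments so that appended data is found by locating the real end-of-image marker (an EXIF thumbnail carries its own SOI/EOI inside an APP1 segment, so a naive search for the first FF D9 stops too early, and a search for the last one is fooled by anything appended that itself ends in FF D9), and it pulls out the marker layout and quantization tables, which are a sturdier encoder fingerprint than the first hundred header bytes. The sample JPEG and the appended string are constructed; the sample is structurally valid but not a decodable picture.

```python
# JPEG structure checks behind two points above: data appended after the
# end-of-image marker (Q4) and header comparison between encoders (Q6).
# Added example, not the author's code; the sample JPEG is constructed so it
# runs offline (structurally valid, but not a decodable picture).
import struct

MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT",
                0xDA: "SOS", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}

def jpeg_segments(data):
    """Header segments up to and including SOS as (marker, payload), plus the
    offset where entropy-coded data begins.  APPn payloads are skipped by
    length, so an EXIF thumbnail's own SOI/EOI never confuses the walk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, segs = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos + 2 < len(data) and data[pos] == 0xFF:    # 0xFF fill bytes
            pos += 1
        marker, pos = data[pos], pos + 1
        if marker == 0x01 or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            continue                                       # stand-alone markers carry no length
        length = struct.unpack_from(">H", data, pos)[0]
        segs.append((marker, bytes(data[pos + 2:pos + length])))
        pos += length
        if marker == 0xDA:
            return segs, pos
    raise ValueError("no SOS segment")

def jpeg_end(data):
    """Offset just past the real EOI.  In scan data 0xFF is always followed by
    0x00 (stuffing) or RSTn, so anything else is a marker: EOI ends the file and
    other markers (progressive JPEGs have several scans) are skipped by length."""
    _, pos = jpeg_segments(data)
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] != 0xFF or nxt in (0x00, 0xFF) or 0xD0 <= nxt <= 0xD7:
            pos += 1
            continue
        if nxt == 0xD9:
            return pos + 2
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
    return None                                            # truncated file: no EOI

def trailing_data(data):
    """Bytes after EOI: an image viewer never looks here, a hex editor does."""
    end = jpeg_end(data)
    return None if end is None else bytes(data[end:])

def quant_tables(data):
    """{table_id: 64 values} from every DQT segment, the encoder's clearest fingerprint."""
    tables = {}
    for marker, payload in jpeg_segments(data)[0]:
        i = 0
        while marker == 0xDB and i < len(payload):
            precision, tid = payload[i] >> 4, payload[i] & 0x0F
            fmt = ">64H" if precision else "64B"               # 16-bit tables exist for 12-bit JPEG
            tables[tid] = list(struct.unpack_from(fmt, payload, i + 1))
            i += 1 + struct.calcsize(fmt)
    return tables

def marker_layout(data):
    """Marker order with APPn identifiers: the header region the author compared byte-for-byte."""
    out = []
    for m, payload in jpeg_segments(data)[0]:
        name = MARKER_NAMES.get(m, "0x%02X" % m)
        if 0xE0 <= m <= 0xEF:
            name += "/" + payload.split(b"\x00", 1)[0].decode("ascii", "replace")
        out.append(name)
    return out

def same_encoder_fingerprint(a, b):
    """Same marker layout and identical quantization tables: the same program at
    the same quality setting (or two programs sharing one JPEG library)."""
    return marker_layout(a) == marker_layout(b) and quant_tables(a) == quant_tables(b)

def seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

SAMPLE_DQT = list(range(1, 65))                                # constructed, not a real table
THUMB = b"\xff\xd8" + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9"
SAMPLE_JPEG = (b"\xff\xd8"
               + seg(0xE0, b"JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00")
               + seg(0xE1, b"Exif\x00\x00" + THUMB)              # APP1 carrying a thumbnail
               + seg(0xDB, bytes([0x00]) + bytes(SAMPLE_DQT))
               + seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
               + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x8a\xff\x00\x21\xff\xd0\x7c\xd9"             # scan data: stuffed FF00, RST0, a bare D9
               + b"\xff\xd9")
APPENDED = b"pw=goodtimes\r\n"                                   # what the suspect tacked on
```

Quantization tables identify an encoder at a given quality setting, so identical tables and marker order between the recovered image and a file saved from a candidate program are stronger evidence than a visual match of the first bytes. The limit is that two different programs built on the same JPEG library can produce identical headers, so this narrows the field of candidates rather than proving which program was used.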

Appendix A: recovered schedule (Scheduled Visits.xls)

Month / Day (weekday number) / High School (school code)
2002
April
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
May
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
June
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)

Command reference

./dls -f fat12 ./image 33-72 > test.doc
./fsstat -f fat ./image
./dcat -f fat image 73-103 15872 > i
./dcat -f fat image 104-109 3072 > o