Solutions for Scan 24
by Daniel B. Sedory
The Questions, and the Answers submitted by this investigator :
Obtained from the
MS-Word Document file
"Jimmy Jungle.doc" which had been deleted, but all the data was left intact on the floppy
diskette. Looking at the
Directory's raw data for the Long File Name, shows that this is indeed the
name of the file (which means JIMMYJ~1.DOC is the correct Short or DOS 8.3
- Who is Joe Jacob's supplier of marijuana and what is the address listed
for the supplier?
626 Jungle Ave
Jungle, NY 11111
The document is signed, "Joe" (very likely, Joe
Jacobs, since the diskette was found in his house per the police report), says that
one "Jimmy Jungle"
was growing his own marijuana and selling it to Joe who also implicates himself in the sale of marijuana to high school
students in this letter.
What crucial data is available within the cover page.jpg file and why is
this data crucial?
The phrase "pw=goodtimes"
can clearly be seen near the end of this file. This turns out to be the
"Scheduled Visits.xls" from the disguised PKZIP file on the diskette.
(The fact that this JFIF pic states that Jimmy Jungle is a "featured
pot grower, smoker and seller"
certainly corroborates the evidence found in the .doc file.)
As referenced in "Jimmy Jungle.doc" by the statement: "To open it, use the same password
that you sent me
before with that file." ("That file"
being "cover page.jpg").
[ I'm assuming that this question means "crucial" in so far as
able to turn the data
over to the police as soon as possible, because PKZIP password cracking programs
are available; even as public downloads from the Internet. Although PKZIP
passwords do not use the strongest encryption possible, it can, however, take
a long time to crack them. ]
What (if any) other high schools besides Smith Hill does Joe Jacobs
From the file,
"Scheduled Visits.xls" you will also find these schools listed:
Key High School, Leetch High School, Birard High School, Richter High
School and Hull High School.
For each file, what processes were taken by the suspect to mask them from
"Jimmy Jungle.doc" --- was only "deleted"
(or "erased"), but not destroyed; luckily
none of the data was overwritten before we acquired the diskette.
"cover page.jpg" --- was somehow changed to:
" (which is .jpgc followed by 11 spaces). This is an illegal
file name; although you can have many spaces in a Long File Name (LFN), you
cannot end a filename with even a single space. Trying to do
so under MS-Windows 9x Explorer, for example, will result in a filename with
no trailing spaces without any warning; it just drops them automatically. Besides that, the value
for the Beginning Cluster location of the file on the diskette was changed
from 42 to 420 (see this page: For a color illustration
of this file's faulty Directory entry). Lastly, the file
size may have been changed in an attempt to keep others from copying the
password to other media.
"Scheduled Visits.zip" --- which contains the PKZIP
password protected file "Scheduled Visits.xls" was renamed
to "Scheduled Visits.exe "
(the .exe is followed by 6 trailing spaces quite similar to how the .JPG
file was changed). Supposedly in an
attempt to hide the fact
that this file is really a ".ZIP" file (it is not a
self-extracting ZIP file). Its creator went one step further
and changed the file size to only 1000 bytes; instead of the correct size of at
least 2,420 bytes.
Under normal circumstances (especially with so many free entries left in this diskette's Root Directory), any renaming of a file
(using MS-Windows/DOS) would cause a new and separate entry to be created and the original entry to be deleted (with E5 bytes placed in the
appropriate locations). Furthermore, the checksum bytes for such a
change in the DOS filename to "SCHEDU~1.EXE" would be 55 hex,
they are still set to 9E hex ( the correct checksum for
"SCHEDU~1.ZIP"). This proves that something other than
the normal MS-DOS commands or Windows OS interface was used to make
otherwise illegal data entries at
the byte level. Therefore, it's my conclusion that the Directory entries for
these last two files must have been changed with a disk editor or
similar utility program.
What processes did you (the investigator) use to successfully examine the
entire contents of each file?
(with my eyes) the image file in a hex editor (plenty
easy to do since most of the diskette was not being used; all F6-byte
sectors at the end, except for the very last sector which was all zero
I quickly noted that there was a deleted
file entry in the Directory (sector 19), but the important data (who was Joe's
supplier, etc.) was clearly visible in even a text editor (in order to ensure that none of
the deleted file had
been damaged, I needed to use a DOS UNERASE program on a diskette made from the
image file; those who use special forensic programs may have been able to do
so with just the image file).
After noticing the bytes "PK" at the beginning of a sector in
the image file and seeing that the last used sector (just
before all the F6-byte sectors)
had a PK filename listing in it, I simply copied all the bytes from the "PK"
signature to the end of the last used sector (only five sectors in total;
2,560 bytes) from my hex editor to a new file with a .ZIP extension. I was
immediately able to see that there was one file inside it, and since I had
already guessed that the phrase I saw at the end of the previous file ("pw=goodtimes")
during my scan was a password, I tried it out and got a copy of "Scheduled Visits.xls"
which, even in a text editor, clearly shows all the high schools that "Joe" was visiting.
( Note: If the .ZIP had not opened
correctly the first time, I could have used a program called PKZIPFIX to see
if that fixed it. I later ran the program against the copy I had made, and found that the original file size was most likely 2,420
eyeballing the image file, I had also noticed the signature "JFIF"
near the beginning of a sector. The contents of the .DOC file mentioned a pic
as well, so I copied all of the bytes from this sector to the end of the
sector just before the sector that started the .ZIP file, set the extension to
.JPG and quickly viewed the picture! Later on I
was able to prove that the picture could be viewed with as little as 15,585
bytes (which is the file length shown in its Directory entry), but I suspect that
this may have been changed as well, since doing so would keep
anyone from ever
seeing the PKZIP password that was embedded in the end of
the file if they didn't copy at least 15,660 bytes of it.
After noting all of
the changes which were made to these file entries, I concluded that a disk editor
or some other low-level utility must have been used to change specific bytes in these entries.
Tools used by this investigator (in order of importance):1. Hex Editor:
FRee Hex EDitor (FRHED).
2. An old DOS version of the Norton Utilities' UNERASE program;
the UNERASE program from an old MS-DOS version could have been used instead.
3. Disk Editor: Old DOS version of Norton Utilities' DiskEdit to check
and obtain some more info about the FAT and Directory entries on the diskette.
4. Text Editors: A free text editor called The GUN
Notepad) to open the image file and quickly read TEXT strings in it; you do not need this if you're running Win2000
/ NT, since NOTEPAD
in those versions can open very large files!
5. PKZIP package 2.04g for PKZIPFIX: Not really necessary
in this case, but could have been useful if the ZIP file had been damaged. I
used it to find what I consider to be the original file length of the .ZIP file.
Submitted by: Daniel B. Sedory
Computer Consultant / Technician
This form page can be used to send me email: