October 2002 Scan of the Month Analysis

Analysis by Jason Scheuerman mt@null.net
October 4th, 2002

Summary:

The police have imaged a suspected drug dealer's floppy disk and have provided a copy. They would like to examine the floppy disk and provide answers to the following questions:

I changed the order of the questions, since this is the order in which they had to be answered. Starting with almost no working knowledge of disk image files, FAT, JPEG and ZIP formats, the majority of my analysis time went into learning about these things.

Tools:

The tools used to analyze the challenge consisted mostly of freeware and shareware tools found on the internet:

UltraEdit
WinHex
Floppy Image
MD5 Checksum
Calc.exe


Questions:

What processes were used to successfully examine the entire contents of each file?

Analyzing the disk

It was extremely helpful to understand how the data on a 1.44 MB FAT12 floppy is laid out (512-byte sectors, one sector per cluster, 224 root directory entries of 32 bytes each):

DOS boot sector             1 sector        starts at offset 0h
File Allocation Table #1    9 sectors       starts at offset 200h
File Allocation Table #2    9 sectors       starts at offset 1400h
Root directory              14 sectors      starts at offset 2600h
Data section                rest of disk    starts at offset 4200h (cluster 2)

A file whose directory entry gives first cluster N therefore starts at byte offset 4200h + (N - 2) * 200h. Deleting a file clears its FAT chain and marks its directory entry, but does not touch these data bytes.

I copied the image onto a floppy using Floppy Image and opened the disk in WinHex. I then used the directory browser to jump to the root directory entries on the floppy to find out what files were there.

00002600h: E5 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF ; d.o.c.....
00002610h: FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF ; ..
00002620h: E5 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00 ; J.i.m.m.y... .
00002630h: 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 ; J.u.n.g.l...e...
00002640h: E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 ; IMMYJ~1DOC .h8f
00002650h: 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 ; +-+-..Ou,...P..
00002660h: 42 67 00 63 00 20 00 20 00 20 00 0F 00 F4 20 00 ; Bg.c. . . ... .
00002670h: 20 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 ;  . . . . ... . .
00002680h: 01 63 00 6F 00 76 00 65 00 72 00 0F 00 F4 20 00 ; .c.o.v.e.r... .
00002690h: 70 00 61 00 67 00 65 00 2E 00 00 00 6A 00 70 00 ; p.a.g.e.....j.p.
00002700h: 43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46 ; COVERP~1JPG .mMF
00002710h: 2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00 ; +-+-..C+-.<..
00002720h: 42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00 ; Bi.t.s...e...x.
00002730h: 65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00 ; e. . . . ... . .
00002740h: 01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00 ; .S.c.h.e.d...u.
00002750h: 6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00 ; l.e.d. .V...i.s.
00002760h: 53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46 ; SCHEDU~1EXE .SSF
00002770h: 2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00 ; +-+-..B,I....
00002780h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00002790h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

There are three files that are contained on the disk:

  1. Jimmy Jungle.doc 
  2. Cover Page.jpg
  3. Scheduled Visits.exe

Recovering Jimmy Jungle.doc

Jimmy Jungle.doc appears to have been simply deleted. This does not mean, however, that the file is gone. The first character of its directory entry has been changed to E5h, which is how DOS marks a deleted entry. The clusters the file occupied are simply marked as available in the FAT, but the data is probably still there.

The deleted entry still carries the file's first cluster (02 00, i.e. cluster 2, the very start of the data section at 4200h) and its size (00 50 00 00, i.e. 5000h = 20480 bytes). WinHex let me jump to 4200h, and the file ran through offset 91FFh. (Deleting a file also clears its FAT chain, so this assumes the file was stored contiguously; for a 20 KB file on an otherwise nearly empty floppy that is a safe bet.)

Using UltraEdit, I copied that range of data (4200h - 91FFh) into a new file, named it Jimmy Jungle.doc and saved it to my local hard drive. I then opened it with Microsoft Word and voilà!

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

Jimmy: 

Dude, your pot must be the best it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.

These kids, they tell me marijuana isnt addictive, but they dont stop buying from me. Man, Im sure glad you told me about targeting the high school students. You must have some experience. Its like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. Im an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!

I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.  Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.

Thanks,

Joe

We find out the grower's address. We also find proof that the suspect has been selling marijuana to high school kids (which we already knew).

Recovering Cover Page.jpg

I attempted to use the same jump-and-copy method for Cover Page.jpg. Its directory entry gives a first cluster of 01A4h, which puts the data at 4200h + (1A4h - 2) * 200h = 38600h, and a size of 3CE1h = 15585 bytes, so the file should have occupied 38600h - 3C2E0h. When I jumped there with WinHex, that range held roughly 15 KB of nothing.

Assuming that the data must be somewhere on the disk, I did some research on the JPEG file format.

JFIF-format JPEG files start with the Start of Image (SOI) marker FF D8, followed by an APP0 segment that carries the "JFIF" identifier:

FF D8 FF E0 00 10 4A 46 49 46 00

I performed a search of the image for that particular string of bytes and found it at offset 9200h, immediately after the end of Jimmy Jungle.doc (the start of cluster 42). Apparently the suspect had used some program to put the file somewhere other than where its directory entry said it was.

JPEG files end with an End of Image (EOI) marker of FF D9, which I found at offset CEDFh (the D9 byte is at CEE0h).

So I copied all the data from the header through the EOI marker (9200h - CEE0h) to a file and got the picture out.

However, the picture was of no value in itself. What mattered was the size recorded in the directory entry. Directory entries are written as follows:

Offset          Value
00h - 07h       File name, space padded
08h - 0Ah       Extension
0Bh             Attributes (0Fh marks a long-file-name entry)
0Ch - 15h       Reserved, creation and last-access stamps (on FAT32 also the high word of the first cluster; zero here)
16h - 17h       Time of last write
18h - 19h       Date of last write
1Ah - 1Bh       First cluster
1Ch - 1Fh       File size in bytes

All multi-byte fields are stored little-endian, low byte first.
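An added example, not part of the original analysis, that applies the layout above to the directory bytes from the dump: it decodes the little-endian first-cluster and size fields, turns a cluster number into a byte offset on this image (data area at 4200h, one 512-byte sector per cluster, which the offsets quoted in this writeup confirm), reassembles long file names from the 0Fh entries, and uses the checksum byte that every long-name entry carries (byte 13, a checksum of the 8.3 name) to recover the first character that the E5h deletion mark overwrote. The entries are transcribed from the dump above; the two long-name entries for Cover Page.jpg are left out, so that file is reported by its short name only.

```python
SECTOR = 512
DATA_START = 0x4200   # offset of cluster 2 on this 1.44 MB FAT12 image

# Root-directory entries (32 bytes each) transcribed from the hex dump in the writeup.
ENTRIES = bytes.fromhex(
    # deleted long-name fragment: "doc"
    "E5 64 00 6F 00 63 00 00 00 FF FF 0F 00 BC FF FF"
    "FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF"
    # deleted long-name fragment: "Jimmy Jungle."
    "E5 4A 00 69 00 6D 00 6D 00 79 00 0F 00 BC 20 00"
    "4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00"
    # deleted 8.3 entry: ?IMMYJ~1.DOC, first byte overwritten with E5h
    "E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46"
    "2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00"
    # 8.3 entry: COVERP~1.JPG (its long-name entries are not included here)
    "43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46"
    "2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00"
    # long-name fragments: "its.exe" then "Scheduled Vis"
    "42 69 00 74 00 73 00 2E 00 65 00 0F 00 9E 78 00"
    "65 00 20 00 20 00 20 00 20 00 00 00 20 00 20 00"
    "01 53 00 63 00 68 00 65 00 64 00 0F 00 9E 75 00"
    "6C 00 65 00 64 00 20 00 56 00 00 00 69 00 73 00"
    # 8.3 entry: SCHEDU~1.EXE
    "53 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46"
    "2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00"
    + "00" * 64      # two zero entries: end of directory
)

def cluster_offset(cluster):
    """Byte offset of a data cluster on this image (one sector per cluster)."""
    return DATA_START + (cluster - 2) * SECTOR

def sfn_checksum(short11):
    """Checksum of an 11-byte 8.3 name, as stored in byte 13 of each long-name entry."""
    s = 0
    for c in short11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def lfn_text(e):
    """The 13 UTF-16 characters of a long-name entry, cut at the U+0000 terminator."""
    raw = e[1:11] + e[14:26] + e[28:32]
    return raw.decode("utf-16-le", "replace").split("\x00", 1)[0]

def recover_first_char(short11, want):
    """Candidate first bytes for a deleted 8.3 name whose long-name checksum is `want`."""
    return [chr(c) for c in range(0x21, 0x7F)
            if sfn_checksum(bytes([c]) + short11[1:]) == want]

def parse_root_dir(buf):
    files, fragments = [], []
    for off in range(0, len(buf), 32):
        e = buf[off:off + 32]
        if e[0] == 0x00:                     # free entry: nothing follows
            break
        if e[11] == 0x0F:                    # long-name entry; stored last fragment first
            fragments.append((lfn_text(e), e[13]))
            continue
        deleted = e[0] == 0xE5
        short11 = bytes(e[:11])
        name8 = (b"?" + short11[1:8]) if deleted else short11[:8]
        cluster = int.from_bytes(e[26:28], "little")
        size = int.from_bytes(e[28:32], "little")
        rec = {
            "short": name8.decode("latin-1").rstrip() + "." + short11[8:].decode("latin-1").rstrip(),
            "long": "".join(t for t, _ in reversed(fragments)).rstrip(" "),
            "deleted": deleted,
            "cluster": cluster,
            "size": size,
            "start": cluster_offset(cluster),
            "end": cluster_offset(cluster) + size - 1,
            "checksum_ok": bool(fragments) and sfn_checksum(short11) == fragments[0][1],
        }
        if deleted and fragments:
            rec["first_char_candidates"] = recover_first_char(short11, fragments[0][1])
        files.append(rec)
        fragments = []
    return files

if __name__ == "__main__":
    for f in parse_root_dir(ENTRIES):
        print(("deleted " if f["deleted"] else "") + f["short"], repr(f["long"]),
              "cluster %#x -> %#x-%#x (%d bytes)" % (f["cluster"], f["start"], f["end"], f["size"]),
              "lfn checksum ok:", f["checksum_ok"],
              "first char:", f.get("first_char_candidates", "-"))
```

Run as a script it prints one line per file. For the deleted entry, the candidates that reproduce the stored checksum BCh include J, giving JIMMYJ~1.DOC. SCHEDU~1.EXE as printed in the dump does not reproduce the 9Eh carried by its long-name entries, so the script reports checksum ok: False for it; whether that is a transcription slip in the dump or a sign that the entry was edited by hand cannot be settled from the page.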

The file size written in the directory entry for this file was E1 3C 00 00.

Read low byte first, that is 00003CE1h, which calc.exe converts to 15585. Counted from the SOI at 9200h, 15585 bytes end at CEE0h, exactly at the second byte of the EOI marker, so the size field and the image agree. The disk, however, hands out space in whole 512-byte clusters, and the last cluster of the file (CE00h - CFFFh) is not empty after the image ends. This is slack space that the file size does not cover, and the rest of the block after the EOI marker looked like this:

0000ced0h: A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 ff ; .(.(.(.
0000cee0h: D9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ...............
0000cef0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf00h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf10h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf20h: 70 77 3D 67 6F 6F 64 74 69 6d 65 73 00 00 00 00 ; pw=goodtimes....
0000cf30h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf40h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
0000cf50h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

"pw= goodtimes"? Very interesting!  Looked like a password to me so I wrote it down. 

<Red Herring> I speculated that the suspect had used a steganography program to imbed some data in the picture and this was a password for the encrypted data embeded therein.  Without knowing which program was used, the password would be useless. </Red Herring>

Recovering Scheduled Visits.exe:

This file was where the FAT said it would be: when I jumped to the entry's first cluster in WinHex (49h, i.e. offset D000h), there was data there at D000h - D3E7h.

0000d000h: 50 4B 03 04 14 00 01 00 08 00 98 5A B7 2C 27 55 ; PK........Z,U
0000d010h: 60 8D EA 08 00 00 00 42 00 00 14 00 00 00 53 63 ; `....B......Sc
0000d020h: 68 65 64 75 6c 65 64 20 56 69 73 69 74 73 2e 78 ; heduled Visits.x
0000d030h: 6C 73 94 C8 31 2A E3 49 0B DB A8 10 C2 70 9D FC ; ls..1*.I.....p..

...

It didn't look like an executable; it looked like a PK ZIP archive (local file header signature 50 4B 03 04) holding a file named "Scheduled Visits.xls", a Microsoft Excel spreadsheet. The general-purpose flag word that follows the version field reads 01 00, and bit 0 of that word marks the entry as encrypted, so the archive was password protected. I was betting that this is what the password was for.

I tried the copy-to-file method I had used with the others (copying the bytes exactly to a new file on my hard drive); however, when I tried to open it with WinZip, an error came up saying that the file was corrupted.

I opened WinHex again and looked at the directory entry. The directory entry for Scheduled Visits.exe had a file size of E8 03 00 00, i.e. 03E8h = 1000 bytes. I jumped to the data area and saw that there was still more data after the 1000 bytes specified by the directory entry.

It appeared to go all the way down to offset D96Fh. But how do I know whether the 00h bytes at the end are part of the ZIP file or not?

I guessed that .ZIP files probably had an "end of ZIP" marker just like JPEGs, so I copied everything to the end of the sector where there was still data (D000h - D9FFh) and hoped that WinZip would just read it.

WRONG! Corrupt file error.

Question:
How do we know where to cut off the data?

Solution:
I created a spreadsheet in Microsoft Excel with some dummy information in it and named it Scheduled Visits.xls. I then created a ZIP file with a password of "goodtimes" and put my new spreadsheet in it.

Then I looked at my newly created file with my hex editor (UltraEdit) and saw that the file ended with four bytes of 00h.

Looking at the D800h - D9FFh block I saw that the file appeared to end in this block.  From D970h to D9FFh all the characters were 00h and after that it was all the nothingness (probably the  blank data area).

I then copied all the data from D000h - D973h (so that the file ended with the four 00h bytes) to a new file, wrote it to my hard drive as Scheduled Visits.exe and opened it with WinZip.

(The landmark is not arbitrary. A ZIP archive ends with the end of central directory record, signature 50 4B 05 06, whose last fields are the 4-byte offset of the central directory and the 2-byte length of an optional archive comment. For a small archive with no comment, the upper two bytes of that offset and the comment length are all 00h, which is where the four trailing zero bytes come from. Searching backwards for 50 4B 05 06 and adding 22 bytes plus the comment length gives the true end of the archive without guessing.)

Ta da!!

I had a working winzip file with one file inside.... Scheduled Visits.xls.

When I tried to extract it, I was prompted for a password. I put in 'goodtimes' and the spreadsheet opened.
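The cut-off arithmetic, as an added example that is not part of the original analysis. It decodes the local file header transcribed from the dump at D000h (flags, method, sizes, file name, timestamp), computes where the compressed data ends, and predicts the end of a one-entry archive from the fixed sizes of the central directory header and the end of central directory (EOCD) record. It then shows the general method, locating the EOCD signature 50 4B 05 06 and adding its 22 bytes plus the comment length, on a constructed archive written by Python's zipfile module (unencrypted, since zipfile cannot write passwords) and padded with zeros as it would be on the floppy.

```python
import io
import random
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CLUSTER = 512

# First 50 bytes of the data area at D000h, transcribed from the hex dump in the writeup:
# the local file header and the 20-byte file name. The rest of the archive is not on the page.
LOCAL_HEADER_FROM_DUMP = (
    b"PK\x03\x04\x14\x00\x01\x00\x08\x00\x98\x5a\xb7\x2c"
    b"\x27\x55\x60\x8d\xea\x08\x00\x00\x00\x42\x00\x00\x14\x00\x00\x00"
    b"Scheduled Visits.xls"
)

def dos_datetime(mdate, mtime):
    """Decode the MS-DOS date/time pair that ZIP headers share with FAT directory entries."""
    return (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

def parse_local_header(buf, off=0):
    """Decode the 30-byte local file header at `off` and locate its compressed data."""
    if buf[off:off + 4] != b"PK\x03\x04":
        raise ValueError("no local file header at %#x" % off)
    (_ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)
    data_start = off + 30 + nlen + xlen
    return {
        "name": buf[off + 30:off + 30 + nlen].decode("cp437"),
        "encrypted": bool(flags & 0x0001),       # bit 0: traditional PKWARE encryption
        "has_descriptor": bool(flags & 0x0008),  # bit 3: sizes stored after the data instead
        "method": method,                        # 8 = deflate
        "modified": dos_datetime(mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,                # for an encrypted entry this includes its 12-byte header
        "uncompressed_size": usize,
        "data_start": data_start,
        "data_end": data_start + csize,
    }

def predict_single_entry_end(base, hdr):
    """Exclusive end of a one-file archive starting at `base`: the data, the 46-byte central
    directory header plus the name, and the 22-byte EOCD record. Assumes no extra field
    or comment in the central directory."""
    if hdr["has_descriptor"]:
        raise ValueError("sizes live in a data descriptor; cannot predict from the header")
    return base + hdr["data_end"] + 46 + len(hdr["name"].encode("cp437")) + 22

def find_true_end(buf):
    """Exclusive end of the archive: the last EOCD record plus its optional comment."""
    pos = buf.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    comment_len = struct.unpack_from("<H", buf, pos + 20)[0]
    return pos + 22 + comment_len

def carve_zip(buf):
    return buf[:find_true_end(buf)]

def archive_entries(blob):
    """Entry names if `blob` is a readable archive, else None (what WinZip reported as corrupt)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return None

def read_entry(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.read(name)

def make_sample_archive():
    """Constructed one-file archive (unencrypted: zipfile cannot write passwords) with
    incompressible content, so that like the real one it is far longer than 1000 bytes."""
    rng = random.Random(2002)
    payload = bytes(rng.randrange(256) for _ in range(2000))
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Scheduled Visits.xls", payload)
    return bio.getvalue(), payload

if __name__ == "__main__":
    hdr = parse_local_header(LOCAL_HEADER_FROM_DUMP)
    print(hdr["name"], "encrypted:", hdr["encrypted"], "modified:", hdr["modified"])
    print("compressed data at %#x-%#x" % (0xD000 + hdr["data_start"], 0xD000 + hdr["data_end"] - 1))
    end = predict_single_entry_end(0xD000, hdr)
    print("predicted end of archive: %#x (last byte %#x)" % (end, end - 1))
    archive, payload = make_sample_archive()
    on_disk = archive + b"\x00" * (-len(archive) % CLUSTER)     # zero-filled to the cluster end
    print("cut at 1000 bytes:", archive_entries(on_disk[:1000]))
    print("cut at EOCD:", archive_entries(carve_zip(on_disk)), "intact:", carve_zip(on_disk) == archive)
```

For the header from the dump the prediction is D974h exclusive, i.e. a last byte at D973h, matching the cut found by trial above; bit 0 of the flags word confirms the entry is encrypted, and the MS-DOS timestamp in the header decodes to 2002-05-23 11:20:48. The prediction assumes the central directory carries no extra field or comment; the EOCD search makes no such assumption and is the check to rely on.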


Who is the dealer's supplier of marijuana and what is the address listed for the supplier?

The answer is contained in Jimmy Jungle.doc:

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111


For each file, what processes were taken by the suspect to mask them from others?

File #1: Jimmy Jungle.doc was masked by simply deleting it. The first character of its directory entry was changed to E5h, which is how DOS marks a deleted entry, and the clusters it occupied were marked as available in the FAT, but the data was still there.

File #2: Cover Page.jpg was masked through misdirection. The first-cluster field in its directory entry (01A4h, which maps to offset 38600h) led to a blank area on the disk, while the image data itself sat at 9200h.

File #3: Scheduled Visits.exe was masked through truncation. The file size in its directory entry (1000 bytes) was deliberately shorter than the real length of the archive, so a normal ZIP reader, or anyone copying the file off the disk, got only the first 1000 bytes and a corrupt-file error.


What crucial data is available within the coverpage.jpg file and why is this data crucial? 

Cover Page.jpg had additional data after the End of Image marker, in the slack space of its last cluster. Its directory entry gives a size of 3CE1h = 15585 bytes, which from 9200h runs exactly through the EOI marker at CEE0h, so nothing past that point is covered by the file size. At CF20h, inside the same 512-byte cluster, the slack holds:

0000cf20h: 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 ; pw=goodtimes....

That string was the password used to protect the contents of Scheduled Visits.exe; without it the spreadsheet inside could not be opened. The full dump of the slack is shown above under Recovering Cover Page.jpg.


What (if any) other high schools besides Smith Hill does the dealer frequent?

Five: Key, Leetch, Birard, Richter and Hull High Schools. Below is the list of high schools visited, by day, recovered from Scheduled Visits.xls inside Scheduled Visits.exe (the password-protected ZIP file).

2002
Month  Day  High School
April Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
May
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)
Monday (1) Hull High School (F)
Tuesday (2) Smith Hill High School (A)
Wednesday (3) Key High School (B)
Thursday (4) Leetch High School (C)
Friday (5) Birard High School (D)
Monday (1) Richter High School (E)
Tuesday (2) Hull High School (F)
Wednesday (3) Smith Hill High School (A)
Thursday (4) Key High School (B)
Friday (5) Leetch High School (C)
June
Monday (1) Birard High School (D)
Tuesday (2) Richter High School (E)
Wednesday (3) Hull High School (F)
Thursday (4) Smith Hill High School (A)
Friday (5) Key High School (B)
Monday (1) Leetch High School (C)
Tuesday (2) Birard High School (D)
Wednesday (3) Richter High School (E)
Thursday (4) Hull High School (F)
Friday (5) Smith Hill High School (A)
Monday (1) Key High School (B)
Tuesday (2) Leetch High School (C)
Wednesday (3) Birard High School (D)
Thursday (4) Richter High School (E)
Friday (5) Hull High School (F)
Monday (1) Smith Hill High School (A)
Tuesday (2) Key High School (B)
Wednesday (3) Leetch High School (C)
Thursday (4) Birard High School (D)
Friday (5) Richter High School (E)


What Microsoft program was used to create the Cover Page file and what is your proof ?

Answer:  The Coverpage.jpg file was created using Microsoft Paint version 5.0

Theory: Each image creation/editing program implements the JPEG/JFIF standard a little differently.

Every JPEG starts with the Start of Image (SOI) marker FF D8. JFIF files, the common case, follow it with the APP0 segment that carries the "JFIF" identifier, which is the signature searched for above:

FF D8 FF E0 00 10 4A 46 49 46 00

The entropy-coded image data proper begins after the Start of Scan (SOS) marker:

FF DA

Between the SOI and the SOS marker is information on how to decode the picture -- construction information. It includes the Huffman tables (DHT, FF C4), the quantization tables (DQT, FF DB), the frame header (SOFn, FF C0 - FF CF) and other information about how the image was constructed. (All stuff I don't pretend to understand.) It may also include application-specific data markers (APPn, FF E0 - FF EF) and comment markers (COM, FF FE).

There are various ways to construct a JPEG image and various ways of implementing the JFIF specification. Consequently, each software package that constructs JPEG images does so in its own way. A lot of image software uses the application-specific data markers and comment markers to record that a particular image was created with that software.


For example, in a JPEG file created with Adobe Photoshop 5.0, the software writes a comment marker (FF FE) with the data:

File written by Adobe Photoshop 5.0

So we know that such a file was written by Adobe Photoshop 5.0.

Sample:

000001c0h: 00 00 FF FE 00 26 46 69 6C 65 20 77 72 69 74 74 ; ...&File writt
000001d0h: 65 6e 20 62 79 20 41 64 6F 62 65 20 50 68 6F 74 ; en by Adobe Phot
000001e0h: 6f 73 68 6F 70 A8 20 35 2E 30 FF EE 00 0E 41 64 ; oshop 5.0..Ad 


Some software packages are not identified this way. They have no such comments to identify themselves (as is the case with our unknown sample, coverpage.jpg). However, since each software package builds these construction headers in its own way, it should be possible to develop a fingerprint of how a particular program creates the headers of any JPEG file and then compare it to the header from coverpage.jpg (just like the police compare human fingerprints).

Proof (by comparison):
I downloaded several freeware and shareware image applications, and several images known to have been created by other commercial software packages. I then used UltraEdit to compare the construction header of coverpage.jpg with the header each application writes when it saves the image, looking for characteristics of each program. The three criteria I chose were whether the program writes identifying comments, the length of the construction header, and the contents of the quantization table.

Note: I would have to spend more time to determine with greater certainty that all other image editing applications could be ruled out. I would also have to compare headers across versions of the same application with different builds and patches, but it could be done.

Applications Tested:

Package                              Identifying comments?   Header length   Quantization table                      Possibility of match
Unknown (coverpage.jpg)              None                    609 bytes       67 bytes - repeats 32h after 17 bytes   (reference)
ACD See 5.0                          Yes                     528 bytes       96 bytes                                < 50%
LView Pro 2002                       No                      331 bytes       Match                                   < 50%
Paint Shop Pro 7.04                  No                      609 bytes       67 bytes - repeats 1Eh after 17 bytes   97.21%
Photoshop 5.0                        Yes                     986 bytes       132 bytes                               < 50%
Vic Man's Photo Editor 6.999 (beta)  No                      609 bytes       67 bytes - repeats 28h after 17 bytes   97.21%
Microsoft Paint 5.0                  No                      609 bytes       Match                                   99.34%
Microsoft PictureIt! 2000            No                      609 bytes       67 bytes - repeats 14h after 17 bytes   97.21%
Microsoft PowerPoint                 Yes                     416 bytes       Match                                   < 50%

Conclusion:

Since the question asked which Microsoft program was used to create the file, I concluded that Microsoft Paint 5.0 was the program. Microsoft has only a few products that create and edit images, and of these only Microsoft Paint came within 1% of the unknown.

The only difference between the Microsoft Paint 5.0 output and the unknown file was the four bytes at 0Eh - 11h, the X and Y pixel density fields of the JFIF APP0 segment. The build I was using consistently wrote 012Ch (300) for both values on every image; the unknown file had 0060h (96), and I have not been able to account for this. The value may be controlled by a setting in the Windows registry, or may differ in earlier builds of MS Paint 5.0.
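An added example, not from the original analysis, that puts the header walk described in this section into code and also serves the Cover Page.jpg recovery above. Instead of searching for FF D9 it walks the marker segments up to the SOS marker, skips stuffed FF 00 bytes and restart markers in the entropy-coded data, and stops at the real EOI; that gives the true end of the image, from which the slack up to the cluster boundary is extracted and searched for printable strings. It also collects the three features compared in the table above (header length up to SOS, quantization tables, comment text) plus the APP0 density fields at 0Eh - 11h. The images it runs on are constructed here (a deliberately minimal JFIF stream that viewers may refuse to render) and the slack note pw=goodtimes is planted to mirror the finding on the real disk; nothing here is the real disk image.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
CLUSTER = 512     # one sector per cluster on this floppy; slack runs to the cluster end

def _seg(marker, payload):
    """One marker segment: FF <marker> <2-byte length including itself> <payload>."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def build_jfif(density, comment=None):
    """Constructed, deliberately minimal JFIF stream (tiny tables, a fake 8x8 scan).
    Viewers may refuse it; it only exercises the parser. `density` lands at 0Eh-11h."""
    app0 = b"JFIF\x00\x01\x01\x01" + density.to_bytes(2, "big") * 2 + b"\x00\x00"
    dqt = b"\x00" + bytes(range(1, 65))                # table 0, 64 entries
    sof0 = b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"      # 8-bit, 8x8, one component
    dht = b"\x00" + bytes([1] + [0] * 15) + b"\x00"     # one-symbol DC table
    scan = b"\x12\xFF\x00\x34\xFF\xD7\x56"             # a stuffed FF 00 and an RST7 marker
    out = bytes([0xFF, SOI]) + _seg(0xE0, app0)
    if comment is not None:
        out += _seg(0xFE, comment)
    out += _seg(0xDB, dqt) + _seg(0xC0, sof0) + _seg(0xC4, dht)
    return out + _seg(SOS, b"\x01\x01\x00\x00\x3F\x00") + scan + bytes([0xFF, EOI])

def jpeg_profile(buf, start=0):
    """Walk the JPEG at `start`: return its construction-header profile (the features
    the writeup compared between programs) and the offset just past the EOI marker."""
    if buf[start:start + 2] != bytes([0xFF, SOI]):
        raise ValueError("no SOI at %#x" % start)
    prof = {"app_markers": [], "comments": [], "dqt": [], "density": None}
    i = start + 2
    while True:                                   # header segments, through SOS
        if buf[i] != 0xFF:
            raise ValueError("expected a marker at %#x" % i)
        marker = buf[i + 1]
        length = int.from_bytes(buf[i + 2:i + 4], "big")
        payload = buf[i + 4:i + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            prof["app_markers"].append(marker)
            if marker == 0xE0 and payload[:5] == b"JFIF\x00":
                prof["density"] = (int.from_bytes(payload[8:10], "big"),
                                   int.from_bytes(payload[10:12], "big"))
        elif marker == 0xFE:
            prof["comments"].append(payload.decode("latin-1"))
        elif marker == 0xDB:
            prof["dqt"].append(bytes(payload))
        i += 2 + length
        if marker == SOS:
            break
    prof["header_len"] = i - start                # bytes before the entropy-coded data
    # Inside the scan, FF 00 is a stuffed data byte and FF D0-D7 are restart markers;
    # any other FF xx is a real marker and only FF D9 ends the image. A plain search
    # for FF D9 can instead stop early at one embedded in an APPn thumbnail.
    while i + 1 < len(buf):
        nxt = buf[i + 1]
        if buf[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            if nxt == EOI:
                prof["end"] = i + 2
                return prof
            i += 2 + int.from_bytes(buf[i + 2:i + 4], "big")   # e.g. a DHT before another scan
            continue
        i += 1
    raise ValueError("no EOI found")

def printable_strings(data, minlen=4):
    """ASCII runs of at least `minlen` bytes, as a strings tool would list them."""
    out, run = [], bytearray()
    for b in bytes(data) + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def carve_jpeg(disk):
    """First JPEG in `disk`: (start, end, strings found in its cluster slack, profile)."""
    start = disk.find(bytes([0xFF, SOI, 0xFF]))
    if start < 0:
        raise ValueError("no JPEG found")
    prof = jpeg_profile(disk, start)
    end = prof["end"]
    cluster_end = start + -(-(end - start) // CLUSTER) * CLUSTER   # round up to a cluster
    return start, end, printable_strings(disk[end:cluster_end]), prof

def fingerprint(prof):
    """Header length, quantization tables and comments: the three criteria used above."""
    return prof["header_len"], tuple(prof["dqt"]), tuple(prof["comments"])

# Constructed sample region: 37 bytes of unrelated data, the image, then a note left
# in the slack of its last cluster (planted to mirror the finding; not the real disk).
UNKNOWN = build_jfif(density=0x0060)
DISK = b"\x00" * 37 + UNKNOWN + b"\x00" * 30 + b"pw=goodtimes"
DISK += b"\x00" * (37 + CLUSTER - len(DISK))

if __name__ == "__main__":
    start, end, strings, prof = carve_jpeg(DISK)
    print("image %#x-%#x (%d bytes), density %r" % (start, end - 1, end - start, prof["density"]))
    print("slack strings:", strings)
    for name, cand in [("density-only difference", build_jfif(0x012C)),
                       ("with comment", build_jfif(0x012C, b"File written by Adobe Photoshop 5.0"))]:
        print(name, "-> header fingerprint matches:", fingerprint(jpeg_profile(cand)) == fingerprint(prof))
```

Of the two constructed candidates, the one that differs only in the density fields fingerprints identically to the unknown (as Microsoft Paint did above), and the one that adds a Photoshop-style comment does not. Real headers vary in far more ways than this toy stream, so a fingerprint database would also want the Huffman tables and the SOF component layout.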

References:

  1. http://www.manningjames.com/college/sem2/fat12.htm
  2. http://www.garykessler.net/library/file_sigs.html
  3. http://www.geocities.com/dzzie/recovering-files.txt
  4. http://www.obrador.com/essentialjpeg/HeaderInfo.htm
  5. http://www.w3.org/Graphics/JPEG/jfif3.pdf

Acknowledgements:

This being my first submission to the Honeynet project I just wanted to thank the Honeynet team.  This was fun!