The work done involved analysis of a Floppy Disk image, deducing clues left by Mr. Jacobs, and analyzing files located on the Disk image.
Before going in-depth with autopsy, I mounted the floppy image read-only and tried to copy two files off of the disk: "cover page.jpgc" and "schedu~1.exe". Running the file command on the two files reported the following:
cover page.jpgc        :PC formatted floppy with no filesystemI made the assumption that schedu~1.exe was a Zip file with a built-in unzipper, which I'm sure was correct, but I didn't have a Window's machine handy on which to test the untrusted binary. However, the unzip command when attempted, returned an error: "End-of-central-directory signature not found." This led me to believe that the file was not complete for some reason. I made note of this and continued on.
schedu~1.exe:           Zip archive data, at least v2.0 to extract
I was much more confused by the result of "cover page.jpgc". I assumed that there was meant to be a jpg somewhere on the disk, but that the filesystem had been modified, possibly intentially, to mask the file.
I then began my analysis of the disk using Autopsy. After clicking on the File Browsing link, I first noticed the deleted file "Jimmy Jungle.doc" (Figure 1). I checked the Inode information on that deleted Inode (Figure 2), and was suprised when I saw the major difference between the reported Size of the file, and the number of sectors it occupied on the disk. I clicked on the "33" link, and spent a few minutes stepping through the clusters on the disk until I found the end of the file at sector 72. While stepping through the clusters, I knew I was collecting an important piece of evidence when I hit Cluster 38 (Figure 3). I was uncovering a letter to what appeared to be Joe's supplier. Not only did I now have the Supplier's name and address, I was given another important clue: There is a password on the schedule zip file, and it's the same as what was included in the file Jimmy'd sent him. Presumably this was the "Cover Page.jpg" mentioned in the letter and that appeared to be on the disk.
Knowing that the next important piece of evidence to recover appeared to be the "Cover Page.jpg", I turned attention toward recovering that. Checking the Inode information, I was interested to see that the device claimed that the file began on Sector 451, as that is pretty far on the disk, especially for the few number of small files located on the disk. Checking the hex dump for Sector 451 (Figure 4), I quickly noted that this was NOT the header for any JPEG file I'd ever seen. Not to be deterred, I popped open Autopsy's Keyword Search, and searched for the string "JFIF" as I knew that that string appears in the Header of every JPEG in existence. Luckily, only a single Sector was returned for where this header was located, Sector 73. Noting that this was only a single sector ahead of where "Jimmy Jungle.doc" ended on the disk, I checked the Inode information for "Scheduled Visits.exe" saw that is was supposed to begin on Sector 104. Checking that sector information, I saw that, sure enough, Sector 104 had the telltale "PK" header to denote a PKZip file. I assumed that this meant that the "Cover Page.jpg" was on the floppy from Sector 73-103.
Since I'd already tried unzipping "Scheduled Visits.exe", and come to the assumption that the file I'd copied was incomplete, I didn't believe the Inode information's claim that the file ended on Sector 105. I began the familiar practice of stepping through the image Cluster by Cluster, until I found the final "PK" footer on the file. I found it quickly in the listing for Sector 108.
I now believed I knew the locations of the three files on the image. However, I still needed to extract the files from the images. Autopsy would allow me to extract the sectors I needed, one sector at a time. Being a reasonably lazy person, I wasn't going to do this, so I whipped up a quick perl script that used the dcat program from the TASK toolkit to extract all the sectors in a given range and put them into a file. The script is somewhat crude, but it worked nicely, and provided me with what appeared to be three good files.
I attempted to unzip "Scheduled Visits.exe" and was greeted by a password prompt. Rather than trying to brute force the password, I remembered that Joe said the password would be the same as in that file Jimmy'd sent him. The only file I had matching that description was "Cover Page.jpg" Opening the image in an image viewer, didn't yield any useful information. Simply a rather simple mock-up of a magazine cover page. Reaching out on a limb, I ran the standard Unix strings program on the JPEG, and was given the following output:
JFIFWell, that line "pw=goodtimes" certainly looked interesting, so I attempted unzipping the Scheduled Visits file once again, this time with the password of "goodtimes". Sure enough, I now had the "Scheduled Visits.xls" file. After converting it to HTML, I could see all the schools that Joe frequented in his dealing attempts.
I still wasn't sure what exactly had been done to hide the files, so I found a good reference on-line about the FAT filesystem, and wrote the small program linked to above that would first print out the Boot Sector information on the filesystem. Then it would traverse to the Directory Entry for the root directory, and print out information for all the files. The code is admittedly clunky and inelegant, however, I was having trouble avoiding the VFAT information algorithmically, and I felt it was better that the I had the information, than that the code was perfect. The output from that program was as follows:
OEM String: MSDOS5.0Armed with this data, it was fairly obvious what had been done. "Jimmy Jungle.doc" had been deleted from the filesystem, as signified by the 'å' character (0xE5). "Cover Page.jpg" has had it's Directory Entry modified so that it supposedly started on Sector 420, instead of 42. And "Scheduled Visits.exe"'s entry had been edited so that the file appeared much smaller than it really was.
Number of Bytes/Sector: 512
Number of Sectors/Cluster: 1
Number of Reserved sectors: 1
Number of FAT Copies: 2
Number of Root Directory Entries: 224
Total number of sectors in the filesystem: 2880
Number of Sectors per FAT: 9
Number of Sectors per Track: 18
Number of heads: 2
Number of Hidden Sectors: 0
File Number: 1
Start Sector: 0
File Size: 0
File Number: 2
File Name: åIMMYJ~1DOC
Start Sector: 2
File Size: 20480
File Number: 3
File Name: COVERP~1JPG
Start Sector: 420
File Size: 15585
File Number: 4
File Name: SCHEDU~1EXE
Start Sector: 73
File Size: 1000
A quick scan of the floppy revealed no information past Sector 108 on the disk, so I believe that I've found all the interesting information that existed there. I then prepared md5 sums of all the evidence files I'd collected, and prepared my write-up of the investigation.
|Filename||Start Sector||End Sector||md5sum||Link?||HTML Version?|
626 Jungle Ave Apt 2
Jungle, NY 11111
Embedded within the coverpage.jpg file, at offset 3d20, is a field named pw with the value "goodtimes". "goodtimes" is the password to the zip file included on the disk, and it was clear that that would be the password becuase Joe writes to Jimmy in the letter that the password "is the same password that you sent me before with that file."
Taken from the "Scheduled Visits.xls" file included in the "Scheduled Visits.exe" zip file, here is the list of all the high schools Joe Jacobs frequented.
"Jimmy Jungle.doc" was deleted from the filesystem, however, using the [email protected] toolkit, it was easy to find and recover this file on the filesystem.
"coverpage.jpg" had it's directory entry on the filesystem changed, so that it no longer pointed to Cluster 73, where coverpage.jpg resides, but to Cluster 420.
"Scheduled Visits.exe" has it's directory entry on the filesystem edited so that the file appeared much smaller than it actually was, preventing it from being easily copied from the disk.
This was answered in my section on procedures.