Investigator: John H. Sawyer ([email protected])

Investigator's System:

Gateway SOLO Pro 9300 Laptop running Redhat Linux 8.0 with kernel 2.4.19


I. Acquisition and Preparation of Image

A. wget http://www.honeynet.org /...../image.zip

md5sum verification

md5sum image.zip

image.zip b676147f63923e1f428131d59b1d6a72


B. Analysis will be done using the following tools from http://www.atstake.com :

Autopsy 1.62

Task 1.52


II. Analysis & Questions

A. Questions

1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

According to the information contained within the file “Jimmy Jungle.doc”, the supplier is Jimmy Jungle and his address is 626 Jungle Ave Apt 2, Jungle, NY 11111.

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

The image is the cover for “Pot Smoker's Monthly” and it confirms that Jimmy Jungle is a supplier of marijuana by the headline, “This months' featured pot grower, smoker and seller is Jimmy Jungle.”

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

According to the file “Scheduled Visits.xls” contained in the password protected zip file “Scheduled Visits.exe”, Joe Jacobs went to the following high schools: Key High School, Leetch High School, Birard High School, Richter High School, and Hull High School

4. For each file, what processes were taken by the suspect to mask them from others?

Jimmy Jungle.doc - this file was deleted with no further effort to hide the data. Autopsy shows it as being deleted and the file size is 20480 bytes.

Coverpage.jpg – the pointer in the fat table was changed to point at sector 451 when the file actually exists at sector 73. The file size was not changed.

Scheduled Visits.exe – the file size was changed to 1000 bytes. After analysis, the original file size appears to be 2560 bytes. This file is a self-extracting zip file that contains a file named “Scheduled Visits.xls” and is password protected with the password “goodtimes.”



5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

All file analysis was done with Autopsy 1.62.

fsmorgue:

image fat a: est2edt

command for autopsy:

#./autopsy 8080 127.0.0.1

used Keyword Search for 'marijuana'

2 occurrences of 'marijuana' were found

38 (Hex – Ascii)

- offset 221 bytes

- offset 328 bytes

ASCII Contents of Sector 38 (512 bytes) in image

Jimmy Jungle 626 Jungle Ave Apt 2 Jungle, NY 11111 Jimmy: Dude, your pot must be the best . it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia. These kids, they tell me marijuana isn.t addictive, but they don.t stop buying from me. Man, I.m sure glad you told me about targeting the high school students. You must have some experience. It.s like a guara

*** It is obvious that this message is cutoff and extends past the end of sector 38. Clicking Next will allow us to see the contents of sector 39.

ASCII Contents of Sector 39 (512 bytes) in image

nteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I.m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year! I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive. Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later. Thanks, Joe ...................................................................................................

Switching to Data Browsing allows the investigator to choose which sector to view and how many consecutive sectors. The investigator chose sector 38 and two consecutive sectors (JimmyJungle.txt):

ASCII Contents of Sector 38 (1024 bytes) in image

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

Jimmy: Dude, your pot must be the best . it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia. These kids, they tell me marijuana isn.t addictive, but they don.t stop buying from me. Man, I.m sure glad you told me about targeting the high school students. You must have some experience. It.s like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I.m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year! I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive. Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later. Thanks, Joe </pre>

******Continuing to add sectors, 41 sectors provides the investigator a view of a JPEG (JFIF) header that denotes the beginning of a new file. Backing up to 40 sectors, the end of the Word document is found. Exporting sectors 33 to 72, the word document, “Jimmy Jungle.doc”, can be recovered successfully. The suspect simply deleted the file and took no other effort to hide it.

==========================

File Browsing mode also references a “coverpage.jpgc” located at inode 8. The entry for inode 8 points to sector 451. Viewing the surrounding 10 sectors, there is no entry for a JPEG file as denoted by a data header of JFIF (ffd8ffe0 00104a46 49460001 01010060).

Using the Keyword Search and searching for JFIF, 1 occurrence of 'JFIF' was found at sector 73 (offset 6 bytes). Within Data Browsing mode, contiguous sectors of data are searched for the end of the jpg file. After adding 31 sectors, the file footer (FFD9) is found . The sectors are then exported to “coverpage.jpg.” To view the file, GQview 1.0.2 was used.


==========================

Zip, self-extracting, file starts at sector 104 and continues for 5 sectors. Denoted by PK at beginning and end of file. Password is “goodtimes” and is found hidden in sector 103. “pw=goodtimes”

$ unzip schedule.exe

Archive: schedule.exe

[schedule.exe] Scheduled Visits.xls password:

inflating: Scheduled Visits.xls

OpenOffice.org 1.0.1 was used to view the extracted file.

6. BONUS QUESTION: What Microsoft program was used to create the Cover Page file. What is your proof?

Microsoft Paint on Windows XP – the investigator used several Microsoft programs to create jpg files for comparison. The following products were used: PowerPoint 2000, PowerPoint XP(2002), Paint, PhotoEditor, and PictureIt!

Using the “cmp”, the file created by Paint was found to be the only file with a matching header. All other files were similar for 16 bytes while the Paint file matched up to the first 164 bytes. XPHomePaint.jpg is included for reference. Further evidence is provided by looking at sector 0 of the image for NTLDR to distinguish that the floppy was formatted on a Windows XP system.

$ cmp XPHomePaint.jpg coverpage.jpg

XPHomePaint.jpg coverpage.jpg differ: byte 164, line 2


References:

Incident Response: Investigating Computer Crime by Chris Prosise and Kevin Mandia

http://www.garykessler.net/library/file_sigs.html

http://www.winhex.com/winhex/forum/messages/174/234.html

http://www.winhex.com/winhex/forum/messages/174/34.html