Scan of the Month #24, October 2002

Honeynet Project & DFS
Solution by Josh Berghouse
The Challenge:  Discern the criminal behavior of a drug dealer from a floppy disk found in his possession.
Background Information:  According to police reports, suspicious behavior was noted concerning Joe Jacobs near and around area high schools. Suspecting he was a drug-dealer, police conducted a sting and arrested Jacobs on a minor charge. Evidence seized from Jacobs’ residence included a floppy disk that might contain more incriminating details of his activities.
Evidence Detail:  One floppy disk image, created with dd and supplied via download.
Question Detail:  DFS asked that the following questions be answered:

1. Who is Joe Jacobs' supplier of marijuana and what is the address listed for the supplier?

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

4. For each file, what processes were taken by the suspect to mask them from others?

5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

6. Bonus: What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)

Short Answers:

1. Jimmy Jungle, 626 Jungle Ave Apt 2, Jungle, NY 11111.

2. The password to the zipped file archive containing “scheduled visits.xls.” Without it we would be unable to view the encrypted file.

3. Too many to list here (Key, Leetch, and Birard High School to name three).

4. The letter to Jimmy was deleted, the Excel spreadsheet was zipped and password protected, and the password was steganographically concealed within “coverpage.jpg.”

5. Binary file viewer, various file recovery tools. (See Long Answers section.)

6. Microsoft Paint. (Proof in Long Answers section.)

Long Answers and Methodology

Tools Used:
Hex Editor:  XVI32 v2.3  by Christian Maas (http://www.chmaas.handshake.de)

Hex Editor:  WinHex by X-Ways Software (http://www.davory.com/)

Floppy Image Tool:  Floppy Image v2.1 by Rundegren Software (http://www.rundegren.com/)

Data Recovery Software:  Davory 1.01 by X-Ways Software (http://www.davory.com/)
All tools used in this exercise were either freeware or shareware.

Step One:  Examining the file “image” with a hex editor

Since I am unfamiliar with Linux, I decided to attempt the solution using the technology I know best: Windows and DOS. I started out by downloading and verifying the floppy image file, then examining it with a hex editor in text mode. This yielded some interesting clues about the information contained within the image, which I’ve shown in the attached file segments.

Segment 1 told me that the boot area of the drive was created on an NT machine (NTLDR). Segment 2 looked like a file table of some sort, with the text of what appeared to be partial file names (IMMYJ~1.DOC, COVER~1.JPG, SCHEDU~1.EXE). This gave me an idea of what I should look for once I began to try to retrieve whole files. Segment 3 looked like the contents of a document file, and Segment 4 confirmed it was created in Microsoft Word 10 (aka Word XP). Segment 3 also solved question #1, since it appeared that the file content was a letter to Joe’s supplier, Jimmy Jungle. Segment 5 contained the text “JFIF”, which is header content for a jpg image file. Segment 6 looked like a steganographic message in plaintext embedded within the image (pw=goodtimes). Segment 7 contained the text “PK”, which is header content for a zip file archive, as well as the content of that archive, another file named “Scheduled Visits.xls”. Zip file footer information was contained in Segment 8.

[Image: Segment 1]
[Image: Segment 2]
[Image: Segment 3]
[Image: Segment 4]
[Image: Segment 5]
[Image: Segment 6]
[Image: Segment 7]
[Image: Segment 8]
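The two things done by hand in Step One, reading the file table and spotting the JFIF and PK headers, can be scripted; the following is an added example (not the author's tooling or any of the listed products) that parses the FAT12 root directory of a dd floppy image and scans the raw image for JFIF, ZIP and OLE2 (Word/Excel) signatures, which is also what the header-based recovery in Step Two relies on. The truncated IMMYJ~1.DOC seen in Segment 2 is what a deleted 8.3 entry looks like, because FAT deletion overwrites only the first byte of the name with 0xE5; the image built below is constructed, and its names, sizes and offsets are not taken from the evidence disk.

```python
import struct

# Magic values the write-up spotted in the hex dump (JFIF, PK) plus the OLE2 header of a Word .doc.
SIGNATURES = {
    b"\xff\xd8\xff\xe0": "JPEG/JFIF",
    b"PK\x03\x04": "ZIP local file header",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (.doc/.xls)",
}

def scan_signatures(image: bytes) -> list:
    # Return (offset, description) for every signature hit, sorted by offset.
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def root_dir_entries(image: bytes) -> list:
    """Parse FAT12 root directory entries, keeping deleted ones (first byte 0xE5)."""
    bps, _, reserved, nfats, nroot, _, _, spf = struct.unpack_from("<HBHBHHBH", image, 11)
    root = (reserved + nfats * spf) * bps
    entries = []
    for off in range(root, root + 32 * nroot, 32):
        raw = image[off:off + 32]
        if raw[0] == 0x00:            # 0x00: no used entries follow
            break
        if raw[11] == 0x0F:           # long-file-name slot, carries no 8.3 name
            continue
        deleted = raw[0] == 0xE5      # deletion overwrites only the first name byte
        name = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("latin-1").rstrip()
        ext = raw[8:11].decode("latin-1").rstrip()
        size = struct.unpack_from("<I", raw, 28)[0]
        entries.append({"name": f"{name}.{ext}" if ext else name, "deleted": deleted, "size": size})
    return entries

def build_sample_image() -> bytes:
    """Constructed 40-sector FAT12 image: 1 reserved sector, 2 FATs of 9 sectors, 224 root entries."""
    img = bytearray(512 * 40)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 40, 0xF0, 9)
    root = (1 + 2 * 9) * 512          # root dir at sector 19; data area begins at sector 33
    sample = [("JIMMYJ~1", "DOC", 20480, True), ("COVER~1", "JPG", 15000, False), ("SCHEDU~1", "EXE", 9000, False)]
    for i, (name, ext, size, deleted) in enumerate(sample):
        first = b"\xe5" if deleted else name[:1].encode()
        entry = first + name[1:].ljust(7).encode() + ext.encode() + b"\x20" + bytes(16) + struct.pack("<I", size)
        img[root + 32 * i:root + 32 * (i + 1)] = entry
    for sector, magic in zip((33, 36, 38), SIGNATURES):   # file starts left behind in the data area
        img[512 * sector:512 * sector + len(magic)] = magic
    return bytes(img)
```

Run against a real dd image, `root_dir_entries` lists the deleted document beside the live files and `scan_signatures` gives the offsets at which a carver should start.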
Step Two: Mount the image and attempt file recovery

After mounting the image, only two files were visible to Windows:

[Image “floppy”: Files visible to Windows after image mount]

All attempts to open these files in the normal way failed, so a more detailed analysis of the mounted image was done with the data recovery software. The first pass recovered three files:

[Image “davory”: Three files were found]

These were the two previously unreadable files, “cover page.jpgc” and “SCHEDU~1.exe”, as well as a more readable copy of Joe’s letter to Mr. Jungle, his supplier. It appears that at some point the Word document had been deleted, but its cluster space was never overwritten. Since I knew that there was more information in the image, a more thorough examination was needed. Using another method, which searches the raw image for telltale file header signatures instead of relying on the directory, the data recovery software was able to extract and assemble two more files:

[Image “coverpage”: Recovered jpg file “cover page.jpg”]
[Image “unzipitplease”: Scheduled Visits.xls makes its appearance (Don’t forget the password :)]
[Image “goodtimes”: PW: goodtimes]

The spreadsheet file contained Joe’s selling schedule.  He was a very busy dealer:

[Image “Scheduled Visits.xls”: Portion of “Scheduled Visits.xls”]

Answer to the Bonus Question:

A look at several headers from jpg files created by many different programs can help illustrate:

[Image “Comparison of jpg files”: Different jpg file header types]

The first header is from a jpg I created in Paint, and the second is from “coverpage.jpg.” They are consistent with each other. The third header came from an Adobe Illustrator jpg export file, the fourth came from a jpg file created by GIMP, and the fifth came from a Macromedia Flash XP jpg export file.
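The bonus answer rests on comparing how different encoders lay out the marker segments that precede the image data. As an added example (not the author's method or tooling), this walks those segments and reduces a JPEG header to a comparable profile of segment names, lengths and APPn tags; the two headers it compares are constructed, one JFIF-only and one that also carries an Exif APP1, and none of their field values come from the evidence image.

```python
import struct

# Names for the non-APPn segments a baseline JPEG header usually carries.
MARKERS = {0xDB: "DQT", 0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDD: "DRI", 0xFE: "COM"}

def jpeg_header_profile(data: bytes) -> list:
    """Walk the marker segments before SOS and return one (name, length, identifier) per segment.
    For APPn segments the identifier is the NUL-terminated tag that opens them (JFIF, Exif, Adobe...)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; not a JPEG")
    pos, profile = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                     # SOS: entropy-coded scan follows, header is complete
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]   # counts its own two bytes
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            name, ident = f"APP{marker - 0xE0}", payload.split(b"\x00", 1)[0].decode("latin-1")
        else:
            name, ident = MARKERS.get(marker, f"0x{marker:02X}"), ""
        profile.append((name, length, ident))
        pos += 2 + length
    return profile

def same_header_shape(a: bytes, b: bytes) -> bool:
    """Same segment order, segment sizes and APPn tags: the kind of match the write-up eyeballed."""
    return jpeg_header_profile(a) == jpeg_header_profile(b)

def segment(marker: int, payload: bytes) -> bytes:
    # Build one marker segment with its big-endian length field.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed headers with zeroed tables and no scan data; the values are not from the evidence image.
JFIF_APP0 = b"JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"   # JFIF 1.01, 96x96 dpi, no thumbnail
TABLES = segment(0xDB, bytes(65)) + segment(0xC0, bytes(15)) + segment(0xC4, bytes(29))
PLAIN_JFIF = b"\xff\xd8" + segment(0xE0, JFIF_APP0) + TABLES + b"\xff\xda"
WITH_EXIF = b"\xff\xd8" + segment(0xE0, JFIF_APP0) + segment(0xE1, b"Exif\x00\x00" + bytes(40)) + TABLES + b"\xff\xda"
```

Profiling a reference file saved by the suspected program and the recovered file the same way turns “the headers look consistent” into a field-by-field comparison that can be shown in a report.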

Conclusion

The evidence recovered from Joe Jacobs’ floppy should be enough to continue the investigation. Data analysis and file recovery took approximately two hours, and this write-up about three hours.

The only question I don’t think I answered fully was #4. From my limited experience, I’m unsure as to whether the suspect embedded “SCHEDU~1.EXE” (a self-extracting zip) into the image file, or if there was some kind of overlapping of data after one or the other had been deleted. I guess I’ll have to wait for the expert write-up!