Honeynet Scan of the Month

#24 - November 1, 2002

North Carolina State University, grad students

Joe Sremack (jcsremac@unity.ncsu.edu)

Yatin Tawde (ystawde@unity.ncsu.edu)

Jim Yuill (jimyuill@pobox.com)

I. Answers to questions

These questions are answered using evidence found in three files on the floppy-disk image. The files are documented in section IV, and they are attached.

1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

This information is in the file "Jimmy Jungle.doc", found on the floppy. It appears to be a letter from Joe Jacob to his supplier, whose name and address are stated in it.

2. What crucial data is available within the coverpage.jpg file and why is this data crucial?

The crucial data is the password needed to unzip a file found on the floppy disk. The password is "goodtimes" and the file is "Scheduled Visits.exe".

3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

Key High School

Leetch High School

Birard High School

Richter High School

Hull High School

This information is in the file "Scheduled Visits.exe", found on the floppy. The letter in "Jimmy Jungle.doc" states that "Joe" sent "Jimmy Jacobs" his "schedule". The schedule is implied to be for selling drugs at high schools. "Scheduled Visits.exe" is an Excel spreadsheet that appears to contain Joe's schedule for selling drugs at these schools. The schedule follows a simple pattern: one school is visited each weekday, and the visits rotate through the 6 schools in a fixed, repeating order.

4. For each file, what processes were taken by the suspect to mask them from others?

The files are documented in detail in section IV. In summary, the techniques used to hide the files are:

Jimmy Jungle.doc

o      The file was deleted.

Scheduled Visits.exe

o      The actual file size is approximately 3k. However, the root directory entry was altered to state that the file is only 1k. Consequently, when the file is opened, only the first 1k of data is obtained.

o      The contents are a PkZip file, but the suffix deceptively identifies it as an exe file.

o      The file is tagged as "hidden", keeping it from being displayed under File Explorer's default settings.

coverpage.jpg

o      The file is a jpg file, but the suffix deceptively identifies it as a jpgc file.

o      The file is tagged as "hidden".

o      The root directory entry was altered to contain an incorrect "starting cluster" for the file. Thus, the file could not be opened.

o      The file takes up 16k on disk, but the actual file is only 15.2k. The extra .8k is used to hold hidden data, namely the password to the PkZip file. This data is not returned when the file is opened.

5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

This is documented in detail in section IV.

Bonus Question: What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)

Microsoft Paint was used. Also, it was a version capable of creating jpg files; older versions of Paint could not create jpg files.

As described in section IV, the top of the jpg file has a field for identifying the tool used to create the file. coverpage.jpg identifies Paint as the creator.

II. FORENSIC TOOLS USED

1)     WinHex:

This is a Windows (95/98/ME/NT4.0/2000/XP) hex editor that displays the contents of any file as two-digit hexadecimal numbers. ASCII strings in the file are displayed alongside the hex, and a character-by-character mapping can be done by looking at the corresponding offsets, which are shown in hexadecimal. A hex dump of an entire floppy disk can also be taken with this tool. [WHEX]

2)     Frhead:

This is a binary file editor for Windows 95/98/NT. Unlike the free version of WinHex, it lets the user directly enter hex values in the hex dump of a file or disk and alter its contents. [FRHEAD]

3)     Undisker:

This is a tool that can open, create, and extract ISO files (images of CD-ROM disks containing exact binary copies of the original CDs). Undisker can also create disk images (exact binary copies of a source disk, including boot sector, FAT, and all files and folders) of hard disks, floppy disks and removable drives. [UNDISK]

4)     Microsoft Paint:

This is an image viewer/editor for all Windows platforms which can save image files in a variety of formats, such as gif, jpg and bmp.

5)     dls:

This is a tool in TASK (The @stake Sleuth Kit) that extracts unallocated disk units. [TASK]

6)     ils:

This tool retrieves the data associated with unallocated metadata entries, which can be vital in forensic analysis. [TASK]

7)     mactime:

This tool generates a timeline of file activity starting from a particular date (specified in mm/dd/yyyy format). [TASK]

III. TIMELINE OF ACTIVITY

We ran the mactime program starting from 01/01/2001 to get a timeline of file activity on the image; its results follow. This gives evidence of the relative dates on which the files were written (specified by "m"), accessed (specified by "a") and changed (specified by "c").

Mon Apr 15 2002 14:42:30 20480 m.. -rwxrwxrwx 0 0 5 <image-_IMMYJ~1.DOC-dead-5>
                         20480 m.. -/-rwxrwxrwx 0 0 5 /Jimmy Jungle.doc (_IMMYJ~1.DOC) (deleted)

Fri May 24 2002 08:20:32 1000 m.. -/-rwxrwxrwx 0 0 11 /Scheduled Visits.exe (SCHEDU~1.EXE)

Wed Sep 11 2002 00:00:00 20480 .a. -rwxrwxrwx 0 0 5 <image-_IMMYJ~1.DOC-dead-5>
                         1000 .a. -/-rwxrwxrwx 0 0 11 /Scheduled Visits.exe (SCHEDU~1.EXE)
                         20480 .a. -/-rwxrwxrwx 0 0 5 /Jimmy Jungle.doc (_IMMYJ~1.DOC) (deleted)
                         15585 .a. -/-rwxrwxrwx 0 0 8 /cover page.jpgc (COVERP~1.JPG)

Wed Sep 11 2002 08:30:52 15585 m.. -/-rwxrwxrwx 0 0 8 /cover page.jpgc (COVERP~1.JPG)

Wed Sep 11 2002 08:49:48 20480 ..c -/-rwxrwxrwx 0 0 5 /Jimmy Jungle.doc (_IMMYJ~1.DOC) (deleted)
                         20480 ..c -rwxrwxrwx 0 0 5 <image-_IMMYJ~1.DOC-dead-5>

Wed Sep 11 2002 08:50:26 15585 ..c -/-rwxrwxrwx 0 0 8 /cover page.jpgc (COVERP~1.JPG)

Wed Sep 11 2002 08:50:38 1000 ..c -/-rwxrwxrwx 0 0 11 /Scheduled Visits.exe (SCHEDU~1.EXE)

IV. Forensic details of the three files

In order to analyze the files located on the image file, use a hex editor, such as WinHex, to open the image file. Then go to the directory entry section, which is located at byte offset 0x2600.

The following two allocated files are located on the image file: "cover page.jpgc" and "Scheduled Visits.exe".

IV.A. File: "cover page.jpgc"

The data of "cover page.jpgc" starts at byte offset 0x9200 and ends at 0xCFFF. To find these values, we checked the starting cluster and file size fields in the FAT directory entry:

43 4F 56 45 52 50 7E 31 4A 50 47 20 00 6D 4D 46
2B 2D 2B 2D 00 00 DA 43 2B 2D A4 01 E1 3C 00 00

The last four bytes denote the file size in bytes, which equals 15,585 bytes (FAT12 stores multi-byte values little-endian). The two bytes that precede the file size hold the starting cluster, which works out to 0x34800. However, 0x34800 points to reserved data on the image, not the actual file.

At offset 0x9200, there are four bytes that correspond to a JPEG-JFIF file header:

FF D8 FF E0

Thus, the starting cluster value in the directory entry for "cover page.jpgc" was altered to point to the wrong starting cluster. Also, the trailing "c" in the file extension prevents image programs from recognizing the file as a JPEG-JFIF file by its name, so one has to open the file from inside an image program.

To recover this file, the starting cluster was changed to point to byte offset 0x9200. The starting cluster is computed by first converting 0x9200 to decimal and dividing that number by 512, which gives the logical sector number. Then convert the sector number to a cluster number by subtracting 31 (subtract the first data sector number, 33, and add 2) and convert the result back to hexadecimal. So, the starting cluster is 2A.

Therefore, "cover page.jpgc" is located in sectors 73 through 103. To repair this file, modify the directory entry at positions 0x26BB-0x26BC to be "2A 00", respectively. Then to recover the file, highlight the blocks from 0x9200 through 0xCFFF using WinHex, use its "Edit->copy blocks to file" option and save the file as "cover page.jpgc".

Bonus: "cover page.jpgc" was created with MS Paint. "cover page.jpgc" begins with the following header (taken from WinHex):

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

00009200 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60  ..JFIF.....`
00009210 00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08  .`...C........
00009220 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12  ................
00009230 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20  ........... $.'
00009240 22 2C 23 1C 1C 28 37 29 2C 30 31 34 34 34 1F 27  ",#..(7),01444.'
00009250 39 3D 38 32 3C 2E 33 34 32 FF DB 00 43 01 09 09  9=82<.342.C...
00009260 09 0C 0B 0C 18 0D 0D 18 32 21 1C 21 32 32 32 32  ........2!.!2222
00009270 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32  2222222222222222
00009280 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32  2222222222222222
00009290 32 32 32 32 32 32 32 32 32 32 32 32 32 32 FF C0  22222222222222

Note the long string of 2's. The following is the header of a JPEG-JFIF file created by Adobe Photoshop:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64  ..JFIF.....d
00000010 00 64 00 00 FF EC 00 11 44 75 63 6B 79 00 01 00  .d....Ducky...
00000020 04 00 00 00 1B 00 00 FF EE 00 0E 41 64 6F 62 65  .........Adobe
00000030 00 64 C0 00 00 00 01 FF DB 00 84 00 11 0C 0C 0C  .d..........
00000040 0D 0C 11 0D 0D 11 19 10 0E 10 19 1D 16 11 11 16  ................
00000050 1D 22 17 17 17 17 17 22 21 1A 1D 1C 1C 1D 1A 21  ."....."!......!
00000060 21 26 28 2B 28 26 21 34 34 38 38 34 34 41 41 41  !&(+(&!448844AAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 01 12 10 10  AAAAAAAAAAAA....
00000080 13 15 13 17 14 14 17 16 12 15 12 16 1C 16 18 18  ................
00000090 16 1C 29 1C 1C 1E 1C 1C 29 35 26 21 21 21 21 26  ..).....)5&!!!!&
000000A0 35 2F 32 2B 2B 2B 32 2F 39 39 35 35 39 39 41 41  5/2+++2/995599AA

Note how Adobe is listed and the string starting at offset 0x70 differs from that of "cover page.jpgc". The next hex dump is of a file created by Microsoft Paint; it shows that the string of 2's is a unique signature of JPEG files created by Paint.

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60  ..JFIF.....`
00000010 00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08  .`...C........
00000020 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12  ................
00000030 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20  ........... $.'
00000040 22 2C 23 1C 1C 28 37 29 2C 30 31 34 34 34 1F 27  ",#..(7),01444.'
00000050 39 3D 38 32 3C 2E 33 34 32 FF DB 00 43 01 09 09  9=82<.342.C...
00000060 09 0C 0B 0C 18 0D 0D 18 32 21 1C 21 32 32 32 32  ........2!.!2222
00000070 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32  2222222222222222
00000080 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32  2222222222222222
00000090 32 32 32 32 32 32 32 32 32 32 32 32 32 32 FF C0  22222222222222
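An added Python example (not part of the original writeup) that extracts the header traits the bonus answer compares by eye: the vendor tags at the start of the APPn segments and the 8-bit quantization tables, including the 0x32 entries that fill the second (chrominance) table. The two byte strings are constructed from the dumps above (the first 0xA0 bytes of "cover page.jpgc" and the first 0x80 bytes of the Photoshop sample); the parser tolerates a segment cut off by the end of a dump.

```python
APP14, DQT = 0xEE, 0xDB   # JPEG marker codes used below

# First 0xA0 bytes of "cover page.jpgc" at image offset 0x9200 (constructed from the dump above).
PAINT_HEADER = bytes.fromhex(
    "FFD8FFE000104A46494600010101006000600000FFDB00430008060607060508"
    "0707070909080A0C140D0C0B0B0C1912130F141D1A1F1E1D1A1C1C20242E2720"
    "222C231C1C2837292C30313434341F27393D38323C2E333432FFDB0043010909"
    "090C0B0C180D0D1832211C2132323232") + b"\x32" * 46 + b"\xFF\xC0"

# First 0x80 bytes of the Adobe Photoshop sample (constructed from the dump above).
PHOTOSHOP_HEADER = bytes.fromhex(
    "FFD8FFE000104A46494600010200006400640000FFEC00114475636B79000100"
    "040000001B0000FFEE000E41646F62650064C000000001FFDB008400110C0C0C"
    "0D0C110D0D1119100E10191D161111161D22171717171722211A1D1C1C1D1A21"
    "2126282B28262134343838343441414141414141414141414141414101121010")

def segments(data):
    """Walk the marker segments after SOI as (marker, payload); a segment cut off by the
    end of the dump is returned with whatever payload survives."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: SOI marker missing")
    pos, out = 2, []
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # counts its own 2 bytes
        out.append((data[pos + 1], data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return out

def quant_tables(data):
    """{table id: 64 values} from every 8-bit DQT segment; a truncated table is skipped."""
    tables = {}
    for marker, payload in segments(data):
        if marker != DQT:
            continue
        while len(payload) >= 65 and payload[0] >> 4 == 0:      # Pq = 0 means 8-bit entries
            tables[payload[0] & 0x0F] = list(payload[1:65])
            payload = payload[65:]
    return tables

def app_tags(data):
    """Vendor identifiers stored at the start of APPn segments (JFIF, Ducky, Adobe, ...)."""
    return {m: p.split(b"\x00")[0] for m, p in segments(data) if 0xE0 <= m <= 0xEF}

def creator_evidence(data):
    """The traits section IV.A compares: an Adobe APP14 tag and the count of 0x32 entries."""
    tags = app_tags(data)
    chroma = quant_tables(data).get(1, [])
    return {"adobe_app14": tags.get(APP14) == b"Adobe",
            "app_tags": sorted(tags.values()),
            "chroma_0x32_count": chroma.count(0x32)}
```

Quantization tables depend on the encoder and its quality setting, so a matching table corroborates an attribution rather than proving it on its own; the APP14 "Adobe" tag is the more direct indicator for Photoshop output.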


IV.B. File: "Scheduled Visits.exe"

"Scheduled Visits.exe" has the following directory entry; the starting cluster and file size are the last six bytes:

E5 43 48 45 44 55 7E 31 45 58 45 20 00 53 53 46
2B 2D 2B 2D 00 00 90 42 B8 2C 49 00 E8 03 00 00

The file size is given as 1000 bytes. However, the file does not open. Going to the starting cluster given, the following hex string (shown converted to ASCII) appears:

PK........Z,U`....B......Scheduled Visits.xls

This matches the format of a PKZipped file; however, 1000 bytes from the start, the PKZip trailer is not found. The correct trailer begins at byte offset 0xD91C and finishes at 0xD96F. This means that the file size is actually 2560 bytes, not 1000 bytes.

Thus, the file size in the directory entry was intentionally modified to make "Scheduled Visits.exe" unreadable. Also, the file is a regular zip file, not a self-extracting zip. So one should open the file using an unzipping program, instead of trying to execute it.

To repair this file, modify the directory entry at positions 0x271C-0x271F to be "00 0A 00 00", respectively. Then to recover the file, highlight the blocks from 0xD000 through 0xD9FF using WinHex, use its "Edit->copy blocks to file" option and save the file as "Scheduled Visits.exe".

The suspect password-protected this zip file to hide its contents from others. Located in the slack space of "cover page.jpgc", at byte offset 0xCF20, is the following string:

pw=goodtimes

This password can be found by using the dls tool from the TASK toolkit to gather the unallocated data:

dls -f fat12 image > data/unallocated.dls

Then, use the UNIX command strings on the unallocated data to list all of the ASCII strings it contains:

strings -t d data/unallocated.dls > data/unallocated.dls.str

Finally, the UNIX command grep can be used to find the string containing the password:

grep "pw" data/unallocated.dls.str

"goodtimes" is the password used for unzipping "Scheduled Visits.exe".

IV.C. File: "Jimmy Jungle.doc"

A third entry appears in the FAT's directory entry table - "Jimmy Jungle.doc". However, this entry is unallocated, which means that the suspect deleted the file.

Recovering the file is a matter of finding the starting cluster and file size, and then copying "file size" bytes beginning at the starting cluster. The directory entry is:

E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46
2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00

The file size is 20,480 bytes, and the starting cluster is located at byte offset 0x4200 (using the same methods to calculate these values as used above). The file does, in fact, appear at 0x4200 through 0x91FF.

To recover the file, highlight the blocks from 0x4200 through 0x91FF using WinHex, use its "Edit->copy blocks to file" option and save the file as "Jimmy Jungle.doc".
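The directory-entry decoding, cluster/offset arithmetic, slack-space bounds and repairs described in sections IV.A through IV.C, as an added Python example (not part of the original writeup). It assumes the 1.44 MB floppy geometry the page relies on (512-byte sectors, first data sector 33) and uses the three directory entries transcribed above as constructed input; it also decodes the packed modification date/time so the entries can be checked against the mactime output in section III.

```python
import struct
from datetime import datetime

SECTOR = 512
FIRST_DATA_SECTOR = 33   # boot sector + 2 FATs x 9 sectors + 14 root-directory sectors (1.44 MB floppy)

# The three 32-byte root-directory entries as transcribed in section IV (constructed from the page's hex).
COVER_PAGE = bytes.fromhex("434F564552507E314A504720006D4D462B2D2B2D0000DA432B2DA401E13C0000")
SCHED_VISITS = bytes.fromhex("E543484544557E3145584520005353462B2D2B2D00009042B82C4900E8030000")
JIMMY_JUNGLE = bytes.fromhex("E5494D4D594A7E31444F4320006838462B2D2B2D00004F758F2C020000500000")

def cluster_to_offset(cluster):
    """Data clusters are numbered from 2, so cluster N occupies sector N - 2 + 33 = N + 31."""
    return (cluster - 2 + FIRST_DATA_SECTOR) * SECTOR

def offset_to_cluster(offset):
    """Inverse of the above: byte offset -> logical sector -> cluster number."""
    return offset // SECTOR - FIRST_DATA_SECTOR + 2

def fat_datetime(date, time):
    """Unpack the packed FAT date/time words (the m-time that mactime prints in section III)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_entry(raw):
    """Decode the fields the writeup reads by hand; all multi-byte fields are little-endian."""
    (name, ext, _attr, _nt, _tenth, _ctime, _cdate, _adate, hi, mtime, mdate,
     start, size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = raw[0] == 0xE5                       # first name byte is overwritten on deletion
    short = name.decode("latin-1").rstrip() + "." + ext.decode("latin-1")
    return {
        "name": ("_" + short[1:]) if deleted else short,   # mactime shows the lost byte as "_"
        "deleted": deleted,
        "start_cluster": (hi << 16) | start,       # the high word is always 0 on FAT12
        "size": size,
        "modified": fat_datetime(mdate, mtime),
    }

def slack_span(start_offset, size):
    """File slack: from the end of the file's data to the end of its last 512-byte sector."""
    end = start_offset + size
    return end, -(-end // SECTOR) * SECTOR        # round up to the next sector boundary

def repair(raw, start_cluster=None, size=None):
    """Return a corrected copy of an entry: start cluster at bytes 26-27, size at bytes 28-31."""
    fixed = bytearray(raw)
    if start_cluster is not None:
        fixed[26:28] = struct.pack("<H", start_cluster)
    if size is not None:
        fixed[28:32] = struct.pack("<I", size)
    return bytes(fixed)
```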


V. BIBLIOGRAPHY

[FAT] File Allocation Table (FAT) Tutorial, http://students.cs.byu.edu/~cs345ta/lectures/seamons/FAT.pdf

[FRHEAD] Raihan Kibria, frhead v1.0.156, http://www.kibria.de/frhed.html

[TASK] Brian Carrier, The @stake Sleuth Kit (TASK), http://sourceforge.net/projects/sleuthkit

[UNDISK] QSX Software Group, Undisker, 2001, http://www.undisker.com

[VFAT] LKT Software, VFAT Long File Names, http://www.maverick-os.dk/FileSystemFormats/VFAT_LongFileNames.html

[WHEX] X-Ways Software Technology AG, WinHex 10.55, http://www.sf-soft.de/winhex/index-m.html

VI. Acknowledgements

Sincere thanks to the Digital Forensic Research Workshop for a fun and challenging exercise!