This submission was created by the Network Security Team of the National Digital Certification Agency

Haikel Mejri, Slim REKHIS, Yacine Djemaiel, Walid Hadjali

 

 

1 Methodology

 

The MD5 hash of the challenge file was copied from the Honeynet web site into a new text file named sotm23.tar.gz.md5 (referred to below as image.zip.md5) and rearranged into a valid md5sum output line: b676147f63923e1f428131d59b1d6a72  image.zip

Then the challenge file image.zip was copied into the same directory and verified against the downloaded MD5 hash: $ md5sum -c image.zip.md5

Next, the challenge file was unzipped: $ unzip image.zip


The first step of the technical investigation was to identify the type of the extracted file with the following command: $ file image . The following result was obtained: image: x86 boot sector, system MSDOS5.0, FAT (12 bit). According to the output of file, the file is the image of an MS-DOS floppy disk formatted with the FAT12 file system.

Next, we retrieved some trivial information with the strings command-line tool: $ strings image > strings_output

From all the printable strings in this file, we picked out the following pieces of information:

 

  1. System information
    • MSDOS5.0 NO NAME FAT12 : confirms that this is an MS-DOS floppy disk formatted with the FAT12 file system (OEM name, volume label and file system type taken from the boot sector).
    • NTLDR ...Remove disks or other media.... Disk error : the error message stored in the boot sector code of a disk formatted by Windows NT/2000/XP; it is displayed by that boot code (not by the BIOS) when the floppy is booted but contains no operating system.
    • IMMYJ1DOC...COVERP1JPG...SCHEDU1EXE : these strings are the 8.3 short names stored in the root directory entries of the floppy (the FAT itself only holds cluster chains, not names), which list three files:
      • IMMYJ1DOC: this file seems to be a Word document.
      • COVERP1JPG: this file seems to be a JPEG image.
      • SCHEDU1EXE: this file seems to be an executable (binary) file.
  2. User information
  • Jimmy: Dude, your pot must be the best............you sent me before with that file. Talk to you later. Thanks, Joe : this paragraph seems to be a letter written by Joe to Jimmy Jungle.
  • Microsoft Word 10.0 OOOO Jimmy Jungle Title Microsoft Word Document MSWordDoc Word.Document.8 : these strings indicate the presence of an MS Word document.
  • JFIF $.' ",# (7),01444 '9=82<.342 : these strings indicate the presence of a JPEG image (the JFIF header followed by bytes of its quantization tables).
  • pw=goodtimes : this is probably the password that Joe mentions in the letter above.
  • Scheduled Visits.xls : this indicates the presence of an MS Excel file; according to the letter above, this may be the schedule that Joe mentions.

In the second step, we mounted the floppy image on the hard disk with the following command: $ mount -o ro,loop,nodev,noexec image mount/

Note the use of the noexec option to prevent the execution of any malicious code from the image, and of the ro option to prevent any modification of the floppy's content. A first look at the content of the mount directory with the ls command confirms the existence of two files: cover page.jpgc and schedu1.exe. The third file, IMMYJ1DOC, seems to have been deleted; its correct name should therefore be ?IMMYJ1DOC, where the ? stands for the first character of the file name, which was overwritten by the operating system when the file was deleted. In fact, when an MS system deletes a file on a FAT volume it does not wipe the data: it overwrites the first byte of the file's directory entry with the marker 0xE5 and releases the file's clusters in the FAT, which is why the name shows up with its first character missing.

In the next step, we tried to retrieve more information from the two files by using the file and strings commands:

 

  • file cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \ : gives the following result: cover page.jpgc : PC formatted floppy with no filesystem, which is strange, because this file should normally be an image file. When we tried to open this file with an image viewer it was not possible, and the xview command gave this error message: unknown or unsupported image type.
  • file schedu1.exe : gives the following result: schedu1.exe: Zip archive data, at least v2.0 to extract. When we tried to execute this file under an MS-DOS system an error occurred, and when we tried to unzip it with the unzip command the following error message appeared: cannot find zipfile directory in one of schedu1.exe or schedu1.exe.zip, and cannot find schedu1.exe.ZIP, period. (unzip looks for the end-of-central-directory record at the end of the archive; this message means that record is missing or damaged, even though the archive's local file headers are present.)
  • strings schedu1.exe : gives the following result: Scheduled Visits.xls 5kUM gvmq[A N[! sC6g( .........1C/+N X%#$ which shows that this file probably contains the Scheduled Visits.xls file (a zip local file header stores the member name in clear text even when the member data is encrypted).
  • strings cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \ : there is no printable string in this file, which is strange, because a normal JPEG file should contain at least the JFIF string.

 

It is now clear that the files on the floppy, or its file system, have been subjected to some manipulation; we therefore checked the file system of the floppy with the fsck.msdos command. We obtained many error messages confirming that the content of the floppy had been tampered with.

In the next step, we used the forensic tools TASK and the Autopsy Forensic Browser.

 

  • TASK integrates TCT and TCTUTILs, adds support for Microsoft file systems and also contains a few new tools.
  • The Autopsy Forensic Browser is an HTML interface to TASK which allows an investigator to browse forensic images at the file, inode or block level of abstraction, and also provides a convenient interface for searching an image for keywords.

 

To configure the Autopsy Forensic Browser, we put the floppy disk image file in the morgue directory and configured the fsmorgue file by adding the following line:

image  fat12   /mount   EST5EDT

To launch the Autopsy Forensic Browser we ran the following command: ./autopsy 8888 localhost which starts the Autopsy web server on the localhost machine on TCP port 8888. The program starts and prints on the console the URL to connect to, which changes from one execution to the next (it contains a random identifier). In this case the URL we used was: http://localhost:8888/42601366343949744940/autopsy

 

This tool showed us the three files mentioned above. We also confirmed that the Jimmy Jungle.doc file was deleted: the Autopsy Forensic Browser displays it in red to indicate that it is deleted and cannot be seen with a simple ls command, but that its directory entry is still physically present in the image, at inode (metadata address) number 5. The MAC times of the three files confirm the malicious manipulation made to them: the written time of Jimmy Jungle.doc and of Scheduled Visits.exe is earlier than their accessed and created times, and the accessed time of all three files is earlier than their created time, whereas a file is normally created first, then written, then accessed. (Note that FAT stores the last-access stamp as a date only, so an accessed time that precedes the created time on the same day is not by itself proof of tampering; the written-before-created ordering is the stronger indicator.)

We exported the content of the deleted file using the web interface (clicking on the inode number, then on Export), but we were not able to open this document with any document reader.

In addition to the information reported by fsck.msdos, we can now confirm that some modification of the file system metadata (the cluster addresses in the FAT or the short file names in the directory entries) has taken place.
So we tried to reach the correct content of these files by searching through the sectors of the floppy disk. By clicking on the File System option of the Autopsy Forensic Browser, we obtained more helpful information.

By clicking on the 73-103 (31) link (sectors 73 to 103, 31 sectors) we get this information: JPEG image data, JFIF standard 1.01, resolution (DPI), 96 x 96. By exporting the content of these sectors to cover_recovered.jpg and opening it with the xview command, the cover page picture is displayed.
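The layout behind the Autopsy sector links, and the deleted-entry behaviour noted at the mount step, can be checked by hand. The following Python script is an added example written for this edit; it is not code from the original report nor from TASK/Autopsy. It builds a constructed 1.44 MB FAT12 image in memory with the same three root-directory entries the report found (one of them deleted; the sizes and cluster numbers are made up, chosen so that the two live files occupy sectors 73-103 and 104-108), then parses the BIOS Parameter Block, the root directory (long and short names, the 0xE5 deletion marker) and the 12-bit FAT chains, and converts clusters to absolute sector numbers. Run against a real image (replace build_image() with the bytes of the image file) it lists the same information the File System view gives.

```python
import struct

def parse_bpb(img):
    """Read the BIOS Parameter Block of a FAT12 boot sector and derive where FAT, root dir and data live."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = struct.unpack_from('<HBHBHHBH', img, 0x0B)
    root_start = reserved + nfats * spf                  # first root-directory sector
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {'oem': img[3:11].decode('latin-1').rstrip(), 'bps': bps, 'spc': spc, 'reserved': reserved,
            'fat_sectors': spf, 'root_start': root_start, 'root_entries': root_entries,
            'data_start': root_start + root_sectors, 'total': total}

def fat12_get(fat, n):
    v = struct.unpack_from('<H', fat, n + n // 2)[0]   # 12-bit entries are packed two per three bytes
    return v >> 4 if n & 1 else v & 0xFFF

def fat12_set(fat, n, val):
    off = n + n // 2
    v = struct.unpack_from('<H', fat, off)[0]
    struct.pack_into('<H', fat, off, (v & 0x000F) | (val << 4) if n & 1 else (v & 0xF000) | (val & 0xFFF))

def cluster_to_sector(bpb, n):
    return bpb['data_start'] + (n - 2) * bpb['spc']      # data area starts at cluster 2 (sector 33 on a 1.44 MB floppy)

def follow_chain(fat, first):
    chain, n = [], first
    while 2 <= n < 0xFF8 and n not in chain:             # 0 = free, 0xFF8..0xFFF = end of chain
        chain.append(n)
        n = fat12_get(fat, n)
    return chain

def lfn_text(e):
    """UTF-16LE fragments of a long-file-name entry live at bytes 1-10, 14-25 and 28-31."""
    s = (bytes(e[1:11]) + bytes(e[14:26]) + bytes(e[28:32])).decode('utf-16le', 'replace')
    return s.split('\x00')[0].split('\uffff')[0]

def short_name(e):
    """8.3 name; a first byte of 0xE5 marks a deleted entry and hides the first character."""
    deleted = e[0] == 0xE5
    base = (b'?' if deleted else bytes(e[0:1])) + bytes(e[1:8])
    name, ext = base.decode('latin-1').rstrip(), bytes(e[8:11]).decode('latin-1').rstrip()
    return (name + '.' + ext if ext else name), deleted

def list_root(img):
    """Walk the root directory; return every file entry, deleted ones included, with its sector range."""
    bpb = parse_bpb(img)
    fat = img[bpb['reserved'] * bpb['bps']:(bpb['reserved'] + bpb['fat_sectors']) * bpb['bps']]
    root, cluster_bytes = img[bpb['root_start'] * bpb['bps']:], bpb['spc'] * bpb['bps']
    files, parts = [], []
    for i in range(bpb['root_entries']):
        e = root[i * 32:(i + 1) * 32]
        if e[0] == 0x00:                  # end of directory
            break
        if e[11] == 0x0F:                 # LFN piece: stored last piece first, just before the short entry
            parts.append(lfn_text(e))
            continue
        long_name, parts = ''.join(reversed(parts)), []
        name, deleted = short_name(e)
        first, size = struct.unpack_from('<HI', e, 26)
        chain = follow_chain(fat, first)
        if deleted and len(chain) == 1 and size > cluster_bytes:
            # Deletion zeroes the file's FAT entries; assume contiguous allocation, as recovery tools do.
            chain = list(range(first, first + -(-size // cluster_bytes)))
        secs = [cluster_to_sector(bpb, c) for c in chain]
        files.append({'long': long_name, 'short': name, 'deleted': deleted, 'first_cluster': first,
                      'size': size, 'sectors': (secs[0], secs[-1] + bpb['spc'] - 1) if secs else None})
    return files

def lfn_entries(name, deleted=False):
    """Build the 32-byte LFN entries for `name` (13 UTF-16 chars each, last piece written first)."""
    u = name.encode('utf-16le') + b'\x00\x00'
    pieces = [u[i:i + 26].ljust(26, b'\xff') for i in range(0, len(u), 26)]
    out = []
    for seq, p in enumerate(pieces, 1):
        e = bytearray(32)
        e[0] = 0xE5 if deleted else seq | (0x40 if seq == len(pieces) else 0)
        e[1:11], e[11], e[14:26], e[28:32] = p[0:10], 0x0F, p[10:22], p[22:26]
        out.append(bytes(e))
    return b''.join(reversed(out))

def build_image():
    """Constructed 1.44 MB FAT12 image mirroring the report's three entries (sizes and clusters are made up)."""
    bps, spf, root_entries, total = 512, 9, 224, 2880
    img = bytearray(total * bps)
    img[3:11], img[510:512] = b'MSDOS5.0', b'\x55\xAA'
    struct.pack_into('<HBHBHHBH', img, 0x0B, bps, 1, 1, 2, root_entries, total, 0xF0, spf)
    fat = bytearray(spf * bps)
    fat[0:3] = b'\xF0\xFF\xFF'
    for first, count in ((42, 31), (73, 5)):   # clusters 42-72 -> sectors 73-103, clusters 73-77 -> 104-108
        for c in range(first, first + count):
            fat12_set(fat, c, c + 1 if c < first + count - 1 else 0xFFF)
    img[bps:bps + len(fat)] = img[(1 + spf) * bps:(1 + 2 * spf) * bps] = fat   # both FAT copies
    def entry(name11, first, size, deleted=False):
        e = bytearray((b'\xE5' if deleted else name11[:1]) + name11[1:] + b'\x20' + bytes(20))
        struct.pack_into('<HI', e, 26, first, size)
        return bytes(e)
    root = (lfn_entries('cover page.jpgc') + entry(b'COVERP~1JPG', 42, 15585) + entry(b'SCHEDU~1EXE', 73, 2310)
            + lfn_entries('Jimmy Jungle.doc', deleted=True) + entry(b'JIMMYJ~1DOC', 78, 4608, deleted=True))
    img[(1 + 2 * spf) * bps:(1 + 2 * spf) * bps + len(root)] = root
    return img
```

The deleted entry keeps its name (minus the first byte), first cluster and size, but its FAT chain is gone, which is exactly why the export from Autopsy gave an unreadable document: the script's contiguous-allocation guess is the same assumption an undelete tool makes, and it only works when the file was not fragmented.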

 

To look for crucial information in this image, we started with the strings command: $ strings cover_recovered.jpg

At the end of the output we note the presence of some crucial data: pw=goodtimes . This string, a password, was added to the image file in a hidden manner: the image still displays normally, so the text was most likely appended after the JPEG end-of-image marker, where decoders ignore trailing bytes.

 

Now, by clicking on the 104-108 (5) link (sectors 104 to 108, 5 sectors) we get this information: Zip archive data, at least v2.0 to extract. By exporting the content of these sectors to

schedule.zip and opening it with the unzip command, we get this prompt: Archive: schedule.zip [schedule.zip] Scheduled Visits.xls password: When we entered the password goodtimes picked up from the cover page file, it was accepted and we obtained the Scheduled Visits.xls file. By opening this file with the kspread program we got a document describing all the scheduled visits to the schools, per month and per day.
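The zip behaviour seen in this investigation (file recognises schedu1.exe as a zip despite its extension, strings shows the member name, unzip prompts for a password, and the earlier "cannot find zipfile directory" error on the unexported copy) follows directly from the zip record layout. The following Python example was added for this edit and is not part of the original report: it parses local file headers (signature PK\x03\x04, the "version needed to extract" that file reports as v2.0, general-purpose flag bit 0 meaning encrypted, member name stored in the clear), checks for the end-of-central-directory record that unzip needs, and builds a constructed in-memory archive with a placeholder Scheduled Visits.xls member. Because the standard library cannot write encrypted entries, mark_encrypted() only sets the encryption flag bit to show what a password-protected header looks like; it does not really encrypt the data.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b'PK\x03\x04', b'PK\x01\x02', b'PK\x05\x06'
METHODS = {0: 'stored', 8: 'deflated'}

def local_headers(data):
    """Parse every local file header in `data`, whatever the file's extension claims."""
    out, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        ver, flags, method, _time, _date, crc, csize, _usize, nlen, xlen = struct.unpack_from('<HHHHHIIIHH', data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode('cp437')      # name is never encrypted
        out.append({'name': name, 'min_version': ver / 10, 'encrypted': bool(flags & 0x0001),
                    'method': METHODS.get(method, method), 'compressed_size': csize, 'crc32': crc})
        pos += 30 + nlen + xlen
    return out

def has_central_directory(data):
    """unzip's 'cannot find zipfile directory' means these end-of-archive records are missing or damaged."""
    return data.rfind(EOCD_SIG) >= 0 and data.rfind(CENTRAL_SIG) >= 0

def build_archive(members):
    """Constructed in-memory archive; member contents are placeholders, not a real spreadsheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data):
    """Set flag bit 0 in every local and central header, the bit that makes unzip ask 'password:'.
    The member data itself is left untouched, so this only demonstrates the header, not real encryption."""
    out = bytearray(data)
    for sig, flag_off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = 0
        while (pos := out.find(sig, pos)) >= 0:
            flags = struct.unpack_from('<H', out, pos + flag_off)[0]
            struct.pack_into('<H', out, pos + flag_off, flags | 0x0001)
            pos += 4
    return bytes(out)
```

Running local_headers() over the raw schedu1.exe bytes is how to confirm what file and strings suggested before exporting anything: the name Scheduled Visits.xls and the encrypted flag are readable without the password, while the central directory check explains why the first unzip attempt failed on the file as mounted.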

 

We had now recovered the cover page image and the scheduled visits document, but were still unable to recover the Jimmy Jungle document. So we tried a Windows program called RECOVERITALL (demo version) on a floppy disk which we created from the image with this command: $ dd if=image of=/dev/fd0 (the recovery tool works on this copy; the original image file stays untouched).

 

With this utility we were able to recover the Jimmy Jungle.doc file, which contains the following letter:

Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111


Jimmy:

Dude, your pot must be the best - it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in
Columbia.
 
These kids, they tell me marijuana isn't addictive, but they don't stop buying from me. Man, I'm sure glad you told me about targeting the high school students. You must have some experience. It's like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I'm an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!

I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.  Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.

Thanks,

Joe

 

2 Questions

 

2.1 Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

 

According to the recovered Jimmy Jungle.doc document, Joe Jacobs' marijuana supplier is ``Jimmy Jungle'' and his address is ``626 Jungle Ave Apt 2, Jungle, NY 11111''.

 

2.2 What crucial data is available within the coverpage.jpg file and why is this data crucial?

 

When displaying the strings output of the JPEG file extracted with the Autopsy Forensic Browser from sectors 73-103 (31) of the floppy disk image, we find this content: pw=goodtimes . This is the password of the zip file extracted with the Autopsy Forensic Browser from sectors 104-108 (5) of the floppy disk image.

With this password it is possible to open the zipped file, which had been encrypted with it. The data is crucial because without the password the schedule inside the archive cannot be read.

2.3 What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

 

By opening the ``Scheduled Visits.xls'' file, we discovered the scheduled visits of Joe Jacobs to these schools:

  • Smith Hill High School
  • Key High School
  • Leetch High School
  • Birard High School
  • Richter High School
  • Hull High School

 

2.4 For each file, what processes were taken by the suspect to mask them from others?

 

The first file, Jimmy Jungle.doc, was deleted, and has a written time earlier than its created time and an accessed time earlier than its created time.
The file cover page.jpgc carries a long file name whose extension (.jpgc) differs from that of its short name COVERP~1.JPG; this points to a manual edit of the directory entry. This file also has a written time earlier than its created time and an accessed time earlier than its created time, and its data was made unreadable through the file system (file reported it as a floppy with no file system, and no JFIF string was visible until the sectors were exported directly).

The third file, a zip archive disguised with an .exe extension, also has a written time earlier than its created time and an accessed time earlier than its created time. According to the fsck.msdos output, this file possibly has a cluster chain length greater than 1024.

 

2.5 What processes did you (the investigator) use to successfully examine the entire contents of each file ?

 

The investigation was described in detail in the methodology section; we summarize here the different steps mentioned above:

 

  • Cover page: we used the Autopsy Forensic Browser, exported sectors 73-103, then used the strings command to pick up the password and the xview tool to view the content of the image.
  • Scheduled visits: we used the Autopsy Forensic Browser, exported sectors 104-108, then used the unzip command with the password "goodtimes" to extract the Scheduled Visits.xls document. To view the content of the document we used the kspread tool.
  • Jimmy Jungle document: we used the RECOVERITALL tool to recover this deleted file, and opened it with MS Word.

 

2.6 Bonus Question: What Microsoft program was used to create the Cover Page file. What is your proof (Proof is the key to getting this question right, not just making a guess).

In this response we will try to make a proof that this file was issued by a micro

The Cover Page was created by the ``MS Paint'' program. In fact, we have found that any JPEG file created by MS Paint, when run through the following command: $ strings file_name, begins with the following strings:

JFIF

$.' ",#

(7),01444

'9=82<.342

!22222222222222222222222222222222222222222222222222

These strings are not arbitrary: after the JFIF header, they are the byte values of the two JPEG quantization tables (DQT segments) of the file, and those values are exactly the default IJG/libjpeg luminance and chrominance tables scaled to quality 75, which is what MS Paint writes. This supports the conclusion that the cover page file was created with MS Paint. Note, however, that any encoder using the same default tables at quality 75 would leave identical strings, so the tables show consistency with MS Paint rather than a unique fingerprint. The string pw=goodtimes was most likely added afterwards by editing the file in hex form.