Scan of the Month Challenge – Analysis                                                                                 

Honeynet Project – October 2002

Analysis by Peter Mc Laughlin

Pm110@lucent.com

October 24th 2002

 

Summary

Tools

Methodology

Questions

References

Appendices

 

 

Summary

 

“Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.” – Source: DIBS USA

 

The recovery, analysis and presentation of “digital evidence” is an area of growing importance to law enforcement agencies globally. The benefits of working in a digital world have reached not only the man or woman in the street but also the criminal elements within our society.

 

This exercise demonstrates that a would-be drug pusher would do better to invest in proper disk-wiping software than to rely on a standard Windows delete. Deleting a file on a FAT floppy only marks its directory entry as free and releases its clusters; the contents stay on the disk until something else overwrites them.

 

Tools

 

@stake Research Tools: TASK (The @stake Sleuth Kit)

@stake Research Tools: Autopsy Forensic Browser

The Coroner's Toolkit (TCT)

Red Hat Linux 7.2

NTI ASCII Filter Program

 

 

Methodology

 

Downloaded the image file for Scan of the Month 24 from http://project.honeynet.org/ to /forensics on the local machine.

 

Copied the MD5 hash published for this challenge on the Honeynet web site into a new text file named sotm24, laid out as a line of md5sum output (hash, two spaces, file name), and verified the downloaded image against it with md5sum. A matching hash shows that the download is the file the site published and was not altered in transit; it says nothing about how the floppy was handled before it was imaged. With the hash confirmed, the forensic analysis of the disk and its contents can begin.
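The hash verification step above, as an added example that is not part of the original analysis: the published hash is laid out as an md5sum-style line, the image is hashed in chunks so a large image never has to fit in memory, and the two digests are compared. The sample image file and the checksum lines are constructed inside the block; the real challenge hash is not reproduced.

```python
import hashlib
import hmac
import os
import tempfile

# Added example (not from the original analysis). Verifies an acquired image
# against a published MD5 in the "md5sum -c" style the write-up describes.


def md5_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a file read in 1 MiB chunks; images can be far larger than RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sum_line(line):
    """Parse one md5sum output line: '<32 hex>  <name>' (two spaces for text
    mode, ' *' for binary mode). Returns (hex_digest, filename)."""
    digest, rest = line.rstrip("\n").split(" ", 1)
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 hex digest: %r" % digest)
    return digest, rest.lstrip(" *")


def verify_image(path, expected_hex):
    """True when the file at path hashes to expected_hex."""
    return hmac.compare_digest(md5_file(path), expected_hex.lower())


def demo():
    """Write a constructed stand-in image to a temporary directory and check
    it against a correct line and a deliberately wrong one. Returns
    (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)            # constructed; not the floppy image
        good_line = "%s  %s\n" % (md5_file(path), path)   # what the web-site hash becomes
        bad_line = "%s  %s\n" % ("0" * 32, path)
        results = []
        for line in (good_line, bad_line):
            digest, name = parse_md5sum_line(line)
            results.append(verify_image(name, digest))
        return tuple(results)


if __name__ == "__main__":
    print(demo())
```

On a real case the line to write into sotm24 is the hash from the web page followed by two spaces and the image's file name; md5sum then reports OK or FAILED per line.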

 

Wrote the image to a freshly formatted 1.44 MB floppy in order to carry out an initial look at the disk on a Windows NT machine as well. The write-protect tab on that floppy should be set before it is put in any machine, so that browsing the copy cannot alter it. This was achieved by executing

 

dd if=/forensics/image of=/dev/fd0

 

I also mounted the image read-only on my Red Hat machine by running

 

mount -o ro,loop,nodev,noexec /forensics/image /home/forensics

 

Initially the contents of the disk showed the same two files from both the NT and Linux platforms:

 

cover page.jpgc

schedu~1.exe

 

The @stake toolkit and the Autopsy Forensic Browser were the primary tools used to perform the forensic analysis of this image. Autopsy requires that the image file be copied into the /morgue directory and an entry placed in /morgue/fsmorgue, as detailed below.

 

image          fat              A:              EST5EDT

 

This entry tells the tool where the image file is stored (/morgue), the file system type (fat), the original mount point (A:) and the time zone (EST5EDT).

 

The tool was initiated by executing

 

/autopsy-1.62/autopsy 8888 localhost

 

Autopsy revealed a different picture from what was first seen on the disk.

 

The file listing now consisted of three files (long file name, with the 8.3 short name Autopsy shows in parentheses):

Cover page.jpgc (COVERP~1.JPG)

Jimmy Jungle.doc (_IMMY~1.DOC)

Scheduled Visits.exe (SCHEDU~1.EXE)

 

 

We are now working with three files as opposed to two. The easiest of these to recover was Jimmy Jungle.doc. This file had simply been deleted from Windows. A delete on a FAT file system does not remove the data: it overwrites the first byte of the short directory entry with 0xE5 (which is why Autopsy lists the entry as _IMMY~1.DOC) and marks the file's clusters as free in the FAT; the contents stay on the disk until something is written over them. The information required from this file was readable from an ASCII view of the relevant sectors on the disk (sectors 38 and 39). A case-insensitive keyword search in Autopsy located the two sectors holding the text of the document. (Only a small section is shown for the purposes of layout; see Appendix 1.1 for the full letter.)
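The FAT delete mechanism described above, together with the sector-range extraction used later in the analysis for the ZIP and JPEG data, as an added example that is not part of the original analysis. It builds a 1.44 MB FAT12 image in memory (constructed; nothing from the challenge image is embedded), reads the BIOS Parameter Block, lists the root directory, recognises the 0xE5 deleted marker, converts the entry's first cluster to an absolute sector and carves the file back out. The file names, sizes and cluster numbers in the sample are assumptions made for the example; the geometry values are the standard ones for a 1.44 MB floppy.

```python
import struct

SECTOR = 512   # bytes per sector on a standard 1.44 MB floppy

# Added example (not from the original analysis): parse a FAT12 boot sector,
# list the root directory, recognise entries Windows has marked deleted
# (first byte 0xE5, shown by Autopsy as _IMMY~1.DOC), map the entry's first
# cluster to an absolute sector and carve the data back out. The image below
# is constructed in memory; nothing from the challenge image is embedded.


def parse_bpb(image):
    """Layout of a FAT12 volume from the BIOS Parameter Block in sector 0."""
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", image, 11)
    root_start = reserved + nfats * spf                  # first root-directory sector
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "root_start": root_start, "root_entries": root_entries,
            "data_start": root_start + root_sectors}     # sector holding cluster 2


def cluster_to_sector(bpb, cluster):
    """Clusters are numbered from 2; on a 1.44 MB floppy cluster 2 is sector 33."""
    return bpb["data_start"] + (cluster - 2) * bpb["sectors_per_cluster"]


def root_entries(image, bpb):
    """Yield (name, deleted, first_cluster, size) for each 8.3 root entry.
    VFAT long-name fragments (attribute 0x0F) are skipped; the 8.3 entry is
    the one that carries the cluster number and size."""
    off = bpb["root_start"] * bpb["bytes_per_sector"]
    for i in range(bpb["root_entries"]):
        e = image[off + 32 * i: off + 32 * i + 32]
        if e[0] == 0x00:                 # 0x00 marks the end of the used entries
            break
        if e[11] == 0x0F:
            continue
        deleted = e[0] == 0xE5           # a delete overwrites only this one byte
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        name = ("_" if deleted else chr(e[0])) + base + ("." + ext if ext else "")
        first_cluster, size = struct.unpack_from("<HI", e, 26)
        yield name, deleted, first_cluster, size


def carve_sectors(image, first_sector, last_sector, bps=SECTOR):
    """Bytes of sectors first..last inclusive: the 'export each sector and cat
    them together' step of the write-up done in a single read."""
    return image[first_sector * bps:(last_sector + 1) * bps]


def recover_deleted(image):
    """Carve every deleted root entry, assuming its clusters were contiguous.
    Deleting clears the FAT chain but leaves first cluster and size in the
    directory entry, so contiguity is the assumption recovery rests on."""
    bpb = parse_bpb(image)
    bps = bpb["bytes_per_sector"]
    found = []
    for name, deleted, cluster, size in root_entries(image, bpb):
        if deleted and size:
            start = cluster_to_sector(bpb, cluster)
            nsect = (size + bps - 1) // bps
            data = carve_sectors(image, start, start + nsect - 1, bps)[:size]
            found.append((name, start, data))
    return found


def build_sample_image():
    """Constructed 1.44 MB FAT12 image: one live file and one deleted file."""
    img = bytearray(2880 * SECTOR)
    # standard 1.44 MB BPB: 512 B/sector, 1 sector/cluster, 1 reserved sector,
    # 2 FATs, 224 root entries, 2880 sectors, media 0xF0, 9 sectors per FAT
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    bpb = parse_bpb(img)
    root = bpb["root_start"] * SECTOR

    def entry(slot, name83, cluster, size):
        e = bytearray(32)
        e[0:11], e[11] = name83, 0x20                    # 8.3 name, archive attribute
        struct.pack_into("<HI", e, 26, cluster, size)
        img[root + 32 * slot: root + 32 * slot + 32] = e

    letter = b"Jimmy Jungle\r\n626 Jungle Ave Apt 2\r\n" + b"X" * 700   # constructed payload
    entry(0, b"COVERP~1JPG", 40, 100)                    # live file (content not needed here)
    entry(1, b"\xe5IMMY~1 DOC", 5, len(letter))          # deleted: first byte now 0xE5
    s = cluster_to_sector(bpb, 5)
    img[s * SECTOR: s * SECTOR + len(letter)] = letter
    return bytes(img), letter


if __name__ == "__main__":
    image, _ = build_sample_image()
    for name, sector, data in recover_deleted(image):
        print("%s at sector %d: %r..." % (name, sector, data[:34]))
```

The data area starts after the reserved sector, the two 9-sector FATs and the 14-sector root directory (1 + 18 + 14 = 33), and cluster 2 is the first data cluster, so cluster n sits at sector 33 + (n − 2). That is the arithmetic behind Autopsy's sector numbers for this image.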

 

 

ASCII Contents of Sector 38 (512 bytes) in image

 

 

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

 

Jimmy:

 

Dude, your pot must be the best – it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.

 

 

The remaining files were more complicated, as some attempt had been made to camouflage their contents and file type.

 

Schedu~1.exe, or Scheduled Visits.exe to give it its full long file name, is in no shape or form an executable file: a Windows executable begins with the two bytes MZ, and this file does not. An examination of the file's contents within Autopsy reveals a reference to Scheduled Visits.xls. Was this file embedded within the so-called .EXE?

 

Renaming Schedu~1.exe to Schedu~1.txt and running it through the NTI filter, which strips out all non-alphanumeric characters, shows the following:

 

PK         Z , U`      B      Scheduled Visits.xls  1* I     p    1  H <K u   Q  *6 $  ~uF  NVO    `6T   .#    R      #-4  HT b ^ ? Rr  f J     x 5kUM    a_   SA# ; Qk         I    ; 2

 

There was not enough alphanumeric data in the dump to indicate an XLS renamed as an EXE; an Excel workbook is an OLE2 compound file and does not begin with PK. A leading PK followed a little later by the name Scheduled Visits.xls is what a ZIP archive looks like: PK is the signature of the ZIP local file header, and that header stores the archived member's name in the clear. So this could have been a WinZip file that was changed to .EXE.

This idea was confirmed by taking an XLS, zipping it, renaming it to .EXE and then to .txt, and running it through the filter.

 

PK        n}X-N( H     <      xls.xls  _l E   3; {- s     \    K           $b       G Qc yC     C4             H >   h4  8g~  ; c S    .             } m  # N;O5    R #     T!M  \6 j:]

 

The similarities were obvious, so it was reasonable to conclude that we were looking at a ZIP file that had been renamed to .EXE.
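The identification-by-content step above, as an added example that is not taken from the write-up or from the tools it uses: classify data by its leading bytes instead of its extension, and read the ZIP local file header that the PK … Scheduled Visits.xls dump is showing. The member name is stored in the clear even when the member is encrypted, and bit 0 of the header's general-purpose flags records that encryption, so the archive tells you what it holds and that it will ask for a password before you ever try to open it. The three sample files are constructed in the block; the ZIP is built with Python's zipfile module and has its encryption flag set by hand, because the standard library cannot write password-protected archives.

```python
import io
import struct
import zipfile

# Added example (not from the original analysis): decide what a file is from
# its leading bytes, and parse the ZIP local file header. All samples are
# constructed here.

ZIP_LOCAL_SIG = b"PK\x03\x04"
OLE2_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 .doc/.xls/.ppt


def identify(data):
    """Container type from magic bytes: 'zip', 'jpeg', 'ole2' or 'unknown'."""
    if data.startswith(ZIP_LOCAL_SIG):
        return "zip"
    if data[:3] == b"\xff\xd8\xff":          # SOI marker followed by the next marker
        return "jpeg"
    if data.startswith(OLE2_SIG):
        return "ole2"
    return "unknown"


def zip_local_header(data, offset=0):
    """Parse the 30-byte local file header at offset. The member name follows
    the fixed fields in the clear, encrypted or not."""
    fields = struct.unpack_from("<4sHHHHHIIIHH", data, offset)
    sig, _version, flags, method, _t, _d, crc, csize, usize, nlen, xlen = fields
    if sig != ZIP_LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name = data[offset + 30: offset + 30 + nlen].decode("cp437")
    return {"name": name, "encrypted": bool(flags & 1), "method": method,
            "compressed_size": csize, "uncompressed_size": usize, "crc32": crc,
            "data_offset": offset + 30 + nlen + xlen}


def make_zip(member_name, payload):
    """Constructed sample archive (unencrypted) built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member_name, payload)
    return buf.getvalue()


def with_encryption_flag(zip_bytes):
    """Set bit 0 of the first local header's flags to mimic a password-protected
    member (constructed: the member data itself is left unencrypted)."""
    b = bytearray(zip_bytes)
    flags = struct.unpack_from("<H", b, 6)[0]     # flags sit after sig(4)+version(2)
    struct.pack_into("<H", b, 6, flags | 1)
    return bytes(b)


def triage(samples):
    """{label: (type, member name or None, encrypted flag or None)} for each
    (label, bytes) pair, ignoring whatever extension the label claims."""
    result = {}
    for label, data in samples:
        kind = identify(data)
        if kind == "zip":
            h = zip_local_header(data)
            result[label] = (kind, h["name"], h["encrypted"])
        else:
            result[label] = (kind, None, None)
    return result


SAMPLES = [   # constructed stand-ins for the three files on the floppy
    ("Scheduled Visits.exe",
     with_encryption_flag(make_zip("Scheduled Visits.xls", b"A" * 300))),
    ("cover page.jpgc",
     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
    ("Jimmy Jungle.doc", OLE2_SIG + b"\x00" * 504),
]

if __name__ == "__main__":
    for label, info in triage(SAMPLES).items():
        print("%-22s %s" % (label, info))
```

Note that the second PK in the dump (the central directory, signature PK\x01\x02) repeats the member name; both copies are plaintext regardless of the password.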

 

A keyword search for Scheduled Visits.xls within Autopsy revealed the file's data spanning five consecutive sectors on the disk (104–108).

 

As we needed to recover this file to further the investigation, it was necessary to export the data from each of these sectors in raw format and string them together, in order, to form a valid ZIP file. There were five exported files in total, sectors 104–108.

 

This was achieved as follows

 

cat image-Sector105.raw >> image-Sector104.raw

cat image-Sector106.raw >> image-Sector104.raw

cat image-Sector107.raw >> image-Sector104.raw

cat image-Sector108.raw >> image-Sector104.raw

 

image-Sector104.raw, now holding all five sectors in order, was the file believed to be the ZIP archive. It was copied to a Windows 2000 server, renamed image-Sector104.zip and opened successfully, revealing Scheduled Visits.xls... but a password was required to extract the XLS!

 

 

As there was no apparent reference to a password, I moved on to cover page.jpgc to perform the same recovery and, with luck, extract a usable file.

 

An analysis of the file system on the disk showed that, in addition to sectors 104–108, a comparatively large amount of data resided in sectors 73–103. The file header at sector 73 contained the following (after exporting it and filtering it through the NTI filter):

 

JFIF     ` `     C       $.' ",#  (7),01444 '9=82<.342  

 

JFIF is the identifier of the APP0 segment that follows the start-of-image marker (FF D8) in JFIF-format JPEG files. This was cross-checked by examining the headers of 20 ordinary JPG files, all of which contained the JFIF string. (Not every JPEG carries it: images written by cameras often start with an Exif APP1 segment instead, so the FF D8 FF marker bytes are the more reliable test.)

 

Sectors 73–103 were dumped out and pieced together as for the previous file, renamed with a .jpg extension and opened successfully (see attachments for the actual JPG).

                                                

An added bonus of extracting all the data within sectors 73–103 was discovering a password hidden in sector 103, the last sector of the range (see the string report below).

 

Autopsy string Sector Report (ver 1.62)

 

 ------------------------------------------------------

Sector: 103

Length: 512 bytes

Not allocated to any inodes

MD5 of raw Sector: f1430559d3bc8df3c04b384b47936e35

MD5 of string output: f3adc79ce7002790260171fa48af93db

Image: /morgue/image

Image Type: fat12

Date Generated: Fri Oct 25 12:33:37 2002

Investigator: peter mc laughlin

 ------------------------------------------------------

pw=goodtimes

 

 

It was not a giant leap of faith to suggest that this was the password for extracting the XLS from the ZIP file, and it worked (see Appendix 1.2 for the XLS).
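How text ends up hidden "inside" a picture without disturbing it, as an added example that is not part of the original analysis. A JPEG viewer reads the marker segments up to the scan data and stops at the end-of-image marker FF D9; anything after that marker, or in the slack of the file's last sector, is never displayed but is trivially recovered by walking the structure and listing printable runs (the job the NTI ASCII filter and Autopsy's string view did in the write-up). The JPEG here is a minimal constructed file, and the pw=goodtimes payload is appended by hand to stand in for what the page reports in sector 103; the exact position of the string within the real image is not given on the page.

```python
import struct

# Added example (not from the original analysis): walk JPEG marker segments,
# find the real end of image (FF D9) and report what lies beyond it.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # markers without a length field


def jpeg_segments(data):
    """Yield (marker, offset, total_length) for each header segment up to and
    including SOS. A segment's big-endian 16-bit length counts itself."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, 2
            pos += 2
            if marker == EOI:
                return
            continue
        length = struct.unpack_from(">H", data, pos + 2)[0]
        yield marker, pos, 2 + length
        pos += 2 + length
        if marker == SOS:
            return


def jpeg_end(data):
    """Offset just past EOI. Inside entropy-coded data every 0xFF is followed
    by 0x00 (byte stuffing) or a restart marker D0-D7, so the first FF D9
    after the SOS segment is the genuine end of image."""
    scan_start = None
    for marker, offset, length in jpeg_segments(data):
        if marker == SOS:
            scan_start = offset + length
    if scan_start is None:
        raise ValueError("no SOS segment: the file carries no scan data")
    eoi = data.find(b"\xff\xd9", scan_start)
    if eoi < 0:
        raise ValueError("truncated JPEG: no EOI marker")
    return eoi + 2


def trailing_bytes(data):
    """Everything a viewer never shows: the bytes after EOI."""
    return data[jpeg_end(data):]


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def build_sample_jpeg():
    """Constructed: SOI, APP0/JFIF, a tiny SOS with stuffed FF 00 and an RST0
    marker in the scan data, EOI, then a hidden string and some zero slack."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + b"pw=goodtimes\x00" + b"\x00" * 20


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    print("image ends at", jpeg_end(jpg), "of", len(jpg), "bytes")
    print(printable_strings(trailing_bytes(jpg)))
```

On a carved file the same comparison works the other way round: if jpeg_end is well short of the carved length, the difference is either appended data or sector slack, and both deserve a string search before the file is dismissed as "just a picture".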

 

 

 

 

Questions

 

Who is Joe Jacobs' supplier of marijuana, and what is the address listed for the supplier?

 

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

 

What crucial data is available within the coverpage.jpg file, and why is this data crucial?

 

Cover page.jpg contains a hidden password (pw=goodtimes) that allowed the investigator to extract the XLS from the ZIP file. Without this password it would not have been possible to extract the XLS and identify the other high schools Joe was selling at. In addition, valuable investigation time was not spent attempting a brute-force attack against the ZIP file.

 

 

What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

 

 

Key High School

Leetch High School

Birard High School

Richter High School

Hull High School

 

For each file, what processes were taken by the suspect to mask them from others?

 

Jimmy Jungle.doc: the file was simply deleted from the floppy disk; no other method was employed to hide it. The file was easily viewable and recoverable.

 

cover page.jpgc: the file was made unopenable by altering its name. The extension was changed to .jpgc, which Windows does not associate with an image viewer, and the name appears to have been padded with an extra character of the kind produced with Alt+255 (character 255 in the OEM code page is a non-breaking space, which displays as blank in Windows and so makes a name look ordinary while it is not). The file's data itself occupied one contiguous run of sectors (73–103); it had not been split up.

 

schedu~1.exe: this file was originally a ZIP archive containing Scheduled Visits.xls and was renamed with an .EXE extension. Its data sat in consecutive sectors 104–108; the multiple "segments" were the product of exporting the data sector by sector from Autopsy, not of any splitting by the suspect. The ZIP file was password protected, and the password was stored as plain text inside cover page.jpg (sector 103), where it is invisible to anyone simply viewing the picture.

 

What processes did you (the investigator) use to successfully examine the entire contents of each file?

 

Please see methodology above

 

 

What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)

 

 

 

My investigation leads me to believe that Jacobs used Microsoft Word for Windows 8.0 (Word 97). See the hex dump below. Sector 72 on the disk is the sector immediately before sector 73, where the first section of cover page.jpg resides. What the dump shows is the CompObj stream of an OLE compound document: the CLSID 00020906-0000-0000-C000-000000000046 (the Word 97 document class), followed by the user-type string Microsoft Word Document, the clipboard format MSWordDoc and the ProgID Word.Document.8. Because clusters on this floppy are single sectors, adjacency alone does not establish that sector 72 belongs to the same file as sectors 73–103; before relying on it, a practitioner should confirm that it is not the tail of the deleted Jimmy Jungle.doc, which is also a Word binary document and whose text was found only a few sectors earlier (38–39).

 

Hex contents of sector 72 (512 bytes) in image


0      0100feff 030a0000 ffffffff 06090200       .... .... .... ....
16      00000000 c0000000 00000046 18000000       .... .... ...F ....
32      4d696372 6f736f66 7420576f 72642044       Micr osof t Wo rd D
48      6f63756d 656e7400 0a000000 4d53576f       ocum ent. .... MSWo
64      7264446f 63001000 0000576f 72642e44       rdDo c... ..Wo rd.D
80      6f63756d 656e742e 3800f439 b2710000       ocum ent. 8..9 .q.

 

 

References

 

http://www.dmares.com/maresware/forensic_tools.htm

http://project.honeynet.org/scans/scan15/som/som31.txt

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-response-invest.html

http://www.cc.ic.ac.uk/helpdesk/apriori/15.2352.html

http://recover.sourceforge.net/unix/

http://is-it-true.org/pt/ptips8.shtml

 

 

 

 

 

Appendices

 

1.1 – Copy of Actual Letter from Jacobs to Jungle

 

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

 

Jimmy:

 

Dude, your pot must be the best – it made the cover of High Times Magazine! Thanks for sending me the Cover Page. What do you put in your soil when you plant the marijuana seeds? At least I know your growing it and not some guy in Columbia.

 

These kids, they tell me marijuana isn’t addictive, but they don’t stop buying from me. Man, I’m sure glad you told me about targeting the high school students. You must have some experience. It’s like a guaranteed paycheck. Their parents give them money for lunch and they spend it on my stuff. I’m an entrepreneur. Am I only one you sell to? Maybe I can become distributor of the year!

 

I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.  Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.

 

Thanks,

 

Joe

 

 

 

1.2 – Copied data from the spreadsheet detailing Jacobs' dealing schedule (2002)

Month   Day             High School

April   Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)
        Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)

May     Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)

June    Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)
        Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)