Honeynet Project

Scan of the month – October 2002

Yoann Le Corvic


1          Introduction


The challenge this month is to recover files from a floppy and provide information that could be used to prove the guilt of a suspected drug dealer.

Before doing anything else, let’s check the MD5 checksum of the file.

I did the whole analysis on a Windows box this time. For a change…

The questions are answered in the same order they have been asked. The main description of the process I used is in §5.

2          October challenge questions

2.1        Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

The name and address of the supplier are:

Jimmy Jungle

626 Jungle Ave Apt 2

Jungle, NY 11111

At first, I couldn’t locate the info anywhere on the 2 files I recovered (cf §5). So, I used HVIEW to open the image directly and see what text I could recover from this.

Then I used a freeware data recovery program to check the floppy disk. I explain this in detail in §5, and managed to recover the deleted Word document.


2.2        What crucial data is available within the “coverpage.jpg” file and why is this data crucial?

After recovering this file (the different methods I used are described in §5), I tried to open it with NOTEPAD to see what could be hiding in it, and I noticed something interesting that didn’t really look like JPEG data: “pw=goodtimes”.


2.3        What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?

He is visiting other schools, and in a rather organised way. See the Excel file for all details.


2.4        For each file, what processes were taken by the suspect to mask them from others?

The methods used to hide the files from unwanted readers are as follows:

o       In general, there was a FAT allocation table corruption that I needed to fix to get the files back. The FAT correction revealed the cover page image and the “schedu~1.exe” file.

o       The word document was erased from the disc. We could see it in Hview as the first letter of the file name was deleted. The recovery program had no trouble getting the file back.

o       The Excel file was protected in 2 ways. First, it was added to a ZIP File that was renamed as an executable so that it wouldn’t be recognised as an archive. Then the ZIP file was password protected. The password was hidden in the CoverPage JPEG File (pw=goodtimes).
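An added example (not part of the original analysis or of any tool used in it): a Python triage function that compares a file's extension with its leading signature bytes and reports ZIP members whose encryption flag is set, the two protections applied to the Excel file. The sample archive is constructed inline, its flag bit is patched by hand, and the function names are assumptions.

```python
import io
import zipfile

# Leading "magic" bytes for the formats that appear on this floppy.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "exe", b"\xff\xd8\xff": "jpg",
         b"\xd0\xcf\x11\xe0": "ole2"}   # ole2 = legacy .doc/.xls container
EXPECTED = {"exe": "exe", "zip": "zip", "jpg": "jpg", "jpeg": "jpg",
            "doc": "ole2", "xls": "ole2"}

def sniff(data):
    """Return the format implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def triage(name, data):
    """Compare extension with content; list encrypted members of a ZIP."""
    ext = name.rsplit(".", 1)[-1].lower()
    kind = sniff(data)
    report = {"name": name, "content": kind,
              "mismatch": kind != EXPECTED.get(ext), "encrypted": []}
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                report["encrypted"] = [i.filename for i in zf.infolist()
                                       if i.flag_bits & 0x1]
        except zipfile.BadZipFile:
            report["damaged"] = True   # e.g. cut short by the FAT corruption
    return report

def constructed_sample():
    """Constructed test input: a small ZIP with the encryption flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scheduled Visits.xls", b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1   # flag bit in central directory
    return bytes(raw)

if __name__ == "__main__":
    print(triage("SCHEDU~1.EXE", constructed_sample()))
    print(triage("SCHEDU~1.EXE", constructed_sample()[:60]))  # truncated copy
```

The truncated copy is reported as damaged rather than raising, which mirrors the state of the archive before the FAT was repaired.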


2.5        What processes did you (the investigator) use to successfully examine the entire contents of each file?

-         First, I used rawwrite to create a floppy and see its content from the computer’s point of view.

-         Then I tried to look inside of the 2 files found by the computer:

1.      Found that the first, “cover page.jpgc           “, was inaccessible. The fact that there were some spaces at the end of the file name that I couldn’t trim gave me a hint that the FAT table might be corrupted.

2.      For the second, “Schedu~1.exe”, when I opened it with Notepad, I saw PK as the starting letters of the file, which led me to think that this file could be a ZIP file. To confirm that, I renamed the file to “.ZIP” instead of “.EXE”, to see if I could extract the content of the file. There was an error again, but apparently WinZip recognised a ZIP file. It just complained that it might be corrupt.

-         From then on I used two different techniques to get the data back, but I started by opening the image file directly in Hview, from where I discovered the name and address of the supplier. I also noticed that there should be at least 3 files, because of the names appearing in the FAT Table:

o        Jimmy Jungle.doc - Probably deleted, because the first letter of the short name (JIMMYJ~1.doc) is deleted

o        Cover page.jpgc – Short name COVERP~1.JPG

o       Scheduled visits.exe – Short name SCHEDU~1.EXE
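As an added illustration (not the author's procedure and not Hview's code), this Python code lists FAT root-directory entries, including deleted ones whose first short-name byte has been overwritten with 0xE5, and rebuilds their long names. The image is constructed inline; its cluster numbers and sizes are made up, and the function names are assumptions.

```python
import struct

def root_directory(image):
    """Slice the FAT12/16 root directory out of an image via the boot sector."""
    bps, _, rsvd, nfats, nents, _, _, spf = struct.unpack_from("<HBHBHHBH", image, 11)
    start = (rsvd + nfats * spf) * bps
    return image[start:start + nents * 32]

def lfn_text(e):   # up to 13 UTF-16 characters per long-name entry
    return (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le").split("\x00")[0]

def list_entries(region):
    """Return one dict per short entry, live or deleted, with its long name."""
    found, parts = [], []
    for off in range(0, len(region) - 31, 32):
        e = region[off:off + 32]
        if e[0] == 0x00:                  # unused slot: nothing follows
            break
        if e[11] == 0x0F:                 # long-name entries come first,
            parts.insert(0, lfn_text(e))  # last fragment stored first
            continue
        deleted = e[0] == 0xE5            # deletion overwrites only this byte of the entry
        name = e[:8].decode("latin-1").rstrip()
        name = "_" + name[1:] if deleted else name   # first character is lost
        ext = e[8:11].decode("latin-1").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        found.append({"short": f"{name}.{ext}", "long": "".join(parts),
                      "deleted": deleted, "cluster": cluster, "size": size})
        parts = []
    return found

def _lfn(seq, text):                      # builds constructed long-name entries
    u = text.encode("utf-16-le")
    if len(u) < 26:
        u = (u + b"\x00\x00").ljust(26, b"\xff")
    return bytes([seq]) + u[:10] + b"\x0f\x00\x00" + u[10:22] + b"\x00\x00" + u[22:]

def constructed_image():                  # constructed floppy-style layout
    img = bytearray(19 * 512 + 224 * 32)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    ents = [_lfn(0xE5, "doc"), _lfn(0xE5, "Jimmy Jungle."),
            struct.pack("<11sB14xHI", b"\xe5IMMYJ~1DOC", 0x20, 2, 20480),
            _lfn(0x42, "its.exe"), _lfn(0x01, "Scheduled vis"),
            struct.pack("<11sB14xHI", b"SCHEDU~1EXE", 0x20, 73, 1000)]
    img[19 * 512:19 * 512 + 32 * len(ents)] = b"".join(ents)
    return bytes(img)

if __name__ == "__main__":
    for entry in list_entries(root_directory(constructed_image())):
        print(entry)
```

The long-name entries of a deleted file keep their text, which is why the full name stays readable in a hex viewer even though the short name has lost its first letter.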


My first attempt was to run a simple CheckDisk from Windows to try and fix the suspected FAT problems. At the end of the scan, I noticed 3 things:

o       The “cover page.jpgc           “ disappeared,

o       A folder “found.000” appeared,
In that folder, there was a “.CHK” file, and, as I suspected, this was the fixed JPEG File. When I renamed it to “.JPG”, I got this:


o       And third, the size of the file “Schedu~1.exe” changed. When I then changed the extension to “.ZIP”, I could extract the file “Scheduled Visits.xls”, containing the list of all the schools, and the associated distribution planning.


The second attempt. I knew there was a file missing, a word document, that I could identify in Hview, and I suspected it was deleted because of the first letter of the filename missing. As I had nothing at hand to recover DOS files, I downloaded an eval copy of GetDataBack (http://www.runtime.com) to see what this could recover.
I ran it once, but it just gave me the 2 files I already had, which made me wonder if the program wasn’t blindly trusting the FAT table (which I still thought was corrupted). I fiddled around in the options of the program till I found one that said “IGNORE FAT TABLE ENTRIES”. I ticked that, tried again, and I got this:

Here is the missing Word Document. Note, though, that you could see the content of this document in Hview anyway (but it’s much nicer to have it straight in Word to present to the court).
This program also found the lost files in the same way Windows ScanDisk did (though for some reason the size of the JPG File is 1MB).


2.6        Bonus Question: What Microsoft program was used to create the Cover Page file. What is your proof (Proof is the key to getting this question right, not just making a guess).


Difficult one this is…

The truth is I don’t know. I guess it is Microsoft Office, so I tried to generate a JPEG File with PowerPoint and checked the content in Hview, but it didn’t help much. The picture below shows the differences between the header in the floppy image file (on the top), and the one I generated with PowerPoint (the bottom one). We can see that PowerPoint adds the data “Software:Microsoft Office” in the JPEG Headers.

So I am very curious to see the result of this question.



3          The recovered files


Those are the files that were recovered using the different techniques described along this document :


The deleted Word Document : J_IMMYJ~1.DOC

The cover page recovered after Scandisk: CoverPage.jpeg

The cover page recovered by “GetDataBack”: CoverPage.jpeg

The original ZIP ARCHIVE: Scheduled Visits.exe (corrupt file)

The ZIP File after ScanDisk: Scheduled Visits.exe (password: goodtimes)

The Excel File inside the ZIP: Scheduled Visits.xls