Scan of the month – October 2002
The challenge this month is to recover files from a floppy and provide information that could be used to prove the guilt of a drug-dealing suspect.
Before doing anything else, let’s check the MD5 checksum of the file.
I did the whole analysis on a Windows box this time. For a change…
The questions are answered in the same order they have been asked. The main description of the process I used is in §5.
The name and address of the supplier are:
626 Jungle Ave Apt 2
Jungle, NY 11111
At first, I couldn’t locate the info anywhere in the 2 files I recovered (cf. §5). So I used Hview to open the image directly and see what text I could recover from it.
Then I used a freeware data recovery program to check the floppy disk. I explain this in detail in §5; it managed to recover the deleted Word document.
After recovering this file (the different methods I used are described in §5), I tried to open it with Notepad to see what could be hiding in it, and I noticed something interesting that didn’t really look like JPEG data: “pw=goodtimes”
He is visiting other schools, and in a rather organised way. See the Excel file for all the details.
The methods used to obfuscate the files from unwanted readers are as follows:
o In general, there was a FAT allocation table corruption that I needed to fix to get the files back. The FAT correction revealed the cover page image and the “schedu~1.exe” file.
o The Word document was erased from the disc. We could see it in Hview, as the first letter of the file name was deleted. The recovery program had no trouble getting the file back.
o The Excel file was protected in 2 ways. First, it was added to a ZIP file that was renamed as an executable so that it wouldn’t be recognised as an archive. Then the ZIP file was password protected. The password was hidden in the cover page JPEG file (pw=goodtimes).
- First I used rawwrite to create a floppy and see its content from the computer’s point of view.
- Then I tried to look inside the 2 files found by the computer:
1. I found that the first, “cover page.jpgc ”, was inaccessible. The fact that there were some spaces at the end of the file name that I couldn’t trim gave me a hint that the FAT table may be corrupted.
2. For the second, “Schedu~1.exe”, when I opened it with Notepad I saw PK as the starting letters of the file, which led me to think that this file could be a ZIP file. To confirm that, I renamed the file to “.ZIP” instead of “.EXE” to see if I could extract the content of the file. There was an error again, but apparently WinZip recognised a ZIP file; it just complained that it may be corrupt.
- From then on I used two different techniques to get the data back, but I started by opening the image file directly in Hview, from where I discovered the name and address of the supplier. I also noticed that there should be at least 3 files, because of the names appearing in the FAT table:
o Jimmy Jungle.doc – probably deleted, because the first letter of the short name (JIMMYJ~1.doc) is deleted
o Cover page.jpgc – short name COVERP~1.JPG
o Scheduled visits.exe – short name SCHEDU~1.EXE
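As an added example (not part of the original write-up), here are the two checks done by hand above with Hview and Notepad: walking the FAT12 root directory for entries whose first name byte was overwritten on deletion (0xE5, shown as “?”), and sniffing each file’s magic bytes instead of trusting its extension, which is what gives the “PK” signature of the renamed ZIP away. The image, file names and sizes are constructed for the demonstration; the BPB geometry is that of a standard 1.44 MB floppy.

```python
import struct

def parse_bpb(img):
    """Read the BIOS Parameter Block fields that locate the root directory and the data area."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_off = (reserved + nfats * spf) * bps
    return {"bps": bps, "spc": spc, "root_off": root_off, "root_entries": root_entries,
            "data_off": root_off + root_entries * 32}

def list_root_dir(img):
    """Walk the root directory, keeping deleted entries (first byte 0xE5) and skipping LFN slots."""
    bpb, out = parse_bpb(img), []
    for i in range(bpb["root_entries"]):
        raw = bytes(img[bpb["root_off"] + i * 32 : bpb["root_off"] + (i + 1) * 32])
        if raw[0] == 0x00: break        # 0x00 marks the end of the used entries
        if raw[11] == 0x0F: continue    # VFAT long-filename slot, not a file
        deleted = raw[0] == 0xE5        # DOS only overwrites the first name byte on delete
        name = (b"?" if deleted else raw[:1]) + raw[1:8]
        short = name.decode("ascii").rstrip() + "." + raw[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        out.append({"name": short, "deleted": deleted, "cluster": cluster, "size": size})
    return out

MAGIC = {b"PK\x03\x04": "zip", b"\xFF\xD8\xFF": "jpeg", b"\xD0\xCF\x11\xE0": "ole2"}

def sniff(img, entry):
    """Identify a file by the magic bytes at its first cluster instead of trusting its extension."""
    bpb = parse_bpb(img)
    off = bpb["data_off"] + (entry["cluster"] - 2) * bpb["spc"] * bpb["bps"]
    head = bytes(img[off:off + 4])
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), "unknown")

def _entry(name, ext, cluster, size, deleted=False):
    raw = name.ljust(8).encode("ascii")
    if deleted:
        raw = b"\xE5" + raw[1:]
    return raw + ext.ljust(3).encode("ascii") + b"\x20" + b"\x00" * 14 + struct.pack("<HI", cluster, size)

def build_sample_image():
    """Constructed 1.44 MB FAT12 image: a deleted .DOC, a JPEG, and a ZIP renamed to .EXE."""
    img = bytearray(2880 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    bpb = parse_bpb(img)
    root = (_entry("JIMMYJ~1", "DOC", 2, 20480, deleted=True)
            + _entry("COVERP~1", "JPG", 3, 15000) + _entry("SCHEDU~1", "EXE", 4, 1000))
    img[bpb["root_off"]:bpb["root_off"] + len(root)] = root
    for cluster, magic in ((2, b"\xD0\xCF\x11\xE0"), (3, b"\xFF\xD8\xFF\xE0"), (4, b"PK\x03\x04")):
        off = bpb["data_off"] + (cluster - 2) * 512
        img[off:off + 4] = magic
    return img
```

Running list_root_dir on a real floppy image (e.g. one written out by rawwrite) lists the same three short names the FAT table showed in Hview, with the deleted entry flagged.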
My first attempt was to run a simple CheckDisk from Windows to try and fix the suspected FAT problems. At the end of the scan, I noticed 3 things:
o The “cover page.jpgc ” disappeared.
o A folder “found.000” appeared. In that folder there was a “.CHK” file and, as I suspected, this was the fixed JPEG file. When I renamed it to “.JPG”, I got the cover page image.
o And third, the size of the file “Schedu~1.exe” changed. When I then changed the extension to “.ZIP”, I could extract the file “Scheduled Visits.xls”, containing the list of all the schools and the associated distribution planning.
The second attempt. I knew there was a file missing, a Word document, that I could identify in Hview, and I suspected it was deleted because the first letter of the filename was missing. As I had nothing at hand to recover DOS files, I downloaded an eval copy of GetDataBack (http://www.runtime.com) to see what this
I ran it once, but it just gave me the 2 files I already had, which made me wonder if the program wasn’t blindly trusting the FAT table (which I still thought was corrupted). I fiddled around in the options of the program till I found one that said “IGNORE FAT TABLE ENTRIES”. I ticked that, tried again, and got this:
Here is the missing Word document. Note, though, that you could see the content of this document in Hview anyway (but it’s much nicer to have it straight in Word to present to the court :) )
This program also found the lost files in the same way Windows ScanDisk did (though for some reason the size of the JPG file is 1 MB).
Difficult one this is…
The truth is I don’t know. I guess it is Microsoft Office, so I tried to generate a JPEG file with PowerPoint and checked the content in Hview, but it didn’t help much. The picture below shows the differences between the header in the floppy image file (on the top) and the one I generated with PowerPoint (the bottom one). We can see that PowerPoint adds the data “Software:Microsoft Office” in the JPEG headers.
So I am very curious to see the result for this question.
These are the files that were recovered using the different techniques described throughout this document:
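An added example (not the author’s code) of the two text searches done with Notepad and Hview, for the “pw=goodtimes” string in the cover page and for the “Software:Microsoft Office” header data: it walks the JPEG marker segments, then pulls printable strings out of COM/APPn segments and out of anything appended after the end-of-image marker. The sample JPEG is constructed; placing the Office string in an APP1 segment and the password after EOI is an assumption, not the layout of the real cover page file.

```python
import struct

def jpeg_segments(data):
    """Walk the marker segments of a JPEG; return (marker, payload) pairs and the bytes after EOI."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, segs = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                  # EOI reached with no scan: done
            return segs, data[pos + 2:]
        length = struct.unpack_from(">H", data, pos + 2)[0]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                  # SOS: compressed scan runs until EOI
            eoi = data.find(b"\xFF\xD9", pos)
            return segs, (data[eoi + 2:] if eoi >= 0 else b"")
    return segs, b""

def printable_strings(blob, minlen=4):
    """Runs of printable ASCII, i.e. what shows up when the file is opened in Notepad."""
    out, run = [], bytearray()
    for b in blob + b"\x00":                # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def jpeg_text_clues(data):
    """Text from COM (0xFE) and APPn (0xE0-0xEF) segments plus anything appended after EOI."""
    segs, trailer = jpeg_segments(data)
    clues = []
    for marker, payload in segs:
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            clues.extend(printable_strings(payload))
    return clues + printable_strings(trailer)

def build_sample_jpeg():
    """Constructed sample: APP1 carrying 'Software:Microsoft Office', a stub scan, and text after EOI."""
    app1 = b"Exif\x00\x00Software:Microsoft Office\x00"    # placement in APP1 is an assumption
    sos = b"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"        # 3-component SOS header
    return (b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xFF\xDA" + struct.pack(">H", len(sos) + 2) + sos + b"\x12\x34\x56"
            + b"\xFF\xD9" + b"pw=goodtimes")
```

Comparing jpeg_text_clues output for the recovered cover page against a JPEG saved by PowerPoint makes the header difference described above visible without a hex editor.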
The deleted Word Document: J_IMMYJ~1.DOC
The cover page recovered after Scandisk: CoverPage.jpeg
The cover page recovered by “GetDataBack”: CoverPage.jpeg
The original ZIP ARCHIVE: Scheduled Visits.exe (corrupt file)
The ZIP File after ScanDisk: Scheduled Visits.exe (password: goodtimes)
The Excel File inside the ZIP: Scheduled Visits.xls