Monday, April 7, 2014

FEDA Challenge 1

1.    Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
The file Jimmy Jungle.doc has been recovered from the disk image. It’s a letter from ‘joe’ to:
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111

From the content of the letter it appears that Joe’s supplier is “Jimmy Jungle”.
(Jimmy Jungle.doc)

2.    What crucial data is available within the coverpage.jpg file and why is this data crucial?
Cover page.jpg had additional data after the End of Image marker (FF D9). The file coverpage.jpg contains the string “pw=goodtimes”, which appears to be a password, as shown in Figure 1.

Figure 1. Additional data on Cover Page


Figure 2. Cover Page.jpg


3.    What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
From the Scheduled Visits.xls file that was recovered from Scheduled Visits.exe (a password-protected zip file, pw=goodtimes), these are the names of the high schools besides Smith Hill High School:
a)    Key High School
b)    Leetch High School
c)    Birard High School
d)    Richter High School
e)    Hull High School

4.    For each file, what processes were taken by the suspect to mask them from others?
Three files were recovered from the disk image. Each one was hidden or masked using a different method.
a)    Schedule.exe: the zip file was renamed as an executable (.exe). The file length in the root directory was changed from 2420 to 1000 bytes.
b)    Cover page.jpg: the file name was edited. Cover Page.jpg was masked through misdirection: the file pointer in the FAT led to a blank area on the disk.
c)    Jimmy jungle.doc: the file was deleted. The first character of the file name in the directory entry was changed to E5h, which is how DOS denotes a deleted file. The data space the file occupied is simply marked as available, but the data was still there.
d)    Scheduled Visits.xls: the file was hidden in a password-protected zip file.
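The masking methods listed above (a deleted entry whose first name byte is E5h, and a zip renamed to .exe) can be spotted directly from the FAT root directory entries. The following is an added example, not part of the original write-up; the directory entries and file heads it parses are constructed samples, not bytes from the challenge image.

```python
import struct

MAGIC = {b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg", b"MZ": "exe",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2"}   # ole2: Word .doc / Excel .xls
EXPECTED = {"EXE": "exe", "JPG": "jpeg", "DOC": "ole2", "XLS": "ole2", "ZIP": "zip"}

def identify(head):
    """Guess a file type from its leading bytes (magic numbers)."""
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), "unknown")

def parse_root_dir(root):
    """Parse 32-byte FAT12/16 directory entries up to the end-of-directory marker."""
    entries = []
    for off in range(0, len(root) - 31, 32):
        e = root[off:off + 32]
        if e[0] == 0x00:                      # 00h: no further entries
            break
        deleted = e[0] == 0xE5                # E5h: deleted; clusters freed, data still on disk
        name = (b"?" + e[1:8] if deleted else e[:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack("<HI", e[26:32])  # first cluster (low word), file size
        entries.append({"name": f"{name}.{ext}", "deleted": deleted,
                        "cluster": cluster, "size": size})
    return entries

def masking_indicators(entry, head):
    """Suspicious signs for one entry, given the first bytes of its data cluster."""
    flags = []
    if entry["deleted"]:
        flags.append("deleted (E5h), data may still be recoverable")
    kind, ext = identify(head), entry["name"].rsplit(".", 1)[-1].upper()
    if kind != "unknown" and EXPECTED.get(ext) not in (None, kind):
        flags.append(f".{ext} extension but content is {kind}")
    return flags

def make_entry(name, ext, size, cluster, deleted=False):
    """Constructed 32-byte entry; attributes and timestamps zeroed."""
    raw = name.ljust(8)[:8].encode() + ext.ljust(3)[:3].encode()
    raw = (b"\xe5" + raw[1:]) if deleted else raw
    return raw + bytes(15) + struct.pack("<HI", cluster, size)

# Constructed sample root directory and data-cluster heads: a zip renamed .exe with a
# shortened size, then a deleted Word document, then the end-of-directory entry.
SAMPLE_ROOT = (make_entry("SCHEDU~1", "EXE", 1000, 3)
               + make_entry("JIMMYJ~1", "DOC", 20480, 9, deleted=True) + bytes(32))
SAMPLE_HEADS = {"SCHEDU~1.EXE": b"PK\x03\x04\x14\x00\x00\x00",
                "?IMMYJ~1.DOC": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}

def report(root=SAMPLE_ROOT, heads=SAMPLE_HEADS):
    return {e["name"]: masking_indicators(e, heads.get(e["name"], b""))
            for e in parse_root_dir(root)}
```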

5.    What processes did you (the investigator) use to successfully examine the entire contents of each file?
a)    Download the IMAGE.ZIP file (from Mr. Hamid, forwarded by Mr. Dedy Haryadi via Dropbox).
Verified the MD5 hash of image.zip with WinMD5. The result is a match.




Figure 3. MD5 checksum of image.zip



Figure 4. Result of MD5 checksum

b)    Mount image.zip with AccessData FTK Imager 3.1.2.0 as Drive L
c)    Mount the image on Drive L with AccessData FTK Imager 3.1.2.0 as Drive M, as shown in Figure 4.


Figure 5. Image Mounting

d)    Analyze the disk with FTK, as shown in Figure 5.

Figure 6. Evidence 1 Data

e)    Analyze using WinHex, as shown in Figure 6.
There are three files contained on the disk:
a.    Jimmy Jungle.doc
b.    Cover Page.jpg
c.    Sched~1.exe


Figure 7. Analyzing Evidence 1 with WinHex



f)    Jimmy Jungle.doc: the file was deleted. The first character of the file name in the directory entry was changed to E5h, which is how DOS denotes a deleted file. The data space the file occupied is simply marked as available, but the data was still there.

Figure 8. Analyzing Jimmy Jungle Directories Entry with WinHex

g)    Recovered the Jimmy Jungle.doc file using the R-UNDELETE tool. Jimmy Jungle.doc was successfully recovered.


Figure 9. Jimmy Jungle.doc recovered using R-UNDELETE.


h)    JPEG files start with a header of:  FF D8 FF E0 00 10 4A 46 49 46 00
i)    To recover Cover Page.jpg, searched the image for the header and found it at offset 9200h. Apparently the suspect had used some program to put the file in a different place than the FAT said it should be.
JPEG files end with an End of Image (EOI) marker of FF D9, which is found at offset CEDFh. All the data between the header and the EOI marker (9200h - CEDFh) was copied into a new file (Cover Page.jpg).
j)    According to the FAT, Schedu~1.exe was at offset D000h - D3E7h. At first the sectors from D000h - D96Fh were copied to a new file, but the resulting Scheduled.exe was corrupt. After a few searches on the web for documentation on the Zip file format, a reference for decoding the header information in the Zip file was found. The end of the Zip file is four bytes of 00h. Next, all the data from D000h - D973h was copied to a new file as scheduled.exe.
k)    Opened the scheduled.exe file with WinZip using the password found in the slack space of the Cover Page.jpg file, and found a file named Scheduled Visits.xls.
(Appendix B: Scheduled Visits)
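Steps h and i above (carving the JPEG between its JFIF header and the FF D9 EOI marker) and question 2 (the text left after the EOI marker) can be reproduced with a short script. This is an added example, not code from the original write-up; the "disk image" it runs on is a constructed byte string with a tiny JFIF skeleton, not the challenge image.

```python
import re

JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600")  # SOI + APP0 + "JFIF\0", as in step h
EOI = b"\xff\xd9"                                        # End of Image marker

def carve_jpeg(image, start_at=0):
    """Return (header_offset, end_offset, jpeg_bytes) for the first JFIF file at or
    after start_at, or None.  The first FF D9 after the header is taken as the EOI;
    a file with an embedded thumbnail holds an earlier FF D9, so verify by decoding."""
    start = image.find(JFIF_HEADER, start_at)
    if start < 0:
        return None
    eoi = image.find(EOI, start + len(JFIF_HEADER))
    if eoi < 0:
        return None
    return start, eoi + len(EOI), image[start:eoi + len(EOI)]

def slack_strings(image, end, limit=512, min_len=4):
    """Printable ASCII runs in the bytes that follow the carved file (its slack)."""
    tail = image[end:end + limit]
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, tail)]

# Constructed sample "disk image": filler sectors, a minimal JFIF skeleton, then
# text appended after the EOI marker, modelled on what the write-up found.
SAMPLE_IMAGE = (
    b"\x00" * 0x200
    + JFIF_HEADER + bytes.fromhex("0101000100010000FFDB004300") + b"\x10" * 64
    + bytes.fromhex("FFC0000B080010001001011100FFDA0008010100003F00") + b"\x55" * 32
    + EOI
    + b"pw=goodtimes"
    + b"\x00" * 0x100
)

def analyse(image):
    """Carve the first JPEG and collect any readable text left after its EOI."""
    carved = carve_jpeg(image)
    if carved is None:
        return None
    start, end, jpeg = carved
    return {"start": start, "end": end, "length": len(jpeg), "slack": slack_strings(image, end)}

if __name__ == "__main__":
    r = analyse(SAMPLE_IMAGE)
    print(f"JPEG at {r['start']:#x}-{r['end']:#x} ({r['length']} bytes); slack: {r['slack']}")
```

On a real image, write the carved bytes to a file and open it in an image viewer to confirm the carve is complete before relying on the offsets.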


Figure 10. Extracted files from Evidence 1


6.    Bonus Question:
What Microsoft program was used to create the Cover Page file? What is your proof? (Proof is the key to getting this question right, not just making a guess.)
Several test images were created in Microsoft Paint and their headers were compared to cover page.jpg’s header. Microsoft Paint on Windows XP produces a header identical to the cover page header.


Figure 11. Cover Page.jpg Header
Figure 12. Example 2 Image Header

Figure 13. Example Image Header

