What have I been doing for the past week or so?
Jeesh, it's been a while since I've updated the blog.. I'm bad.
Last Friday night I went to the Gainesville 2600 meeting. It was pretty
lame, but there was a small discussion about the Honeynet Project Scan of
the Month for October. Some of the guys at the meeting had spent several
weeks working on it, and had come up with some interesting results, so that
got me thinking..
When I got home, I went ahead and downloaded the image file and did my own
forensics on it. Although my results were a week too late to submit for any
sort of valid score, I went ahead and submitted them anyway and was told they
won't be accepted into the challenge, but that they would go ahead and score
me.
I was pretty happy; my forensic results were done in 2 hours. I'll include
the results at the end of today's blog..
Saturday I spent the day re-installing my laptop. I went ahead and put
RedHat 8.0 on it so that I could be consistent with what I was rolling out
at work. I also bought a Linksys WAP11 and WCP11 wireless hub and card,
which was nuts simple to set up under RH8. I mean it really couldn't get
any easier to set up..
A big part of the day was spent downloading the ISOs; it would have been
easier just to drive to work and pick them up. After that, it took about
4 hours to get everything the way I wanted it: Ogle with some code which
makes me a violator of the DMCA but allows me to watch DVDs that I own,
adding the MP3 plugin to xmms, StarOffice 6 instead of OpenOffice -- more
fonts good, Netscape 4 so I can use the Dell Premium support site, Flash 5,
Real Player One, and Acrobat Reader rather than xpdf. Unfortunately, the
version of XFree86 that ships with RH8 *STILL* doesn't support my video
card properly ****ARGH****
I spent most of Sunday with Geoff and his hottie. We went to check out her
new house; it's got a big garage so she'll be able to put chains and racks
and stuff in there and call Geoff 'The Gimp' and make him do her bidding..
After that, we went to Cedar Key for lunch, then took the long way home.
Well, that's it. Here's the forensics report which I submitted. I got
a note back from a guy in the Air Force about it, interesting..
HoneyNet Forensic Challenge 24
------------------------------
Answers to the questions:
1. Who is Joe Jacob's supplier of marijuana and what is the address listed for
the supplier?
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
2. What crucial data is available within the coverpage.jpg file, and why is
this data crucial?
"pw=goodtimes" at offset 0x3D20. The password 'goodtimes' is needed to
unzip the password-protected Excel spreadsheet.
3. What, if any, other high schools besides Smith Hill does Joe Jacobs
frequent?
Key High School, Leetch High School, Birard High School, Richter High
School, Hull High School.
4. For each file, what processes were taken by the suspect to mask them from
others?
A. 'cover page.jpg' -- file was overwritten (recreated) and renamed.
B. 'jimmyj~1.doc' -- file was overwritten (recreated) and deleted.
C. 'schedu~1.exe' -- file was renamed (.zip file) and truncated at 1k.
5. What processes did you (the investigator) use to successfully examine
the contents of each file?
Steps used for forensics study listed below.
6. What Microsoft program was used to create the Cover Page file? What
is your proof?
Undetermined, hey I did this in 2 hours and don't have access to Windows
from here.. :-)
Steps used for forensic study:
1. Unpacked the original archive. Using file 3.37, determined the image file
was an image of an MS-DOS diskette:
[ken@dali honey]$ file image
image: x86 boot sector, system MSDOS5.0, FAT (12 bit)
2. Mounted the image via the loopback device, found the files:
"cover page.jpgc" and "schedu~1.exe".
3. Looked at the disk image with hexedit 1.2.2. Found a deleted file's
directory entry (in the FAT root directory) at offset 0x2640. File named
"?IMMYJ~1DOC":
00002630 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 J.u.n.g.l...e...
00002640 E5 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 .IMMYJ~1DOC .h8F
00002650 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 +-+-..Ou.,...P..
4. Unmounted the loopback device, edited the first byte of that directory
entry at offset 0x2640, changing 0xE5 (the MS-DOS deleted-file marker) to
0x4A (J):
00002630 4A 00 75 00 6E 00 67 00 6C 00 00 00 65 00 2E 00 J.u.n.g.l...e...
00002640 4A 49 4D 4D 59 4A 7E 31 44 4F 43 20 00 68 38 46 JIMMYJ~1DOC .h8F
00002650 2B 2D 2B 2D 00 00 4F 75 8F 2C 02 00 00 50 00 00 +-+-..Ou.,...P..
5. Remounted image via loopback device. Tried to access the files, failure.
The zip file was short, and the jpg & doc were empty.
6. MS-Word documents start with the hex bytes D0 CF 11 E0 A1 B1 1A E1.
Using hexedit, found the start of a Word document at offset 0x4200 (16896
decimal) that is 18889 bytes long. The file was recovered by issuing the
command:
dd ibs=1 if=image skip=16896 count=18889 of=blah.doc
The file was viewed with StarOffice 6.0. The contents of the letter
follow:
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Jimmy:
Dude, your pot must be the best - it made the cover of High Times Magazine!
Thanks for sending me the Cover Page. What do you put in your soil when you
plant the marijuana seeds? At least I know your growing it and not some guy
in Columbia.
These kids, they tell me marijuana isn't addictive, but they don't stop buying
from me. Man, I'm sure glad you told me about targeting the high school
students. You must have some experience. It's like a guaranteed paycheck.
Their parents give them money for lunch and they spend it on my stuff. I'm
an entrepreneur. Am I only one you sell to? Maybe I can become distributor
of the year!
7. The 7th-10th characters in JPG files spell out "JFIF". Searching the disk
image, I found the start of a JPG file at offset 0x9200 (37376 decimal).
Using dd I was able to recover the file:
[ken@dali honey]$ dd ibs=1 if=image skip=37376 count=15800 of=blah.jpg
The image was an ad for 'Pot Smokers Monthly' which discussed this month's
featured pot grower, smoker, and seller, Jimmy Jungle. Additionally,
the phrase "pw=goodtimes" was found at offset 0x3D20 within the jpg file:
00003D10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00003D20 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 pw=goodtimes....
00003D30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
8. Continuing the search of the disk, at offset 0xCF20 (0x9200 + 0x3D20),
found the ASCII phrase "pw=goodtimes". This is the same string, inside the
jpg file above:
0000CF10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000CF20 70 77 3D 67 6F 6F 64 74 69 6D 65 73 00 00 00 00 pw=goodtimes....
0000CF30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
9. Searching the disk found the start of a PKZIP file at offset 0xD000
(53248 decimal) that ended at 0xD96F:
0000CFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000D000 50 4B 03 04 14 00 01 00 08 00 98 5A B7 2C C7 55 PK.........Z.,.U
0000D010 60 8D EA 08 00 00 00 42 00 00 14 00 00 00 53 63 `......B......Sc
Using dd, the file was recovered:
dd ibs=1 if=image skip=53248 count=2420 of=blah.zip
10. When unzipping blah.zip, I was asked for a password for 'Visits.xls'.
Used the same one found at 0xCF20. The password 'goodtimes' was valid
and allowed me to access the Excel file. The file was viewed with
StarOffice 6.0; the contents are here:
Month   Day             High School
2002
April   Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)
        Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)
May     Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
        Monday (1)      Hull High School (F)
        Tuesday (2)     Smith Hill High School (A)
        Wednesday (3)   Key High School (B)
        Thursday (4)    Leetch High School (C)
        Friday (5)      Birard High School (D)
        Monday (1)      Richter High School (E)
        Tuesday (2)     Hull High School (F)
        Wednesday (3)   Smith Hill High School (A)
        Thursday (4)    Key High School (B)
        Friday (5)      Leetch High School (C)
June    Monday (1)      Birard High School (D)
        Tuesday (2)     Richter High School (E)
        Wednesday (3)   Hull High School (F)
        Thursday (4)    Smith Hill High School (A)
        Friday (5)      Key High School (B)
        Monday (1)      Leetch High School (C)
        Tuesday (2)     Birard High School (D)
        Wednesday (3)   Richter High School (E)
        Thursday (4)    Hull High School (F)
        Friday (5)      Smith Hill High School (A)
        Monday (1)      Key High School (B)
        Tuesday (2)     Leetch High School (C)
        Wednesday (3)   Birard High School (D)
        Thursday (4)    Richter High School (E)
        Friday (5)      Hull High School (F)
        Monday (1)      Smith Hill High School (A)
        Tuesday (2)     Key High School (B)
        Wednesday (3)   Leetch High School (C)
        Thursday (4)    Birard High School (D)
        Friday (5)      Richter High School (E)
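As an added example (not part of the submitted report), here is a small Python
script that automates the manual steps above: walking 32-byte FAT directory
entries for the 0xE5 deleted marker, restoring the first name byte, locating
the Word, JFIF and PKZIP headers by their magic bytes, and computing where the
"pw=" string sits relative to a carved file. The image it runs on is built in
memory by build_sample_image, so its layout, names and offsets are made up.

```python
import re

# Magic bytes the report searched for: OLE2/Word header, JFIF (bytes 6..9), PKZIP local header.
SIGNATURES = {
    "doc": re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    "jpg": re.compile(rb"\xFF\xD8\xFF\xE0..JFIF", re.DOTALL),
    "zip": re.compile(rb"PK\x03\x04"),
}

def find_signatures(image: bytes) -> dict:
    """Return {kind: [disk offsets]} for every signature hit in the image."""
    return {k: [m.start() for m in p.finditer(image)] for k, p in SIGNATURES.items()}

def deleted_entries(image: bytes, dir_off: int, dir_size: int = 512) -> list:
    """Walk 32-byte FAT directory entries and report deleted ones (first byte 0xE5)."""
    found = []
    for off in range(dir_off, dir_off + dir_size, 32):
        e = image[off:off + 32]
        if len(e) < 32 or e[0] == 0x00:     # 0x00 marks the end of the directory
            break
        if e[0] == 0xE5 and e[11] != 0x0F:  # attribute 0x0F = long-name entry, skip it
            name = e[1:8].decode("ascii", "replace").rstrip()
            ext = e[8:11].decode("ascii", "replace").rstrip()
            size = int.from_bytes(e[28:32], "little")
            found.append((off, "?" + name, ext, size))   # first char is lost, hence '?'
    return found

def undelete(image: bytes, entry_off: int, first_char: bytes) -> bytes:
    """Put a real first character back (what the report did with hexedit at 0x2640)."""
    return image[:entry_off] + first_char[:1] + image[entry_off + 1:]

def password_offset_in_file(image: bytes, file_off: int) -> int:
    """Offset of 'pw=' relative to a carved file's start (0xCF20 - 0x9200 = 0x3D20 above)."""
    hit = image.find(b"pw=", file_off)
    return hit - file_off if hit >= 0 else -1

def build_sample_image() -> bytes:
    """Constructed 1 KiB image (not the challenge image): root dir at 0x200, headers after."""
    img = bytearray(0x400)
    entry = bytearray(32)
    entry[0:11] = b"\xE5IMMYJ~1DOC"         # deleted: first name byte replaced by 0xE5
    entry[11] = 0x20                         # archive attribute
    entry[28:32] = (18889).to_bytes(4, "little")
    img[0x200:0x220] = entry
    img[0x300:0x308] = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    img[0x340:0x34A] = b"\xFF\xD8\xFF\xE0\x00\x10JFIF"
    img[0x350:0x35C] = b"pw=goodtimes"       # 0x10 bytes into the JPEG
    img[0x380:0x384] = b"PK\x03\x04"
    return bytes(img)
```

Signature hits give only where a file starts; as in the report, the length to
carve still has to come from the format's own structure or from inspection.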
Posted at: 23:26 on 04/11/2002