Question #5.
----------------------------------------
Forensics Report - Recovered Floppy Disk
Investigator - Ramece Cave
----------------------------------------
The analysis was done on a PII 300 with 128MB RAM, running Slackware 8.0.
TASK is used to perform the initial analysis. TASK is a modified version of TCT enhanced to
incorporate Windows file systems. TCT has options for use with FAT, but its support is unstable.
TCT was originally used at the beginning of the investigation; I moved to TASK after receiving several magic
number errors, associated with TCT's lack of support for FAT file systems.
During the investigation I will provide various methods for confirmation of reported findings (where available).
Prompts and directory listings have been truncated for clarity.
Information from the Police Report was used to begin the investigation.
**This page will be updated shortly with an analysis for recovering the corrupted zip file.**
Directory Structure
sotm -- main directory
images -- disk image files
deleted-files -- recovered files
disk-files -- original disk contents
findings -- strings or output files
notes -- investigation notes
reports -- provided information, html documents
Software used:
Analysis
The Coroner's Toolkit
TASK
StegDetect
Data Recovery
fatback
foremost
ZipFix
jpeg-recover
1. Verified the MD5 sum for 'image.zip' obtained from http://www.honeynet.org; 'md5sum' is used to verify sums.
Reported MD5 Sum:
image.zip MD5 = b676147f63923e1f428131d59b1d6a72 ( image.zip )
Actual MD5 Sum:
b676147f63923e1f428131d59b1d6a72 image.zip
After unzipping the file, renamed 'image' to 'floppy_image' and verified that the original image is still intact.
ac3f7b85816165957cd4867e62cf452b floppy_image
ac3f7b85816165957cd4867e62cf452b image
Beginning Investigation
2. Determining the operating system associated with the disk image.
Method #1
fsstat -f /images/floppy_image
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT
OEM: MS DOS5.0
Volume ID: 3299986895
Volume Label: NO NAME
File System Type (super block): FAT12
META-DATA INFORMATION
--------------------------------------------
Inode Range: 2 - 45762
Root Inode: 2
CONTENT-DATA INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Sector of First Cluster: 33
Total Sector Range: 0 - 2878
FAT 0 Range: 1 - 9
FAT 1 Range: 10 - 18
Data Area Sector Range: 19 - 2878
FAT CONTENTS (in sectors)
--------------------------------------------
73-103 (31) -> EOF
104-108 (5) -> EOF
Method #2
dcat -s -f fat /images/floppy_image
512: Size of Addressable Unit
512: File Block Size
1: Num Frags
This FAT file system uses 512-byte clusters (one sector per cluster), as fsstat and dcat both report.
The image is confirmed as FAT12, a file system associated with MS-DOS and Windows based operating systems.
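To show where the numbers fsstat prints come from, here is an added example (my code, not part of the original report and not TASK's code) that parses a constructed FAT12 boot sector with standard 1.44 MB floppy geometry, decodes the packed 12-bit FAT entries, walks cluster chains and maps clusters to sectors. The FAT it builds is constructed to reproduce the two chains fsstat lists above (sectors 73-103 and 104-108); the BPB values are assumptions about a standard floppy, not bytes read from the evidence image. The same cluster-to-sector arithmetic is what icat and fatback rely on, and it lets findings from different tools be cross-checked: sector 73 begins at byte 73 * 512 = 37376.

```python
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"   # BIOS Parameter Block fields, starting at offset 11 of the boot sector


def build_floppy_boot_sector():
    """Constructed 1.44 MB floppy boot sector with a standard FAT12 BPB (not read from the image)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, bs, 11,
                     512,   # bytes per sector
                     1,     # sectors per cluster
                     1,     # reserved sectors (the boot sector itself)
                     2,     # number of FATs
                     224,   # root directory entries
                     2880,  # total sectors (16-bit field)
                     0xF0,  # media descriptor: 1.44 MB floppy
                     9,     # sectors per FAT
                     18,    # sectors per track
                     2,     # heads
                     0,     # hidden sectors
                     0)     # total sectors (32-bit field, unused here)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def fat_layout(boot):
    """Derive the layout fsstat prints from the BPB: FAT ranges, root directory, first data sector."""
    (bps, spc, reserved, nfats, root_entries, tot16, _media,
     spf, _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FMT, boot, 11)
    total = tot16 or tot32
    root_sectors = (root_entries * 32 + bps - 1) // bps
    root_start = reserved + nfats * spf
    first_data = root_start + root_sectors
    return {
        "sector_size": bps,
        "cluster_size": bps * spc,
        "sectors_per_cluster": spc,
        "fat_ranges": [(reserved + i * spf, reserved + (i + 1) * spf - 1) for i in range(nfats)],
        "root_dir_range": (root_start, first_data - 1),
        "first_cluster_sector": first_data,
        "data_area_range": (root_start, total - 1),
        "total_sectors": total,
        "last_cluster": 2 + (total - first_data) // spc - 1,
        "fat_bytes": spf * bps,
    }


def cluster_to_sector(layout, cluster):
    """Cluster numbering starts at 2 at the first data sector; this is the arithmetic icat relies on."""
    return layout["first_cluster_sector"] + (cluster - 2) * layout["sectors_per_cluster"]


def fat12_get(fat, n):
    """FAT12 packs two 12-bit entries into three bytes; entry n starts at byte n + n//2."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def fat12_set(fat, n, value):
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | (value & 0x0FFF)
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def walk_chain(fat, first, layout):
    """Follow a chain until an end-of-chain mark (>= 0xFF8), a bad/out-of-range value or a loop."""
    chain, cur = [], first
    while 2 <= cur <= layout["last_cluster"] and cur not in chain:
        chain.append(cur)
        cur = fat12_get(fat, cur)
    return chain


def fat_contents(fat, layout):
    """Reproduce fsstat's FAT CONTENTS: find chain heads, walk them, report contiguous sector runs."""
    last, spc = layout["last_cluster"], layout["sectors_per_cluster"]
    entries = {c: fat12_get(fat, c) for c in range(2, last + 1)}
    pointed_to = {v for v in entries.values() if 2 <= v <= last}
    heads = [c for c, v in entries.items() if v != 0 and c not in pointed_to]
    runs = []
    for head in heads:
        sectors = [cluster_to_sector(layout, c) + k for c in walk_chain(fat, head, layout) for k in range(spc)]
        start = prev = sectors[0]
        for s in sectors[1:]:
            if s != prev + 1:
                runs.append((start, prev, prev - start + 1))
                start = s
            prev = s
        runs.append((start, prev, prev - start + 1))
    return runs


def unallocated_clusters(fat, layout):
    """Clusters whose FAT entry is 0: the data units dls extracts as unallocated space."""
    return [c for c in range(2, layout["last_cluster"] + 1) if fat12_get(fat, c) == 0]


def build_sample_fat(layout):
    """Constructed FAT reproducing the two chains fsstat reported (sectors 73-103 and 104-108)."""
    fat = bytearray(layout["fat_bytes"])
    fat12_set(fat, 0, 0xFF0)   # media descriptor entry
    fat12_set(fat, 1, 0xFFF)   # end-of-chain marker entry
    for head, length in ((42, 31), (73, 5)):          # cluster 42 -> sector 73, cluster 73 -> sector 104
        for c in range(head, head + length):
            fat12_set(fat, c, c + 1 if c < head + length - 1 else 0xFFF)
    return fat
```

Clusters whose FAT entry is 0 are exactly the data units dls extracts, so unallocated_clusters() describes what step 5 below pulls out of the image, and walk_chain() is the list of clusters icat concatenates for an allocated file.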
3. Used loopback devices to mount the image locally
losetup /dev/loop0 floppy_image
mount /dev/loop0 /mnt
List Output
root@mindfk/mnt#: ls -l
total 17
-rwxr-xr-x 1 root root 15585 Sep 11 08:30 cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \ *
-rwxr-xr-x 1 root root 1000 May 24 08:20 schedu~1.exe*
root@mindfk/mnt#:
4. Running floppy_image through strings to parse any viable data.
strings -o floppy_image > floppy_image-strings (Used -o to include the decimal offset)
After viewing the file, there are traces of data on the disk beyond the two files listed originally.
grep pass findings/floppy_image-strings
0020148 I emailed you the schedule that I am using. I think it helps me cover myself and not be predictive.
Tell me what you think. To open it, use the same password that you sent me before with that file. Talk to you later.
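The offset strings prints is what ties a hit back to the disk layout. The following added example (my code, not GNU strings and not from the original report) emulates `strings -o` and the `grep pass` step over a constructed byte buffer, and maps an offset back to a sector: the offset 20148 reported above is sector 39, byte 180 (20148 // 512 and 20148 % 512), which lies in the data area that starts at sector 33.

```python
import re

SECTOR = 512

# Constructed sample buffer (not the floppy image): binary filler around a few printable runs.
SAMPLE = (b"\x00\x01\x02\xff" * 32
          + b"Tell me what you think. To open it, use the same password"
          + b"\x80\x81" * 8 + b"ok" + b"\x00" * 6
          + b"COVERP~1JPG" + b"\x00" * 4)


def strings_with_offsets(data, min_len=4):
    """Emulate `strings -o`: every maximal run of >= min_len printable ASCII bytes with its decimal offset."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def grep_strings(data, needle, min_len=4):
    """The `grep pass` step: keep only the runs that contain the needle (case-insensitive)."""
    needle = needle.lower()
    return [(off, s) for off, s in strings_with_offsets(data, min_len) if needle in s.lower()]


def offset_to_sector(offset, sector_size=SECTOR):
    """Map a strings offset back to (sector, byte within sector) so it can be related to the FAT layout."""
    return divmod(offset, sector_size)


def format_line(offset, text):
    """Print in the shape of the report's output: 7-wide decimal offset, then the string."""
    return "%07d %s" % (offset, text)


if __name__ == "__main__":
    for off, s in grep_strings(SAMPLE, "pass"):
        print(format_line(off, s), "-> sector %d, byte %d" % offset_to_sector(off))
```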
5. Extracting unallocated disk space (the unallocated data units, loosely called slack here)
dls -f fat /images/floppy_image /findings/floppy_image.dls
6. Extracting all ASCII data from unallocated space
strings -o /findings/floppy_image.dls > /findings/floppy_image.dls.str
NOTE: The strings output from the full image and from the unallocated space differ in file size and md5sum.
The unallocated area of the disk image contains recoverable data.
6dc12d4ce2035de9bc52bc52e05edca4 floppy_image-strings
ffe8591dcdde959e4ae3c3ab4b05458a floppy_image.dls.str
root@mindfk/findings#: ls -l
-rw-r--r-- 1 root root 4230 Oct 9 09:01 floppy_image-strings
-rw-r--r-- 1 root root 1675 Oct 9 09:23 floppy_image.dls.str
root@mindfk/findings#:
All "interesting" portions of the strings file floppy_image-strings are in bold.
7. Looking for any file contents on the image.
Method #1
fls -f fat /images/floppy_image
r/r * 5: Jimmy Jungle.doc (_IMMYJ~1.DOC)
r/r 8: cover page.jpgc (COVERP~1.JPG)
r/r 11: Scheduled Visits.exe (SCHEDU~1.EXE)
Three files were located in the image; deleted entries are marked with an *. The inode for each file is also shown.
Method #2
ffind -f fat -d /images/floppy_image 5
* /Jimmy Jungle.doc (_IMMYJ~1.DOC)
ffind -f fat -d /images/floppy_image 8
-ORPHAN_FILE-/COVERP~1.JPG
ffind -f fat -d /images/floppy_image 11
-ORPHAN_FILE-/SCHEDU~1.EXE
ffind confirmed the file names for the given inodes.
8. Extracting files based on the inodes
icat -f fat /images/floppy_image 5 > /deleted-files/_IMMYJ~1.DOC-recover
icat -f fat /images/floppy_image 8 > /deleted-files/COVERP~1.JPG-recover
icat -f fat /images/floppy_image 11 > /deleted-files/SCHEDU~1.EXE-recover
file /deleted-files/*
/deleted-files/COVERP~1.JPG-recover: PC formatted floppy with no filesystem
/deleted-files/SCHEDU~1.EXE-recover: Zip archive data, at least v2.0 to extract
/deleted-files/_IMMYJ~1.DOC-recover: Microsoft Word document data
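The inode numbers fls, ffind and icat work with are TASK's addresses for 32-byte FAT directory entries. The following added example (my code, not TASK's and not from the original report) builds a constructed root directory with the three entries reported above, including the VFAT long-name entries and the 0xE5 marker that makes a deleted entry show as "_IMMYJ~1.DOC" in fls and "?IMMYJ~1.DOC" in fatback, and then parses it back the way fls does. The starting clusters (2, 420, 73) and the sizes and dates are taken from the fatback listing and log in step 9; every other byte is constructed. With the first data sector at 33 (from fsstat), a starting cluster N lies at sector 33 + N - 2, which is how the entries can be compared against the FAT chains fsstat lists.

```python
import struct

FIRST_DATA_SECTOR, SECTOR = 33, 512       # from the fsstat output above
ATTR_LFN, DELETED = 0x0F, 0xE5


def fat_date(y, m, d):
    return ((y - 1980) << 9) | (m << 5) | d


def fat_time(h, mi, s):
    return (h << 11) | (mi << 5) | (s // 2)


def short_entry(name83, cluster, size, when, deleted=False):
    """One 32-byte FAT directory entry; name83 is the 11-byte 'NAME    EXT' field."""
    e = bytearray(32)
    e[0:11] = name83
    e[11] = 0x20                                   # archive attribute: a regular file
    struct.pack_into("<HH", e, 22, fat_time(*when[3:]), fat_date(*when[:3]))
    struct.pack_into("<HI", e, 26, cluster, size)  # first cluster (low word), file size
    if deleted:
        e[0] = DELETED                             # deletion only overwrites the first name byte
    return bytes(e)


def lfn_entries(long_name, name83, deleted=False):
    """VFAT long-name pieces (13 UCS-2 chars each), stored last piece first, ahead of the short entry."""
    chk = 0
    for b in name83:                               # checksum that ties the pieces to the short entry
        chk = (((chk >> 1) | ((chk & 1) << 7)) + b) & 0xFF
    padded = long_name + "\x00"
    pieces = [padded[i:i + 13] for i in range(0, len(padded), 13)]
    out = []
    for seq, piece in enumerate(pieces, 1):
        u = piece.ljust(13, "\uffff").encode("utf-16-le")
        e = bytearray(32)
        e[0] = DELETED if deleted else seq | (0x40 if seq == len(pieces) else 0)
        e[1:11], e[11], e[13] = u[0:10], ATTR_LFN, chk
        e[14:26], e[28:32] = u[10:22], u[22:26]
        out.append(bytes(e))
    return b"".join(reversed(out))


def build_sample_root_dir():
    """Constructed directory (not the evidence image): clusters, sizes and dates as fatback reported them."""
    files = [("Jimmy Jungle.doc",     b"JIMMYJ~1DOC", 2,   20480, (2002, 4, 15, 14, 42, 30), True),
             ("cover page.jpgc",      b"COVERP~1JPG", 420, 15585, (2002, 9, 11, 8, 30, 52), False),
             ("Scheduled Visits.exe", b"SCHEDU~1EXE", 73,  1000,  (2002, 5, 24, 8, 20, 32), False)]
    raw = b""
    for long_name, n83, cluster, size, when, deleted in files:
        raw += lfn_entries(long_name, n83, deleted) + short_entry(n83, cluster, size, when, deleted)
    return raw + b"\x00" * 32                      # an all-zero entry ends the directory


def lfn_piece(e):
    chars = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", "replace")
    return chars.split("\x00", 1)[0].rstrip("\uffff")


def parse_directory(raw):
    """Decode entries the way fls does: long name, short name, deleted flag, first cluster, size, mtime."""
    entries, pending = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break
        if e[11] == ATTR_LFN:
            pending.append(lfn_piece(e))
            continue
        deleted = e[0] == DELETED
        first = "_" if deleted else chr(e[0])      # fls shows the overwritten byte as '_'
        base = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        wtime, wdate, cluster, size = struct.unpack_from("<HHHI", e, 22)
        entries.append({
            "long_name": "".join(reversed(pending)),
            "short_name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": cluster,
            "start_sector": FIRST_DATA_SECTOR + cluster - 2,
            "size": size,
            "sectors_needed": (size + SECTOR - 1) // SECTOR,
            "mtime": "%04d-%02d-%02d %02d:%02d:%02d" % (
                1980 + (wdate >> 9), (wdate >> 5) & 0xF, wdate & 0x1F,
                wtime >> 11, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2),
        })
        pending = []
    return entries
```

The sectors_needed value is what icat uses the size field for: it copies that many sectors along the cluster chain and stops, so a directory entry whose size disagrees with the chain length in the FAT yields an incomplete extraction.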
9. Recovering deleted files using 'fatback' for the doc and 'foremost' for the jpg.
fatback /dev/loop0 -o /deleted-files/
No audit log specified, using "./fatback.log"
Parsing file system.
/ (Done)
fatback> ls
Sun Apr 15 14:42:30 2002 20480 ?IMMYJ~1.DOC Jimmy Jungle.doc
Sun Sep 11 08:30:52 2002 15585 COVERP~1.JPG cover page.jpgc
Sun May 24 08:20:32 2002 1000 SCHEDU~1.EXE Scheduled Visits.exe
fatback> copy ?IMMYJ~1.DOC /root/sotm/deleted-files
fatback> copy COVERP~1.JPG /root/sotm/deleted-files
fatback> copy SCHEDU~1.EXE /root/sotm/deleted-files
fatback> quit
fatback.log:
fatback>
copy ?IMMYJ~1.DOC /root/sotm/deleted-files
Extracting cluster chain 2 to file /root/sotm/deleted-files/Jimmy Jungle.doc
"/root/sotm/deleted-files/Jimmy Jungle.doc": Unable to recover file entirely, carving instead.
fatback> copy COVERP~1.JPG /root/sotm/deleted-files
Extracting cluster chain 420 to file /root/sotm/deleted-files/cover page.jpgc
"/root/sotm/deleted-files/cover page.jpgc ": Unable to recover file entirely, carving instead.
fatback> copy SCHEDU~1.EXE /root/sotm/deleted-files
Extracting cluster chain 73 to file /root/sotm/deleted-files/Scheduled Visits.exe
fatback> quit
Link to recovered doc file Jimmy Jungle.doc
root@mindfk~/deleted-files#: ls -l
total 52
-rw-r--r-- 1 root root 20480 Oct 9 22:46 Jimmy\ Jungle.doc
-rw-r--r-- 1 root root 1000 Oct 9 22:48 Scheduled\ Visits.exe\ \ \ \ \ \
-rw-r--r-- 1 root root 15585 Oct 9 22:47 cover\ page.jpgc\ \ \ \ \ \ \ \ \ \ \
root@mindfk~/deleted-files#:
'foremost' recovered a jpg and a doc file from the image.
foremost -o /deleted-files /images/floppy_image
foremost version 0.60
Written by Kris Kendall and Jesse Kornblum.
Using output directory: /deleted-files
Using configuration file: foremost.conf
Opening /root/sotm/images/floppy_image.
/images/floppy_image: 100.0% done (1.4 MB read)
foremost audit log:
Foremost version 0.60 audit file
Started at Wed Oct 9 23:23:11 2002
with commandline: foremost -o /root/sotm/deleted-files /root/sotm/images/floppy_image
Using output directory: /root/sotm/deleted-files
File          Found at Byte   Length    Extracted From
00000001.doc  16896           100000    /root/sotm/images/floppy_image
00000002.jpg  37376           8754      /root/sotm/images/floppy_image
Completed at Wed Oct 9 23:23:12 2002
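foremost works from file signatures rather than from the file system, which is why it finds data that the directory entries do not account for. Its two offsets above line up with the layout fsstat reported: 16896 / 512 = 33 is the first data sector, and 37376 / 512 = 73 is the start of the first FAT chain fsstat listed. The following added example (my code, not foremost's and not from the original report) implements the same header/footer carving over a constructed 1.44 MB image in which an OLE2 (.doc) header is placed at sector 33 and a small JPEG at sector 73, and flags whether each hit starts on a sector boundary. The signatures are the standard JPEG SOI/EOI markers and the OLE2 magic; the 100000-byte maximum is an assumption chosen to mirror the length foremost reported for the .doc, which has no footer.

```python
SECTOR = 512

# header bytes and optional footer bytes per file type
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                 # JPEG SOI ... EOI
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),    # OLE2 compound document, no footer
}


def carve(data, max_len=100000):
    """Header/footer carving in the style of foremost: (type, offset, length, sector_aligned) per hit."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header), start + max_len) if footer else -1
            if end >= 0:
                length = end + len(footer) - start      # footer found within max_len
            else:
                length = min(max_len, len(data) - start)  # no footer: take max_len, as foremost does
            found.append((kind, start, length, start % SECTOR == 0))
            pos = start + length
    return sorted(found, key=lambda hit: hit[1])


def carve_bytes(data, hit):
    """Return the bytes for one carve hit, the content foremost would write as 0000000N.ext."""
    _kind, start, length, _aligned = hit
    return data[start:start + length]


def build_sample_image():
    """Constructed 2880-sector image (not the evidence floppy) with a .doc header at sector 33
    and a small JPEG at sector 73, the two offsets foremost reported above."""
    img = bytearray(2880 * SECTOR)
    doc_header = SIGNATURES["doc"][0]
    img[33 * SECTOR:33 * SECTOR + len(doc_header)] = doc_header          # byte 16896
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x2a" * 500 + b"\xff\xd9"
    img[73 * SECTOR:73 * SECTOR + len(jpeg)] = jpeg                      # byte 37376
    return bytes(img), len(jpeg)


if __name__ == "__main__":
    image, _ = build_sample_image()
    for hit in carve(image):
        print("%s found at byte %d, length %d, sector aligned: %s" % hit)
```

A footer-based carve stops at the first EOI marker, and a JPEG that embeds a thumbnail contains an inner FF D9, so a carved JPEG can come out short; comparing the carved length with the size in the directory entry (15585 bytes for cover page.jpgc above) is the check to make before trusting the carved file.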
Link to recovered JPEG File cover page.jpg
Alternate JPEG Analysis
schedul~1.exe is a ZIP file:
10. ZipFix was used to attempt recovery and repair of the file, but it was unable to recover the file because it is corrupt.
The recovered file is named "Scheduled Visits.xls".
Pictures of the zip recovery process: schedu~1.exe
The password to the file is goodtimes.