Questions
1. Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
2. What crucial data is available within the coverpage.jpg file and why is this data crucial?
3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
4. For each file, what processes were taken by the suspect to mask them from others?
5. What processes did you (the investigator) use to successfully examine the entire contents of each file?
Bonus Question:
6. What Microsoft program was used to create the Cover Page file? What is your proof?
(Proof is the key to getting this question right, not just making a guess.)
Answers
Question #1
Jimmy Jungle
626 Jungle Ave Apt 2
Jungle, NY 11111
Question #2
coverpage.jpg contains the password ('goodtimes') needed to open the encrypted zip file; without it the Scheduled Visits spreadsheet inside the archive cannot be extracted.
Question #3
No other schools were found; the 'scheduled visits.xls' file is corrupt and contained no data.
Question #4
DOC
The document file was deleted manually; its directory entry now reads ?IMMYJ~1.DOC.
On a FAT volume (which the 8.3 short name ?IMMYJ~1.DOC indicates) deleting a file does not rename it: the first byte of its 32-byte directory entry is overwritten with the deletion marker 0xE5, not a random character, and forensic tools display that byte as '?' or '_'. The rest of the entry, including the starting cluster and file size, is left intact, which is what makes the file recoverable.
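The deletion marker described above, as an added example written for this page (not the investigator's tooling or any recovery tool's code): it decodes a FAT short-name directory entry, shows how a deleted JIMMYJ~1.DOC entry is rendered as ?IMMYJ~1.DOC while its cluster, size and timestamp survive, and performs the first recovery step of putting a chosen first byte back. The sample entry's cluster number, size and timestamp are made-up values, not data from the evidence image.

```python
import struct

# Layout of a 32-byte FAT short-name directory entry (byte offsets):
#  0-10 name+ext (8.3, space padded), 11 attributes, 12 NT reserved,
# 13 creation tenths, 14-17 creation time/date, 18-19 last access date,
# 20-21 first cluster high (FAT32 only), 22-25 write time/date,
# 26-27 first cluster low, 28-31 file size.
DELETED_MARKER = 0xE5

def fat_datetime(time_word, date_word):
    """Decode packed FAT time/date words to (Y, M, D, h, m, s)."""
    hours, minutes, secs2 = time_word >> 11, (time_word >> 5) & 0x3F, time_word & 0x1F
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    return (year, month, day, hours, minutes, secs2 * 2)

def parse_dir_entry(entry):
    """Decode one directory entry; deleted entries keep everything but byte 0."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    first = entry[0]
    if first == 0x00:
        return {"state": "free"}           # never used; ends a directory scan
    deleted = first == DELETED_MARKER
    if first == 0x05:                       # escape for a genuine 0xE5 first byte
        base = b"\xE5" + entry[1:8]
    elif deleted:
        base = b"?" + entry[1:8]            # tools render the lost byte as ? or _
    else:
        base = entry[0:8]
    name = base.decode("latin-1").rstrip()
    ext = entry[8:11].decode("latin-1").rstrip()
    if ext:
        name += "." + ext
    cluster_hi, = struct.unpack_from("<H", entry, 20)
    write_time, write_date, cluster_lo = struct.unpack_from("<HHH", entry, 22)
    size, = struct.unpack_from("<I", entry, 28)
    return {
        "state": "deleted" if deleted else "live",
        "name": name,
        "attributes": entry[11],
        "first_cluster": (cluster_hi << 16) | cluster_lo,
        "size": size,
        "written": fat_datetime(write_time, write_date),
    }

def undelete_entry(entry, first_char):
    """Recovery step: put a chosen character back in place of 0xE5.
    The original byte is not stored in the short entry; it comes from the
    long-name entries (if present) or from the examiner's own knowledge."""
    if entry[0] != DELETED_MARKER:
        raise ValueError("entry is not marked deleted")
    return bytes([ord(first_char)]) + entry[1:]

# Constructed sample entry for JIMMYJ~1.DOC after deletion (cluster, size
# and timestamp are made-up values, not taken from the evidence image).
DELETED_ENTRY = (
    b"\xE5IMMYJ~1DOC"                       # 0xE5 + "IMMYJ~1" + "DOC"
    + b"\x20"                               # attributes: archive
    + b"\x00\x00"                           # NT reserved, creation tenths
    + b"\x00\x00\x00\x00"                   # creation time/date
    + b"\x00\x00"                           # last access date
    + b"\x00\x00"                           # first cluster high
    + struct.pack("<HH", 0x5A2B, 0x2D41)    # write time/date = 2002-10-01 11:17:22
    + struct.pack("<H", 123)                # first cluster low
    + struct.pack("<I", 20480)              # file size
)

if __name__ == "__main__":
    print(parse_dir_entry(DELETED_ENTRY))
    print(parse_dir_entry(undelete_entry(DELETED_ENTRY, "J")))
```

Because only byte 0 is destroyed, the starting cluster and size are enough to carve the file out of the data area; the long-name entries that precede the short entry, when they survive, still hold the full name "Jimmy Jungle.doc" and therefore the missing first letter.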
EXE
The .exe file is actually an encrypted zip file (password 'goodtimes') containing a document called Scheduled Visits.xls.
JPG
All of the ASCII content had been removed from the file; this may have been done with a hex editor.
A hex editor was used to retrieve the password.
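The masking found in the EXE and JPG answers above comes down to a file whose contents do not match its name. Here is an added example for this page (not the investigator's own script) that compares a file's magic bytes against its extension, lists a zip's members with their encryption flag, and extracts a member with a password. The archive is constructed in memory and, because Python's zipfile cannot write ZipCrypto, is unencrypted; the file name suspect.exe and the spreadsheet bytes are assumptions, not data from the evidence.

```python
import io
import os
import zipfile

# Well-known magic bytes for the file types involved in this case.
SIGNATURES = [
    (b"MZ", "dos/pe executable"),
    (b"PK\x03\x04", "zip archive"),
    (b"\xFF\xD8\xFF", "jpeg image"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2 compound document"),
]
# What a file with each extension should look like on disk.
EXPECTED_BY_EXT = {
    ".exe": "dos/pe executable", ".zip": "zip archive",
    ".jpg": "jpeg image", ".jpeg": "jpeg image",
    ".doc": "ole2 compound document", ".xls": "ole2 compound document",
}

def identify(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(filename, data):
    """Return (actual_type, expected_type, mismatch) for one file."""
    ext = os.path.splitext(filename)[1].lower()
    actual, expected = identify(data), EXPECTED_BY_EXT.get(ext, "unknown")
    return actual, expected, actual != expected

def zip_entries(data):
    """List (name, encrypted, uncompressed_size); bit 0 of the general
    purpose flag marks a member as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1), zi.file_size)
                for zi in zf.infolist()]

def extract_member(data, name, password=None):
    """Read one member; the password is used only if the member is encrypted.
    For the evidence file: extract_member(data, "Scheduled Visits.xls", b"goodtimes")."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=password)

# Constructed sample: a zip renamed to .exe holding an OLE2-headed "spreadsheet".
# zipfile cannot write ZipCrypto, so this sample archive is unencrypted.
SAMPLE_XLS = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24

def build_sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scheduled Visits.xls", SAMPLE_XLS)
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_sample_archive()
    print(extension_mismatch("suspect.exe", blob))
    for name, encrypted, size in zip_entries(blob):
        print(name, "encrypted" if encrypted else "plain", size)
```

Running the mismatch check over every file in an image surfaces renamed archives and images regardless of what the suspect called them; the encryption flag tells you up front that a password (here recovered from coverpage.jpg) will be needed before the member can be read.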
Question #5
Link to the Investigation Process
Question #6
The JPEG file was created using MS Paint.
The strings output of a test picture created with MS Paint for comparison contains the same table bytes as 00000001.jpg:
Headers from test.JPG
Strings output for test.JPG:
JFIF
$.' ",#
(7),01444
'9=82<.342
!22222222222222222222222222222222222222222222222222
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
Headers from 00000001.jpg:
Strings output for 00000001.jpg:
JFIF
$.' ",#
(7),01444
'9=82<.342
!22222222222222222222222222222222222222222222222222
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
The MD5 sums of the two files differ, as expected for two different images, so the match is in the header strings only, not in the files as a whole. Those strings are also not unique to MS Paint: "$.' ",#", "(7),01444", "'9=82<.342" and the "!2222..." run are the printable bytes of the standard luminance and chrominance quantization tables at the IJG default quality of 75, and "$3br", "%&'()*456789:CDEF..." and "#3R", "&'()*56789:CDEF..." are the standard Huffman tables from Annex K of the JPEG specification, which any encoder using those defaults emits. The match is consistent with MS Paint, but stronger proof would compare the full marker layout of the two files (the JFIF APP0 version and density fields and which APPn or COM segments are present) rather than the strings output alone.
md5sum 00000001.jpg
dd5c7e571e9e4b229141b98bf183469f 00000001.jpg
md5sum test.JPG
6b656f506bceff7188c3c00afc257dd2 test.JPG
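To compare the two JPEGs more rigorously than strings allows, here is an added example written for this page (not code from the write-up or from any tool the investigator used). It walks the JPEG marker segments, decodes the JFIF APP0 fields and the quantization tables, compares those features between two files, and reproduces what strings prints. The constructed sample header carries the standard IJG quality-75 luminance table, so the same "$.' ",#", "(7),01444" and "'9=82<.342" runs appear; the sample's JFIF fields, dimensions and comment text are assumptions, not bytes from the evidence file.

```python
import struct

# Marker names we report (ITU T.81 / JFIF); anything else shows as hex.
MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
                0xDB: "DQT", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}

def parse_segments(data):
    """Walk marker segments from SOI up to the SOS header (before scan data)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, allowed before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI has no payload
            segments.append(("EOI", b""))
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack_from(">H", data, pos + 2)[0]
        segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"),
                         data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                      # entropy-coded data follows SOS
            break
    return segments

def parse_jfif(payload):
    """Decode the JFIF APP0 body: version, density units and thumbnail size."""
    if not payload.startswith(b"JFIF\x00"):
        return None
    major, minor, units, xd, yd, tw, th = struct.unpack_from(">BBBHHBB", payload, 5)
    return {"version": f"{major}.{minor:02d}", "units": units,
            "density": (xd, yd), "thumbnail": (tw, th)}

def parse_dqt(payload):
    """Return {table_id: 64 values in zigzag order} for one DQT segment."""
    tables, pos = {}, 0
    while pos < len(payload):
        precision, table_id = payload[pos] >> 4, payload[pos] & 0x0F
        pos += 1
        if precision == 0:                      # 8-bit entries
            tables[table_id] = list(payload[pos:pos + 64]); pos += 64
        else:                                   # 16-bit entries
            tables[table_id] = list(struct.unpack_from(">64H", payload, pos)); pos += 128
    return tables

def header_profile(data):
    """Encoder-revealing features: segment order, JFIF fields, tables, comments."""
    profile = {"segments": [], "jfif": None, "quant_tables": {}, "comments": []}
    for name, payload in parse_segments(data):
        profile["segments"].append(name)
        if name == "APP0":
            profile["jfif"] = parse_jfif(payload)
        elif name == "DQT":
            profile["quant_tables"].update(parse_dqt(payload))
        elif name == "COM":
            profile["comments"].append(payload.decode("latin-1"))
    return profile

def compare_headers(a, b):
    """Which features two files share; equal tables mean equal settings, not one program."""
    pa, pb = header_profile(a), header_profile(b)
    return {key: pa[key] == pb[key] for key in ("segments", "jfif", "quant_tables")}

def printable_runs(data, min_len=4):
    """What strings(1) would print: runs of printable ASCII of at least min_len."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                    # sentinel flushes the last run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

# IJG luminance quantization table at quality 75 in zigzag (DQT) order; its
# printable bytes are exactly the " $.' \",#", "(7),01444" and "'9=82<.342"
# runs that strings prints for both files on this page.
IJG_LUMA_Q75_ZIGZAG = bytes([
    8, 6, 6, 7, 6, 5, 8, 7, 7, 7, 9, 9, 8, 10, 12, 20, 13, 12, 11, 11, 12, 25,
    18, 19, 15, 20, 29, 26, 31, 30, 29, 26, 28, 28, 32, 36, 46, 39, 32, 34, 44,
    35, 28, 28, 40, 55, 41, 44, 48, 49, 52, 52, 52, 31, 39, 57, 61, 56, 50, 60,
    46, 51, 52, 50])

def segment(marker, payload):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample header (not bytes from the evidence file): JFIF 1.01 with
# aspect-ratio density units, one 8x8 greyscale component, a COM segment,
# then the SOS header at which parsing stops.
SAMPLE_JPEG_HEADER = (
    b"\xFF\xD8"
    + segment(0xE0, b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 1, 1) + b"\x00\x00")
    + segment(0xDB, b"\x00" + IJG_LUMA_Q75_ZIGZAG)
    + segment(0xFE, b"constructed sample")
    + segment(0xC0, b"\x08" + struct.pack(">HH", 8, 8) + b"\x01\x01\x11\x00")
    + segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")
)

if __name__ == "__main__":
    print(header_profile(SAMPLE_JPEG_HEADER))
    print(printable_runs(SAMPLE_JPEG_HEADER))
```

Run header_profile over test.JPG and 00000001.jpg and compare the full results: identical quantization tables only show that both encoders used the same quality setting, whereas a matching JFIF version and density, the same ordering of segments, and the same presence or absence of APP1 (EXIF) and COM segments make the "same program" claim much harder to dispute.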