-
Hidden info on a Floppy
We got a cool assignment today in my Network Security class.. Here is the scenario:
@ 2:05pm the FBI arrested what is thought to be a drug lord. No drugs were found on the dealer. He has been in contact with known drug dealers. A floppy disk was found on the subject. He tried to flee from the scene so he might have dropped something to incriminate him on drug charges....
I have to give a report that a computer forensics investigator would write.. I need a program to work with XP that can read the entire floppy disk. I am guessing there is plenty of information hidden on the disk that would incriminate him. The teacher hinted at this hard. He said that it would be better to use Linux to check out the disk. He wasn't sure if there was a good Hex editor that would read the entire disk. I don't know though
My biggest question is, what is the best way to read this file on the floppy. And what is on the Floppy disk.
-
You have to create your own program? Or, can you use other software?
I've not done a whole lot of forensics... but I have been reading Incident Response. (Awesome book!)
It seems that the "best" tool that they use is called "EnCase". However... it costs a pretty penny. You can request a fully functional demo/evaluation CD from here. They don't have it for download. :(
I recommend you check out this article.
http://www.securityfocus.com/guest/16691
If you have the $$... you should def. get Incident Response. It's a great book.
Also, check out the following searches. There are too many links to post here.
Can't get them to link right here... so go to google and type in
"computer forensics site:www.securityfocus.com"
and
"computer forensics site:www.sans.org"
Do those searches without the " "
-
If you want to do some low-level reading of a floppy disk, there are programs that let you view low-level data, such as deleted files, etc.
http://www.theabsolute.net/sware/dskinv.html
I can explain some reasoning behind why this low-level reading of the disk works. When you delete a file, it isn't really deleted. On a floppy disk, a FAT partition system (filesystem) is used, and the filesystem keeps track of stuff on the disk, like where files are, where bad sectors are, etc. When you delete a file, Windows usually puts it in the recycle bin. What really happens is that the name is given a question mark as the first character (?). You can't use that in normal files; Windows won't let you since it marks a deleted file. But the data isn't erased; the area of the disk where the file is, is simply marked empty in that file table. So the data can still exist, and if you search the disk you could find this data. It is possible that it was overwritten and the data is corrupt, but if it was a text file you should be able to make out the text no problem, and see where it was overwritten.
Hopefully I didn't go off in some rant or another. Just get the program and learn how it works, and you can find all sorts of files that you thought you deleted. It has two views, folder list (it can show some deleted files) and low level view, which shows low level data including the HEX values of data, along with ASCII values (text that you can read).
-Tim_axe
Edit: Is this a real situation? Sounds cool if it is. I originally thought it was a hypothetical... I wish I got to do that instead of imaging computers...
BTW, make sure the disk is in read-only. There are a ton of things you have to actually do for it to be admitted as evidence. In hacks/break-ins, usually an admin has to follow special procedure to image and duplicate a HDD and play with the duplicate, for it to be allowed as evidence. I don't know how to do this with a floppy disk though, so if this is a real situation, please realize that there are some things that you have to follow, and I don't happen to know what they are...
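The mechanism Tim_axe describes above (entry marked, data left on disk) is easy to see in code. The following is an added example, not something from this thread or from Disk Investigator: it builds a tiny FAT12 floppy image in memory, writes a file, deletes it the way DOS does (first byte of the directory entry set to 0xE5, cluster chain freed, data untouched), and then recovers it from the stale directory entry. It also shows what the last poster in the thread asks about: a new file landing on one of the freed clusters overwrites part of the old data while the rest of that cluster survives as slack. All file names, contents, cluster numbers and the 0xE5 marker handling here are constructed for the demo; a real tool would also handle subdirectories, long names and fragmented files.

```python
"""Added example (not from the thread): FAT12 deletion and recovery in memory."""
import struct

# Geometry of a 1.44 MB floppy (constructed to match the standard layout)
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, FAT_SECTORS = 512, 1, 1, 2, 224, 2880, 9
ROOT_SECTOR = RESERVED + NFATS * FAT_SECTORS          # sector 19
DATA_SECTOR = ROOT_SECTOR + ROOT_ENTRIES * 32 // BPS  # sector 33, cluster 2 starts here
DELETED = 0xE5  # first byte of a directory entry once the file is deleted
NOTE = b"Sample note line for the recovery demo.\n" * 14  # 560 bytes -> 2 clusters


def fat12_get(img, n):
    off = RESERVED * BPS + n + n // 2
    v = img[off] | (img[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)


def fat12_set(img, n, value):
    # FAT12 packs two 12-bit entries into three bytes; update every FAT copy
    for copy in range(NFATS):
        off = (RESERVED + copy * FAT_SECTORS) * BPS + n + n // 2
        if n & 1:
            img[off] = (img[off] & 0x0F) | ((value << 4) & 0xF0)
            img[off + 1] = (value >> 4) & 0xFF
        else:
            img[off] = value & 0xFF
            img[off + 1] = (img[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def cluster_offset(n):
    return (DATA_SECTOR + (n - 2) * SPC) * BPS


def new_floppy():
    img = bytearray(TOTAL * BPS)
    img[0:36] = struct.pack("<3s8sHBHBHHBHHHII", b"\xEB\x3C\x90", b"MSDOS5.0", BPS, SPC,
                            RESERVED, NFATS, ROOT_ENTRIES, TOTAL, 0xF0, FAT_SECTORS, 18, 2, 0, 0)
    img[510:512] = b"\x55\xAA"
    fat12_set(img, 0, 0xFF0)   # media descriptor entry
    fat12_set(img, 1, 0xFFF)
    return img


def write_file(img, name, ext, data, first_cluster):
    """Store data in consecutive clusters from first_cluster and add a root entry
    in the first never-used slot (DOS may also reuse a deleted slot, which would
    destroy the old entry; we keep it so the recovery step has something to find)."""
    nclusters = max(1, -(-len(data) // (BPS * SPC)))
    for i in range(nclusters):
        c = first_cluster + i
        chunk = data[i * BPS * SPC:(i + 1) * BPS * SPC]
        img[cluster_offset(c):cluster_offset(c) + len(chunk)] = chunk
        fat12_set(img, c, c + 1 if i + 1 < nclusters else 0xFFF)
    for slot in range(ROOT_ENTRIES):
        off = ROOT_SECTOR * BPS + slot * 32
        if img[off] == 0x00:
            img[off:off + 32] = struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                                            ext.ljust(3).encode(), 0x20, b"\0" * 10, 0, 0,
                                            first_cluster, len(data))
            return


def delete_file(img, name):
    """What DEL does: mark the entry, free the cluster chain, leave the data alone."""
    for slot in range(ROOT_ENTRIES):
        off = ROOT_SECTOR * BPS + slot * 32
        if img[off:off + 8] == name.ljust(8).encode():
            c = struct.unpack_from("<H", img, off + 26)[0]
            while 2 <= c < 0xFF8:
                nxt = fat12_get(img, c)
                fat12_set(img, c, 0)
                c = nxt
            img[off] = DELETED
            return


def recover_deleted(img):
    """Rebuild every deleted root-directory file, assuming it was stored
    contiguously (the FAT chain is gone, so the start cluster and size in the
    stale entry are the only lead). Clusters allocated again since the deletion
    are reported: another file has overwritten at least part of them."""
    found = []
    for slot in range(ROOT_ENTRIES):
        off = ROOT_SECTOR * BPS + slot * 32
        if img[off] == 0x00:
            break                      # end of directory
        if img[off] != DELETED:
            continue
        # the first character of the name is lost; show it as '?'
        name = b"?" + img[off + 1:off + 8].rstrip() + b"." + img[off + 8:off + 11].rstrip()
        first, size = struct.unpack_from("<HI", img, off + 26)
        nclusters = max(1, -(-size // (BPS * SPC)))
        data, reused = bytearray(), []
        for c in range(first, first + nclusters):
            data += img[cluster_offset(c):cluster_offset(c) + BPS * SPC]
            if fat12_get(img, c) != 0:
                reused.append(c)
        found.append({"name": name.decode(), "size": size, "start": first,
                      "data": bytes(data[:size]), "reused_clusters": reused})
    return found


def demo():
    img = new_floppy()
    write_file(img, "NOTES", "TXT", NOTE, 2)       # occupies clusters 2 and 3
    delete_file(img, "NOTES")
    clean = recover_deleted(img)                   # nothing reused yet: full recovery
    write_file(img, "MEMO", "TXT", b"Expense report Q3\n", 3)  # new file reuses cluster 3
    partial = recover_deleted(img)                 # cluster 3 now partly overwritten
    return {"clean": clean, "partial": partial}
```

Running `demo()` returns the fully recovered note first, then the same recovery after MEMO.TXT took cluster 3: the first 18 bytes of that cluster are the memo, the remaining bytes of the old note are still there as slack, and `reused_clusters` tells the examiner which part of the recovered file can no longer be trusted.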
-
We can use any software... We just have to come up with as much evidence as possible with only having this Floppy disk to examine
-
It's a project for my Network Security class. I'm a little behind because I am supposed to take this at the end of my 2nd year and I'm in the middle of my 1st year... a great class though!
-
Hi,
Can you mirror the disk then compress it and either post it here or attach it to a personal message (PM)?
Looks like an interesting one?..........so when we have inserted the launch codes for trident ICBMs...........he will get a lot more than your average drug dealer? :D
I would like to try a few tools on it................not realistic I know, but still worthwhile if you can create a true mirror?
Cheers
-
WinHex www.winhex.com
You need a hex editor and you are going to read the previous deleted material.
If you want to cheat, I would suggest using a Windows 95 system and use Norton's Disk Editor. All you are doing is reviewing the uncovered material that was deleted off the disk. We all know floppies make the material unavailable, but do not delete it unless it is overwritten. Unless he used a secure delete system, then we may have to attack it at a higher level, but I have a feeling it was just a text document that was deleted and not over written. This will be readable with any ASCII viewer, I suggest using winhex. You can get a free trial of it, which will allow you to read the material. If you need any further assistance PM me. I have been through a few computer forensics classes myself.
-
The reason your instructor said linux would be a good choice is probably because of the dd utility. It'll allow you to quickly image a floppy.
I dunno though. If I were a drug lord, I'd make sure that if I carried that diskette around, to keep a high-powered magnet in my other pocket. That way, when I hear sirens, I could put both in the same pocket and help garble all the data on it. It would have been encrypted too, but that's besides the point.
I'm assuming that drug dealers aren't quite bright enough to do that though.
Anyways, I agree with the previous posters and have used many of the tools they mentioned. I would recommend that if you have a linux or BSD distro lying around to load it up, use dd on it, compress the image (tar with whatever parameters for compression), put the data onto an MsDOS disk (i'm pretty sure this is viable as you can mount an msdos disk so i'd assume you can put a file on it) and then use your windows tools to hack it apart. I recommend Hiew, Hackman 7.0, and A.X.E. That's largely because they're good and best of all, FREE.
-
I have used a program for Windows called "Drive Rescue" It seems to work real well but it is pretty slow. This is Freeware and you can get it from: http://home.nexgo.de/christian_grau/rescue/index.html
....... I just checked my link :( .... This software is now called File Recovery and is no longer free. The standard version is around $60 and the Professional version is around $100.
I have attached an older "freeware" version.
BTW: This program was recommended to me by one of the Investigators for the U.S. Department of Labor
I hope this helps!
-
Hi, also take a look at how forensics are conducted, such as not actually using the disk but making an exact image of it (due to evidence laws)
And also dates and times of documents. If you mail me @ [email protected] I'll be able to send you a number of PDF files on this.
(but i am on holiday from monday to next friday)
Damien
-
Man, this is a very famous case known as the Joe Jacob case wherein the Colombian drug lord was convicted on the basis of forensic tests on the floppy.
Search for Joe Jacob on Google and you might find more than I could ever tell you.
best of luck
-
Here are some programs to help you. PM me your mail id; I might even send you some very helpful PDFs to crack the image in Windows
-
image
Got this image somewhere on my hd tell me if its the same.
-
I know Linux-STD has a lot of tools- Autopsy, DD? I haven't had a chance to use them but this sounds like a good time. Would the integrity of the data be ok when it's transferred to this site? Are there time stamps that would be screwed with that we would need to do a proper job on it?
If you could post that, this would be a pretty damn cool thread.
Soda
-
[email protected] is my email...
Is there a way for me to send everything written on this disk out to you guys?
-
Attach it to a post? I'll drop you an email as well.
-
Most likely your best bet to start with is to get an image of the floppy (windows program rawread will do this as will "dd" on Linux)
Then get out a hex editor and look for anything obvious.
Obvious places to start are the root directory for deleted files (or other directories if it has subdirectories), unused clusters, and slack space.
Of course the tricky part would be, if you can recover *part* of something like a zipfile which has been deleted and partially overwritten (NOTE: zipfiles are potentially quite convenient because the directory is at the end, and the most likely part to be overwritten is the beginning)
The reason that using Linux might be easier, is you can hexedit the image and then mount it using loopback and examine files. However, on Windows you can do the same thing by using another floppy, which is slower, but achieves the same.
Slarty
-
If you are willing to do your assignment using Windows, I would recommend you trying " BadCopy Pro "out.
It is a fabulous little proggie to recover / read data from almost all media; it can scan / read physical sectors even if the floppy is damaged or doesn't work. Best part is that it is GUI-based.
This is a shareware so the evaluation copy will let you see what files the floppy contains, but you won't be able to copy / open them unless you purchase it (but... I don't know... I should say this -- b'cuz it is Anti- anti-online ) just use google to find its serial no. do your work and **honestly** uninstall / destroy the copy of the software.
Hope it helps...
PS: You can download it from www.download.com [file size approx. 862 KB]
-
Hidden Info on Floppy
Hello Everyone!
I was so intrigued after reading this post that I did a little searching on Google and guess what I found!? Yep - the infamous Joe Jacobs scenario! It is on the Honeynet.org site (http://www.honeynet.org/scans/scan24/) under their monthly challenges from 2002. The 'police report' (http://www.honeynet.org/scans/scan24/report.txt) laid out the whole story, while the challenge questions are posted on the scan24 page. I even managed to find some freeware forensic tools for anyone that is interested (http://www.dmares.com/maresware/freesoftware.htm). The MD5 Checksum for the floppy image file is: MD5 = b676147f63923e1f428131d59b1d6a72 ( image.zip ) and can be downloaded direct (http://www.honeynet.org/scans/scan24/image.zip) or I've attached a copy for those of you in a hurry (it's probably a duplicate of the one noted in an earlier reply "found on a HD" and attached).
So - happy hunting. When you finish you can compare your results to the individuals who entered (as long as you don't cheat!). As for me, I believe I have a bit of reading to do . . . Enjoy!!
V.
-
I've attached a small program that I use myself in order to retrieve deleted information from a floppy disk.
Also take a look at this tutorial written by groovicus called Windows Forensics-Where to look-What to use and see if anything there will help you out :)
-
I can attach the word document to an attachment on here but how can I attach what is on the actual floppy disk?
-
My biggest problem is this: I shouldn't even be in this class. I have some decent computer knowledge but just not enough for this class. I have gotten by with reading as much as I can to keep up but I shouldn't even be taking this class until the end of next year after I take some other classes... I used Bad Copy Pro and found some 'deleted' files but the only one that says anything is an email with some evidence but I need a lot more. I just don't know how to use a Hex editor. I'm not trying to get someone to do my homework by any means. I just need help on how to do some of these things.
Anyways, you guys have helped a ton already and didn't have to. I appreciate it a great deal too.
Mike
-
You can use rawwrite to create an image of the floppy.
Then, users can take the floppy image and copy it back to the floppy.
http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm
It may be too big to attach to the board here... so, you may have to zip it to get it down in size. Well, you can't attach an .img file anyway. You'll have to zip it regardless.
-
The free program I posted a link to earlier, Disk Investigator (http://www.theabsolute.net/sware/dskinv.html), has a hex editor while it goes through the low level disk stuff. You can find deleted files, and go into hex mode to try and find anything that looks like plain text or other evidence. Just go to View -> Disk, instead of Directories, and it shows everything in HEX, Text (ASCII), and Decimal (#0 - 255).
Hopefully it is what you need, but you can also look at what everyone else recommends. Have fun, and maybe there is some reason you're in this class a year earlier than normal. Good luck :)
-
Quote:
Originally posted here by phishphreek80
You can use rawwrite to create an image of the floppy.
Then, users can take the floppy image and copy it back to the floppy.
http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm
It may be too big to attach to the board here... so, you may have to zip it to get it down in size. Well, you can't attach an .img file anyway. You'll have to zip it regardless.
Binary or Source... which should I download and install?
-
Nautiqeman
No problems with the "homework" :D .........as soon as you have a budget to manage you learn to cheat...............
WinHex has been recommended...............I will go with that...............also, don't forget DOS tools?...I am guessing that part of the question is about standard windows deletion tools........?
GROOVICUS.............where are you man? ........just when your people need ya?
Any chance of posting a mirror of the disk?
Cheers
-
I guess this thread is getting longer than it should. 3 pages... wow full of stuff and ideas... :D
Homework must be completed by now over 3 to 5 times I guess... lolz... cya all..
-
It's not due till monday. All I have is an email and the properties of the disk with his name on it... The email was written before he was arrested. I don't have any hard evidence though
-
mm nice one...think I've seen this case before..what're the files on the floppy? yes you'll have to use linux for a bit...though you can try and use a set of unix utilities for windows..don't remember the exact addy but you can search for it on google (try unixutils.zip). It's a pretty nice set for users who're on windows..has dd, md5..and a lot more, check it out..you'll also need a hex editor..incidentally..if someone's actually still reading this..let's say you've deleted a file which was 1.4mb of a floppy..how d'you recover it if someone's stored something else...wouldn't the tracks be written over or something?