Thursday, 9 August 2012

Puzzle #10: PaulDotCom Goes Off the Air

My solution to Puzzle #10 "PaulDotCom Goes Off the Air"

I started by downloading the evidence file and verifying the SHA256 hash.
Extract the files from the archive

Opened “quarter-SDHC-snippet.dd” with FTK Imager (a free tool from AccessData)

Created AD1 custom content image from the deleted files found on “quarter-SDHC-snippet.dd”
Mounted the AD1 image as a logical, file system, read only.
The AD1 container was created because if I just mounted the dd image I would still have to deal with the deleted files. I could have just exported the deleted files but they could get intentionality modified, "cleaned" by AV etc.. Mounting the AD1 image as Read Only via FTK Imager allows me to work on the files without risk of modifying the evidence.

1. In his conversation with juniorkeyy, how old does Larry initially say he is?

Answer: 4

Looked through chatlog files on the mounted image file to get the answer.
From “chatlog1.txt “ “2:38:17 PM Larry Pesce: I'm 4.”

2. What was the filename of the file that had the following SHA256 sum:

Answer: e56931935bc60ac4c994eabd89b003a7ae221d941f1b026b05a7947a48dc9366

I hacked up a C# tool called SHATool using System.Security.Cryptography.SHA256Managed to find and compute SHA256 hash values. The slightly cleaned up code can be found here. It was quicker for me to hack together a simple console app in c# then to Google for a tool to calculate SHA256 hashes that would most likely not have had the ability to search for files with a specific hash. 

I ran SHATool over the mounted image file and found the file “superstrand.jpg” matched the hash value.

3. What is the SHA256sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?

Answer: 1bdfd9d7445d38fdb7ba5acbb58669cf31c7c568c7aa6e6fcf0c961628f4c32e

Two files have Larry taking a bite out of a router
The way the question is worded I chose the hash for larryeatswrt.jpg as the same “picture” (the files are not identical) appears in the pcap data. 

4. What is the SHA256sum of the image that shows zombie Larry taking a bite out of a cat?

Answer: 9c0a8bc6c3baa2ad7f390ef4e41c3edf3d98a543f492afb50a4bab8700af5766 (Larry_zombie_cat.jpg)

5. What is Larry saying as he rocks back and forth? (No spaces or capital letters.) 

Answer: dekankcah

Used QuickTime player to play the video trapped.mp4 backwards by using the key shortcut Ctrl + Left Arrow. Larry says "Hack Naked, Hack Naked"
I answered this question based on how it was worded + the hint in the narrative.

6. Where are Paul and John? Report their GPS coordinates:a) Latitudeb) Longitude
BONUS. What is the name of the nearest bar?

a) 6.421402
b) 3.441021
Bonus: Bar Baric 

To start with I created a c# console app to extract any exif GPS location data from JPG files, the code can be found here.

I opened pcap-from-surviving-hard-drive.pcap in WireShark and NetworkMiner to analyse the data. Initially done to extract images so I could check to see if there were any GPS coordinates in the exif data using the console app I created. None were found, this question was not going to be that easy.

Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. I used WireShark “File, Export, Objects, SMB” Found 4 files all called larryeatswrt-with-secretsauce.jpg

This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.
I used HxD to concatenate the files starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence. File 3->4->1->2. There was some corruption around the file joins, I took a look and started deleting data one byte at a time, 24 bytes later the first join was fixed. When I got to the second join I found it was a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started I could have save myself some time) anyhow, I removed the “twenty-four overlapping bites” from the joins. Ok check for GPS exif data. No luck. 

From analysing the PCAP data with WireShark and NetworkMiner, of interest were the web sites visited and Google / Bing searches:

Google: how do i hide things in pictures

Stenography Sites and urls visited…

Other Excellent sites from the PCAP file…

I took a look at the method used from the instructables site and did not find any images encoded using that method. Also all jpg files had the correct FF D9 footer making this type of stenography unlikely for these files.

I then downloaded stegdetect (windows binary) and ran it over the dd image files and larryeatswrt-with-secretsauce.jpg 
It detected 
paul2.jpg : jphide(*)
Used jpseek.exe with key dekankcah no luck.

I ran stegbreak over the same files using dekankcah in my word list and found…
haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]
I had a look at Binary Computer Graphics Metafile files. That file format is messed up, good luck data carving for it.

I couldn’t find an outguess binary for windows so I fired up Ubuntu in VirtualBox, and installed the outguess package.
outguess on haxorthematrix-has-a-posse.jpg failed "Extracted datalen is to long:"

outguess -t -r -kdekankcah larryeatswrt-with-secretsauce.jpg /home/me/data.txt
Reading larryeatswrt-with-secretsauce.jpg....
Extracting usable bits:   16713 bits
Steg retrieve: seed: 10, len: 171
cat /home/me/data.txt 

Gone fishing, back in 2 weeks.

Paul & John

P.S.  We aren't sure what happened to Larry. 

P.P.S.  We're at a bar near here if you want to hang:  6.421402,3.441021

I checked the location on Google maps and found Bar Baric with this review...
“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”

I cracked open a beer, and submitted my answers...

No comments:

Post a Comment