Sunday, March 13, 2011

Answers to Forensic Puzzle #6

On February 24th, I posted a quick puzzle for people that were interested in working through a forensic puzzle. You can read the original post here.

Many comments and emails were sent asking about the puzzle, so I figured it was time to post the basic information that you were supposed to get. Going back to the scenario, a file was given to you for examination and you were asked to examine it and determine its purpose or any other information. You were also asked to provide the MD5 hash value of any final files you were able to examine.

Let start with the file:

Looking at the file and/or doing a file signature analysis using EnCase would reveal its a OLE compound file. The header is the same as a Microsoft Office document.  An OLE compound file has its own internal file system. The technical structure of this file can be found here. You can manually decode this file using the information provided on the MSDN library.

An easier solution is to use the built-in capabilities of EnCase. Since EnCase can parse OLE compound files, we can let EnCase do the tedious work for us.

Once we do this, the single file becomes two:

Now, looking at the contents of the single "suspicious file", you have two internal files named Details & File_0. Now, this next part is difficult to know without having looked at many files like this. This file is XOR encrypted. How do I know? I don't know. I's just something that after looking at many files like this, data patterns jump out and kind of reveal themselves. No, I am not Neo, but just like date fields and other structure become apparent after seeing them enough times, you can begin to recognize when data is XOR'd.

In this case, I theorized that the file named "file_0" was probably an EXEcutable. If you look at an Executable with a hex editor, you will see the MZ header followed by a bunch of zeros that make up the COFF header. So, looking at the image above, all the values with 6A, are actually 00. This makes un-xor'ing (technically xor'ing it again) the file easy since you can theorize that if this was originally an EXE, the value was 00, the resulting value is now 6A. Xor'ing the value of 00 with the XOR key of 6A, results in a value of 6A (imagine that). Therefore, we have just discovered our XOR key. 

If we XOR this file with the value of 6A, we end up with the following data:

We can clearly see this is a EXEcutable file and it has a standard COFF/PE header.  The MD5 of this file is 8dc601710e3e68b8d78b5cd73fb28616

A quick look at the contents of this file reveal a string resource that says:
"PopCap Games, Inc.,Zuma,,Zuma,Copyright © 2003 - 2004 PopCap Games, Inc.,Zuma.exe,Zuma Deluxe,,Presented by GameHouse".

If you save this file, there is a Icon associated with this EXE that is consistant with the game "ZUMA".  A strings of this file also reveals numerous text fragments that are consistant with a game.

If we look at the second file named "details":

We could try the same XOR key, which would work in this case. It would result in the file:

The MD5 hash value of this file is: f93a7bb8e02a8a23f87dad22b9ecd578

When I cannot determine the original type of file (like the first one above, I theorized it was an EXE by the patterns of data) or what XOR key that was used, then I use an EnScript I wrote to quickly XOR the data with all 256 possible values. It results in 256 files being written, each using a different XOR key, but then I can quickly look through those files and see any data I might recognize. 

Thanks to those who participated..... To date, *nobody* has posted any comments or answers to puzzle #1


Lance Mueller Saturday, 19 March, 2011  

Greg Back sent me a link to an article he posted about this puzzel that I thought everyone may benefit from:

Anonymous Tuesday, 19 April, 2011  

thank you

computer forensics Tuesday, 30 August, 2011  

All I can say is 'wow' - great pointing out, step by step.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles