Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In that issue I set a challenge in which the prize was a copy of David Cowen’s latest book, “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows:
Somewhere in the digital copy of the magazine (downloaded from the 4cast website) you will find a clue. Follow this clue and complete the challenge.
That was the extent of it. In digital forensics we are often given much vaguer criteria than this, so I wasn’t really prepared to give any more information than this. It was my belief that I might have made the challenge too difficult. I can be very sadistic at times, and I did what I could to cause people to not only use their skills but also think in a really obscure way. That being said, I was very surprised when, the day after publication, I received an email from Tyler Hudak of KoreLogic (korelogic.com) saying that he’d figured it out. As it turns out I’m not nearly as sadistic or obscure as I thought.
Over the next few weeks a couple of other people were able to figure it out as I gave additional clues on social media, but Tyler shocked me when he was able to provide a solution after only one day. I asked him to provide an explanation of how he found the answer. Please read it below. Let me know what you think. Was this a totally obscure challenge or did I under-think things?
The description of the contest stated that the clue was somewhere within the magazine. Since the magazine was a PDF, I figured I’d shortcut things and look at the PDF itself in the hopes that I would find something.
I ran pdfid.py on it and saw there were some JavaScript objects. Odd, especially for a magazine.

$ pdfid.py 4mag-1-Q2-2013.pdf
PDFiD 0.0.12 4mag-1-Q2-2013.pdf
PDF Header: %PDF-1.6
obj                1341
endobj             1341
stream              618
endstream           618
xref                  0
trailer               0
startxref             1
/Page                 0
/Encrypt              0
/ObjStm               2
/JS                   1
/JavaScript           2
/AA                   2
/OpenAction           0
/AcroForm             0
/JBIG2Decode          0
/RichMedia            0
/Launch               0
/EmbeddedFile         0
/Colors > 2^24        0

I then ran pdf-parser to find all the JS objects. Object 1414 contained JavaScript code to extract an attachment from the document. Further analysis showed that object 1412 pointed to a name “Found Me.7z” in object 1415, and then to 1416, which contained the actual 7z file. I then used pdf-parser.py to extract “Found Me.7z” from object 1416.
$ pdf-parser.py -w -f -o 1416 -d 1416.7z 4mag-1-Q2-2013.pdf
file 1416.7z
obj 1416 0
Type:
Referencing:
Contains stream
<<
/DL 423
/Filter /FlateDecode
/Length 437
/Params
<<
/CheckSum <566439E24662D359F0BB5214DB31F246>
/CreationDate (D:20130326150915-05'00')
/ModDate (D:20130322173640)
/Size 423
>>
>>

$ file 1416.7z
1416.7z: 7-zip archive data, version 0.3

Once the 7z file was extracted, I quickly found that it was password protected. I initially tried a number of passwords like 4:mag, forensic4cast, etc. with no luck. I then set up a brute force to try all the passwords from the rockyou.txt file (a big password file) and let it go.
While that was going I jumped onto forensic4cast.com and was looking around. That’s when I noticed the background was a bunch of binary numbers which did not seem to have a discernible pattern. I isolated the picture (https://forensic4cast.com/wp-content/themes/colorway/images/body-bg.png) and copied out the binary by hand into a file. I then ran the following bash/Perl to convert it to letters:

$ for NUM in `cat /tmp/binary`; do export NUM; perl -e 'print chr(unpack("N", pack("B32", substr("0" x 32 . $ENV{NUM}, -32))));'; done
I saw the output and at first thought I had done it wrong, or it was a hash or encrypted string of some sort. Just for the heck of it I tried it as the password for the 7z itself and was happily surprised when it worked.
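The chain Tyler walks through above (triage the PDF for script and attachment keywords, pull the embedded file out of its FlateDecode stream, check it against the /CheckSum and /Size the PDF itself records in /Params, then decode a binary clue into a password candidate) as an added example. This is not code from the original post, from Tyler, or from Didier Stevens' pdfid.py/pdf-parser.py: the PDF it works on is constructed inline (modelled on the object dictionary printed above, with a stand-in payload and a made-up clue that decodes to "dem0"), the JavaScript in it is illustrative, and the tokeniser is deliberately simple. One caveat worth noticing in Tyler's pdfid output: it reports /EmbeddedFile 0 and /Page 0 while pdf-parser later finds an embedded file, and the /ObjStm 2 line is the likely reason. pdfid scans the raw bytes and does not decompress object streams, so keywords inside them are invisible to it. The tally function below has the same blind spot, and says so.

```python
"""Added example: re-create the 4:mag solution chain against a constructed PDF.

Nothing here comes from the magazine. The PDF is built inline so the code runs
offline, and pdfid.py / pdf-parser.py are only approximated, not reimplemented.
"""
import hashlib
import re
import zlib

# Constructed stand-in for "Found Me.7z": the 7z magic bytes plus filler.
PAYLOAD = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26 + b"constructed stand-in for the attachment"

# Constructed clue in the style of the site-background binary. Decodes to "dem0",
# which is NOT the magazine's password.
CLUE_BITS = "01100100 01100101 01101101 00110000"

# The names that make a "magazine" PDF worth a second look.
SUSPICIOUS = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed PDF modelled on the pdf-parser output above: a name-tree entry,
    a /Filespec, a FlateDecode /EmbeddedFile stream with /Params, and a /JavaScript
    action. The script text is illustrative, not what the magazine contained."""
    compressed = zlib.compress(payload)
    params = (b"/Params << /CheckSum <" + hashlib.md5(payload).hexdigest().upper().encode()
              + b"> /Size " + str(len(payload)).encode() + b" >>")
    objects = [
        b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n",
        b"2 0 obj << /Names [(Found Me.7z) 3 0 R] >> endobj\n",
        b"3 0 obj << /Type /Filespec /F (Found Me.7z) /EF << /F 4 0 R >> >> endobj\n",
        b"4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" " + params + b" >>\nstream\n"
        + compressed + b"\nendstream\nendobj\n",
        b"5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: 'Found Me.7z'});) >> endobj\n",
    ]
    return b"%PDF-1.6\n" + b"".join(objects) + b"%%EOF\n"


def keyword_counts(pdf: bytes) -> dict:
    """Rough pdfid-style tally. Literal matches only: like pdfid it does not look
    inside /ObjStm object streams, and unlike pdfid it does not undo /#xx name
    escapes, so a zero here is not proof of absence."""
    return {key.decode(): len(re.findall(re.escape(key) + rb"(?![A-Za-z])", pdf))
            for key in SUSPICIOUS}


def iter_stream_objects(pdf: bytes):
    """Yield (object number, dictionary bytes, raw stream bytes) per stream object.
    Toy tokeniser: splits on 'endobj' and trusts a direct /Length. pdf-parser.py
    resolves indirect /Length references and unpacks object streams; this does not."""
    for chunk in pdf.split(b"endobj"):
        head = re.search(rb"(\d+)\s+0\s+obj\s*<<(.*)>>\s*stream\r?\n", chunk, re.S)
        if not head:
            continue
        length = re.search(rb"/Length\s+(\d+)", head.group(2))
        if not length:
            continue
        start = head.end()
        yield int(head.group(1)), head.group(2), chunk[start:start + int(length.group(1))]


def extract_embedded_files(pdf: bytes) -> list:
    """Inflate every /EmbeddedFile stream and verify it against its own /Params.
    /CheckSum is the MD5 of the original file and /Size its byte count, so a
    mismatch means a truncated or wrongly-filtered extraction, not a valid file."""
    found = []
    for objnum, dictionary, raw in iter_stream_objects(pdf):
        if b"/EmbeddedFile" not in dictionary:
            continue
        data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        checksum = re.search(rb"/CheckSum\s*<([0-9A-Fa-f]+)>", dictionary)
        size = re.search(rb"/Size\s+(\d+)", dictionary)
        found.append({
            "object": objnum,
            "data": data,
            "size_ok": size is None or int(size.group(1)) == len(data),
            "checksum_ok": checksum is None
            or checksum.group(1).lower() == hashlib.md5(data).hexdigest().encode(),
            "looks_like_7z": data.startswith(b"7z\xbc\xaf\x27\x1c"),  # `file` would say 7-zip
        })
    return found


def decode_binary_clue(bits: str) -> str:
    """Whitespace-separated binary groups to characters, as the perl loop does;
    groups of any width are accepted because int(x, 2) ignores leading zeros."""
    return "".join(chr(int(group, 2)) for group in bits.split())


if __name__ == "__main__":
    sample = build_sample_pdf(PAYLOAD)
    print(keyword_counts(sample))
    for entry in extract_embedded_files(sample):
        print(f"obj {entry['object']}: {len(entry['data'])} bytes, size_ok={entry['size_ok']}, "
              f"checksum_ok={entry['checksum_ok']}, 7z={entry['looks_like_7z']}")
    print("candidate password:", decode_binary_clue(CLUE_BITS))
```

The checksum step is the one worth keeping in a real workflow: when an extracted attachment will not open, comparing its MD5 against /CheckSum tells you immediately whether you pulled the bytes out correctly or are fighting the archive's own password. The brute-force stage is left out here; with a candidate in hand the check is a single `7z t -p<password> file.7z` against the extracted archive.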
Congratulations Tyler. We’ll send you a copy of David’s book very soon.
One response to “4:mag Challenge Solution”
[…] Lee Whitfield has posted the solution to the forensic challenge in the last issue of 4:Mag, http://forensic4cast.com/2013/12/4mag-challenge-solution/. Forensic challenges are fun and help you to improve your skills! I would recommend trying it on […]