4:mag Challenge Solution

    Posted on December 23, 2013 by Lee Whitfield in News, Technical Articles.

    Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In this issue I set a challenge in which the prize was a copy of David Cowen’s latest book “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows:

    Somewhere in the digital copy of the magazine (downloaded from the 4cast website) you will find a clue. Follow this clue and complete the challenge.

    That was the extent of it. In digital forensics we are often given much vaguer criteria than this, so I wasn’t really prepared to give any more information than this. It was my belief that I may have made the challenge too difficult. I can be very sadistic at times and I did what I could to make people not only use their skills, but also think in a really obscure way. That being said, I was very surprised when, the day after publication, I received an email from Tyler Hudak of KoreLogic (korelogic.com) saying that he’d figured it out. As it turns out I’m not nearly as sadistic or obscure as I thought.

    Over the next few weeks a couple of other people were able to figure it out as I gave additional clues on social media, but Tyler shocked me by providing a solution after only one day. I asked him to provide an explanation of how he found the answer. Please read it below. Let me know what you think. Was this a totally obscure challenge or did I under-think things?

    The description of the contest stated that the clue was somewhere within the magazine. Since the magazine was a PDF, I figured I’d shortcut things and look at the PDF itself in the hopes that I would find something.

    I ran pdfid.py on it and saw there were some JavaScript objects. Odd, especially for a magazine.

    $ pdfid.py 4mag-1-Q2-2013.pdf

    PDFiD 0.0.12 4mag-1-Q2-2013.pdf
    PDF Header: %PDF-1.6
    obj                 1341
    endobj              1341
    stream               618
    endstream            618
    xref                   0
    trailer                0
    startxref              1
    /Page                  0
    /Encrypt               0
    /ObjStm                2
    /JS                    1
    /JavaScript            2
    /AA                    2
    /OpenAction            0
    /AcroForm              0
    /JBIG2Decode           0
    /RichMedia             0
    /Launch                0
    /EmbeddedFile          0
    /Colors > 2^24         0

    I then ran pdf-parser to find all the JS objects. Object 1414 contained JavaScript code to extract an attachment from the document. Further analysis showed that object 1412 pointed to a name “Found Me.7z” in object 1415, and then 1416 which contained the actual 7z file. I then used pdf-parser.py to extract “Found Me.7z” from object 1416.

    $ pdf-parser.py -w -f -o 1416 -d 1416.7z 4mag-1-Q2-2013.pdf
    file 1416.7z
    obj 1416 0
    Type:
    Referencing:
    Contains stream

    <<
    /DL 423
    /Filter /FlateDecode
    /Length 437
    /Params
    <<
    /CheckSum <566439E24662D359F0BB5214DB31F246>
    /CreationDate (D:20130326150915-05'00')
    /ModDate (D:20130322173640)
    /Size 423
    >>
    >>

    $ file 1416.7z
    1416.7z: 7-zip archive data, version 0.3

    Once the 7z file was extracted, I quickly found that it was password protected. I initially tried a number of passwords like 4:mag, forensic4cast, etc. with no luck. I then set up a brute force to try all the passwords from the rockyou.txt file (a big password file) and let it go.

    While that was going I jumped onto forensic4cast.com and was looking around. That’s when I noticed the background was a bunch of binary numbers which did not seem to have a discernible pattern. I isolated the picture (https://forensic4cast.com/wp-content/themes/colorway/images/body-bg.png) and copied out the binary by hand into a file. I then ran the following bash/Perl to convert it to letters:

    $ for NUM in `cat /tmp/binary`; do export NUM; perl -e 'print chr(unpack("N", pack("B32", substr("0" x 32 . $ENV{NUM}, -32))));'; done

    I saw the output and at first thought I had done it wrong, or it was a hash or encrypted string of some sort. Just for the heck of it I tried it as the password for the 7z itself and was happily surprised when it worked.

    Congratulations Tyler. We’ll send you a copy of David’s book very soon.
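The pdfid/pdf-parser steps Tyler describes, reduced to one self-contained script. This is an added example, not Tyler's commands and not the pdfid or pdf-parser tools themselves: it counts the same keywords pdfid reports, walks the `N G obj ... endobj` blocks, inflates `/FlateDecode` streams and flags any that decode to a 7-Zip archive by its magic bytes, the check that identified object 1416 above. The PDF it runs on is constructed inline (a minimal, xref-less file whose object 4 is an embedded file), so the object numbers, the placeholder JavaScript and the attachment name are illustrative, not the real 4:mag document.

```python
import re
import zlib

# Keywords pdfid reports that matter most in triage; a magazine should have none of them.
SUSPICIOUS_KEYWORDS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
                       b"/EmbeddedFile", b"/Launch", b"/RichMedia")

# 7-Zip archive signature: "7z" followed by BC AF 27 1C.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# One "N G obj ... endobj" block; non-greedy so consecutive objects split correctly.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def build_sample_pdf():
    """Constructed sample (NOT the real 4:mag PDF): a minimal, xref-less PDF whose
    object 4 is a /FlateDecode embedded-file stream holding a fake 7-Zip archive
    and whose object 3 is a placeholder /JavaScript action."""
    payload = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"constructed archive body"
    compressed = zlib.compress(payload)
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Names [(Found Me.7z) 5 0 R] >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS (placeholder script text) >>\nendobj\n",
        b"4 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" >>\nstream\n" + compressed + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Type /Filespec /F (Found Me.7z) /EF << /F 4 0 R >> >>\nendobj\n",
    ]
    return b"%PDF-1.6\n" + b"".join(objects) + b"%%EOF\n"


def keyword_counts(pdf_bytes):
    """pdfid-style counts: structural tokens plus the suspicious name keywords.
    A name may not be followed by another name character, so /EmbeddedFile does
    not also count every /EmbeddedFiles."""
    counts = {}
    for token in (b"obj", b"endobj", b"stream", b"endstream"):
        counts[token.decode()] = len(re.findall(rb"\b" + token + rb"\b", pdf_bytes))
    for kw in SUSPICIOUS_KEYWORDS:
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", pdf_bytes))
    return counts


def iter_objects(pdf_bytes):
    """Yield (object number, body bytes) for every top-level object."""
    for m in OBJ_RE.finditer(pdf_bytes):
        yield int(m.group(1)), m.group(3)


def extract_stream(obj_body):
    """Return the decoded stream of an object, or None if it has no stream.
    Uses a direct /Length when present, otherwise falls back to the endstream keyword."""
    start = re.search(rb"stream\r?\n", obj_body)
    if not start:
        return None
    data_start = start.end()
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", obj_body[:data_start])
    if length:
        raw = obj_body[data_start:data_start + int(length.group(1))]
    else:
        raw = obj_body[data_start:obj_body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in obj_body[:data_start]:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return None
    return raw


def find_embedded_archives(pdf_bytes):
    """Return (object number, decoded bytes) for every stream that inflates to a 7-Zip archive."""
    hits = []
    for num, body in iter_objects(pdf_bytes):
        data = extract_stream(body)
        if data is not None and data.startswith(SEVEN_ZIP_MAGIC):
            hits.append((num, data))
    return hits


def attachment_names(pdf_bytes):
    """Return the /F file names declared by /Filespec objects (the 'Found Me.7z' step)."""
    names = []
    for _, body in iter_objects(pdf_bytes):
        if b"/Filespec" in body:
            m = re.search(rb"/F\s*\(([^)]*)\)", body)
            if m:
                names.append(m.group(1).decode("latin-1"))
    return names


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for name, count in keyword_counts(pdf).items():
        print(f"{name:<16}{count:>6}")
    print("attachments:", attachment_names(pdf))
    for num, data in find_embedded_archives(pdf):
        print(f"object {num}: 7z archive, {len(data)} bytes after inflate")
```

Like pdfid, this is a flat text scan: it will not see keywords or objects hidden inside object streams (the two `/ObjStm` entries pdfid reported in the magazine), and it trusts the object boundaries it finds rather than the cross-reference table. That is exactly why the count of `/JS`, `/JavaScript` and `/EmbeddedFile` is a triage signal to follow up with a real parser, not a verdict on its own.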

One Response so far.

  1. […] Lee Whitfield has posted the solution to the forensic challenge in the last issue of 4:Mag, http://forensic4cast.com/2013/12/4mag-challenge-solution/. Forensic challenges are fun and help you to improve your skills! I would recommend trying it on […]
