Wylie, Texas
lee@forensic4cast.com

4:mag Challenge Solution

Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In this issue I set a challenge in which a copy of David Cowen’s latest book “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows:

Somewhere in the digital copy of the magazine (downloaded from the 4cast website) you will find a clue. Follow this clue and complete the challenge.

That was the extent of it. In digital forensics we are often given much more vague criteria than this, so I wasn’t really prepared to give any more information that this. It was my belief that I may have made the challenge too difficult. I can be very sadistic at times and I did what I could to cause people to not only use their skills, but also think in a really obscure way. That being said I was very surprised when, the day after publication, I received an email from Tyler Hudak of KoreLogic (korelogic.com) saying that he’d figured it out. As it turns out I’m not nearly as sadistic or obscure as I thought.

Over the next few weeks a couple of other people were able to figure it out as I gave additional clues on social media but Tyler shocked me when he was able to provide a solution after only one day. I asked him to provide an explanation of how he found the answer. Please read it below. Let me know what you think. Was this a totally obscure challenge or did I under-think things?

The description of the contest stated that the clue was somewhere within the magazine. Since the magazine was a PDF, I figured I’d shortcut things and look at the PDF itself in the hopes that I would find something.

I ran pdfid.py on it and saw there were some JavaScript objects. Odd,
especially for a magazine.

$ pdfid.py 4mag-1-Q2-2013.pdf

PDFiD 0.0.12 4mag-1-Q2-2013.pdf
PDF Header: %PDF-1.6
obj                 1341
endobj              1341
stream               618
endstream            618
xref                   0
trailer                0
startxref              1
/Page                  0
/Encrypt               0
/ObjStm                2
/JS                    1
/JavaScript            2
/AA                    2
/OpenAction            0
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Launch                0
/EmbeddedFile          0
/Colors > 2^24         0

I then ran pdf-parser to find all the JS objects. Object 1414 contained JavaScript code to extract an attachment from the document. Further analysis showed that object 1412 pointed to a name “Found Me.7z” in object 1415, and then 1416 which contained the actual 7z file. I then used pdf-parser.py to extract “Found Me.7z” from object 1416.

$ pdf-parser.py -w -f -o 1416 -d 1416.7z 4mag-1-Q2-2013.pdf
file 1416.7z
obj 1416 0
Type:
Referencing:
Contains stream

<<
/DL 423
/Filter /FlateDecode
/Length 437
/Params
<<
/CheckSum <566439E24662D359F0BB5214DB31F246>
/CreationDate (D:20130326150915-05’00’)
/ModDate (D:20130322173640)
/Size 423
>>
>>

$ file 1416.7z
1416.7z: 7-zip archive data, version 0.3

Once the 7z file was extracted, I quickly found that it was password protected. I initially tried a number of passwords like 4:mag, forensic4cast, etc. with no luck. I then set up a brute force to try all the passwords from the rockyou.txt file (a big password file) and let it go.

While that was going I jumped onto forensic4cast.com and was looking around. Thats when I noticed the background was a bunch of binary numbers which did not seem to have a discernible pattern. I isolated the picture (https://forensic4cast.com/wp-content/themes/colorway/images/body-bg.png) and copied out the binary by hand into a file. I then ran the following bash/Perl to convert it to letters:

$ for NUM in `cat /tmp/binary`; do export NUM; perl -e ‘print chr(unpack(“N”, pack(“B32”, substr(“0” x 32 . $ENV{‘NUM’}, -32)))); ‘; done

I saw the output and at first thought I had done it wrong, or it was a hash or encrypted string of some sort. Just for the heck of it I tried it as the password for the 7z itself and was happily surprised when it worked.

Congratulations Tyler. We’ll send you a copy of David’s book very soon.

One Response

  1. […] Lee Whitfield has posted the solution to the forensic challenge in the last issue of 4:Mag, http://forensic4cast.com/2013/12/4mag-challenge-solution/. Forensic challenges are fun and help you to improve your skills! I would recommend trying it on […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.